Remove security on operation level fix

p1c2u · p1c2u · commit 2104b62b65ad · 2021-02-02T12:39:53.000Z
diff --git a/openapi_core/schema/operations/generators.py b/openapi_core/schema/operations/generators.py
@@ -42,12 +42,16 @@ def generate(self, path_name, path):
             tags_list = operation_deref.get('tags', [])
             summary = operation_deref.get('summary')
             description = operation_deref.get('description')
-            security_spec = operation_deref.get('security', [])
             servers_spec = operation_deref.get('servers', [])
 
             servers = self.servers_generator.generate(servers_spec)
-            security = self.security_requirements_generator.generate(
-                security_spec)
+
+            security = None
+            if 'security' in operation_deref:
+                security_spec = operation_deref.get('security')
+                security = self.security_requirements_generator.generate(
+                    security_spec)
+
             extensions = self.extensions_generator.generate(operation_deref)
 
             external_docs = None
@@ -67,7 +71,7 @@ def generate(self, path_name, path):
                 Operation(
                     http_method, path_name, responses, list(parameters),
                     summary=summary, description=description,
-                    external_docs=external_docs, security=list(security),
+                    external_docs=external_docs, security=security,
                     request_body=request_body, deprecated=deprecated,
                     operation_id=operation_id, tags=list(tags_list),
                     servers=list(servers), extensions=extensions,
diff --git a/openapi_core/schema/operations/models.py b/openapi_core/schema/operations/models.py
@@ -18,7 +18,7 @@ def __init__(
         self.summary = summary
         self.description = description
         self.external_docs = external_docs
-        self.security = security
+        self.security = security and list(security)
         self.request_body = request_body
         self.deprecated = deprecated
         self.operation_id = operation_id
diff --git a/openapi_core/validation/request/validators.py b/openapi_core/validation/request/validators.py
@@ -87,7 +87,10 @@ def _validate_body(self, request):
         )
 
     def _get_security(self, request, operation):
-        security = operation.security or self.spec.security
+        security = self.spec.security
+        if operation.security is not None:
+            security = operation.security
+
         if not security:
             return {}
 
diff --git a/tests/integration/data/v3.0/security_override.yaml b/tests/integration/data/v3.0/security_override.yaml
@@ -0,0 +1,41 @@
+openapi: "3.0.0"
+info:
+  title: Minimal OpenAPI specification with security override
+  version: "0.1"
+security:
+  - api_key: []
+paths:
+  /resource/{resId}:
+    parameters:
+      - name: resId
+        in: path
+        required: true
+        description: the ID of the resource to retrieve
+        schema:
+          type: string
+    get:
+      responses:
+        default:
+          description: Default security.
+    post:
+      security:
+        - petstore_auth:
+            - write:pets
+            - read:pets
+      responses:
+        default:
+          description: Override security.
+    put:
+      security: []
+      responses:
+        default:
+          description: Remove security.
+components:
+  securitySchemes:
+    api_key:
+      type: apiKey
+      name: api_key
+      in: query
+    petstore_auth:
+      type: http
+      scheme: basic
diff --git a/tests/integration/validation/test_security_override.py b/tests/integration/validation/test_security_override.py
@@ -0,0 +1,94 @@
+from base64 import b64encode
+import json
+
+import pytest
+from six import text_type
+
+from openapi_core.shortcuts import create_spec
+from openapi_core.unmarshalling.schemas.exceptions import InvalidSchemaValue
+from openapi_core.validation.exceptions import InvalidSecurity
+from openapi_core.validation.response.validators import ResponseValidator
+from openapi_core.validation.request.validators import RequestValidator
+from openapi_core.testing import MockRequest, MockResponse
+
+
+@pytest.fixture
+def response_validator(spec):
+    return ResponseValidator(spec)
+
+
+@pytest.fixture
+def request_validator(spec):
+    return RequestValidator(spec)
+
+
+@pytest.fixture('class')
+def spec(factory):
+    spec_dict = factory.spec_from_file("data/v3.0/security_override.yaml")
+    return create_spec(spec_dict)
+
+
+class TestSecurityOverride(object):
+
+    host_url = 'http://petstore.swagger.io'
+
+    api_key = '12345'
+
+    @property
+    def api_key_encoded(self):
+        api_key_bytes = self.api_key.encode('utf8')
+        api_key_bytes_enc = b64encode(api_key_bytes)
+        return text_type(api_key_bytes_enc, 'utf8')
+
+    def test_default(self, request_validator):
+        args = {'api_key': self.api_key}
+        request = MockRequest(
+            self.host_url, 'get', '/resource/one', args=args)
+
+        result = request_validator.validate(request)
+
+        assert not result.errors
+        assert result.security == {
+            'api_key': self.api_key,
+        }
+
+    def test_default_invalid(self, request_validator):
+        request = MockRequest(self.host_url, 'get', '/resource/one')
+
+        result = request_validator.validate(request)
+
+        assert type(result.errors[0]) == InvalidSecurity
+        assert result.security is None
+
+    def test_override(self, request_validator):
+        authorization = 'Basic ' + self.api_key_encoded
+        headers = {
+            'Authorization': authorization,
+        }
+        request = MockRequest(
+            self.host_url, 'post', '/resource/one', headers=headers)
+
+        result = request_validator.validate(request)
+
+        assert not result.errors
+        assert result.security == {
+            'petstore_auth': self.api_key_encoded,
+        }
+
+    def test_override_invalid(self, request_validator):
+        request = MockRequest(
+            self.host_url, 'post', '/resource/one')
+
+        result = request_validator.validate(request)
+
+        assert type(result.errors[0]) == InvalidSecurity
+        assert result.security is None
+
+    def test_remove(self, request_validator):
+        request = MockRequest(
+            self.host_url, 'put', '/resource/one')
+
+        result = request_validator.validate(request)
+
+        assert not result.errors
+        assert result.security == {}
