Merge pull request #195 from p1c2u/feature/security-validation

Security validation

Author: p1c2u

openapi_core/schema/components/factories.py

@@ -1,6 +1,9 @@
 from openapi_core.compat import lru_cache
 from openapi_core.schema.components.models import Components
 from openapi_core.schema.schemas.generators import SchemasGenerator
+from openapi_core.schema.security_schemes.generators import (
+    SecuritySchemesGenerator,
+)
 
 
 class ComponentsFactory(object):
@@ -15,15 +18,18 @@ def create(self, components_spec):
         schemas_spec = components_deref.get('schemas', {})
         responses_spec = components_deref.get('responses', {})
         parameters_spec = components_deref.get('parameters', {})
-        request_bodies_spec = components_deref.get('request_bodies', {})
+        request_bodies_spec = components_deref.get('requestBodies', {})
+        security_schemes_spec = components_deref.get('securitySchemes', {})
 
         schemas = self.schemas_generator.generate(schemas_spec)
         responses = self._generate_response(responses_spec)
         parameters = self._generate_parameters(parameters_spec)
         request_bodies = self._generate_request_bodies(request_bodies_spec)
+        security_schemes = self._generate_security_schemes(
+            security_schemes_spec)
         return Components(
             schemas=list(schemas), responses=responses, parameters=parameters,
-            request_bodies=request_bodies,
+            request_bodies=request_bodies, security_schemes=security_schemes,
         )
 
     @property
@@ -39,3 +45,7 @@ def _generate_parameters(self, parameters_spec):
 
     def _generate_request_bodies(self, request_bodies_spec):
         return request_bodies_spec
+
+    def _generate_security_schemes(self, security_schemes_spec):
+        return SecuritySchemesGenerator(self.dereferencer).generate(
+            security_schemes_spec)

openapi_core/schema/components/models.py

@@ -3,8 +3,11 @@ class Components(object):
 
     def __init__(
             self, schemas=None, responses=None, parameters=None,
-            request_bodies=None):
+            request_bodies=None, security_schemes=None):
         self.schemas = schemas and dict(schemas) or {}
         self.responses = responses and dict(responses) or {}
         self.parameters = parameters and dict(parameters) or {}
         self.request_bodies = request_bodies and dict(request_bodies) or {}
+        self.security_schemes = (
+            security_schemes and dict(security_schemes) or {}
+        )

openapi_core/schema/operations/generators.py

@@ -11,7 +11,9 @@
 from openapi_core.schema.parameters.generators import ParametersGenerator
 from openapi_core.schema.request_bodies.factories import RequestBodyFactory
 from openapi_core.schema.responses.generators import ResponsesGenerator
-from openapi_core.schema.security.factories import SecurityRequirementFactory
+from openapi_core.schema.security_requirements.generators import (
+    SecurityRequirementsGenerator,
+)
 from openapi_core.schema.servers.generators import ServersGenerator
 
 
@@ -39,16 +41,12 @@ def generate(self, path_name, path):
             tags_list = operation_deref.get('tags', [])
             summary = operation_deref.get('summary')
             description = operation_deref.get('description')
-            security_requirements_list = operation_deref.get('security', [])
+            security_spec = operation_deref.get('security', [])
             servers_spec = operation_deref.get('servers', [])
 
             servers = self.servers_generator.generate(servers_spec)
-
-            security = None
-            if security_requirements_list:
-                security = list(map(
-                    self.security_requirement_factory.create,
-                    security_requirements_list))
+            security = self.security_requirements_generator.generate(
+                security_spec)
 
             external_docs = None
             if 'externalDocs' in operation_deref:
@@ -67,10 +65,10 @@ def generate(self, path_name, path):
                 Operation(
                     http_method, path_name, responses, list(parameters),
                     summary=summary, description=description,
-                    external_docs=external_docs, security=security,
+                    external_docs=external_docs, security=list(security),
                     request_body=request_body, deprecated=deprecated,
                     operation_id=operation_id, tags=list(tags_list),
-                    servers=servers,
+                    servers=list(servers),
                 ),
             )
 
@@ -96,8 +94,8 @@ def request_body_factory(self):
 
     @property
     @lru_cache()
-    def security_requirement_factory(self):
-        return SecurityRequirementFactory(self.dereferencer)
+    def security_requirements_generator(self):
+        return SecurityRequirementsGenerator(self.dereferencer)
 
     @property
     @lru_cache()

openapi_core/schema/security/factories.py

@@ -0,0 +1,15 @@
+"""OpenAPI core security requirements generators module"""
+from openapi_core.schema.security_requirements.models import (
+    SecurityRequirement,
+)
+
+
+class SecurityRequirementsGenerator(object):
+
+    def __init__(self, dereferencer):
+        self.dereferencer = dereferencer
+
+    def generate(self, security_spec):
+        security_deref = self.dereferencer.dereference(security_spec)
+        for security_requirement_spec in security_deref:
+            yield SecurityRequirement(security_requirement_spec)

openapi_core/schema/security/models.py

@@ -0,0 +1,6 @@
+"""OpenAPI core security requirements models module"""
+
+
+class SecurityRequirement(dict):
+    """Represents an OpenAPI Security Requirement."""
+    pass

openapi_core/schema/security/__init__.py renamed to openapi_core/schema/security_requirements/__init__.py

@@ -0,0 +1,27 @@
+"""OpenAPI core security schemes enums module"""
+from enum import Enum
+
+
+class SecuritySchemeType(Enum):
+
+    API_KEY = 'apiKey'
+    HTTP = 'http'
+    OAUTH2 = 'oauth2'
+    OPEN_ID_CONNECT = 'openIdConnect'
+
+
+class ApiKeyLocation(Enum):
+
+    QUERY = 'query'
+    HEADER = 'header'
+    COOKIE = 'cookie'
+
+    @classmethod
+    def has_value(cls, value):
+        return (any(value == item.value for item in cls))
+
+
+class HttpAuthScheme(Enum):
+
+    BASIC = 'basic'
+    BEARER = 'bearer'

openapi_core/schema/security_requirements/generators.py

@@ -0,0 +1,37 @@
+"""OpenAPI core security schemes generators module"""
+import logging
+
+from six import iteritems
+
+from openapi_core.schema.security_schemes.models import SecurityScheme
+
+log = logging.getLogger(__name__)
+
+
+class SecuritySchemesGenerator(object):
+
+    def __init__(self, dereferencer):
+        self.dereferencer = dereferencer
+
+    def generate(self, security_schemes_spec):
+        security_schemes_deref = self.dereferencer.dereference(
+            security_schemes_spec)
+
+        for scheme_name, scheme_spec in iteritems(security_schemes_deref):
+            scheme_deref = self.dereferencer.dereference(scheme_spec)
+            scheme_type = scheme_deref['type']
+            description = scheme_deref.get('description')
+            name = scheme_deref.get('name')
+            apikey_in = scheme_deref.get('in')
+            scheme = scheme_deref.get('scheme')
+            bearer_format = scheme_deref.get('bearerFormat')
+            flows = scheme_deref.get('flows')
+            open_id_connect_url = scheme_deref.get('openIdConnectUrl')
+
+            scheme = SecurityScheme(
+                scheme_type, description=description, name=name,
+                apikey_in=apikey_in, scheme=scheme,
+                bearer_format=bearer_format, flows=flows,
+                open_id_connect_url=open_id_connect_url,
+            )
+            yield scheme_name, scheme

openapi_core/schema/security_requirements/models.py

@@ -0,0 +1,22 @@
+"""OpenAPI core security schemes models module"""
+from openapi_core.schema.security_schemes.enums import (
+    SecuritySchemeType, ApiKeyLocation, HttpAuthScheme,
+)
+
+
+class SecurityScheme(object):
+    """Represents an OpenAPI Security Scheme."""
+
+    def __init__(
+            self, scheme_type, description=None, name=None, apikey_in=None,
+            scheme=None, bearer_format=None, flows=None,
+            open_id_connect_url=None,
+    ):
+        self.type = SecuritySchemeType(scheme_type)
+        self.description = description
+        self.name = name
+        self.apikey_in = apikey_in and ApiKeyLocation(apikey_in)
+        self.scheme = scheme and HttpAuthScheme(scheme)
+        self.bearer_format = bearer_format
+        self.flows = flows
+        self.open_id_connect_url = open_id_connect_url

openapi_core/schema/security_schemes/__init__.py

@@ -9,6 +9,9 @@
 from openapi_core.schema.infos.factories import InfoFactory
 from openapi_core.schema.paths.generators import PathsGenerator
 from openapi_core.schema.schemas.registries import SchemaRegistry
+from openapi_core.schema.security_requirements.generators import (
+    SecurityRequirementsGenerator,
+)
 from openapi_core.schema.servers.generators import ServersGenerator
 from openapi_core.schema.specs.models import Spec
 
@@ -29,6 +32,7 @@ def create(self, spec_dict, spec_url=''):
         servers_spec = spec_dict_deref.get('servers', [])
         paths = spec_dict_deref.get('paths', {})
         components_spec = spec_dict_deref.get('components', {})
+        security_spec = spec_dict_deref.get('security', [])
 
         if not servers_spec:
             servers_spec = [
@@ -39,8 +43,13 @@ def create(self, spec_dict, spec_url=''):
         servers = self.servers_generator.generate(servers_spec)
         paths = self.paths_generator.generate(paths)
         components = self.components_factory.create(components_spec)
+
+        security = self.security_requirements_generator.generate(
+                security_spec)
+
         spec = Spec(
             info, list(paths), servers=list(servers), components=components,
+            security=list(security),
             _resolver=self.spec_resolver,
         )
         return spec
@@ -74,3 +83,8 @@ def paths_generator(self):
     @lru_cache()
     def components_factory(self):
         return ComponentsFactory(self.dereferencer, self.schemas_registry)
+
+    @property
+    @lru_cache()
+    def security_requirements_generator(self):
+        return SecurityRequirementsGenerator(self.dereferencer)

openapi_core/schema/security_schemes/enums.py

@@ -15,11 +15,13 @@ class Spec(object):
     """Represents an OpenAPI Specification for a service."""
 
     def __init__(
-            self, info, paths, servers=None, components=None, _resolver=None):
+            self, info, paths, servers=None, components=None,
+            security=None, _resolver=None):
         self.info = info
         self.paths = paths and dict(paths)
         self.servers = servers or []
         self.components = components
+        self.security = security
 
         self._resolver = _resolver
 

openapi_core/schema/security_schemes/generators.py

@@ -0,0 +1,5 @@
+from openapi_core.exceptions import OpenAPIError
+
+
+class SecurityError(OpenAPIError):
+    pass

openapi_core/schema/security_schemes/models.py

@@ -0,0 +1,19 @@
+from openapi_core.schema.security_schemes.enums import SecuritySchemeType
+from openapi_core.security.providers import (
+    ApiKeyProvider, HttpProvider, UnsupportedProvider,
+)
+
+
+class SecurityProviderFactory(object):
+
+    PROVIDERS = {
+        SecuritySchemeType.API_KEY: ApiKeyProvider,
+        SecuritySchemeType.HTTP: HttpProvider,
+    }
+
+    def create(self, scheme):
+        if scheme.type == SecuritySchemeType.API_KEY:
+            return ApiKeyProvider(scheme)
+        elif scheme.type == SecuritySchemeType.HTTP:
+            return HttpProvider(scheme)
+        return UnsupportedProvider(scheme)

openapi_core/schema/specs/factories.py

@@ -0,0 +1,47 @@
+import base64
+import binascii
+import warnings
+
+from openapi_core.security.exceptions import SecurityError
+
+
+class BaseProvider(object):
+
+    def __init__(self, scheme):
+        self.scheme = scheme
+
+
+class UnsupportedProvider(BaseProvider):
+
+    def __call__(self, request):
+        warnings.warn("Unsupported scheme type")
+
+
+class ApiKeyProvider(BaseProvider):
+
+    def __call__(self, request):
+        source = getattr(request.parameters, self.scheme.apikey_in.value)
+        if self.scheme.name not in source:
+            raise SecurityError("Missing api key parameter.")
+        return source.get(self.scheme.name)
+
+
+class HttpProvider(BaseProvider):
+
+    def __call__(self, request):
+        if 'Authorization' not in request.parameters.header:
+            raise SecurityError('Missing authorization header.')
+        auth_header = request.parameters.header['Authorization']
+        try:
+            auth_type, encoded_credentials = auth_header.split(' ', 1)
+        except ValueError:
+            raise SecurityError('Could not parse authorization header.')
+
+        if auth_type.lower() != self.scheme.scheme.value:
+            raise SecurityError(
+                'Unknown authorization method %s' % auth_type)
+        try:
+            return base64.b64decode(
+                encoded_credentials.encode('ascii')).decode('latin1')
+        except binascii.Error:
+            raise SecurityError('Invalid base64 encoding.')

openapi_core/schema/specs/models.py

@@ -0,0 +1,15 @@
+"""OpenAPI core validation exceptions module"""
+import attr
+
+from openapi_core.exceptions import OpenAPIError
+
+
+class ValidationError(OpenAPIError):
+    pass
+
+
+@attr.s(hash=True)
+class InvalidSecurity(ValidationError):
+
+    def __str__(self):
+        return "Security not valid for any requirement"

openapi_core/security/__init__.py

@@ -71,3 +71,4 @@ def full_url_pattern(self):
 class RequestValidationResult(BaseValidationResult):
     body = attr.ib(default=None)
     parameters = attr.ib(factory=RequestParameters)
+    security = attr.ib(default=None)