Skip to content

Remove security on operation level fix #284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Feb 2, 2021
Merged

Remove security on operation level fix #284

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 8 additions & 4 deletions openapi_core/schema/operations/generators.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,12 +42,16 @@ def generate(self, path_name, path):
tags_list = operation_deref.get('tags', [])
summary = operation_deref.get('summary')
description = operation_deref.get('description')
security_spec = operation_deref.get('security', [])
servers_spec = operation_deref.get('servers', [])

servers = self.servers_generator.generate(servers_spec)
security = self.security_requirements_generator.generate(
security_spec)

security = None
if 'security' in operation_deref:
security_spec = operation_deref.get('security')
security = self.security_requirements_generator.generate(
security_spec)

extensions = self.extensions_generator.generate(operation_deref)

external_docs = None
Expand All @@ -67,7 +71,7 @@ def generate(self, path_name, path):
Operation(
http_method, path_name, responses, list(parameters),
summary=summary, description=description,
external_docs=external_docs, security=list(security),
external_docs=external_docs, security=security,
request_body=request_body, deprecated=deprecated,
operation_id=operation_id, tags=list(tags_list),
servers=list(servers), extensions=extensions,
Expand Down
2 changes: 1 addition & 1 deletion openapi_core/schema/operations/models.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ def __init__(
self.summary = summary
self.description = description
self.external_docs = external_docs
self.security = security
self.security = security and list(security)
self.request_body = request_body
self.deprecated = deprecated
self.operation_id = operation_id
Expand Down
5 changes: 4 additions & 1 deletion openapi_core/validation/request/validators.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,10 @@ def _validate_body(self, request):
)

def _get_security(self, request, operation):
security = operation.security or self.spec.security
security = self.spec.security
if operation.security is not None:
security = operation.security

if not security:
return {}

Expand Down
41 changes: 41 additions & 0 deletions tests/integration/data/v3.0/security_override.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
openapi: "3.0.0"
info:
title: Minimal OpenAPI specification with security override
version: "0.1"
security:
- api_key: []
paths:
/resource/{resId}:
parameters:
- name: resId
in: path
required: true
description: the ID of the resource to retrieve
schema:
type: string
get:
responses:
default:
description: Default security.
post:
security:
- petstore_auth:
- write:pets
- read:pets
responses:
default:
description: Override security.
put:
security: []
responses:
default:
description: Remove security.
components:
securitySchemes:
api_key:
type: apiKey
name: api_key
in: query
petstore_auth:
type: http
scheme: basic
17 changes: 9 additions & 8 deletions tests/integration/schema/test_spec.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,14 +152,15 @@ def test_spec(self, spec, spec_dict):
assert variable.default == variable_spec['default']
assert variable.enum == variable_spec.get('enum')

security_spec = operation_spec.get('security', [])
for idx, security_req in enumerate(operation.security):
assert type(security_req) == SecurityRequirement

security_req_spec = security_spec[idx]
for scheme_name in security_req:
security_req[scheme_name] == security_req_spec[
scheme_name]
security_spec = operation_spec.get('security')
if security_spec is not None:
for idx, security_req in enumerate(operation.security):
assert type(security_req) == SecurityRequirement

security_req_spec = security_spec[idx]
for scheme_name in security_req:
security_req[scheme_name] == security_req_spec[
scheme_name]

responses_spec = operation_spec.get('responses')

Expand Down
86 changes: 86 additions & 0 deletions tests/integration/validation/test_security_override.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
from base64 import b64encode

import pytest
from six import text_type

from openapi_core.shortcuts import create_spec
from openapi_core.validation.exceptions import InvalidSecurity
from openapi_core.validation.request.validators import RequestValidator
from openapi_core.testing import MockRequest


@pytest.fixture
def request_validator(spec):
return RequestValidator(spec)


@pytest.fixture('class')
def spec(factory):
spec_dict = factory.spec_from_file("data/v3.0/security_override.yaml")
return create_spec(spec_dict)


class TestSecurityOverride(object):

host_url = 'http://petstore.swagger.io'

api_key = '12345'

@property
def api_key_encoded(self):
api_key_bytes = self.api_key.encode('utf8')
api_key_bytes_enc = b64encode(api_key_bytes)
return text_type(api_key_bytes_enc, 'utf8')

def test_default(self, request_validator):
args = {'api_key': self.api_key}
request = MockRequest(
self.host_url, 'get', '/resource/one', args=args)

result = request_validator.validate(request)

assert not result.errors
assert result.security == {
'api_key': self.api_key,
}

def test_default_invalid(self, request_validator):
request = MockRequest(self.host_url, 'get', '/resource/one')

result = request_validator.validate(request)

assert type(result.errors[0]) == InvalidSecurity
assert result.security is None

def test_override(self, request_validator):
authorization = 'Basic ' + self.api_key_encoded
headers = {
'Authorization': authorization,
}
request = MockRequest(
self.host_url, 'post', '/resource/one', headers=headers)

result = request_validator.validate(request)

assert not result.errors
assert result.security == {
'petstore_auth': self.api_key_encoded,
}

def test_override_invalid(self, request_validator):
request = MockRequest(
self.host_url, 'post', '/resource/one')

result = request_validator.validate(request)

assert type(result.errors[0]) == InvalidSecurity
assert result.security is None

def test_remove(self, request_validator):
request = MockRequest(
self.host_url, 'put', '/resource/one')

result = request_validator.validate(request)

assert not result.errors
assert result.security == {}