
Commit 68aacd6

authored
feat(rulesets): add scope validation to oas{2,3}-operation-security-defined rules (#2538)
1 parent 714a8a5 commit 68aacd6


3 files changed

+252
-125
lines changed


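--- a/packages/rulesets/src/oas/__tests__/oas2-operation-security-defined.test.ts
+++ b/packages/rulesets/src/oas/__tests__/oas2-operation-security-defined.test.ts
@@ -3,12 +3,21 @@ import testRule from './__helpers__/tester';
 
 testRule('oas2-operation-security-defined', [
   {
-    name: 'a correct object (just in body)',
+    name: 'valid case',
     document: {
       swagger: '2.0',
       securityDefinitions: {
-        apikey: {},
+        apikey: {
+          type: 'apiKey',
+          name: 'api_key',
+          in: 'header',
+        },
       },
+      security: [
+        {
+          apikey: [],
+        },
+      ],
       paths: {
         '/path': {
           get: {
@@ -25,37 +34,44 @@ testRule('oas2-operation-security-defined', [
   },
 
   {
-    name: 'a correct object (API-level security)',
+    name: 'valid and invalid object',
     document: {
       swagger: '2.0',
       securityDefinitions: {
-        apikey: {},
+        apikey: {
+          type: 'apiKey',
+          name: 'api_key',
+          in: 'header',
+        },
+        oauth2: {
+          type: 'oauth2',
+          flows: 'accessCode',
+          authorizationUrl: 'https://example.com/api/oauth/dialog',
+          tokenUrl: 'https://example.com/api/oauth/token',
+          scopes: {
+            'write:pets': 'modify pets in your account',
+            'read:pets': 'read your pets',
+          },
+        },
       },
       security: [
         {
           apikey: [],
+          basic: [],
+          oauth2: ['write:pets'],
         },
-      ],
-      paths: {
-        '/path': {
-          get: {},
+        {},
+        {
+          oauth2: ['write:users', 'read:users'],
         },
-      },
-    },
-    errors: [],
-  },
-
-  {
-    name: 'invalid object',
-    document: {
-      swagger: '2.0',
-      securityDefinitions: {},
+      ],
       paths: {
-        '/path': {
+        '/users': {
           get: {
             security: [
               {
-                apikey: [],
+                bearer: [],
+                oauth2: [],
               },
             ],
           },
@@ -64,45 +80,32 @@ testRule('oas2-operation-security-defined', [
     },
     errors: [
       {
-        message: 'Operation "security" values must match a scheme defined in the "securityDefinitions" object.',
-        path: ['paths', '/path', 'get', 'security', '0', 'apikey'],
+        message: 'API "security" values must match a scheme defined in the "securityDefinitions" object.',
+        path: ['security', '0', 'basic'],
         severity: DiagnosticSeverity.Warning,
       },
-    ],
-  },
-
-  {
-    name: 'invalid object (API-level security)',
-    document: {
-      swagger: '2.0',
-      securityDefinitions: {},
-      security: [
-        {
-          apikey: [],
-        },
-      ],
-      paths: {
-        '/path': {
-          get: {},
-        },
+      {
+        message: '"write:users" must be listed among scopes.',
+        path: ['security', '2', 'oauth2', '0'],
+        severity: DiagnosticSeverity.Warning,
       },
-    },
-    errors: [
       {
-        message: 'API "security" values must match a scheme defined in the "securityDefinitions" object.',
-        path: ['security', '0', 'apikey'],
+        message: '"read:users" must be listed among scopes.',
+        path: ['security', '2', 'oauth2', '1'],
+        severity: DiagnosticSeverity.Warning,
+      },
+      {
+        message: 'Operation "security" values must match a scheme defined in the "securityDefinitions" object.',
+        path: ['paths', '/users', 'get', 'security', '0', 'bearer'],
         severity: DiagnosticSeverity.Warning,
       },
     ],
   },
 
   {
-    name: 'valid and invalid object',
+    name: 'missing securityDefinitions',
     document: {
       swagger: '2.0',
-      securityDefinitions: {
-        apikey: {},
-      },
       paths: {
         '/path': {
           get: {
@@ -111,12 +114,18 @@ testRule('oas2-operation-security-defined', [
                 apikey: [],
                 basic: [],
               },
+              {},
             ],
           },
         },
       },
     },
     errors: [
+      {
+        message: 'Operation "security" values must match a scheme defined in the "securityDefinitions" object.',
+        path: ['paths', '/path', 'get', 'security', '0', 'apikey'],
+        severity: DiagnosticSeverity.Warning,
+      },
       {
         message: 'Operation "security" values must match a scheme defined in the "securityDefinitions" object.',
         path: ['paths', '/path', 'get', 'security', '0', 'basic'],
@@ -126,28 +135,58 @@ testRule('oas2-operation-security-defined', [
   },
 
   {
-    name: 'valid and invalid object (API-level security)',
+    name: 'invalid scopes in Security Scheme object',
     document: {
       swagger: '2.0',
       securityDefinitions: {
-        apikey: {},
-      },
-      security: [
-        {
-          apikey: [],
-          basic: [],
+        authorizationCode: {
+          type: 'oauth2',
+          flows: 'accessCode',
+          authorizationUrl: 'https://example.com/api/oauth/dialog',
+          tokenUrl: 'https://example.com/api/oauth/token',
+          scopes: null,
         },
-      ],
+        noFlows: {
+          type: 'oauth2',
+        },
+        client: {
+          type: 'oauth2',
+          flows: {
+            clientCredentials: null,
+          },
+        },
+      },
       paths: {
         '/path': {
-          get: {},
+          get: {
+            security: [
+              {
+                noFlows: ['read:users'],
+                authorizationCode: ['write:users'],
+              },
+              {
+                noFlows: [],
+                client: ['read:users'],
+              },
+            ],
+          },
         },
       },
     },
     errors: [
       {
-        message: 'API "security" values must match a scheme defined in the "securityDefinitions" object.',
-        path: ['security', '0', 'basic'],
+        message: '"read:users" must be listed among scopes.',
+        path: ['paths', '/path', 'get', 'security', '0', 'noFlows', '0'],
+        severity: DiagnosticSeverity.Warning,
+      },
+      {
+        message: '"write:users" must be listed among scopes.',
+        path: ['paths', '/path', 'get', 'security', '0', 'authorizationCode', '0'],
+        severity: DiagnosticSeverity.Warning,
+      },
+      {
+        message: '"read:users" must be listed among scopes.',
+        path: ['paths', '/path', 'get', 'security', '1', 'client', '0'],
         severity: DiagnosticSeverity.Warning,
       },
     ],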
