APIDevTools / swagger-cli

Swagger 2.0 and OpenAPI 3.0 command-line tool
https://apitools.dev/swagger-cli
MIT License

Validate security keys against securitySchemes #72

Open andreasanta opened 2 years ago

andreasanta commented 2 years ago

Given the following yaml file

openapi: 3.0.0
info:
  description: Sites 
  title: Sites
  version: 1.0.0
paths:
  /sites/available-sites:
    get:
      summary: "get available sites for current contact"
      responses:
        '200':
          description: 'Success response'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Sites'
        '400':
          description: 'Bad request'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
      security:
        - subscription_key_wrong: []
      tags:
        - Sites
components:
  schemas:
    Sites:
      type: object
      properties:
        sites:
          type: array
          items:
            $ref: '#/components/schemas/Site'
    Site:
      type: object
      properties:
        id:
          type: string
        name:
          type: string
        locationtype:
          type: string
        selfRegistrationDuration:
          type: integer
        additionalInfo:
          $ref: '#/components/schemas/SiteAdditionalInfo'
        address:
          $ref: '#/components/schemas/Address'
        geoCoordinates:
          $ref: '#/components/schemas/GeoCoordinates'
        images:
          type: array
          items:
            type: string
        siteMapImage:
          type: string 
    SiteAdditionalInfo:
      type: object
      properties:
        markdown:
          type: string
        html:
          type: string
    Address:
      type: object
      properties:
        line1:
          type: string
        line2:
          type: string
        line3:
          type: string
        city:
          type: string
        postalCode:
          type: string
        stateOrProvince:
          type: string
        country:
          type: string
    GeoCoordinates:
      type: object
      properties:
        longitude:
          type: number
        latitude:
          type: number
      required:
        - longitude
        - latitude
    Error:
      type: object
      properties:
        errorMessage:
          type: string
          format: string
        errorDetail:
          type: string
          format: string
  securitySchemes:
    subscription_key:
      type: apiKey
      name: Ocp-Apim-Subscription-Key
      in: header

Validation passes, but it should fail because `security` is referencing a non-existent security scheme.
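The check the issue asks for, written out as an added example (this is not swagger-cli or swagger-parser code, and `findDanglingSecurityRefs` is a name chosen here): walk every Security Requirement Object, at the document root and on each operation, and report any name that is not declared under `components.securitySchemes` (or `securityDefinitions` for Swagger 2.0, an extension beyond the issue's OpenAPI 3.0 case). It also applies the OpenAPI 3.0 rule that only `oauth2` and `openIdConnect` schemes may carry scopes. The embedded document is a constructed, trimmed copy of the YAML from the issue: the operation references `subscription_key_wrong` while only `subscription_key` is declared.

```javascript
'use strict';

// Added example, not project code. Flags security requirements that reference
// a scheme that is not declared in the document.

const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

// Declared schemes: OpenAPI 3.x keeps them in components.securitySchemes,
// Swagger 2.0 in securityDefinitions. Returns {} when neither is present.
function declaredSchemes(doc) {
  if (doc.components && doc.components.securitySchemes) return doc.components.securitySchemes;
  if (doc.securityDefinitions) return doc.securityDefinitions;
  return {};
}

// Check one `security` array (a list of Security Requirement Objects).
// `where` is a human-readable location used in the error messages.
function checkRequirements(security, schemes, where, errors) {
  if (!Array.isArray(security)) return;
  security.forEach((requirement, i) => {
    for (const [name, scopes] of Object.entries(requirement || {})) {
      const scheme = schemes[name];
      if (!scheme) {
        errors.push(`${where}.security[${i}]: unknown security scheme '${name}'`);
        continue;
      }
      // OAS 3.0: scopes are only meaningful for oauth2 / openIdConnect schemes;
      // for any other scheme type the array MUST be empty.
      const scoped = scheme.type === 'oauth2' || scheme.type === 'openIdConnect';
      if (!scoped && Array.isArray(scopes) && scopes.length > 0) {
        errors.push(
          `${where}.security[${i}]: scheme '${name}' of type '${scheme.type}' does not accept scopes`
        );
      }
    }
  });
}

// Returns an array of error strings; an empty array means every reference resolves.
function findDanglingSecurityRefs(doc) {
  const errors = [];
  const schemes = declaredSchemes(doc);
  checkRequirements(doc.security, schemes, '#', errors); // document-level default
  for (const [path, item] of Object.entries(doc.paths || {})) {
    for (const method of HTTP_METHODS) {
      const op = item && item[method];
      if (op) checkRequirements(op.security, schemes, `paths.${path}.${method}`, errors);
    }
  }
  return errors;
}

// Constructed input mirroring the issue's document (schemas omitted for brevity).
const issueDoc = {
  openapi: '3.0.0',
  info: { title: 'Sites', description: 'Sites', version: '1.0.0' },
  paths: {
    '/sites/available-sites': {
      get: {
        summary: 'get available sites for current contact',
        responses: { '200': { description: 'Success response' } },
        security: [{ subscription_key_wrong: [] }],
        tags: ['Sites'],
      },
    },
  },
  components: {
    securitySchemes: {
      subscription_key: { type: 'apiKey', name: 'Ocp-Apim-Subscription-Key', in: 'header' },
    },
  },
};

const problems = findDanglingSecurityRefs(issueDoc);
console.log(problems.length ? problems.join('\n') : 'all security references resolve');
```

Running it against the issue's document reports one problem for `paths./sites/available-sites.get.security[0]`; renaming the reference to `subscription_key` makes the list empty. A validator that treats this list as fatal gives the failing exit status the issue expects.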

samueleaton commented 2 years ago

This tool is just a CLI wrapper around https://github.com/APIDevTools/swagger-parser, so it should probably be moved there.