Closed tedepstein closed 6 years ago
@tedepstein I implemented a fix in https://github.com/RepreZen/KaiZen-OpenAPI-Editor/commit/4ad3045495a6aa060b0c43791edd72e3123c0545 It uses a different approach for type reference validation. We had a built in mechanism but I found that I could launch validation on a subset of a JSON schema with the JSON schema library we are using. So I am using that now to validate referenced elements.
Screencast:
Looks promising, @ghillairet. Thanks for the fast turnaround!
Implemented in #440
@ghillairet , there were some test failures after merging #440. @andylowry is investigating, but please check the current status when you're back online.
@tedepstein @andylowry Thanks for fixing this test. The fix looks good and It's working as expected.
@tedepstein I think this is a fair description of some of what I was doing; confirming per your request in #163
KZOE is too restrictive in validating references. It correctly ensures that the references themselves are in contexts explicitly allowed by OpenAPI 2.0 and 3.0. But it incorrectly requires the referenced components to be reachable through an OAS-standard path.
The OpenAPI 2.0 spec shows examples of references to single-component files (or "fragment files"), and to components in non-OAS-standard paths:
The OpenAPI 3.0.1 spec has equivalent examples, and neither spec explicitly says that referenced components have to be in their designated locations, in a valid OpenAPI document.
So we should not impose these additional restrictions.
Example: Reference to single-component schema file
Given a
Quotations_Schema.yaml
file like this:... the following OpenAPI 3.0 spec in the same folder should be valid:
It fails to resolve the ref, showing a warning:
Invalid object reference, the referenced object is not of expected type.
Here's an OpenAPI 2.0 file that should also be valid in the same folder containing
Quotations_Schema.yaml
. It fails with the same warning.Example: Internal Reference to Non-Components Path
The following OpenAPI 3.0 document correctly resolves the parameter reference in
/customers/parameters
to the parameter object defined in/products/parameters
:Here's the equivalent in Swagger-OpenAPI 2.0, which also works as expected:
Example: External reference to non-components path
The same also works for external references in OpenAPI 3.0:
ProductsPath.yaml
CustomersPath.yaml
Works in OAS2 as well:
ProductsPath_v2.yaml
CustomersPath_v2.yaml
Example: Reference to OAS-Standard Path in Invalid OAS Document
In both 2.0 and 3.0 versions, I can make the
ProductsPath
file invalid by removing the header, and the external reference to its parameter still works, as long as it's accessible through this path that would lead to a valid parameter if the target file were a valid OpenAPI document. I'll call this an "OAS-standard path."ProductsPathNotOAS.yaml
CustomersPath.yaml
ProductsPathNotOAS_v2.yaml
CustomersPathNotOAS_v2.yaml
Example: Reference to Non-OAS-Standard Path
If I put the parameter reference in a completely non-OAS-standard path, i.e. putting the parameter definiton in some path like
/foo/bar/parameter
that is not allowed in OpenAPI at all, then the external reference fails.ProductsPathReallyNotOAS.yaml
CustomersPathReallyNotOAS.yaml
ProductsPathReallyNotOAS_v2.yaml
CustomersPathReallyNotOAS_v2.yaml