python-openapi / openapi-core

Openapi-core is a Python library that adds client-side and server-side support for the OpenAPI v3.0 and OpenAPI v3.1 specification.
BSD 3-Clause "New" or "Revised" License

[Bug]: Mutual exclusion by use of `additionalProperties: false` across union types #803

Open segfault87 opened 4 months ago

segfault87 commented 4 months ago

Actual Behavior

If additionalProperties: false is declared in components and they are combined into one by allOf, validation unconditionally fails.

Let's say we have the following OpenAPI spec:

---
openapi: 3.0.0

info:
  title: Test API
  description: Test
  version: 0.0.1

servers:
  - url: https://www.example.com

paths:
  /test:
    post:
      summary: test
      description: test
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Derived'
        required: true
      responses:
        "200":
          description: Success

components:
  schemas:
    Base:
      required:
      - foo
      type: object
      properties:
        foo:
          type: string
          nullable: false
      additionalProperties: false
    Derived:
      type: object
      allOf:
      - $ref: '#/components/schemas/Base'
      - type: object
        required:
        - bar
        properties:
          bar:
            type: string
            nullable: false
        additionalProperties: false

This spec compiles without any problem. But when validating an actual request with this spec, the validator fails with the following error message:

RequestValidationResult(errors=[InvalidSchemaValue(value={'bar': '2',
                                                          'foo': '1'},
                                                   type='object',
                                                   schema_errors=(<ValidationError: "Additional properties are not allowed ('bar' was unexpected)">,
                                                                  <ValidationError: "Additional properties are not allowed ('foo' was unexpected)">))],
                        body=None,
                        parameters=Parameters(query={},
                                              header={},
                                              cookie={},
                                              path={}),
                        security={})

Expected Behavior

I think openapi-core should behave in one of the following ways:

Steps to Reproduce

Validate {"foo": "-", "bar": "-"} with the spec supplied above.

OpenAPI Core Version

0.19.0

OpenAPI Core Integration

pydantic

Affected Area(s)

validation

References

No response

Anything else we need to know?

No response

Would you like to implement a fix?

Yes

p1c2u commented 3 months ago

Hi @segfault87 thanks for the report.

Mutual exclusion is not something that should be checked by a validation tool. Validation tools just make sure your requirements are met. It is up to the user how he designs his requirements. Tools shouldn't forbid making a mutual exclusion requirement like interest > 10 and < 1.

What you need is probably unevaluatedProperties, which is part of OpenAPI 3.1.

components:
  schemas:
    Base:
      required:
      - foo
      type: object
      properties:
        foo:
          type: string
          nullable: false
    Derived:
      type: object
      unevaluatedProperties: false
      allOf:
      - $ref: '#/components/schemas/Base'
      - type: object
        required:
        - bar
        properties:
          bar:
            type: string
            nullable: false
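
The two schemas in this thread, run through a small evaluator, show why the first rejects every body and the second rejects only undeclared fields. This is an added example, not code from the thread or from openapi-core; `validate`, `obj_schema`, `check` and the sample bodies are constructed here, and the evaluator models only `allOf`, `properties`, `required`, `additionalProperties: false` and `unevaluatedProperties: false` (property types are not checked).

```python
def validate(schema, obj):
    """Return (errors, evaluated) for an object instance (simplified model)."""
    errors, evaluated = [], set()
    for sub in schema.get("allOf", []):
        sub_errors, sub_evaluated = validate(sub, obj)
        errors += sub_errors
        if not sub_errors:  # only passing subschemas contribute annotations
            evaluated |= sub_evaluated
    declared = set(schema.get("properties", {}))
    evaluated |= declared & set(obj)
    for name in schema.get("required", []):
        if name not in obj:
            errors.append(f"'{name}' is a required property")
    # additionalProperties sees only `properties` in this same schema object;
    # sibling subschemas under allOf are invisible to it.
    if schema.get("additionalProperties") is False:
        errors += [f"'{n}' was unexpected (additionalProperties)"
                   for n in sorted(set(obj) - declared)]
    # unevaluatedProperties also counts properties matched inside allOf.
    if schema.get("unevaluatedProperties") is False:
        errors += [f"'{n}' was unexpected (unevaluatedProperties)"
                   for n in sorted(set(obj) - evaluated)]
    return errors, evaluated


def obj_schema(prop, closed):
    """Build one allOf member: an object requiring a single string property."""
    s = {"type": "object", "required": [prop],
         "properties": {prop: {"type": "string"}}}
    if closed:
        s["additionalProperties"] = False
    return s


# Schema from the report: each allOf member is closed on its own.
DERIVED_30 = {"type": "object",
              "allOf": [obj_schema("foo", True), obj_schema("bar", True)]}
# Schema from the reply: members stay open, the union is closed once.
DERIVED_31 = {"type": "object", "unevaluatedProperties": False,
              "allOf": [obj_schema("foo", False), obj_schema("bar", False)]}


def check(schema, body):
    return validate(schema, body)[0]


if __name__ == "__main__":
    body = {"foo": "1", "bar": "2"}  # constructed sample request body
    print(check(DERIVED_30, body))
    print(check(DERIVED_31, body))
    print(check(DERIVED_31, {**body, "extra": "x"}))
```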