zalando / zally

A minimalistic, simple-to-use API linter
https://zalando.github.io/zally
MIT License

[Zally-CLI 1.1] Cannot submit file for linting. HTTP Status: 500 #765

Closed qlibin closed 6 years ago

qlibin commented 6 years ago

I've noticed that the Zally-CLI fails on a missing scopes field in securityDefinitions

$ zally lint api-without-scopes.yaml
Cannot submit file for linting. HTTP Status: 500, Response: {"title":"Internal Server Error","status":500}

api-without-scopes.yaml:

swagger: '2.0'
info:
  x-api-id: 1cc9097a-f3bd-4525-a2aa-3deb494efa4c
  x-audience: business-unit-internal
  title: Test API
  version: '0.1.0'
  description: |
      Just to reproduce a bug

schemes:
  - https

produces:
  - application/json

securityDefinitions:
  oauth2:
    type: oauth2
    flow: implicit
    authorizationUrl: https://identity.merchant-center.zalan.do/auth/realms/retailcore/protocol/openid-connect/auth

The following file doesn't produce status 500 response:

swagger: '2.0'
info:
  x-api-id: 1cc9097a-f3bd-4525-a2aa-3deb494efa4c
  x-audience: business-unit-internal
  title: Test API
  version: '0.1.0'
  description: |
      Just to reproduce a bug

schemes:
  - https

produces:
  - application/json

securityDefinitions:
  oauth2:
    type: oauth2
    flow: implicit
    authorizationUrl: https://identity.merchant-center.zalan.do/auth/realms/retailcore/protocol/openid-connect/auth
    scopes:
      uid: "dsfd"

$ zally -v
Zally-CLI version 1.1

maxim-tschumak commented 6 years ago

Thanks for reporting!

ghost commented 6 years ago

Might be related to #773 .

roxspring commented 6 years ago

Not sure @ddufourboivin-zalando. #773 seems to be about the parse failing, but that's not what's happening here. The file is syntactically valid swagger and parses correctly as such; where it fails is in the conversion to openapi: the upstream conversion code makes assumptions that simply aren't reliably true.

In this case, we possibly ought to offer a patch upstream, but can work around it with something like this in DefaultContext.kt:

// hack to allow OAuth2 definition with no scopes: the swagger -> openapi
// conversion assumes OAuth2Definition.scopes is non-null, so give it an empty map
// (OAuth2Definition is io.swagger.models.auth.OAuth2Definition from swagger-models)
swagger.securityDefinitions?.values
    ?.filterIsInstance<OAuth2Definition>()
    ?.forEach {
        if (it.scopes == null) {
            it.scopes = LinkedHashMap()
        }
    }
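A client-side pre-check that can be run before `zally lint`, added here as an example; it is not code from the zally project or from the commenter. It applies the same normalisation as the DefaultContext.kt workaround (an absent `scopes` becomes an empty map) to a Swagger 2.0 document already parsed into a Python dict, and additionally reports every `security` requirement that asks for a scope its oauth2 definition does not declare, since a definition with no scopes can satisfy none of them. The sample spec, its `api_key` scheme and the `/items` operation with its `uid` scope are constructed for the example; the object layout follows the Swagger 2.0 specification, which lists `scopes` as required for oauth2 schemes, which is why the upstream converter assumes it is there.

```python
"""Pre-check for Swagger 2.0 oauth2 securityDefinitions without scopes.

Added example, not code from the zally project: applies the same
normalisation as the DefaultContext.kt workaround (absent scopes -> empty
map) before a file is handed to the linter, and reports scope requirements
the definition cannot satisfy.
"""
import copy
import json
import sys

OAUTH2_TYPE = "oauth2"
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")

# Constructed sample mirroring the issue's api-without-scopes.yaml as a dict
# (Swagger 2.0 is the same object model in YAML or JSON), plus an assumed
# api_key scheme and an assumed /items operation that requests a scope the
# oauth2 definition never declares.
SAMPLE_SPEC = {
    "swagger": "2.0",
    "info": {"title": "Test API", "version": "0.1.0"},
    "schemes": ["https"],
    "produces": ["application/json"],
    "securityDefinitions": {
        "oauth2": {
            "type": "oauth2",
            "flow": "implicit",
            "authorizationUrl": "https://identity.merchant-center.zalan.do/auth/realms/retailcore/protocol/openid-connect/auth",
        },
        "api_key": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
    },
    "paths": {
        "/items": {
            "get": {
                "security": [{"oauth2": ["uid"]}],
                "responses": {"200": {"description": "OK"}},
            }
        }
    },
}


def declared_scopes(spec):
    """Map each oauth2 securityDefinition name to the set of scopes it declares."""
    result = {}
    for name, definition in (spec.get("securityDefinitions") or {}).items():
        if isinstance(definition, dict) and definition.get("type") == OAUTH2_TYPE:
            scopes = definition.get("scopes")
            result[name] = set(scopes) if isinstance(scopes, dict) else set()
    return result


def normalize_oauth2_scopes(spec):
    """Return (patched_copy, fixed_names): every oauth2 definition whose
    scopes is missing, null or not a map gets an empty map, as the Kotlin
    hack does. The input dict is left untouched."""
    patched = copy.deepcopy(spec)
    fixed = []
    for name, definition in (patched.get("securityDefinitions") or {}).items():
        if isinstance(definition, dict) and definition.get("type") == OAUTH2_TYPE:
            if not isinstance(definition.get("scopes"), dict):
                definition["scopes"] = {}
                fixed.append(name)
    return patched, fixed


def undeclared_scope_uses(spec):
    """List (location, scheme, scope) for every security requirement that
    names a scope its oauth2 definition does not declare. A definition with
    no scopes therefore flags every scope requested against it; non-oauth2
    and unknown schemes are skipped, as they carry no scopes to check."""
    declared = declared_scopes(spec)
    findings = []

    def check(location, requirements):
        for requirement in requirements or []:
            for scheme, scopes in requirement.items():
                if scheme in declared:
                    for scope in scopes:
                        if scope not in declared[scheme]:
                            findings.append((location, scheme, scope))

    check("global", spec.get("security"))
    for path, item in (spec.get("paths") or {}).items():
        if not isinstance(item, dict):
            continue
        for method in HTTP_METHODS:
            operation = item.get(method)
            if isinstance(operation, dict):
                check(f"{path} {method}", operation.get("security"))
    return findings


def main(argv):
    # Reads a JSON spec from argv[1], or uses the embedded sample.
    if len(argv) > 1:
        with open(argv[1]) as handle:
            spec = json.load(handle)
    else:
        spec = SAMPLE_SPEC
    patched, fixed = normalize_oauth2_scopes(spec)
    for name in fixed:
        print(f"securityDefinitions.{name}: no scopes declared, inserted empty map", file=sys.stderr)
    for location, scheme, scope in undeclared_scope_uses(patched):
        print(f"{location}: requests scope '{scope}' not declared on '{scheme}'", file=sys.stderr)
    json.dump(patched, sys.stdout, indent=2)
    print()


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a JSON spec path as the only argument, or with no argument to use the embedded sample; diagnostics go to stderr and the normalised document to stdout so it can be piped straight into `zally lint`. For YAML input, load the file with a YAML loader (for example PyYAML's safe_load) and pass the resulting dict to the two functions. Note that inserting an empty map only keeps the converter from crashing; an oauth2 scheme that declares no scopes still cannot authorise any operation that requests one, which is what the second check reports.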