fix: only include root security and security schemes relevant for operation when creating single operation specification

Author: b41ex

src/apitypes/rest/rest.operation.ts

@@ -47,7 +47,7 @@ import {
   takeIfDefined,
 } from '../../utils'
 import { API_KIND, INLINE_REFS_FLAG, ORIGINS_SYMBOL, VERSION_STATUS } from '../../consts'
-import { getCustomTags, resolveApiAudience } from './rest.utils'
+import { extractSecuritySchemesNames, getCustomTags, resolveApiAudience } from './rest.utils'
 import { DebugPerformanceContext, syncDebugPerformance } from '../../utils/logs'
 import {
   calculateDeprecatedItems,
@@ -142,13 +142,15 @@ export const buildRestOperation = (
   const models: Record<string, string> = {}
   const apiKind = effectiveOperationObject[REST_KIND_KEY] || document.apiKind || API_KIND.BWC
   const [specWithSingleOperation] = syncDebugPerformance('[ModelsAndOperationHashing]', () => {
+    const operationSecurity = effectiveOperationObject.security
     const specWithSingleOperation = createSingleOperationSpec(
       document.data,
       path,
       method,
       openapi,
       servers,
       security,
+      operationSecurity,
       components?.securitySchemes,
     )
     calculateSpecRefs(document.data, refsOnlySingleOperationSpec, specWithSingleOperation, [operationId], models, componentsHashMap)
@@ -320,22 +322,32 @@ const isOperationPaths = (paths: JsonPath[]): boolean => {
 // todo output of this method disrupts document normalization.
 //  origin symbols are not being transferred to the resulting spec.
 //  DO NOT pass output of this method to apiDiff
-const createSingleOperationSpec = (
+export const createSingleOperationSpec = (
   document: OpenAPIV3.Document,
   path: string,
   method: OpenAPIV3.HttpMethods,
   openapi?: string,
   servers?: OpenAPIV3.ServerObject[],
   security?: OpenAPIV3.SecurityRequirementObject[],
+  operationSecurity?: OpenAPIV3.SecurityRequirementObject[],
   securitySchemes?: { [p: string]: OpenAPIV3.ReferenceObject | OpenAPIV3.SecuritySchemeObject },
 ): TYPE.RestOperationData => {
   const pathData = document.paths[path] as OpenAPIV3.PathItemObject
 
+  // Filter security schemes to only include used ones
+  const effectiveSecurity = operationSecurity ?? security ?? []
+  const usedSecuritySchemeNames = extractSecuritySchemesNames(effectiveSecurity)
+  const effectiveSecuritySchemes = securitySchemes && usedSecuritySchemeNames.size > 0
+    ? Object.fromEntries(
+      Object.entries(securitySchemes).filter(([name]) => usedSecuritySchemeNames.has(name)),
+    )
+    : undefined
+
   const isRefPathData = !!pathData.$ref
   return {
     openapi: openapi ?? '3.0.0',
     ...takeIfDefined({ servers }),
-    ...takeIfDefined({ security }), // TODO: remove duplicates in security
+    ...!operationSecurity ? takeIfDefined({ security }) : {},// Only add root security if operation security is not explicitly defined
     paths: {
       [path]: isRefPathData
         ? pathData
@@ -346,7 +358,7 @@ const createSingleOperationSpec = (
         },
     },
     components: {
-      ...takeIfDefined({ securitySchemes }),
+      ...takeIfDefined({ securitySchemes: effectiveSecuritySchemes }),
     },
   }
 }

test/helpers/matchers.ts

@@ -31,7 +31,11 @@ import {
 } from '../../src'
 import { JsonPath } from 'json-crawl'
 import { ActionType } from '@netcracker/qubership-apihub-api-diff'
-import { ArrayContaining, ExpectedRecursive, ObjectContaining, RecursiveMatcher } from '../../.jest/jasmin'
+import { ArrayContaining, AsymmetricMatcher, ExpectedRecursive, ObjectContaining, RecursiveMatcher } from '../../.jest/jasmin'
+import { extractSecuritySchemesNames } from '../../src/apitypes/rest/rest.utils'
+import type { OpenAPIV3 } from 'openapi-types'
+
+type SecuritySchemesObject = OpenAPIV3.ComponentsObject['securitySchemes']
 
 export type ApihubComparisonMatcher = ObjectContaining<VersionsComparison> & VersionsComparison
 export type ApihubOperationChangesMatcher = ObjectContaining<OperationChanges> & OperationChanges
@@ -102,27 +106,27 @@ export function operationTypeMatcher(
   expected: RecursiveMatcher<OperationType>,
 ): ApihubChangesSummaryMatcher {
   return expect.objectContaining({
-      comparisons: expect.arrayContaining([
-        expect.objectContaining({
-          operationTypes: expect.arrayContaining([
-            expect.objectContaining(expected),
-          ]),
-        }),
-      ]),
-    },
+    comparisons: expect.arrayContaining([
+      expect.objectContaining({
+        operationTypes: expect.arrayContaining([
+          expect.objectContaining(expected),
+        ]),
+      }),
+    ]),
+  },
   )
 }
 
 export function operationChangesMatcher(
   expected: Array<ExpectedRecursive<OperationChanges>>,
 ): ApihubOperationChangesMatcher {
   return expect.objectContaining({
-      comparisons: expect.arrayContaining([
-        expect.objectContaining({
-          data: expect.toIncludeSameMembers(expected),
-        }),
-      ]),
-    },
+    comparisons: expect.arrayContaining([
+      expect.objectContaining({
+        data: expect.toIncludeSameMembers(expected),
+      }),
+    ]),
+  },
   )
 }
 
@@ -166,8 +170,8 @@ export function notificationsMatcher(
   expected: Array<RecursiveMatcher<NotificationMessage>>,
 ): ApihubNotificationsMatcher {
   return expect.objectContaining({
-      notifications: expect.toIncludeSameMembers(expected),
-    },
+    notifications: expect.toIncludeSameMembers(expected),
+  },
   )
 }
 
@@ -184,8 +188,8 @@ export function exportDocumentsMatcher(
   expected: Array<RecursiveMatcher<ZippableDocument>>,
 ): ApihubExportDocumentsMatcher {
   return expect.objectContaining({
-      exportDocuments: expect.toIncludeSameMembers(expected),
-    },
+    exportDocuments: expect.toIncludeSameMembers(expected),
+  },
   )
 }
 
@@ -196,3 +200,31 @@ export function exportDocumentMatcher(
     filename: filename,
   })
 }
+
+/**
+ * Custom matcher to verify that security schemes in result match exactly the schemes used in security requirements
+ */
+export function securitySchemesFromRequirementsMatcher(
+  securityRequirements: OpenAPIV3.SecurityRequirementObject[],
+): AsymmetricMatcher<SecuritySchemesObject> {
+  const expectedSchemes = Array.from(extractSecuritySchemesNames(securityRequirements))
+
+  return {
+    asymmetricMatch: (actual: SecuritySchemesObject): boolean => {
+      if (!actual || typeof actual !== 'object') {
+        return false
+      }
+
+      const actualSchemes = Object.keys(actual)
+
+      // Check that all expected schemes are present
+      const hasAllExpected = expectedSchemes.every(scheme => actualSchemes.includes(scheme))
+
+      // Check that no extra schemes are present
+      const hasOnlyExpected = actualSchemes.every(scheme => expectedSchemes.includes(scheme))
+
+      return hasAllExpected && hasOnlyExpected
+    },
+    jasmineToString: () => `securitySchemesFromRequirements(${JSON.stringify(expectedSchemes)})`,
+  }
+}

test/projects/rest.operation/conditional-security-explicit/base.yaml

@@ -0,0 +1,24 @@
+openapi: 3.0.3
+info:
+  title: Conditional Security Test
+  version: 1.0.0
+security:
+  - bearerAuth: []
+paths:
+  /test:
+    get:
+      summary: Test operation with explicit security
+      security:
+        - apiKey: []
+      responses:
+        '200':
+          description: OK
+components:
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+    apiKey:
+      type: apiKey
+      in: header
+      name: X-API-Key

test/projects/rest.operation/security-schemes-filtering-empty-operation/base.yaml

@@ -0,0 +1,24 @@
+openapi: 3.0.3
+info:
+  title: Security Filtering Root Test
+  version: 1.0.0
+paths:
+  /test:
+    get:
+      summary: Test operation
+      security: []
+      responses:
+        '200':
+          description: OK
+components:
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+    apiKeyAuth:
+      type: apiKey
+      in: header
+      name: X-API-Key
+    unusedAuth:
+      type: http
+      scheme: basic

test/projects/rest.operation/security-schemes-filtering-empty-root/base.yaml

@@ -0,0 +1,24 @@
+openapi: 3.0.3
+info:
+  title: Security Filtering Root Test
+  version: 1.0.0
+security: []
+paths:
+  /test:
+    get:
+      summary: Test operation
+      responses:
+        '200':
+          description: OK
+components:
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+    apiKeyAuth:
+      type: apiKey
+      in: header
+      name: X-API-Key
+    unusedAuth:
+      type: http
+      scheme: basic

test/projects/rest.operation/security-schemes-filtering-none-used/base.yaml

@@ -0,0 +1,23 @@
+openapi: 3.0.3
+info:
+  title: Security Filtering Test
+  version: 1.0.0
+paths:
+  /test:
+    get:
+      summary: Test operation with explicit security
+      responses:
+        '200':
+          description: OK
+components:
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+    apiKeyAuth:
+      type: apiKey
+      in: header
+      name: X-API-Key
+    unusedAuth:
+      type: http
+      scheme: basic

test/projects/rest.operation/security-schemes-filtering-operation/base.yaml

@@ -0,0 +1,25 @@
+openapi: 3.0.3
+info:
+  title: Security Filtering Test
+  version: 1.0.0
+paths:
+  /test:
+    get:
+      summary: Test operation with explicit security
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: OK
+components:
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+    apiKeyAuth:
+      type: apiKey
+      in: header
+      name: X-API-Key
+    unusedAuth:
+      type: http
+      scheme: basic

test/projects/rest.operation/security-schemes-filtering-root/base.yaml

@@ -0,0 +1,25 @@
+openapi: 3.0.3
+info:
+  title: Security Filtering Root Test
+  version: 1.0.0
+security:
+  - bearerAuth: []
+paths:
+  /test:
+    get:
+      summary: Test operation
+      responses:
+        '200':
+          description: OK
+components:
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+    apiKeyAuth:
+      type: apiKey
+      in: header
+      name: X-API-Key
+    unusedAuth:
+      type: http
+      scheme: basic