Add support for non internal non components references to security schemes

mattpolzin · mattpolzin · commit 977ed9ca5693 · 2025-12-11T09:55:53.000-06:00
diff --git a/Sources/OpenAPIKit/Document/Document.swift b/Sources/OpenAPIKit/Document/Document.swift
@@ -857,7 +857,11 @@ internal func encodeSecurity<CodingKeys: CodingKey>(requirements security: [Open
     var securityContainer = container.nestedUnkeyedContainer(forKey: key)
     for securityRequirement in security {
         let securityKeysAndValues = securityRequirement
-            .compactMap { keyValue in keyValue.key.name.map { ($0, keyValue.value) } }
+            .compactMap { (key, value) in 
+                guard case .internal = key else { return (key.absoluteString, value) }
+
+                return key.name.map { ($0, value) }
+            }
         let securityStringKeyedDict = Dictionary(
             securityKeysAndValues,
             uniquingKeysWith: { $1 }
@@ -866,36 +870,52 @@ internal func encodeSecurity<CodingKeys: CodingKey>(requirements security: [Open
     }
 }
 
-internal func decodeSecurityRequirements<CodingKeys: CodingKey>(from container: KeyedDecodingContainer<CodingKeys>, forKey key: CodingKeys, given optionalComponents: OpenAPI.Components?) throws -> [OpenAPI.SecurityRequirement]? {
+internal func decodeSecurityRequirements<CodingKeys: CodingKey>(from container: KeyedDecodingContainer<CodingKeys>, forKey codingKey: CodingKeys, given optionalComponents: OpenAPI.Components?) throws -> [OpenAPI.SecurityRequirement]? {
     // A real mess here because we've got an Array of non-string-keyed
     // Dictionaries.
-    if container.contains(key) {
-        var securityContainer = try container.nestedUnkeyedContainer(forKey: key)
+    if container.contains(codingKey) {
+        var securityContainer = try container.nestedUnkeyedContainer(forKey: codingKey)
 
         var securityRequirements = [OpenAPI.SecurityRequirement]()
         while !securityContainer.isAtEnd {
             let securityStringKeyedDict = try securityContainer.decode([String: [String]].self)
 
-            // convert to JSONReference keys
-            let securityKeysAndValues = securityStringKeyedDict.map { (key, value) in
-                (
-                    key: JSONReference<OpenAPI.SecurityScheme>.component(named: key),
-                    value: value
-                )
-            }
+            // ultimately we end up with JSON references that may be internal
+            // or external. we determine if they are internal by looking them
+            // up in the components; if found, they are internal, otherwise,
+            // they are external.
+            let securityKeysAndValues: [(key: JSONReference<OpenAPI.SecurityScheme>, value: [String])]
 
             if let components = optionalComponents {
                 // check each key for validity against components.
                 let foundInComponents = { (ref: JSONReference<OpenAPI.SecurityScheme>) -> Bool in
                     return (try? components.contains(ref)) ?? false
                 }
-                guard securityKeysAndValues.map({ $0.key }).allSatisfy(foundInComponents) else {
+                var foundBadKeys = false
+                
+                securityKeysAndValues = securityStringKeyedDict.map { (key, value) in
+                    let componentKey = JSONReference<OpenAPI.SecurityScheme>.component(named: key)
+                    if foundInComponents(componentKey) {
+                        return (componentKey, value)
+                    }
+                    if let url = URL(string: key) {
+                        return (.external(url), value)
+                    }
+                    foundBadKeys = true
+                    return (componentKey, value)
+                }
+
+                if foundBadKeys {
                     throw GenericError(
-                        subjectName: key.stringValue,
-                        details: "Each key found in a Security Requirement dictionary must refer to a Security Scheme present in the Components dictionary",
-                        codingPath: container.codingPath + [key]
+                        subjectName: codingKey.stringValue,
+                        details: "Each key found in a Security Requirement dictionary must refer to a Security Scheme present in the Components dictionary or be a JSON reference to a security scheme found in another file",
+                        codingPath: container.codingPath + [codingKey]
                     )
                 }
+            } else {
+                securityKeysAndValues = securityStringKeyedDict.map { (key, value) in 
+                    (JSONReference<OpenAPI.SecurityScheme>.component(named: key), value)
+                }
             }
 
             securityRequirements.append(Dictionary(securityKeysAndValues, uniquingKeysWith: { $1 }))
@@ -928,6 +948,10 @@ internal func validate(securityRequirements: [OpenAPI.SecurityRequirement], at p
     let securitySchemes = securityRequirements.flatMap { $0.keys }
 
     for securityScheme in securitySchemes {
+        if case .external = securityScheme {
+            // external references are allowed as of OAS 3.2.0
+            continue
+        }
         guard components[securityScheme] != nil else {
             let schemeKey = securityScheme.name ?? securityScheme.absoluteString
             let keys = [
@@ -941,7 +965,7 @@ internal func validate(securityRequirements: [OpenAPI.SecurityRequirement], at p
 
             throw GenericError(
                 subjectName: schemeKey,
-                details: "Each key found in a Security Requirement dictionary must refer to a Security Scheme present in the Components dictionary",
+                details: "Each key found in a Security Requirement dictionary must refer to a Security Scheme present in the Components dictionary or be a JSON reference to a Security Scheme found in another file",
                 codingPath: keys
             )
         }
diff --git a/Tests/OpenAPIKitErrorReportingTests/SecuritySchemeErrorTests.swift b/Tests/OpenAPIKitErrorReportingTests/SecuritySchemeErrorTests.swift
@@ -11,8 +11,13 @@ import OpenAPIKit
 @preconcurrency import Yams
 
 final class SecuritySchemeErrorTests: XCTestCase {
-    func test_missingSecuritySchemeError() {
-        // missing as-in not found in the Components Object
+    func test_missingSecuritySchemeError() throws {
+        #if os(Linux) && compiler(>=6.0) && compiler(<6.1)
+        throw XCTSkip("Swift bug causes no exception in this test case for just one Swift 6 version (6.0)")
+        #endif
+
+        // missing as-in not found in the Components Object nor a valid external
+        // URL
         let documentYML =
         """
         openapi: 3.1.0
@@ -21,23 +26,25 @@ final class SecuritySchemeErrorTests: XCTestCase {
             version: 1.0
         paths: {}
         components: {}
-        security:
-            - missing: []
+        security: [
+          "": []
+        ]
         """
 
         XCTAssertThrowsError(try testDecoder.decode(OpenAPI.Document.self, from: documentYML)) { error in
 
             let openAPIError = OpenAPI.Error(from: error)
 
-            XCTAssertEqual(openAPIError.localizedDescription, "Problem encountered when parsing `security` in the root Document object: Each key found in a Security Requirement dictionary must refer to a Security Scheme present in the Components dictionary.")
+            XCTAssertEqual(openAPIError.localizedDescription, "Problem encountered when parsing `security` in the root Document object: Each key found in a Security Requirement dictionary must refer to a Security Scheme present in the Components dictionary or be a JSON reference to a security scheme found in another file.")
             XCTAssertEqual(openAPIError.codingPath.map { $0.stringValue }, [
                 "security"
             ])
         }
     }
 
     func test_missingSecuritySchemeInPathsError() {
-        // missing as-in not found in the Components Object
+        // missing as-in not found in the Components Object nor a valid external
+        // URL
         let documentYML =
         """
         openapi: 3.1.0
@@ -49,7 +56,7 @@ final class SecuritySchemeErrorTests: XCTestCase {
                 "get": {
                     "responses": {},
                     "security": [
-                        "hello": []
+                        "": []
                     ]
                 }
             }
@@ -61,13 +68,13 @@ final class SecuritySchemeErrorTests: XCTestCase {
 
             let openAPIError = OpenAPI.Error(from: error)
 
-            XCTAssertEqual(openAPIError.localizedDescription, "Problem encountered when parsing `hello` in Document.paths['/hello/world'].get.security: Each key found in a Security Requirement dictionary must refer to a Security Scheme present in the Components dictionary.")
+            XCTAssertEqual(openAPIError.localizedDescription, "Problem encountered when parsing `` in Document.paths['/hello/world'].get.security: Each key found in a Security Requirement dictionary must refer to a Security Scheme present in the Components dictionary or be a JSON reference to a Security Scheme found in another file.")
             XCTAssertEqual(openAPIError.codingPath.map { $0.stringValue }, [
                 "paths",
                 "/hello/world",
                 "get",
                 "security",
-                "hello"
+                ""
             ])
         }
     }
diff --git a/Tests/OpenAPIKitTests/Document/DocumentTests.swift b/Tests/OpenAPIKitTests/Document/DocumentTests.swift
@@ -40,6 +40,17 @@ final class DocumentTests: XCTestCase {
             tags: ["hi"],
             externalDocs: .init(url: URL(string: "https://google.com")!)
         )
+
+        // construct with external reference to a security scheme
+        let _ = OpenAPI.Document(
+            info: .init(title: "hi", version: "1.0"),
+            servers: [],
+            paths: [:],
+            components: .noComponents,
+            security: [
+                [.external(URL(string: "https://example.com/security.yml")!): []]
+            ]
+        )
     }
 
     func test_initOASVersions() {
@@ -846,7 +857,10 @@ extension DocumentTests {
             components: .direct(
                 securitySchemes: ["security": .init(type: .apiKey(name: "key", location: .header))]
             ),
-            security: [[.component( named: "security"):[]]]
+            security: [
+                [.component(named: "security"): []],
+                [.external(URL(string: "https://example.com/security.yml")!): []]
+            ]
         )
         let encodedDocument = try orderUnstableTestStringFromEncoding(of: document)
 
@@ -872,6 +886,11 @@ extension DocumentTests {
                 {
                   "security" : [
 
+                  ]
+                },
+                {
+                  "https:\\/\\/example.com\\/security.yml" : [
+
                   ]
                 }
               ]
@@ -880,7 +899,7 @@ extension DocumentTests {
         )
     }
 
-    func test_specifySecurity_decode() throws {
+    func test_specifyInternalSecurity_decode() throws {
         let documentData =
         """
         {
@@ -926,6 +945,122 @@ extension DocumentTests {
         )
     }
 
+    func test_securityNotFoundInComponentsIsExternal_decode() throws {
+        let documentData =
+        """
+        {
+          "components" : {
+          },
+          "info" : {
+            "title" : "API",
+            "version" : "1.0"
+          },
+          "openapi" : "3.1.1",
+          "paths" : {
+
+          },
+          "security" : [
+            {
+              "security" : [
+
+              ]
+            }
+          ]
+        }
+        """.data(using: .utf8)!
+        let document = try orderUnstableDecode(OpenAPI.Document.self, from: documentData)
+
+        XCTAssertEqual(
+            document,
+            OpenAPI.Document(
+                info: .init(title: "API", version: "1.0"),
+                servers: [],
+                paths: [:],
+                components: .noComponents,
+                security: [[.external(URL(string: "security")!):[]]]
+            )
+        )
+    }
+
+    func test_specifyExternalSecurity_decode() throws {
+        let documentData =
+        """
+        {
+          "components" : {
+            "securitySchemes" : {
+              "security" : {
+                "in" : "header",
+                "name" : "key",
+                "type" : "apiKey"
+              }
+            }
+          },
+          "info" : {
+            "title" : "API",
+            "version" : "1.0"
+          },
+          "openapi" : "3.1.1",
+          "paths" : {
+
+          },
+          "security" : [
+            {
+              "https://example.com/security.yml": []
+            }
+          ]
+        }
+        """.data(using: .utf8)!
+        let document = try orderUnstableDecode(OpenAPI.Document.self, from: documentData)
+
+        XCTAssertEqual(
+            document,
+            OpenAPI.Document(
+                info: .init(title: "API", version: "1.0"),
+                servers: [],
+                paths: [:],
+                components: .direct(
+                    securitySchemes: ["security": .init(type: .apiKey(name: "key", location: .header))]
+                ),
+                security: [[.external(URL(string: "https://example.com/security.yml")!): []]]
+            )
+        )
+    }
+
+    func test_specifyInvalidSecurity_decode() throws {
+        let documentData =
+        """
+        {
+          "components" : {
+            "securitySchemes" : {
+              "security" : {
+                "in" : "header",
+                "name" : "key",
+                "type" : "apiKey"
+              }
+            }
+          },
+          "info" : {
+            "title" : "API",
+            "version" : "1.0"
+          },
+          "openapi" : "3.1.1",
+          "paths" : {
+
+          },
+          "security" : [
+            {
+              "$$$://(capture) <not &a valid>% @url://::**$[]": []
+            }
+          ]
+        }
+        """.data(using: .utf8)!
+        XCTAssertThrowsError(
+            try orderUnstableDecode(OpenAPI.Document.self, from: documentData)
+        ) { error in
+            XCTAssertEqual(OpenAPI.Error(from: error).localizedDescription, "Problem encountered when parsing `security` in the root Document object: Each key found in a Security Requirement dictionary must refer to a Security Scheme present in the Components dictionary or be a JSON reference to a security scheme found in another file.")
+        }
+    }
+
     func test_specifyTags_encode() throws {
         let document = OpenAPI.Document(
             info: .init(title: "API", version: "1.0"),
