Merge pull request #457 from mattpolzin/feature/447/security-scheme-changes

OAS 3.2.0 security scheme features

Author: mattpolzin

Sources/OpenAPIKit/Document/Document.swift

@@ -857,7 +857,11 @@ internal func encodeSecurity<CodingKeys: CodingKey>(requirements security: [Open
     var securityContainer = container.nestedUnkeyedContainer(forKey: key)
     for securityRequirement in security {
         let securityKeysAndValues = securityRequirement
-            .compactMap { keyValue in keyValue.key.name.map { ($0, keyValue.value) } }
+            .compactMap { (key, value) in 
+                guard case .internal = key else { return (key.absoluteString, value) }
+
+                return key.name.map { ($0, value) }
+            }
         let securityStringKeyedDict = Dictionary(
             securityKeysAndValues,
             uniquingKeysWith: { $1 }
@@ -866,36 +870,52 @@ internal func encodeSecurity<CodingKeys: CodingKey>(requirements security: [Open
     }
 }
 
-internal func decodeSecurityRequirements<CodingKeys: CodingKey>(from container: KeyedDecodingContainer<CodingKeys>, forKey key: CodingKeys, given optionalComponents: OpenAPI.Components?) throws -> [OpenAPI.SecurityRequirement]? {
+internal func decodeSecurityRequirements<CodingKeys: CodingKey>(from container: KeyedDecodingContainer<CodingKeys>, forKey codingKey: CodingKeys, given optionalComponents: OpenAPI.Components?) throws -> [OpenAPI.SecurityRequirement]? {
     // A real mess here because we've got an Array of non-string-keyed
     // Dictionaries.
-    if container.contains(key) {
-        var securityContainer = try container.nestedUnkeyedContainer(forKey: key)
+    if container.contains(codingKey) {
+        var securityContainer = try container.nestedUnkeyedContainer(forKey: codingKey)
 
         var securityRequirements = [OpenAPI.SecurityRequirement]()
         while !securityContainer.isAtEnd {
             let securityStringKeyedDict = try securityContainer.decode([String: [String]].self)
 
-            // convert to JSONReference keys
-            let securityKeysAndValues = securityStringKeyedDict.map { (key, value) in
-                (
-                    key: JSONReference<OpenAPI.SecurityScheme>.component(named: key),
-                    value: value
-                )
-            }
+            // ultimately we end up with JSON references that may be internal
+            // or external. we determine if they are internal by looking them
+            // up in the components; if found, they are internal, otherwise,
+            // they are external.
+            let securityKeysAndValues: [(key: JSONReference<OpenAPI.SecurityScheme>, value: [String])]
 
             if let components = optionalComponents {
                 // check each key for validity against components.
                 let foundInComponents = { (ref: JSONReference<OpenAPI.SecurityScheme>) -> Bool in
                     return (try? components.contains(ref)) ?? false
                 }
-                guard securityKeysAndValues.map({ $0.key }).allSatisfy(foundInComponents) else {
+                var foundBadKeys = false
+                
+                securityKeysAndValues = securityStringKeyedDict.map { (key, value) in
+                    let componentKey = JSONReference<OpenAPI.SecurityScheme>.component(named: key)
+                    if foundInComponents(componentKey) {
+                        return (componentKey, value)
+                    }
+                    if let url = URL(string: key) {
+                        return (.external(url), value)
+                    }
+                    foundBadKeys = true
+                    return (componentKey, value)
+                }
+
+                if foundBadKeys {
                     throw GenericError(
-                        subjectName: key.stringValue,
-                        details: "Each key found in a Security Requirement dictionary must refer to a Security Scheme present in the Components dictionary",
-                        codingPath: container.codingPath + [key]
+                        subjectName: codingKey.stringValue,
+                        details: "Each key found in a Security Requirement dictionary must refer to a Security Scheme present in the Components dictionary or be a JSON reference to a security scheme found in another file",
+                        codingPath: container.codingPath + [codingKey]
                     )
                 }
+            } else {
+                securityKeysAndValues = securityStringKeyedDict.map { (key, value) in 
+                    (JSONReference<OpenAPI.SecurityScheme>.component(named: key), value)
+                }
             }
 
             securityRequirements.append(Dictionary(securityKeysAndValues, uniquingKeysWith: { $1 }))
@@ -928,6 +948,10 @@ internal func validate(securityRequirements: [OpenAPI.SecurityRequirement], at p
     let securitySchemes = securityRequirements.flatMap { $0.keys }
 
     for securityScheme in securitySchemes {
+        if case .external = securityScheme {
+            // external references are allowed as of OAS 3.2.0
+            continue
+        }
         guard components[securityScheme] != nil else {
             let schemeKey = securityScheme.name ?? securityScheme.absoluteString
             let keys = [
@@ -941,7 +965,7 @@ internal func validate(securityRequirements: [OpenAPI.SecurityRequirement], at p
 
             throw GenericError(
                 subjectName: schemeKey,
-                details: "Each key found in a Security Requirement dictionary must refer to a Security Scheme present in the Components dictionary",
+                details: "Each key found in a Security Requirement dictionary must refer to a Security Scheme present in the Components dictionary or be a JSON reference to a Security Scheme found in another file",
                 codingPath: keys
             )
         }

Sources/OpenAPIKit/Security/OAuthFlows.swift

@@ -0,0 +1,156 @@
+//
+//  OAuthFlows.swift
+//  
+//
+//  Created by Mathew Polzin on 1/23/20.
+//
+
+import OpenAPIKitCore
+import Foundation
+
+extension OpenAPI {
+    /// OpenAPI Spec "Oauth Flows Object"
+    ///
+    /// See [OpenAPI Oauth Flows Object](https://spec.openapis.org/oas/v3.0.4.html#oauth-flows-object).
+    public struct OAuthFlows: HasConditionalWarnings, Sendable {
+        public let implicit: Implicit?
+        public let password: Password?
+        public let clientCredentials: ClientCredentials?
+        public let authorizationCode: AuthorizationCode?
+        public let deviceAuthorization: DeviceAuthorization?
+
+        public let conditionalWarnings: [(any Condition, OpenAPI.Warning)]
+
+        public init(
+            implicit: Implicit? = nil,
+            password: Password? = nil,
+            clientCredentials: ClientCredentials? = nil,
+            authorizationCode: AuthorizationCode? = nil,
+            deviceAuthorization: DeviceAuthorization? = nil
+        ) {
+            self.implicit = implicit
+            self.password = password
+            self.clientCredentials = clientCredentials
+            self.authorizationCode = authorizationCode
+            self.deviceAuthorization = deviceAuthorization
+
+            self.conditionalWarnings = [
+                nonNilVersionWarning(fieldName: "deviceAuthorization", value: deviceAuthorization, minimumVersion: .v3_2_0)
+            ].compactMap { $0 }
+        }
+    }
+}
+
+extension OpenAPI.OAuthFlows: Equatable {
+    public static func == (lhs: Self, rhs: Self) -> Bool {
+        lhs.implicit == rhs.implicit
+        && lhs.password == rhs.password
+        && lhs.clientCredentials == rhs.clientCredentials
+        && lhs.authorizationCode == rhs.authorizationCode
+        && lhs.deviceAuthorization == rhs.deviceAuthorization
+    }
+}
+
+fileprivate func nonNilVersionWarning<Subject>(fieldName: String, value: Subject?, minimumVersion: OpenAPI.Document.Version) -> (any Condition, OpenAPI.Warning)? {
+    value.map { _ in
+        OpenAPI.Document.ConditionalWarnings.version(
+            lessThan: minimumVersion,
+            doesNotSupport: "The OAuthFlows \(fieldName) field"
+        )
+    }
+}
+
+extension OpenAPI.OAuthFlows {
+    @dynamicMemberLookup
+    public struct DeviceAuthorization: Equatable, Sendable {
+        private let common: CommonFields
+        public let deviceAuthorizationUrl: URL
+        public let tokenUrl: URL
+
+        public init(deviceAuthorizationUrl: URL, tokenUrl: URL, refreshUrl: URL? = nil, scopes: OrderedDictionary<Scope, ScopeDescription>) {
+            self.deviceAuthorizationUrl = deviceAuthorizationUrl
+            self.tokenUrl = tokenUrl
+            common = .init(refreshUrl: refreshUrl, scopes: scopes)
+        }
+
+        public subscript<T>(dynamicMember path: KeyPath<CommonFields, T>) -> T {
+            return common[keyPath: path]
+        }
+    }
+}
+
+// MARK: - Codable
+extension OpenAPI.OAuthFlows {
+    private enum CodingKeys: String, CodingKey {
+        case implicit
+        case password
+        case clientCredentials
+        case authorizationCode
+        case deviceAuthorization
+    }
+}
+
+extension OpenAPI.OAuthFlows.DeviceAuthorization {
+    private enum CodingKeys: String, CodingKey {
+        case deviceAuthorizationUrl
+        case tokenUrl
+    }
+}
+
+extension OpenAPI.OAuthFlows: Encodable {
+    public func encode(to encoder: Encoder) throws {
+        var container = encoder.container(keyedBy: CodingKeys.self)
+
+        try container.encodeIfPresent(implicit, forKey: .implicit)
+        try container.encodeIfPresent(password, forKey: .password)
+        try container.encodeIfPresent(clientCredentials, forKey: .clientCredentials)
+        try container.encodeIfPresent(authorizationCode, forKey: .authorizationCode)
+        try container.encodeIfPresent(deviceAuthorization, forKey: .deviceAuthorization)
+    }
+}
+
+extension OpenAPI.OAuthFlows: Decodable {
+    public init(from decoder: Decoder) throws {
+        let container = try decoder.container(keyedBy: CodingKeys.self)
+
+        implicit = try container.decodeIfPresent(OpenAPI.OAuthFlows.Implicit.self, forKey: .implicit)
+        password = try container.decodeIfPresent(OpenAPI.OAuthFlows.Password.self, forKey: .password)
+        clientCredentials = try container.decodeIfPresent(OpenAPI.OAuthFlows.ClientCredentials.self, forKey: .clientCredentials)
+        authorizationCode = try container.decodeIfPresent(OpenAPI.OAuthFlows.AuthorizationCode.self, forKey: .authorizationCode)
+        deviceAuthorization = try container.decodeIfPresent(OpenAPI.OAuthFlows.DeviceAuthorization.self, forKey: .deviceAuthorization)
+
+        self.conditionalWarnings = [
+            nonNilVersionWarning(fieldName: "deviceAuthorization", value: deviceAuthorization, minimumVersion: .v3_2_0)
+        ].compactMap { $0 }
+    }
+}
+
+extension OpenAPI.OAuthFlows.DeviceAuthorization: Encodable {
+    public func encode(to encoder: Encoder) throws {
+        try common.encode(to: encoder)
+
+        var container = encoder.container(keyedBy: CodingKeys.self)
+
+        try container.encode(tokenUrl.absoluteString, forKey: .tokenUrl)
+        try container.encode(deviceAuthorizationUrl.absoluteString, forKey: .deviceAuthorizationUrl)
+    }
+}
+
+extension OpenAPI.OAuthFlows.DeviceAuthorization: Decodable {
+    public init(from decoder: Decoder) throws {
+        common = try OpenAPI.OAuthFlows.CommonFields(from: decoder)
+
+        let container = try decoder.container(keyedBy: CodingKeys.self)
+
+        tokenUrl = try container.decodeURLAsString(forKey: .tokenUrl)
+        deviceAuthorizationUrl = try container.decodeURLAsString(forKey: .deviceAuthorizationUrl)
+    }
+}
+
+extension OpenAPI.OAuthFlows: Validatable {}
+extension OpenAPI.OAuthFlows.DeviceAuthorization: Validatable {}
+// The following conformances are found in Core
+// extension Shared.OAuthFlows.Implicit: Validatable {}
+// extension Shared.OAuthFlows.Password: Validatable {}
+// extension Shared.OAuthFlows.ClientCredentials: Validatable {}
+// extension Shared.OAuthFlows.AuthorizationCode: Validatable {}