@yelizhenden-mdb yelizhenden-mdb commented Mar 31, 2025

Proposed changes

Jira ticket: CLOUDP-304964

  xgen-IPA-114-authenticated-endpoints-have-auth-errors:
    description: |
      Authenticated endpoints must define 401 and 403 responses.

      ##### Implementation details
      This rule checks that all authenticated endpoints (those without explicit 'security: []' 
      and not containing '/unauth' in the path) include 401 and 403 responses.

Checklist

  • I have signed the MongoDB CLA
  • I have added tests that prove my fix is effective or that my feature works

Changes to Spectral

  • I have read the README file for Spectral Updates

Further comments

@yelizhenden-mdb yelizhenden-mdb marked this pull request as ready for review March 31, 2025 15:36
@yelizhenden-mdb yelizhenden-mdb requested a review from a team as a code owner March 31, 2025 15:36
and not containing '/unauth' in the path) include 401 and 403 responses.
message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-114-authenticated-endpoints-have-auth-errors'
severity: warn
given: '$.paths[*][*]'
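
Review bot: `given: '$.paths[*][*]'` selects every key under each path item, not only operations, so the rule function also runs on `parameters`, `summary`, `description`, `servers` and any `x-` extension objects. Restrict the selector to the HTTP method keys, or have the rule function return early for non-operation keys, so that only operations are checked for 401 and 403 responses.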

@lovisaberggren lovisaberggren Mar 31, 2025

Suggested change
given: '$.paths[*][*]'
given: '$.paths[*][put,patch,get,delete...]'

I think you need to add the methods explicitly here (similarly to a few of the IPA 117 rules), otherwise it will validate extensions as well. I can see in the results:

warning  xgen-IPA-114-authenticated-endpoints-have-auth-errors  Authenticated endpoint must define a 401 and 403 responses. https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-114-authenticated-endpoints-have-auth-errors                                                                                                        paths./api/atlas/v2/alertConfigs/matchers/fieldNames.x-xgen-IPA-exception

For: paths./api/atlas/v2/alertConfigs/matchers/fieldNames.x-xgen-IPA-exception

Collaborator Author

Nice catch, addressed 👍 507 violations 🥲

Collaborator

:hidethepainharold:

@yelizhenden-mdb yelizhenden-mdb merged commit f5ae0e6 into main Mar 31, 2025
8 checks passed
@yelizhenden-mdb yelizhenden-mdb deleted the CLOUDP-304964 branch March 31, 2025 16:36
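
As an added example (not code from this pull request or from the MongoDB repository), the check described in the rule can be sketched so that it runs only on HTTP method keys, which keeps path-item extensions such as `x-xgen-IPA-exception` out of the results. The function names and the sample document are assumptions made for illustration.

```javascript
// Added example: a stand-alone sketch of the check, not the Spectral rule from this PR.
// HTTP_METHODS, isAuthenticated and findMissingAuthErrors are hypothetical names.
const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

// Authenticated = no explicit `security: []` and no '/unauth' in the path (per the rule description).
function isAuthenticated(path, operation) {
  const optedOut = Array.isArray(operation.security) && operation.security.length === 0;
  return !optedOut && !path.includes('/unauth');
}

// Returns one finding per authenticated operation that lacks a 401 or 403 response.
function findMissingAuthErrors(spec) {
  const findings = [];
  for (const [path, pathItem] of Object.entries(spec.paths || {})) {
    for (const [key, operation] of Object.entries(pathItem || {})) {
      // Only operation keys are checked; 'parameters', 'summary' and 'x-*' extensions are skipped.
      if (!HTTP_METHODS.includes(key)) continue;
      if (!operation || typeof operation !== 'object') continue;
      if (!isAuthenticated(path, operation)) continue;
      const responses = operation.responses || {};
      const missing = ['401', '403'].filter((code) => !(code in responses));
      if (missing.length > 0) {
        findings.push({ location: `paths.${path}.${key}`, missing });
      }
    }
  }
  return findings;
}

// Constructed sample document (paths and values are made up for this example).
const sampleSpec = {
  paths: {
    '/api/example/v2/widgets': {
      'x-xgen-IPA-exception': { constructed: true },
      parameters: [{ name: 'envelope', in: 'query' }],
      get: { responses: { 200: {}, 401: {}, 403: {} } },
      post: { responses: { 201: {}, 401: {} } },
      delete: { security: [], responses: { 204: {} } },
    },
    '/api/example/v2/unauth/status': { get: { responses: { 200: {} } } },
  },
};

console.log(findMissingAuthErrors(sampleSpec));
```

Only the `post` operation is reported here: the extension and `parameters` keys are never visited, `delete` opts out with `security: []`, and the `/unauth` path is exempt.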