Feat/swg 15853 port validation security clean (#4995)

* feat(ls): port validation security

Author: lukaszzazulak

packages/apidom-ls/src/config/codes.ts

@@ -80,6 +80,8 @@ enum ApilintCodes {
   SCHEMA_PATTERN_REG_EXP_ANCHORS,
   SCHEMA_ITEMS_REQUIRED,
 
+  SECURITY_REQUIREMENT_ARRAY = 14997,
+  SECURITY_SCHEME_USED = 14998,
   DUPLICATE_KEYS = 14999,
   NOT_ALLOWED_FIELDS = 15000,
 
@@ -835,6 +837,7 @@ enum ApilintCodes {
   OPENAPI2_SECURITY_SCHEME_FIELD_TOKEN_URL_REQUIRED,
   OPENAPI2_SECURITY_SCHEME_FIELD_SCOPES_TYPE = 3220800,
   OPENAPI2_SECURITY_SCHEME_FIELD_SCOPES_REQUIRED,
+  OPENAPI2_SECURITY_SCHEME_FIELD_SCOPES_RESOLVED,
 
   OPENAPI2_HEADER = 3230000,
   OPENAPI2_HEADER_FIELD_DESCRIPTION_TYPE = 3230100,

packages/apidom-ls/src/config/openapi/security-requirement/lint/index.ts

@@ -1,6 +1,13 @@
 import keysDefined2_0Lint from './keys--defined-2-0.ts';
 import keysDefined3_0__3_1Lint from './keys--defined-3-0--3-1.ts';
+import valuesResolved20Lint from './values--resolved-2-0.ts';
+import valueTypeArrayLint from './value--type-array.ts';
 
-const lints = [keysDefined2_0Lint, keysDefined3_0__3_1Lint];
+const lints = [
+  keysDefined2_0Lint,
+  keysDefined3_0__3_1Lint,
+  valuesResolved20Lint,
+  valueTypeArrayLint,
+];
 
 export default lints;

packages/apidom-ls/src/config/openapi/security-requirement/lint/value--type-array.ts

@@ -0,0 +1,17 @@
+import { DiagnosticSeverity } from 'vscode-languageserver-types';
+
+import ApilintCodes from '../../../codes.ts';
+import { LinterMeta } from '../../../../apidom-language-types.ts';
+import { OpenAPI2, OpenAPI30 } from '../../target-specs.ts';
+
+const valueTypeArrayLint: LinterMeta = {
+  code: ApilintCodes.SECURITY_REQUIREMENT_ARRAY,
+  source: 'apilint',
+  message: 'must be an array',
+  severity: DiagnosticSeverity.Error,
+  linterFunction: 'apilintChildrenOfType',
+  linterParams: ['array'],
+  targetSpecs: [...OpenAPI2, ...OpenAPI30],
+};
+
+export default valueTypeArrayLint;

packages/apidom-ls/src/config/openapi/security-requirement/lint/values--resolved-2-0.ts

@@ -0,0 +1,17 @@
+import { DiagnosticSeverity } from 'vscode-languageserver-types';
+
+import ApilintCodes from '../../../codes.ts';
+import { LinterMeta } from '../../../../apidom-language-types.ts';
+import { OpenAPI2 } from '../../target-specs.ts';
+
+const valuesResolved20Lint: LinterMeta = {
+  code: ApilintCodes.OPENAPI2_SECURITY_SCHEME_FIELD_SCOPES_RESOLVED,
+  source: 'apilint',
+  message: 'Security scope definition could not be resolved',
+  severity: DiagnosticSeverity.Error,
+  linterFunction: 'apilintSecurityScopeResolved',
+  marker: 'value',
+  targetSpecs: OpenAPI2,
+};
+
+export default valuesResolved20Lint;

packages/apidom-ls/src/config/openapi/security-scheme/lint/index.ts

@@ -26,6 +26,7 @@ import flowsTypeLint from './flows--type.ts';
 import flowsRequiredLint from './flows--required.ts';
 import openIdConnectUrlFormatURILint from './open-id-connect-url--format-uri.ts';
 import openIdConnectUrlRequiredLint from './open-id-connect-url--required.ts';
+import keysUsedLint from './keys--used.ts';
 
 const lints = [
   typeEquals2_0Lint,
@@ -57,6 +58,7 @@ const lints = [
   allowedFields2_0Lint,
   allowedFields3_0Lint,
   allowedFields3_1Lint,
+  keysUsedLint,
 ];
 
 export default lints;

packages/apidom-ls/src/config/openapi/security-scheme/lint/keys--used.ts

@@ -0,0 +1,18 @@
+import { DiagnosticSeverity } from 'vscode-languageserver-types';
+
+import ApilintCodes from '../../../codes.ts';
+import { LinterMeta } from '../../../../apidom-language-types.ts';
+import { OpenAPI2, OpenAPI30 } from '../../target-specs.ts';
+
+const keysUsedLint: LinterMeta = {
+  code: ApilintCodes.SECURITY_SCHEME_USED,
+  source: 'apilint',
+  message:
+    'Security Scheme was defined but never used. To apply security, use the `security` section in operations or on the root level of your API definition',
+  severity: DiagnosticSeverity.Warning,
+  linterFunction: 'apilintSecuritySchemeUsed',
+  marker: 'key',
+  targetSpecs: [...OpenAPI2, ...OpenAPI30],
+};
+
+export default keysUsedLint;

packages/apidom-ls/src/services/validation/linter-functions.ts

@@ -1334,4 +1334,73 @@ export const standardLinterfunctions: FunctionItem[] = [
       return true;
     },
   },
+  {
+    functionName: 'apilintSecurityScopeResolved',
+    function: (element: Element): boolean => {
+      const api = root(element);
+      const securityDefinitions = isObject(api) && api.get('securityDefinitions');
+      if (!securityDefinitions || !isObject(securityDefinitions)) return true;
+
+      const hasScope = (schemeName: string, scopesFromSecurity: string[]) => {
+        const oneSecurityDefinition = securityDefinitions.get(schemeName);
+        if (!oneSecurityDefinition) return true; // returning true, because when key is not found, then keys--defined rule will come into play.
+
+        const oneSecurityDefinitionScopes = oneSecurityDefinition.get('scopes');
+        if (!oneSecurityDefinitionScopes) return true; // returning true, because when scopes is not found, then scope--required rule from security scheme will come into play.
+
+        return scopesFromSecurity.every(
+          (scopeFromSecurity: string) => !!oneSecurityDefinitionScopes.get(scopeFromSecurity),
+        );
+      };
+
+      if (isObject(element)) {
+        const securityRequirement = element.toValue();
+        for (const [schemeName, scopesFromSecurity] of Object.entries(securityRequirement)) {
+          if (Array.isArray(scopesFromSecurity)) {
+            return hasScope(schemeName, scopesFromSecurity);
+          }
+        }
+      }
+
+      return true;
+    },
+  },
+  {
+    functionName: 'apilintSecuritySchemeUsed',
+    function: (element: Element): boolean => {
+      if (element && element.parent && isMember(element.parent)) {
+        const schemeName: string =
+          isStringElement(element.parent.key) && element.parent.key.toValue();
+        const api = root(element);
+        const globalSecurity: ObjectElement[] = isObject(api) && api.get('security');
+        if (globalSecurity) {
+          for (const secObj of globalSecurity) {
+            if (secObj.hasKey(schemeName)) {
+              return true;
+            }
+          }
+        }
+        const paths: ObjectElement = isObject(api) && api.get('paths');
+        return !!paths.findElements(
+          (e) => {
+            if (isObject(e) && e.hasKey('security')) {
+              const opSecurity = e.get('security');
+              if (isArray(opSecurity)) {
+                return !!opSecurity.findElements(
+                  (securityRequirementObject) =>
+                    isObject(securityRequirementObject) &&
+                    securityRequirementObject.hasKey(schemeName),
+                  {},
+                ).length;
+              }
+            }
+            return false;
+          },
+          { recursive: true },
+        ).length;
+      }
+
+      return true;
+    },
+  },
 ];

packages/apidom-ls/test/fixtures/validation/oas/security-requirement-not-array.yaml

@@ -0,0 +1,44 @@
+openapi: "3.0.3"
+info:
+  title: Example
+  version: "1.0"
+
+components:
+  securitySchemes:
+    oauth2:
+      type: oauth2
+      flows:
+        implicit:
+          authorizationUrl: "https://auth.example.com/authorize"
+          scopes:
+            read:pets: "Read pets information"
+            write:pets: "Write pets information"
+
+    secondScheme:
+      type: oauth2
+      flows:
+        implicit:
+          authorizationUrl: "https://auth.example.com/authorize"
+          scopes:
+            read:pets: "Read pets information"
+            write:pets: "Write pets information"
+
+security:
+  - oauth2: ["read:pets", "write:pets"]
+  - secondScheme: 'notarray'
+
+paths:
+  /pets:
+    get:
+      responses:
+        "200":
+          description: OK
+
+  /lic:
+    get:
+      security:
+        - secondScheme: ["read:pets"]
+        - oauth2: 'notarray'
+      responses:
+        "200":
+          description: OK

packages/apidom-ls/test/fixtures/validation/oas/security-scheme-not-used-2-0.yaml

@@ -0,0 +1,47 @@
+swagger: "2.0"
+info:
+  title: Example
+  version: "1.0"
+
+securityDefinitions:
+  oauth2:
+    type: oauth2
+    flow: implicit
+    authorizationUrl: "https://auth.example.com/authorize"
+    scopes:
+      read:pets: "Read pets information"
+      write:pets: "Write pets information"
+  secondScheme:
+    type: oauth2
+    flow: implicit
+    authorizationUrl: "https://auth.example.com/authorize"
+    scopes:
+      read:pets: "Read pets information"
+      write:pets: "Write pets information"
+  notUsedScheme:
+    type: oauth2
+    flow: implicit
+    authorizationUrl: "https://auth.example.com/authorize"
+    scopes:
+      read:people: "Read people information"
+      write:people: "Write people information"
+security:
+  - oauth2: ["read:pets", "write:pets"]
+  - secondScheme: ["read:pets", "write:pets"]
+
+paths:
+  /pets:
+    get:
+      responses:
+        "200":
+          description: OK
+
+  /lic:
+    get:
+      security:
+        - secondScheme: ['read:pets']
+        - oauth2: ['read:pets']
+      responses:
+        "200":
+          description: OK
+ 

packages/apidom-ls/test/fixtures/validation/oas/security-scheme-not-used-3-0.yaml

@@ -0,0 +1,53 @@
+openapi: "3.0.3"
+info:
+  title: Example
+  version: "1.0"
+
+components:
+  securitySchemes:
+    oauth2:
+      type: oauth2
+      flows:
+        implicit:
+          authorizationUrl: "https://auth.example.com/authorize"
+          scopes:
+            read:pets: "Read pets information"
+            write:pets: "Write pets information"
+
+    secondScheme:
+      type: oauth2
+      flows:
+        implicit:
+          authorizationUrl: "https://auth.example.com/authorize"
+          scopes:
+            read:pets: "Read pets information"
+            write:pets: "Write pets information"
+
+    notUsedScheme:
+      type: oauth2
+      flows:
+        implicit:
+          authorizationUrl: "https://auth.example.com/authorize"
+          scopes:
+            read:people: "Read people information"
+            write:people: "Write people information"
+
+security:
+  - oauth2: ["read:pets", "write:pets"]
+  - secondScheme: ["read:pets", "write:pets"]
+
+paths:
+  /pets:
+    get:
+      responses:
+        "200":
+          description: OK
+
+  /lic:
+    get:
+      security:
+        - secondScheme: ["read:pets"]
+        - oauth2: ["read:pets"]
+      responses:
+        "200":
+          description: OK