Merge pull request #1286 from shockey/bug/1259-security-validation

shockey · web-flow · commit 91213fd265d8 · 2017-04-20T16:26:16.000-07:00
Fix and improve security validation
diff --git a/src/plugins/validation/semantic-validators/validators/security.js b/src/plugins/validation/semantic-validators/validators/security.js
@@ -21,24 +21,24 @@ export function validate({ resolvedSpec }) {
         if (!securityDefinition) {
           errors.push({
             message: "security requirements must match a security definition",
-            path: path.join(".")
+            path: path
           })
         }
 
-        if (securityDefinition && securityDefinition.type === "oauth2") {
+        if (securityDefinition) {
           let scopes = obj[key]
           if (Array.isArray(scopes)){
-            let unresolvedScopes = []
-            scopes.forEach((scope) => {
-              if (!securityDefinition.scopes[scope]) { unresolvedScopes.push(scope) }
-            })
-            let unresolvedScopesLen = unresolvedScopes.length
-            if ( unresolvedScopesLen ) {
-              errors.push({
-                message: `security scope definition${unresolvedScopesLen > 1 ? "s" : ""} ${unresolvedScopes.join(", ")} could not be resolved`,
-              path: path.join(".")
+
+            // Check for unknown scopes
+
+            scopes.forEach((scope, i) => {
+              if (!securityDefinition.scopes || !securityDefinition.scopes[scope]) {
+                errors.push({
+                  message: `Security scope definition ${scope} could not be resolved`,
+                  path: path.concat([i.toString()])
+                })
+              }
             })
-            }
           }
         }
       })
diff --git a/test/plugins/validation/semantic/security.js b/test/plugins/validation/semantic/security.js
@@ -0,0 +1,135 @@
+import expect from "expect"
+import { validate } from "plugins/validation/semantic-validators/validators/security"
+
+describe("validation plugin - semantic - security", () => {
+  it("should return an error when an operation references a non-existing security scope", () => {
+    const spec = {
+      "securityDefinitions": {
+        "api_key": {
+          "type": "apiKey",
+          "name": "apikey",
+          "in": "query",
+          "scopes": {
+            "asdf": "blah blah"
+          }
+        }
+      },
+      "paths": {
+        "/": {
+          "get": {
+            "description": "asdf",
+            "security": [
+              {
+                "api_key": [
+                  "write:pets"
+                ]
+              }
+            ]
+          }
+        }
+      }
+    }
+
+    let res = validate({ resolvedSpec: spec })
+    expect(res.errors.length).toEqual(1)
+    expect(res.errors[0].path).toEqual(["paths", "/", "get", "security", "0", "0"])
+    expect(res.errors[0].message).toEqual("Security scope definition write:pets could not be resolved")
+    expect(res.warnings.length).toEqual(0)
+  })
+  it("should return an error when an operation references a security definition with no scopes", () => {
+    const spec = {
+      "securityDefinitions": {
+        "api_key": {
+          "type": "apiKey",
+          "name": "apikey",
+          "in": "query"
+        }
+      },
+      "paths": {
+        "/": {
+          "get": {
+            "description": "asdf",
+            "security": [
+              {
+                "api_key": [
+                  "write:pets"
+                ]
+              }
+            ]
+          }
+        }
+      }
+    }
+
+    let res = validate({ resolvedSpec: spec })
+    expect(res.errors.length).toEqual(1)
+    expect(res.errors[0].path).toEqual(["paths", "/", "get", "security", "0", "0"])
+    expect(res.errors[0].message).toEqual("Security scope definition write:pets could not be resolved")
+    expect(res.warnings.length).toEqual(0)
+  })
+
+  it("should return an error when an operation references a non-existing security definition", () => {
+    const spec = {
+      "securityDefinitions": {
+        "api_key": {
+          "type": "apiKey",
+          "name": "apikey",
+          "in": "query"
+        }
+      },
+      "paths": {
+        "/": {
+          "get": {
+            "description": "asdf",
+            "security": [
+              {
+                "fictional_security_definition": [
+                  "write:pets"
+                ]
+              }
+            ]
+          }
+        }
+      }
+    }
+
+    let res = validate({ resolvedSpec: spec })
+    expect(res.errors.length).toEqual(1)
+    expect(res.errors[0].path).toEqual(["paths", "/", "get", "security", "0"])
+    expect(res.errors[0].message).toEqual("security requirements must match a security definition")
+    expect(res.warnings.length).toEqual(0)
+  })
+
+  it("should not return an error when an operation references an existing security scope", () => {
+    const spec = {
+      "securityDefinitions": {
+        "api_key": {
+          "type": "apiKey",
+          "name": "apikey",
+          "in": "query",
+          "scopes": {
+            "write:pets": "write to pets"
+          }
+        }
+      },
+      "paths": {
+        "/": {
+          "get": {
+            "description": "asdf",
+            "security": [
+              {
+                "api_key": [
+                  "write:pets"
+                ]
+              }
+            ]
+          }
+        }
+      }
+    }
+
+    let res = validate({ resolvedSpec: spec })
+    expect(res.errors.length).toEqual(0)
+    expect(res.warnings.length).toEqual(0)
+  })
+})
