Add OpenAPI security (rebase) #59
Conversation
|
@gcasar Thanks for picking this up. I'll review it asap this week. Regarding the |
openapi/spec.go
Outdated
| } | ||
|
|
||
| // A workaround for missing omitnil functionality. | ||
| // explicitly excludes Security which: |
There was a problem hiding this comment.
I would rephrase the comment to smthing like this, up to you tho:
It explicitely omit the Security field from marshaling when it is nil, but not when empty.
openapi/generator.go
Outdated
| @@ -104,6 +104,12 @@ func (g *Generator) SetServers(servers []*Server) { | |||
| g.api.Servers = servers | |||
| } | |||
|
|
|||
| // SetSecurity sets the security options for the | |||
| // current specification. | |||
| func (g *Generator) SetSecurity(security *SecurityRequirement) { | |||
There was a problem hiding this comment.
I would prefer to name the function SetSecurityRequirement, to be in-par with the OpenAPI spec object naming.
fizz.go
Outdated
| } | ||
|
|
||
| // NoSecurity explicitly removes all security. | ||
| func NoSecurity() func(*openapi.OperationInfo) { |
There was a problem hiding this comment.
Having this feels weird for the end-user. I'm wondering if it shouldn't be the default, applied directly by the package (i.e, if operation.Security == nil, initialize Security to empty slice, via MarshalYAML/JSON) ?
There was a problem hiding this comment.
Hmm... given that I understand your comment correctly I believe that would actually change semantics:
- you want to omit Security altogether (as per the spec) if you are not overriding the top level Security setting
- any serialized Security value, even an empty array has meaning.
From Operation Object:
A declaration of which security mechanisms can be used for this operation. The list of values includes alternative security requirement objects that can be used. Only one of the security requirement objects need to be satisfied to authorize a request. To make security optional, an empty security requirement ({}) can be included in the array. This definition overrides any declared top-level security. To remove a top-level security declaration, an empty array can be used.
There was a problem hiding this comment.
Okay, that was me, I didn't read the spec properly. NoSecurity() would be useful only if the top-level Security field is set:
To remove a top-level security declaration, an empty array can be used.
What would you think of WithoutSecurity instead as name ?
Speaking of that, the spec also specify the following:
To make security optional, an empty security requirement ({}) can be included in the array.
We could provide a "helper-func" (WithOptionalSecurity()) for that, that would append an empty openapi.SecurityRequirement object in the operation's Security field (slice). Thoughts ?
| @@ -353,6 +353,20 @@ func InputModel(model interface{}) func(*openapi.OperationInfo) { | |||
| } | |||
| } | |||
|
|
|||
| // Security adds a security definition to an operation. | |||
| func Security(security *openapi.SecurityRequirement) func(*openapi.OperationInfo) { | |||
There was a problem hiding this comment.
Please add this to the README: https://github.com/wI2L/fizz#operation-informations
There was a problem hiding this comment.
Also, if we're including security-related helpers functions such as WithoutSecurity() and OptionalSecurity(), they should also be documented/mentionned.
|
@gcasar Sorry for the delay, just got back from holidays. Please see the minor fixes suggestions, otherwise looks good. |
|
Closes #50. |
README.md
Outdated
| @@ -96,6 +96,17 @@ fizz.Header(name, desc string, model interface{}) | |||
| // Override the binding model of the operation. | |||
| fizz.InputModel(model interface{}) | |||
|
|
|||
| // Add a security requirement to the list of security overrides for this operation. | |||
There was a problem hiding this comment.
Sounds redundant to me.
What do you think of:
Overrides top-level security requirement for this operation. Note that this function can be used more than once to add may requirements.
README.md
Outdated
| // that might have been specified in the root `security` property. | ||
| fizz.Security(security *openapi.SecurityRequirement) | ||
|
|
||
| // Make other security requirements optional. |
There was a problem hiding this comment.
Again, I think it is better to be explicit. We should indicate what the function does, not just its effect:
Add an empty security requirement to this operation to make other security requirements optional.
There was a problem hiding this comment.
I was not sure how to break this one - let me know if you want me to reformat it:)
README.md
Outdated
| // Make other security requirements optional. | ||
| fizz.WithOptionalSecurity() | ||
|
|
||
| // Remove any security requirements for this operation. |
There was a problem hiding this comment.
Remove any top-level security requirements for this operation.
fizz.go
Outdated
| } | ||
| } | ||
|
|
||
| // WithoutSecurity explicitly removes all security. |
There was a problem hiding this comment.
Use same comment as those in README. See proposal.
fizz.go
Outdated
| } | ||
| } | ||
|
|
||
| // WithOptionalSecurity makes other security requirements optional. |
There was a problem hiding this comment.
Use same comment as those in README. See proposal.
|
@wI2L almost there :) I don't like to squash by force pushing - is it ok with you if you squash it yourself when merging? |
|
Any updates @wI2L ? |
|
@ipfans I'll take care of migrating CI to Github actions and merge pending pull requests to make a proper release by september. Sorry for the delay. |
|
Any updates on this? I'd find it useful 😊 |
Codecov Report
@@ Coverage Diff @@
## master #59 +/- ##
==========================================
- Coverage 95.88% 95.17% -0.72%
==========================================
Files 7 7
Lines 924 953 +29
==========================================
+ Hits 886 907 +21
- Misses 22 30 +8
Partials 16 16
Continue to review full report at Codecov.
|
wI2L
force-pushed
the
openapi-security
branch
5 times, most recently
from
285ce19
to
7606e1d
Compare
Co-authored-by: Gregor Casar <gregorcasar@gmail.com>
wI2L
force-pushed
the
openapi-security
branch
from
7606e1d
to
c029d2c
Compare
|
To everyone involved on this PR, and expecting the changes, I apologize for the unreasonable delay, haven't found some time to work on it, and I wanted to update the CI pipeline of the project before merhing anything new. This will be shipped in next release. |
|
Thanks for getting it in @wI2L! |
Fixes Issue #35, continues stale PR #50.
I tried to keep the comments from #50 relevant by resolving conflicts by back-merging and addressing them here. We can squash commits at your discretion.
securityfield in path section (see security parameter - an empty array is used to signal "no security" override)The last point is the only one that is troublesome since it does not align with the way JSON gets serialised and would benefit from something like this request. The proposed way is backwards compatible but does repeat some code.