[spring]: Incorrect @AuthorizationScope #392

Closed
aanno2 opened this issue Jun 25, 2018 · 3 comments · Fixed by #1982
Comments

@aanno2
Contributor

aanno2 commented Jun 25, 2018

Description

When I generate spring (java) from this api.yml:

# API-first development with swagger
# This file will be used at compile time to generate Spring-MVC endpoint stubs using swagger-codegen
swagger: "2.0"
info:
  title: gateway
  version: 0.0.1
basePath: /rest
paths:
  /account/self:
    get:
      summary: server user information
      description: Get information about account (oauth2) currently used on server (development, debugging)
      security:
        - oAuth2NoScopes: []
      operationId: accountSelf
      produces:
        - application/json
      parameters: []
      responses:
        200:
          description: user information
          schema:
            $ref: '#/definitions/OaAccountModel'
  /account/selfSecured:
    get:
      summary: server user information
      description: Get information about account (oauth2) currently used on server (development, debugging)
      security:
        - oAuth2NoScopes:
            - registry
            - dummy
      operationId: accountSelfSecured
      produces:
        - application/json
      parameters: []
      responses:
        200:
          description: user information
          schema:
            $ref: '#/definitions/OaAccountModel'
definitions:
  OaAccountModel:
    type: object
    properties:
      userid:
        type: string
      info:
        type: string
      roles:
        type: array
        items:
          type: string
      scopes:
        type: array
        items:
          type: string
securityDefinitions:
  oAuth2NoScopes:
    type: oauth2
    description: 'keycload login TODO tp: Change realm!'
    authorizationUrl: 'https://localhost:8443/auth/realms/zap/protocol/openid-connect/auth'
    tokenUrl: 'https://localhost:8443/auth/realms/zap/protocol/openid-connect/token'
    flow: implicit
    scopes:
        registry: admin right to registry
        dummy: dummy scope

I've got the impression that the @AuthorizationScope generated are not appropriate.

openapi-generator version

3.0.2

Generated AccountApi.java
/**
 * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech) (3.0.2).
 * https://openapi-generator.tech
 * Do not edit the class manually.
 */
package de.siteos.zap.web.api;

import de.siteos.zap.web.api.model.OaAccountModel;
import io.swagger.annotations.*;
import org.springframework.http.ResponseEntity;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RequestPart;
import org.springframework.web.multipart.MultipartFile;

import javax.validation.Valid;
import javax.validation.constraints.*;
import java.util.List;
import java.util.Map;
@javax.annotation.Generated(value = "org.openapitools.codegen.languages.SpringCodegen", date = "2018-06-25T09:50:17.329+02:00[Europe/Berlin]")

@Validated
@Api(value = "account", description = "the account API")
public interface AccountApi {

    default AccountApiDelegate getDelegate() {
        return new AccountApiDelegate() {};
    }

    @ApiOperation(value = "server user information", nickname = "accountSelf", notes = "Get information about account (oauth2) currently used on server (development, debugging)", response = OaAccountModel.class, authorizations = {
        @Authorization(value = "oAuth2NoScopes", scopes = {
            @AuthorizationScope(scope = "registry", description = "admin right to registry"),
            @AuthorizationScope(scope = "dummy", description = "dummy scope")
            })
    }, tags={  })
    @ApiResponses(value = { 
        @ApiResponse(code = 200, message = "user information", response = OaAccountModel.class) })
    @RequestMapping(value = "/account/self",
        produces = { "application/json" }, 
        method = RequestMethod.GET)
    default ResponseEntity<OaAccountModel> accountSelf() {
        return getDelegate().accountSelf();
    }


    @ApiOperation(value = "server user information", nickname = "accountSelfSecured", notes = "Get information about account (oauth2) currently used on server (development, debugging)", response = OaAccountModel.class, authorizations = {
        @Authorization(value = "oAuth2NoScopes", scopes = {
            @AuthorizationScope(scope = "registry", description = "admin right to registry"),
            @AuthorizationScope(scope = "dummy", description = "dummy scope")
            })
    }, tags={  })
    @ApiResponses(value = { 
        @ApiResponse(code = 200, message = "user information", response = OaAccountModel.class) })
    @RequestMapping(value = "/account/selfSecured",
        produces = { "application/json" }, 
        method = RequestMethod.GET)
    default ResponseEntity<OaAccountModel> accountSelfSecured() {
        return getDelegate().accountSelfSecured();
    }

}
Suggest a fix/enhancement

As you can see, in both cases

            @AuthorizationScope(scope = "registry", description = "admin right to registry"),
            @AuthorizationScope(scope = "dummy", description = "dummy scope")

is generated. However, I only expect this on the /account/selfSecured path (as it declares these scopes). On the /account/self path this is wrong, as there is an empty scope definition. Hence I expect that no @AuthorizationScope is generated for the /account/self path.

@mikezx6r
Contributor

I have also looked at this, and assuming both @aanno2 and I are interpreting the spec correctly, the issue here is in the parser and not the templates.

The parser appears to 'see' the security entry on the path, and then loads the scopes from the components section rather than taking the list from the path's security entry (and possibly ensuring they all exist in the components security).

The template is merely using the provided auths from the parsed objects.

I haven't looked at the code to see how hard it would be to address this, but suspect it's not easy to address. Anyone with more experience on the parser available to investigate or even just comment on whether my assessment is accurate or not?
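The two comments above describe the scope resolution the generator should be doing: take the scope list from each operation's own `security` requirement, look the descriptions up in `securityDefinitions`, and flag scopes the operation references that the scheme never declares. The following is an added example written for this page (it is not openapi-generator's code and does not use its internal API); it embeds a trimmed copy of the issue's api.yml as a Python dict, labelled as constructed, so it runs without a YAML library, and the `render_authorizations` output format is an assumption modelled on the annotations shown in the generated AccountApi.java.

```python
"""Resolve OAuth2 scopes per operation from a Swagger 2.0 spec the way the
issue expects: from the operation's own `security` requirement, not from the
full scope list in `securityDefinitions`."""

# Constructed test input: a trimmed-down copy of the api.yml from the issue,
# expressed as a Python dict so the example runs without a YAML parser.
SPEC = {
    "swagger": "2.0",
    "paths": {
        "/account/self": {
            "get": {
                "operationId": "accountSelf",
                "security": [{"oAuth2NoScopes": []}],   # scheme required, no scopes
            }
        },
        "/account/selfSecured": {
            "get": {
                "operationId": "accountSelfSecured",
                "security": [{"oAuth2NoScopes": ["registry", "dummy"]}],
            }
        },
    },
    "securityDefinitions": {
        "oAuth2NoScopes": {
            "type": "oauth2",
            "flow": "implicit",
            "scopes": {"registry": "admin right to registry", "dummy": "dummy scope"},
        }
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def declared_scopes(spec, scheme):
    """All scopes a scheme declares in securityDefinitions.
    Using this for every operation is the behaviour the issue reports as wrong."""
    return dict(spec.get("securityDefinitions", {}).get(scheme, {}).get("scopes", {}))


def operation_security(spec, operation_id):
    """The operation's own security requirements; Swagger 2.0 falls back to the
    top-level `security` list only when the operation has no `security` key."""
    for path_item in spec.get("paths", {}).values():
        for method, op in path_item.items():
            if method in HTTP_METHODS and op.get("operationId") == operation_id:
                return op.get("security", spec.get("security", []))
    raise KeyError(operation_id)


def effective_scopes(spec, operation_id):
    """Scopes the operation actually requires, per scheme, with descriptions
    looked up from securityDefinitions: {scheme: {scope: description}}."""
    result = {}
    for requirement in operation_security(spec, operation_id):
        for scheme, scopes in requirement.items():
            declared = declared_scopes(spec, scheme)
            result[scheme] = {s: declared.get(s, "") for s in scopes}
    return result


def undeclared_scopes(spec):
    """Scopes referenced by an operation but missing from the scheme's definition,
    as (METHOD, path, scheme, [missing scopes]) tuples."""
    problems = []
    for path, path_item in spec.get("paths", {}).items():
        for method, op in path_item.items():
            if method not in HTTP_METHODS:
                continue
            for requirement in op.get("security", spec.get("security", [])):
                for scheme, scopes in requirement.items():
                    missing = [s for s in scopes if s not in declared_scopes(spec, scheme)]
                    if missing:
                        problems.append((method.upper(), path, scheme, missing))
    return problems


def render_authorizations(spec, operation_id):
    """Render the @Authorization block the issue expects (assumed format, modelled
    on the generated AccountApi.java); an operation without scopes gets `scopes = {}`."""
    parts = []
    for scheme, scopes in effective_scopes(spec, operation_id).items():
        inner = ",\n".join(
            f'    @AuthorizationScope(scope = "{s}", description = "{d}")'
            for s, d in scopes.items()
        )
        body = "{\n" + inner + "\n    }" if inner else "{}"
        parts.append(f'@Authorization(value = "{scheme}", scopes = {body})')
    return "\n".join(parts)


if __name__ == "__main__":
    for op_id in ("accountSelf", "accountSelfSecured"):
        print(op_id, "->", effective_scopes(SPEC, op_id))
        print(render_authorizations(SPEC, op_id))
    print("undeclared scopes:", undeclared_scopes(SPEC))
```

Running it shows the distinction the issue is about: `accountSelf` resolves to the scheme with an empty scope map, while `accountSelfSecured` resolves to `registry` and `dummy` with their descriptions; `declared_scopes` returns both scopes regardless of operation, which is what produced the identical annotations in the report. `undeclared_scopes` covers the parenthetical check in the comment above, so a spec that references a scope its scheme never defines is caught before any annotation is emitted.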

@mikezx6r
Contributor

Upon further investigation, the actual Swagger Parser correctly retrieves the information. It appears the Code Generator is incorrectly interpreting it, and passing it to the templates. I think the issue is in DefaultGenerator, so getting close to a PR for this.

@gpor0

gpor0 commented May 21, 2019

Same happened to me in 4.0.0-beta3 with JAXRS. Confirming fix in snapshot version.
