oas3-operation-security-defined check does not honor $refs #2735

Open
rittneje opened this issue Nov 14, 2024 · 0 comments

Describe the bug

We have our security schemes defined in a common file, and then we reference them from our actual API file using $ref.

It seems that oas3-operation-security-defined does not handle this properly, and triggers a false positive.

To Reproduce

api.yaml

openapi: "3.0.2"
info:
  version: 0.0.0
  title: Example API
  description: Example API
  contact:
    name: John Smith
    email: [email protected]
servers:
  - url: https://example.com
tags:
- name: "foo"
paths:
  /api/v1/foobar:
   get:
      operationId: Foobar
      tags: ["foo"]
      description: foo
      security:
        - Oauth:
          - admin
      responses:
        "204":
          description: foo
components:
  securitySchemes:
    Oauth:
      $ref: "./common.yaml#/components/securitySchemes/Oauth"

common.yaml

components:
  securitySchemes:
    Oauth:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://example.com/oauth/authorize
          tokenUrl: https://example.com/oauth/token
          refreshUrl: https://example.com/oauth/token
          scopes:
            admin: Admin scope

$ spectral lint --verbose --fail-severity=warn "api.yaml"
[...]
 21:13  warning  oas3-operation-security-defined  "admin" must be listed among scopes.  paths./api/v1/foobar.get.security[0].Oauth[0]

Expected behavior
It should pass validation.

Screenshots
n/a

Environment (remove any that are not applicable):

  • Library version: v6.14.1

Additional context

If I remove the ref and copy-paste, then it works.

api.yaml

openapi: "3.0.2"
info:
  version: 0.0.0
  title: Example API
  description: Example API
  contact:
    name: John Smith
    email: [email protected]
servers:
  - url: https://example.com
tags:
- name: "foo"
paths:
  /api/v1/foobar:
   get:
      operationId: Foobar
      tags: ["foo"]
      description: foo
      security:
        - Oauth:
          - admin
      responses:
        "204":
          description: foo
components:
  securitySchemes:
    Oauth:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://example.com/oauth/authorize
          tokenUrl: https://example.com/oauth/token
          refreshUrl: https://example.com/oauth/token
          scopes:
            admin: Admin scope

$ spectral lint --verbose --fail-severity=warn "api.yaml"
[...]
No results with a severity of 'warn' or higher found!
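As an added example (not part of the issue and not Spectral's own code), here is a small stand-alone Python check that behaves the way the reporter expects: it dereferences `$ref` entries under components.securitySchemes, including references into another file, before checking that every scope an operation requests is defined by the referenced oauth2 scheme. The two documents are Python dicts mirroring the api.yaml and common.yaml above, kept in a constructed in-memory file map so no YAML parser or disk access is needed; relative-path handling is simplified (file paths are looked up verbatim as map keys), and the finding format only loosely imitates Spectral's `location: message` output. Running it on the $ref-based document yields no findings, while a scope the scheme does not define, or a scheme name that is not declared at all, is reported.

```python
"""Added example: an OAS3 operation-security check that follows $refs.
Not Spectral's implementation. COMMON_YAML / API_YAML are constructed dicts
mirroring the report's common.yaml / api.yaml; FILES is a constructed
in-memory stand-in for the files on disk.
"""
import copy

COMMON_YAML = {"components": {"securitySchemes": {"Oauth": {
    "type": "oauth2",
    "flows": {"authorizationCode": {
        "authorizationUrl": "https://example.com/oauth/authorize",
        "tokenUrl": "https://example.com/oauth/token",
        "refreshUrl": "https://example.com/oauth/token",
        "scopes": {"admin": "Admin scope"},
    }},
}}}}

API_YAML = {
    "openapi": "3.0.2",
    "paths": {"/api/v1/foobar": {"get": {
        "operationId": "Foobar",
        "security": [{"Oauth": ["admin"]}],
        "responses": {"204": {"description": "foo"}},
    }}},
    # The scheme is only a $ref into the other file, as in the report.
    "components": {"securitySchemes": {"Oauth": {
        "$ref": "./common.yaml#/components/securitySchemes/Oauth"}}},
}

FILES = {"./api.yaml": API_YAML, "./common.yaml": COMMON_YAML}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def resolve_ref(ref, current_file, files, seen=None):
    """Follow a JSON Reference like "./common.yaml#/components/x" or "#/a/b".
    An empty file part means the current document. Chained $refs are
    followed; a cycle raises instead of recursing forever. Simplification:
    the file part is used verbatim as a key of `files`.
    """
    seen = set() if seen is None else seen
    if (current_file, ref) in seen:
        raise ValueError(f"circular $ref: {ref}")
    seen.add((current_file, ref))
    file_part, _, pointer = ref.partition("#")
    target_file = file_part or current_file
    node = files[target_file]
    for token in [t for t in pointer.split("/") if t]:
        # JSON Pointer unescaping: "~1" -> "/" first, then "~0" -> "~".
        node = node[token.replace("~1", "/").replace("~0", "~")]
    if isinstance(node, dict) and "$ref" in node:
        return resolve_ref(node["$ref"], target_file, files, seen)
    return node


def check_operation_security(api_file, files):
    """Return findings as "location: message" strings; an empty list means pass."""
    doc = files[api_file]
    schemes = {}
    for name, scheme in doc.get("components", {}).get("securitySchemes", {}).items():
        # Dereference before inspecting the scheme: skipping this step is
        # what produces the false positive described in the report.
        schemes[name] = resolve_ref(scheme["$ref"], api_file, files) if "$ref" in scheme else scheme

    findings = []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # An operation-level `security` list overrides the root-level one.
            for i, requirement in enumerate(op.get("security", doc.get("security", []))):
                for name, scopes in requirement.items():
                    loc = f"paths.{path}.{method}.security[{i}].{name}"
                    scheme = schemes.get(name)
                    if scheme is None:
                        findings.append(f"{loc}: security scheme {name!r} is not defined")
                    elif scheme.get("type") == "oauth2":
                        defined = set()
                        for flow in scheme.get("flows", {}).values():
                            defined.update(flow.get("scopes", {}))
                        for scope in scopes:
                            if scope not in defined:
                                findings.append(f"{loc}: {scope!r} must be listed among scopes")
                    elif scheme.get("type") != "openIdConnect" and scopes:
                        # OAS 3.0: only oauth2/openIdConnect requirements carry scopes.
                        findings.append(f"{loc}: scopes are only allowed for oauth2/openIdConnect schemes")
    return findings


def findings_for(security):
    """Re-run the check on a copy of API_YAML whose GET operation uses `security`."""
    variant = copy.deepcopy(API_YAML)
    variant["paths"]["/api/v1/foobar"]["get"]["security"] = security
    return check_operation_security("./api.yaml", {**FILES, "./api.yaml": variant})


if __name__ == "__main__":
    print("with $ref:", check_operation_security("./api.yaml", FILES) or "no findings")
    print("undefined scope:", findings_for([{"Oauth": ["superuser"]}]))
```

The essential design point is that the scheme map is built from dereferenced objects before any scope comparison happens; a linter that compares against the raw `{"$ref": ...}` node sees no `flows`, concludes no scopes are defined, and reports every requested scope as missing, which matches the symptom in the report.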