oas3-operation-security-defined check does not honor $refs #2735

Open
@rittneje

Describe the bug

We have our security schemes defined in a common file, and then we reference them from our actual API file using $ref.

It seems that oas3-operation-security-defined does not handle this properly, and triggers a false positive.

To Reproduce

api.yaml

openapi: "3.0.2"
info:
  version: 0.0.0
  title: Example API
  description: Example API
  contact:
    name: John Smith
    email: [email protected]
servers:
  - url: https://example.com
tags:
- name: "foo"
paths:
  /api/v1/foobar:
    get:
      operationId: Foobar
      tags: ["foo"]
      description: foo
      security:
        - Oauth:
          - admin
      responses:
        "204":
          description: foo
components:
  securitySchemes:
    Oauth:
      $ref: "./common.yaml#/components/securitySchemes/Oauth"

common.yaml

components:
  securitySchemes:
    Oauth:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://example.com/oauth/authorize
          tokenUrl: https://example.com/oauth/token
          refreshUrl: https://example.com/oauth/token
          scopes:
            admin: Admin scope

$ spectral lint --verbose --fail-severity=warn "api.yaml"
[...]
 21:13  warning  oas3-operation-security-defined  "admin" must be listed among scopes.  paths./api/v1/foobar.get.security[0].Oauth[0]

Expected behavior
It should pass validation.

Screenshots
n/a

Environment (remove any that are not applicable):

  • Library version: v6.14.1

Additional context

If I remove the ref and copy-paste, then it works.

api.yaml

openapi: "3.0.2"
info:
  version: 0.0.0
  title: Example API
  description: Example API
  contact:
    name: John Smith
    email: [email protected]
servers:
  - url: https://example.com
tags:
- name: "foo"
paths:
  /api/v1/foobar:
    get:
      operationId: Foobar
      tags: ["foo"]
      description: foo
      security:
        - Oauth:
          - admin
      responses:
        "204":
          description: foo
components:
  securitySchemes:
    Oauth:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://example.com/oauth/authorize
          tokenUrl: https://example.com/oauth/token
          refreshUrl: https://example.com/oauth/token
          scopes:
            admin: Admin scope

$ spectral lint --verbose --fail-severity=warn "api.yaml"
[...]
No results with a severity of 'warn' or higher found!
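A minimal scope check that follows `$ref`s into the referenced document, the behaviour the report expects, as an added example that is not Spectral's own code. The two documents are the report's api.yaml and common.yaml reconstructed inline as JavaScript objects (only the keys the check needs), and `followRefs=false` shows how the false positive arises when the ref is left unresolved.

```javascript
// Constructed from the report's api.yaml / common.yaml (relevant keys only).
const docs = {
  "api.yaml": {
    paths: { "/api/v1/foobar": { get: { security: [{ Oauth: ["admin"] }] } } },
    components: { securitySchemes: {
      Oauth: { $ref: "./common.yaml#/components/securitySchemes/Oauth" } } },
  },
  "common.yaml": {
    components: { securitySchemes: { Oauth: { type: "oauth2",
      flows: { authorizationCode: { scopes: { admin: "Admin scope" } } } } } },
  },
};
// Follow "./file.yaml#/json/pointer" refs ("#/ptr" = same document); the
// depth limit stops a $ref cycle from recursing forever.
function resolve(node, docName, depth = 0) {
  if (!node || typeof node.$ref !== "string") return node;
  if (depth > 10) throw new Error(`$ref chain too deep: ${node.$ref}`);
  const [file, pointer = ""] = node.$ref.split("#");
  const targetDoc = file ? file.replace(/^\.\//, "") : docName;
  let target = docs[targetDoc];
  for (const seg of pointer.split("/").filter(Boolean)) {
    target = target?.[seg.replace(/~1/g, "/").replace(/~0/g, "~")];
  }
  return resolve(target, targetDoc, depth + 1);
}
// Every scope name declared in any flow of an oauth2 scheme.
function declaredScopes(scheme) {
  const out = new Set();
  for (const flow of Object.values(scheme?.flows ?? {}))
    Object.keys(flow.scopes ?? {}).forEach((s) => out.add(s));
  return out;
}
// followRefs=false reproduces the false positive: an unresolved { $ref } declares no scopes.
function checkOperationSecurity(docName, followRefs = true) {
  const doc = docs[docName], problems = [];
  for (const [path, item] of Object.entries(doc.paths)) {
    for (const [method, op] of Object.entries(item)) {
      for (const req of op.security ?? []) {
        for (const [name, scopes] of Object.entries(req)) {
          const scheme = doc.components?.securitySchemes?.[name];
          const known = declaredScopes(followRefs ? resolve(scheme, docName) : scheme);
          scopes.filter((s) => !known.has(s)).forEach((s) =>
            problems.push(`${path}.${method}: "${s}" must be listed among scopes`));
        }
      }
    }
  }
  return problems;
}
```

`checkOperationSecurity("api.yaml")` returns no problems, while `checkOperationSecurity("api.yaml", false)` returns the same "admin" must be listed among scopes finding the linter reports.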
