OpenAPI Tools / openapi-generator / Issues / #1043
Issue created Sep 16, 2018 by Administrator (@root)

[Ada] Operation security scopes are ignored when generating the server

Created by: stcarrez

Description

When you declare an operation with a security section, this defines the security models and scopes which are required by the operation. This information is partially used, and in particular the operation required scopes are not available to the model generator.

For example, if we define two OpenAPI 3.0 operations with the same security but two different scopes:

paths:
  /agents:
    ...
    security:
      - oauth: ['agent:register']
  /hosts:
    security:
      - oauth: ['host:create']

and the security scheme would define "oauth":

components:
  securitySchemes:
    agent_auth:
      type: oauth2
      flows:
        password:
          tokenUrl: 'https://hyperion.vacs.fr/hyperion/api/v1/oauth/token'
          scopes:
            'agent:register': Register a new monitoring agent
            'host:create': Register and create a host

Then, the generated server operation will require that all the scopes are available (instead of only checking for agent:register for the first operation and host:create for the second).

openapi-generator version

3.3.0

OpenAPI declaration file content or url

Command line used for generation

java -jar openapi-generator-cli.jar generate --generator-name ada-server -i hyperion.yaml \
            -DprojectName=hyperion --model-package Hyperion.Rest

Steps to reproduce

Related issues/PRs

Suggest a fix/enhancement

The information is available internally within the SecurityRequirement list associated with each operation. This is not available to model templates.

By updating the language code generator we can access this information from fromOperation and create a vendor-specific extension attribute that provides the information. I've done it in two steps:

  1. In fromOperation, add an x-scopes attribute that lists the operation security required scopes,
  2. In postProcessOperationsWithModels, build a new list of authMethods that only contain the operation required scopes (and not all of them), and put that list in the x-auth-scopes attribute.
  3. Update the server templates to use the x-auth-scopes instead of authMethods.
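
The per-operation scope check this issue asks for, contrasted with the reported all-scopes behaviour, as an added Python example. It is not the generator's Java code or the generated Ada server; the `post` method and the use of `agent_auth` as the scheme name in both places are assumptions, and all function names are hypothetical.

```python
# Constructed sample modelled on the issue's spec. Assumptions: the "post"
# method, and "agent_auth" as the scheme name in both places.
TOKEN_URL = "https://hyperion.vacs.fr/hyperion/api/v1/oauth/token"
SPEC = {
    "paths": {
        "/agents": {"post": {"security": [{"agent_auth": ["agent:register"]}]}},
        "/hosts": {"post": {"security": [{"agent_auth": ["host:create"]}]}},
    },
    "components": {"securitySchemes": {"agent_auth": {
        "type": "oauth2",
        "flows": {"password": {"tokenUrl": TOKEN_URL, "scopes": {
            "agent:register": "Register a new monitoring agent",
            "host:create": "Register and create a host",
        }}},
    }}},
}

def scheme_scopes(spec, name):
    """Every scope a scheme declares, across all of its OAuth2 flows."""
    flows = spec["components"]["securitySchemes"][name].get("flows", {})
    return {scope for flow in flows.values() for scope in flow.get("scopes", {})}

def operation_requirements(spec, path, method):
    """Alternatives (OR) of {scheme: scopes} (AND) for a single operation."""
    op = spec["paths"][path][method]
    # An operation-level "security" list overrides the top-level one.
    raw = op["security"] if "security" in op else spec.get("security", [])
    resolved = []
    for requirement in raw:
        for name, scopes in requirement.items():
            undeclared = set(scopes) - scheme_scopes(spec, name)
            if undeclared:
                raise ValueError(f"{path}: undeclared scopes {sorted(undeclared)}")
        resolved.append({name: set(s) for name, s in requirement.items()})
    return resolved

def is_authorized(spec, path, method, granted):
    """True when the granted scopes satisfy any one alternative."""
    reqs = operation_requirements(spec, path, method)
    # An empty list means no security requirement applies to the operation.
    return not reqs or any(all(s <= granted for s in r.values()) for r in reqs)

def requires_all_scopes(spec, scheme, granted):
    """The behaviour the issue reports: every scheme scope is demanded."""
    return scheme_scopes(spec, scheme) <= granted
```

A token holding only `agent:register` passes `is_authorized` for `/agents` and is refused for `/hosts`, while `requires_all_scopes` refuses it for both.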