[spring]: Incorrect @AuthorizationScope
Created by: aanno2
Description
When I generate spring (java) from this api.yml:
# API-first development with swagger
# This file will be used at compile time to generate Spring-MVC endpoint stubs using swagger-codegen
swagger: "2.0"
info:
  title: gateway
  version: 0.0.1
basePath: /rest
paths:
  /account/self:
    get:
      summary: server user information
      description: Get information about account (oauth2) currently used on server (development, debugging)
      # The oAuth2NoScopes scheme is required here, but with an EMPTY scope list:
      # a valid token is needed, no particular scope is. The generated stub for
      # this operation should therefore carry no @AuthorizationScope entries.
      security:
        - oAuth2NoScopes: []
      operationId: accountSelf
      produces:
        - application/json
      parameters: []
      responses:
        200:
          description: user information
          schema:
            $ref: '#/definitions/OaAccountModel'
  /account/selfSecured:
    get:
      summary: server user information
      description: Get information about account (oauth2) currently used on server (development, debugging)
      # Same scheme, but this operation opts into both scopes declared under
      # securityDefinitions; the generated @AuthorizationScope entries are correct here.
      security:
        - oAuth2NoScopes:
            - registry
            - dummy
      operationId: accountSelfSecured
      produces:
        - application/json
      parameters: []
      responses:
        200:
          description: user information
          schema:
            $ref: '#/definitions/OaAccountModel'
definitions:
  OaAccountModel:
    type: object
    properties:
      userid:
        type: string
      info:
        type: string
      roles:
        type: array
        items:
          type: string
      scopes:
        type: array
        items:
          type: string
securityDefinitions:
  # Single OAuth2 scheme for the whole API; operations select scopes individually above.
  oAuth2NoScopes:
    type: oauth2
    description: 'keycload login TODO tp: Change realm!'
    # Development endpoints on localhost; the realm is still to be changed per the TODO above.
    authorizationUrl: 'https://localhost:8443/auth/realms/zap/protocol/openid-connect/auth'
    tokenUrl: 'https://localhost:8443/auth/realms/zap/protocol/openid-connect/token'
    # NOTE(review): the implicit flow returns the access token in the redirect URL
    # fragment; current OAuth 2.0 security guidance prefers the authorization code
    # flow (with PKCE) for new clients — worth confirming this choice before production.
    flow: implicit
    scopes:
      registry: admin right to registry
      dummy: dummy scope
I've got the impression that the generated @AuthorizationScope annotations are not appropriate.
openapi-generator version
3.0.2
Generated AccountApi.java
/**
* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech) (3.0.2).
* https://openapi-generator.tech
* Do not edit the class manually.
*/
package de.siteos.zap.web.api;
import de.siteos.zap.web.api.model.OaAccountModel;
import io.swagger.annotations.*;
import org.springframework.http.ResponseEntity;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RequestPart;
import org.springframework.web.multipart.MultipartFile;
import javax.validation.Valid;
import javax.validation.constraints.*;
import java.util.List;
import java.util.Map;
/**
 * Generated Spring-MVC stub for the {@code /account/*} operations of the "gateway" API.
 *
 * <p>Every endpoint method is a {@code default} method that forwards to the
 * {@link AccountApiDelegate} returned by {@link #getDelegate()}; the actual behaviour lives in
 * whatever delegate an implementing class supplies.
 */
@javax.annotation.Generated(value = "org.openapitools.codegen.languages.SpringCodegen", date = "2018-06-25T09:50:17.329+02:00[Europe/Berlin]")
@Validated
@Api(value = "account", description = "the account API")
public interface AccountApi {

    /**
     * Returns the delegate the endpoint methods forward to.
     *
     * <p>The default builds a new anonymous {@code AccountApiDelegate} with no overrides on every
     * call; an implementing class is presumably expected to override this and return its own
     * delegate (the delegate's default behaviour is defined outside this file).
     */
    default AccountApiDelegate getDelegate() {
        return new AccountApiDelegate() {};
    }

    /**
     * GET /account/self – server user information (spec operation {@code accountSelf}).
     *
     * <p>NOTE(review): the spec declares this operation's security requirement as
     * {@code oAuth2NoScopes: []} (scheme required, no particular scope), yet the generated
     * {@code @Authorization} below lists the scheme's full scope set ("registry", "dummy"); this is
     * the mismatch reported in this issue. {@code @Authorization}/{@code @AuthorizationScope} are
     * Swagger documentation metadata only and enforce nothing at runtime, so the effect is a
     * misleading API description rather than a change in access control — any real scope check has
     * to happen outside this interface.
     */
    @ApiOperation(value = "server user information", nickname = "accountSelf", notes = "Get information about account (oauth2) currently used on server (development, debugging)", response = OaAccountModel.class, authorizations = {
        @Authorization(value = "oAuth2NoScopes", scopes = {
            @AuthorizationScope(scope = "registry", description = "admin right to registry"),
            @AuthorizationScope(scope = "dummy", description = "dummy scope")
        })
    }, tags={ })
    @ApiResponses(value = {
        @ApiResponse(code = 200, message = "user information", response = OaAccountModel.class) })
    @RequestMapping(value = "/account/self",
        produces = { "application/json" },
        method = RequestMethod.GET)
    default ResponseEntity<OaAccountModel> accountSelf() {
        // Pure pass-through; no request data is handled here.
        return getDelegate().accountSelf();
    }

    /**
     * GET /account/selfSecured – server user information (spec operation
     * {@code accountSelfSecured}).
     *
     * <p>Here the generated scopes ("registry", "dummy") do match the spec, which lists both under
     * this operation's {@code oAuth2NoScopes} requirement. As above, the annotation only documents
     * the requirement; it does not enforce it.
     */
    @ApiOperation(value = "server user information", nickname = "accountSelfSecured", notes = "Get information about account (oauth2) currently used on server (development, debugging)", response = OaAccountModel.class, authorizations = {
        @Authorization(value = "oAuth2NoScopes", scopes = {
            @AuthorizationScope(scope = "registry", description = "admin right to registry"),
            @AuthorizationScope(scope = "dummy", description = "dummy scope")
        })
    }, tags={ })
    @ApiResponses(value = {
        @ApiResponse(code = 200, message = "user information", response = OaAccountModel.class) })
    @RequestMapping(value = "/account/selfSecured",
        produces = { "application/json" },
        method = RequestMethod.GET)
    default ResponseEntity<OaAccountModel> accountSelfSecured() {
        // Pure pass-through; no request data is handled here.
        return getDelegate().accountSelfSecured();
    }
}
Suggest a fix/enhancement
As you can see, in both cases
@AuthorizationScope(scope = "registry", description = "admin right to registry"),
@AuthorizationScope(scope = "dummy", description = "dummy scope")
is generated. However, I only expect this on the /account/selfSecured
path (as it declares these scopes). On the /account/self
path this is wrong, as that operation declares an empty scope list. Hence I expect that no @AuthorizationScope is generated for the /account/self
path.