Add API-key scope checking #1837

Open
wants to merge 5 commits into
base: main

etvahala

Fixes # N/A

The current documentation mentions that API-key security supports scopes:

"The function should accept the following arguments:

  • apikey
  • required_scopes (optional)"

However, the scopes were not passed to the checker.

Changes proposed in this pull request:

  • Add missing parameter routing to ApiKeySecurityHandler
  • Add a unit test for API-key scopes

@RobbeSneyders
Member

Thanks @etvahala!

2 points:

  • The OpenAPI docs only describe scopes for oauth2 and OpenID security schemes, and mention the scopes are empty for all other schemes. API Key authentication should allow scopes to be defined. OAI/OpenAPI-Specification#1366 seems to mention that this was changed in the 3.1 spec; however, I don't see this included in the actual spec.
    Adding scopes to an API key security block does seem to pass validation for 3.X specs, but not for 2.X specs. So I'm not sure if we should add support for this.
    @etvahala could you post the relevant parts of your spec to show how you define this?
    @Ruwann what do you think?

  • The tests are failing. You can wait until we have decided about point 1, although I would be more inclined to support this if you can show that it can pass the test suite without introducing a lot of complexity to maintain.

@RobbeSneyders
Member

Ping @etvahala @Ruwann

Some of the unit tests used internal methods,
fixed the tests with the added scopes-parameter.
@etvahala
Author

Fixed the unit tests.

The scope support for API keys was introduced in this OpenAPI spec commit, by introducing weasel words "...and the list MAY be empty if authorization does not require a specified scope.".

@RobbeSneyders
Member

Thanks @etvahala!

I don't think the line you linked is relevant, but the next one is:

For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band.

See also this OpenAPI issue.

So seems to align with the spec indeed 👍

@coveralls

coveralls commented Feb 13, 2024

coverage: 94.214%. remained the same when pulling 7105ed9 on etvahala:feature/apikey-scopes-support into 211bdb0 on spec-first:main.

Member

@RobbeSneyders RobbeSneyders left a comment


Thanks, one small suggestion.

tests/decorators/test_security.py (Outdated)
Member

@Ruwann Ruwann left a comment


Thanks! The current implementation looks good to me.
I believe we should also extend it to other security schemes, not only API keys?

For full reference, in the past, connexion re-used the scopes value from other security schemes as the required_scopes argument value for security schemes that didn't allow scopes. This was addressed in PR #1474.
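
Added example, not part of this pull request or of connexion's code: a sketch of an API-key checker with the `(apikey, required_scopes)` signature quoted in the PR description, showing why the routing matters. The function name, key store, returned dict keys, and the convention of returning `None` to reject are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample key store: SHA-256 of each key -> identity and granted scopes.
# The keys and subjects below are made up for this example.
_KEYS = {
    hashlib.sha256(b"reader-key-constructed").hexdigest(): {
        "sub": "svc-reader", "scopes": {"read"}},
    hashlib.sha256(b"admin-key-constructed").hexdigest(): {
        "sub": "svc-admin", "scopes": {"read", "write"}},
}


def apikey_auth(apikey, required_scopes=None):
    """Hypothetical API-key info function: returns token info, or None to reject."""
    if not isinstance(apikey, str) or not apikey:
        return None
    digest = hashlib.sha256(apikey.encode("utf-8")).hexdigest()
    match = None
    # Compare against every stored digest in constant time, with no early exit,
    # so timing does not reveal which entry (if any) matched.
    for stored, entry in _KEYS.items():
        if hmac.compare_digest(stored, digest):
            match = entry
    if match is None:
        return None
    # required_scopes is the list attached to the operation's security
    # requirement in the spec. None or an empty list means no scope is required.
    missing = set(required_scopes or ()) - match["scopes"]
    if missing:
        return None  # valid key but insufficient scopes: fail closed
    return {"sub": match["sub"], "scope": " ".join(sorted(match["scopes"]))}
```

If the caller never supplies `required_scopes`, the default `None` applies and this function can only check that the key is valid, so a read-only key would be accepted for an operation that declares `write`.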
