Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Style Guide to cover securityDefintions #55

Open
mikekistler opened this issue Jan 19, 2022 · 4 comments
Open

Update Style Guide to cover securityDefintions #55

mikekistler opened this issue Jan 19, 2022 · 4 comments
Assignees

Comments

@mikekistler
Copy link
Member

The Style Guide should be updated with guidelines for documenting the security schemes supported/required by the API.

And we should add some Spectral rules to enforce these guidelines.

@mikekistler
Copy link
Member Author

The ARM linter already has a rule for securityDefintions:

https://github.com/Azure/azure-rest-api-specs/blob/master/documentation/openapi-authoring-automated-guidelines.md#r2054

Unfortunately, the link in the documentation that supposedly describes the required structure is broken. But I think it probably should be pointing here.

And here's the code that actually implements the rule:

https://github.com/Azure/azure-openapi-validator/blob/master/src/dotnet/OpenAPI.Validator/Validation/SecurityDefinitionsStructure.cs

It looks like it wants very specific values for each of the fields in the security definition, which is fine for ARM but we'll need something more flexible as a general rule for Azure.

@mikekistler mikekistler self-assigned this Jan 19, 2022
@lmazuel
Copy link
Member

lmazuel commented Jan 21, 2022

https://github.com/Azure/autorest/blob/main/docs/generate/authentication.md includes a proposal of syntax that could be used as guidelines for service teams, and be compatible with autorest at the same time

@mikekistler
Copy link
Member Author

Some basic validity and style elements we could/should check are:

  • There should be a global security or a security for each operation
  • For Oauth2, "scopes" should not be empty
  • For Oauth2 security, scopes should not be empty and should be a name in scopes of security scheme

@mikekistler
Copy link
Member Author

Here is a more specific set of rules:

  1. There is at least one security scheme.
  2. All security schemes are either:
  • type: oauth2 (do we care about the flow?) or
  • type: apiKey with in: header
  1. An oauth2 security scheme defines at least one scope.
  2. All scopes defined in an oauth2 security scheme match a pattern:
    https:\/\/[\w-]+(\.[\w-]+)+/[\w-.]+
    
  3. There is a global security or every operation has a security (that references a defined security scheme)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants