Merge pull request vyuldashev#52 from ArrowWebSolutions/develop

vyuldashev · web-flow · commit 7b7661eba878 · 2021-09-22T01:04:35.000+01:00
Ability to turn off security at operation level
diff --git a/src/Attributes/Operation.php b/src/Attributes/Operation.php
@@ -1,5 +1,4 @@
 <?php
-
 namespace Vyuldashev\LaravelOpenApi\Attributes;
 
 use Attribute;
@@ -31,6 +30,12 @@ public function __construct(string $id = null, array $tags = [], string $securit
         $this->tags = $tags;
         $this->method = $method;
 
+        if ($security === '') {
+            //user wants to turn off security on this operation
+            $this->security = $security;
+            return;
+        }
+
         if ($security) {
             $this->security = class_exists($security) ? $security : app()->getNamespace().'OpenApi\\SecuritySchemes\\'.$security;
 
diff --git a/src/Builders/Paths/Operation/SecurityBuilder.php b/src/Builders/Paths/Operation/SecurityBuilder.php
@@ -1,10 +1,9 @@
 <?php
-
 namespace Vyuldashev\LaravelOpenApi\Builders\Paths\Operation;
 
+use Vyuldashev\LaravelOpenApi\RouteInformation;
 use GoldSpecDigital\ObjectOrientedOAS\Objects\SecurityRequirement;
 use Vyuldashev\LaravelOpenApi\Attributes\Operation as OperationAttribute;
-use Vyuldashev\LaravelOpenApi\RouteInformation;
 
 class SecurityBuilder
 {
@@ -14,6 +13,10 @@ public function build(RouteInformation $route): array
             ->filter(static fn (object $attribute) => $attribute instanceof OperationAttribute)
             ->filter(static fn (OperationAttribute $attribute) => isset($attribute->security))
             ->map(static function (OperationAttribute $attribute) {
+                // return a null scheme if the security is set to ''
+                if ($attribute->security === '') {
+                    return SecurityRequirement::create()->securityScheme(null);
+                }
                 $security = app($attribute->security);
                 $scheme = $security->build();
 
diff --git a/src/Builders/Paths/OperationsBuilder.php b/src/Builders/Paths/OperationsBuilder.php
@@ -1,19 +1,18 @@
 <?php
-
 namespace Vyuldashev\LaravelOpenApi\Builders\Paths;
 
-use GoldSpecDigital\ObjectOrientedOAS\Exceptions\InvalidArgumentException;
-use GoldSpecDigital\ObjectOrientedOAS\Objects\Operation;
-use Illuminate\Support\Collection;
 use Illuminate\Support\Str;
-use Vyuldashev\LaravelOpenApi\Attributes\Operation as OperationAttribute;
+use Illuminate\Support\Collection;
+use Vyuldashev\LaravelOpenApi\RouteInformation;
+use GoldSpecDigital\ObjectOrientedOAS\Objects\Operation;
 use Vyuldashev\LaravelOpenApi\Builders\ExtensionsBuilder;
+use Vyuldashev\LaravelOpenApi\Builders\Paths\Operation\SecurityBuilder;
 use Vyuldashev\LaravelOpenApi\Builders\Paths\Operation\CallbacksBuilder;
+use Vyuldashev\LaravelOpenApi\Builders\Paths\Operation\ResponsesBuilder;
+use Vyuldashev\LaravelOpenApi\Attributes\Operation as OperationAttribute;
 use Vyuldashev\LaravelOpenApi\Builders\Paths\Operation\ParametersBuilder;
+use GoldSpecDigital\ObjectOrientedOAS\Exceptions\InvalidArgumentException;
 use Vyuldashev\LaravelOpenApi\Builders\Paths\Operation\RequestBodyBuilder;
-use Vyuldashev\LaravelOpenApi\Builders\Paths\Operation\ResponsesBuilder;
-use Vyuldashev\LaravelOpenApi\Builders\Paths\Operation\SecurityBuilder;
-use Vyuldashev\LaravelOpenApi\RouteInformation;
 
 class OperationsBuilder
 {
@@ -73,8 +72,14 @@ public function build(array | Collection $routes): array
                 ->parameters(...$parameters)
                 ->requestBody($requestBody)
                 ->responses(...$responses)
-                ->callbacks(...$callbacks)
-                ->security(...$security);
+                ->callbacks(...$callbacks);
+
+            /** Not the cleanest code, we need to call notSecurity instead of security when our security has been turned off */
+            if (count($security) === 1 && $security[0]->securityScheme === null) {
+                $operation = $operation->noSecurity();
+            } else {
+                $operation = $operation->security(...$security);
+            }
 
             $this->extensionsBuilder->build($operation, $route->actionAttributes);
 
diff --git a/tests/Builders/SecurityBuilderTest.php b/tests/Builders/SecurityBuilderTest.php
@@ -0,0 +1,225 @@
+<?php
+namespace Vyuldashev\LaravelOpenApi\Tests\Builders;
+
+use phpDocumentor\Reflection\DocBlock;
+use Vyuldashev\LaravelOpenApi\Tests\TestCase;
+use GoldSpecDigital\ObjectOrientedOAS\OpenApi;
+use Vyuldashev\LaravelOpenApi\RouteInformation;
+use GoldSpecDigital\ObjectOrientedOAS\Objects\PathItem;
+use GoldSpecDigital\ObjectOrientedOAS\Objects\Operation;
+use GoldSpecDigital\ObjectOrientedOAS\Objects\Components;
+use GoldSpecDigital\ObjectOrientedOAS\Objects\SecurityScheme;
+use Vyuldashev\LaravelOpenApi\Factories\SecuritySchemeFactory;
+use Vyuldashev\LaravelOpenApi\Builders\Paths\OperationsBuilder;
+use GoldSpecDigital\ObjectOrientedOAS\Objects\SecurityRequirement;
+use Vyuldashev\LaravelOpenApi\Builders\Paths\Operation\SecurityBuilder;
+use Vyuldashev\LaravelOpenApi\Attributes\Operation as AttributesOperation;
+
+class SecurityBuilderTest extends TestCase
+{
+    /**
+     * We're just making sure we're getting the expected output
+     */
+    public function testWeCanBuildUpTheSecurityScheme(): void
+    {
+        $securityFactory = resolve(JwtSecurityScheme::class);
+        $testJwtScheme = $securityFactory->build();
+
+        $globalRequirement = SecurityRequirement::create('JWT')
+            ->securityScheme($testJwtScheme);
+
+        $components = Components::create()
+            ->securitySchemes($testJwtScheme);
+
+        $operation = Operation::create()
+            ->action('get');
+
+        $openApi = OpenApi::create()
+            ->security($globalRequirement)
+            ->components($components)
+            ->paths(
+                PathItem::create()
+                    ->route('/foo')
+                    ->operations($operation)
+            );
+
+        self::assertSame([
+            'paths' => [
+                '/foo' => [
+                    'get' => [],
+                ],
+            ],
+            'components' => [
+                'securitySchemes' => [
+                    'JWT' => [
+                        'type' => 'http',
+                        'name' => 'TestScheme',
+                        'in' => 'header',
+                        'scheme' => 'bearer',
+                        'bearerFormat' => 'JWT',
+                    ],
+                ],
+            ],
+            'security' => [
+                [
+                    'JWT' => [],
+                ]
+            ]
+        ], $openApi->toArray());
+    }
+
+    /**
+     * We're just verifying that the builder is capable of
+     * adding security information to the operation
+     */
+    public function testWeCanAddOperationSecurityUsingBuilder()
+    {
+        $securityFactory = resolve(JwtSecurityScheme::class);
+        $testJwtScheme = $securityFactory->build();
+
+        $globalRequirement = SecurityRequirement::create('JWT')
+            ->securityScheme($testJwtScheme);
+
+        $components = Components::create()
+            ->securitySchemes($testJwtScheme);
+
+        $routeInfo = new RouteInformation;
+        $routeInfo->action = 'get';
+        $routeInfo->name = 'test route';
+        $routeInfo->actionAttributes = collect([
+            new AttributesOperation(security: JwtSecurityScheme::class),
+        ]);
+        $routeInfo->uri = '/example';
+
+        /** @var SecurityBuilder */
+        $builder = resolve(SecurityBuilder::class);
+
+        $operation = Operation::create()
+            ->security(...$builder->build($routeInfo))
+            ->action('get');
+
+        $openApi = OpenApi::create()
+        ->security($globalRequirement)
+        ->components($components)
+        ->paths(
+            PathItem::create()
+                ->route('/foo')
+                ->operations($operation)
+        );
+
+        self::assertSame([
+            'paths' => [
+                '/foo' => [
+                    'get' => [
+                        'security' => [
+                            [
+                                'JWT' => []
+                            ],
+                        ],
+                    ],
+                ],
+            ],
+            'components' => [
+                'securitySchemes' => [
+                    'JWT' => [
+                        'type' => 'http',
+                        'name' => 'TestScheme',
+                        'in' => 'header',
+                        'scheme' => 'bearer',
+                        'bearerFormat' => 'JWT',
+                    ],
+                ],
+            ],
+            'security' => [
+                [
+                    'JWT' => [],
+                ]
+            ]
+        ], $openApi->toArray());
+    }
+
+    /**
+     * He's the main part of the PR. It's not possible to turn
+     * off security for an operation.
+     */
+    public function testWeCanAddTurnOffOperationSecurityUsingBuilder()
+    {
+        $securityFactory = resolve(JwtSecurityScheme::class);
+        $testJwtScheme = $securityFactory->build();
+
+        $globalRequirement = SecurityRequirement::create('JWT')
+            ->securityScheme($testJwtScheme);
+
+        $components = Components::create()
+            ->securitySchemes($testJwtScheme);
+
+        $routeInfo = new RouteInformation;
+        $routeInfo->parameters = collect();
+        $routeInfo->action = 'foo';
+        $routeInfo->method = 'get';
+        $routeInfo->name = 'test route';
+        $routeInfo->actionDocBlock = new DocBlock('Test');
+        $routeInfo->actionAttributes = collect([
+            /**
+                 * we can set secuity to null to turn it off, as
+                 * that's the default value. So '' is next best
+                 * option?
+                */
+            new AttributesOperation(security: ''),
+        ]);
+
+        /** @var OperationsBuilder */
+        $operationsBuilder = resolve(OperationsBuilder::class);
+
+        $operations = $operationsBuilder->build([$routeInfo]);
+
+        $openApi = OpenApi::create()
+        ->security($globalRequirement)
+        ->components($components)
+        ->paths(
+            PathItem::create()
+                ->route('/foo')
+                ->operations(...$operations)
+        );
+
+        self::assertSame([
+            'paths' => [
+                '/foo' => [
+                    'get' => [
+                        'summary' => 'Test',
+                        'security' => [],
+                    ],
+                ],
+            ],
+            'components' => [
+                'securitySchemes' => [
+                    'JWT' => [
+                        'type' => 'http',
+                        'name' => 'TestScheme',
+                        'in' => 'header',
+                        'scheme' => 'bearer',
+                        'bearerFormat' => 'JWT',
+                    ],
+                ],
+            ],
+            'security' => [
+                [
+                    'JWT' => [],
+                ]
+            ]
+        ], $openApi->toArray());
+    }
+}
+
+class JwtSecurityScheme extends SecuritySchemeFactory
+{
+    public function build(): SecurityScheme
+    {
+        return SecurityScheme::create('JWT')
+            ->name('TestScheme')
+            ->type(SecurityScheme::TYPE_HTTP)
+            ->in(SecurityScheme::IN_HEADER)
+            ->scheme('bearer')
+            ->bearerFormat('JWT');
+    }
+}
