Merge pull request api-platform#1240 from bartwesselink/feature/swagger-ui-api-key-implementation

feature: Implement SwaggerUI api key authentication functionality

Author: Simperfit

src/Bridge/Symfony/Bundle/DependencyInjection/ApiPlatformExtension.php

@@ -111,6 +111,7 @@ public function load(array $configs, ContainerBuilder $container)
 
         $this->registerMetadataConfiguration($container, $config, $loader);
         $this->registerOAuthConfiguration($container, $config, $loader);
+        $this->registerApiKeysConfiguration($container, $config, $loader);
         $this->registerSwaggerConfiguration($container, $config, $loader);
         $this->registerJsonLdConfiguration($formats, $loader);
         $this->registerJsonHalConfiguration($formats, $loader);
@@ -269,6 +270,18 @@ private function registerOAuthConfiguration(ContainerBuilder $container, array $
         $container->setParameter('api_platform.oauth.scopes', $config['oauth']['scopes']);
     }
 
+    /**
+     * Registers the api keys configuration.
+     *
+     * @param ContainerBuilder $container
+     * @param array            $config
+     * @param XmlFileLoader    $loader
+     */
+    private function registerApiKeysConfiguration(ContainerBuilder $container, array $config, XmlFileLoader $loader)
+    {
+        $container->setParameter('api_platform.swagger.api_keys', $config['swagger']['api_keys']);
+    }
+
     /**
      * Registers the Swagger and Swagger UI configuration.
      *

src/Bridge/Symfony/Bundle/DependencyInjection/Configuration.php

@@ -86,6 +86,24 @@ public function getConfigTreeBuilder()
                     ->end()
                 ->end()
 
+                ->arrayNode('swagger')
+                    ->addDefaultsIfNotSet()
+                    ->children()
+                             ->arrayNode('api_keys')
+                             ->addDefaultsIfNotSet()
+                                ->children()
+                                ->scalarNode('name')
+                                    ->info('The name of the header or query parameter containing the api key.')
+                                ->end()
+                                ->enumNode('type')
+                                    ->info('Whether the api key should be a query parameter or a header.')
+                                    ->values(['query', 'header'])
+                                ->end()
+                            ->end()
+                        ->end()
+                    ->end()
+                ->end()
+
                 ->arrayNode('collection')
                     ->addDefaultsIfNotSet()
                     ->children()

src/Bridge/Symfony/Bundle/Resources/config/swagger.xml

@@ -22,7 +22,8 @@
             <argument>%api_platform.oauth.tokenUrl%</argument>
             <argument>%api_platform.oauth.authorizationUrl%</argument>
             <argument>%api_platform.oauth.scopes%</argument>
-            <argument type="service" id="api_platform.subresource_operation_factory"></argument>
+            <argument>%api_platform.swagger.api_keys%</argument>
+            <argument type="service" id="api_platform.subresource_operation_factory" />
             <argument>%api_platform.collection.pagination.enabled%</argument>
             <argument>%api_platform.collection.pagination.page_parameter_name%</argument>
             <argument>%api_platform.collection.pagination.client_items_per_page%</argument>

src/Swagger/Serializer/DocumentationNormalizer.php

@@ -59,6 +59,7 @@ final class DocumentationNormalizer implements NormalizerInterface
     private $oauthTokenUrl;
     private $oauthAuthorizationUrl;
     private $oauthScopes;
+    private $apiKeys;
     private $subresourceOperationFactory;
     private $paginationEnabled;
     private $paginationPageParameterName;
@@ -68,7 +69,7 @@ final class DocumentationNormalizer implements NormalizerInterface
     /**
      * @param ContainerInterface|FilterCollection|null $filterLocator The new filter locator or the deprecated filter collection
      */
-    public function __construct(ResourceMetadataFactoryInterface $resourceMetadataFactory, PropertyNameCollectionFactoryInterface $propertyNameCollectionFactory, PropertyMetadataFactoryInterface $propertyMetadataFactory, ResourceClassResolverInterface $resourceClassResolver, OperationMethodResolverInterface $operationMethodResolver, OperationPathResolverInterface $operationPathResolver, UrlGeneratorInterface $urlGenerator = null, $filterLocator = null, NameConverterInterface $nameConverter = null, $oauthEnabled = false, $oauthType = '', $oauthFlow = '', $oauthTokenUrl = '', $oauthAuthorizationUrl = '', $oauthScopes = [], SubresourceOperationFactoryInterface $subresourceOperationFactory = null, $paginationEnabled = true, $paginationPageParameterName = 'page', $clientItemsPerPage = false, $itemsPerPageParameterName = 'itemsPerPage')
+    public function __construct(ResourceMetadataFactoryInterface $resourceMetadataFactory, PropertyNameCollectionFactoryInterface $propertyNameCollectionFactory, PropertyMetadataFactoryInterface $propertyMetadataFactory, ResourceClassResolverInterface $resourceClassResolver, OperationMethodResolverInterface $operationMethodResolver, OperationPathResolverInterface $operationPathResolver, UrlGeneratorInterface $urlGenerator = null, $filterLocator = null, NameConverterInterface $nameConverter = null, $oauthEnabled = false, $oauthType = '', $oauthFlow = '', $oauthTokenUrl = '', $oauthAuthorizationUrl = '', array $oauthScopes = [], array $apiKeys = [], SubresourceOperationFactoryInterface $subresourceOperationFactory = null, $paginationEnabled = true, $paginationPageParameterName = 'page', $clientItemsPerPage = false, $itemsPerPageParameterName = 'itemsPerPage')
     {
         if ($urlGenerator) {
             @trigger_error(sprintf('Passing an instance of %s to %s() is deprecated since version 2.1 and will be removed in 3.0.', UrlGeneratorInterface::class, __METHOD__), E_USER_DEPRECATED);
@@ -92,6 +93,8 @@ public function __construct(ResourceMetadataFactoryInterface $resourceMetadataFa
         $this->subresourceOperationFactory = $subresourceOperationFactory;
         $this->paginationEnabled = $paginationEnabled;
         $this->paginationPageParameterName = $paginationPageParameterName;
+        $this->apiKeys = $apiKeys;
+        $this->subresourceOperationFactory = $subresourceOperationFactory;
         $this->clientItemsPerPage = $clientItemsPerPage;
         $this->itemsPerPageParameterName = $itemsPerPageParameterName;
     }
@@ -612,19 +615,41 @@ private function computeDoc(Documentation $documentation, \ArrayObject $definiti
             'paths' => $paths,
         ];
 
+        $securityDefinitions = [];
+        $security = [];
+
         if ($this->oauthEnabled) {
-            $doc['securityDefinitions'] = [
-                'oauth' => [
-                    'type' => $this->oauthType,
-                    'description' => 'OAuth client_credentials Grant',
-                    'flow' => $this->oauthFlow,
-                    'tokenUrl' => $this->oauthTokenUrl,
-                    'authorizationUrl' => $this->oauthAuthorizationUrl,
-                    'scopes' => $this->oauthScopes,
-                ],
+            $securityDefinitions['oauth'] = [
+                'type' => $this->oauthType,
+                'description' => 'OAuth client_credentials Grant',
+                'flow' => $this->oauthFlow,
+                'tokenUrl' => $this->oauthTokenUrl,
+                'authorizationUrl' => $this->oauthAuthorizationUrl,
+                'scopes' => $this->oauthScopes,
             ];
 
-            $doc['security'] = [['oauth' => []]];
+            $security[] = ['oauth' => []];
+        }
+
+        if ($this->apiKeys) {
+            foreach ($this->apiKeys as $key => $apiKey) {
+                $name = $apiKey['name'];
+                $type = $apiKey['type'];
+
+                $securityDefinitions[$key] = [
+                    'type' => 'apiKey',
+                    'in' => $type,
+                    'description' => sprintf('Value for the %s %s', $name, $type === 'query' ? sprintf('%s parameter', $type) : $type),
+                    'name' => $name,
+                ];
+
+                $security[] = [$key => []];
+            }
+        }
+
+        if ($securityDefinitions && $security) {
+            $doc['securityDefinitions'] = $securityDefinitions;
+            $doc['security'] = $security;
         }
 
         if ('' !== $description = $documentation->getDescription()) {

tests/Bridge/Symfony/Bundle/DependencyInjection/ApiPlatformExtensionTest.php

@@ -471,6 +471,7 @@ private function getContainerBuilderProphecy()
             'api_platform.oauth.tokenUrl' => '/oauth/v2/token',
             'api_platform.oauth.authorizationUrl' => '/oauth/v2/auth',
             'api_platform.oauth.scopes' => [],
+            'api_platform.swagger.api_keys' => [],
             'api_platform.enable_swagger' => true,
             'api_platform.enable_swagger_ui' => true,
             'api_platform.resource_class_directories' => Argument::type('array'),

tests/Bridge/Symfony/Bundle/DependencyInjection/ConfigurationTest.php

@@ -84,6 +84,9 @@ public function testDefaultConfig()
                 'authorizationUrl' => '/oauth/v2/auth',
                 'scopes' => [],
             ],
+            'swagger' => [
+                'api_keys' => [],
+            ],
             'eager_loading' => [
                 'enabled' => true,
                 'max_joins' => 30,
@@ -208,4 +211,26 @@ public function testExceptionToStatusConfigWithInvalidHttpStatusCodeValue($inval
             ],
         ]);
     }
+
+    /**
+     * Test config for api keys.
+     */
+    public function testApiKeysConfig()
+    {
+        $exampleConfig = [
+                'name' => 'Authorization',
+                'type' => 'query',
+        ];
+
+        $config = $this->processor->processConfiguration($this->configuration, [
+            'api_platform' => [
+                'swagger' => [
+                    'api_keys' => $exampleConfig,
+               ],
+            ],
+        ]);
+
+        $this->assertTrue(isset($config['swagger']['api_keys']));
+        $this->assertSame($exampleConfig, $config['swagger']['api_keys']);
+    }
 }

tests/Swagger/Serializer/DocumentationNormalizerTest.php

@@ -424,6 +424,131 @@ public function testNormalizeWithNameConverter()
         $this->assertEquals($expected, $normalizer->normalize($documentation));
     }
 
+    /**
+     * @group legacy
+     * @expectedDeprecation The use of ApiPlatform\Core\PathResolver\UnderscoreOperationPathResolver is deprecated since 2.1. Please use PathSegmentNameGenerator
+     */
+    public function testNormalizeWithApiKeysEnabled()
+    {
+        $documentation = new Documentation(new ResourceNameCollection([Dummy::class]), 'Test API', 'This is a test API.', '1.2.3', ['jsonld' => ['application/ld+json']]);
+
+        $propertyNameCollectionFactoryProphecy = $this->prophesize(PropertyNameCollectionFactoryInterface::class);
+        $propertyNameCollectionFactoryProphecy->create(Dummy::class, [])->shouldBeCalled()->willReturn(new PropertyNameCollection(['name']));
+
+        $dummyMetadata = new ResourceMetadata('Dummy', 'This is a dummy.', null, ['get' => ['method' => 'GET']], [], []);
+
+        $resourceMetadataFactoryProphecy = $this->prophesize(ResourceMetadataFactoryInterface::class);
+        $resourceMetadataFactoryProphecy->create(Dummy::class)->shouldBeCalled()->willReturn($dummyMetadata);
+
+        $propertyMetadataFactoryProphecy = $this->prophesize(PropertyMetadataFactoryInterface::class);
+        $propertyMetadataFactoryProphecy->create(Dummy::class, 'name')->shouldBeCalled()->willReturn(new PropertyMetadata(new Type(Type::BUILTIN_TYPE_STRING), 'This is a name.', true, true, null, null, false));
+
+        $resourceClassResolverProphecy = $this->prophesize(ResourceClassResolverInterface::class);
+        $resourceClassResolverProphecy->isResourceClass(Dummy::class)->willReturn(true);
+
+        $operationMethodResolverProphecy = $this->prophesize(OperationMethodResolverInterface::class);
+        $operationMethodResolverProphecy->getItemOperationMethod(Dummy::class, 'get')->shouldBeCalled()->willReturn('GET');
+
+        $operationPathResolver = new CustomOperationPathResolver(new UnderscoreOperationPathResolver());
+
+        $apiKeysConfiguration = [
+            'header' => [
+                'type' => 'header',
+                'name' => 'Authorization',
+            ],
+            'query' => [
+                'type' => 'query',
+                'name' => 'key',
+            ],
+        ];
+
+        $normalizer = new DocumentationNormalizer(
+            $resourceMetadataFactoryProphecy->reveal(),
+            $propertyNameCollectionFactoryProphecy->reveal(),
+            $propertyMetadataFactoryProphecy->reveal(),
+            $resourceClassResolverProphecy->reveal(),
+            $operationMethodResolverProphecy->reveal(),
+            $operationPathResolver,
+            null,
+            null,
+            null,
+            false,
+            null,
+            null,
+            null,
+            null,
+            [],
+            $apiKeysConfiguration
+        );
+
+        $expected = [
+            'swagger' => '2.0',
+            'basePath' => '/app_dev.php/',
+            'info' => [
+                'title' => 'Test API',
+                'description' => 'This is a test API.',
+                'version' => '1.2.3',
+            ],
+            'paths' => new \ArrayObject([
+                '/dummies/{id}' => [
+                    'get' => new \ArrayObject([
+                        'tags' => ['Dummy'],
+                        'operationId' => 'getDummyItem',
+                        'produces' => ['application/ld+json'],
+                        'summary' => 'Retrieves a Dummy resource.',
+                        'parameters' => [
+                            [
+                                'name' => 'id',
+                                'in' => 'path',
+                                'type' => 'string',
+                                'required' => true,
+                            ],
+                        ],
+                        'responses' => [
+                            200 => [
+                                'description' => 'Dummy resource response',
+                                'schema' => ['$ref' => '#/definitions/Dummy'],
+                            ],
+                            404 => ['description' => 'Resource not found'],
+                        ],
+                    ]),
+                ],
+            ]),
+            'definitions' => new \ArrayObject([
+                'Dummy' => new \ArrayObject([
+                    'type' => 'object',
+                    'description' => 'This is a dummy.',
+                    'properties' => [
+                        'name' => new \ArrayObject([
+                            'type' => 'string',
+                            'description' => 'This is a name.',
+                        ]),
+                    ],
+                ]),
+            ]),
+            'securityDefinitions' => [
+                'header' => [
+                    'type' => 'apiKey',
+                    'in' => 'header',
+                    'description' => 'Value for the Authorization header',
+                    'name' => 'Authorization',
+                ],
+                'query' => [
+                    'type' => 'apiKey',
+                    'in' => 'query',
+                    'description' => 'Value for the key query parameter',
+                    'name' => 'key',
+                ],
+            ],
+            'security' => [
+                ['header' => []],
+                ['query' => []],
+            ],
+        ];
+
+        $this->assertEquals($expected, $normalizer->normalize($documentation, DocumentationNormalizer::FORMAT, ['base_url' => '/app_dev.php/']));
+    }
+
     /**
      * @group legacy
      * @expectedDeprecation The use of ApiPlatform\Core\PathResolver\UnderscoreOperationPathResolver is deprecated since 2.1. Please use PathSegmentNameGenerator instead
@@ -1608,7 +1733,7 @@ public function testNormalizeWithSubResource()
             $resourceClassResolverProphecy->reveal(),
             $operationMethodResolverProphecy->reveal(),
             $operationPathResolver,
-            null, null, null, false, '', '', '', '', [],
+            null, null, null, false, '', '', '', '', [], [],
             $subresourceOperationFactory
         );