Description
Bug Report Checklist
- Have you provided a full/minimal spec to reproduce the issue?
- Have you validated the input using an OpenAPI validator (example)?
- What's the version of OpenAPI Generator used?
- Have you searched for related issues/PRs?
- What's the actual output vs expected output?
- [Optional] Bounty to sponsor the fix (example)
Description
The PHP code generator does not validate the value of the "scheme" attribute in the security scheme object. It assumes that when type is set to "http", the auth scheme is "basic". But that's not always the case. Other HTTP schemes are defined in the IANA registry.
The "scheme" attribute in the security scheme object is required, as specified in OAS 3.0.2.
The value of the "scheme" attribute must be the auth scheme from the IANA registry available at https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml (as per RFC 7235).
openapi-generator version
master branch, January 18 2020
OpenAPI declaration file content or url
Consider the following OAS security schemes:
    securitySchemes:
      http_basic_test:
        type: http
        scheme: basic
      http_scram:
        type: http
        scheme: SCRAM-SHA-256
      http_other_scheme:
        type: http
        scheme: my-security-scheme-value

The PHP generator properly generates the code for "http_basic_test". For the other two scheme values (http_scram and http_other_scheme), the generator still produces code assuming the scheme value is "basic".
I found this issue while working on PR #4993 and #4958
Command line used for generation
./bin/openapi3/php-petstore.sh
Steps to reproduce
- Edit modules/openapi-generator/src/test/resources/3_0/petstore-with-fake-endpoints-models-for-testing.yaml and add the following scheme:

      http_signature_test:
        type: http
        scheme: signature

  The "signature" value is NOT HTTP basic. This is just an example, I think any value would produce the same results.
- Execute ./bin/openapi3/php-petstore.sh
- Notice the following code is generated in b/samples/openapi3/client/petstore/php/OpenAPIClient-php/lib/Api/PetApi.php:
+ // this endpoint requires HTTP basic authentication
+ if (!empty($this->config->getUsername()) || !(empty($this->config->getPassword()))) {
+ $headers['Authorization'] = 'Basic ' . base64_encode($this->config->getUsername() . ":" . $this->config->getPassword());
+ }
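Review bot: the `$headers['Authorization'] = 'Basic ' . base64_encode(...)` line is guarded only by whether a username or password is configured, with no check on the declared scheme, so for a scheme declared as `signature` any credentials set on the config are still sent as a Basic header. The block should be emitted only when the security scheme's "scheme" value is `basic`, compared case-insensitively since HTTP auth scheme names are case-insensitive, and omitted for every other value.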
I would expect the PHP generator to inspect the value of "scheme" and skip the "http basic" code generation.
Related issues/PRs
Similar issue: #239
Suggest a fix
I think the code generator should validate the value of the "scheme" attribute. If it does not understand the value and cannot generate the code that will be able to implement this value, it should skip the security scheme. Or alternatively it should fail, but I think skipping is better.
My reasoning for skipping is that if an OAS spec supports multiple schemes, at least the PHP generator will be able to generate a subset of the schemes, even if it does not support all of them.
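The skip-instead-of-fail behaviour suggested above, sketched as an added example that is not openapi-generator code and not part of the original report. The function name, the supported set {basic, bearer} and the sample input (the report's schemes plus two constructed edge cases, given as an already-parsed mapping) are assumptions.

```python
import re

# Assumption: the http schemes this hypothetical generator can emit code for.
SUPPORTED_HTTP_SCHEMES = {"basic", "bearer"}
# An RFC 7235 auth-scheme is a token (RFC 7230 tchar characters).
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def partition_security_schemes(security_schemes):
    """Split a parsed securitySchemes mapping into (generate, skipped).

    generate: {name: normalized http scheme, or the type for non-http entries}
    skipped:  {name: reason the entry gets no generated auth code}
    """
    generate, skipped = {}, {}
    for name, definition in security_schemes.items():
        if definition.get("type") != "http":
            # apiKey, oauth2, ... are outside this check; pass them through.
            generate[name] = definition.get("type")
            continue
        scheme = definition.get("scheme")
        if not isinstance(scheme, str) or not TOKEN_RE.match(scheme):
            skipped[name] = "missing or malformed 'scheme' (required by OAS 3.0.2)"
            continue
        normalized = scheme.lower()  # auth-scheme names are case-insensitive
        if normalized in SUPPORTED_HTTP_SCHEMES:
            generate[name] = normalized
        else:
            skipped[name] = f"unsupported http scheme '{scheme}'"
    return generate, skipped


# Constructed input: the schemes from the report plus two edge cases.
SAMPLE = {
    "http_basic_test": {"type": "http", "scheme": "basic"},
    "http_scram": {"type": "http", "scheme": "SCRAM-SHA-256"},
    "http_other_scheme": {"type": "http", "scheme": "my-security-scheme-value"},
    "http_signature_test": {"type": "http", "scheme": "signature"},
    "http_basic_upper": {"type": "http", "scheme": "Basic"},
    "http_no_scheme": {"type": "http"},
}

if __name__ == "__main__":
    generate, skipped = partition_security_schemes(SAMPLE)
    for name, scheme in generate.items():
        print(f"generate {name}: {scheme}")
    for name, reason in skipped.items():
        print(f"skip     {name}: {reason}")
```

Only the two entries whose scheme normalizes to `basic` reach code generation; the rest are reported with a reason, so a spec that mixes supported and unsupported schemes still yields a usable client.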