Overriding securedBy shows inconsistent parsing results

Question

Overriding securedBy shows inconsistent parsing results

CoderSpinoza opened this issue 5 years ago · comments

I want to override securedBy node of a method in an extension, but having a hard time making it work as expected. The simplified version of the specs are like below.

First case

#%RAML 1.0
title: Public API
baseUri: https://example.com/v1
securitySchemes:
  oauth: !include securitySchemes/oauth.raml
/users:
  get:
    securedBy: [oauth]

#%RAML 1.0
title: Private API
baseUri: https://example.com/v1/internal
securitySchemes:
  adminKey: !include securitySchemes/admin_key.raml
/users:
  get:
    securedBy: [adminKey]

It is basically providing additional security scheme for private internal users. What I expect for the /users endpoint of Private API is to have two security schema applications, oauth, and admin_key. However, I am just getting one security scheme adminKey for Private API.

If I declare two security schemes in Private API like below, I get three security schemes [oauth, adminKey, oauth], which neither is what I want.

Second case

#%RAML 1.0
title: Private API
baseUri: https://example.com/v1/internal
securitySchemes:
  adminKey: !include securitySchemes/admin_key.raml
/users:
  get:
    securedBy: [oauth, adminKey]

According to the spec in RAML 1.0 Spec, security schema applications are considered simple properties in merging rules.

Security Schema applications are always Simple Properties.

What I guess is that:

The first case regards securedBy as a single-value simple property, which is just replaced with the value in extension Private API.
The second case regards securedBy as a multi-value simple property, which concatenates these values to produce [oauth, adminKey, oauth] combination.

Merging rule for simple properties are also stated in RAML 1.0 Spec.

If the property is a Simple Property
- If the property is a Single-value Simple Property,
  - The property value in the identically named Current Target Tree Object property is replaced with its value from Current Extension Tree Object property.
- If the property is a Multi-value Simple Property
  - The property value from Current Extension Tree Object property is added to the identically named Current Target Tree Object property values if no such value already exists.

Final question

My final question is this. What would be the best way to apply an additional security scheme to an endpoint in extension? Thanks for your help in advance :)

Artem Kostiuk · Answer 1 · Wed Sep 25 2019 17:51:59 GMT+0800 (China Standard Time)

Note that raml-js-parser-2 has been deprecated, the new official parser is webapi-parcser. Feel free to attempt to reproduce this issue with webapi-parser and report any issue you may have on that repository.

Hara Kang · Answer 2 · Fri Sep 27 2019 09:37:14 GMT+0800 (China Standard Time)

@postatum Yeap thanks. I will close this issue. :)

Artem Kostiuk · Answer 3 · Fri Sep 27 2019 14:28:20 GMT+0800 (China Standard Time)

@postatum Yeap thanks. I will close this issue. :)

Nice, thanks.