
allow missing security schemes #232

Closed

vijayvepa wants to merge 2 commits into OpenAPITools:master from vijayvepa:support-spring-fox

Conversation

@vijayvepa commented May 13, 2021

Our company uses the following process in the contract validation space (currently with Swagger 2.0/assertj-swagger):

  • Create a contract-first specification in YAML/Swagger 2.0
  • Generate code from the contract-first specification (using Swagger Codegen)
  • Resolve, at runtime, the implemented specification from the code using Swagger Annotations and Spring Fox
  • Compare the implemented specification with the contract-first specification to ensure it matches

We are planning to migrate to Open Api 3.0 and, as part of the research, I found this tool as a replacement for assertj-swagger.
When I was trying it out with the above use case, I found that the comparison is not allowed when security schemes are missing. Currently spring-fox is unable to resolve security schemes correctly.

I wanted to get a workaround by allowing missing security schemes.

Here's the sample code for our validation process:

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import com.google.common.collect.ImmutableList;
import io.swagger.parser.OpenAPIParser;
import io.swagger.v3.oas.models.OpenAPI;
import io.swagger.v3.parser.core.models.SwaggerParseResult;
import java.io.File;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import org.junit.Test;
import org.openapitools.openapidiff.core.OpenApiCompare;
import org.openapitools.openapidiff.core.model.Changed;
import org.openapitools.openapidiff.core.model.ChangedOpenApi;
import org.openapitools.openapidiff.core.model.ChangedRequestBody;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MvcResult;

// AbstractControllerTest is our own base class; it provides the configured mockMvc instance.
public class SwaggerTests extends AbstractControllerTest {

    @Test
    public void validateImplementationAgainstDesignSpec() throws Exception {

        // contract-first specification yaml
        String projectPath = new File(".").getAbsoluteFile().getParentFile().getPath();
        String currContractLocation = projectPath + "/api/petstore-3-0.yaml";

        // resolved implementation specification (spring fox)
        MvcResult mvcResult = this.mockMvc.perform(get("/v3/api-docs?group=default")
                        .accept(MediaType.APPLICATION_JSON))
                .andExpect(status().isOk())
                .andReturn();

        assertNotNull(mvcResult);
        assertNotNull(mvcResult.getResponse());

        SwaggerParseResult spec = new OpenAPIParser().readLocation(currContractLocation, null, null);
        OpenAPI specApi = spec.getOpenAPI();

        SwaggerParseResult impl = new OpenAPIParser().readContents(
                mvcResult.getResponse().getContentAsString(), null, null);
        OpenAPI implApi = impl.getOpenAPI();

        //assertEquals(specApi, implApi);

        // comparison between implementation and specification
        final ChangedOpenApi changedOpenApi = OpenApiCompare.fromSpecifications(specApi, implApi);

        assertNotNull(changedOpenApi);

        // operations whose differences are tolerated
        final List<String> ignoredOperations = ImmutableList.of("uploadFileUsingPOST");

        changedOpenApi.getChangedOperations().forEach(changedOperation -> {

            if (ignoredOperations.contains(changedOperation.getOperationId().getRight())) {
                System.out.println("IGNORING " + changedOperation.getOperationId());
                return;
            }

            final ChangedRequestBody requestBody = changedOperation.getRequestBody();
            if (requestBody == null) {
                return;
            }

            final List<Changed> changedElements = requestBody.getChangedElements();
            if (changedElements == null) {
                return;
            }

            // only incompatible (breaking) request-body changes fail the test
            final List<Changed> incompatible = changedElements.stream()
                    .filter(Objects::nonNull)
                    .filter(Changed::isIncompatible)
                    .collect(Collectors.toList());

            assertEquals(changedOperation.getOperationId() + " incompatible: " + incompatible,
                    0, incompatible.size());
        });
    }
}
```

Here's a sample consumption project where it works with the change (and does not work with master).

OpenApiConsume3.zip
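One narrower way to surface the situation this PR works around, added here as an illustration and not code from the PR or from openapi-diff: before running the diff, walk the implementation model and list every security scheme that the document or its operations require but that `#/components/securitySchemes` never declares. Class and method names and the inline YAML document are constructed for this example; it assumes swagger-parser-v3 (which the test above already uses) on the classpath.

```java
import io.swagger.parser.OpenAPIParser;
import io.swagger.v3.oas.models.OpenAPI;
import io.swagger.v3.oas.models.security.SecurityRequirement;
import java.util.*;

public final class SecuritySchemeCheck {

    // Scheme names required by global or per-operation security requirements
    // that have no entry under #/components/securitySchemes.
    static Set<String> undeclaredSecuritySchemes(OpenAPI api) {
        Set<String> declared = new HashSet<>();
        if (api.getComponents() != null && api.getComponents().getSecuritySchemes() != null) {
            declared.addAll(api.getComponents().getSecuritySchemes().keySet());
        }
        Set<String> referenced = new TreeSet<>();
        collect(api.getSecurity(), referenced);   // document-level requirements
        if (api.getPaths() != null) {
            api.getPaths().values().forEach(item ->
                item.readOperations().forEach(op -> collect(op.getSecurity(), referenced)));
        }
        referenced.removeAll(declared);
        return referenced;
    }

    // A SecurityRequirement is a Map<schemeName, scopes>; only the keys matter here.
    private static void collect(List<SecurityRequirement> requirements, Set<String> out) {
        if (requirements == null) return;
        requirements.forEach(req -> out.addAll(req.keySet()));
    }

    public static void main(String[] args) {
        // Constructed sample: "api_key" is required, but no securitySchemes section exists.
        String impl = String.join("\n",
            "openapi: 3.0.1",
            "info: {title: petstore, version: '1'}",
            "paths:",
            "  /pets:",
            "    get:",
            "      operationId: listPets",
            "      security:",
            "        - api_key: []",
            "      responses:",
            "        '200': {description: ok}");
        OpenAPI api = new OpenAPIParser().readContents(impl, null, null).getOpenAPI();
        Set<String> missing = undeclaredSecuritySchemes(api);
        if (!missing.isEmpty()) {
            throw new AssertionError("implementation references undeclared security schemes: " + missing);
        }
    }
}
```

Placed before `OpenApiCompare.fromSpecifications` in a test like the one above, the check reports the offending scheme names as a readable assertion instead of letting the comparison fail, and it leaves openapi-diff's own `$ref` resolution untouched.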

@DrSatyr (Collaborator) commented May 7, 2026

Thanks for the contribution.

This PR is now stale and conflicting. The underlying issue still exists on master, but this implementation is too broad because it changes global $ref handling in RefPointer, which could hide invalid refs outside security schemes.

Closing this PR. If still needed, this should be reworked as a fresh, narrow fix focused only on missing/unknown security schemes with tests.

@DrSatyr DrSatyr closed this May 7, 2026

Development

Successfully merging this pull request may close these issues:

  • Missing #/components/securitySchemes section leads to IllegalArgumentException