Fix a bunch of API validation problems

Apparently `nullable` doesn't play well with attribute modifications in
OpenAPI 3.0 (apparently better in 3.1?).

This is evidenced by validations previously passing against newer
versions when it should've been impossible.

OAI/OpenAPI-Specification#1368

app/presenters/api_docs/api_schema.rb

@@ -3,14 +3,26 @@ class APISchema
     attr_reader :schema
     delegate :description, :required, to: :schema
 
+    def self.null_types(schema)
+      all_types(schema).select { |type| type['type'].nil? }
+    end
+
+    def self.non_null_types(schema)
+      all_types(schema).reject { |type| type['type'].nil? }
+    end
+
+    def self.all_types(schema)
+      (schema['anyOf']&.to_a || []) + (schema['oneOf']&.to_a || []) + (schema['allOf']&.to_a || [])
+    end
+
     def initialize(schema)
       @schema = schema
     end
 
     def properties
       props = []
 
-      schema['allOf']&.each do |schema_nested|
+      self.class.non_null_types(schema).each do |schema_nested|
         schema_nested.properties.each do |property|
           props << property
         end
@@ -56,7 +68,7 @@ def required?
       end
 
       def nullable?
-        attributes['nullable'] || attributes['oneOf']&.any? { |ref_type| ref_type['type'].nil? }
+        attributes['nullable'] || APISchema.null_types(attributes).any?
       end
 
       def deprecated?
@@ -87,8 +99,8 @@ def object_schema_name
           linked_schema = attributes['items']
         end
 
-        if attributes['oneOf'].present?
-          linked_schema = attributes['oneOf'].find { |ref_type| ref_type['type'].present? }
+        if (non_null_types = APISchema.non_null_types(attributes)).any?
+          linked_schema = non_null_types.first
         end
 
         location = linked_schema.node_context.source_location.to_s

config/vendor_api/draft.yml

@@ -43,7 +43,7 @@ components:
           - "$ref": "#/components/schemas/Month"
         end_month:
           description: The month the position ended
-          oneOf: # https://github.com/OAI/OpenAPI-Specification/issues/1368
+          anyOf:
           - type: null
           - "$ref": "#/components/schemas/Month"
         skills_relevant_to_teaching:

config/vendor_api/v1.0.yml

@@ -507,20 +507,20 @@ components:
           description: References will only be included once a candidate has accepted an offer and has received a reference. There is no limit to the number of references.
         offer:
           anyOf:
+          - type: null
           - "$ref": "#/components/schemas/Offer"
-          nullable: true
         withdrawal:
           anyOf:
+          - type: null
           - "$ref": "#/components/schemas/Withdrawal"
-          nullable: true
         rejection:
           anyOf:
+          - type: null
           - "$ref": "#/components/schemas/Rejection"
-          nullable: true
         hesa_itt_data:
           anyOf:
+          - type: null
           - "$ref": "#/components/schemas/HESAITTData"
-          nullable: true
           deprecated: true
           description: |
             Values to populate this candidate’s HESA Initial Teacher
@@ -804,7 +804,7 @@ components:
           - Completion of professional skills test
         course:
           description: An optional `course` that you wish to suggest to the candidate.
-          anyOf:
+          oneOf:
           - "$ref": "#/components/schemas/Course"
     Qualification:
       type: object

spec/requests/vendor_api/v1.0/get_multiple_applications_spec.rb

@@ -49,7 +49,7 @@
 
     get_api_request "/api/v1.0/applications?since=#{CGI.escape(1.day.ago.iso8601)}"
 
-    expect(parsed_response).to be_valid_against_openapi_schema('MultipleApplicationsResponse')
+    expect(parsed_response).to be_valid_against_openapi_schema('MultipleApplicationsResponse', '1.0')
   end
 
   it 'returns a ParameterMissingResponse if the `since` parameter is missing' do

spec/requests/vendor_api/v1.0/get_reference_data_spec.rb

@@ -9,7 +9,7 @@
     end
 
     it 'returns a response that is valid according to the OpenAPI schema' do
-      expect(parsed_response).to be_valid_against_openapi_schema('ListResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('ListResponse', '1.0')
     end
 
     it 'includes GCSE subjects' do
@@ -23,7 +23,7 @@
     end
 
     it 'returns a response that is valid according to the OpenAPI schema' do
-      expect(parsed_response).to be_valid_against_openapi_schema('ListResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('ListResponse', '1.0')
     end
 
     it 'includes appropriate subjects' do
@@ -37,7 +37,7 @@
     end
 
     it 'returns a response that is valid according to the OpenAPI schema' do
-      expect(parsed_response).to be_valid_against_openapi_schema('ListResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('ListResponse', '1.0')
     end
 
     it 'includes appropriate grades' do
@@ -51,7 +51,7 @@
     end
 
     it 'returns a response that is valid according to the OpenAPI schema' do
-      expect(parsed_response).to be_valid_against_openapi_schema('ListResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('ListResponse', '1.0')
     end
 
     it 'includes appropriate grades' do

spec/requests/vendor_api/v1.0/get_single_application_spec.rb

@@ -11,7 +11,7 @@
 
     get_api_request "/api/v1.0/applications/#{application_choice.id}"
 
-    expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse')
+    expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse', '1.0')
   end
 
   it 'returns a NotFoundResponse if the application cannot be found' do

spec/requests/vendor_api/v1.0/post_conditions_met_spec.rb

@@ -14,7 +14,7 @@
     post_api_request "/api/v1.0/applications/#{application_choice.id}/confirm-conditions-met"
 
     expect(response).to have_http_status(:ok)
-    expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse')
+    expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse', '1.0')
     expect(parsed_response['data']['attributes']['status']).to eq 'recruited'
   end
 

spec/requests/vendor_api/v1.0/post_conditions_not_met_spec.rb

@@ -14,7 +14,7 @@
     post_api_request "/api/v1.0/applications/#{application_choice.id}/conditions-not-met"
 
     expect(response).to have_http_status(:ok)
-    expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse')
+    expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse', '1.0')
     expect(parsed_response['data']['attributes']['status']).to eq 'conditions_not_met'
   end
 end

spec/requests/vendor_api/v1.0/post_confirm_enrolment_spec.rb

@@ -12,7 +12,7 @@
     post_api_request "/api/v1.0/applications/#{application_choice.id}/confirm-enrolment"
 
     expect(response).to have_http_status(:ok)
-    expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse')
+    expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse', '1.0')
     expect(parsed_response['data']['attributes']['status']).to eq 'recruited'
   end
 

spec/requests/vendor_api/v1.0/post_make_an_offer_spec.rb

@@ -19,12 +19,12 @@
           ],
         },
       }
-      expect(request_body[:data]).to be_valid_against_openapi_schema('MakeOffer')
+      expect(request_body[:data]).to be_valid_against_openapi_schema('MakeOffer', '1.0')
 
       post_api_request "/api/v1.0/applications/#{application_choice.id}/offer", params: request_body
 
       course_option = application_choice.course_option
-      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse', '1.0')
       expect(parsed_response['data']['attributes']['status']).to eq('offer')
       expect(parsed_response['data']['attributes']['offer']).to eq(
         'conditions' => [
@@ -74,12 +74,12 @@
           ],
         },
       }
-      expect(request_body[:data]).to be_valid_against_openapi_schema('MakeOffer')
+      expect(request_body[:data]).to be_valid_against_openapi_schema('MakeOffer', '1.0')
 
       post_api_request "/api/v1.0/applications/#{application_choice.id}/offer", params: request_body
 
       course_option = application_choice.course_option
-      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse', '1.0')
       expect(parsed_response['data']['attributes']['status']).to eq('offer')
       expect(parsed_response['data']['attributes']['offer']).to eq(
         'conditions' => [
@@ -109,7 +109,7 @@
         },
       }
 
-      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse', '1.0')
       expect(parsed_response['data']['attributes']['offer']).to eq(
         'conditions' => [],
         'course' => course_option_to_course_payload(other_course_option),
@@ -136,7 +136,7 @@
       }
 
       expect(response).to have_http_status(:unprocessable_entity)
-      expect(parsed_response).to be_valid_against_openapi_schema('UnprocessableEntityResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('UnprocessableEntityResponse', '1.0')
       expect(parsed_response['errors'].map { |e| e['message'] }).to contain_exactly(
         'Course code cannot be blank',
         'Study mode cannot be blank',
@@ -279,7 +279,7 @@
         },
       }
 
-      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse', '1.0')
       expect(parsed_response['data']['attributes']['offer']).to eq(
         'conditions' => [],
         'course' => course_option_to_course_payload(other_course_option),
@@ -303,7 +303,7 @@
         },
       }
 
-      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse', '1.0')
       expect(parsed_response['data']['attributes']['offer']).to eq(
         'conditions' => [],
         'course' => course_option_to_course_payload(other_course_option),
@@ -329,7 +329,7 @@
       }
 
       post_api_request "/api/v1.0/applications/#{application_choice.id}/offer", params: request_body
-      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse', '1.0')
 
       new_course_option = course_option_for_provider(provider: currently_authenticated_provider)
 
@@ -367,7 +367,7 @@
       request_body = { data: { conditions: ['DBS Check'] } }
       post_api_request "/api/v1.0/applications/#{application_choice.id}/offer", params: request_body
 
-      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse', '1.0')
       expect(parsed_response['data']['attributes']['status']).to eq('offer')
     end
   end
@@ -385,7 +385,7 @@
       }
 
       course_option = application_choice.course_option
-      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse', '1.0')
       expect(parsed_response['data']['attributes']['status']).to eq('offer')
       expect(parsed_response['data']['attributes']['offer']).to eq(
         'conditions' => [],

spec/requests/vendor_api/v1.0/post_reject_application_spec.rb

@@ -20,7 +20,7 @@
       post_api_request "/api/v1.0/applications/#{application_choice.id}/reject", params: request_body
 
       expect(response).to have_http_status(:ok)
-      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse', '1.0')
       expect(parsed_response['data']['attributes']['status']).to eq 'rejected'
       expect(parsed_response['data']['attributes']['rejection']).to match a_hash_including(
         'reason' => 'Does not meet minimum GCSE requirements',
@@ -39,7 +39,7 @@
       post_api_request "/api/v1.0/applications/#{application_choice.id}/reject", params: request_body
 
       expect(response).to have_http_status(:ok)
-      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse')
+      expect(parsed_response).to be_valid_against_openapi_schema('SingleApplicationResponse', '1.0')
       expect(parsed_response['data']['attributes']['status']).to eq 'rejected'
       expect(parsed_response['data']['attributes']['rejection']).to match a_hash_including(
         'reason' => 'Course is over-subscribed',

spec/requests/vendor_api/v1.0/post_test_data_clear_spec.rb

@@ -51,6 +51,6 @@
 
   it 'returns responses conforming to the schema' do
     post_api_request('/api/v1.0/test-data/clear')
-    expect(parsed_response).to be_valid_against_openapi_schema('OkResponse')
+    expect(parsed_response).to be_valid_against_openapi_schema('OkResponse', '1.0')
   end
 end

spec/requests/vendor_api/v1.0/post_test_data_generate_spec.rb

@@ -145,22 +145,22 @@
 
     post_api_request '/api/v1.0/test-data/generate?count=1'
 
-    expect(parsed_response).to be_valid_against_openapi_schema('OkResponse')
+    expect(parsed_response).to be_valid_against_openapi_schema('OkResponse', '1.0')
   end
 
   it 'returns error responses on invalid input' do
     create(:course_option, course: create(:course, :open_on_apply, provider: currently_authenticated_provider))
 
     post_api_request '/api/v1.0/test-data/generate?count=1&courses_per_application=2'
 
-    expect(parsed_response).to be_valid_against_openapi_schema('UnprocessableEntityResponse')
+    expect(parsed_response).to be_valid_against_openapi_schema('UnprocessableEntityResponse', '1.0')
   end
 
   it 'returns error when you ask for zero courses per application' do
     create(:course_option, course: create(:course, :open_on_apply, provider: currently_authenticated_provider))
 
     post_api_request '/api/v1.0/test-data/generate?count=1&courses_per_application=0'
 
-    expect(parsed_response).to be_valid_against_openapi_schema('UnprocessableEntityResponse')
+    expect(parsed_response).to be_valid_against_openapi_schema('UnprocessableEntityResponse', '1.0')
   end
 end

spec/requests/vendor_api/v1.1/post_update_interview_spec.rb

@@ -198,7 +198,7 @@ def post_interview!(params:, skip_validation: nil)
         post_interview! params: update_interview_params
 
         expect(response).to have_http_status(:not_found)
-        expect(parsed_response).to be_valid_against_openapi_schema('NotFoundResponse')
+        expect(parsed_response).to be_valid_against_openapi_schema('NotFoundResponse', '1.1')
         expect(parsed_response['errors'].map { |error| error['message'] })
           .to contain_exactly('Unable to find Application(s)')
       end