vxx/glue - paths/security, honor empty Operation security settings

empty Operation security settings were ignored and global scope used instead
commonism · Dec 27, 2023 · da08d4c · da08d4c
1 parent f414b03
commit da08d4c
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 7 deletions.
diff --git a/aiopenapi3/v20/glue.py b/aiopenapi3/v20/glue.py
@@ -83,7 +83,7 @@ def return_value(self, http_status: int = 200, content_type: str = "application/
             return None
 
     def _prepare_security(self):
-        security = self.operation.security or self.api._root.security
+        security = self.operation.security if self.operation.security is not None else self.api._root.security
 
         if not security:
             return

diff --git a/aiopenapi3/v30/glue.py b/aiopenapi3/v30/glue.py
@@ -91,7 +91,7 @@ def return_value(self, http_status: int = 200, content_type: str = "application/
         return None
 
     def _prepare_security(self) -> None:
-        security = self.operation.security or self.api._root.security
+        security = self.operation.security if self.operation.security is not None else self.api._root.security
 
         if not security:
             return

diff --git a/aiopenapi3/v30/paths.py b/aiopenapi3/v30/paths.py
@@ -80,7 +80,7 @@ class Operation(ObjectExtended, OperationBase):
     responses: Dict[str, Union[Response, Reference]] = Field(...)
     callbacks: Dict[str, Union["Callback", Reference]] = Field(default_factory=dict)
     deprecated: Optional[bool] = Field(default=None)
-    security: List[SecurityRequirement] = Field(default_factory=list)
+    security: Optional[List[SecurityRequirement]] = Field(default=None)
     servers: Optional[List[Server]] = Field(default=None)
 
 

diff --git a/aiopenapi3/v31/paths.py b/aiopenapi3/v31/paths.py
@@ -79,7 +79,7 @@ class Operation(ObjectExtended, OperationBase):
     responses: Dict[str, Union[Response, Reference]] = Field(default_factory=dict)
     callbacks: Dict[str, Union["Callback", Reference]] = Field(default_factory=dict)
     deprecated: Optional[bool] = Field(default=None)
-    security: List[SecurityRequirement] = Field(default_factory=list)
+    security: Optional[List[SecurityRequirement]] = Field(default=None)
     servers: Optional[List[Server]] = Field(default=None)
 
 

diff --git a/tests/fixtures/paths-security.yaml b/tests/fixtures/paths-security.yaml
@@ -6,7 +6,6 @@ servers:
   - url: http://127.0.0.1/api
 
 security:
-  - {}
   - cookieAuth: []
 
 paths:
@@ -80,6 +79,22 @@ paths:
         token: []
 
 
+  /api/v1/auth/null/:
+    get:
+      operationId: api_v1_auth_login_null
+      description: ''
+      tags:
+      - api
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Login'
+          description: ''
+      security: []
+
+
 components:
   schemas:
     Login:

diff --git a/tests/path_test.py b/tests/path_test.py
@@ -169,9 +169,10 @@ def test_paths_security(httpx_mock, with_paths_security):
     request = httpx_mock.get_requests()[-1]
     assert request.headers["Authorization"] == "Bearer %s" % (auth,)
 
-    # null session
+    # null session - via empty Operation Security
     api.authenticate(None)
-    api._.api_v1_auth_login_info(data={}, parameters={})
+    r = api._.api_v1_auth_login_null()
+    request = httpx_mock.get_requests()[-1]
 
 
 def test_paths_security_combined(httpx_mock, with_paths_security):