/
security.yml
112 lines (101 loc) · 2.98 KB
/
security.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
functions:
- checkSecurity
rules:
sec-protection-global-unsafe: &sec-protection-global-unsafe-error
description: |-
Check if the operation is protected at operation level.
Otherwise, the global `#/security` property is check.
Your API should be protected by a `security` rule either at
global or operation level.
All operations should be protected especially when they
not safe (methods that do not alter the state of the server)
HTTP methods like `POST`, `PUT`, `PATCH` and `DELETE`.
This is done with one or more non-empty `security` rules.
Security rules are defined in the `securityScheme` section.
An example of a security rule applied at global level.
```
security:
- BasicAuth: []
paths:
/books: {}
/users: {}
securitySchemes:
BasicAuth:
scheme: http
type: basic
```
An example of a security rule applied at operation level, which
eventually overrides the global one
```
paths:
/books:
post:
security:
- AccessToken: []
securitySchemes:
BasicAuth:
scheme: http
type: basic
AccessToken:
scheme: http
type: bearer
bearerFormat: JWT
```
If your [safe methods](https://www.rfc-editor.org/rfc/rfc9110.html#name-safe-methods) (e.g. GET, HEAD) don't need to be protected,
you need to state it explicitly using an empty security rule:
```
security:
- {}
```
This can be done at operation level or at global level, but the latter is
discouraged because it will affect unsafe methods too.
message: >-
The following unsafe operation is not protected by a `security` rule: {{path}}
severity: error
given: "$"
then:
- function: "checkSecurity"
functionOptions:
schemesPath:
- securitySchemes
# If nullable is false, unauthenticated operations
# raise an error.
nullable: true
methods:
- post
- patch
- delete
- put
sec-protection-global-unsafe-strict:
<<: *sec-protection-global-unsafe-error
severity: info
then:
- function: "checkSecurity"
functionOptions:
schemesPath:
- securitySchemes
# If nullable is false, unauthenticated operations
# raise an error.
nullable: false
methods:
- post
- patch
- delete
- put
sec-protection-global-safe:
<<: *sec-protection-global-unsafe-error
severity: info
message: >-
The following operation is not protected by a `security` rule: {{path}}
given: "$"
then:
- function: "checkSecurity"
functionOptions:
schemesPath:
- securitySchemes
# If nullable is false, unauthenticated operations
# raise an error.
nullable: true
methods:
- get
- head