Add more checks (#298)

Tufin · Jun 29, 2023 · 5d42683 · 5d42683
1 parent e93e1ba
commit 5d42683
Show file tree

Hide file tree

Showing 41 changed files with 2,175 additions and 96 deletions.
diff --git a/BREAKING-CHANGES-EXAMPLES.md b/BREAKING-CHANGES-EXAMPLES.md
diff --git a/checker/check-api-security-updated.go b/checker/check-api-security-updated.go
@@ -0,0 +1,166 @@
+package checker
+
+import (
+	"fmt"
+
+	"github.com/tufin/oasdiff/diff"
+)
+
+const (
+	APISecurityRemovedCheckId       = "api-security-removed"
+	APISecurityAddedCheckId         = "api-security-added"
+	APISecurityScopeAddedId         = "api-security-scope-added"
+	APISecurityScopeRemovedId       = "api-security-scope-removed"
+	APIGlobalSecurityRemovedCheckId = "api-global-security-removed"
+	APIGlobalSecurityAddedCheckId   = "api-global-security-added"
+	APIGlobalSecurityScopeAddedId   = "api-global-security-scope-added"
+	APIGlobalSecurityScopeRemovedId = "api-global-security-scope-removed"
+)
+
+func checkGlobalSecurity(diffReport *diff.Diff, operationsSources *diff.OperationsSourcesMap, config BackwardCompatibilityCheckConfig) []BackwardCompatibilityError {
+	result := make([]BackwardCompatibilityError, 0)
+	if diffReport.SecurityDiff == nil {
+		return result
+	}
+
+	for _, addedSecurity := range diffReport.SecurityDiff.Added {
+		result = append(result, BackwardCompatibilityError{
+			Id:          APIGlobalSecurityAddedCheckId,
+			Level:       INFO,
+			Text:        fmt.Sprintf(config.i18n(APIGlobalSecurityAddedCheckId), ColorizedValue(addedSecurity)),
+			Operation:   "N/A",
+			Path:        "",
+			Source:      "security." + addedSecurity,
+			OperationId: "N/A",
+		})
+	}
+
+	for _, removedSecurity := range diffReport.SecurityDiff.Deleted {
+		result = append(result, BackwardCompatibilityError{
+			Id:          APIGlobalSecurityRemovedCheckId,
+			Level:       INFO,
+			Text:        fmt.Sprintf(config.i18n(APIGlobalSecurityRemovedCheckId), ColorizedValue(removedSecurity)),
+			Operation:   "N/A",
+			Path:        "",
+			Source:      "security." + removedSecurity,
+			OperationId: "N/A",
+		})
+	}
+
+	for _, updatedSecurity := range diffReport.SecurityDiff.Modified {
+		for securitySchemeName, updatedSecuritySchemeScopes := range updatedSecurity {
+			for _, addedScope := range updatedSecuritySchemeScopes.Added {
+				result = append(result, BackwardCompatibilityError{
+					Id:          APIGlobalSecurityScopeAddedId,
+					Level:       INFO,
+					Text:        fmt.Sprintf(config.i18n(APIGlobalSecurityScopeAddedId), ColorizedValue(addedScope), ColorizedValue(securitySchemeName)),
+					Operation:   "N/A",
+					Path:        "",
+					Source:      "security.scopes." + addedScope,
+					OperationId: "N/A",
+				})
+			}
+			for _, deletedScope := range updatedSecuritySchemeScopes.Deleted {
+				result = append(result, BackwardCompatibilityError{
+					Id:          APIGlobalSecurityScopeRemovedId,
+					Level:       INFO,
+					Text:        fmt.Sprintf(config.i18n(APIGlobalSecurityScopeRemovedId), ColorizedValue(deletedScope), ColorizedValue(securitySchemeName)),
+					Operation:   "N/A",
+					Path:        "",
+					Source:      "security.scopes." + deletedScope,
+					OperationId: "N/A",
+				})
+			}
+		}
+	}
+
+	return result
+
+}
+
+func APISecurityUpdatedCheck(diffReport *diff.Diff, operationsSources *diff.OperationsSourcesMap, config BackwardCompatibilityCheckConfig) []BackwardCompatibilityError {
+	result := make([]BackwardCompatibilityError, 0)
+
+	result = append(result, checkGlobalSecurity(diffReport, operationsSources, config)...)
+
+	if diffReport.PathsDiff == nil || diffReport.PathsDiff.Modified == nil {
+		return result
+	}
+
+	for path, pathItem := range diffReport.PathsDiff.Modified {
+		if pathItem.OperationsDiff == nil {
+			continue
+		}
+		for operation, operationItem := range pathItem.OperationsDiff.Modified {
+
+			source := (*operationsSources)[operationItem.Revision]
+
+			if operationItem.SecurityDiff == nil {
+				continue
+			}
+
+			for _, addedSecurity := range operationItem.SecurityDiff.Added {
+				if addedSecurity == "" {
+					continue
+				}
+				result = append(result, BackwardCompatibilityError{
+					Id:          APISecurityAddedCheckId,
+					Level:       INFO,
+					Text:        fmt.Sprintf(config.i18n(APISecurityAddedCheckId), ColorizedValue(addedSecurity)),
+					Operation:   operation,
+					OperationId: operationItem.Revision.OperationID,
+					Path:        path,
+					Source:      source,
+				})
+			}
+
+			for _, deletedSecurity := range operationItem.SecurityDiff.Deleted {
+				if deletedSecurity == "" {
+					continue
+				}
+				result = append(result, BackwardCompatibilityError{
+					Id:          APISecurityRemovedCheckId,
+					Level:       INFO,
+					Text:        fmt.Sprintf(config.i18n(APISecurityRemovedCheckId), ColorizedValue(deletedSecurity)),
+					Operation:   operation,
+					OperationId: operationItem.Revision.OperationID,
+					Path:        path,
+					Source:      source,
+				})
+			}
+
+			for _, updatedSecurity := range operationItem.SecurityDiff.Modified {
+				if updatedSecurity.Empty() {
+					continue
+				}
+				for securitySchemeName, updatedSecuritySchemeScopes := range updatedSecurity {
+					for _, addedScope := range updatedSecuritySchemeScopes.Added {
+						result = append(result, BackwardCompatibilityError{
+							Id:          APISecurityScopeAddedId,
+							Level:       INFO,
+							Text:        fmt.Sprintf(config.i18n(APISecurityScopeAddedId), ColorizedValue(addedScope), ColorizedValue(securitySchemeName)),
+							Operation:   operation,
+							OperationId: operationItem.Revision.OperationID,
+							Path:        path,
+							Source:      source,
+						})
+					}
+					for _, deletedScope := range updatedSecuritySchemeScopes.Deleted {
+						result = append(result, BackwardCompatibilityError{
+							Id:          APISecurityScopeRemovedId,
+							Level:       INFO,
+							Text:        fmt.Sprintf(config.i18n(APISecurityScopeRemovedId), ColorizedValue(deletedScope), ColorizedValue(securitySchemeName)),
+							Operation:   operation,
+							OperationId: operationItem.Revision.OperationID,
+							Path:        path,
+							Source:      source,
+						})
+					}
+				}
+			}
+
+		}
+	}
+
+	return result
+}
diff --git a/checker/check-api-security-updated_test.go b/checker/check-api-security-updated_test.go
@@ -0,0 +1,195 @@
+package checker_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/tufin/oasdiff/checker"
+	"github.com/tufin/oasdiff/diff"
+)
+
+// CL: Adding a new global security to the API
+func TestAPIGlobalSecurityyAdded(t *testing.T) {
+	s1, _ := open("../data/checker/api_security_global_added_base.yaml")
+	s2, err := open("../data/checker/api_security_global_added_revision.yaml")
+	require.Empty(t, err)
+
+	d, osm, err := diff.GetWithOperationsSourcesMap(getConfig(), s1, s2)
+	require.NoError(t, err)
+	errs := checker.CheckBackwardCompatibilityUntilLevel(singleCheckConfig(checker.APISecurityUpdatedCheck), d, osm, checker.INFO)
+	require.NotEmpty(t, errs)
+	require.Equal(t, checker.BackwardCompatibilityErrors{
+		{
+			Id:          "api-global-security-added",
+			Text:        "the security scheme 'petstore_auth' was added to the API",
+			Comment:     "",
+			Level:       checker.INFO,
+			Operation:   "N/A",
+			Path:        "",
+			Source:      "security.petstore_auth",
+			OperationId: "N/A",
+		}}, errs)
+}
+
+// CL: Removing a global security from the API
+func TestAPIGlobalSecurityyDeleted(t *testing.T) {
+	s1, _ := open("../data/checker/api_security_global_added_revision.yaml")
+	s2, err := open("../data/checker/api_security_global_added_base.yaml")
+	require.Empty(t, err)
+
+	d, osm, err := diff.GetWithOperationsSourcesMap(getConfig(), s1, s2)
+	require.NoError(t, err)
+	errs := checker.CheckBackwardCompatibilityUntilLevel(singleCheckConfig(checker.APISecurityUpdatedCheck), d, osm, checker.INFO)
+	require.NotEmpty(t, errs)
+	require.Equal(t, checker.BackwardCompatibilityErrors{
+		{
+			Id:          "api-global-security-removed",
+			Text:        "the security scheme 'petstore_auth' was removed from the API",
+			Comment:     "",
+			Level:       checker.INFO,
+			Operation:   "N/A",
+			Path:        "",
+			Source:      "security.petstore_auth",
+			OperationId: "N/A",
+		}}, errs)
+}
+
+// CL: Removing a security scope from an API global security
+func TestAPIGlobalSecurityScopeRemoved(t *testing.T) {
+	s1, _ := open("../data/checker/api_security_global_added_revision.yaml")
+	s2, err := open("../data/checker/api_security_global_added_revision.yaml")
+	require.Empty(t, err)
+
+	s2.Spec.Security[0]["petstore_auth"] = s2.Spec.Security[0]["petstore_auth"][:1]
+	d, osm, err := diff.GetWithOperationsSourcesMap(getConfig(), s1, s2)
+	require.NoError(t, err)
+	errs := checker.CheckBackwardCompatibilityUntilLevel(singleCheckConfig(checker.APISecurityUpdatedCheck), d, osm, checker.INFO)
+	require.NotEmpty(t, errs)
+	require.Equal(t, checker.BackwardCompatibilityErrors{
+		{
+			Id:          "api-global-security-scope-removed",
+			Text:        "the security scope 'read:pets' was removed from the global security scheme 'petstore_auth'",
+			Comment:     "",
+			Level:       checker.INFO,
+			Operation:   "N/A",
+			Path:        "",
+			Source:      "security.scopes.read:pets",
+			OperationId: "N/A",
+		}}, errs)
+}
+
+// CL: Adding a security scope from an API global security
+func TestAPIGlobalSecurityScopeAdded(t *testing.T) {
+	s1, _ := open("../data/checker/api_security_global_added_revision.yaml")
+	s2, err := open("../data/checker/api_security_global_added_revision.yaml")
+	require.Empty(t, err)
+
+	s1.Spec.Security[0]["petstore_auth"] = s2.Spec.Security[0]["petstore_auth"][:1]
+	d, osm, err := diff.GetWithOperationsSourcesMap(getConfig(), s1, s2)
+	require.NoError(t, err)
+	errs := checker.CheckBackwardCompatibilityUntilLevel(singleCheckConfig(checker.APISecurityUpdatedCheck), d, osm, checker.INFO)
+	require.NotEmpty(t, errs)
+	require.Equal(t, checker.BackwardCompatibilityErrors{
+		{
+			Id:          "api-global-security-scope-added",
+			Text:        "the security scope 'read:pets' was added to the global security scheme 'petstore_auth'",
+			Comment:     "",
+			Level:       checker.INFO,
+			Operation:   "N/A",
+			Path:        "",
+			Source:      "security.scopes.read:pets",
+			OperationId: "N/A",
+		}}, errs)
+}
+
+// CL: Adding a new security to the API endpoint
+func TestAPISecurityAdded(t *testing.T) {
+	s1, _ := open("../data/checker/api_security_added_base.yaml")
+	s2, err := open("../data/checker/api_security_added_revision.yaml")
+	require.Empty(t, err)
+
+	d, osm, err := diff.GetWithOperationsSourcesMap(getConfig(), s1, s2)
+	require.NoError(t, err)
+	errs := checker.CheckBackwardCompatibilityUntilLevel(singleCheckConfig(checker.APISecurityUpdatedCheck), d, osm, checker.INFO)
+	require.NotEmpty(t, errs)
+	require.Equal(t, checker.BackwardCompatibilityErrors{
+		{
+			Id:          "api-security-added",
+			Text:        "the endpoint scheme security 'petstore_auth' was added to the API",
+			Comment:     "",
+			Level:       checker.INFO,
+			Operation:   "POST",
+			Path:        "/subscribe",
+			Source:      "../data/checker/api_security_added_revision.yaml",
+			OperationId: "",
+		}}, errs)
+}
+
+// CL: Removing a new security to the API endpoint
+func TestAPISecurityDeleted(t *testing.T) {
+	s1, _ := open("../data/checker/api_security_added_revision.yaml")
+	s2, err := open("../data/checker/api_security_added_base.yaml")
+	require.Empty(t, err)
+
+	d, osm, err := diff.GetWithOperationsSourcesMap(getConfig(), s1, s2)
+	require.NoError(t, err)
+	errs := checker.CheckBackwardCompatibilityUntilLevel(singleCheckConfig(checker.APISecurityUpdatedCheck), d, osm, checker.INFO)
+	require.NotEmpty(t, errs)
+	require.Equal(t, checker.BackwardCompatibilityErrors{
+		{
+			Id:          "api-security-removed",
+			Text:        "the endpoint scheme security 'petstore_auth' was removed from the API",
+			Comment:     "",
+			Level:       checker.INFO,
+			Operation:   "POST",
+			Path:        "/subscribe",
+			Source:      "../data/checker/api_security_added_base.yaml",
+			OperationId: "",
+		}}, errs)
+}
+
+// CL: Removing a security scope from an API endpoint security
+func TestAPISecurityScopeRemoved(t *testing.T) {
+	s1, _ := open("../data/checker/api_security_updated_base.yaml")
+	s2, err := open("../data/checker/api_security_updated_revision.yaml")
+	require.Empty(t, err)
+
+	d, osm, err := diff.GetWithOperationsSourcesMap(getConfig(), s1, s2)
+	require.NoError(t, err)
+	errs := checker.CheckBackwardCompatibilityUntilLevel(singleCheckConfig(checker.APISecurityUpdatedCheck), d, osm, checker.INFO)
+	require.NotEmpty(t, errs)
+	require.Equal(t, checker.BackwardCompatibilityErrors{
+		{
+			Id:          "api-security-scope-removed",
+			Text:        "the security scope 'read:pets' was removed from the endpoint's security scheme 'petstore_auth'",
+			Comment:     "",
+			Level:       checker.INFO,
+			Operation:   "POST",
+			Path:        "/subscribe",
+			Source:      "../data/checker/api_security_updated_revision.yaml",
+			OperationId: "",
+		}}, errs)
+}
+
+// CL: Adding a security scope to an API endpoint security
+func TestAPISecurityScopeAdded(t *testing.T) {
+	s1, _ := open("../data/checker/api_security_updated_revision.yaml")
+	s2, err := open("../data/checker/api_security_updated_base.yaml")
+	require.Empty(t, err)
+
+	d, osm, err := diff.GetWithOperationsSourcesMap(getConfig(), s1, s2)
+	require.NoError(t, err)
+	errs := checker.CheckBackwardCompatibilityUntilLevel(singleCheckConfig(checker.APISecurityUpdatedCheck), d, osm, checker.INFO)
+	require.NotEmpty(t, errs)
+	require.Equal(t, checker.BackwardCompatibilityErrors{
+		{
+			Id:          "api-security-scope-added",
+			Text:        "the security scope 'read:pets' was added to the endpoint's security scheme 'petstore_auth'",
+			Comment:     "",
+			Level:       checker.INFO,
+			Operation:   "POST",
+			Path:        "/subscribe",
+			Source:      "../data/checker/api_security_updated_base.yaml",
+			OperationId: "",
+		}}, errs)
+}