Merge pull request #1814 from microsoft/mk/fix-default-missing-proper…

…ties-to-empty-list Fix: Do not default to an empty list if Security scheme is missing
microsoft · Sep 4, 2024 · 27c0e78 · 27c0e78
2 parents da3dfd9 + 18d99e6
commit 27c0e78
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 4 deletions.
diff --git a/src/Microsoft.OpenApi/Models/OpenApiDocument.cs b/src/Microsoft.OpenApi/Models/OpenApiDocument.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT license.
 
 using System;
@@ -48,8 +48,7 @@ public class OpenApiDocument : IOpenApiSerializable, IOpenApiExtensible, IOpenAp
         /// <summary>
         /// A declaration of which security mechanisms can be used across the API.
         /// </summary>
-        public IList<OpenApiSecurityRequirement> SecurityRequirements { get; set; } =
-            new List<OpenApiSecurityRequirement>();
+        public IList<OpenApiSecurityRequirement> SecurityRequirements { get; set; }
 
         /// <summary>
         /// A list of tags used by the specification with additional metadata.

diff --git a/src/Microsoft.OpenApi/Models/OpenApiOperation.cs b/src/Microsoft.OpenApi/Models/OpenApiOperation.cs
@@ -91,7 +91,7 @@ public class OpenApiOperation : IOpenApiSerializable, IOpenApiExtensible, IOpenA
         /// This definition overrides any declared top-level security.
         /// To remove a top-level security declaration, an empty array can be used.
         /// </summary>
-        public IList<OpenApiSecurityRequirement> Security { get; set; } = new List<OpenApiSecurityRequirement>();
+        public IList<OpenApiSecurityRequirement> Security { get; set; }
 
         /// <summary>
         /// An alternative server array to service this operation.

diff --git a/test/Microsoft.OpenApi.Readers.Tests/V3Tests/OpenApiDocumentTests.cs b/test/Microsoft.OpenApi.Readers.Tests/V3Tests/OpenApiDocumentTests.cs
@@ -10,6 +10,7 @@
 using FluentAssertions;
 using Microsoft.OpenApi.Any;
 using Microsoft.OpenApi.Exceptions;
+using Microsoft.OpenApi.Extensions;
 using Microsoft.OpenApi.Interfaces;
 using Microsoft.OpenApi.Models;
 using Microsoft.OpenApi.Readers.Interface;
@@ -1432,5 +1433,65 @@ public void ParseBasicDocumentWithServerVariableAndNoDefaultShouldFail()
 
             diagnostic.Errors.Should().NotBeEmpty();
         }
+
+        [Fact]
+        public void ParseDocumentWithMissingSecuritySchemeDefaultsToNull()
+        {
+            // Arrange
+            var input = @"openapi: 3.0.0
+info:
+  title: test
+  version: ""1.0""
+paths:
+  /test:
+    get:
+      description: description for test path
+      responses:
+        '200':
+          description: test
+components:
+  securitySchemes:
+    apiKey0:
+      type: apiKey,
+      name: x-api-key,
+      in: header";
+
+            // Act && Assert
+            var doc = new OpenApiStringReader().Read(input, out var diagnostic);
+
+            doc.Paths["/test"].Operations[OperationType.Get].Security.Should().BeNull();
+            doc.SecurityRequirements.Should().BeNull();
+        }
+
+        [Fact]
+        public void ParseDocumentWithEmptySecuritySchemeDefaultsToEmptyList()
+        {
+            // Arrange
+            var input = @"openapi: 3.0.0
+info:
+  title: test
+  version: ""1.0""
+paths:
+  /test:
+    get:
+      description: description for test path
+      responses:
+        '200':
+          description: test
+      security: []
+security: 
+- apiKey0: []
+components:
+  securitySchemes:
+    apiKey0:
+      type: apiKey,
+      name: x-api-key,
+      in: header";
+
+            // Act && Assert
+            var doc = new OpenApiStringReader().Read(input, out var diagnostic);
+
+            doc.Paths["/test"].Operations[OperationType.Get].Security.Should().BeEmpty();
+        }
     }
 }