Improve security validations for OpenAPI spec deployments [210105969]

Assigned

Feature Request

Status Update

No update yet.

Description

gr...@google.com

created issue #1

Dec 10, 2021 01:39PM

Issue summary:

We don't validate if all the security keys, from either top level or a specific path, are present under the securityDefinitions definition
If one path has multiple security, one of which is not under securityDefinitions, unauthenticated requests will pass the ESPv2 container and counted as valid
We also don't check this when using the --validate-only flag (as this uses the same revision creation flow, just doesn't deploy the revision I understand)
This can cause pretty issues where protected endpoints may be accessed without authentication

Expected behaviour

I would expect the endpoints API to validate that the security revisions are there and are valid (I checked open source tools that also didn't warn about this)
However for example the Swagger editor returns this error when I submit my spec there:

Semantic error at paths./.get.security.1
Security requirements must match a security definition
Jump to line 19

I would also expect that if a security key is not there, the fallback should not be allowing the request to go through as normal (not sure if this could be WAI for openapi, but previously validating that these scenarios don't happen would resolve this issue)

Reproduction Steps:

Sample spec:

swagger: '2.0'
info:
  title: Cloud Endpoints + Cloud Run
  description: Sample API on Cloud Endpoints with a Cloud Run backend
  version: 1.0.0
host: sample-run-sevice.a.run.app
schemes:
  - https
produces:
  - application/json
x-google-backend:
  address: https://sample-backend-service.a.run.app
paths:
  /:
    get:
      security:
        - test: []
        - doesntexist: []
      summary: Greet a user
      operationId: hello
      responses:
        '200':
          description: A successful response
          schema:
            type: string
securityDefinitions:
  test:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: sample-service-account@project.iam.gserviceaccount.com
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/sample-service-account@project.iam.gserviceaccount.com"

Note that the security key contains a definition named doesntexist, which is not defined

IssueTracker

Improve security validations for OpenAPI spec deployments

Status Update

Description

Issue summary:

Reproduction Steps:

Comments

Issue 210105969

Description

Issue summary:

Reproduction Steps:

Issue summary

Comments

Add comment

Issue metadata