Make security pluggable

[Ruwann]

Make security pluggable

• Solution for standard security handlers: security_deny, security_passthrough, verify_none
• HTTP security handlers & overlap with basic from swagger 2
• Do we need a separate handler for each oauth2 flow?

[Ruwann]

The image should also be deleted

[coveralls]

Pull Request Test Coverage Report for Build 4645803828

• 185 of 206 (89.81%) changed or added relevant lines in 5 files are covered.
• 1 unchanged line in 1 file lost coverage.
• Overall coverage increased (+0.5%) to 93.859%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
connexion/middleware/request_validation.py	13	14	92.86%
connexion/security.py	156	176	88.64%

Files with Coverage Reduction	New Missed Lines	%
connexion/security.py	1	85.04%

Totals
Change from base Build 4568582322:	0.5%
Covered Lines:	3332
Relevant Lines:	3550

---

💛 - Coveralls

[RobbeSneyders]

This is starting to look great @Ruwann!

I left some comments already.

[RobbeSneyders]

Wondering if we should keep providing this behaviour.

• Context is now available as a global variable
• We could expect the security functions for the relevant schemes to always accept required scopes

It would remove some complexity if we would leave this out.

[Ruwann]

For the context, it would make sense to keep only one way of accessing it instead of 2 ways to do the same thing.

Not sure about the required scopes:
in the past, only oauth and oidc were allowed to use scopes:

For other security scheme types, the array MUST be empty.

but in OpenAPI 3.1, all security schemes can now use the scopes:

For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band.

So it would depend on the signature of the security function again whether scopes need to be passed.

[RobbeSneyders]

Can't add a comment on the specific line below, but the API key used to be removed from the query string before passing it to the view function. I think this is necessary to prevent an unexpected keyword argument error. If we want to achieve the same behaviour, we should ensure it is removed from the scope.

[Ruwann]

Very good remark, didn't think of that. I suspect this mean that we don't have a test for this now then, otherwise this test should be failing, no?

[RobbeSneyders]

I assume a test is missing indeed. Something to check before merging the PR.

Currently the scope is not available in the SecurityHandlers though, which complicates modifying the scope. We could solve this by making the SecurityHandlers ASGI callables, which could have some additional nice benefits.

• It would fit with the "everything is an ASGI callable" design
• It might remove some of the functional complexity we currently have, as the SecurityHandler would no longer need to return a function, but can just be called itself

[RobbeSneyders]

Looks great! Seems like you have cracked the nut :)
I left some smaller comments in-line.

On a higher level,

• I think the code would still benefit from making the handlers callable, even if they are not ASGI callable. There's currently still a lot of functions being passed around, which makes it harder to follow.
• It would be good to add a test for the security_map keyword argument.

[RobbeSneyders]

Thanks!

This looks good to me except for

• Extending the interface of the Apps and APIs
• Adding a test for the validator_map
• Possibly making the security handlers callable

For me it's fine to merge this PR and tackle those in separate PRs though, which will make it easier to review.

[Ruwann]

I added the security_map argument for Apps and APIs in this PRs. The other ones can indeed be done in separate PRs, then we can merge this one (finally :))

Follow-up items:

• Add a test for the security_map
• Possibly make security handlers callable
• Rework context and required_scopes arguments
• Add OIDC security handler
• Possibly rework inner workings of ApiKeyHandler class
• Extend documentation