OpenAPI 3.0 spec not parsing required properly

[viralanomaly]

I have a spec with components that look like this:

components:
  schemas:
    Credit:
      type: object
      properties:
        clientId:
          type: string
    CreditCreate:
      allOf:
        - $ref: '#/components/schemas/Credit'
        - required:
          - clientId

I'm doing it like this because there are about 30 fields in credit, and 10 in required. All the fields in required are present in the linked object (or objects if I'm linking more than one). This is rejected by the code in validators.py inside SchemaValidator. iter_errors calls itself recursively on each piece of the allOf, but this doesn't let me reuse another object and simply add some fields as required. I worked around it for now by telling iter_errors to check that the properties field contains something before erroring, but I'm not sure that it is the correct fix.

This behavior is supported in the swagger editor and in redoc, so I'm working off the assumption that it should be valid 3.0 syntax.

[dtkav]

@viralanomaly after looking through the OpenAPI3.0.1 spec section on schemaObject and the json schema validation rfc, I believe that each allOf schema must be able valid independently from each other.

see the excerpts below (emphasis mine)

from https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.1.md#schemaObject

allOf - Inline or referenced schema MUST be of a Schema Object and not a standard JSON Schema.

and

The following properties are taken directly from the JSON Schema definition and follow the same specifications:
...
required
...

from http://json-schema.org/latest/json-schema-validation.html#rfc.section.6.5.3

6.5.3. required

The value of this keyword MUST be an array. Elements of this array, if any, MUST be strings, and MUST be unique.

An object instance is valid against this keyword if every item in the array is the name of a property in the instance.

I think you need to supply the properties twice in your spec (example below).

openapi: 3.0.0
info:
  title: Test Api
  version: 0.0.1
paths: {}
components:
  schemas:
    Credit:
      type: object
      properties:
        clientId:
          type: string
    CreditCreate:
      allOf:
      - "$ref": "#/components/schemas/Credit"
      - required:
        - clientId
        properties:
          clientId:
            type: string

[dtkav]

hmm, some comments by the OpenAPI folks that contrast with my conclusion above:
OAI/OpenAPI-Specification#1562
OAI/OpenAPI-Specification#1590

[dtkav]

I heard back from one of the core jsonschema developers, and your request is the intended behavior. I put up #28 as a fix. Let me know what you think!

[p1c2u]

Should be resolved with fix #28 . Feel free to reopen it otherwise.

[cziebuhr]

I had a similar issue with following spec:

definitions:
  User:
    type: object
    properties:
      id:
        type: integer
       username:
         type: string
       password:
         type: string
  GetUser:
    required:
    - id
    - username
    allOf:
    - $ref: '#/definitions/User'
  PostUser:
    required:
    - username
    - password
    allOf:
    - $ref: '#/definitions/User'

The difference is, that I had required on top-level and not as child of allOf.
I see no point in swagger spec / json schema that this is invalid. Each validation keyword gets validated on its own. It's even valid to have a required keyword without having type: object or the instance being an object. In the latter case it just gets ignored, which means it succeeds.
I therefore vote for totally removing ExtraParametersError.

[dtkav]

Unrelated to the validator fix/bug, but your example could also be solved with readOnly/writeOnly. Then you can have one User, and set id to readOnly and password to writeOnly.

…

On Wed, Nov 7, 2018, 8:29 AM Christoph Ziebuhr ***@***.***> wrote: I had a similar issue with following spec: definitions: User: type: object properties: id: type: integer username: type: string password: type: string GetUser: required: - id - username allOf: - $ref: '#/definitions/User' PostUser: required: - username - password allOf: - $ref: '#/definitions/User' The difference is, that I had required on top-level and not as child of allOf. I see no point in swagger spec / json schema that this is invalid. Each validation keyword gets validated on its own. It's even valid to have a required keyword without having type: object or the instance being an object. In the latter case it just gets ignored, which means it succeeds. I therefore vote for totally removing ExtraParametersError. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#27 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAlPSf9c-JxmV2q0iQcTst-BYaFB45ZIks5uswpngaJpZM4UtqYP> .

[cziebuhr]

This is just a simplified example, I already use readOnly/writeOnly, but also have a PatchUser where nothing is required.

[codyaray]

I also ran into this when trying to re-use an explicit *Required schema instead of inlining the same group of fields everywhere this is needed (like @cziebuhr , that's everywhere except the PATCH request)

anyOf:
- $ref: #/components/schemas/MyObject
- $ref: #/components/schemas/MyObjectRequired

components:
  schemas:
    MyObjectRequired:
      type: object
      required:
      - field1
      - field2

[flixx]

Hello.
For me it looks like the issue is not really resolved. It's somewhat ignoreing the required property now without giving the expected result. As far as I understand it's also related and caused by how openAPI is specified (See OAI/OpenAPI-Specification#1608 )

I think It would be cool if this issue here could be reopened... It would be less confusing for people like me who find this thread on google and figure out if it's working or not.