Allow security policies to be removed using the Security annotation by passing it a name of null.

2025-02-02 15:51:48 +03:00 · 2022-01-26 17:33:35 +00:00 · 2022-01-26 17:33:35 +00:00 · 9545a0ce52
commit 9545a0ce52
parent 1885d25cd9
5 changed files with 86 additions and 0 deletions
--- a/Describer/OpenApiPhpDescriber.php
+++ b/Describer/OpenApiPhpDescriber.php
@ -109,6 +109,13 @@ final class OpenApiPhpDescriber

                if ($annotation instanceof Security) {
                    $annotation->validate();
+
+                    if (null === $annotation->name) {
+                        $mergeProperties->security = [];
+
+                        continue;
+                    }
+
                    $mergeProperties->security[] = [$annotation->name => $annotation->scopes];

                    continue;
--- a/Resources/doc/security.rst
+++ b/Resources/doc/security.rst
@ -0,0 +1,43 @@
+Security
+========
+
+A default security policy can be added in ``nelmio_api_doc.documentation.security``
+
+.. code-block:: yaml
+
+    nelmio_api_doc:
+        documentation:
+            components:
+            securitySchemes:
+                Bearer:
+                    type: http
+                    scheme: bearer
+                ApiKeyAuth:
+                    type: apiKey
+                    in: header
+                    name: X-API-Key
+            security:
+                Bearer: []
+
+This will add the Bearer security policy to all registered paths.
+
+Overriding Specific Paths
+-------------------------
+
+The security policy can be overriden for a path using the ``@Security`` annotation.
+
+.. code-block:: php
+
+    /**
+     * @Security(name="ApiKeyAuth")
+     */
+
+Notice at the bottom of the docblock is a ``@Security`` annotation with a name of `ApiKeyAuth`. This will override the global security policy to only accept the ``ApiKeyAuth`` policy for this path.
+
+You can also completely remove security from a path by providing ``@Security`` with a name of ``null``.
+
+.. code-block:: php
+
+    /**
+     * @Security(name=null)
+     */
--- a/Tests/Functional/Controller/ApiController80.php
+++ b/Tests/Functional/Controller/ApiController80.php
@ -164,6 +164,16 @@ class ApiController80
    {
    }

+    /**
+     * @Route("/securityOverride")
+     * @OA\Response(response="201", description="")
+     * @Security(name="api_key")
+     * @Security(name=null)
+     */
+    public function securityActionOverride()
+    {
+    }
+
    /**
     * @Route("/swagger/symfonyConstraints", methods={"GET"})
     * @OA\Response(
--- a/Tests/Functional/Controller/ApiController81.php
+++ b/Tests/Functional/Controller/ApiController81.php
@ -50,4 +50,12 @@ class ApiController81 extends ApiController80
    public function securityActionAttributes()
    {
    }
+
+    #[Route('/security_override_attributes')]
+    #[OA\Response(response: '201', description: '')]
+    #[Security(name: 'api_key')]
+    #[Security(name: null)]
+    public function securityOverrideActionAttributes()
+    {
+    }
 }
--- a/Tests/Functional/FunctionalTest.php
+++ b/Tests/Functional/FunctionalTest.php
@ -369,6 +369,24 @@ class FunctionalTest extends WebTestCase
        }
    }

+    /**
+     * @dataProvider provideSecurityOverrideRoute
+     */
+    public function testSecurityOverrideAction(string $route)
+    {
+        $operation = $this->getOperation($route, 'get');
+        $this->assertEquals([], $operation->security);
+    }
+
+    public function provideSecurityOverrideRoute(): iterable
+    {
+        yield 'Annotations' => ['/api/securityOverride'];
+
+        if (\PHP_VERSION_ID >= 80100) {
+            yield 'Attributes' => ['/api/security_override_attributes'];
+        }
+    }
+
    public function testClassSecurityAction()
    {
        $operation = $this->getOperation('/api/security/class', 'get');