new tests for security

Author: n2ygk

rest_framework/schemas/openapi.py

@@ -73,10 +73,11 @@ def get_schema(self, request=None, public=False):
         security_schemes_schemas = {}
         root_security_requirements = []
 
-        for auth_class in api_settings.DEFAULT_AUTHENTICATION_CLASSES:
-            req = auth_class.openapi_security_requirement(None, None)
-            if req:
-                root_security_requirements += req
+        if api_settings.DEFAULT_AUTHENTICATION_CLASSES:
+            for auth_class in api_settings.DEFAULT_AUTHENTICATION_CLASSES:
+                req = auth_class.openapi_security_requirement(None, None)
+                if req:
+                    root_security_requirements += req
 
         # Iterate endpoints generating per method path operations.
         paths = {}
@@ -721,6 +722,34 @@ def get_tags(self, path, method):
 
         return [path.split('/')[0].replace('_', '-')]
 
+    def get_security_schemes(self, path, method):
+        """
+        Get components.schemas.securitySchemes required by this path.
+        returns dict of securitySchemes.
+        """
+        schemes = {}
+        for auth_class in self.view.authentication_classes:
+            if hasattr(auth_class, 'openapi_security_scheme'):
+                schemes.update(auth_class.openapi_security_scheme())
+        return schemes
+
+    def get_security_requirements(self, path, method):
+        """
+        Get Security Requirement Object list for this operation.
+        Returns a list of security requirement objects based on the view's authentication classes
+        unless this view's authentication classes are the same as the root-level defaults.
+        """
+        # references the securityScheme names described above in get_security_schemes()
+        security = []
+        if self.view.authentication_classes == api_settings.DEFAULT_AUTHENTICATION_CLASSES:
+            return None
+        for auth_class in self.view.authentication_classes:
+            if hasattr(auth_class, 'openapi_security_requirement'):
+                req = auth_class.openapi_security_requirement(self.view, method)
+                if req:
+                    security += req
+        return security
+
     def _get_path_parameters(self, path, method):
         warnings.warn(
             "Method `_get_path_parameters()` has been renamed to `get_path_parameters()`. "
@@ -816,31 +845,3 @@ def _allows_filters(self, path, method):
             RemovedInDRF314Warning, stacklevel=2
         )
         return self.allows_filters(path, method)
-
-    def get_security_schemes(self, path, method):
-        """
-        Get components.schemas.securitySchemes required by this path.
-        returns dict of securitySchemes.
-        """
-        schemes = {}
-        for auth_class in self.view.authentication_classes:
-            if hasattr(auth_class, 'openapi_security_scheme'):
-                schemes.update(auth_class.openapi_security_scheme())
-        return schemes
-
-    def get_security_requirements(self, path, method):
-        """
-        Get Security Requirement Object list for this operation.
-        Returns a list of security requirement objects based on the view's authentication classes
-        unless this view's authentication classes are the same as the root-level defaults.
-        """
-        # references the securityScheme names described above in get_security_schemes()
-        security = []
-        if self.view.authentication_classes == api_settings.DEFAULT_AUTHENTICATION_CLASSES:
-            return None
-        for auth_class in self.view.authentication_classes:
-            if hasattr(auth_class, 'openapi_security_requirement'):
-                req = auth_class.openapi_security_requirement(self.view, method)
-                if req:
-                    security += req
-        return security

tests/schemas/test_openapi.py

@@ -7,6 +7,7 @@
 from django.utils.translation import gettext_lazy as _
 
 from rest_framework import filters, generics, pagination, routers, serializers
+from rest_framework.authentication import TokenAuthentication
 from rest_framework.authtoken.views import obtain_auth_token
 from rest_framework.compat import uritemplate
 from rest_framework.parsers import JSONParser, MultiPartParser
@@ -1110,3 +1111,49 @@ class ExampleView(generics.DestroyAPIView):
         schema = generator.get_schema(request=create_request('/'))
         assert 'schemas' not in schema['components']
         assert 'content' not in schema['paths']['/example/']['delete']['responses']['204']
+
+    def test_default_root_security_schemes(self):
+        patterns = [
+            url(r'^example/?$', views.ExampleAutoSchemaComponentName.as_view()),
+        ]
+
+        generator = SchemaGenerator(patterns=patterns)
+
+        request = create_request('/')
+        schema = generator.get_schema(request=request)
+        assert 'security' in schema
+        assert {'sessionAuth': []} in schema['security']
+        assert {'basicAuth': []} in schema['security']
+        assert 'security' not in schema['paths']['/example/']['get']
+
+    @override_settings(REST_FRAMEWORK={'DEFAULT_AUTHENTICATION_CLASSES': None})
+    def test_no_default_root_security_schemes(self):
+        patterns = [
+            url(r'^example/?$', views.ExampleAutoSchemaComponentName.as_view()),
+        ]
+
+        generator = SchemaGenerator(patterns=patterns)
+
+        request = create_request('/')
+        schema = generator.get_schema(request=request)
+        assert 'security' not in schema
+
+    def test_operation_security_schemes(self):
+        class MyExample(views.ExampleAutoSchemaComponentName):
+            authentication_classes = [TokenAuthentication]
+
+        patterns = [
+            url(r'^example/?$', MyExample.as_view()),
+        ]
+
+        generator = SchemaGenerator(patterns=patterns)
+
+        request = create_request('/')
+        schema = generator.get_schema(request=request)
+        assert 'security' in schema
+        assert {'sessionAuth': []} in schema['security']
+        assert {'basicAuth': []} in schema['security']
+        get_operation = schema['paths']['/example/']['get']
+        assert 'security' in get_operation
+        assert {'tokenAuth': []} in get_operation['security']
+        assert len(get_operation['security']) == 1