github.com/circl-dev/go-swagger@v0.31.0/examples/composed-auth/swagger.yml (about)

     1  ---
     2  
     3  swagger: '2.0'
     4  info:
     5    title: Composing authorizations
     6    description: |
     7      This sample API demonstrates how to compose several authentication schemes
     8      and configure complex security requirements for your operations.
     9  
    10      This API simulates a very simple market place with customers and resellers
    11      of items.
    12  
    13      Personas:
    14        - as a first time user, I want to see all items on sales
    15        - as a registered customer, I want to post orders for items and
    16          consult my past orders
    17        - as a registered reseller, I want to see all pending orders on the items
    18          I am selling on the market place
    19        - as a reseller managing my own inventories, I want to post replenishment orders for the items I provide
    20        - as a register user, I want to consult my personal account infos
    21  
    22      The situation we defined on the authentication side is as follows:
    23        - every known user is authenticated using a basic token
    24        - resellers are authenticated using API keys - we let the option to authenticate using a header or query param
    25        - any registered user (customer or reseller) will add a signed JWT to access more API endpoints
    26  
    27      Obviously, there are several ways to achieve the same result. We just wanted to demonstrate here how
    28      security requirements may compose several schemes.
    29  
    30      Note that we used the "OAuth2" declaration here but don't implement a real
    31      OAuth2 workflow: our intend here is just to be able to extract scopes from a passed JWT token (the
    32      only way to manipulate scoped authorizers with Swagger 2.0 is to declare them with type "oauth2").
    33  
    34    version: '0.0.1'
    35  consumes:
    36  - application/json
    37  produces:
    38  - application/json
    39  schemes:
    40    - http   # https in a normal setup
    41  basePath: /api
    42  securityDefinitions:
    43    isRegistered:
    44      # This scheme uses the header: "Authorization: Basic {base64 encoded string defined by username:password}"
    45      # Scopes are not supported with this type of authorization.
    46      type: basic
    47    isReseller:
    48      # This scheme uses the header: "X-Custom-Key: {base64 encoded string}"
    49      # Scopes are not supported with this type of authorization.
    50      type: apiKey
    51      in: header
    52      name: X-Custom-Key
    53    isResellerQuery:
    54      # This scheme uses the query parameter "CustomKeyAsQuery"
    55      # Scopes are not supported with this type of authorization.
    56      type: apiKey
    57      in: query
    58      name: CustomKeyAsQuery
    59    hasRole:
    60      # This scheme uses the header: "Authorization: Bearer {base64 encoded string representing a JWT}"
    61      # Alternatively, the query param: "access_token" may be used.
    62      #
    63      # In our scenario, we must use the query param version in order to avoid
    64      # passing several headers with key 'Authorization'
    65      type: oauth2
    66      # The flow and URLs in spec are for documentary purpose: go-swagger does not implement OAuth workflows
    67      flow: accessCode
    68      authorizationUrl: 'https://dummy.oauth.net/auth'
    69      tokenUrl: 'https://dumy.oauth.net/token'
    70      # Required scopes are passed by the runtime to the authorizer
    71      scopes:
    72        customer: scope of registered customers
    73        inventoryManager: scope of resellers acting as inventory managers
    74  
    75  # Default Security requirements for all operations
    76  security:
    77    - isRegistered: []
    78  
    79  paths:
    80    /items:
    81      get:
    82        summary: items on sale
    83        operationId: GetItems
    84        description: |
    85          Everybody should be able to access this operation
    86        security: []
    87        responses: &multipleOrdersResponse
    88          '200':
    89            $ref: "#/responses/multipleItems"
    90          default:
    91            $ref: "#/responses/otherError"
    92  
    93    /account:
    94      get:
    95        summary: registered user account
    96        operationId: GetAccount
    97        description: |
    98          Every registered user should be able to access this operation
    99        security:
   100          - isRegistered: []
   101        responses:
   102          '200':
   103            description: registered user personal account infos
   104            schema:
   105              type: object
   106              additionalProperties: true
   107          '401':
   108            $ref: "#/responses/unauthorized"
   109          default:
   110            $ref: "#/responses/otherError"
   111  
   112    /order/{orderID}:
   113      get:
   114        summary: retrieves an order
   115        operationId: GetOrder
   116        description: |
   117          Only registered customers should be able to retrieve orders
   118        security:
   119          - isRegistered: []
   120            hasRole: [ customer ]
   121        parameters: &singleOrderParam
   122          - name: orderID
   123            in: path
   124            type: string
   125            required: true
   126        responses: &singleOrderResponse
   127          '200':
   128            $ref: "#/responses/singleOrder"
   129          '401':
   130            $ref: "#/responses/unauthorized"
   131          '403':
   132            $ref: "#/responses/forbidden"
   133          default:
   134            $ref: "#/responses/otherError"
   135    /order/add:
   136      post:
   137        summary: post a new order
   138        operationId: AddOrder
   139        description: |
   140          Registered customers should be able to add purchase orders.
   141          Registered inventory managers should be able to add replenishment orders.
   142  
   143        security:
   144          - isRegistered: []
   145            hasRole: [ customer ]
   146          - isReseller: []
   147            hasRole: [ inventoryManager ]
   148          - isResellerQuery: []
   149            hasRole: [ inventoryManager ]
   150        parameters:
   151          - name: order
   152            in: body
   153            schema:
   154              $ref: "#/definitions/Order"
   155            required: true
   156        responses:
   157          '200':
   158            description: empty response
   159          '401':
   160            $ref: "#/responses/unauthorized"
   161          '403':
   162            $ref: "#/responses/forbidden"
   163          default:
   164            $ref: "#/responses/otherError"
   165  
   166    /orders/{itemID}:
   167      get:
   168        summary: retrieves all orders for an item
   169        operationId: GetOrdersForItem
   170        description: |
   171          Only registered resellers should be able to search orders for an item
   172        security:
   173          - isReseller: []
   174          - isResellerQuery: []
   175        parameters: &singleItemParam
   176          - name: itemID
   177            in: path
   178            type: string
   179            required: true
   180        responses: &multipleOrdersResponse
   181          '200':
   182            $ref: "#/responses/multipleOrders"
   183          '401':
   184            $ref: "#/responses/unauthorized"
   185          '403':
   186            $ref: "#/responses/forbidden"
   187          default:
   188            $ref: "#/responses/otherError"
   189  
   190  definitions:
   191    Order:
   192      type: object
   193      required: [ orderID ]
   194      properties:
   195        orderID:
   196          type: string
   197        orderLines:
   198          type: array
   199          items:
   200            x-go-name: orderLine
   201            type: object
   202            required: [quantity, purchasedItem]
   203            properties:
   204              quantity:
   205                type: integer
   206                format: int32
   207                minimum: 1
   208              purchasedItem:
   209                $ref: "#/definitions/Item"
   210  
   211    Item:
   212      type: string
   213  
   214    Error:
   215      type: object
   216      required:
   217        - message
   218      properties:
   219        code:
   220          type: integer
   221          format: int64
   222        message:
   223          type: string
   224  
   225    principal:
   226      type: object
   227      properties:
   228        name:
   229          type: string
   230        roles:
   231          type: array
   232          items:
   233            type: string
   234  
   235  responses:
   236    unauthorized:
   237      description: unauthorized access for a lack of authentication
   238    forbidden:
   239      description: forbidden access for a lack of sufficient privileges
   240    otherError:
   241      description: other error response
   242      schema:
   243        $ref: "#/definitions/Error"
   244    singleOrder:
   245      description: content of an order
   246      schema:
   247        $ref: "#/definitions/Order"
   248    multipleOrders:
   249      description: multiple orders
   250      schema:
   251        type: array
   252        items:
   253          $ref: "#/definitions/Order"
   254    singleItem:
   255      description: single item
   256      schema:
   257        type: string
   258    multipleItems:
   259      description: multiple items
   260      schema:
   261        type: array
   262        items:
   263          $ref: "#/definitions/Item"
   264