Feature: Add service authentication support (microsoft#795)

* Authentication base

* Implement auth on http side

* Authentication

* use unique name

* Add tests

* Add docs

* Merge with main

* Wip

* Export more things

* Export more things

* Allow description

* Allow description

* Missing desc in openapi3

* Missing desc in openapi3

* Fix formatting

* Fix syntax error after merge

Co-authored-by: David Wilson <[email protected]>

Author: timotheeguerin

common/changes/@cadl-lang/compiler/feature-http-auth_2022-07-28-21-38.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@cadl-lang/compiler",
+      "comment": "Allow extracting value from enums",
+      "type": "minor"
+    }
+  ],
+  "packageName": "@cadl-lang/compiler"
+}

common/changes/@cadl-lang/openapi3/feature-http-auth_2022-07-28-21-38.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@cadl-lang/openapi3",
+      "comment": "Use authentication configured via `@useAuth` http decorator",
+      "type": "minor"
+    }
+  ],
+  "packageName": "@cadl-lang/openapi3"
+}

common/changes/@cadl-lang/rest/feature-http-auth_2022-07-28-21-38.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@cadl-lang/rest",
+      "comment": "Add new `@useAuth` decorator providing support to define service authentication",
+      "type": "minor"
+    }
+  ],
+  "packageName": "@cadl-lang/rest"
+}

packages/compiler/core/decorator-utils.ts

@@ -355,6 +355,8 @@ function cadlTypeToJsonInternal(
     case "Boolean":
     case "Number":
       return [cadlType.value, []];
+    case "EnumMember":
+      return [cadlType.value ?? cadlType.name, []];
     case "Tuple": {
       const result = [];
       for (const [index, type] of cadlType.values.entries()) {

packages/openapi3/src/openapi.ts

@@ -1,5 +1,6 @@
 import {
   checkIfServiceNamespace,
+  compilerAssert,
   emitFile,
   EmitOptionsFor,
   EnumMemberType,
@@ -54,29 +55,34 @@ import {
 import { Discriminator, getDiscriminator, http } from "@cadl-lang/rest";
 import {
   getAllRoutes,
+  getAuthentication,
   getContentTypes,
   getHeaderFieldName,
   getPathParamName,
   getQueryParamName,
   getStatusCodeDescription,
+  HttpAuth,
   HttpOperationParameter,
   HttpOperationParameters,
   HttpOperationResponse,
   isStatusCode,
   OperationDetails,
   reportIfNoRoutes,
+  ServiceAuthentication,
 } from "@cadl-lang/rest/http";
 import { buildVersionProjections } from "@cadl-lang/versioning";
 import { getOneOf, getRef } from "./decorators.js";
 import { OpenAPI3EmitterOptions, OpenAPILibrary, reportDiagnostic } from "./lib.js";
 import {
   OpenAPI3Discriminator,
   OpenAPI3Document,
+  OpenAPI3OAuthFlows,
   OpenAPI3Operation,
   OpenAPI3Parameter,
   OpenAPI3ParameterType,
   OpenAPI3Schema,
   OpenAPI3SchemaProperty,
+  OpenAPI3SecurityScheme,
   OpenAPI3Server,
   OpenAPI3ServerVariable,
 } from "./types.js";
@@ -212,6 +218,8 @@ function createOAPIEmitter(program: Program, options: ResolvedOpenAPI3EmitterOpt
   return { emitOpenAPI };
 
   function initializeEmitter(serviceNamespaceType: NamespaceType, version?: string) {
+    const auth = processAuth(serviceNamespaceType);
+
     root = {
       openapi: "3.0.0",
       info: {
@@ -222,13 +230,14 @@ function createOAPIEmitter(program: Program, options: ResolvedOpenAPI3EmitterOpt
       externalDocs: getExternalDocs(program, serviceNamespaceType),
       tags: [],
       paths: {},
+      security: auth?.security,
       components: {
         parameters: {},
         requestBodies: {},
         responses: {},
         schemas: {},
         examples: {},
-        securitySchemes: {},
+        securitySchemes: auth?.securitySchemes ?? {},
       },
     };
     const servers = http.getServers(program, serviceNamespaceType);
@@ -1305,6 +1314,65 @@ function createOAPIEmitter(program: Program, options: ResolvedOpenAPI3EmitterOpt
         return { type: "string", format: "duration" };
     }
   }
+
+  function processAuth(serviceNamespace: NamespaceType):
+    | {
+        securitySchemes: Record<string, OpenAPI3SecurityScheme>;
+        security: Record<string, string[]>[];
+      }
+    | undefined {
+    const authentication = getAuthentication(program, serviceNamespace);
+    if (authentication) {
+      return processServiceAuthentication(authentication);
+    }
+    return undefined;
+  }
+
+  function processServiceAuthentication(authentication: ServiceAuthentication): {
+    securitySchemes: Record<string, OpenAPI3SecurityScheme>;
+    security: Record<string, string[]>[];
+  } {
+    const oaiSchemes: Record<string, OpenAPI3SecurityScheme> = {};
+    const security: Record<string, string[]>[] = [];
+    for (const option of authentication.options) {
+      const oai3SecurityOption: Record<string, string[]> = {};
+      for (const scheme of option.schemes) {
+        const [oaiScheme, scopes] = getOpenAPI3Scheme(scheme);
+        oaiSchemes[scheme.id] = oaiScheme;
+        oai3SecurityOption[scheme.id] = scopes;
+      }
+      security.push(oai3SecurityOption);
+    }
+    return { securitySchemes: oaiSchemes, security };
+  }
+
+  function getOpenAPI3Scheme(auth: HttpAuth): [OpenAPI3SecurityScheme, string[]] {
+    switch (auth.type) {
+      case "http":
+        return [{ type: "http", scheme: auth.scheme, description: auth.description }, []];
+      case "apiKey":
+        return [
+          { type: "apiKey", in: auth.in, name: auth.name, description: auth.description },
+          [],
+        ];
+      case "oauth2":
+        const flows: OpenAPI3OAuthFlows = {};
+        const scopes: string[] = [];
+        for (const flow of auth.flows) {
+          scopes.push(...flow.scopes);
+          flows[flow.type] = {
+            authorizationUrl: (flow as any).authorizationUrl,
+            tokenUrl: (flow as any).tokenUrl,
+            refreshUrl: flow.refreshUrl,
+            scopes: Object.fromEntries(flow.scopes.map((x: string) => [x, ""])),
+          };
+        }
+        return [{ type: "oauth2", flows, description: auth.description }, scopes];
+      default:
+        const _assertNever: never = auth;
+        compilerAssert(false, "Unreachable");
+    }
+  }
 }
 
 function prettierOutput(output: string) {

packages/openapi3/src/types.ts

@@ -34,6 +34,9 @@ export interface OpenAPI3Document extends Extensions {
 
   /** An element to hold various schemas for the specification. */
   components?: OpenAPI3Components;
+
+  /** A declaration of which security mechanisms can be used across the API. The list of values includes alternative security requirement objects that can be used. Only one of the security requirement objects need to be satisfied to authorize a request. Individual operations can override this definition. */
+  security?: Record<string, string[]>[];
 }
 
 export interface OpenAPI3Info extends Extensions {

packages/openapi3/test/security.test.ts

@@ -0,0 +1,145 @@
+import { deepStrictEqual } from "assert";
+import { openApiFor } from "./test-host.js";
+
+describe("openapi3: security", () => {
+  it("set a basic auth", async () => {
+    const res = await openApiFor(
+      `
+      @serviceTitle("My service")
+      @useAuth(BasicAuth)
+      namespace MyService {}
+      `
+    );
+    deepStrictEqual(res.components.securitySchemes, {
+      BasicAuth: {
+        type: "http",
+        scheme: "basic",
+      },
+    });
+    deepStrictEqual(res.security, [{ BasicAuth: [] }]);
+  });
+
+  it("set a bearer auth", async () => {
+    const res = await openApiFor(
+      `
+      @serviceTitle("My service")
+      @useAuth(BearerAuth)
+      namespace MyService {}
+      `
+    );
+    deepStrictEqual(res.components.securitySchemes, {
+      BearerAuth: {
+        type: "http",
+        scheme: "bearer",
+      },
+    });
+    deepStrictEqual(res.security, [{ BearerAuth: [] }]);
+  });
+
+  it("set a ApiKeyAuth ", async () => {
+    const res = await openApiFor(
+      `
+      @serviceTitle("My service")
+      @useAuth(ApiKeyAuth<ApiKeyLocation.header, "x-my-header">)
+      namespace MyService {}
+      `
+    );
+    deepStrictEqual(res.components.securitySchemes, {
+      ApiKeyAuth: {
+        type: "apiKey",
+        in: "header",
+        name: "x-my-header",
+      },
+    });
+    deepStrictEqual(res.security, [{ ApiKeyAuth: [] }]);
+  });
+
+  it("set a oauth2 auth", async () => {
+    const res = await openApiFor(
+      `
+      @serviceTitle("My service")
+     
+      @useAuth(OAuth2Auth<[MyFlow]>)
+      namespace MyService {
+        model MyFlow {
+          type: OAuth2FlowType.implicit;
+          authorizationUrl: "https://api.example.com/oauth2/authorize";
+          refreshUrl: "https://api.example.com/oauth2/refresh";
+          scopes: ["read", "write"];
+        }
+      }
+      `
+    );
+    deepStrictEqual(res.components.securitySchemes, {
+      OAuth2Auth: {
+        type: "oauth2",
+        flows: {
+          implicit: {
+            authorizationUrl: "https://api.example.com/oauth2/authorize",
+            refreshUrl: "https://api.example.com/oauth2/refresh",
+            scopes: {
+              read: "",
+              write: "",
+            },
+          },
+        },
+      },
+    });
+    deepStrictEqual(res.security, [{ OAuth2Auth: ["read", "write"] }]);
+  });
+
+  it("can specify custom auth name with description", async () => {
+    const res = await openApiFor(
+      `
+      @serviceTitle("My service")
+      @useAuth(MyAuth)
+      @test namespace Foo {
+        @doc("My custom basic auth")
+        model MyAuth is BasicAuth;
+      }
+      `
+    );
+    deepStrictEqual(res.components.securitySchemes, {
+      MyAuth: {
+        type: "http",
+        scheme: "basic",
+        description: "My custom basic auth",
+      },
+    });
+    deepStrictEqual(res.security, [{ MyAuth: [] }]);
+  });
+
+  it("can use multiple auth", async () => {
+    const res = await openApiFor(
+      `
+      @serviceTitle("My service")
+      @useAuth(BearerAuth | [ApiKeyAuth<ApiKeyLocation.header, "x-my-header">, BasicAuth])
+      namespace MyService {}
+      `
+    );
+    deepStrictEqual(res.components.securitySchemes, {
+      ApiKeyAuth: {
+        in: "header",
+        name: "x-my-header",
+        type: "apiKey",
+      },
+      BasicAuth: {
+        scheme: "basic",
+        type: "http",
+      },
+      BearerAuth: {
+        scheme: "bearer",
+        type: "http",
+      },
+    });
+    deepStrictEqual(res.security, [
+      {
+        BearerAuth: [],
+      },
+      {
+        ApiKeyAuth: [],
+        BasicAuth: [],
+      },
+    ]);
+  });
+});

packages/rest/README.md

@@ -25,27 +25,38 @@ See [Rest section in the tutorial](https://github.com/microsoft/cadl/blob/main/d
 
 `@cadl-lang/rest` library defines of the following artifacts:
 
-- [Models](#models)
-- [Decorators](#decorators)
-- [Interfaces](#interfaces)
+- [Cadl HTTP/Rest Library](#cadl-httprest-library)
+  - [Install](#install)
+  - [Usage](#usage)
+  - [Library Tour](#library-tour)
+  - [Models](#models)
+  - [Decorators](#decorators)
+  - [Interfaces](#interfaces)
+  - [See also](#see-also)
 
 ## Models
 
 - ### HTTP namespace
-  | Model                | Notes                                                                                                                                  |
-  | -------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
-  | LocationHeader       | Location header                                                                                                                        |
-  | Response<Status>  | <Status> is numerical status code.                                                                                                  |
-  | OkResponse<T>     | Response<200> with T as the response body model type.                                                                               |
-  | CreatedResponse      | Response<201>                                                                                                                       |
-  | AcceptedResponse     | Response<202>                                                                                                                       |
-  | NoContentResponse    | Response<204>                                                                                                                       |
-  | MovedResponse        | Response<301> with LocationHeader for redirected URL                                                                                |
-  | NotModifiedResponse  | Response<304>                                                                                                                       |
-  | UnauthorizedResponse | Response<401>                                                                                                                       |
-  | NotFoundResponse     | Response<404>                                                                                                                       |
-  | ConflictResponse     | Response<409>                                                                                                                       |
-  | PlainData<T>      | Produces a new model with the same properties as T, but with @query, @header, @body, and @path decorators removed from all properties. |
+
+  | Model                        | Notes                                                                                                                                  |
+  | ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
+  | LocationHeader               | Location header                                                                                                                        |
+  | Response<Status>          | <Status> is numerical status code.                                                                                                  |
+  | OkResponse<T>             | Response<200> with T as the response body model type.                                                                               |
+  | CreatedResponse              | Response<201>                                                                                                                       |
+  | AcceptedResponse             | Response<202>                                                                                                                       |
+  | NoContentResponse            | Response<204>                                                                                                                       |
+  | MovedResponse                | Response<301> with LocationHeader for redirected URL                                                                                |
+  | NotModifiedResponse          | Response<304>                                                                                                                       |
+  | UnauthorizedResponse         | Response<401>                                                                                                                       |
+  | NotFoundResponse             | Response<404>                                                                                                                       |
+  | ConflictResponse             | Response<409>                                                                                                                       |
+  | PlainData<T>              | Produces a new model with the same properties as T, but with @query, @header, @body, and @path decorators removed from all properties. |
+  | BasicAuth                    | Configure `basic` authentication with @useAuth                                                                                         |
+  | BearerAuth                   | Configure `bearer` authentication with @useAuth                                                                                        |
+  | ApiKeyAuth<TLocation, TName> | Configure `apiKey` authentication with @useAuth                                                                                        |
+  | OAuth2Auth<TFlows>           | Configure `oauth2` authentication with @useAuth                                                                                        |
+
 - ### REST namespace
   | Model                                      | Notes                                                                                                       |
   | ------------------------------------------ | ----------------------------------------------------------------------------------------------------------- |
@@ -78,6 +89,7 @@ The `@cadl-lang/rest` library defines the following decorators in `Cadl.Http` na
 | @path       | model properties and operation parameters | indicating the properties are in request path.                                                    |
 | @statusCode | model properties and operation parameters | indicating the property is the return status code. Only one allowed per model.                    |
 | @server     | namespace                                 | Configure the server url for the service.                                                         |
+| @useAuth    | namespace                                 | Configure the service authentication.                                                             |
 
 - ### REST namespace