[PHP] Code generator does not use/validate "scheme" security attribute #5025

Closed
5 of 6 tasks
sebastien-rosset opened this issue Jan 17, 2020 · 1 comment

Comments

sebastien-rosset commented Jan 17, 2020

Bug Report Checklist

  • Have you provided a full/minimal spec to reproduce the issue?
  • Have you validated the input using an OpenAPI validator (example)?
  • What's the version of OpenAPI Generator used?
  • Have you searched for related issues/PRs?
  • What's the actual output vs expected output?
  • [Optional] Bounty to sponsor the fix (example)

Description

The PHP code generator does not validate the value of the "scheme" attribute in the security scheme object. It assumes that when type is set to "http", the auth scheme is "basic". But that's not always the case. Other HTTP schemes are defined in the IANA registry.

The "scheme" attribute in the security scheme object is required, as specified in OAS 3.0.2.
The value of the "scheme" attribute must be the auth scheme from the IANA registry available at
https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml (as per RFC 7235).

openapi-generator version

master branch, January 18 2020

OpenAPI declaration file content or url

Consider the following OAS security schemes:

securitySchemes:
   http_basic_test:
      type: http
      scheme: basic
   http_scram:
      type: http
      scheme: SCRAM-SHA-256
   http_other_scheme:
      type: http
      scheme: my-security-scheme-value

The PHP generator properly generates the code for "http_basic_test". For the other two scheme values (http_scram and http_other_scheme), the generator still produces code assuming the scheme value is "basic".

I found this issue while working on PRs #4993 and #4958.

Command line used for generation

./bin/openapi3/php-petstore.sh

Steps to reproduce
  1. Edit modules/openapi-generator/src/test/resources/3_0/petstore-with-fake-endpoints-models-for-testing.yaml and add the following scheme:
   http_signature_test:
      type: http
      scheme: signature

The "signature" value is NOT HTTP basic. This is just an example; I think any value would produce the same results.

  2. Execute ./bin/openapi3/php-petstore.sh

  3. Notice the following code is generated in b/samples/openapi3/client/petstore/php/OpenAPIClient-php/lib/Api/PetApi.php

+        // this endpoint requires HTTP basic authentication
+        if (!empty($this->config->getUsername()) || !(empty($this->config->getPassword()))) {
+            $headers['Authorization'] = 'Basic ' . base64_encode($this->config->getUsername() . ":" . $this->config->getPassword());
+        }
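
Review bot: The `$headers['Authorization'] = 'Basic ' ...` line hard-codes the Basic scheme even though the spec entry that produced this block declares `scheme: signature`, so any username or password set on the config is sent base64-encoded for a scheme that is not Basic. The template should emit this block only when the security scheme's `scheme` value is `basic` (compared case-insensitively, since HTTP auth scheme names are case-insensitive per RFC 7235), and the `// this endpoint requires HTTP basic authentication` comment should not be generated for any other value.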

I would expect the PHP generator to inspect the value of "scheme" and skip the "http basic" code generation.

Related issues/PRs

Similar issue: #239

Suggest a fix

I think the code generator should validate the value of the "scheme" attribute. If it does not understand the value and cannot generate the code that will be able to implement this value, it should skip the security scheme. Or alternatively it should fail, but I think skipping is better.
My reasoning for skipping is that if an OAS spec supports multiple schemes, at least the PHP generator will be able to generate a subset of the schemes, even if it does not support all of them.
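
The skip-on-unknown behaviour suggested above, as an added sketch that is not part of the original issue or of the openapi-generator code base. The function name, the `SUPPORTED_HTTP_SCHEMES` set and the last three sample entries are assumptions made for the illustration.

```python
# Added illustration: decide which securitySchemes a generator can emit code for.
# SUPPORTED_HTTP_SCHEMES is an assumption for this sketch, not the PHP
# generator's real list of supported schemes.
SUPPORTED_HTTP_SCHEMES = {"basic", "bearer"}


def partition_security_schemes(security_schemes, supported=SUPPORTED_HTTP_SCHEMES):
    """Split schemes into (generate, skipped); skipped maps name -> reason."""
    generate, skipped = {}, {}
    for name, definition in security_schemes.items():
        if definition.get("type") != "http":
            # apiKey, oauth2 and openIdConnect are out of scope for this check.
            generate[name] = definition
            continue
        scheme = definition.get("scheme")
        if not isinstance(scheme, str) or not scheme.strip():
            # OAS 3.0.2 requires "scheme" whenever type is "http".
            skipped[name] = 'missing required "scheme" attribute'
            continue
        # HTTP auth scheme names are case-insensitive (RFC 7235).
        normalized = scheme.strip().lower()
        if normalized not in supported:
            skipped[name] = f'unsupported HTTP auth scheme "{scheme}"'
            continue
        generate[name] = {**definition, "scheme": normalized}
    return generate, skipped


# Input mirroring the schemes in the issue; the last three entries are constructed.
SAMPLE_SCHEMES = {
    "http_basic_test": {"type": "http", "scheme": "basic"},
    "http_scram": {"type": "http", "scheme": "SCRAM-SHA-256"},
    "http_other_scheme": {"type": "http", "scheme": "my-security-scheme-value"},
    "http_signature_test": {"type": "http", "scheme": "signature"},
    "http_basic_mixed_case": {"type": "http", "scheme": "Basic"},
    "http_no_scheme": {"type": "http"},
    "api_key": {"type": "apiKey", "name": "api_key", "in": "header"},
}

if __name__ == "__main__":
    generate, skipped = partition_security_schemes(SAMPLE_SCHEMES)
    for name in generate:
        print(f"generate: {name}")
    for name, reason in skipped.items():
        print(f"skip:     {name} ({reason})")
```

Skipped schemes are returned with a reason so the generator can log a warning instead of silently emitting Basic credentials code for them.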

sebastien-rosset changed the title from "[PHP] Description" to "[PHP] Code generator does not use/validate "scheme" security attribute" on Jan 17, 2020
@sebastien-rosset
Contributor Author

Fixed through #5095
