roas 0.6.0 - Docs.rs

//! Security Scheme Object

use crate::common::helpers::{
    Context, PushError, ValidateWithContext, validate_optional_url, validate_required_string,
    validate_required_url,
};
use crate::v3_1::spec::Spec;
use serde::{Deserialize, Serialize};
use std::collections::BTreeMap;
use std::fmt::{Display, Formatter};

/// Defines a security scheme that can be used by the operations.
/// Supported schemes are HTTP authentication, an API key (either as a header,
/// a cookie parameter or as a query parameter),
/// OAuth2’s common flows (implicit, password, client credentials and authorization code)
/// as defined in [RFC6749](https://www.rfc-editor.org/rfc/rfc6749.html),
/// and OpenID Connect Discovery.
///
/// Specification Examples:
///
/// * Basic Authentication Sample:
/// ```yaml
/// type: http
/// scheme: basic
/// ```
///
/// * API Key Sample:
/// ```yaml
/// type: apiKey
/// name: api_key
/// in: header
/// ```
///
/// * JWT Bearer Sample
/// ```yaml
/// type: http
/// scheme: bearer
/// bearerFormat: JWT
/// ```
///
/// * Implicit OAuth2 Sample:
/// ```yaml
/// type: oauth2
/// flows:
///   implicit:
///     authorizationUrl: https://example.com/api/oauth/dialog
///     scopes:
///       write:pets: modify pets in your account
///       read:pets: read your pets
/// ```
#[derive(Clone, Debug, Deserialize, Serialize, PartialEq)]
#[serde(tag = "type")]
pub enum SecurityScheme {
    /// Basic Authentication Type
    #[serde(rename = "http")]
    HTTP(Box<HttpSecurityScheme>),

    /// API Key Authentication Type
    #[serde(rename = "apiKey")]
    ApiKey(Box<ApiKeySecurityScheme>),

    /// OAuth2 Authentication Type
    #[serde(rename = "oauth2")]
    OAuth2(Box<OAuth2SecurityScheme>),

    /// OpenIdConnect Authentication Type
    #[serde(rename = "openIdConnect")]
    OpenIdConnect(Box<OpenIdConnectSecurityScheme>),
}

impl Display for SecurityScheme {
    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
        match self {
            SecurityScheme::HTTP(_) => write!(f, "http"),
            SecurityScheme::ApiKey(_) => write!(f, "apiKey"),
            SecurityScheme::OAuth2(_) => write!(f, "oauth2"),
            SecurityScheme::OpenIdConnect(_) => write!(f, "openIdConnect"),
        }
    }
}

#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Default)]
pub struct HttpSecurityScheme {
    /// **Required** The name of the HTTP Authorization scheme to be used in the Authorization header
    /// as defined in [RFC7235](https://www.rfc-editor.org/rfc/rfc7235).
    /// The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml).
    pub scheme: HttpScheme,

    /// A hint to the client to identify how the bearer token is formatted.
    /// Bearer tokens are usually generated by an authorization server,
    /// so this information is primarily for documentation purposes.
    #[serde(skip_serializing_if = "Option::is_none")]
    #[serde(rename = "bearerFormat")]
    pub bearer_format: Option<String>,

    /// A short description for security scheme.
    /// [CommonMark](https://spec.commonmark.org) syntax MAY be used for rich text representation.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub description: Option<String>,

    /// This object MAY be extended with Specification Extensions.
    /// The field name MUST begin with `x-`, for example, `x-internal-id`.
    /// The value can be null, a primitive, an array or an object.
    #[serde(flatten)]
    #[serde(with = "crate::common::extensions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub extensions: Option<BTreeMap<String, serde_json::Value>>,
}

/// The HTTP Authorization schemes from
/// [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml).
#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Default)]
pub enum HttpScheme {
    /// Basic Authentication Scheme
    /// [RFC7617](https://www.rfc-editor.org/rfc/rfc7617).
    #[default]
    #[serde(alias = "basic")]
    Basic,

    /// Bearer Authentication Scheme
    /// [RFC6750](https://www.rfc-editor.org/rfc/rfc6750).
    #[serde(alias = "bearer")]
    Bearer,

    /// Digest Authentication Scheme
    /// [RFC7616](https://www.rfc-editor.org/rfc/rfc7616).
    #[serde(alias = "digest")]
    Digest,

    /// DPoP Authentication Scheme
    /// [RFC9449, Section 7.1](https://www.iana.org/go/rfc9449).
    #[serde(alias = "dpop")]
    DPoP,

    /// HOBA Authentication Scheme
    /// [RFC7486, Section 3](https://www.rfc-editor.org/rfc/rfc7486).
    #[serde(alias = "hoba")]
    HOBA,

    /// Mutual Authentication Scheme
    /// [RFC8120](https://www.rfc-editor.org/rfc/rfc8120).
    #[serde(alias = "mutual")]
    Mutual,

    /// Negotiate Authentication Scheme
    /// [RFC4559, Section 3](https://www.rfc-editor.org/rfc/rfc4559).
    #[serde(alias = "negotiate")]
    Negotiate,

    /// OAuth Authentication Scheme
    /// [RFC5849, Section 3.5.1](https://www.rfc-editor.org/rfc/rfc5849).
    #[serde(alias = "oauth")]
    OAuth,

    /// SCRAM SHA 1 Authentication Scheme
    /// [RFC7804](https://www.iana.org/go/rfc7804).
    #[serde(alias = "scram-sha-1")]
    #[serde(rename = "SCRAM-SHA-1")]
    SCRAMSHA1,

    /// SCRAM SHA 256 Authentication Scheme
    /// [RFC7804](https://www.iana.org/go/rfc7804).
    #[serde(alias = "scram-sha-256")]
    #[serde(rename = "SCRAM-SHA-256")]
    SCRAMSHA256,

    /// Vapid Authentication Scheme
    /// [RFC8292, Section 3](https://www.iana.org/go/rfc8292).
    #[serde(rename = "vapid")]
    Vapid,
}

impl Display for HttpScheme {
    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
        match self {
            HttpScheme::Basic => write!(f, "Basic"),
            HttpScheme::Bearer => write!(f, "Bearer"),
            HttpScheme::Digest => write!(f, "Digest"),
            HttpScheme::DPoP => write!(f, "DPoP"),
            HttpScheme::HOBA => write!(f, "HOBA"),
            HttpScheme::Mutual => write!(f, "Mutual"),
            HttpScheme::Negotiate => write!(f, "Negotiate"),
            HttpScheme::OAuth => write!(f, "OAuth"),
            HttpScheme::SCRAMSHA1 => write!(f, "SCRAM-SHA-1"),
            HttpScheme::SCRAMSHA256 => write!(f, "SCRAM-SHA-256"),
            HttpScheme::Vapid => write!(f, "vapid"),
        }
    }
}

#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Default)]
pub struct ApiKeySecurityScheme {
    /// **Required** A short description for security scheme.
    pub name: String,

    /// **Required** The location of the API key.
    #[serde(rename = "in")]
    pub location: ApiKeyLocation,

    /// A short description for security scheme.
    /// [CommonMark](https://spec.commonmark.org) syntax MAY be used for rich text representation.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub description: Option<String>,

    /// This object MAY be extended with Specification Extensions.
    /// The field name MUST begin with `x-`, for example, `x-internal-id`.
    /// The value can be null, a primitive, an array or an object.
    #[serde(flatten)]
    #[serde(with = "crate::common::extensions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub extensions: Option<BTreeMap<String, serde_json::Value>>,
}

/// The location of the API key.
#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Default)]
pub enum ApiKeyLocation {
    /// The API key MUST be transmitted as a header parameter.
    #[default]
    #[serde(rename = "query")]
    Query,

    /// The API key MUST be transmitted as a query parameter.
    #[serde(rename = "header")]
    Header,

    /// The API key MUST be transmitted as a cookie parameter.
    #[serde(rename = "cookie")]
    Cookie,
}

impl Display for ApiKeyLocation {
    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
        match self {
            ApiKeyLocation::Query => write!(f, "query"),
            ApiKeyLocation::Header => write!(f, "header"),
            ApiKeyLocation::Cookie => write!(f, "cookie"),
        }
    }
}

#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Default)]
pub struct OAuth2SecurityScheme {
    /// **Required**  An object containing configuration information for the flow types supported.
    pub flows: OAuth2Flows,

    /// A short description for security scheme.
    /// [CommonMark](https://spec.commonmark.org) syntax MAY be used for rich text representation.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub description: Option<String>,

    /// This object MAY be extended with Specification Extensions.
    /// The field name MUST begin with `x-`, for example, `x-internal-id`.
    /// The value can be null, a primitive, an array or an object.
    #[serde(flatten)]
    #[serde(with = "crate::common::extensions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub extensions: Option<BTreeMap<String, serde_json::Value>>,
}

/// Allows configuration of the supported OAuth Flows.
#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Default)]
pub struct OAuth2Flows {
    /// Configuration for the OAuth Implicit flow
    #[serde(skip_serializing_if = "Option::is_none")]
    pub implicit: Option<ImplicitOAuth2Flow>,

    /// Configuration for the OAuth Resource Owner Password flow
    #[serde(skip_serializing_if = "Option::is_none")]
    pub password: Option<PasswordOAuth2Flow>,

    /// Configuration for the OAuth Client Credentials flow.
    /// Previously called `application` in OpenAPI 2.0.
    #[serde(skip_serializing_if = "Option::is_none")]
    #[serde(rename = "clientCredentials")]
    pub client_credentials: Option<ClientCredentialsOAuth2Flow>,

    /// Configuration for the OAuth Authorization Code flow.
    /// Previously called `accessCode` in OpenAPI 2.0.
    #[serde(skip_serializing_if = "Option::is_none")]
    #[serde(rename = "authorizationCode")]
    pub authorization_code: Option<AuthorizationCodeOAuth2Flow>,

    /// This object MAY be extended with Specification Extensions.
    /// The field name MUST begin with `x-`, for example, `x-internal-id`.
    /// The value can be null, a primitive, an array or an object.
    #[serde(flatten)]
    #[serde(with = "crate::common::extensions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub extensions: Option<BTreeMap<String, serde_json::Value>>,
}

/// Configuration details for the Implicit OAuth Flow
#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Default)]
pub struct ImplicitOAuth2Flow {
    /// **Required** The authorization URL to be used for this flow.
    /// This MUST be in the form of a URL.
    #[serde(rename = "authorizationUrl")]
    pub authorization_url: String,

    /// The URL to be used for obtaining refresh tokens.
    /// This MUST be in the form of a URL.
    #[serde(skip_serializing_if = "Option::is_none")]
    #[serde(rename = "refreshUrl")]
    pub refresh_url: Option<String>,

    /// **Required** The available scopes for the OAuth2 security scheme.
    /// A map between the scope name and a short description for it.
    /// The map MAY be empty.
    pub scopes: BTreeMap<String, String>,

    /// This object MAY be extended with Specification Extensions.
    /// The field name MUST begin with `x-`, for example, `x-internal-id`.
    /// The value can be null, a primitive, an array or an object.
    #[serde(flatten)]
    #[serde(with = "crate::common::extensions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub extensions: Option<BTreeMap<String, serde_json::Value>>,
}

/// Configuration details for the Password OAuth Flow
#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Default)]
pub struct PasswordOAuth2Flow {
    /// **Required** The token URL to be used for this flow.
    /// This MUST be in the form of a URL.
    #[serde(rename = "tokenUrl")]
    pub token_url: String,

    /// The URL to be used for obtaining refresh tokens.
    /// This MUST be in the form of a URL.
    #[serde(skip_serializing_if = "Option::is_none")]
    #[serde(rename = "refreshUrl")]
    pub refresh_url: Option<String>,

    /// **Required** The available scopes for the OAuth2 security scheme.
    /// A map between the scope name and a short description for it.
    /// The map MAY be empty.
    pub scopes: BTreeMap<String, String>,

    /// This object MAY be extended with Specification Extensions.
    /// The field name MUST begin with `x-`, for example, `x-internal-id`.
    /// The value can be null, a primitive, an array or an object.
    #[serde(flatten)]
    #[serde(with = "crate::common::extensions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub extensions: Option<BTreeMap<String, serde_json::Value>>,
}

/// Configuration details for the ClientCredentials OAuth Flow
#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Default)]
pub struct ClientCredentialsOAuth2Flow {
    /// **Required** The token URL to be used for this flow.
    /// This MUST be in the form of a URL.
    #[serde(rename = "tokenUrl")]
    pub token_url: String,

    /// The URL to be used for obtaining refresh tokens.
    /// This MUST be in the form of a URL.
    #[serde(skip_serializing_if = "Option::is_none")]
    #[serde(rename = "refreshUrl")]
    pub refresh_url: Option<String>,

    /// **Required** The available scopes for the OAuth2 security scheme.
    /// A map between the scope name and a short description for it.
    /// The map MAY be empty.
    pub scopes: BTreeMap<String, String>,

    /// This object MAY be extended with Specification Extensions.
    /// The field name MUST begin with `x-`, for example, `x-internal-id`.
    /// The value can be null, a primitive, an array or an object.
    #[serde(flatten)]
    #[serde(with = "crate::common::extensions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub extensions: Option<BTreeMap<String, serde_json::Value>>,
}

/// Configuration details for the ClientCredentials OAuth Flow
#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Default)]
pub struct AuthorizationCodeOAuth2Flow {
    /// **Required** The authorization URL to be used for this flow.
    /// This MUST be in the form of a URL.
    #[serde(rename = "authorizationUrl")]
    pub authorization_url: String,

    /// **Required** The token URL to be used for this flow.
    /// This MUST be in the form of a URL.
    #[serde(rename = "tokenUrl")]
    pub token_url: String,

    /// The URL to be used for obtaining refresh tokens.
    /// This MUST be in the form of a URL.
    #[serde(skip_serializing_if = "Option::is_none")]
    #[serde(rename = "refreshUrl")]
    pub refresh_url: Option<String>,

    /// **Required** The available scopes for the OAuth2 security scheme.
    /// A map between the scope name and a short description for it.
    /// The map MAY be empty.
    pub scopes: BTreeMap<String, String>,

    /// This object MAY be extended with Specification Extensions.
    /// The field name MUST begin with `x-`, for example, `x-internal-id`.
    /// The value can be null, a primitive, an array or an object.
    #[serde(flatten)]
    #[serde(with = "crate::common::extensions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub extensions: Option<BTreeMap<String, serde_json::Value>>,
}

#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Default)]
pub struct OpenIdConnectSecurityScheme {
    /// **Required** OpenId Connect URL to discover OAuth2 configuration values.
    /// This MUST be in the form of a URL.
    #[serde(rename = "openIdConnectUrl")]
    pub open_id_connect_url: String,

    /// A short description for security scheme.
    /// [CommonMark](https://spec.commonmark.org) syntax MAY be used for rich text representation.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub description: Option<String>,

    /// This object MAY be extended with Specification Extensions.
    /// The field name MUST begin with `x-`, for example, `x-internal-id`.
    /// The value can be null, a primitive, an array or an object.
    #[serde(flatten)]
    #[serde(with = "crate::common::extensions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub extensions: Option<BTreeMap<String, serde_json::Value>>,
}

impl ValidateWithContext<Spec> for SecurityScheme {
    fn validate_with_context(&self, ctx: &mut Context<Spec>, path: String) {
        match self {
            SecurityScheme::HTTP(http) => http.validate_with_context(ctx, path),
            SecurityScheme::ApiKey(api_key) => api_key.validate_with_context(ctx, path),
            SecurityScheme::OAuth2(oauth2) => oauth2.validate_with_context(ctx, path),
            SecurityScheme::OpenIdConnect(open_id_connect) => {
                open_id_connect.validate_with_context(ctx, path)
            }
        }
    }
}

impl ValidateWithContext<Spec> for HttpSecurityScheme {
    fn validate_with_context(&self, ctx: &mut Context<Spec>, path: String) {
        if let Some(bearer_format) = &self.bearer_format
            && !bearer_format.is_empty()
            && self.scheme != HttpScheme::Bearer
        {
            ctx.error(
                path,
                format_args!(".bearerFormat: must be empty for scheme `{}`", self.scheme,),
            );
        }
    }
}

impl ValidateWithContext<Spec> for ApiKeySecurityScheme {
    fn validate_with_context(&self, ctx: &mut Context<Spec>, path: String) {
        validate_required_string(&self.name, ctx, format!("{path}.name"));
    }
}

impl ValidateWithContext<Spec> for OAuth2SecurityScheme {
    fn validate_with_context(&self, ctx: &mut Context<Spec>, path: String) {
        self.flows
            .validate_with_context(ctx, format!("{path}.flow"));
    }
}

impl ValidateWithContext<Spec> for OAuth2Flows {
    fn validate_with_context(&self, ctx: &mut Context<Spec>, path: String) {
        if let Some(flow) = &self.implicit {
            flow.validate_with_context(ctx, format!("{path}.implicit"));
        }
        if let Some(flow) = &self.password {
            flow.validate_with_context(ctx, format!("{path}.password"));
        }
        if let Some(flow) = &self.client_credentials {
            flow.validate_with_context(ctx, format!("{path}.clientCredentials"));
        }
        if let Some(flow) = &self.authorization_code {
            flow.validate_with_context(ctx, format!("{path}.authorizationCode"));
        }
    }
}

impl ValidateWithContext<Spec> for ImplicitOAuth2Flow {
    fn validate_with_context(&self, ctx: &mut Context<Spec>, path: String) {
        validate_required_url(
            &self.authorization_url,
            ctx,
            format!("{path}.authorizationUrl"),
        );
        validate_optional_url(&self.refresh_url, ctx, format!("{path}.refreshUrl"));
    }
}

impl ValidateWithContext<Spec> for PasswordOAuth2Flow {
    fn validate_with_context(&self, ctx: &mut Context<Spec>, path: String) {
        validate_required_url(&self.token_url, ctx, format!("{path}.tokenUrl"));
        validate_optional_url(&self.refresh_url, ctx, format!("{path}.refreshUrl"));
    }
}

impl ValidateWithContext<Spec> for ClientCredentialsOAuth2Flow {
    fn validate_with_context(&self, ctx: &mut Context<Spec>, path: String) {
        validate_required_url(&self.token_url, ctx, format!("{path}.tokenUrl"));
        validate_optional_url(&self.refresh_url, ctx, format!("{path}.refreshUrl"));
    }
}

impl ValidateWithContext<Spec> for AuthorizationCodeOAuth2Flow {
    fn validate_with_context(&self, ctx: &mut Context<Spec>, path: String) {
        validate_required_url(
            &self.authorization_url,
            ctx,
            format!("{path}.authorizationUrl"),
        );
        validate_required_url(&self.token_url, ctx, format!("{path}.tokenUrl"));
        validate_optional_url(&self.refresh_url, ctx, format!("{path}.refreshUrl"));
    }
}

impl ValidateWithContext<Spec> for OpenIdConnectSecurityScheme {
    fn validate_with_context(&self, ctx: &mut Context<Spec>, path: String) {
        validate_required_url(
            &self.open_id_connect_url,
            ctx,
            format!("{path}.openIdConnectUrl"),
        );
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::validation::Options;
    use serde_json::json;

    #[test]
    fn test_security_scheme_http_deserialize() {
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "http",
                "scheme": "Basic",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::Basic,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize scheme = basic",
        );
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "http",
                "scheme": "Bearer",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::Bearer,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize scheme = bearer",
        );
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "http",
                "scheme": "Digest",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::Digest,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize scheme = digest",
        );
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "http",
                "scheme": "DPoP",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::DPoP,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize scheme = dpop",
        );
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "http",
                "scheme": "HOBA",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::HOBA,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize scheme = hoba",
        );
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "http",
                "scheme": "Mutual",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::Mutual,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize scheme = mutual",
        );
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "http",
                "scheme": "Negotiate",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::Negotiate,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize scheme = negotiate",
        );
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "http",
                "scheme": "OAuth",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::OAuth,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize scheme = oauth",
        );
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "http",
                "scheme": "SCRAM-SHA-1",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::SCRAMSHA1,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize scheme = scram-sha-1",
        );
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "http",
                "scheme": "SCRAM-SHA-256",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::SCRAMSHA256,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize scheme = scram-sha-2256",
        );
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "http",
                "scheme": "vapid",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::Vapid,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize scheme = vapid",
        );
    }

    #[test]
    fn test_security_scheme_http_serialize() {
        assert_eq!(
            serde_json::to_value(SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::Basic,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "http",
                "scheme": "Basic",
                "description": "A short description for security scheme.",
            }),
            "serialize scheme = basic",
        );
        assert_eq!(
            serde_json::to_value(SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::Bearer,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "http",
                "scheme": "Bearer",
                "description": "A short description for security scheme.",
            }),
            "serialize scheme = bearer",
        );
        assert_eq!(
            serde_json::to_value(SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::Digest,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "http",
                "scheme": "Digest",
                "description": "A short description for security scheme.",
            }),
            "serialize scheme = digest",
        );
        assert_eq!(
            serde_json::to_value(SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::DPoP,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "http",
                "scheme": "DPoP",
                "description": "A short description for security scheme.",
            }),
            "serialize scheme = dpop",
        );
        assert_eq!(
            serde_json::to_value(SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::HOBA,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "http",
                "scheme": "HOBA",
                "description": "A short description for security scheme.",
            }),
            "serialize scheme = hoba",
        );
        assert_eq!(
            serde_json::to_value(SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::Mutual,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "http",
                "scheme": "Mutual",
                "description": "A short description for security scheme.",
            }),
            "serialize scheme = mutual",
        );
        assert_eq!(
            serde_json::to_value(SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::Negotiate,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "http",
                "scheme": "Negotiate",
                "description": "A short description for security scheme.",
            }),
            "serialize scheme = negotiate",
        );
        assert_eq!(
            serde_json::to_value(SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::OAuth,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "http",
                "scheme": "OAuth",
                "description": "A short description for security scheme.",
            }),
            "serialize scheme = oauth",
        );
        assert_eq!(
            serde_json::to_value(SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::SCRAMSHA1,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "http",
                "scheme": "SCRAM-SHA-1",
                "description": "A short description for security scheme.",
            }),
            "serialize scheme = scram-sha-1",
        );
        assert_eq!(
            serde_json::to_value(SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::SCRAMSHA256,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "http",
                "scheme": "SCRAM-SHA-256",
                "description": "A short description for security scheme.",
            }),
            "serialize scheme = scram-sha-256",
        );
        assert_eq!(
            serde_json::to_value(SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
                scheme: HttpScheme::Vapid,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "http",
                "scheme": "vapid",
                "description": "A short description for security scheme.",
            }),
            "serialize scheme = vapid",
        );
    }

    #[test]
    fn test_security_scheme_api_key_deserialize() {
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "apiKey",
                "name": "api_key",
                "in": "header",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::ApiKey(Box::new(ApiKeySecurityScheme {
                name: String::from("api_key"),
                location: ApiKeyLocation::Header,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize in = header",
        );
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "apiKey",
                "name": "api_key",
                "in": "query",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::ApiKey(Box::new(ApiKeySecurityScheme {
                name: String::from("api_key"),
                location: ApiKeyLocation::Query,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize in = query",
        );
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "apiKey",
                "name": "api_key",
                "in": "cookie",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::ApiKey(Box::new(ApiKeySecurityScheme {
                name: String::from("api_key"),
                location: ApiKeyLocation::Cookie,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize in = cookie",
        );
    }

    #[test]
    fn test_security_scheme_api_key_serialize() {
        assert_eq!(
            serde_json::to_value(SecurityScheme::ApiKey(Box::new(ApiKeySecurityScheme {
                name: String::from("api_key"),
                location: ApiKeyLocation::Header,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "apiKey",
                "name": "api_key",
                "in": "header",
                "description": "A short description for security scheme.",
            }),
            "serialize location = header",
        );
        assert_eq!(
            serde_json::to_value(SecurityScheme::ApiKey(Box::new(ApiKeySecurityScheme {
                name: String::from("api_key"),
                location: ApiKeyLocation::Query,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "apiKey",
                "name": "api_key",
                "in": "query",
                "description": "A short description for security scheme.",
            }),
            "serialize location = query",
        );
        assert_eq!(
            serde_json::to_value(SecurityScheme::ApiKey(Box::new(ApiKeySecurityScheme {
                name: String::from("api_key"),
                location: ApiKeyLocation::Cookie,
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "apiKey",
                "name": "api_key",
                "in": "cookie",
                "description": "A short description for security scheme.",
            }),
            "serialize location = query",
        );
    }

    #[test]
    fn test_security_scheme_oauth2_deserialize() {
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "oauth2",
                "flows": {
                    "implicit": {
                        "authorizationUrl": "https://example.com/api/oauth/dialog",
                        "scopes": {
                            "write:pets": "modify pets in your account",
                            "read:pets": "read your pets",
                        },
                    },
                    "password": {
                        "tokenUrl": "https://example.com/api/oauth/dialog",
                        "scopes": {
                            "write:pets": "modify pets in your account",
                            "read:pets": "read your pets",
                        },
                    },
                    "clientCredentials": {
                        "tokenUrl": "https://example.com/api/oauth/dialog",
                        "scopes": {
                            "write:pets": "modify pets in your account",
                            "read:pets": "read your pets",
                        },
                    },
                    "authorizationCode": {
                        "authorizationUrl": "https://example.com/api/oauth/dialog",
                        "tokenUrl": "https://example.com/api/oauth/dialog",
                        "scopes": {
                            "write:pets": "modify pets in your account",
                            "read:pets": "read your pets",
                        },
                    },
                },
                "description": "A short description for security scheme.",
                "x-tra": "custom",
            }))
            .unwrap(),
            SecurityScheme::OAuth2(Box::new(OAuth2SecurityScheme {
                flows: OAuth2Flows {
                    implicit: Some(ImplicitOAuth2Flow {
                        authorization_url: String::from("https://example.com/api/oauth/dialog"),
                        scopes: BTreeMap::from_iter(vec![
                            (
                                String::from("write:pets"),
                                String::from("modify pets in your account"),
                            ),
                            (String::from("read:pets"), String::from("read your pets"),),
                        ]),
                        ..Default::default()
                    }),
                    password: Some(PasswordOAuth2Flow {
                        token_url: String::from("https://example.com/api/oauth/dialog"),
                        scopes: BTreeMap::from_iter(vec![
                            (
                                String::from("write:pets"),
                                String::from("modify pets in your account"),
                            ),
                            (String::from("read:pets"), String::from("read your pets"),),
                        ]),
                        ..Default::default()
                    }),
                    client_credentials: Some(ClientCredentialsOAuth2Flow {
                        token_url: String::from("https://example.com/api/oauth/dialog"),
                        scopes: BTreeMap::from_iter(vec![
                            (
                                String::from("write:pets"),
                                String::from("modify pets in your account"),
                            ),
                            (String::from("read:pets"), String::from("read your pets"),),
                        ]),
                        ..Default::default()
                    }),
                    authorization_code: Some(AuthorizationCodeOAuth2Flow {
                        authorization_url: String::from("https://example.com/api/oauth/dialog"),
                        token_url: String::from("https://example.com/api/oauth/dialog"),
                        scopes: BTreeMap::from_iter(vec![
                            (
                                String::from("write:pets"),
                                String::from("modify pets in your account"),
                            ),
                            (String::from("read:pets"), String::from("read your pets"),),
                        ]),
                        ..Default::default()
                    }),
                    ..Default::default()
                },
                description: Some(String::from("A short description for security scheme.")),
                extensions: Some({
                    let mut map = BTreeMap::new();
                    map.insert(
                        String::from("x-tra"),
                        serde_json::Value::String(String::from("custom")),
                    );
                    map
                }),
            })),
            "deserialize",
        );
    }

    #[test]
    fn test_security_scheme_oauth2_serialize() {
        assert_eq!(
            serde_json::to_value(SecurityScheme::OAuth2(Box::new(OAuth2SecurityScheme {
                flows: OAuth2Flows {
                    implicit: Some(ImplicitOAuth2Flow {
                        authorization_url: String::from("https://example.com/api/oauth/dialog"),
                        scopes: BTreeMap::from_iter(vec![
                            (
                                String::from("write:pets"),
                                String::from("modify pets in your account"),
                            ),
                            (String::from("read:pets"), String::from("read your pets"),),
                        ]),
                        ..Default::default()
                    }),
                    password: Some(PasswordOAuth2Flow {
                        token_url: String::from("https://example.com/api/oauth/dialog"),
                        scopes: BTreeMap::from_iter(vec![
                            (
                                String::from("write:pets"),
                                String::from("modify pets in your account"),
                            ),
                            (String::from("read:pets"), String::from("read your pets"),),
                        ]),
                        ..Default::default()
                    }),
                    client_credentials: Some(ClientCredentialsOAuth2Flow {
                        token_url: String::from("https://example.com/api/oauth/dialog"),
                        scopes: BTreeMap::from_iter(vec![
                            (
                                String::from("write:pets"),
                                String::from("modify pets in your account"),
                            ),
                            (String::from("read:pets"), String::from("read your pets"),),
                        ]),
                        ..Default::default()
                    }),
                    authorization_code: Some(AuthorizationCodeOAuth2Flow {
                        authorization_url: String::from("https://example.com/api/oauth/dialog"),
                        token_url: String::from("https://example.com/api/oauth/dialog"),
                        scopes: BTreeMap::from_iter(vec![
                            (
                                String::from("write:pets"),
                                String::from("modify pets in your account"),
                            ),
                            (String::from("read:pets"), String::from("read your pets"),),
                        ]),
                        ..Default::default()
                    }),
                    ..Default::default()
                },
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })))
            .unwrap(),
            json!({
                "type": "oauth2",
                "flows": {
                    "implicit": {
                        "authorizationUrl": "https://example.com/api/oauth/dialog",
                        "scopes": {
                            "write:pets": "modify pets in your account",
                            "read:pets": "read your pets",
                        },
                    },
                    "password": {
                        "tokenUrl": "https://example.com/api/oauth/dialog",
                        "scopes": {
                            "write:pets": "modify pets in your account",
                            "read:pets": "read your pets",
                        },
                    },
                    "clientCredentials": {
                        "tokenUrl": "https://example.com/api/oauth/dialog",
                        "scopes": {
                            "write:pets": "modify pets in your account",
                            "read:pets": "read your pets",
                        },
                    },
                    "authorizationCode": {
                        "authorizationUrl": "https://example.com/api/oauth/dialog",
                        "tokenUrl": "https://example.com/api/oauth/dialog",
                        "scopes": {
                            "write:pets": "modify pets in your account",
                            "read:pets": "read your pets",
                        },
                    },
                },
                "description": "A short description for security scheme.",
            }),
            "serialize",
        );
    }

    #[test]
    fn test_security_scheme_open_id_connect_deserialize() {
        assert_eq!(
            serde_json::from_value::<SecurityScheme>(json!({
                "type": "openIdConnect",
                "openIdConnectUrl": "https://example.com/.well-known/openid-configuration",
                "description": "A short description for security scheme.",
            }))
            .unwrap(),
            SecurityScheme::OpenIdConnect(Box::new(OpenIdConnectSecurityScheme {
                open_id_connect_url: String::from(
                    "https://example.com/.well-known/openid-configuration"
                ),
                description: Some(String::from("A short description for security scheme.")),
                ..Default::default()
            })),
            "deserialize",
        );
    }

    #[test]
    fn test_security_scheme_open_id_connect_serialize() {
        assert_eq!(
            serde_json::to_value(SecurityScheme::OpenIdConnect(Box::new(
                OpenIdConnectSecurityScheme {
                    open_id_connect_url: String::from(
                        "https://example.com/.well-known/openid-configuration"
                    ),
                    description: Some(String::from("A short description for security scheme.")),
                    ..Default::default()
                }
            )))
            .unwrap(),
            json!({
                "type": "openIdConnect",
                "openIdConnectUrl": "https://example.com/.well-known/openid-configuration",
                "description": "A short description for security scheme.",
            }),
            "serialize",
        );
    }

    #[test]
    fn test_security_scheme_validation() {
        let spec = Spec::default();
        let mut ctx = Context::new(&spec, Options::new());

        SecurityScheme::OpenIdConnect(Box::new(OpenIdConnectSecurityScheme {
            open_id_connect_url: String::from(
                "https://example.com/.well-known/openid-configuration",
            ),
            description: Some(String::from("A short description for security scheme.")),
            ..Default::default()
        }))
        .validate_with_context(&mut ctx, String::from("securityScheme"));
        assert!(
            ctx.errors.is_empty(),
            "OpenIdConnect: no errors: {:?}",
            ctx.errors
        );

        SecurityScheme::OpenIdConnect(Box::new(OpenIdConnectSecurityScheme {
            open_id_connect_url: String::from(""),
            description: Some(String::from("A short description for security scheme.")),
            ..Default::default()
        }))
        .validate_with_context(&mut ctx, String::from("securityScheme"));
        assert_eq!(
            ctx.errors.len(),
            1,
            "OpenIdConnect: one error: {:?}",
            ctx.errors
        );

        ctx = Context::new(&spec, Options::new());
        SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
            scheme: HttpScheme::Basic,
            description: Some(String::from("A short description for security scheme.")),
            ..Default::default()
        }))
        .validate_with_context(&mut ctx, String::from("securityScheme"));
        assert!(
            ctx.errors.is_empty(),
            "HTTP::Basic: no errors: {:?}",
            ctx.errors
        );

        SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
            scheme: HttpScheme::Bearer,
            bearer_format: Some(String::from("fooo")),
            description: Some(String::from("A short description for security scheme.")),
            ..Default::default()
        }))
        .validate_with_context(&mut ctx, String::from("securityScheme"));
        assert!(
            ctx.errors.is_empty(),
            "HTTP::Bearer with format: no errors: {:?}",
            ctx.errors
        );

        SecurityScheme::HTTP(Box::new(HttpSecurityScheme {
            scheme: HttpScheme::Basic,
            bearer_format: Some(String::from("fooo")),
            description: Some(String::from("A short description for security scheme.")),
            ..Default::default()
        }))
        .validate_with_context(&mut ctx, String::from("securityScheme"));
        assert_eq!(
            ctx.errors.len(),
            1,
            "HTTP::Basic with format: one error: {:?}",
            ctx.errors
        );

        ctx = Context::new(&spec, Options::new());
        SecurityScheme::ApiKey(Box::new(ApiKeySecurityScheme {
            name: String::from("api_key"),
            description: Some(String::from("A short description for security scheme.")),
            ..Default::default()
        }))
        .validate_with_context(&mut ctx, String::from("securityScheme"));
        assert!(ctx.errors.is_empty(), "ApiKey: no errors: {:?}", ctx.errors);

        SecurityScheme::ApiKey(Box::new(ApiKeySecurityScheme {
            name: String::from(""),
            description: Some(String::from("A short description for security scheme.")),
            ..Default::default()
        }))
        .validate_with_context(&mut ctx, String::from("securityScheme"));
        assert_eq!(ctx.errors.len(), 1, "ApiKey: one error: {:?}", ctx.errors);

        ctx = Context::new(&spec, Options::new());
        SecurityScheme::OAuth2(Box::new(OAuth2SecurityScheme {
            flows: OAuth2Flows {
                ..Default::default()
            },
            description: Some(String::from("A short description for security scheme.")),
            ..Default::default()
        }))
        .validate_with_context(&mut ctx, String::from("securityScheme"));
        assert!(ctx.errors.is_empty(), "OAuth2: no errors: {:?}", ctx.errors);

        SecurityScheme::OAuth2(Box::new(OAuth2SecurityScheme {
            flows: OAuth2Flows {
                implicit: Some(ImplicitOAuth2Flow {
                    authorization_url: String::from("foo"),
                    refresh_url: Some(String::from("bar")),
                    ..Default::default()
                }),
                ..Default::default()
            },
            description: Some(String::from("A short description for security scheme.")),
            ..Default::default()
        }))
        .validate_with_context(&mut ctx, String::from("securityScheme"));
        assert_eq!(
            ctx.errors.len(),
            2,
            "OAuth2.implicit.authorization_url: two errors: {:?}",
            ctx.errors
        );

        ctx = Context::new(&spec, Options::new());
        SecurityScheme::OAuth2(Box::new(OAuth2SecurityScheme {
            flows: OAuth2Flows {
                password: Some(PasswordOAuth2Flow {
                    token_url: String::from("foo"),
                    refresh_url: Some(String::from("bar")),
                    ..Default::default()
                }),
                ..Default::default()
            },
            description: Some(String::from("A short description for security scheme.")),
            ..Default::default()
        }))
        .validate_with_context(&mut ctx, String::from("securityScheme"));
        assert_eq!(
            ctx.errors.len(),
            2,
            "OAuth2.password.(token_url, refresh_url): two errors: {:?}",
            ctx.errors
        );

        ctx = Context::new(&spec, Options::new());
        SecurityScheme::OAuth2(Box::new(OAuth2SecurityScheme {
            flows: OAuth2Flows {
                client_credentials: Some(ClientCredentialsOAuth2Flow {
                    token_url: String::from("foo"),
                    refresh_url: Some(String::from("bar")),
                    ..Default::default()
                }),
                ..Default::default()
            },
            description: Some(String::from("A short description for security scheme.")),
            ..Default::default()
        }))
        .validate_with_context(&mut ctx, String::from("securityScheme"));
        assert_eq!(
            ctx.errors.len(),
            2,
            "OAuth2.client_credentials.(token_url, refresh_url): two errors: {:?}",
            ctx.errors
        );

        ctx = Context::new(&spec, Options::new());
        SecurityScheme::OAuth2(Box::new(OAuth2SecurityScheme {
            flows: OAuth2Flows {
                authorization_code: Some(AuthorizationCodeOAuth2Flow {
                    authorization_url: String::from("xyz"),
                    token_url: String::from("foo"),
                    refresh_url: Some(String::from("bar")),
                    ..Default::default()
                }),
                ..Default::default()
            },
            description: Some(String::from("A short description for security scheme.")),
            ..Default::default()
        }))
        .validate_with_context(&mut ctx, String::from("securityScheme"));
        assert_eq!(
            ctx.errors.len(),
            3,
            "OAuth2.authorization_code.(authorization_url, token_url, refresh_url): three errors: {:?}",
            ctx.errors
        );
    }
}