Adjust uri to uri-reference for security schema fixed fields #4328
Conversation
|
Why not change all the |
|
I didn't make that change initially only because I didn't have time to consume the whole specification to confirm that all the I am happy to update the PR if someone more knowledgable than I can confirm that is accurate. My hesitation came from the following, which planted the "seed of doubt" that there may be some exclusion hidden away on one of the
|
|
The XML Object |
|
@markrzen Update from today's TDC call: If you're up for changing the other |
|
@handrews On it right now. |
|
@handrews I could only find the xml object in the meta.yaml, and that document already looked correct. |
| @@ -12,7 +12,7 @@ properties: | |||
| $ref: '#/$defs/info' | |||
| jsonSchemaDialect: | |||
| type: string | |||
| format: uri | |||
| format: uri-reference | |||
There was a problem hiding this comment.
This one is the twin to JSON Schema's $schema keyword, and therefore cannot be a uri-reference.
There was a problem hiding this comment.
@karenetheridge philosophically I agree with you, but the way the OAS field is written unfortunately allows a relative URI-reference. Of course you'd have to resolve that before you could use it as a dialect URI, and the only way that might work is with a custom dialect, but there's no reason it couldn't work that way.
I do agree that it should have been written as requiring a non-relative URI.
There was a problem hiding this comment.
Happy to make the change if needed. Waiting for maintainer to come to an agreement.
There was a problem hiding this comment.
@handrews what do you mean "the way the OAS field is written unfortunately allows a relative URI-reference"? What are you referencing here?
There was a problem hiding this comment.
@karenetheridge It's the combination of two things:
§4.6.7 states:
Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [RFC3986] Section 4.2.
while the fixed fields description for jsonSchemaDialect says:
The default value for the
$schemakeyword within Schema Objects contained within this OAS document. This MUST be in the form of a URI.
Strictly speaking, this text allows a URI reference. The value used with $schema of course must be a full URI, but that can be produced by resolving the relative URI-reference normally, just as with any other field that the OAS says "MUST be in the form of a URI". What is used with $schema is the resolved value, not the literal text.
At least that is my interpretation. We can always kick it up to @OAI/tsc for a ruling if you disagree. Again, I prefer your reading (and really dislike that we don't just explicitly say "URI-reference" and instead say "URI means URI-reference unless otherwise stated") but that's what we have to work with.
There was a problem hiding this comment.
At the very least we need to tighten up the language that leaves this vague. It is not reasonable to say in one place that a value is a URI, and then at the top say "actually that means URI-reference" because now there's no way to say that no, really, this actually has to be a fully-resolved URI.
Also, in any place where we do allow a URI-reference, we should be explicit as to how that value will be resolved -- whether it's against the URI used to identify the entry document, the current document, or the Host header on the current HTTP request under consideration (when relevant) -- I can see places where each of these might be the appropriate choice for URI resolution.
There was a problem hiding this comment.
@karenetheridge take a look at the XML Object's namespace field for how we say a field is a fully-resolve URI (again, I agree we should use the correct terminology per RFC3986 and not what we're doing now, but we do have ways to say we don't want a non-relative reference). We are very explicit about how OAD URI-referencess and API URL-references are resolved. Each of those topics gets a full section in the 3.1 specification. In any event, this is drifting outside of the scope of this PR and should continue in a discussion or issue.
There was a problem hiding this comment.
@karenetheridge it sounded like you accepted my reading of the spec for jsonSchemaDialect in the last comment, so I'm going to go ahead and merge this. If I'm wrong, lmk and we'll sort it out.
|
@karenetheridge or not... can you remove your "changes requested"? |
|
Oh this is because there's only one approval- it's too early in the morning for me to be doing code reviews apparently. @karenetheridge or @mikekistler if either of you is willing to give an approval that will do it. |
|
Apparently it needs explicit approval from @karenetheridge as the two approvals from @mikekistler and @handrews are in but the flow is still blocked. |
|
Someone with write access to the repo can likely dismiss the request for change. |
|
I'll check with @karenetheridge on this directly to resolve, she might just not have seen this in the last few days. |
Apparently we don't explicitly disallow uri-reference for jsonSchemaDialect, so we have to allow it for now.
We should still amend the spec to make this more clear, and specify which uri this uri-reference should resolve against (I suppose it would have to be the uri of the containing document itself).
|
@markrzen Thanks for your contribution, and extra thanks for your patience 😊 |
|
Thanks to all for making this work! Reason for asking is that I maintain tooling that builds on the "officially released" schema's and I'd like to offer @markrzen the update merged in this PR in my tooling. (see Mark's initial post in #4327) Kind regards, |
Resolves #4327
Tick one of the following options: