
Fix OpenAPI annotation problems for GitLab REST API

Herber Madrigal requested to merge 379037-fix-openapi-annotations into master

What does this MR do and why?

Annotations have been added to the REST API endpoints to allow for automatic generation of OpenAPI specifications. The module used to produce the OpenAPI documents does not have good guardrails against producing invalid documents. This has led to a misuse of the annotations in two places. This MR corrects the misuses.

Currently this bug does not impact users, only our internal usage of the document for performing security scans of our REST API, which is a requirement dictated by policies.

  • This bug does not impact users, only internal usage of the document.
  • No changelog is needed.
  • No tests have been added.

Verification

The goal of this change is to be able to perform DAST API against the GitLab REST API by using an OpenAPI v2 file. The issue was that the OpenAPI v2 file was generated using models, and the models used an array in one property instead of a string property. To ensure the file is properly parsed and can be consumed by DAST API, this MR has been set up.

The commit e2da145754e0fa8e8a7960be5845f9e8a8f94f8b has updated the openapi_v2.yaml that is consumed by start-review-app-pipeline -> dast_rest_api. dast_rest_api has been set up to use DAST API, and with the latest generated openapi_v2.yaml it did not report any parsing error. Here is the related pipeline.

How to set up and validate locally

  1. Modify lib/api/api.rb to include modules. (See Add Endpoints, item 2.3 from this README.) In my case I used the latest modules from the master branch. The following modules were excluded since they were throwing errors when running locally:
    mount ::API::Members
    mount ::API::Templates
  2. Regenerate openapi_v2.yaml. In my case, I normally delete the previous version to ensure a new one gets created.
    bundle exec rake --trace gitlab:openapi:generate
  3. Use the newly generated doc/api/openapi/openapi_v2.yaml in DAST API. The simplest way is to set up a project and use DAST API.
  4. Execute the pipeline, and the dast_api job should not fail due to parsing errors.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #379037 (closed)

Edited by Herber Madrigal
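The verification section above says the generated models used an array in a `type` property where OpenAPI v2 only allows a single type name, which broke parsing in DAST API. The following is an added example, not code from this MR or from GitLab: a small Ruby checker that walks the `definitions` section of an OpenAPI v2 document and reports every `type` whose value is not one of the v2 type names, run here against a constructed YAML fragment (the entity name `API_Entities_Example` and its properties are made up for the example).

```ruby
require 'yaml'

# Constructed OpenAPI v2 (Swagger 2.0) fragment, not GitLab's real openapi_v2.yaml.
# In v2 a schema's `type` must be a single string; "state" and "tags.items" below
# use arrays, which is the kind of mistake the MR text describes.
SAMPLE_OPENAPI_V2 = <<~YAML
  swagger: '2.0'
  info: { title: constructed sample, version: '1' }
  paths: {}
  definitions:
    API_Entities_Example:
      type: object
      properties:
        id:
          type: integer
        state:
          type: [string, "null"]
        tags:
          type: array
          items:
            type: [string, integer]
YAML

# Type names OpenAPI v2 accepts for a schema object's `type` keyword.
V2_TYPES = %w[string number integer boolean array object file].freeze

# Walk a schema tree and record every `type` whose value is not a single v2 type name.
# keys_are_names is true when the hash's keys are definition/property names rather
# than schema keywords, so a property literally called "type" is not flagged.
def invalid_types(node, path = [], found = [], keys_are_names: false)
  case node
  when Hash
    if !keys_are_names && node.key?('type')
      t = node['type']
      found << { path: (path + ['type']).join('/'), value: t } unless t.is_a?(String) && V2_TYPES.include?(t)
    end
    node.each do |k, v|
      invalid_types(v, path + [k.to_s], found, keys_are_names: !keys_are_names && k == 'properties')
    end
  when Array
    node.each_with_index { |v, i| invalid_types(v, path + [i.to_s], found) }
  end
  found
end

# Parse the document and check only the `definitions` section (the generated models).
def check_openapi_v2(yaml_text)
  doc = YAML.safe_load(yaml_text)
  invalid_types(doc.fetch('definitions', {}), ['definitions'], keys_are_names: true)
end
```

Running `check_openapi_v2(File.read('doc/api/openapi/openapi_v2.yaml'))` after step 2 of the local procedure lists each offending path before the file is handed to DAST API.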
