
Merging to release-5.7.0: [TT-13535/TT-13566] Make upstream oauth flow client secret omitempty (#6708) #6710

Conversation

buger (Member) commented Nov 18, 2024

User description

[TT-13535/TT-13566] Make upstream oauth flow client secret omitempty (#6708)

TT-13566
  Summary: Make upstream auth oauth password client secret not required in oas schema
  Type: Sub-task
  Status: Ready for Testing
  Points: N/A
  Labels: -

Description

Make upstream oauth flow client secret omitempty to not break when an
API is created without clientSecret and saved later.

Related Issue

Parent: https://tyktech.atlassian.net/browse/TT-13535
Subtask: https://tyktech.atlassian.net/browse/TT-13566

Motivation and Context

How This Has Been Tested

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing
    functionality to change)
  • Refactoring or add test (improvements in base code or adds test
    coverage to functionality)

Checklist

  • I ensured that the documentation is up to date
  • I explained why this PR updates go.mod in detail with reasoning
    why it's required
  • I would like a code coverage CI quality gate exception and have
    explained why

PR Type

enhancement


Description

  • Updated the ClientAuthData struct in apidef/api_definitions.go to
    make the ClientSecret field optional by adding the omitempty tag.
  • This change prevents errors when an API is created without a
    clientSecret and saved later.

Changes walkthrough 📝

Relevant files

Enhancement
  api_definitions.go (apidef/api_definitions.go), +1/-1
  Make `ClientSecret` optional in OAuth client auth data
    • Made ClientSecret field optional by adding omitempty tag.
    • Updated JSON and BSON tags for ClientSecret to reflect optional status.

    💡 PR-Agent usage: Comment /help "your question" on any pull
    request to receive relevant information


    PR Type

    Enhancement, Tests


    Description

    • Made the ClientSecret field optional in the ClientAuthData struct by adding the omitempty tag in apidef/api_definitions.go and apidef/oas/upstream.go.
    • Updated the schema in apidef/schema.go to remove client_secret from the list of required fields.
    • Enhanced test coverage in apidef/api_definitions_test.go by configuring UpstreamAuth and including ClientSecret in test setup to prevent schema errors.

    Changes walkthrough 📝

    Relevant files

    Enhancement
      api_definitions.go (apidef/api_definitions.go), +1/-1
      Make `ClientSecret` optional in OAuth client auth data
        • Made ClientSecret field optional by adding omitempty tag.
        • Updated JSON and BSON tags for ClientSecret to reflect optional status.

      upstream.go (apidef/oas/upstream.go), +1/-1
      Make `ClientSecret` optional in OAuth client auth data
        • Made ClientSecret field optional by adding omitempty tag.
        • Updated JSON and BSON tags for ClientSecret to reflect optional status.

      schema.go (apidef/schema.go), +0/-1
      Remove `client_secret` from required schema fields
        • Removed client_secret from required fields in schema.

    Tests
      api_definitions_test.go (apidef/api_definitions_test.go), +22/-0
      Add test setup for optional `ClientSecret` in schema
        • Added UpstreamAuth configuration to test schema.
        • Included ClientSecret in test setup to avoid schema errors.

    💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

    …6708)
    
    ### **User description**
    <details open>
    <summary><a href="https://tyktech.atlassian.net/browse/TT-13566"
    title="TT-13566" target="_blank">TT-13566</a></summary>
      <br />
      <table>
        <tr>
          <th>Summary</th>
    <td>Make upstream auth oauth password client secret not required in oas
    schema</td>
        </tr>
        <tr>
          <th>Type</th>
          <td>
    <img alt="Sub-task"
    src="https://tyktech.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10316?size=medium"
    />
            Sub-task
          </td>
        </tr>
        <tr>
          <th>Status</th>
          <td>Ready for Testing</td>
        </tr>
        <tr>
          <th>Points</th>
          <td>N/A</td>
        </tr>
        <tr>
          <th>Labels</th>
          <td>-</td>
        </tr>
      </table>
    </details>
    <!--
      do not remove this marker as it will break jira-lint's functionality.
      added_by_jira_lint
    -->
    
    ---
    
    <!-- Provide a general summary of your changes in the Title above -->
    
    ## Description
    
    Make upstream oauth flow client secret omitempty to not break when an
    API is created without `clientSecret` and saved later.
    
    ## Related Issue
    Parent: https://tyktech.atlassian.net/browse/TT-13535
    Subtask: https://tyktech.atlassian.net/browse/TT-13566
    
    ## Motivation and Context
    
    <!-- Why is this change required? What problem does it solve? -->
    
    ## How This Has Been Tested
    
    <!-- Please describe in detail how you tested your changes -->
    <!-- Include details of your testing environment, and the tests -->
    <!-- you ran to see how your change affects other areas of the code,
    etc. -->
    <!-- This information is helpful for reviewers and QA. -->
    
    ## Screenshots (if appropriate)
    
    ## Types of changes
    
    <!-- What types of changes does your code introduce? Put an `x` in all
    the boxes that apply: -->
    
    - [ ] Bug fix (non-breaking change which fixes an issue)
    - [ ] New feature (non-breaking change which adds functionality)
    - [ ] Breaking change (fix or feature that would cause existing
    functionality to change)
    - [ ] Refactoring or add test (improvements in base code or adds test
    coverage to functionality)
    
    ## Checklist
    
    <!-- Go over all the following points, and put an `x` in all the boxes
    that apply -->
    <!-- If there are no documentation updates required, mark the item as
    checked. -->
    <!-- Raise up any additional concerns not covered by the checklist. -->
    
    - [ ] I ensured that the documentation is up to date
    - [ ] I explained why this PR updates go.mod in detail with reasoning
    why it's required
    - [ ] I would like a code coverage CI quality gate exception and have
    explained why
    
    
    ___
    
    ### **PR Type**
    enhancement
    
    
    ___
    
    ### **Description**
    - Updated the `ClientAuthData` struct in `apidef/api_definitions.go` to
    make the `ClientSecret` field optional by adding the `omitempty` tag.
    - This change prevents errors when an API is created without a
    `clientSecret` and saved later.
    
    
    
    ___
    
    
    
    ### **Changes walkthrough** 📝
    <table><thead><tr><th></th><th align="left">Relevant
    files</th></tr></thead><tbody><tr><td><strong>Enhancement</strong></td><td><table>
    <tr>
      <td>
        <details>
    <summary><strong>api_definitions.go</strong><dd><code>Make
    `ClientSecret` optional in OAuth client auth data</code>&nbsp; &nbsp;
    &nbsp; </dd></summary>
    <hr>
    
    apidef/api_definitions.go
    
    <li>Made <code>ClientSecret</code> field optional by adding
    <code>omitempty</code> tag.<br> <li> Updated JSON and BSON tags for
    <code>ClientSecret</code> to reflect optional <br>status.<br>
    
    
    </details>
    
    
      </td>
    <td><a
    href="https://github.com/TykTechnologies/tyk/pull/6708/files#diff-9961ccc89a48d32db5b47ba3006315ef52f6e5007fb4b09f8c5d6d299c669d67">+1/-1</a>&nbsp;
    &nbsp; &nbsp; </td>
    
    </tr>
    </table></td></tr></tr></tbody></table>
    
    ___
    
    > 💡 **PR-Agent usage**: Comment `/help "your question"` on any pull
    request to receive relevant information
    
    (cherry picked from commit c8f21dc)
    Contributor

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    🎫 Ticket compliance analysis ✅

    6708 - Fully compliant

    Fully compliant requirements:

    • Make the ClientSecret field in the ClientAuthData struct optional by adding the omitempty tag.
    • Ensure that the API does not break when created without a clientSecret and saved later.
    ⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ Recommended focus areas for review

    Code Consistency
    Ensure that the changes in ClientAuthData struct are consistently applied across all relevant files and schemas.

    Contributor

    API Changes

    --- prev.txt	2024-11-18 14:00:33.570386395 +0000
    +++ current.txt	2024-11-18 14:00:26.950345128 +0000
    @@ -1204,7 +1204,6 @@
                   },
                   "required": [
                     "client_id",
    -                "client_secret",
                     "token_url",
                     "username",
                     "password"
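    Review bot: dropping "client_secret" from this required list means the OAS schema no longer guarantees a secret for the password grant while "username" and "password" stay mandatory, so the check moves from schema validation to runtime. Confirm that the code building the upstream token request either treats an absent secret as a deliberate public-client configuration or rejects the definition with a clear validation error, rather than sending an empty client_secret to the token endpoint, and pin the relaxed constraint with a schema test that loads a definition without client_secret.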
    @@ -1545,7 +1544,7 @@
     	// ClientID is the application's ID.
     	ClientID string `bson:"client_id" json:"client_id"`
     	// ClientSecret is the application's secret.
    -	ClientSecret string `bson:"client_secret" json:"client_secret"`
    +	ClientSecret string `bson:"client_secret,omitempty" json:"client_secret,omitempty"` // client secret is optional for password flow
     }
         ClientAuthData holds the client ID and secret for upstream OAuth2
         authentication.
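    Review bot: the doc comment "// ClientSecret is the application's secret." should now say the field is optional, and the trailing comment "client secret is optional for password flow" is narrower than the tag it annotates: omitempty applies wherever ClientAuthData is used, and the type comment below describes the struct generically as holding the secret for upstream OAuth2 authentication. Either state the condition in the doc comment or enforce it where the flow is known. Note that omitempty only drops the empty string, so stored documents with a non-empty secret are unaffected, and a document already stored with "client_secret": "" still decodes to the same zero value.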
    @@ -3487,7 +3486,7 @@
     	// ClientID is the application's ID.
     	ClientID string `bson:"clientId" json:"clientId"`
     	// ClientSecret is the application's secret.
    -	ClientSecret string `bson:"clientSecret" json:"clientSecret"`
    +	ClientSecret string `bson:"clientSecret,omitempty" json:"clientSecret,omitempty"` // client secret is optional for password flow
     }
         ClientAuthData holds the client ID and secret for OAuth2 authentication.
     
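    Review bot: this mirrors the classic-definition hunk above, so the two representations stay in step; what remains to check is the conversion between the apidef and OAS forms of this field, which must copy an empty ClientSecret in both directions without reintroducing a required-field error. The same doc-comment update applies here: "// ClientSecret is the application's secret." no longer says the field is optional.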

    Contributor

    PR Code Suggestions ✨

    Explore these optional code suggestions:

    Category | Suggestion | Score
    Enhancement
    Implement conditional validation for client_secret in application logic post-schema change

    After removing client_secret from the required fields in the schema, add validation
    in the application logic to ensure that the presence of client_secret is correctly
    handled when it is indeed necessary for certain OAuth flows.

    apidef/schema.go [1108-1113]

     "required": [
       "client_id",
       "token_url",
       "username",
       "password"
    -]
    +] // Add conditional validation for client_secret in app logic
    Suggestion importance[1-10]: 8

    Why: Adding conditional validation for client_secret after its removal from required schema fields is crucial to ensure robust application logic, especially for OAuth flows where it might be necessary. This suggestion addresses a significant potential issue in the application's functionality.

    Best practice
    Replace hardcoded test credentials with dynamic retrieval or generation to enhance security and flexibility

    Replace the hardcoded 'dummy' client secret in tests with a variable or function
    that can generate or retrieve appropriate test credentials. This approach avoids the
    risk of hardcoded sensitive information and makes the tests more flexible.

    apidef/api_definitions_test.go [24]

    -ClientSecret: "dummy", // workaround to fix schema error
    +ClientSecret: getTestClientSecret(), // dynamically retrieve or generate client secret
    Suggestion importance[1-10]: 7

    Why: Replacing hardcoded credentials with a method to dynamically generate or retrieve them enhances security and flexibility in tests. This is a significant improvement for maintaining secure and adaptable testing environments.

    Maintainability
    Ensure consistent use of the omitempty tag for ClientSecret across all definitions

    Ensure that the omitempty tag is consistently applied or removed based on the actual
    optional nature of ClientSecret across all relevant structs and API definitions to
    maintain consistency and avoid serialization issues.

    apidef/api_definitions.go [852]

    -ClientSecret string `bson:"client_secret,omitempty" json:"client_secret,omitempty"` // client secret is optional for password flow
    +ClientSecret string `bson:"client_secret,omitempty" json:"client_secret,omitempty"` // ensure consistency across all uses
    Suggestion importance[1-10]: 6

    Why: Ensuring consistency in the use of serialization tags like omitempty is crucial for maintaining the integrity of data handling and serialization processes. This suggestion correctly identifies a potential inconsistency issue.

    Possible issue
    Check for potential disruptions caused by changes in serialization field names

    Verify that the change of BSON and JSON tags from clientSecret to client_secret (or
    vice versa) in ClientAuthData does not break existing integrations or database
    queries, as field naming in serialization tags can affect data storage and
    retrieval.

    apidef/oas/upstream.go [684]

    -ClientSecret string `bson:"clientSecret,omitempty" json:"clientSecret,omitempty"` // client secret is optional for password flow
    +ClientSecret string `bson:"clientSecret,omitempty" json:"clientSecret,omitempty"` // verify impact on existing data
    Suggestion importance[1-10]: 5

    Why: Verifying the impact of changes in serialization tags is important to prevent disruptions in existing integrations or data flows. However, the suggestion could be more actionable by specifying methods or tests to verify these impacts.

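The PR description (omitempty on ClientSecret so a definition saved without a secret round-trips) and the first code suggestion above (conditional validation once the schema no longer requires client_secret) are both illustrated by the following Go program. It is an added example, not code from the Tyk repository: clientAuthData and upstreamAuth are constructed stand-ins for the real types, validateAuth and the oauthFlow values are hypothetical, and the sample values are made up.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// clientAuthData is a constructed stand-in for the PR's ClientAuthData struct
// after the change; it is not the type from apidef/api_definitions.go.
type clientAuthData struct {
	ClientID string `json:"client_id"`
	// omitempty: an empty secret is left out of the encoded document instead of
	// being written as "client_secret": "", so a definition created without a
	// secret can be saved and reloaded without a required-field error.
	ClientSecret string `json:"client_secret,omitempty"`
}

// upstreamAuth carries the fields the schema's "required" list still enforces
// for the password grant (client_id, token_url, username, password).
type upstreamAuth struct {
	clientAuthData
	TokenURL string `json:"token_url"`
	Username string `json:"username"`
	Password string `json:"password"`
}

// encodeAuth serialises the settings the way a gateway would persist them.
func encodeAuth(a upstreamAuth) (string, error) {
	b, err := json.Marshal(a)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// decodeAuth loads a stored document; one saved without client_secret must
// decode cleanly to an empty ClientSecret.
func decodeAuth(raw string) (upstreamAuth, error) {
	var a upstreamAuth
	if err := json.Unmarshal([]byte(raw), &a); err != nil {
		return upstreamAuth{}, err
	}
	return a, nil
}

// oauthFlow names the grant type (hypothetical; the real gateway selects the
// flow its own way). Whether the secret is mandatory depends on it.
type oauthFlow int

const (
	flowPassword oauthFlow = iota
	flowClientCredentials
)

// validateAuth is the conditional check the review suggestion asks for: the
// schema no longer guarantees client_secret, so the application decides per
// flow whether an upstream token request may proceed without one.
func validateAuth(a upstreamAuth, flow oauthFlow) error {
	if a.ClientID == "" || a.TokenURL == "" {
		return errors.New("client_id and token_url are required")
	}
	switch flow {
	case flowPassword:
		// Matches the relaxed schema: username and password stay mandatory,
		// the client secret does not.
		if a.Username == "" || a.Password == "" {
			return errors.New("password flow requires username and password")
		}
	case flowClientCredentials:
		// Here the secret is the only client credential, so its absence is a
		// configuration error rather than a valid public-client setup.
		if a.ClientSecret == "" {
			return errors.New("client credentials flow requires client_secret")
		}
	default:
		return fmt.Errorf("unknown oauth flow %d", flow)
	}
	return nil
}

func main() {
	// Constructed sample: an API definition created without a client secret.
	a := upstreamAuth{
		clientAuthData: clientAuthData{ClientID: "app-id"},
		TokenURL:       "https://idp.example/token",
		Username:       "svc-user",
		Password:       "svc-pass",
	}
	doc, err := encodeAuth(a)
	fmt.Println(doc, err) // no client_secret key in the document

	back, err := decodeAuth(doc)
	fmt.Println(back.ClientSecret == "", err) // true <nil>

	fmt.Println(validateAuth(back, flowPassword))          // <nil>
	fmt.Println(validateAuth(back, flowClientCredentials)) // client credentials flow requires client_secret
}
```

The point of keeping the flow check outside the schema is that the schema can only express "present or absent", whereas the gateway knows which grant it is about to use; a definition that is valid for the password grant is silently misconfigured for client credentials unless something like validateAuth runs before the token request.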


    Quality Gate failed

    Failed conditions
    0.0% Coverage on New Code (required ≥ 80%)

    See analysis details on SonarQube Cloud

    @jeffy-mathew jeffy-mathew merged commit c37dc2e into release-5.7.0 Nov 18, 2024
    22 of 38 checks passed
    @jeffy-mathew jeffy-mathew deleted the merge/release-5.7.0/c8f21dcd77bc48da511628e67a43a691e29407f8 branch November 18, 2024 16:20