feat(core): refine combo security scheme implementation #1416

erossignon · erossignon · commit 0bc5c88e27a0 · 2025-09-04T15:25:20.000+02:00
This commit refines the implementation of combo security schemes
  by introducing explicit AllOfSecurityScheme and OneOfSecurityScheme
  types.

  The getSecuritySchemes method in ConsumedThing has been updated to
  recursively resolve these schemes, and the tests have been expanded
  to cover nested allOf and oneOf scenarios.
diff --git a/packages/core/src/consumed-thing.ts b/packages/core/src/consumed-thing.ts
@@ -24,6 +24,8 @@ import {
     ThingAction,
     ThingEvent,
     SecurityScheme,
+    AllOfSecurityScheme,
+    OneOfSecurityScheme,
 } from "./thing-description";
 
 import { ThingModel } from "wot-thing-model-types";
@@ -445,30 +447,50 @@ export default class ConsumedThing extends Thing implements IConsumedThing {
     }
 
     getSecuritySchemes(security: Array<string>): Array<SecurityScheme> {
-        const visited = new Set<string>();
+        const alreadyProcessed = new Map<string, SecurityScheme | null>();
 
-        const scs: Array<SecurityScheme> = [];
         const visitSchemes = (security: Array<string>) => {
+            const resolveComboScheme = (
+                combo: ComboSecurityScheme
+            ): AllOfSecurityScheme | OneOfSecurityScheme | undefined => {
+                if (combo.allOf instanceof Array) {
+                    const allOf = visitSchemes(combo.allOf as string[]);
+                    return <AllOfSecurityScheme>{
+                        scheme: "combo",
+                        allOf,
+                    };
+                }
+                if (combo.oneOf instanceof Array) {
+                    const oneOf = visitSchemes(combo.oneOf as string[]);
+                    return <OneOfSecurityScheme>{
+                        scheme: "combo",
+                        oneOf,
+                    };
+                }
+                return undefined; // not supported , but handled gracefully
+            };
+            const scs: SecurityScheme[] = [];
             for (const s of security) {
-                if (visited.has(s)) {
+                if (alreadyProcessed.has(s)) {
+                    scs.push(alreadyProcessed.get(s)!);
                     continue;
                 }
-                visited.add(s);
+                alreadyProcessed.set(s, null);
 
-                const ws = this.securityDefinitions[s + ""]; // String vs. string (fix wot-typescript-definitions?)
+                let ws: SecurityScheme | undefined = this.securityDefinitions[s];
                 // also push nosec in case of proxy
+                if (ws?.scheme === "combo") {
+                    ws = resolveComboScheme(ws as ComboSecurityScheme);
+                }
                 if (ws != null) {
-                    if (ws.scheme === "combo") {
-                        const combo = ws as ComboSecurityScheme;
-                        visitSchemes(combo.allOf as string[]);
-                    } else {
-                        scs.push(ws);
-                    }
+                    scs.push(ws);
+                    // remember in case we came accross the same again
+                    alreadyProcessed.set(s, ws);
                 }
             }
+            return scs;
         };
-        visitSchemes(security);
-        return scs;
+        return visitSchemes(security);
     }
 
     ensureClientSecurity(client: ProtocolClient, form: Form | undefined): void {
diff --git a/packages/core/src/thing-description.ts b/packages/core/src/thing-description.ts
@@ -135,15 +135,16 @@ export interface NullSchema extends BaseSchema {
 }
 
 // TODO AutoSecurityScheme
-// TODO ComboSecurityScheme
 export type SecurityType =
     | NoSecurityScheme
     | BasicSecurityScheme
     | DigestSecurityScheme
     | BearerSecurityScheme
     | APIKeySecurityScheme
     | OAuth2SecurityScheme
-    | PSKSecurityScheme;
+    | PSKSecurityScheme
+    | AllOfSecurityScheme
+    | OneOfSecurityScheme;
 
 export interface SecurityScheme {
     scheme: string;
@@ -180,6 +181,17 @@ export interface PSKSecurityScheme extends SecurityScheme, TDT.PskSecurityScheme
 export interface OAuth2SecurityScheme extends SecurityScheme, TDT.OAuth2SecurityScheme {
     scheme: "oauth2";
 }
+export interface OneOfSecurityScheme extends SecurityScheme {
+    scheme: "combo";
+    oneOf: SecurityScheme[];
+    allOf: never;
+}
+export interface AllOfSecurityScheme extends SecurityScheme {
+    scheme: "combo";
+    allOf: SecurityScheme[];
+    oneOf: never;
+}
+export type ComboSecurityScheme = AllOfSecurityScheme | OneOfSecurityScheme;
 
 /** Implements the Thing Property description */
 export abstract class ThingProperty extends BaseSchema {
diff --git a/packages/core/test/ClientTest.ts b/packages/core/test/ClientTest.ts
@@ -27,7 +27,7 @@ import { Subscription } from "rxjs/Subscription";
 
 import Servient from "../src/servient";
 import ConsumedThing from "../src/consumed-thing";
-import { Form, SecurityScheme } from "../src/thing-description";
+import { AllOfSecurityScheme, Form, OneOfSecurityScheme, SecurityScheme } from "../src/thing-description";
 import { ProtocolClient, ProtocolClientFactory } from "../src/protocol-interfaces";
 import { Content } from "../src/content";
 import { ContentSerdes } from "../src/content-serdes";
@@ -806,7 +806,7 @@ class WoTClientTest {
         expect(WoTClientTest.servient.hasClientFor(tcf2.scheme)).to.be.not.true;
     }
 
-    @test "ensure combo security"() {
+    @test "ensure combo security - allOf"() {
         const ct = new ConsumedThing(WoTClientTest.servient);
         ct.securityDefinitions = {
             basic_sc: {
@@ -829,12 +829,69 @@ class WoTClientTest {
             href: "https://example.com/",
         };
         ct.ensureClientSecurity(pc, form);
-        expect(pc.securitySchemes.length).equals(2);
-        expect(pc.securitySchemes[0].scheme).equals("opcua-channel-security");
-        expect(pc.securitySchemes[1].scheme).equals("opcua-authentication");
+        expect(pc.securitySchemes.length).equals(1);
+        expect(pc.securitySchemes[0].scheme).equals("combo");
+
+        const comboScheme = pc.securitySchemes[0] as AllOfSecurityScheme;
+        expect(comboScheme.allOf).instanceOf(Array);
+        expect(comboScheme.allOf.length).equal(2);
+        expect(comboScheme.allOf[0].scheme).equals("opcua-channel-security");
+        expect(comboScheme.allOf[1].scheme).equals("opcua-authentication");
+    }
+
+    @test "ensure combo security - oneOf"() {
+        const ct = new ConsumedThing(WoTClientTest.servient);
+        ct.securityDefinitions = {
+            basic_sc: {
+                scheme: "basic",
+            },
+            opcua_secure_channel_encrypt_sc: {
+                scheme: "opcua-channel-security",
+                mode: "encrypt",
+            },
+            opcua_secure_channel_sign_sc: {
+                scheme: "opcua-channel-security",
+                mode: "sign",
+            },
+            opcua_authetication_sc: {
+                scheme: "opcua-authentication",
+            },
+            comob_opcua_secure_channel: {
+                scheme: "combo",
+                oneOf: ["opcua_secure_channel_encrypt_sc", "opcua_secure_channel_sign_sc"],
+            },
+            combo_sc: {
+                scheme: "combo",
+                allOf: ["comob_opcua_secure_channel", "opcua_authetication_sc"],
+            },
+        };
+        ct.security = ["combo_sc"];
+        const pc = new TestProtocolClient();
+        const form: Form = {
+            href: "https://example.com/",
+        };
+        ct.ensureClientSecurity(pc, form);
+        expect(pc.securitySchemes.length).equals(1);
+        expect(pc.securitySchemes[0].scheme).equals("combo");
+
+        const comboScheme = pc.securitySchemes[0] as AllOfSecurityScheme;
+
+        expect(comboScheme.allOf).instanceOf(Array);
+        expect(comboScheme.allOf.length).equal(2);
+        expect(comboScheme.allOf[0].scheme).equals("combo");
+        expect(comboScheme.allOf[1].scheme).equals("opcua-authentication");
+
+        //
+        const firstScheme = comboScheme.allOf[0] as OneOfSecurityScheme;
+        expect(firstScheme.scheme).equal("combo");
+        expect(firstScheme.oneOf).instanceOf(Array);
+
+        expect(firstScheme.oneOf.length).equal(2);
+        expect(firstScheme.oneOf[0].scheme).equal("opcua-channel-security");
+        expect(firstScheme.oneOf[0].scheme).equal("opcua-channel-security");
     }
 
-    @test "ensure combo security in form"() {
+    @test "ensure combo security in form - allOf"() {
         const ct = new ConsumedThing(WoTClientTest.servient);
         ct.securityDefinitions = {
             basic_sc: {
@@ -858,9 +915,11 @@ class WoTClientTest {
             security: ["combo_sc"],
         };
         ct.ensureClientSecurity(pc, form);
-        expect(pc.securitySchemes.length).equals(2);
-        expect(pc.securitySchemes[0].scheme).equals("opcua-channel-security");
-        expect(pc.securitySchemes[1].scheme).equals("opcua-authentication");
+        expect(pc.securitySchemes.length).equals(1);
+        const comboScheme = pc.securitySchemes[0] as AllOfSecurityScheme;
+
+        expect(comboScheme.allOf[0].scheme).equals("opcua-channel-security");
+        expect(comboScheme.allOf[1].scheme).equals("opcua-authentication");
     }
 
     @test "ensure no infinite loop with recursive combo security"() {
@@ -879,6 +938,66 @@ class WoTClientTest {
             security: ["combo_sc"],
         };
         ct.ensureClientSecurity(pc, form);
-        expect(pc.securitySchemes.length).equals(0);
+        expect(pc.securitySchemes.length).equals(1);
+    }
+
+    @test "complex combo security with repeated elements"() {
+        const ct = new ConsumedThing(WoTClientTest.servient);
+        ct.securityDefinitions = {
+            // a badly designed combo that goes into infinite loop
+            a: {
+                scheme: "a",
+            },
+            b: {
+                scheme: "b",
+            },
+            c: {
+                scheme: "c",
+            },
+            combo_a_and_b: {
+                scheme: "combo",
+                allOf: ["a", "b"],
+            },
+            combo_a_and_c: {
+                scheme: "combo",
+                allOf: ["a", "c"],
+            },
+            combo_a_or_b: {
+                scheme: "combo",
+                oneOf: ["a", "b"],
+            },
+            combo_of_combo: {
+                scheme: "combo",
+                oneOf: ["combo_a_and_b", "combo_a_and_c"],
+            },
+        };
+        ct.security = ["combo_of_combo"];
+        const pc = new TestProtocolClient();
+        const form: Form = {
+            href: "https://example.com/",
+        };
+        ct.ensureClientSecurity(pc, form);
+        expect(pc.securitySchemes.length).equals(1);
+        expect(pc.securitySchemes[0].scheme).equal("combo");
+        const comboOfCombo = pc.securitySchemes[0] as OneOfSecurityScheme;
+        expect(comboOfCombo.oneOf).instanceOf(Array);
+        expect(comboOfCombo.oneOf.length).equal(2);
+        expect(comboOfCombo.oneOf[0].scheme).equal("combo");
+        expect(comboOfCombo.oneOf[1].scheme).equal("combo");
+
+        const first = comboOfCombo.oneOf[0] as AllOfSecurityScheme;
+        expect(first.allOf).instanceOf(Array);
+        expect(first.allOf[0].scheme).equal("a");
+        expect(first.allOf[1].scheme).equal("b");
+
+        const second = comboOfCombo.oneOf[1] as AllOfSecurityScheme;
+        expect(second.allOf).instanceOf(Array);
+        expect(second.allOf[0].scheme).equal("a");
+        expect(second.allOf[1].scheme).equal("c");
+
+        // Verfy that a has been processed once - with strict equality
+        const a1 = first.allOf[0];
+        const a2 = second.allOf[0];
+        expect(a1).equals(a2);
     }
 }
