Support mutualTLS security scheme type (#2696)

feat(models): support mutualTLS security scheme

* fix(writers): throw for mutualTLS in OAS 3.0

Author: mdaneri

src/Microsoft.OpenApi/Models/OpenApiSecurityScheme.cs

@@ -126,6 +126,14 @@ private void SerializeInternal(IOpenApiWriter writer, OpenApiSpecVersion version
                     // openIdConnectUrl
                     writer.WriteProperty(OpenApiConstants.OpenIdConnectUrl, OpenIdConnectUrl?.ToString());
                     break;
+                case SecuritySchemeType.MutualTLS:
+                    // No additional properties for mutualTLS
+                    if (version < OpenApiSpecVersion.OpenApi3_1)
+                    {
+                        // mutualTLS is introduced in OpenAPI 3.1
+                        throw new OpenApiException($"mutualTLS security scheme is only supported in OpenAPI 3.1 and later versions. Current version: {version}");
+                    }
+                    break;
             }
 
             // deprecated - serialize as native field for v3.2+ or as extension for earlier versions
@@ -170,6 +178,14 @@ public virtual void SerializeAsV2(IOpenApiWriter writer)
                 return;
             }
 
+            if (Type == SecuritySchemeType.MutualTLS)
+            {
+                // Bail because V2 does not support mutualTLS
+                writer.WriteStartObject();
+                writer.WriteEndObject();
+                return;
+            }
+
             writer.WriteStartObject();
 
             // type

src/Microsoft.OpenApi/Models/SecuritySchemeType.cs

@@ -26,6 +26,11 @@ public enum SecuritySchemeType
         /// <summary>
         /// Use OAuth2 with OpenId Connect URL to discover OAuth2 configuration value.
         /// </summary>
-        [Display("openIdConnect")] OpenIdConnect
+        [Display("openIdConnect")] OpenIdConnect,
+
+        /// <summary>
+        /// Use mutual TLS authentication.
+        /// </summary>
+        [Display("mutualTLS")] MutualTLS
     }
 }

test/Microsoft.OpenApi.Readers.Tests/V32Tests/OpenApiSecuritySchemeTests.cs

@@ -102,6 +102,25 @@ public async Task ParseOpenIdConnectSecuritySchemeShouldSucceed()
                 }, securityScheme);
         }
 
+        [Fact]
+        public async Task ParseMutualTlsSecuritySchemeShouldSucceed()
+        {
+            // Act
+            var securityScheme = await OpenApiModelFactory.LoadAsync<OpenApiSecurityScheme>(
+                Path.Combine(SampleFolderPath, "mutualTlsSecurityScheme.yaml"),
+                OpenApiSpecVersion.OpenApi3_2,
+                new(),
+                SettingsFixture.ReaderSettings);
+
+            // Assert
+            Assert.Equivalent(
+                new OpenApiSecurityScheme
+                {
+                    Type = SecuritySchemeType.MutualTLS,
+                    Description = "Sample Description"
+                }, securityScheme);
+        }
+
         [Fact]
         public async Task ParseOAuth2SecuritySchemeWithDeviceAuthorizationUrlShouldSucceed()
         {

test/Microsoft.OpenApi.Readers.Tests/V32Tests/Samples/OpenApiSecurityScheme/mutualTlsSecurityScheme.yaml

@@ -0,0 +1,2 @@
+type: mutualTLS
+description: Sample Description

test/Microsoft.OpenApi.Tests/Models/OpenApiSecuritySchemeTests.cs

@@ -101,6 +101,12 @@ public class OpenApiSecuritySchemeTests
             OpenIdConnectUrl = new("https://example.com/openIdConnect")
         };
 
+        private static OpenApiSecurityScheme MutualTlsSecurityScheme => new()
+        {
+            Description = "description1",
+            Type = SecuritySchemeType.MutualTLS
+        };
+
         private static OpenApiSecuritySchemeReference OpenApiSecuritySchemeReference => new("sampleSecurityScheme");
         private static OpenApiSecurityScheme ReferencedSecurityScheme => new()
         {
@@ -208,6 +214,19 @@ public async Task SerializeHttpBearerSecuritySchemeAsV3JsonWorks()
             Assert.Equal(expected, actual);
         }
 
+        [Fact]
+        public void SerializeMutualTlsSecuritySchemeAsV3Throws()
+        {
+            // Arrange
+            var outputStringWriter = new StringWriter(CultureInfo.InvariantCulture);
+            var writer = new OpenApiJsonWriter(outputStringWriter);
+
+            // Act & Assert
+            var exception = Assert.Throws<OpenApiException>(() => MutualTlsSecurityScheme.SerializeAsV3(writer));
+            Assert.Contains("mutualTLS security scheme is only supported in OpenAPI 3.1 and later versions", exception.Message);
+            Assert.Contains($"Current version: {OpenApiSpecVersion.OpenApi3_0}", exception.Message);
+        }
+
         [Fact]
         public async Task SerializeOAuthSingleFlowSecuritySchemeAsV3JsonWorks()
         {

test/Microsoft.OpenApi.Tests/PublicApi/PublicApi.approved.txt

@@ -1933,6 +1933,8 @@ namespace Microsoft.OpenApi
         OAuth2 = 2,
         [Microsoft.OpenApi.Display("openIdConnect")]
         OpenIdConnect = 3,
+        [Microsoft.OpenApi.Display("mutualTLS")]
+        MutualTLS = 4,
     }
     public abstract class SourceExpression : Microsoft.OpenApi.RuntimeExpression
     {