[Bug]: Mutual exclusion by use of additionalProperties: false across union types #803

Open
segfault87 opened this issue Mar 4, 2024 · 1 comment
Labels
kind/bug Indicates an issue


segfault87 commented Mar 4, 2024

Actual Behavior

If additionalProperties: false is declared in components and they are combined into one by allOf, validation unconditionally fails.

Let's say we have the following OpenAPI spec:

---
openapi: 3.0.0

info:
  title: Test API
  description: Test
  version: 0.0.1

servers:
  - url: https://www.example.com

paths:
  /test:
    post:
      summary: test
      description: test
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Derived'
        required: true
      responses:
        "200":
          description: Success

components:
  schemas:
    Base:
      required:
      - foo
      type: object
      properties:
        foo:
          type: string
          nullable: false
      additionalProperties: false
    Derived:
      type: object
      allOf:
      - $ref: '#/components/schemas/Base'
      - type: object
        required:
        - bar
        properties:
          bar:
            type: string
            nullable: false
        additionalProperties: false

This spec compiles without any problem. But when validating an actual request with this spec, the validator fails with the following error message:

RequestValidationResult(errors=[InvalidSchemaValue(value={'bar': '2',
                                                          'foo': '1'},
                                                   type='object',
                                                   schema_errors=(<ValidationError: "Additional properties are not allowed ('bar' was unexpected)">,
                                                                  <ValidationError: "Additional properties are not allowed ('foo' was unexpected)">))],
                        body=None,
                        parameters=Parameters(query={},
                                              header={},
                                              cookie={},
                                              path={}),
                        security={})

Expected Behavior

I think openapi-core should behave in one of the following ways:

  • Validation should be successful
  • Or forbid the use of additionalProperties: false in the context of union types (allOf) at the schema level.

Steps to Reproduce

Validate {"foo": "-", "bar": "-"} with the spec supplied above.

OpenAPI Core Version

0.19.0

OpenAPI Core Integration

pydantic

Affected Area(s)

validation

References

No response

Anything else we need to know?

No response

Would you like to implement a fix?

Yes

@segfault87 segfault87 added the kind/bug Indicates an issue label Mar 4, 2024
Collaborator

p1c2u commented Mar 16, 2024

Hi @segfault87 thanks for the report.

Mutual exclusion is not something that should be checked by a validation tool. Validation tools just make sure your requirements are met. It is up to the user how he designs his requirements. Tools shouldn't forbid making a mutual exclusion requirement like interest > 10 and < 1.

What you need is probably unevaluatedProperties, which is part of OpenAPI 3.1:

components:
  schemas:
    Base:
      required:
      - foo
      type: object
      properties:
        foo:
          type: string
          nullable: false
    Derived:
      type: object
      unevaluatedProperties: false
      allOf:
      - $ref: '#/components/schemas/Base'
      - type: object
        required:
        - bar
        properties:
          bar:
            type: string
            nullable: false
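
The difference between the two specs in this thread, as an added example that is not part of the original issue and is not openapi-core or jsonschema code: a simplified stand-alone model of the `properties`, `required`, `additionalProperties: false`, `unevaluatedProperties: false` and `allOf` keywords. It assumes `$ref` is already inlined and ignores `type`, `nullable` and `patternProperties`; the names `validate`, `check`, `closed`, `DERIVED_30` and `DERIVED_31` are hypothetical.

```python
# Simplified model of the object keywords discussed in this issue.
# Added example; assumptions: $ref already inlined, no type/patternProperties checks.

def validate(schema, instance):
    """Return (errors, evaluated): error strings plus the property names that
    this schema, including its allOf branches, has evaluated."""
    errors = []
    props = schema.get("properties", {})
    evaluated = set(props) & set(instance)

    for name in schema.get("required", []):
        if name not in instance:
            errors.append(f"'{name}' is a required property")

    # additionalProperties only sees `properties` declared in the SAME schema
    # object; it cannot look into sibling allOf branches.
    if schema.get("additionalProperties") is False:
        for name in sorted(set(instance) - set(props)):
            errors.append(f"additional property '{name}' not allowed")

    # allOf: every branch validates the whole instance independently.
    for branch in schema.get("allOf", []):
        sub_errors, sub_evaluated = validate(branch, instance)
        errors += sub_errors
        evaluated |= sub_evaluated

    # unevaluatedProperties runs last and sees what the allOf branches evaluated.
    if schema.get("unevaluatedProperties") is False:
        for name in sorted(set(instance) - evaluated):
            errors.append(f"unevaluated property '{name}' not allowed")

    return errors, evaluated

BASE = {"required": ["foo"], "properties": {"foo": {"type": "string"}}}
EXTRA = {"required": ["bar"], "properties": {"bar": {"type": "string"}}}

def closed(schema):
    """Copy of a schema with additionalProperties: false added."""
    return {**schema, "additionalProperties": False}

# Shape of the reporter's 3.0 spec: each allOf branch is closed on its own.
DERIVED_30 = {"allOf": [closed(BASE), closed(EXTRA)]}
# Shape of the suggested 3.1 spec: branches stay open, the composite is closed.
DERIVED_31 = {"unevaluatedProperties": False, "allOf": [BASE, EXTRA]}

def check(schema, instance):
    return validate(schema, instance)[0]
```

With the 3.1 shape, the composite schema still rejects fields that neither branch declares, which is the strict-input behaviour `additionalProperties: false` was meant to provide.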
