allOf seems to be partially supported in Response Validation

Bug Report
1

I have an object in a response like
{
“items”: [
{object with properties}]}

The object with props is reprsented as
asset:
allOf:
- $ref: ‘#/components/schemas/assetBasicInfo’
- $ref: ‘#/components/schemas/assetInfo’

and all the properties that are part of assetInfo are saying should not have additionalProperties blah.

image
image600×654 47.1 KB

I validated by changing asset to be just assetInfo and response validation was fine. Its like allOf is only taking the properties from the first item in the array.

2

Hello, I’m sorry but I don’t fully understand the issue you’re encountering. Could you please provide the actual response data and specify which schema the failing validation fields belong to?

3

sure.
here is the response schema

image
image1352×806 98.4 KB

and asset which is in the array using allOf
image
image1822×1504 168 KB

I want to do response validation to ensure no additioonal properties are added that are not in the openapi schema.
here is a response
{
“items”: [
{
“id”: “a:a:2E2GOunn”,
“name”: “TS01”,
“assetType”: 2,
“protectionState”: 3,
“domain”: “domain.local”,
“identityProtectionState”: 1,
“rpcProtectionState”: 1,
“breakGlassActivated”: false,
“assetStatus”: 2,
“ipV4Addresses”: [
“192.168.2.79”
],
“ipV6Addresses”: ,
“operatingSystem”: “Windows Server 2022 Datacenter”,
“osType”: 2,
“source”: 3,
“fqdn”: “TS01.domain.local”,
“healthState”: {
“healthStatus”: 1,
“healthIssuesList”:
},
“lastLogon”: 1767277432922,
“passwordUpdateTime”: 1767495242872,
“principalName”: “DOMAIN\TS01$”,
“protectedAt”: 1765545774720,
“rpcMonitored”: false,
“assignedDeploymentId”: “”,
“preferredDeploymentId”: “”,
“deploymentsClusterId”: “C:d:00085899”,
“deploymentsClusterSource”: 1,
“inactiveReason”: 3,
“outboundRestriction”: 1,
“isQuarantined”: false,
“externalDeviceId”: “”,
“manufacturer”: “”,
“purdueLevel”: 0,
“hasDns”: true,
“switchLocationOverridden”: false,
“ipSpace”: 0,
“isIpSecConfigured”: false,
“enforcementMethod”: 0,
“state”: {
“assetId”: “a:a:2E2GOunn”,
“isAssetConnected”: true,
“protectionState”: 3,
“lastConnectedAt”: 1767644670327,
“protectedAt”: 1765545774720,
“identityProtectionState”: 1,
“rpcProtectionState”: 1
},
“deploymentsCluster”: {
“id”: “C:d:00085899”,
“name”: “ZN deployments cluster”
}
}
],
“count”: 17,
“nextOffset”: 0,
“nextCursor”: “a:a:2E2GOunn”
}

you can see on the asset there are properties that are defined as part of assetInfo which are saying 1. $.items[0] should not have additional properties assetStatus. AssetStatus is part of assetInfo which is referenced via allOf in asset.
Let me know if this doesnt help clarify

4

Hello, thank you for your feedback. We are currently investigating this issue and will inform you as soon as there are any updates.