Fix TopLevelResourcesListBySubscription to exclude tenant level API's… (#808)

* Fix TopLevelResourcesListBySubscription to exclude tenant level API's from validation

* Update test name

* Remove the guard

* Update package.json and CHANGELOG.md for TopLevelResourcesListBySubscription fix (#815)

* Initial plan

* Update package.json and CHANGELOG.md for version 2.2.1

Co-authored-by: mikeharder <9459391+mikeharder@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mikeharder <9459391+mikeharder@users.noreply.github.com>

* Apply suggestion from @mikeharder

* Increment patch version to 2.2.2 (#818)

* Initial plan

* Increment patch version from 2.2.1 to 2.2.2

Co-authored-by: mikeharder <9459391+mikeharder@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mikeharder <9459391+mikeharder@users.noreply.github.com>

---------

Co-authored-by: akhilailla <akhilailla@microsoft.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mikeharder <9459391+mikeharder@users.noreply.github.com>
Co-authored-by: Mike Harder <mharder@microsoft.com>

Author: 4 people

packages/rulesets/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change Log - @microsoft.azure/openapi-validator-rulesets
 
+## 2.2.5
+
+### Patches
+
+- [TopLevelResourcesListBySubscription] Exclude tenant-level APIs from validation
+
 ## 2.2.4
 
 ### Patches

packages/rulesets/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@microsoft.azure/openapi-validator-rulesets",
-  "version": "2.2.4",
+  "version": "2.2.5",
   "description": "Azure OpenAPI Validator",
   "main": "dist/index.js",
   "files": [

packages/rulesets/src/native/legacyRules/TopLevelResourcesListBySubscription.ts

@@ -15,22 +15,41 @@ rules.push({
   *run(doc, node, path, ctx) {
     const msg = 'The top-level resource "{0}" does not have list by subscription operation, please add it.'
     const utils = new ArmHelper(doc, ctx?.specPath!, ctx?.inventory!)
-    const topLevelResources = utils.getTopLevelResourceNames()
+    // Top-level resources are calculated by ArmHelper.getTopLevelResources():
+    // 1. Scans all operations (GET/PUT/POST/PATCH/DELETE) in paths and x-ms-paths
+    // 2. For each operation, checks the 200/201 response schema's $ref to find resource definitions
+    // 3. A definition is a "resource" if it has x-ms-azure-resource:true or allOfs Resource/TrackedResource/ProxyResource
+    // 4. A resource is "top-level" if its path has exactly ONE resource-type segment after /providers/
+    //    e.g., /subscriptions/{sub}/providers/Microsoft.Contoso/widgets/{name} → "widgets" is top-level
+    //    vs. /.../widgets/{name}/parts/{partName} → "parts" is nested (2 segments)
+    const topLevelResources = utils.getTopLevelResources()
     const allCollectionApis = utils.getCollectionApiInfo()
-    for (const path in node.paths) {
-      const hasMatchedTenantLevel = !path.includes("/subscriptions/")
-      if (hasMatchedTenantLevel) {
-        return
-      }
-    }
+
+    // The same model can be discovered multiple times (different operations/files),
+    // but we only want to report at most once per definition name.
+    const validatedModels = new Set<string>()
     for (const resource of topLevelResources) {
+      const resourceName = resource.modelName
+      // Skip already validated resources
+      if (validatedModels.has(resourceName)) {
+        continue
+      }
+
+      // Tenant-scoped resources do not need list-by-subscription, so skip them.
+      const hasSubscriptionScopedOperation = resource.operations?.some((op: { apiPath: string }) => utils.isPathBySubscription(op.apiPath))
+      if (!hasSubscriptionScopedOperation) {
+        continue
+      }
+
+      validatedModels.add(resourceName)
       const hasMatched = allCollectionApis.some(
-        (collection) => resource === collection.childModelName && collection.collectionGetPath.some((p) => utils.isPathBySubscription(p)),
+        (collection) =>
+          resourceName === collection.childModelName && collection.collectionGetPath.some((p) => utils.isPathBySubscription(p)),
       )
       if (!hasMatched) {
         yield {
-          message: msg.replace("{0}", resource),
-          location: ["$", "definitions", resource] as JsonPath,
+          message: msg.replace("{0}", resourceName),
+          location: ["$", "definitions", resourceName] as JsonPath,
         }
       }
     }

packages/rulesets/src/native/tests/composite-azure-tests.ts

@@ -59,7 +59,7 @@ describe("CompositeAzureTests", () => {
     const messages: LintResultMessage[] = await collectTestMessagesFromValidator(
       fileName,
       OpenApiTypes.arm,
-      NestedResourcesMustHaveListOperation
+      NestedResourcesMustHaveListOperation,
     )
     assertValidationRuleCount(messages, NestedResourcesMustHaveListOperation, 1)
   })
@@ -69,17 +69,17 @@ describe("CompositeAzureTests", () => {
     const messages: LintResultMessage[] = await collectTestMessagesFromValidator(
       fileName,
       OpenApiTypes.arm,
-      TopLevelResourcesListByResourceGroup
+      TopLevelResourcesListByResourceGroup,
     )
     assertValidationRuleCount(messages, TopLevelResourcesListByResourceGroup, 1)
   })
 
-  test("extension top level resources should report no errors", async () => {
+  test("extension top level resources should report no errors for list-by-subscription", async () => {
     const fileName = ["armResource/extensionTrackedResourceNoListBySubscription.json", "armResource/trackedResourceCommon.json"]
     const messages: LintResultMessage[] = await collectTestMessagesFromValidator(
       fileName,
       OpenApiTypes.arm,
-      TopLevelResourcesListBySubscription
+      TopLevelResourcesListBySubscription,
     )
     assertValidationRuleCount(messages, TopLevelResourcesListBySubscription, 0)
   })
@@ -89,12 +89,42 @@ describe("CompositeAzureTests", () => {
     const messages: LintResultMessage[] = await collectTestMessagesFromValidator(
       fileName,
       OpenApiTypes.arm,
-      TopLevelResourcesListBySubscription
+      TopLevelResourcesListBySubscription,
     )
-    // There is tenant level api in compute.json file
+    // This spec includes tenant-level APIs; validation should still run for subscription-scoped resources.
     assertValidationRuleCount(messages, TopLevelResourcesListBySubscription, 0)
   })
 
+  test("tenant-only specs should skip list-by-subscription validation", async () => {
+    const fileName = "armResource/topLevelListBySubscription_tenantOnlyResource.json"
+    const messages: LintResultMessage[] = await collectTestMessagesFromValidator(
+      fileName,
+      OpenApiTypes.arm,
+      TopLevelResourcesListBySubscription,
+    )
+    assertValidationRuleCount(messages, TopLevelResourcesListBySubscription, 0)
+  })
+
+  test("mixed tenant and subscription specs should still validate list-by-subscription", async () => {
+    const fileName = "armResource/topLevelListBySubscription_mixedTenantAndSubscription_missingCollection.json"
+    const messages: LintResultMessage[] = await collectTestMessagesFromValidator(
+      fileName,
+      OpenApiTypes.arm,
+      TopLevelResourcesListBySubscription,
+    )
+    assertValidationRuleCount(messages, TopLevelResourcesListBySubscription, 1)
+  })
+
+  test("subscription paths under x-ms-paths should still validate list-by-subscription", async () => {
+    const fileName = "armResource/topLevelListBySubscription_subscriptionInXmsPaths_missingCollection.json"
+    const messages: LintResultMessage[] = await collectTestMessagesFromValidator(
+      fileName,
+      OpenApiTypes.arm,
+      TopLevelResourcesListBySubscription,
+    )
+    assertValidationRuleCount(messages, TopLevelResourcesListBySubscription, 1)
+  })
+
   test("get collection response schema should match the ARM specification", async () => {
     const fileName = "armResource/cdn.json"
     const messages: LintResultMessage[] = await collectTestMessagesFromValidator(fileName, OpenApiTypes.arm, GetCollectionResponseSchema)
@@ -106,7 +136,7 @@ describe("CompositeAzureTests", () => {
     const messages: LintResultMessage[] = await collectTestMessagesFromValidator(
       fileName,
       OpenApiTypes.arm,
-      AllResourcesMustHaveGetOperation
+      AllResourcesMustHaveGetOperation,
     )
     assertValidationRuleCount(messages, AllResourcesMustHaveGetOperation, 1)
   })
@@ -116,7 +146,7 @@ describe("CompositeAzureTests", () => {
     const messages: LintResultMessage[] = await collectTestMessagesFromValidator(
       fileName,
       OpenApiTypes.arm,
-      AllResourcesMustHaveGetOperation
+      AllResourcesMustHaveGetOperation,
     )
     assertValidationRuleCount(messages, AllResourcesMustHaveGetOperation, 0)
   })
@@ -126,7 +156,7 @@ describe("CompositeAzureTests", () => {
     const messages: LintResultMessage[] = await collectTestMessagesFromValidator(
       fileName,
       OpenApiTypes.arm,
-      AllResourcesMustHaveGetOperation
+      AllResourcesMustHaveGetOperation,
     )
     assertValidationRuleCount(messages, AllResourcesMustHaveGetOperation, 0)
   })
@@ -135,7 +165,7 @@ describe("CompositeAzureTests", () => {
     const messages: LintResultMessage[] = await collectTestMessagesFromValidator(
       fileName,
       OpenApiTypes.arm,
-      AllResourcesMustHaveGetOperation
+      AllResourcesMustHaveGetOperation,
     )
     assertValidationRuleCount(messages, AllResourcesMustHaveGetOperation, 0)
   })
@@ -145,7 +175,7 @@ describe("CompositeAzureTests", () => {
     const messages: LintResultMessage[] = await collectTestMessagesFromValidator(
       fileName,
       OpenApiTypes.arm,
-      AllResourcesMustHaveGetOperation
+      AllResourcesMustHaveGetOperation,
     )
     assertValidationRuleCount(messages, AllResourcesMustHaveGetOperation, 0)
   })
@@ -161,7 +191,7 @@ describe("CompositeAzureTests", () => {
     const messages: LintResultMessage[] = await collectTestMessagesFromValidator(
       fileName,
       OpenApiTypes.arm,
-      PrivateEndpointResourceSchemaValidation
+      PrivateEndpointResourceSchemaValidation,
     )
     assertValidationRuleCount(messages, PrivateEndpointResourceSchemaValidation, 2)
   })

packages/rulesets/src/native/tests/resources/armResource/topLevelListBySubscription_mixedTenantAndSubscription_missingCollection.json

@@ -0,0 +1,111 @@
+{
+  "swagger": "2.0",
+  "info": {
+    "title": "MixedTenantAndSubscriptionRP",
+    "version": "2025-01-01"
+  },
+  "host": "management.azure.com",
+  "schemes": [
+    "https"
+  ],
+  "produces": [
+    "application/json"
+  ],
+  "consumes": [
+    "application/json"
+  ],
+  "paths": {
+    "/providers/Microsoft.Contoso/operations": {
+      "get": {
+        "operationId": "Operations_List",
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/OperationListResult"
+            }
+          }
+        }
+      }
+    },
+    "/subscriptions/{subscriptionId}/providers/Microsoft.Contoso/widgets/{widgetName}": {
+      "get": {
+        "operationId": "Widgets_Get",
+        "parameters": [
+          {
+            "name": "subscriptionId",
+            "in": "path",
+            "required": true,
+            "type": "string"
+          },
+          {
+            "name": "widgetName",
+            "in": "path",
+            "required": true,
+            "type": "string"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/Widget"
+            }
+          }
+        }
+      }
+    }
+  },
+  "definitions": {
+    "Resource": {
+      "type": "object",
+      "properties": {
+        "id": {
+          "type": "string"
+        },
+        "name": {
+          "type": "string"
+        },
+        "type": {
+          "type": "string"
+        }
+      }
+    },
+    "Widget": {
+      "allOf": [
+        {
+          "$ref": "#/definitions/Resource"
+        }
+      ],
+      "properties": {
+        "properties": {
+          "type": "object",
+          "properties": {
+            "size": {
+              "type": "string"
+            }
+          }
+        }
+      }
+    },
+    "OperationListResult": {
+      "type": "object",
+      "properties": {
+        "value": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/Operation"
+          }
+        }
+      }
+    },
+    "Operation": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string"
+        }
+      }
+    }
+  }
+}