Merge pull request quarkusio#47933 from phillip-kruger/openapi-auto-security-fix

OpenAPI Auto security works with enabled-in-dev config from security

Author: gsmet

extensions/smallrye-openapi/deployment/src/main/java/io/quarkus/smallrye/openapi/deployment/SmallRyeOpenApiProcessor.java

@@ -206,13 +206,14 @@ void registerAutoSecurityFilter(BuildProducer<SyntheticBeanBuildItem> syntheticB
             SmallRyeOpenApiConfig openApiConfig,
             OpenApiFilteredIndexViewBuildItem apiFilteredIndexViewBuildItem,
             List<SecurityInformationBuildItem> securityInformationBuildItems,
-            OpenApiRecorder recorder) {
+            OpenApiRecorder recorder,
+            LaunchModeBuildItem launchMode) {
         AutoSecurityFilter autoSecurityFilter = null;
 
-        if (openApiConfig.autoAddSecurity()) {
+        if (securityConfig(launchMode, openApiConfig::autoAddSecurity)) {
             autoSecurityFilter = getAutoSecurityFilter(securityInformationBuildItems, openApiConfig)
                     .filter(securityFilter -> autoSecurityRuntimeEnabled(securityFilter,
-                            () -> hasAutoEndpointSecurity(apiFilteredIndexViewBuildItem, openApiConfig)))
+                            () -> hasAutoEndpointSecurity(apiFilteredIndexViewBuildItem, launchMode, openApiConfig)))
                     .orElse(null);
         }
 
@@ -339,6 +340,21 @@ void handler(LaunchModeBuildItem launch,
         }
     }
 
+    private boolean securityConfig(
+            LaunchModeBuildItem launchMode,
+            Supplier<Boolean> securitySetting) {
+
+        if (launchMode.getLaunchMode().equals(LaunchMode.DEVELOPMENT)) {
+            Config config = ConfigProvider.getConfig();
+            boolean authEnabled = config.getValue("quarkus.security.auth.enabled-in-dev-mode", Boolean.class);
+            if (authEnabled)
+                return securitySetting.get();
+            return false;
+        } else {
+            return securitySetting.get();
+        }
+    }
+
     private String getManagementRoot(LaunchModeBuildItem launch,
             NonApplicationRootPathBuildItem nonApplicationRootPathBuildItem,
             SmallRyeOpenApiConfig openApiConfig,
@@ -399,14 +415,14 @@ void addAutoFilters(BuildProducer<AddToOpenAPIDefinitionBuildItem> addToOpenAPID
             addToOpenAPIDefinitionProducer
                     .produce(new AddToOpenAPIDefinitionBuildItem(
                             new SecurityConfigFilter(config)));
-        } else if (config.autoAddSecurity()) {
+        } else if (securityConfig(launchModeBuildItem, config::autoAddSecurity)) {
             getAutoSecurityFilter(securityInformationBuildItems, config)
                     .map(AddToOpenAPIDefinitionBuildItem::new)
                     .ifPresent(addToOpenAPIDefinitionProducer::produce);
         }
 
         // Add operation filter to add tags/descriptions/security requirements
-        OASFilter operationFilter = getOperationFilter(apiFilteredIndexViewBuildItem, config);
+        OASFilter operationFilter = getOperationFilter(apiFilteredIndexViewBuildItem, launchModeBuildItem, config);
 
         if (operationFilter != null) {
             addToOpenAPIDefinitionProducer.produce(new AddToOpenAPIDefinitionBuildItem(operationFilter));
@@ -517,9 +533,10 @@ private Optional<AutoSecurityFilter> getAutoSecurityFilter(List<SecurityInformat
 
     private boolean hasAutoEndpointSecurity(
             OpenApiFilteredIndexViewBuildItem indexViewBuildItem,
+            LaunchModeBuildItem launchMode,
             SmallRyeOpenApiConfig config) {
 
-        if (config.autoAddSecurityRequirement()) {
+        if (securityConfig(launchMode, config::autoAddSecurityRequirement)) {
             Map<String, List<String>> rolesAllowedMethods = Collections.emptyMap();
             List<String> authenticatedMethods = Collections.emptyList();
 
@@ -538,6 +555,7 @@ private boolean hasAutoEndpointSecurity(
     }
 
     private OASFilter getOperationFilter(OpenApiFilteredIndexViewBuildItem indexViewBuildItem,
+            LaunchModeBuildItem launchMode,
             SmallRyeOpenApiConfig config) {
 
         Map<String, ClassAndMethod> classNamesMethods = Collections.emptyMap();
@@ -548,7 +566,7 @@ private OASFilter getOperationFilter(OpenApiFilteredIndexViewBuildItem indexView
             classNamesMethods = getClassNamesMethodReferences(indexViewBuildItem);
         }
 
-        if (config.autoAddSecurityRequirement()) {
+        if (securityConfig(launchMode, config::autoAddSecurityRequirement)) {
             rolesAllowedMethods = getRolesAllowedMethodReferences(indexViewBuildItem);
 
             for (String methodRef : getPermissionsAllowedMethodReferences(indexViewBuildItem)) {

extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/AutoSecurityDisabledTestCase.java

@@ -0,0 +1,53 @@
+package io.quarkus.smallrye.openapi.test.jaxrs;
+
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.notNullValue;
+import static org.hamcrest.Matchers.nullValue;
+
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusDevModeTest;
+import io.restassured.RestAssured;
+
+public class AutoSecurityDisabledTestCase {
+
+    @RegisterExtension
+    final static QuarkusDevModeTest TEST = new QuarkusDevModeTest()
+            .withApplicationRoot((jar) -> jar
+                    .addClasses(OpenApiWithSecurity.class)
+                    .addAsResource(
+                            new StringAsset("quarkus.security.auth.enabled-in-dev-mode=false"),
+                            "application.properties"));
+
+    @Test
+    void testAutoSecurityRequirement() {
+
+        RestAssured.given()
+                .header("Accept", "application/json")
+                .when()
+                .get("/q/openapi")
+                .then()
+                .log().body()
+                .and()
+                // Make sure `security` is NOT present
+                .body("paths.'/openApiWithSecurity/test-security/annotated'.get.security", nullValue())
+                .body("paths.'/openApiWithSecurity/test-security/annotated2'.get.security", nullValue())
+                .body("paths.'/openApiWithSecurity/test-security/naked'.get.security", nullValue())
+                // Make sure only 200 response is present
+                .body("paths.'/openApiWithSecurity/test-security/annotated'.get.responses.size()", equalTo(1))
+                .body("paths.'/openApiWithSecurity/test-security/annotated'.get.responses['200']", notNullValue())
+                .body("paths.'/openApiWithSecurity/test-security/annotated'.get.responses['401']", nullValue())
+                .body("paths.'/openApiWithSecurity/test-security/annotated'.get.responses['403']", nullValue())
+                .body("paths.'/openApiWithSecurity/test-security/annotated2'.get.responses.size()", equalTo(1))
+                .body("paths.'/openApiWithSecurity/test-security/annotated2'.get.responses['200']", notNullValue())
+                .body("paths.'/openApiWithSecurity/test-security/annotated2'.get.responses['401']", nullValue())
+                .body("paths.'/openApiWithSecurity/test-security/annotated2'.get.responses['403']", nullValue())
+                .body("paths.'/openApiWithSecurity/test-security/naked'.get.responses.size()", equalTo(1))
+                .body("paths.'/openApiWithSecurity/test-security/naked'.get.responses['200']", notNullValue())
+                .body("paths.'/openApiWithSecurity/test-security/naked'.get.responses['401']", nullValue())
+                .body("paths.'/openApiWithSecurity/test-security/naked'.get.responses['403']", nullValue());
+    }
+
+}

extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OpenApiWithSecurity.java

@@ -0,0 +1,39 @@
+package io.quarkus.smallrye.openapi.test.jaxrs;
+
+import jakarta.annotation.security.RolesAllowed;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+
+import io.quarkus.security.Authenticated;
+
+@Path("/openApiWithSecurity")
+public class OpenApiWithSecurity {
+
+    @GET
+    @Path("/test-security/naked")
+    @Authenticated
+    public String secureEndpointWithoutSecurityAnnotation() {
+        return "secret";
+    }
+
+    @GET
+    @Path("/test-security/annotated")
+    @RolesAllowed("admin")
+    public String secureEndpointWithRolesAllowedAnnotation() {
+        return "secret";
+    }
+
+    @GET
+    @Path("/test-security/annotated2")
+    @RolesAllowed("user")
+    public String secureEndpointWithRolesAllowed2Annotation() {
+        return "secret";
+    }
+
+    @GET
+    @Path("/test-security/public")
+    public String publicEndpoint() {
+        return "boo";
+    }
+
+}