Bump smallrye-open-api from 3.2.0 to 3.3.0, fix OpenAPI security issues

- Handle method-level `@RolesAllowed` that override class-level
`@RolesAllowed` values, fixes #30997
- Render `BaseStream<T, S>` as array of `T` in OpenAPI document,
fixes #30248 (via smallrye-open-api 3.3.0)
- Do not place scopes in OpenAPI security requirements unless the
security scheme is OAuth2 or OIDC, fixes #27373
- Include only OIDC discovery URL in OpenAPI when auto-security is
active, fixes #21126

Signed-off-by: Michael Edgar <[email protected]>

Author: MikeEdgar

bom/application/pom.xml

@@ -58,7 +58,7 @@
         <smallrye-config.version>3.1.3</smallrye-config.version>
         <smallrye-health.version>4.0.1</smallrye-health.version>
         <smallrye-metrics.version>4.0.0</smallrye-metrics.version>
-        <smallrye-open-api.version>3.2.0</smallrye-open-api.version>
+        <smallrye-open-api.version>3.3.0</smallrye-open-api.version>
         <smallrye-graphql.version>2.1.1</smallrye-graphql.version>
         <smallrye-opentracing.version>3.0.3</smallrye-opentracing.version>
         <smallrye-fault-tolerance.version>6.2.1</smallrye-fault-tolerance.version>
@@ -1848,7 +1848,7 @@
                 <artifactId>quarkus-vertx-http-dev-ui-resources</artifactId>
                 <version>${project.version}</version>
             </dependency>
-            
+
             <dependency>
                 <groupId>io.quarkus</groupId>
                 <artifactId>quarkus-reactive-routes</artifactId>

extensions/panache/hibernate-orm-rest-data-panache/deployment/src/test/resources/application.properties

@@ -2,3 +2,6 @@ quarkus.datasource.db-kind=h2
 quarkus.datasource.jdbc.url=jdbc:h2:mem:test
 
 quarkus.hibernate-orm.database.generation=drop-and-create
+
+# Scopes will not populate in the OpenAPI document unless the security scheme is Oauth2 or OIDC
+quarkus.smallrye-openapi.security-scheme=oauth2-implicit

extensions/smallrye-openapi/deployment/src/main/java/io/quarkus/smallrye/openapi/deployment/SmallRyeOpenApiProcessor.java

@@ -17,6 +17,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -320,42 +321,22 @@ OpenApiFilteredIndexViewBuildItem smallryeOpenApiIndex(CombinedIndexBuildItem co
 
     @BuildStep
     void addAutoFilters(BuildProducer<AddToOpenAPIDefinitionBuildItem> addToOpenAPIDefinitionProducer,
+            List<SecurityInformationBuildItem> securityInformationBuildItems,
             OpenApiFilteredIndexViewBuildItem apiFilteredIndexViewBuildItem,
             SmallRyeOpenApiConfig config) {
 
-        List<AnnotationInstance> rolesAllowedAnnotations = new ArrayList<>();
-        for (DotName rolesAllowed : SecurityConstants.ROLES_ALLOWED) {
-            rolesAllowedAnnotations.addAll(apiFilteredIndexViewBuildItem.getIndex().getAnnotations(rolesAllowed));
-        }
-
-        Map<String, List<String>> methodReferences = new HashMap<>();
-        DotName securityRequirement = DotName.createSimple(SecurityRequirement.class.getName());
-        for (AnnotationInstance ai : rolesAllowedAnnotations) {
-            if (ai.target().kind().equals(AnnotationTarget.Kind.METHOD)) {
-                MethodInfo method = ai.target().asMethod();
-                if (isValidOpenAPIMethodForAutoAdd(method, securityRequirement)) {
-                    String ref = JandexUtil.createUniqueMethodReference(method.declaringClass(), method);
-                    methodReferences.put(ref, List.of(ai.value().asStringArray()));
-                }
-            }
-            if (ai.target().kind().equals(AnnotationTarget.Kind.CLASS)) {
-                ClassInfo classInfo = ai.target().asClass();
-                List<MethodInfo> methods = classInfo.methods();
-                for (MethodInfo method : methods) {
-                    if (isValidOpenAPIMethodForAutoAdd(method, securityRequirement)) {
-                        String ref = JandexUtil.createUniqueMethodReference(classInfo, method);
-                        methodReferences.put(ref, List.of(ai.value().asStringArray()));
-                    }
-                }
-
-            }
-        }
-
         // Add a security scheme from config
         if (config.securityScheme.isPresent()) {
             addToOpenAPIDefinitionProducer
                     .produce(new AddToOpenAPIDefinitionBuildItem(
                             new SecurityConfigFilter(config)));
+        } else {
+            OASFilter autoSecurityFilter = getAutoSecurityFilter(securityInformationBuildItems, config);
+
+            if (autoSecurityFilter != null) {
+                addToOpenAPIDefinitionProducer
+                        .produce(new AddToOpenAPIDefinitionBuildItem(autoSecurityFilter));
+            }
         }
 
         // Add Auto roles allowed
@@ -407,34 +388,19 @@ private OASFilter getAutoSecurityFilter(List<SecurityInformationBuildItem> secur
                                 config.securitySchemeDescription,
                                 config.basicSecuritySchemeValue);
                     case oidc:
-                        Optional<SecurityInformationBuildItem.OpenIDConnectInformation> maybeInfo = securityInformationBuildItem
-                                .getOpenIDConnectInformation();
-
-                        if (maybeInfo.isPresent()) {
-                            SecurityInformationBuildItem.OpenIDConnectInformation info = maybeInfo.get();
-
-                            AutoUrl authorizationUrl = new AutoUrl(
-                                    config.oidcOpenIdConnectUrl.orElse(null),
-                                    info.getUrlConfigKey(),
-                                    "/protocol/openid-connect/auth");
-
-                            AutoUrl refreshUrl = new AutoUrl(
-                                    config.oidcOpenIdConnectUrl.orElse(null),
-                                    info.getUrlConfigKey(),
-                                    "/protocol/openid-connect/token");
-
-                            AutoUrl tokenUrl = new AutoUrl(
-                                    config.oidcOpenIdConnectUrl.orElse(null),
-                                    info.getUrlConfigKey(),
-                                    "/protocol/openid-connect/token/introspect");
-
-                            return new OpenIDConnectSecurityFilter(
-                                    config.securitySchemeName,
-                                    config.securitySchemeDescription,
-                                    authorizationUrl, refreshUrl, tokenUrl);
-
-                        }
-                        break;
+                        return securityInformationBuildItem.getOpenIDConnectInformation()
+                                .map(info -> {
+                                    AutoUrl openIdConnectUrl = new AutoUrl(
+                                            config.oidcOpenIdConnectUrl.orElse(null),
+                                            info.getUrlConfigKey(),
+                                            "/.well-known/openid-configuration");
+
+                                    return new OpenIDConnectSecurityFilter(
+                                            config.securitySchemeName,
+                                            config.securitySchemeDescription,
+                                            openIdConnectUrl);
+                                })
+                                .orElse(null);
                     default:
                         break;
                 }
@@ -523,7 +489,7 @@ private Map<String, List<String>> getRolesAllowedMethodReferences(
                 for (MethodInfo method : methods) {
                     if (isValidOpenAPIMethodForAutoAdd(method, securityRequirement)) {
                         String ref = JandexUtil.createUniqueMethodReference(classInfo, method);
-                        methodReferences.put(ref, List.of(ai.value().asStringArray()));
+                        methodReferences.putIfAbsent(ref, List.of(ai.value().asStringArray()));
                     }
                 }
             }
@@ -758,8 +724,7 @@ public void build(BuildProducer<FeatureBuildItem> feature,
             nativeImageResources.produce(new NativeImageResourceBuildItem(name));
         }
 
-        OpenApiDocument finalStoredOpenApiDocument = storeDocument(out, smallRyeOpenApiConfig, staticModel, annotationModel,
-                openAPIBuildItems);
+        OpenApiDocument finalStoredOpenApiDocument = storeDocument(out, smallRyeOpenApiConfig, finalDocument.get());
         openApiDocumentProducer.produce(new OpenApiDocumentBuildItem(finalStoredOpenApiDocument));
     }
 
@@ -1041,23 +1006,19 @@ private OpenApiDocument loadDocument(OpenAPI staticModel, OpenAPI annotationMode
 
     private OpenApiDocument storeDocument(OutputTargetBuildItem out,
             SmallRyeOpenApiConfig smallRyeOpenApiConfig,
-            OpenAPI staticModel,
-            OpenAPI annotationModel,
-            List<AddToOpenAPIDefinitionBuildItem> openAPIBuildItems) throws IOException {
-        return storeDocument(out, smallRyeOpenApiConfig, staticModel, annotationModel, openAPIBuildItems, true);
+            OpenAPI loadedModel) throws IOException {
+        return storeDocument(out, smallRyeOpenApiConfig, loadedModel, true);
     }
 
     private OpenApiDocument storeDocument(OutputTargetBuildItem out,
             SmallRyeOpenApiConfig smallRyeOpenApiConfig,
-            OpenAPI staticModel,
-            OpenAPI annotationModel,
-            List<AddToOpenAPIDefinitionBuildItem> openAPIBuildItems,
+            OpenAPI loadedModel,
             boolean includeRuntimeFilters) throws IOException {
 
         Config config = ConfigProvider.getConfig();
         OpenApiConfig openApiConfig = new OpenApiConfigImpl(config);
 
-        OpenApiDocument document = prepareOpenApiDocument(staticModel, annotationModel, openAPIBuildItems);
+        OpenApiDocument document = prepareOpenApiDocument(loadedModel, null, Collections.emptyList());
 
         if (includeRuntimeFilters) {
             document.filter(filter(openApiConfig)); // This usually happens at runtime, so when storing we want to filter here too.
@@ -1074,7 +1035,7 @@ private OpenApiDocument storeDocument(OutputTargetBuildItem out,
         } catch (RuntimeException re) {
             if (includeRuntimeFilters) {
                 // This is a Runtime filter, so it might not work at build time. In that case we ignore the filter.
-                return storeDocument(out, smallRyeOpenApiConfig, staticModel, annotationModel, openAPIBuildItems, false);
+                return storeDocument(out, smallRyeOpenApiConfig, loadedModel, false);
             } else {
                 throw re;
             }
@@ -1083,7 +1044,6 @@ private OpenApiDocument storeDocument(OutputTargetBuildItem out,
         boolean shouldStore = smallRyeOpenApiConfig.storeSchemaDirectory.isPresent();
         if (shouldStore) {
             for (Format format : Format.values()) {
-                String name = OpenApiConstants.BASE_NAME + format;
                 byte[] schemaDocument = OpenApiSerializer.serialize(document.get(), format).getBytes(StandardCharsets.UTF_8);
                 storeGeneratedSchema(smallRyeOpenApiConfig, out, schemaDocument, format);
             }