Scan Spring Security @Secured annotation (#2055)

* Scan Spring Security `@Secured` annotation

Signed-off-by: Michael Edgar <[email protected]>

* Update tests for `@Secured`/`@RolesAllowed` on Spring methods

Signed-off-by: Michael Edgar <[email protected]>

---------

Signed-off-by: Michael Edgar <[email protected]>

Author: MikeEdgar

core/src/main/java/io/smallrye/openapi/runtime/scanner/processor/JavaSecurityProcessor.java

@@ -3,8 +3,11 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.LinkedHashMap;
+import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
+import java.util.function.Supplier;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -29,7 +32,9 @@
 public class JavaSecurityProcessor {
 
     public void addRolesAllowedToScopes(String[] roles) {
-        resourceRolesAllowed = roles;
+        if (roles != null) {
+            resourceRolesAllowed.addAll(Arrays.asList(roles));
+        }
         addScopes(roles);
     }
 
@@ -38,13 +43,18 @@ public void addDeclaredRolesToScopes(String[] roles) {
     }
 
     public void processSecurityRoles(MethodInfo method, Operation operation) {
-        processSecurityRolesForMethodOperation(method, operation);
+        processSecurityRolesForMethodOperation(method, operation,
+                () -> context.annotations().getAnnotationValue(method, SecurityConstants.ROLES_ALLOWED));
+    }
+
+    public void processSecurityRoles(MethodInfo method, Operation operation, Supplier<String[]> roleSupplier) {
+        processSecurityRolesForMethodOperation(method, operation, roleSupplier);
     }
 
     private final AnnotationScannerContext context;
     private String currentSecurityScheme;
     private List<OAuthFlow> currentFlows;
-    private String[] resourceRolesAllowed;
+    private final Set<String> resourceRolesAllowed = new LinkedHashSet<>();
 
     public JavaSecurityProcessor(AnnotationScannerContext context) {
         this.context = context;
@@ -53,7 +63,7 @@ public JavaSecurityProcessor(AnnotationScannerContext context) {
     public void initialize(OpenAPI openApi) {
         currentSecurityScheme = null;
         currentFlows = null;
-        resourceRolesAllowed = null;
+        resourceRolesAllowed.clear();
         checkSecurityScheme(openApi);
     }
 
@@ -96,21 +106,22 @@ private void addScopes(String[] roles) {
      * @param method the current JAX-RS method
      * @param operation the OpenAPI Operation
      */
-    private void processSecurityRolesForMethodOperation(MethodInfo method, Operation operation) {
+    private void processSecurityRolesForMethodOperation(MethodInfo method, Operation operation,
+            Supplier<String[]> roleSupplier) {
         if (this.currentSecurityScheme != null) {
-            String[] rolesAllowed = context.annotations().getAnnotationValue(method, SecurityConstants.ROLES_ALLOWED);
+            String[] rolesAllowed = roleSupplier.get();
 
             if (rolesAllowed != null) {
                 addScopes(rolesAllowed);
                 addRolesAllowed(operation, rolesAllowed);
-            } else if (this.resourceRolesAllowed != null) {
+            } else if (!this.resourceRolesAllowed.isEmpty()) {
                 boolean denyAll = context.annotations().getAnnotation(method, SecurityConstants.DENY_ALL) != null;
                 boolean permitAll = context.annotations().getAnnotation(method, SecurityConstants.PERMIT_ALL) != null;
 
                 if (denyAll) {
                     addRolesAllowed(operation, new String[0]);
                 } else if (!permitAll) {
-                    addRolesAllowed(operation, this.resourceRolesAllowed);
+                    addRolesAllowed(operation, this.resourceRolesAllowed.toArray(String[]::new));
                 }
             }
         }

extension-spring/pom.xml

@@ -14,6 +14,7 @@
 
     <properties>
         <version.spring>6.1.13</version.spring>
+        <version.spring-security>6.3.4</version.spring-security>
     </properties>
 
     <dependencyManagement>
@@ -63,6 +64,12 @@
             <artifactId>spring-webmvc</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-core</artifactId>
+            <version>${version.spring-security}</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>javax.servlet</groupId>
             <artifactId>javax.servlet-api</artifactId>

extension-spring/src/main/java/io/smallrye/openapi/spring/SpringAnnotationScanner.java

@@ -5,9 +5,11 @@
 import java.util.Collection;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import java.util.function.Function;
+import java.util.stream.Stream;
 
 import org.eclipse.microprofile.openapi.OASFactory;
 import org.eclipse.microprofile.openapi.models.OpenAPI;
@@ -24,13 +26,16 @@
 import org.jboss.jandex.MethodParameterInfo;
 import org.jboss.jandex.Type;
 
+import io.smallrye.openapi.api.constants.SecurityConstants;
 import io.smallrye.openapi.api.util.ListUtil;
 import io.smallrye.openapi.api.util.MergeUtil;
 import io.smallrye.openapi.runtime.scanner.AnnotationScannerExtension;
 import io.smallrye.openapi.runtime.scanner.ResourceParameters;
 import io.smallrye.openapi.runtime.scanner.dataobject.TypeResolver;
+import io.smallrye.openapi.runtime.scanner.processor.JavaSecurityProcessor;
 import io.smallrye.openapi.runtime.scanner.spi.AbstractAnnotationScanner;
 import io.smallrye.openapi.runtime.scanner.spi.AnnotationScannerContext;
+import io.smallrye.openapi.runtime.util.Annotations;
 import io.smallrye.openapi.runtime.util.ModelUtil;
 
 /**
@@ -211,6 +216,15 @@ private OpenAPI processControllerClass(ClassInfo controllerClass) {
         return openApi;
     }
 
+    @Override
+    public void processJavaSecurity(AnnotationScannerContext context, ClassInfo resourceClass, OpenAPI openApi) {
+        super.processJavaSecurity(context, resourceClass, openApi);
+        JavaSecurityProcessor securityProcessor = context.getJavaSecurityProcessor();
+        securityProcessor
+                .addRolesAllowedToScopes(
+                        context.annotations().getAnnotationValue(resourceClass, SpringConstants.SECURED));
+    }
+
     /**
      * Process the Spring controller Operation methods
      *
@@ -334,7 +348,7 @@ private void processControllerMethod(final ClassInfo resourceClass,
         processExtensions(context, method, operation);
 
         // Process Security Roles
-        context.getJavaSecurityProcessor().processSecurityRoles(method, operation);
+        context.getJavaSecurityProcessor().processSecurityRoles(method, operation, () -> getDeclaredRoles(method));
 
         // Now set the operation on the PathItem as appropriate based on the Http method type
         pathItem.setOperation(methodType, operation);
@@ -357,6 +371,21 @@ private void processControllerMethod(final ClassInfo resourceClass,
         }
     }
 
+    private String[] getDeclaredRoles(MethodInfo method) {
+        Annotations annotations = context.annotations();
+        String[] rolesAllowed = annotations.getAnnotationValue(method, SecurityConstants.ROLES_ALLOWED);
+        String[] securedRoles = annotations.getAnnotationValue(method, SpringConstants.SECURED);
+
+        if (rolesAllowed == null && securedRoles == null) {
+            return null; // NOSONAR
+        }
+
+        return Stream.of(rolesAllowed, securedRoles)
+                .filter(Objects::nonNull)
+                .flatMap(Arrays::stream)
+                .toArray(String[]::new);
+    }
+
     private ResourceParameters getResourceParameters(final ClassInfo resourceClass,
             final MethodInfo method) {
         Function<AnnotationInstance, Parameter> reader = t -> context.io().parameterIO().read(t);

extension-spring/src/main/java/io/smallrye/openapi/spring/SpringConstants.java

@@ -16,6 +16,8 @@
  */
 public class SpringConstants {
 
+    static final DotName SECURED = DotName.createSimple("org.springframework.security.access.annotation.Secured");
+
     static final DotName REST_CONTROLLER = DotName.createSimple("org.springframework.web.bind.annotation.RestController");
     static final DotName REQUEST_MAPPING = DotName.createSimple("org.springframework.web.bind.annotation.RequestMapping");
     static final DotName GET_MAPPING = DotName.createSimple("org.springframework.web.bind.annotation.GetMapping");

extension-spring/src/test/java/test/io/smallrye/openapi/runtime/scanner/resources/GreetingDeleteController.java

@@ -1,8 +1,11 @@
 package test.io.smallrye.openapi.runtime.scanner.resources;
 
+import org.eclipse.microprofile.openapi.annotations.enums.SecuritySchemeType;
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
+import org.eclipse.microprofile.openapi.annotations.security.SecurityScheme;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -17,6 +20,8 @@
  */
 @RestController
 @RequestMapping(value = "/greeting", produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.APPLICATION_JSON_VALUE)
+@Secured({ "roles:removal" })
+@SecurityScheme(securitySchemeName = "oauth", type = SecuritySchemeType.OAUTH2)
 public class GreetingDeleteController {
 
     // 1) Basic path var test
@@ -28,7 +33,7 @@ public void greet(@PathVariable(name = "id") String id) {
     // 2) ResponseEntity without a type specified
     @DeleteMapping("/greetWithResponse/{id}")
     @APIResponse(responseCode = "204", description = "No Content")
-    public ResponseEntity greetWithResponse(@PathVariable(name = "id") String id) {
+    public ResponseEntity<Void> greetWithResponse(@PathVariable(name = "id") String id) {
         return ResponseEntity.noContent().build();
     }
 

extension-spring/src/test/java/test/io/smallrye/openapi/runtime/scanner/resources/GreetingDeleteControllerAlt.java

@@ -1,6 +1,10 @@
 package test.io.smallrye.openapi.runtime.scanner.resources;
 
+import jakarta.annotation.security.RolesAllowed;
+
+import org.eclipse.microprofile.openapi.annotations.enums.SecuritySchemeType;
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
+import org.eclipse.microprofile.openapi.annotations.security.SecurityScheme;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -17,6 +21,8 @@
  */
 @RestController
 @RequestMapping(value = "/greeting", produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.APPLICATION_JSON_VALUE)
+@RolesAllowed({ "roles:removal" })
+@SecurityScheme(securitySchemeName = "oauth", type = SecuritySchemeType.OAUTH2)
 public class GreetingDeleteControllerAlt {
 
     // 1) Basic path var test
@@ -28,7 +34,7 @@ public void greet(@PathVariable(name = "id") String id) {
     // 2) ResponseEntity without a type specified
     @RequestMapping(value = "/greetWithResponse/{id}", method = RequestMethod.DELETE)
     @APIResponse(responseCode = "204", description = "No Content")
-    public ResponseEntity greetWithResponse(@PathVariable(name = "id") String id) {
+    public ResponseEntity<Void> greetWithResponse(@PathVariable(name = "id") String id) {
         return ResponseEntity.noContent().build();
     }
 

extension-spring/src/test/java/test/io/smallrye/openapi/runtime/scanner/resources/GreetingGetController.java

@@ -4,11 +4,14 @@
 import java.util.List;
 import java.util.Optional;
 
+import org.eclipse.microprofile.openapi.annotations.enums.SecuritySchemeType;
 import org.eclipse.microprofile.openapi.annotations.media.Content;
 import org.eclipse.microprofile.openapi.annotations.media.Schema;
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
+import org.eclipse.microprofile.openapi.annotations.security.SecurityScheme;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -26,6 +29,7 @@
  */
 @RestController
 @RequestMapping(value = "/greeting", produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.APPLICATION_JSON_VALUE)
+@SecurityScheme(securitySchemeName = "oauth", type = SecuritySchemeType.OAUTH2)
 public class GreetingGetController {
 
     // 1) Basic path var test
@@ -48,11 +52,13 @@ public Optional<Greeting> helloOptional(@PathVariable(name = "name") String name
 
     // 4) Basic request param test
     @GetMapping(path = "/helloRequestParam")
+    @Secured({ "roles:retrieval-by-query" })
     public Greeting helloRequestParam(@RequestParam(value = "name", required = false) String name) {
         return new Greeting("Hello " + name);
     }
 
     // 5) ResponseEntity without a type specified
+    @SuppressWarnings("rawtypes")
     @GetMapping("/helloPathVariableWithResponse/{name}")
     @APIResponse(responseCode = "200", description = "OK", content = @Content(schema = @Schema(ref = "#/components/schemas/Greeting")))
     public ResponseEntity helloPathVariableWithResponse(@PathVariable(name = "name") String name) {

extension-spring/src/test/java/test/io/smallrye/openapi/runtime/scanner/resources/GreetingGetControllerAlt.java

@@ -4,9 +4,13 @@
 import java.util.List;
 import java.util.Optional;
 
+import jakarta.annotation.security.RolesAllowed;
+
+import org.eclipse.microprofile.openapi.annotations.enums.SecuritySchemeType;
 import org.eclipse.microprofile.openapi.annotations.media.Content;
 import org.eclipse.microprofile.openapi.annotations.media.Schema;
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
+import org.eclipse.microprofile.openapi.annotations.security.SecurityScheme;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -28,6 +32,7 @@
  */
 @RestController
 @RequestMapping(value = "/greeting", produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.APPLICATION_JSON_VALUE)
+@SecurityScheme(securitySchemeName = "oauth", type = SecuritySchemeType.OAUTH2)
 public class GreetingGetControllerAlt {
 
     // 1) Basic path var test
@@ -50,11 +55,13 @@ public Optional<Greeting> helloOptional(@PathVariable(name = "name") String name
 
     // 4) Basic request param test
     @RequestMapping(value = "/helloRequestParam", method = RequestMethod.GET)
+    @RolesAllowed({ "roles:retrieval-by-query" })
     public Greeting helloRequestParam(@RequestParam(value = "name", required = false) String name) {
         return new Greeting("Hello " + name);
     }
 
     // 5) ResponseEntity without a type specified
+    @SuppressWarnings("rawtypes")
     @RequestMapping(value = "/helloPathVariableWithResponse/{name}", method = RequestMethod.GET)
     @APIResponse(responseCode = "200", description = "OK", content = @Content(schema = @Schema(ref = "#/components/schemas/Greeting")))
     public ResponseEntity helloPathVariableWithResponse(@PathVariable(name = "name") String name) {

extension-spring/src/test/java/test/io/smallrye/openapi/runtime/scanner/resources/GreetingGetControllerAlt2.java

@@ -4,11 +4,14 @@
 import java.util.List;
 import java.util.Optional;
 
+import org.eclipse.microprofile.openapi.annotations.enums.SecuritySchemeType;
 import org.eclipse.microprofile.openapi.annotations.media.Content;
 import org.eclipse.microprofile.openapi.annotations.media.Schema;
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
+import org.eclipse.microprofile.openapi.annotations.security.SecurityScheme;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -28,6 +31,7 @@
  */
 @RestController
 @RequestMapping(path = "/greeting", produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.APPLICATION_JSON_VALUE)
+@SecurityScheme(securitySchemeName = "oauth", type = SecuritySchemeType.OAUTH2)
 public class GreetingGetControllerAlt2 {
 
     // 1) Basic path var test
@@ -50,11 +54,13 @@ public Optional<Greeting> helloOptional(@PathVariable(name = "name") String name
 
     // 4) Basic request param test
     @RequestMapping(path = "/helloRequestParam", method = RequestMethod.GET)
+    @Secured({ "roles:retrieval-by-query" })
     public Greeting helloRequestParam(@RequestParam(value = "name", required = false) String name) {
         return new Greeting("Hello " + name);
     }
 
     // 5) ResponseEntity without a type specified
+    @SuppressWarnings("rawtypes")
     @RequestMapping(path = "/helloPathVariableWithResponse/{name}", method = RequestMethod.GET)
     @APIResponse(responseCode = "200", description = "OK", content = @Content(schema = @Schema(ref = "#/components/schemas/Greeting")))
     public ResponseEntity helloPathVariableWithResponse(@PathVariable(name = "name") String name) {