OpenAPI does not correctly generate security schema when @RolesAllowed is used #30997

Closed
jsmrcka opened this issue Feb 8, 2023 · 3 comments · Fixed by #31671

Comments

jsmrcka commented Feb 8, 2023

Describe the bug

quarkus-smallrye-openapi creates an incorrect security schema for endpoints which use the @RolesAllowed annotation on both the class level and the method level.
E.g.:

// Quarkus 2.16 (the version reported below) uses the javax.* namespace shown
// here; on Quarkus 3 the same annotations live under jakarta.annotation.security
// and jakarta.ws.rs.
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;

@Path("/roles-allowed-user")
@RolesAllowed("user")          // class-level default for every method in the class
public class RolesAllowedResource {

    // Inherits the class-level restriction: requires the "user" role.
    @GET
    public void rolesAllowedUser() {
    }

    // The method-level annotation replaces the class-level one: requires "admin".
    // Served at /roles-allowed-user/roles-allowed-admin.
    @GET
    @Path("/roles-allowed-admin")
    @RolesAllowed("admin")
    public void rolesAllowedAdmin() {
    }
}

Then the /q/openapi produces:

---
openapi: 3.0.3
info:
  title: openapi-security-reproducer API
  version: 1.0.0-SNAPSHOT
paths:
  /roles-allowed-user:
    get:
      tags:
      - Roles Allowed Resource
      responses:
        "204":
          description: No Content
        "401":
          description: Not Authorized
        "403":
          description: Not Allowed
      security:
      - SecurityScheme:
        - user
  /roles-allowed-user/roles-allowed-admin:
    get:
      tags:
      - Roles Allowed Resource
      responses:
        "204":
          description: No Content
        "401":
          description: Not Authorized
        "403":
          description: Not Allowed
      security:
      - SecurityScheme:
        - user
components:
  securitySchemes:
    SecurityScheme:
      type: http
      description: Authentication
      scheme: basic

The actual behavior of the /roles-allowed-user/roles-allowed-admin endpoint correctly reflects the security specification and requires the admin role.
However, the OpenAPI schema shows the user role in the endpoint.

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

git clone git@github.com:jsmrcka/openapi-security-reproducer.git
mvn -f ./openapi-security-reproducer test

Output of uname -a or ver

Linux ... 6.0.15-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Dec 21 18:33:23 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Output of java -version

openjdk version "11.0.12" 2021-07-20

GraalVM version (if different from Java)

No response

Quarkus version or git rev

999-SNAPSHOT, 2.16.1.Final

Build tool (ie. output of mvnw --version or gradlew --version)

3.8.6

Additional information

No response
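An added regression test for the situation the report describes; it is not code from the issue or from the reproducer repository. It assumes the resource above is on the classpath, that the Quarkus OpenAPI endpoint accepts `?format=json` for a JSON rendering, and that `quarkus-test-security` is on the test classpath so `@TestSecurity` can inject a principal with a given role. The test deliberately asserts that the admin operation must not carry the class-level `user` role, rather than that it must list `admin`: in the document above the role appears as a scope of the `SecurityScheme` requirement, but a basic HTTP scheme has no scopes, so a check that depends on the role being listed is fragile. The two `@TestSecurity` tests pin the runtime behaviour the reporter observed, so the document and the enforcement are compared in one place.

```java
import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.hasItem;
import static org.hamcrest.Matchers.not;

import org.junit.jupiter.api.Test;

import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.security.TestSecurity;

// Added example (not from the issue or the reproducer): catches the generator
// attaching the class-level role to a method that declares its own
// @RolesAllowed, and cross-checks the document against actual enforcement.
@QuarkusTest
class OpenApiRolesAllowedTest {

    // Assumption: the Quarkus OpenAPI endpoint renders JSON for "?format=json".
    private static final String OPENAPI = "/q/openapi?format=json";

    // Paths taken from the generated document shown in the report.
    private static final String USER_PATH = "/roles-allowed-user";
    private static final String ADMIN_PATH = "/roles-allowed-user/roles-allowed-admin";

    // GPath to the scope list of the first security requirement of a GET
    // operation. The path key contains slashes, so it is single-quoted to be
    // treated as one map key rather than a nested lookup.
    private static String securityOf(String path) {
        return "paths.'" + path + "'.get.security[0].SecurityScheme";
    }

    @Test
    void methodLevelRoleMustNotInheritClassLevelRoleInDocument() {
        // Fails on the reported behaviour: the admin operation lists "user".
        given().when().get(OPENAPI)
            .then().statusCode(200)
            .body(securityOf(ADMIN_PATH), not(hasItem("user")));
    }

    @Test
    void userOperationIsStillProtected() {
        // The operation without a method-level override keeps a requirement
        // referencing the scheme (the document shows it under "security").
        given().when().get(OPENAPI)
            .then().statusCode(200)
            .body("paths.'" + USER_PATH + "'.get.security", not(org.hamcrest.Matchers.empty()));
    }

    @Test
    @TestSecurity(user = "alice", roles = "user")   // constructed test identity
    void userRoleIsRejectedByAdminEndpoint() {
        // Runtime enforcement is correct per the report: "user" gets 403 here,
        // whatever the document claims.
        given().when().get(ADMIN_PATH).then().statusCode(403);
    }

    @Test
    @TestSecurity(user = "root", roles = "admin")   // constructed test identity
    void adminRoleIsAcceptedByAdminEndpoint() {
        // The resource method returns void, hence 204 as in the document.
        given().when().get(ADMIN_PATH).then().statusCode(204);
    }
}
```

Run it with `mvn test`; the first test is the one that fails on the reported version and passes once method-level `@RolesAllowed` values override the class-level ones in the generated document.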

quarkus-bot bot commented Feb 8, 2023

/cc @EricWittmann (openapi), @MikeEdgar (openapi), @phillip-kruger (openapi), @sberyozkin (security)

@phillip-kruger
Member

Agree, this is a bug. I'll have a look a.s.a.p. If you are in a hurry please do a PR.

@Plawn

Plawn commented Feb 9, 2023

Ok, I'm not crazy, got this issue for months but never bothered to create the issue

MikeEdgar added a commit to MikeEdgar/quarkus that referenced this issue Mar 7, 2023
- Handle method-level `@RolesAllowed` that override class-level
`@RolesAllowed` values, fixes quarkusio#30997
- Render `BaseStream<T, S>` as array of `T` in OpenAPI document,
fixes quarkusio#30248 (via smallrye-open-api 3.3.0)
- Do not place scopes in OpenAPI security requirements unless the
security scheme is OAuth2 or OIDC, fixes quarkusio#27373
- Include only OIDC discovery URL in OpenAPI when auto-security is
active, fixes quarkusio#21126

Signed-off-by: Michael Edgar <[email protected]>
MikeEdgar added a commit to MikeEdgar/quarkus that referenced this issue Mar 8, 2023

MikeEdgar added a commit to MikeEdgar/quarkus that referenced this issue Mar 8, 2023
@quarkus-bot quarkus-bot bot added this to the 3.0 - main milestone Mar 9, 2023