OpenAPI: Always run OpenIDConnectSecurityFilter at runtime

extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityAutoAddTestTest.java

@@ -0,0 +1,31 @@
+package io.quarkus.smallrye.openapi.test.jaxrs;
+
+import java.util.List;
+
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.builder.Version;
+import io.quarkus.maven.dependency.Dependency;
+import io.quarkus.test.QuarkusUnitTest;
+
+class OIDCSecurityAutoAddTestTest extends OIDCSecurityTestBase {
+
+    @RegisterExtension
+    static QuarkusUnitTest runner = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addClasses(OpenApiResource.class, ResourceBean.class)
+                    .addAsResource(
+                            new StringAsset(""
+                                    + "quarkus.smallrye-openapi.security-scheme-name=OIDCCompanyAuthentication\n"
+                                    + "quarkus.smallrye-openapi.security-scheme-description=OIDC Authentication\n"
+                                    + "quarkus.smallrye-openapi.oidc-open-id-connect-url=BUILD-TIME-OVERRIDDEN\n"
+                                    + "quarkus.http.auth.permission.\"oidc\".policy=authenticated\n"
+                                    + "quarkus.http.auth.permission.\"oidc\".paths=/resource/*\n"
+                                    + "quarkus.oidc.auth-server-url=BUILD-TIME-OVERRIDDEN\n"
+                                    + "quarkus.devservices.enabled=false"),
+                            "application.properties"))
+            .setForcedDependencies(List.of(
+                    Dependency.of("io.quarkus", "quarkus-oidc", Version.getVersion())))
+            .overrideRuntimeConfigKey("quarkus.oidc.auth-server-url", "http://localhost:8081/auth/realms/OpenAPIOIDC");
+}

extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityTestBase.java

@@ -0,0 +1,24 @@
+package io.quarkus.smallrye.openapi.test.jaxrs;
+
+import static org.hamcrest.Matchers.allOf;
+import static org.hamcrest.Matchers.hasEntry;
+
+import org.junit.jupiter.api.Test;
+
+import io.restassured.RestAssured;
+
+abstract class OIDCSecurityTestBase {
+
+    @Test
+    void testOIDCAuthentication() {
+        RestAssured.given().header("Accept", "application/json")
+                .when().get("/q/openapi")
+                .then().body("components.securitySchemes.OIDCCompanyAuthentication",
+                        allOf(
+                                hasEntry("type", "openIdConnect"),
+                                hasEntry("description", "OIDC Authentication"),
+                                hasEntry("openIdConnectUrl",
+                                        "http://localhost:8081/auth/realms/OpenAPIOIDC/.well-known/openid-configuration")));
+    }
+
+}

extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityWithConfigTestCase.java

@@ -1,14 +1,12 @@
 package io.quarkus.smallrye.openapi.test.jaxrs;
 
-import org.hamcrest.Matchers;
 import org.jboss.shrinkwrap.api.asset.StringAsset;
-import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
 
 import io.quarkus.test.QuarkusUnitTest;
-import io.restassured.RestAssured;
 
-public class OIDCSecurityWithConfigTestCase {
+class OIDCSecurityWithConfigTestCase extends OIDCSecurityTestBase {
+
     @RegisterExtension
     static QuarkusUnitTest runner = new QuarkusUnitTest()
             .withApplicationRoot((jar) -> jar
@@ -18,18 +16,5 @@ public class OIDCSecurityWithConfigTestCase {
                                     + "quarkus.smallrye-openapi.security-scheme-name=OIDCCompanyAuthentication\n"
                                     + "quarkus.smallrye-openapi.security-scheme-description=OIDC Authentication\n"
                                     + "quarkus.smallrye-openapi.oidc-open-id-connect-url=http://localhost:8081/auth/realms/OpenAPIOIDC/.well-known/openid-configuration"),
-
                             "application.properties"));
-
-    @Test
-    public void testOIDCAuthentication() {
-        RestAssured.given().header("Accept", "application/json")
-                .when().get("/q/openapi")
-                .then().body("components.securitySchemes.OIDCCompanyAuthentication", Matchers.hasEntry("type", "openIdConnect"))
-                .and()
-                .body("components.securitySchemes.OIDCCompanyAuthentication",
-                        Matchers.hasEntry("description", "OIDC Authentication"))
-                .and().body("components.securitySchemes.OIDCCompanyAuthentication", Matchers.hasEntry("openIdConnectUrl",
-                        "http://localhost:8081/auth/realms/OpenAPIOIDC/.well-known/openid-configuration"));
-    }
 }

extensions/smallrye-openapi/runtime/src/main/java/io/quarkus/smallrye/openapi/OpenApiFilter.java

@@ -26,9 +26,9 @@
      */
     int priority() default 1;
 
-    static enum RunStage {
+    enum RunStage {
         BUILD,
         RUN,
         BOTH
     }
-}
+}

extensions/smallrye-openapi/runtime/src/main/java/io/quarkus/smallrye/openapi/runtime/filter/AutoBasicSecurityFilter.java

@@ -2,7 +2,6 @@
 
 import java.util.Map;
 
-import org.eclipse.microprofile.openapi.OASFactory;
 import org.eclipse.microprofile.openapi.models.security.SecurityScheme;
 
 /**
@@ -31,10 +30,8 @@ public void setBasicSecuritySchemeValue(String basicSecuritySchemeValue) {
     }
 
     @Override
-    protected SecurityScheme getSecurityScheme() {
-        SecurityScheme securityScheme = OASFactory.createSecurityScheme();
+    protected void updateSecurityScheme(SecurityScheme securityScheme) {
         securityScheme.setType(SecurityScheme.Type.HTTP);
         securityScheme.setScheme(basicSecuritySchemeValue);
-        return securityScheme;
     }
 }

extensions/smallrye-openapi/runtime/src/main/java/io/quarkus/smallrye/openapi/runtime/filter/AutoBearerTokenSecurityFilter.java

@@ -2,7 +2,6 @@
 
 import java.util.Map;
 
-import org.eclipse.microprofile.openapi.OASFactory;
 import org.eclipse.microprofile.openapi.models.security.SecurityScheme;
 
 /**
@@ -42,11 +41,9 @@ public void setBearerFormat(String bearerFormat) {
     }
 
     @Override
-    protected SecurityScheme getSecurityScheme() {
-        SecurityScheme securityScheme = OASFactory.createSecurityScheme();
+    protected void updateSecurityScheme(SecurityScheme securityScheme) {
         securityScheme.setType(SecurityScheme.Type.HTTP);
         securityScheme.setScheme(securitySchemeValue);
         securityScheme.setBearerFormat(bearerFormat);
-        return securityScheme;
     }
 }

extensions/smallrye-openapi/runtime/src/main/java/io/quarkus/smallrye/openapi/runtime/filter/AutoSecurityFilter.java

@@ -1,7 +1,8 @@
 package io.quarkus.smallrye.openapi.runtime.filter;
 
-import java.util.HashMap;
+import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.Optional;
 
 import org.eclipse.microprofile.config.Config;
 import org.eclipse.microprofile.config.ConfigProvider;
@@ -56,30 +57,40 @@ public void setSecuritySchemeExtensions(Map<String, String> securitySchemeExtens
         this.securitySchemeExtensions = securitySchemeExtensions;
     }
 
+    public boolean runtimeRequired() {
+        return false;
+    }
+
     @Override
     public void filterOpenAPI(OpenAPI openAPI) {
         // Make sure components are created
         if (openAPI.getComponents() == null) {
             openAPI.setComponents(OASFactory.createComponents());
         }
 
-        Map<String, SecurityScheme> securitySchemes = new HashMap<>();
+        Map<String, SecurityScheme> securitySchemes = new LinkedHashMap<>();
 
         // Add any existing security
-        if (openAPI.getComponents().getSecuritySchemes() != null
-                && !openAPI.getComponents().getSecuritySchemes().isEmpty()) {
-            securitySchemes.putAll(openAPI.getComponents().getSecuritySchemes());
+        Optional.ofNullable(openAPI.getComponents().getSecuritySchemes())
+                .ifPresent(securitySchemes::putAll);
+
+        SecurityScheme securityScheme = securitySchemes.computeIfAbsent(
+                securitySchemeName,
+                name -> OASFactory.createSecurityScheme());
+
+        updateSecurityScheme(securityScheme);
+
+        if (securitySchemeDescription != null) {
+            securityScheme.setDescription(securitySchemeDescription);
         }
 
-        SecurityScheme securityScheme = getSecurityScheme();
-        securityScheme.setDescription(securitySchemeDescription);
         securitySchemeExtensions.forEach(securityScheme::addExtension);
 
         securitySchemes.put(securitySchemeName, securityScheme);
         openAPI.getComponents().setSecuritySchemes(securitySchemes);
     }
 
-    protected abstract SecurityScheme getSecurityScheme();
+    protected abstract void updateSecurityScheme(SecurityScheme securityScheme);
 
     protected String getUrl(String configKey, String defaultValue, String shouldEndWith) {
         Config c = ConfigProvider.getConfig();
@@ -92,4 +103,4 @@ protected String getUrl(String configKey, String defaultValue, String shouldEndW
         return u;
     }
 
-}
+}

extensions/smallrye-openapi/runtime/src/main/java/io/quarkus/smallrye/openapi/runtime/filter/OpenIDConnectSecurityFilter.java

@@ -2,7 +2,6 @@
 
 import java.util.Map;
 
-import org.eclipse.microprofile.openapi.OASFactory;
 import org.eclipse.microprofile.openapi.models.security.SecurityScheme;
 
 /**
@@ -32,11 +31,14 @@ public void setOpenIdConnectUrl(AutoUrl openIdConnectUrl) {
     }
 
     @Override
-    protected SecurityScheme getSecurityScheme() {
-        SecurityScheme securityScheme = OASFactory.createSecurityScheme();
+    public boolean runtimeRequired() {
+        return true;
+    }
+
+    @Override
+    protected void updateSecurityScheme(SecurityScheme securityScheme) {
         securityScheme.setType(SecurityScheme.Type.OPENIDCONNECT);
         securityScheme.setOpenIdConnectUrl(openIdConnectUrl.getFinalUrlValue());
-        return securityScheme;
     }
 
 }