From 6160c65afe0c003d5cfcec940e85f87e493a952b Mon Sep 17 00:00:00 2001 From: Michael Edgar Date: Thu, 12 Oct 2023 14:59:49 -0400 Subject: [PATCH] OpenAPI: enable auto security filter for auth policy via configuration Signed-off-by: Michael Edgar --- .../deployment/SmallRyeOpenApiProcessor.java | 29 ++++++++++++++----- .../jaxrs/OIDCSecurityAutoAddTestTest.java | 29 +++++++++++++++++++ .../test/jaxrs/OIDCSecurityTestBase.java | 24 +++++++++++++++ .../jaxrs/OIDCSecurityWithConfigTestCase.java | 18 ++---------- 4 files changed, 77 insertions(+), 23 deletions(-) create mode 100644 extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityAutoAddTestTest.java create mode 100644 extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityTestBase.java diff --git a/extensions/smallrye-openapi/deployment/src/main/java/io/quarkus/smallrye/openapi/deployment/SmallRyeOpenApiProcessor.java b/extensions/smallrye-openapi/deployment/src/main/java/io/quarkus/smallrye/openapi/deployment/SmallRyeOpenApiProcessor.java index 5b1f46f1dd2f5..eff7bfa2f18af 100644 --- a/extensions/smallrye-openapi/deployment/src/main/java/io/quarkus/smallrye/openapi/deployment/SmallRyeOpenApiProcessor.java +++ b/extensions/smallrye-openapi/deployment/src/main/java/io/quarkus/smallrye/openapi/deployment/SmallRyeOpenApiProcessor.java @@ -108,6 +108,7 @@ import io.quarkus.vertx.http.deployment.RouteBuildItem; import io.quarkus.vertx.http.deployment.SecurityInformationBuildItem; import io.quarkus.vertx.http.deployment.devmode.NotFoundPageDisplayableEndpointBuildItem; +import io.quarkus.vertx.http.runtime.HttpBuildTimeConfig; import io.quarkus.vertx.http.runtime.management.ManagementInterfaceBuildTimeConfig; import io.quarkus.vertx.http.runtime.management.ManagementInterfaceConfiguration; import io.smallrye.openapi.api.OpenApiConfig; 
@@ -222,15 +223,15 @@ void registerAutoSecurityFilter(BuildProducer syntheticB SmallRyeOpenApiConfig openApiConfig, OpenApiFilteredIndexViewBuildItem apiFilteredIndexViewBuildItem, List securityInformationBuildItems, - OpenApiRecorder recorder) { + OpenApiRecorder recorder, + HttpBuildTimeConfig httpConfig) { + OASFilter autoSecurityFilter = null; - if (openApiConfig.autoAddSecurity) { + + if (openApiConfig.autoAddSecurity + && hasEnabledAuthPermission(httpConfig, openApiConfig, apiFilteredIndexViewBuildItem)) { // Only add the security if there are secured endpoints - OASFilter autoRolesAllowedFilter = getAutoRolesAllowedFilter(openApiConfig.securitySchemeName, - apiFilteredIndexViewBuildItem, openApiConfig); - if (autoRolesAllowedFilter != null) { - autoSecurityFilter = getAutoSecurityFilter(securityInformationBuildItems, openApiConfig); - } + autoSecurityFilter = getAutoSecurityFilter(securityInformationBuildItems, openApiConfig); } syntheticBeans.produce(SyntheticBeanBuildItem.configure(OASFilter.class).setRuntimeInit() @@ -543,6 +544,20 @@ private OASFilter getAutoSecurityFilter(List secur return null; } + private boolean hasEnabledAuthPermission(HttpBuildTimeConfig httpConfig, + SmallRyeOpenApiConfig openApiConfig, + OpenApiFilteredIndexViewBuildItem apiFilteredIndexViewBuildItem) { + return httpConfig.auth.permissions.values() + .stream() + .map(mapping -> mapping.enabled) + // By default, if the permission set is defined, it is enabled. + .map(enabled -> enabled.orElse(Boolean.TRUE)) + .filter(Boolean.TRUE::equals) + .findFirst() + .orElseGet(() -> getAutoRolesAllowedFilter(openApiConfig.securitySchemeName, + apiFilteredIndexViewBuildItem, openApiConfig) != null); + } + private OASFilter getAutoRolesAllowedFilter(String securitySchemeName, OpenApiFilteredIndexViewBuildItem apiFilteredIndexViewBuildItem, SmallRyeOpenApiConfig config) { 
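Review bot: The retained comment `// Only add the security if there are secured endpoints` no longer describes the guard in registerAutoSecurityFilter, because the condition is now `hasEnabledAuthPermission(...)`, which configuration alone can satisfy before any endpoint is inspected. I would reword it to `// Add the scheme only when an HTTP auth permission set is enabled or the roles-allowed scan finds secured endpoints`. The method's signature starts before the hunk and its body continues past it, so only the visible condition is covered here.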
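Review bot: hasEnabledAuthPermission accepts any permission set whose `enabled` is true or unset, without checking which policy it maps to, so a set bound to a policy that admits every request would still make the generated document advertise a security scheme. Clients and reviewers read the OpenAPI document as the API's security contract, so the check should probably also require a policy that actually restricts access; the mapping type is not visible in this hunk, so which field to read is an assumption to confirm. Separately, the `map`/`map`/`filter`/`findFirst`/`orElseGet` chain reads more directly as `anyMatch(mapping -> mapping.enabled.orElse(Boolean.TRUE))` joined with `|| getAutoRolesAllowedFilter(...) != null`. The method name also hides the annotation fallback, which a one-line Javadoc should state.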
diff --git a/extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityAutoAddTestTest.java b/extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityAutoAddTestTest.java new file mode 100644 index 0000000000000..ad51275b87e15 --- /dev/null +++ b/extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityAutoAddTestTest.java @@ -0,0 +1,29 @@ +package io.quarkus.smallrye.openapi.test.jaxrs; + +import java.util.List; + +import org.jboss.shrinkwrap.api.asset.StringAsset; +import org.junit.jupiter.api.extension.RegisterExtension; + +import io.quarkus.builder.Version; +import io.quarkus.maven.dependency.Dependency; +import io.quarkus.test.QuarkusUnitTest; + +class OIDCSecurityAutoAddTestTest extends OIDCSecurityTestBase { + + @RegisterExtension + static QuarkusUnitTest runner = new QuarkusUnitTest() + .withApplicationRoot((jar) -> jar + .addClasses(OpenApiResource.class, ResourceBean.class) + .addAsResource( + new StringAsset("" + + "quarkus.smallrye-openapi.security-scheme-name=OIDCCompanyAuthentication\n" + + "quarkus.smallrye-openapi.security-scheme-description=OIDC Authentication\n" + + "quarkus.http.auth.permission.\"oidc\".policy=authenticated\n" + + "quarkus.http.auth.permission.\"oidc\".paths=/resource/*\n" + + "quarkus.oidc.auth-server-url=http://localhost:8081/auth/realms/OpenAPIOIDC"), + "application.properties")) + .setForcedDependencies(List.of( + Dependency.of("io.quarkus", "quarkus-oidc", Version.getVersion()))); + +} diff --git a/extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityTestBase.java b/extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityTestBase.java new file mode 100644 index 0000000000000..300d438c5903b --- /dev/null 
+++ b/extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityTestBase.java @@ -0,0 +1,24 @@ +package io.quarkus.smallrye.openapi.test.jaxrs; + +import static org.hamcrest.Matchers.allOf; +import static org.hamcrest.Matchers.hasEntry; + +import org.junit.jupiter.api.Test; + +import io.restassured.RestAssured; + +abstract class OIDCSecurityTestBase { + + @Test + void testOIDCAuthentication() { + RestAssured.given().header("Accept", "application/json") + .when().get("/q/openapi") + .then().body("components.securitySchemes.OIDCCompanyAuthentication", + allOf( + hasEntry("type", "openIdConnect"), + hasEntry("description", "OIDC Authentication"), + hasEntry("openIdConnectUrl", + "http://localhost:8081/auth/realms/OpenAPIOIDC/.well-known/openid-configuration"))); + } + +} diff --git a/extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityWithConfigTestCase.java b/extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityWithConfigTestCase.java index e5de3451f5414..3036041178742 100644 --- a/extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityWithConfigTestCase.java +++ b/extensions/smallrye-openapi/deployment/src/test/java/io/quarkus/smallrye/openapi/test/jaxrs/OIDCSecurityWithConfigTestCase.java @@ -1,14 +1,12 @@ package io.quarkus.smallrye.openapi.test.jaxrs; -import org.hamcrest.Matchers; import org.jboss.shrinkwrap.api.asset.StringAsset; -import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.RegisterExtension; import io.quarkus.test.QuarkusUnitTest; -import io.restassured.RestAssured; -public class OIDCSecurityWithConfigTestCase { +class OIDCSecurityWithConfigTestCase extends OIDCSecurityTestBase { + @RegisterExtension static QuarkusUnitTest runner = new QuarkusUnitTest() .withApplicationRoot((jar) -> jar 
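Review bot: testOIDCAuthentication only asserts that the scheme is present under `components.securitySchemes`, so neither subclass exercises the negative side of the new `enabled` handling. A sibling case whose only permission set carries `quarkus.http.auth.permission."oidc".enabled=false`, asserting that the scheme is absent, would pin the branch that decides whether the document advertises authentication. That case only works if the test resources carry no security annotations that trigger the fallback, which is not visible from this hunk.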
@@ -18,18 +16,6 @@ public class OIDCSecurityWithConfigTestCase { + "quarkus.smallrye-openapi.security-scheme-name=OIDCCompanyAuthentication\n" + "quarkus.smallrye-openapi.security-scheme-description=OIDC Authentication\n" + "quarkus.smallrye-openapi.oidc-open-id-connect-url=http://localhost:8081/auth/realms/OpenAPIOIDC/.well-known/openid-configuration"), - "application.properties")); - @Test - public void testOIDCAuthentication() { - RestAssured.given().header("Accept", "application/json") - .when().get("/q/openapi") - .then().body("components.securitySchemes.OIDCCompanyAuthentication", Matchers.hasEntry("type", "openIdConnect")) - .and() - .body("components.securitySchemes.OIDCCompanyAuthentication", - Matchers.hasEntry("description", "OIDC Authentication")) - .and().body("components.securitySchemes.OIDCCompanyAuthentication", Matchers.hasEntry("openIdConnectUrl", - "http://localhost:8081/auth/realms/OpenAPIOIDC/.well-known/openid-configuration")); - } }