Merge pull request #19680 from phillip-kruger/openapi-autosecurity

OpenAPI Auto security based on extensions

extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/OidcBuildStep.java

@@ -38,6 +38,7 @@
 import io.quarkus.oidc.runtime.TenantConfigBean;
 import io.quarkus.runtime.TlsConfig;
 import io.quarkus.vertx.core.deployment.CoreVertxBuildItem;
+import io.quarkus.vertx.http.deployment.SecurityInformationBuildItem;
 import io.smallrye.jwt.auth.cdi.ClaimValueProducer;
 import io.smallrye.jwt.auth.cdi.CommonJwtProducer;
 import io.smallrye.jwt.auth.cdi.JsonValueProducer;
@@ -51,6 +52,14 @@ FeatureBuildItem featureBuildItem() {
         return new FeatureBuildItem(Feature.OIDC);
     }
 
+    @BuildStep(onlyIf = IsEnabled.class)
+    public void provideSecurityInformation(BuildProducer<SecurityInformationBuildItem> securityInformationProducer) {
+        // TODO: By default quarkus.oidc.application-type = service
+        // Also look at other options (web-app, hybrid)
+        securityInformationProducer
+                .produce(SecurityInformationBuildItem.OPENIDCONNECT("quarkus.oidc.auth-server-url"));
+    }
+
     @BuildStep(onlyIf = IsEnabled.class)
     AdditionalBeanBuildItem jwtClaimIntegration(Capabilities capabilities) {
         if (!capabilities.isPresent(Capability.JWT)) {

extensions/smallrye-jwt/deployment/src/main/java/io/quarkus/smallrye/jwt/deployment/SmallRyeJwtProcessor.java

@@ -37,6 +37,7 @@
 import io.quarkus.smallrye.jwt.runtime.auth.JwtPrincipalProducer;
 import io.quarkus.smallrye.jwt.runtime.auth.MpJwtValidator;
 import io.quarkus.smallrye.jwt.runtime.auth.RawOptionalClaimCreator;
+import io.quarkus.vertx.http.deployment.SecurityInformationBuildItem;
 import io.smallrye.jwt.algorithm.KeyEncryptionAlgorithm;
 import io.smallrye.jwt.algorithm.SignatureAlgorithm;
 import io.smallrye.jwt.auth.cdi.ClaimValueProducer;
@@ -69,6 +70,11 @@ EnableAllSecurityServicesBuildItem security() {
         return new EnableAllSecurityServicesBuildItem();
     }
 
+    @BuildStep(onlyIf = IsEnabled.class)
+    public void provideSecurityInformation(BuildProducer<SecurityInformationBuildItem> securityInformationProducer) {
+        securityInformationProducer.produce(SecurityInformationBuildItem.JWT());
+    }
+
     /**
      * Register the CDI beans that are needed by the MP-JWT extension
      *

extensions/smallrye-openapi-common/deployment/src/main/java/io/quarkus/smallrye/openapi/common/deployment/SmallRyeOpenApiConfig.java

@@ -70,6 +70,12 @@ public final class SmallRyeOpenApiConfig {
     @ConfigItem(defaultValue = "true")
     public boolean autoAddTags;
 
+    /**
+     * This will automatically add security based on the security extension included (if any).
+     */
+    @ConfigItem(defaultValue = "true")
+    public boolean autoAddSecurity;
+
     /**
      * Add a scheme value to the Basic HTTP Security Scheme
      */

extensions/smallrye-openapi/deployment/src/main/java/io/quarkus/smallrye/openapi/deployment/SmallRyeOpenApiProcessor.java

@@ -76,9 +76,14 @@
 import io.quarkus.smallrye.openapi.runtime.OpenApiDocumentService;
 import io.quarkus.smallrye.openapi.runtime.OpenApiRecorder;
 import io.quarkus.smallrye.openapi.runtime.OpenApiRuntimeConfig;
+import io.quarkus.smallrye.openapi.runtime.filter.AutoBasicSecurityFilter;
+import io.quarkus.smallrye.openapi.runtime.filter.AutoJWTSecurityFilter;
+import io.quarkus.smallrye.openapi.runtime.filter.AutoUrl;
+import io.quarkus.smallrye.openapi.runtime.filter.OpenIDConnectSecurityFilter;
 import io.quarkus.vertx.http.deployment.HttpRootPathBuildItem;
 import io.quarkus.vertx.http.deployment.NonApplicationRootPathBuildItem;
 import io.quarkus.vertx.http.deployment.RouteBuildItem;
+import io.quarkus.vertx.http.deployment.SecurityInformationBuildItem;
 import io.quarkus.vertx.http.deployment.devmode.NotFoundPageDisplayableEndpointBuildItem;
 import io.quarkus.vertx.http.runtime.HttpConfiguration;
 import io.smallrye.openapi.api.OpenApiConfig;
@@ -168,9 +173,11 @@ RouteBuildItem handler(LaunchModeBuildItem launch,
             BuildProducer<NotFoundPageDisplayableEndpointBuildItem> displayableEndpoints,
             OpenApiRecorder recorder,
             NonApplicationRootPathBuildItem nonApplicationRootPathBuildItem,
+            List<SecurityInformationBuildItem> securityInformationBuildItems,
             OpenApiRuntimeConfig openApiRuntimeConfig,
             ShutdownContextBuildItem shutdownContext,
             SmallRyeOpenApiConfig openApiConfig,
+            OpenApiFilteredIndexViewBuildItem apiFilteredIndexViewBuildItem,
             HttpConfiguration httpConfiguration) {
         /*
          * <em>Ugly Hack</em>
@@ -187,7 +194,17 @@ RouteBuildItem handler(LaunchModeBuildItem launch,
             recorder.setupClDevMode(shutdownContext);
         }
 
-        Handler<RoutingContext> handler = recorder.handler(openApiRuntimeConfig, httpConfiguration);
+        OASFilter autoSecurityFilter = null;
+        if (openApiConfig.autoAddSecurity) {
+            // Only add the security if there are secured endpoints
+            OASFilter autoRolesAllowedFilter = getAutoRolesAllowedFilter(openApiConfig.securitySchemeName,
+                    apiFilteredIndexViewBuildItem, openApiConfig);
+            if (autoRolesAllowedFilter != null) {
+                autoSecurityFilter = getAutoSecurityFilter(securityInformationBuildItems, openApiConfig);
+            }
+        }
+
+        Handler<RoutingContext> handler = recorder.handler(openApiRuntimeConfig, httpConfiguration, autoSecurityFilter);
         return nonApplicationRootPathBuildItem.routeBuilder()
                 .route(openApiConfig.path)
                 .routeConfigKey("quarkus.smallrye-openapi.path")
@@ -277,6 +294,64 @@ void addSecurityFilter(BuildProducer<AddToOpenAPIDefinitionBuildItem> addToOpenA
 
     }
 
+    private OASFilter getAutoSecurityFilter(List<SecurityInformationBuildItem> securityInformationBuildItems,
+            SmallRyeOpenApiConfig config) {
+
+        // Auto add a security from security extension(s)
+        if (!config.securityScheme.isPresent() && securityInformationBuildItems != null
+                && !securityInformationBuildItems.isEmpty()) {
+            // This needs to be a filter in runtime as the config we use to auto configure is in runtime
+            for (SecurityInformationBuildItem securityInformationBuildItem : securityInformationBuildItems) {
+                SecurityInformationBuildItem.SecurityModel securityModel = securityInformationBuildItem.getSecurityModel();
+                switch (securityModel) {
+                    case jwt:
+                        return new AutoJWTSecurityFilter(
+                                config.securitySchemeName,
+                                config.securitySchemeDescription,
+                                config.jwtSecuritySchemeValue,
+                                config.jwtBearerFormat);
+                    case basic:
+                        return new AutoBasicSecurityFilter(
+                                config.securitySchemeName,
+                                config.securitySchemeDescription,
+                                config.basicSecuritySchemeValue);
+                    case oidc:
+                        Optional<SecurityInformationBuildItem.OpenIDConnectInformation> maybeInfo = securityInformationBuildItem
+                                .getOpenIDConnectInformation();
+
+                        if (maybeInfo.isPresent()) {
+                            SecurityInformationBuildItem.OpenIDConnectInformation info = maybeInfo.get();
+
+                            AutoUrl authorizationUrl = new AutoUrl(
+                                    config.oidcOpenIdConnectUrl.orElse(null),
+                                    info.getUrlConfigKey(),
+                                    "/protocol/openid-connect/auth");
+
+                            AutoUrl refreshUrl = new AutoUrl(
+                                    config.oidcOpenIdConnectUrl.orElse(null),
+                                    info.getUrlConfigKey(),
+                                    "/protocol/openid-connect/token");
+
+                            AutoUrl tokenUrl = new AutoUrl(
+                                    config.oidcOpenIdConnectUrl.orElse(null),
+                                    info.getUrlConfigKey(),
+                                    "/protocol/openid-connect/token/introspect");
+
+                            return new OpenIDConnectSecurityFilter(
+                                    config.securitySchemeName,
+                                    config.securitySchemeDescription,
+                                    authorizationUrl, refreshUrl, tokenUrl);
+
+                        }
+                        break;
+                    default:
+                        break;
+                }
+            }
+        }
+        return null;
+    }
+
     private OASFilter getAutoRolesAllowedFilter(String securitySchemeName,
             OpenApiFilteredIndexViewBuildItem apiFilteredIndexViewBuildItem,
             SmallRyeOpenApiConfig config) {

extensions/smallrye-openapi/runtime/src/main/java/io/quarkus/smallrye/openapi/runtime/OpenApiDocumentService.java

@@ -4,7 +4,6 @@
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
 
-import javax.annotation.PostConstruct;
 import javax.enterprise.context.ApplicationScoped;
 
 import org.eclipse.microprofile.config.Config;
@@ -30,16 +29,15 @@ public class OpenApiDocumentService implements OpenApiDocumentHolder {
 
     private OpenApiDocumentHolder documentHolder;
 
-    @PostConstruct
-    void create() throws IOException {
+    void init(OASFilter autoSecurityFilter) {
 
         Config config = ConfigProvider.getConfig();
         this.alwaysRunFilter = config.getOptionalValue("quarkus.smallrye-openapi.always-run-filter", Boolean.class)
                 .orElse(Boolean.FALSE);
         if (alwaysRunFilter) {
-            this.documentHolder = new DynamicDocument(config);
+            this.documentHolder = new DynamicDocument(config, autoSecurityFilter);
         } else {
-            this.documentHolder = new StaticDocument(config);
+            this.documentHolder = new StaticDocument(config, autoSecurityFilter);
         }
     }
 
@@ -59,7 +57,7 @@ class StaticDocument implements OpenApiDocumentHolder {
         private byte[] jsonDocument;
         private byte[] yamlDocument;
 
-        StaticDocument(Config config) {
+        StaticDocument(Config config, OASFilter autoFilter) {
             ClassLoader cl = OpenApiConstants.classLoader == null ? Thread.currentThread().getContextClassLoader()
                     : OpenApiConstants.classLoader;
             try (InputStream is = cl.getResourceAsStream(OpenApiConstants.BASE_NAME + Format.JSON)) {
@@ -72,6 +70,9 @@ class StaticDocument implements OpenApiDocumentHolder {
                         document.reset();
                         document.config(openApiConfig);
                         document.modelFromStaticFile(OpenApiProcessor.modelFromStaticFile(staticFile));
+                        if (autoFilter != null) {
+                            document.filter(autoFilter);
+                        }
                         document.filter(OpenApiProcessor.getFilter(openApiConfig, cl));
                         document.initialize();
 
@@ -104,17 +105,19 @@ class DynamicDocument implements OpenApiDocumentHolder {
 
         private OpenAPI generatedOnBuild;
         private OpenApiConfig openApiConfig;
-        private OASFilter filter;
+        private OASFilter userFilter;
+        private OASFilter autoFilter;
 
-        DynamicDocument(Config config) {
+        DynamicDocument(Config config, OASFilter autoFilter) {
             ClassLoader cl = OpenApiConstants.classLoader == null ? Thread.currentThread().getContextClassLoader()
                     : OpenApiConstants.classLoader;
             try (InputStream is = cl.getResourceAsStream(OpenApiConstants.BASE_NAME + Format.JSON)) {
                 if (is != null) {
                     try (OpenApiStaticFile staticFile = new OpenApiStaticFile(is, Format.JSON)) {
                         this.generatedOnBuild = OpenApiProcessor.modelFromStaticFile(staticFile);
                         this.openApiConfig = new OpenApiConfigImpl(config);
-                        this.filter = OpenApiProcessor.getFilter(openApiConfig, cl);
+                        this.userFilter = OpenApiProcessor.getFilter(openApiConfig, cl);
+                        this.autoFilter = autoFilter;
                     }
                 }
             } catch (IOException ex) {
@@ -153,7 +156,10 @@ private OpenApiDocument getOpenApiDocument() {
             document.reset();
             document.config(this.openApiConfig);
             document.modelFromStaticFile(this.generatedOnBuild);
-            document.filter(this.filter);
+            if (this.autoFilter != null) {
+                document.filter(this.autoFilter);
+            }
+            document.filter(this.userFilter);
             document.initialize();
             return document;
         }

extensions/smallrye-openapi/runtime/src/main/java/io/quarkus/smallrye/openapi/runtime/OpenApiHandler.java

@@ -2,6 +2,8 @@
 
 import java.util.List;
 
+import org.eclipse.microprofile.openapi.OASFilter;
+
 import io.quarkus.arc.Arc;
 import io.smallrye.openapi.runtime.io.Format;
 import io.vertx.core.Handler;
@@ -32,9 +34,11 @@ public class OpenApiHandler implements Handler<RoutingContext> {
     }
 
     final boolean corsEnabled;
+    final OASFilter autoSecurityFilter;
 
-    public OpenApiHandler(boolean corsEnabled) {
+    public OpenApiHandler(boolean corsEnabled, OASFilter autoSecurityFilter) {
         this.corsEnabled = corsEnabled;
+        this.autoSecurityFilter = autoSecurityFilter;
     }
 
     @Override
@@ -77,6 +81,7 @@ public void handle(RoutingContext event) {
     private OpenApiDocumentService getOpenApiDocumentService() {
         if (this.openApiDocumentService == null) {
             this.openApiDocumentService = Arc.container().instance(OpenApiDocumentService.class).get();
+            this.openApiDocumentService.init(this.autoSecurityFilter);
         }
         return this.openApiDocumentService;
     }

extensions/smallrye-openapi/runtime/src/main/java/io/quarkus/smallrye/openapi/runtime/OpenApiRecorder.java

@@ -5,6 +5,7 @@
 import java.net.URL;
 import java.util.Enumeration;
 
+import org.eclipse.microprofile.openapi.OASFilter;
 import org.eclipse.microprofile.openapi.spi.OASFactoryResolver;
 
 import io.quarkus.runtime.ShutdownContext;
@@ -16,9 +17,10 @@
 @Recorder
 public class OpenApiRecorder {
 
-    public Handler<RoutingContext> handler(OpenApiRuntimeConfig runtimeConfig, HttpConfiguration configuration) {
+    public Handler<RoutingContext> handler(OpenApiRuntimeConfig runtimeConfig, HttpConfiguration configuration,
+            OASFilter autoSecurityFilter) {
         if (runtimeConfig.enable) {
-            return new OpenApiHandler(configuration.corsEnabled);
+            return new OpenApiHandler(configuration.corsEnabled, autoSecurityFilter);
         } else {
             return new OpenApiNotFoundHandler();
         }

extensions/smallrye-openapi/runtime/src/main/java/io/quarkus/smallrye/openapi/runtime/filter/AutoBasicSecurityFilter.java

@@ -0,0 +1,37 @@
+package io.quarkus.smallrye.openapi.runtime.filter;
+
+import org.eclipse.microprofile.openapi.OASFactory;
+import org.eclipse.microprofile.openapi.models.security.SecurityScheme;
+
+/**
+ * Add Basic Authentication security automatically based on the added security extensions
+ */
+public class AutoBasicSecurityFilter extends AutoSecurityFilter {
+    private String basicSecuritySchemeValue;
+
+    public AutoBasicSecurityFilter() {
+        super();
+    }
+
+    public AutoBasicSecurityFilter(String securitySchemeName, String securitySchemeDescription,
+            String basicSecuritySchemeValue) {
+        super(securitySchemeName, securitySchemeDescription);
+        this.basicSecuritySchemeValue = basicSecuritySchemeValue;
+    }
+
+    public String getBasicSecuritySchemeValue() {
+        return basicSecuritySchemeValue;
+    }
+
+    public void setBasicSecuritySchemeValue(String basicSecuritySchemeValue) {
+        this.basicSecuritySchemeValue = basicSecuritySchemeValue;
+    }
+
+    @Override
+    protected SecurityScheme getSecurityScheme() {
+        SecurityScheme securityScheme = OASFactory.createSecurityScheme();
+        securityScheme.setType(SecurityScheme.Type.HTTP);
+        securityScheme.setScheme(basicSecuritySchemeValue);
+        return securityScheme;
+    }
+}

extensions/smallrye-openapi/runtime/src/main/java/io/quarkus/smallrye/openapi/runtime/filter/AutoJWTSecurityFilter.java

@@ -0,0 +1,48 @@
+package io.quarkus.smallrye.openapi.runtime.filter;
+
+import org.eclipse.microprofile.openapi.OASFactory;
+import org.eclipse.microprofile.openapi.models.security.SecurityScheme;
+
+/**
+ * Add JWT Authentication security automatically based on the added security extensions
+ */
+public class AutoJWTSecurityFilter extends AutoSecurityFilter {
+    private String jwtSecuritySchemeValue;
+    private String jwtBearerFormat;
+
+    public AutoJWTSecurityFilter() {
+        super();
+    }
+
+    public AutoJWTSecurityFilter(String securitySchemeName, String securitySchemeDescription, String jwtSecuritySchemeValue,
+            String jwtBearerFormat) {
+        super(securitySchemeName, securitySchemeDescription);
+        this.jwtSecuritySchemeValue = jwtSecuritySchemeValue;
+        this.jwtBearerFormat = jwtBearerFormat;
+    }
+
+    public String getJwtSecuritySchemeValue() {
+        return jwtSecuritySchemeValue;
+    }
+
+    public void setJwtSecuritySchemeValue(String jwtSecuritySchemeValue) {
+        this.jwtSecuritySchemeValue = jwtSecuritySchemeValue;
+    }
+
+    public String getJwtBearerFormat() {
+        return jwtBearerFormat;
+    }
+
+    public void setJwtBearerFormat(String jwtBearerFormat) {
+        this.jwtBearerFormat = jwtBearerFormat;
+    }
+
+    @Override
+    protected SecurityScheme getSecurityScheme() {
+        SecurityScheme securityScheme = OASFactory.createSecurityScheme();
+        securityScheme.setType(SecurityScheme.Type.HTTP);
+        securityScheme.setScheme(jwtSecuritySchemeValue);
+        securityScheme.setBearerFormat(jwtBearerFormat);
+        return securityScheme;
+    }
+}