Fixed bugs and converged vendor extentions to annotate jakarata @RolesAllowed

Author: Ignacio-Vidal

docs/generators/jaxrs-cxf-cdi.md

@@ -82,10 +82,10 @@ These options may be applied as additional-properties (cli) or configOptions (pl
 |title|a title describing the application| |OpenAPI Server|
 |useBeanValidation|Use BeanValidation API annotations| |true|
 |useJakartaEe|whether to use Jakarta EE namespace instead of javax| |false|
+|useJakartaSecurityAnnotations|Whether to generate Jakarta security annotations (@RolesAllowed, @PermitAll). Requires useJakartaEe=true. Currently only supported when library is set to quarkus.| |false|
 |useMicroProfileOpenAPIAnnotations|Whether to generate Microprofile OpenAPI annotations. Only valid when library is set to quarkus.| |false|
 |useMutiny|Whether to use Smallrye Mutiny instead of CompletionStage for asynchronous computation. Only valid when library is set to quarkus.| |false|
 |useOneOfInterfaces|whether to use a java interface to describe a set of oneOf options, where each option is a class that implements the interface| |false|
-|useQuarkusSecurityAnnotations|Whether to generate Quarkus security annotations (@Authenticated, @RolesAllowed, @PermitAll). Only valid when library is set to quarkus.| |false|
 |useSwaggerAnnotations|Whether to generate Swagger annotations.| |true|
 |useSwaggerV3Annotations|Whether to generate Swagger v3 (OpenAPI v3) annotations.| |false|
 |useTags|use tags for creating interface and controller classnames| |false|

docs/generators/jaxrs-spec.md

@@ -83,10 +83,10 @@ These options may be applied as additional-properties (cli) or configOptions (pl
 |title|a title describing the application| |OpenAPI Server|
 |useBeanValidation|Use BeanValidation API annotations| |true|
 |useJakartaEe|whether to use Jakarta EE namespace instead of javax| |false|
+|useJakartaSecurityAnnotations|Whether to generate Jakarta security annotations (@RolesAllowed, @PermitAll). Requires useJakartaEe=true. Currently only supported when library is set to quarkus.| |false|
 |useMicroProfileOpenAPIAnnotations|Whether to generate Microprofile OpenAPI annotations. Only valid when library is set to quarkus.| |false|
 |useMutiny|Whether to use Smallrye Mutiny instead of CompletionStage for asynchronous computation. Only valid when library is set to quarkus.| |false|
 |useOneOfInterfaces|whether to use a java interface to describe a set of oneOf options, where each option is a class that implements the interface| |false|
-|useQuarkusSecurityAnnotations|Whether to generate Quarkus security annotations (@Authenticated, @RolesAllowed, @PermitAll). Only valid when library is set to quarkus.| |false|
 |useSwaggerAnnotations|Whether to generate Swagger annotations.| |true|
 |useSwaggerV3Annotations|Whether to generate Swagger v3 (OpenAPI v3) annotations.| |false|
 |useTags|use tags for creating interface and controller classnames| |false|

modules/openapi-generator/src/main/java/org/openapitools/codegen/languages/JakartaSecurityAnnotationProcessor.java

@@ -0,0 +1,155 @@
+/*
+ * Copyright 2018 OpenAPI-Generator Contributors (https://openapi-generator.tech)
+ * Copyright 2018 SmartBear Software
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.openapitools.codegen.languages;
+
+import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.oas.models.Operation;
+import io.swagger.v3.oas.models.security.SecurityRequirement;
+import io.swagger.v3.oas.models.security.SecurityScheme;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import org.openapitools.codegen.CodegenOperation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Translates an OpenAPI operation's security requirements into Jakarta security
+ * vendor extensions on a {@link CodegenOperation} for downstream Mustache templates.
+ *
+ * <p>The OpenAPI {@code security} array uses OR semantics (any one alternative
+ * satisfies the request); the Jakarta annotations are AND-stacked. The two cannot
+ * always be reconciled, so this class emits the least restrictive annotation that
+ * is still correct for the OR group.
+ *
+ * <p>A single vendor extension {@code x-jakarta-roles-allowed} carries the value to
+ * emit. For the any-authenticated-user case it is set to the singleton list
+ * {@code ["**"]}, producing {@code @RolesAllowed({"**"})}. Future PRs will reuse
+ * the same extension to emit scoped roles (e.g. {@code ["admin"]}) without needing
+ * a second flag or template branch.
+ */
+final class JakartaSecurityAnnotationProcessor {
+
+    static final String VENDOR_X_JAKARTA_ROLES_ALLOWED = "x-jakarta-roles-allowed";
+
+    private static final List<String> ANY_AUTHENTICATED_ROLE = Collections.singletonList("**");
+
+    private final Logger LOGGER = LoggerFactory.getLogger(JakartaSecurityAnnotationProcessor.class);
+
+    /**
+     * Inspects {@code rawOp}'s security requirements (falling back to the global
+     * {@code openAPI.security} when the operation does not override) and sets
+     * {@code x-jakarta-roles-allowed} on {@code op} when the operation qualifies
+     * for {@code @RolesAllowed} emission.
+     */
+    void applyTo(CodegenOperation op, Operation rawOp, OpenAPI openAPI) {
+        // Use the raw Operation here rather than op.authMethods: by the time postProcessOperationsWithModels
+        // runs, DefaultGenerator.filterAuthMethods has flattened all SecurityRequirements into a plain list,
+        // losing the AND-group structure needed to evaluate mixed-scope combinations correctly.
+        List<SecurityRequirement> requirements = rawOp.getSecurity();
+        if (requirements == null) {
+            // Fall back to the global security block when the operation does not override it.
+            requirements = openAPI.getSecurity();
+        }
+        Map<String, SecurityScheme> schemes = resolveSchemes(openAPI);
+
+        if (qualifiesForAnyRoles(requirements, schemes)) {
+            op.vendorExtensions.put(VENDOR_X_JAKARTA_ROLES_ALLOWED, ANY_AUTHENTICATED_ROLE);
+        }
+    }
+
+    /**
+     * Returns true when at least one OR alternative fully qualifies for
+     * {@code @RolesAllowed({"**"})} and no alternative is anonymous ({@code - {}}).
+     *
+     * <p>An empty {@link SecurityRequirement} ({@code - {}}) inside the OR list means
+     * the operation may also be called unauthenticated. When that is present, the
+     * least-restrictive alternative is "no auth required", so emitting
+     * {@code @RolesAllowed({"**"})} would force authentication and contradict the
+     * spec -- we return false instead and let the future {@code @PermitAll} branch
+     * handle that case.
+     */
+    private boolean qualifiesForAnyRoles(List<SecurityRequirement> requirements,
+            Map<String, SecurityScheme> schemes) {
+        if (requirements == null || requirements.isEmpty()) {
+            return false;
+        }
+        boolean anyQualifies = false;
+        for (SecurityRequirement requirement : requirements) {
+            if (requirement.isEmpty()) {
+                // Anonymous OR alternative -- least restrictive wins; do not emit @RolesAllowed.
+                return false;
+            }
+            if (andGroupQualifies(requirement, schemes)) {
+                anyQualifies = true;
+            }
+        }
+        return anyQualifies;
+    }
+
+    /**
+     * A single {@link SecurityRequirement} is an AND group: all schemes must be
+     * satisfied simultaneously. If any scheme in the group has explicit scopes
+     * (e.g. {@code oauth2: [admin:write]}), the combined requirement is more
+     * restrictive than "any authenticated user" and does not qualify.
+     */
+    private boolean andGroupQualifies(SecurityRequirement requirement, Map<String, SecurityScheme> schemes) {
+        for (Map.Entry<String, List<String>> entry : requirement.entrySet()) {
+            SecurityScheme scheme = schemes.get(entry.getKey());
+            if (scheme == null) {
+                LOGGER.warn("Security requirement references undefined scheme '{}' -- skipping Jakarta security annotation for this AND group.",
+                        entry.getKey());
+                return false;
+            }
+            if (!schemeQualifies(scheme, entry.getValue())) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    private boolean schemeQualifies(SecurityScheme scheme, List<String> scopes) {
+        if (scheme.getType() == null) {
+            LOGGER.warn("Security scheme is missing 'type' -- skipping Jakarta security annotation.");
+            return false;
+        }
+        switch (scheme.getType()) {
+            case OAUTH2:
+            case OPENIDCONNECT:
+                // Empty scope list means the operation requires authentication but no specific role,
+                // so @RolesAllowed({"**"}) is correct. Non-empty scopes belong to a future @RolesAllowed({scope}) PR.
+                return scopes == null || scopes.isEmpty();
+            case HTTP:
+            case APIKEY:
+            case MUTUALTLS:
+                // These schemes have no scope concept; any valid credential satisfies them.
+                return true;
+            default:
+                LOGGER.warn("Unrecognised security scheme type '{}' -- skipping Jakarta security annotation.",
+                        scheme.getType());
+                return false;
+        }
+    }
+
+    private static Map<String, SecurityScheme> resolveSchemes(OpenAPI openAPI) {
+        if (openAPI.getComponents() != null && openAPI.getComponents().getSecuritySchemes() != null) {
+            return openAPI.getComponents().getSecuritySchemes();
+        }
+        return Collections.emptyMap();
+    }
+}

modules/openapi-generator/src/main/java/org/openapitools/codegen/languages/JavaJAXRSSpecServerCodegen.java

@@ -17,7 +17,9 @@
 
 package org.openapitools.codegen.languages;
 
+import io.swagger.v3.oas.models.Operation;
 import io.swagger.v3.oas.models.media.Schema;
+import io.swagger.v3.oas.models.servers.Server;
 import java.util.Locale;
 import lombok.Getter;
 import lombok.Setter;
@@ -53,7 +55,7 @@ public class JavaJAXRSSpecServerCodegen extends AbstractJavaJAXRSServerCodegen {
     public static final String USE_MUTINY = "useMutiny";
     public static final String OPEN_API_SPEC_FILE_LOCATION = "openApiSpecFileLocation";
     public static final String GENERATE_JSON_CREATOR = "generateJsonCreator";
-    public static final String USE_QUARKUS_SECURITY_ANNOTATIONS = "useQuarkusSecurityAnnotations";
+    public static final String USE_JAKARTA_SECURITY_ANNOTATIONS = "useJakartaSecurityAnnotations";
 
     public static final String QUARKUS_LIBRARY = "quarkus";
     public static final String THORNTAIL_LIBRARY = "thorntail";
@@ -69,7 +71,9 @@ public class JavaJAXRSSpecServerCodegen extends AbstractJavaJAXRSServerCodegen {
     private boolean useSwaggerV3Annotations = false;
     private boolean useMicroProfileOpenAPIAnnotations = false;
     private boolean useMutiny = false;
-    private boolean useQuarkusSecurityAnnotations = false;
+    private boolean useJakartaSecurityAnnotations = false;
+
+    private final JakartaSecurityAnnotationProcessor jakartaSecurityAnnotationProcessor = new JakartaSecurityAnnotationProcessor();
 
     @Getter @Setter
     protected boolean generateJsonCreator = true;
@@ -149,7 +153,7 @@ public JavaJAXRSSpecServerCodegen() {
         cliOptions.add(CliOption.newString(OPEN_API_SPEC_FILE_LOCATION, "Location where the file containing the spec will be generated in the output folder. No file generated when set to null or empty string."));
         cliOptions.add(CliOption.newBoolean(SUPPORT_ASYNC, "Wrap responses in CompletionStage type, allowing asynchronous computation (requires JAX-RS 2.1).", supportAsync));
         cliOptions.add(CliOption.newBoolean(USE_MUTINY, "Whether to use Smallrye Mutiny instead of CompletionStage for asynchronous computation. Only valid when library is set to quarkus.", useMutiny));
-        cliOptions.add(CliOption.newBoolean(USE_QUARKUS_SECURITY_ANNOTATIONS, "Whether to generate Quarkus security annotations (@Authenticated, @RolesAllowed, @PermitAll). Only valid when library is set to quarkus.", useQuarkusSecurityAnnotations));
+        cliOptions.add(CliOption.newBoolean(USE_JAKARTA_SECURITY_ANNOTATIONS, "Whether to generate Jakarta security annotations (@RolesAllowed, @PermitAll). Requires useJakartaEe=true. Currently only supported when library is set to quarkus.", useJakartaSecurityAnnotations));
         cliOptions.add(CliOption.newBoolean(GENERATE_JSON_CREATOR, "Whether to generate @JsonCreator constructor for required properties.", generateJsonCreator));
     }
 
@@ -192,10 +196,6 @@ public void processOpts() {
             convertPropertyToBooleanAndWriteBack(USE_MUTINY, value -> useMutiny = value);
         }
 
-        if (QUARKUS_LIBRARY.equals(library)) {
-            convertPropertyToBooleanAndWriteBack(USE_QUARKUS_SECURITY_ANNOTATIONS, value -> useQuarkusSecurityAnnotations = value);
-        }
-
         convertPropertyToBooleanAndWriteBack(GENERATE_JSON_CREATOR, this::setGenerateJsonCreator);
 
         if (additionalProperties.containsKey(OPEN_API_SPEC_FILE_LOCATION)) {
@@ -215,6 +215,18 @@ public void processOpts() {
 
         super.processOpts();
 
+        // We need to call super.processOpts() before evaluating the `library`, otherwise `library` is null when set via `configOptions` instead of via `library.set("quarkus")` in Gradle
+        if (QUARKUS_LIBRARY.equals(library)) {
+            convertPropertyToBooleanAndWriteBack(USE_JAKARTA_SECURITY_ANNOTATIONS, value -> useJakartaSecurityAnnotations = value);
+        }
+
+        if (useJakartaSecurityAnnotations && !useJakartaEe) {
+            throw new IllegalArgumentException(
+                    "Flag '" + USE_JAKARTA_SECURITY_ANNOTATIONS + "' requires '" + USE_JAKARTA_EE
+                            + "=true'. The generated annotation '@jakarta.annotation.security.RolesAllowed' "
+                            + "is incompatible with the javax.* namespace.");
+        }
+
         // expose flags to templates
         additionalProperties.put(USE_SWAGGER_ANNOTATIONS, useSwaggerAnnotations);
         additionalProperties.put(USE_SWAGGER_V3_ANNOTATIONS, useSwaggerV3Annotations);
@@ -391,4 +403,13 @@ public Map<String, ModelsMap> postProcessAllModels(Map<String, ModelsMap> objs)
         }
         return result;
     }
+
+    @Override
+    public CodegenOperation fromOperation(String path, String httpMethod, Operation operation, List<Server> servers) {
+        CodegenOperation op = super.fromOperation(path, httpMethod, operation, servers);
+        if (QUARKUS_LIBRARY.equals(getLibrary()) && useJakartaSecurityAnnotations) {
+            jakartaSecurityAnnotationProcessor.applyTo(op, operation, openAPI);
+        }
+        return op;
+    }
 }

modules/openapi-generator/src/main/resources/JavaJaxRS/spec/libraries/quarkus/apiInterface.mustache

@@ -53,4 +53,4 @@
     {{#vendorExtensions.x-java-success-response-code}}
     @ResponseStatus({{{vendorExtensions.x-java-success-response-code}}})
     {{/vendorExtensions.x-java-success-response-code}}
-    {{#supportAsync}}{{>returnAsyncTypeInterface}}{{/supportAsync}}{{^supportAsync}}{{#returnJBossResponse}}{{>returnResponseTypeInterface}}{{/returnJBossResponse}}{{^returnJBossResponse}}{{#returnResponse}}Response{{/returnResponse}}{{^returnResponse}}{{>returnTypeInterface}}{{/returnResponse}}{{/returnJBossResponse}}{{/supportAsync}} {{nickname}}({{#allParams}}{{>queryParams}}{{>pathParams}}{{>cookieParams}}{{>headerParams}}{{>bodyParams}}{{>formParams}}{{^-last}},{{/-last}}{{/allParams}});
+    {{>jakartaSecurityAnnotations}}{{#supportAsync}}{{>returnAsyncTypeInterface}}{{/supportAsync}}{{^supportAsync}}{{#returnJBossResponse}}{{>returnResponseTypeInterface}}{{/returnJBossResponse}}{{^returnJBossResponse}}{{#returnResponse}}Response{{/returnResponse}}{{^returnResponse}}{{>returnTypeInterface}}{{/returnResponse}}{{/returnJBossResponse}}{{/supportAsync}} {{nickname}}({{#allParams}}{{>queryParams}}{{>pathParams}}{{>cookieParams}}{{>headerParams}}{{>bodyParams}}{{>formParams}}{{^-last}},{{/-last}}{{/allParams}});

modules/openapi-generator/src/main/resources/JavaJaxRS/spec/libraries/quarkus/apiMethod.mustache

@@ -47,6 +47,6 @@
                 {{^vendorExtensions.x-java-is-response-void}}@org.eclipse.microprofile.openapi.annotations.media.Content(schema = @org.eclipse.microprofile.openapi.annotations.media.Schema(implementation = {{{baseType}}}.class{{#vendorExtensions.x-microprofile-open-api-return-schema-container}}, type = {{{.}}} {{/vendorExtensions.x-microprofile-open-api-return-schema-container}}{{#vendorExtensions.x-microprofile-open-api-return-unique-items}}, uniqueItems = true {{/vendorExtensions.x-microprofile-open-api-return-unique-items}})){{/vendorExtensions.x-java-is-response-void}}
             }){{^-last}},{{/-last}}{{/responses}}
         }){{/hasProduces}}{{/useMicroProfileOpenAPIAnnotations}}
-    public {{#supportAsync}}{{#useMutiny}}Uni{{/useMutiny}}{{^useMutiny}}CompletionStage{{/useMutiny}}<{{/supportAsync}}{{#returnJBossResponse}}{{>returnResponseTypeInterface}}{{/returnJBossResponse}}{{^returnJBossResponse}}Response{{/returnJBossResponse}}{{#supportAsync}}>{{/supportAsync}} {{nickname}}({{#allParams}}{{>queryParams}}{{>pathParams}}{{>cookieParams}}{{>headerParams}}{{>bodyParams}}{{>formParams}}{{^-last}},{{/-last}}{{/allParams}}) {
+    {{>jakartaSecurityAnnotations}}public {{#supportAsync}}{{#useMutiny}}Uni{{/useMutiny}}{{^useMutiny}}CompletionStage{{/useMutiny}}<{{/supportAsync}}{{#returnJBossResponse}}{{>returnResponseTypeInterface}}{{/returnJBossResponse}}{{^returnJBossResponse}}Response{{/returnJBossResponse}}{{#supportAsync}}>{{/supportAsync}} {{nickname}}({{#allParams}}{{>queryParams}}{{>pathParams}}{{>cookieParams}}{{>headerParams}}{{>bodyParams}}{{>formParams}}{{^-last}},{{/-last}}{{/allParams}}) {
         return {{#supportAsync}}{{#useMutiny}}Uni.createFrom().item({{/useMutiny}}{{^useMutiny}}CompletableFuture.supplyAsync(() -> {{/useMutiny}}{{/supportAsync}}Response.ok().entity("magic!").build(){{#supportAsync}}){{/supportAsync}};
     }

modules/openapi-generator/src/main/resources/JavaJaxRS/spec/libraries/quarkus/jakartaSecurityAnnotations.mustache

@@ -0,0 +1,2 @@
+{{#vendorExtensions.x-jakarta-roles-allowed.0}}@jakarta.annotation.security.RolesAllowed({{openbrace}}{{#vendorExtensions.x-jakarta-roles-allowed}}"{{.}}"{{^-last}},{{/-last}}{{/vendorExtensions.x-jakarta-roles-allowed}}{{closebrace}})
+    {{/vendorExtensions.x-jakarta-roles-allowed.0}}