Clean up callbacks and web hooks

limentas · limentas · commit e7f21d8aeb12 · 2026-05-11T13:13:19.000+02:00
diff --git a/modules/openapi-generator/src/main/java/org/openapitools/codegen/OpenAPINormalizer.java b/modules/openapi-generator/src/main/java/org/openapitools/codegen/OpenAPINormalizer.java
@@ -679,7 +679,7 @@ private void cleanupSecuritySchemeReferences(Iterable<String> schemesToClean) {
             return;
         }
 
-        // clean up global security requirements
+        // Global security requirements
         if (openAPI.getSecurity() != null) {
             List<SecurityRequirement> cleanRequirements = cleanupSecurityRequirements(openAPI.getSecurity(),
                     schemesToClean);
@@ -688,24 +688,58 @@ private void cleanupSecuritySchemeReferences(Iterable<String> schemesToClean) {
             }
         }
 
-        // loop through all the paths and operations to clean up the references
+        // Paths
         if (openAPI.getPaths() != null) {
             for (PathItem path : openAPI.getPaths().values()) {
-                List<Operation> operations = new ArrayList<>(path.readOperations());
-                for (Operation operation : operations) {
-                    if (operation.getSecurity() == null) {
-                        continue;
-                    }
+                cleanupPathItemSecuritySchemes(path, schemesToClean);
+            }
+        }
 
-                    List<SecurityRequirement> cleanRequirements = cleanupSecurityRequirements(operation.getSecurity(), schemesToClean);
-                    if (cleanRequirements.size() != operation.getSecurity().size()) {
-                        operation.setSecurity(cleanRequirements);
-                    }
+        // Webhooks
+        if (openAPI.getWebhooks() != null) {
+            for (PathItem path : openAPI.getWebhooks().values()) {
+                cleanupPathItemSecuritySchemes(path, schemesToClean);
+            }
+        }
+
+        // Callbacks
+        if (openAPI.getComponents() != null && openAPI.getComponents().getCallbacks() != null) {
+            Map<String, Callback> callbacks = openAPI.getComponents().getCallbacks();
+            for (Callback callback : callbacks.values()) {
+                if (callback == null)
+                    continue;
+
+                for (PathItem path : callback.values()) {
+                    cleanupPathItemSecuritySchemes(path, schemesToClean);
                 }
             }
         }
     }
 
+    /**
+     * Cleans up the references to the security schemes that are removed by the filter in a given PathItem.
+     * @param path the PathItem to clean up
+     * @param schemesToClean the security schemes keys to remove
+     */
+    private void cleanupPathItemSecuritySchemes(PathItem path, Iterable<String> schemesToClean) {
+        if (path == null || schemesToClean == null) {
+            return;
+        }
+
+        List<Operation> operations = new ArrayList<>(path.readOperations());
+        for (Operation operation : operations) {
+            if (operation.getSecurity() == null) {
+                continue;
+            }
+
+            List<SecurityRequirement> cleanRequirements = cleanupSecurityRequirements(operation.getSecurity(),
+                    schemesToClean);
+            if (cleanRequirements.size() != operation.getSecurity().size()) {
+                operation.setSecurity(cleanRequirements);
+            }
+        }
+    }
+
     /**
      * Removes given security schemes from the list of security requirements and remove the requirement if it becomes empty after the cleanup.
      *
diff --git a/modules/openapi-generator/src/test/java/org/openapitools/codegen/OpenAPINormalizerTest.java b/modules/openapi-generator/src/test/java/org/openapitools/codegen/OpenAPINormalizerTest.java
@@ -948,8 +948,8 @@ public void testSecuritySchemesFilter() {
         assertEquals(openAPI.getComponents().getSecuritySchemes().containsKey("openIdConnect1"), false);
         assertEquals(openAPI.getComponents().getSecuritySchemes().containsKey("openIdConnect2"), false);
 
-        // Check how we clean up the references to the removed security schemes in the
-        // global security requirement
+        // Check how we clean up the references to the removed security schemes
+        // Global security requirements
         assertTrue(openAPI.getSecurity().stream().anyMatch(map -> map.containsKey("api_key1")));
         assertFalse(openAPI.getSecurity().stream().anyMatch(map -> map.containsKey("api_key2")));
         assertFalse(openAPI.getSecurity().stream().anyMatch(map -> map.containsKey("http1")));
@@ -963,8 +963,7 @@ public void testSecuritySchemesFilter() {
         // We should leave only one (the original one) empty security requirement object
         assertEquals(openAPI.getSecurity().stream().filter(map -> map.isEmpty()).count(), 1);
 
-        // Check how we clean up the references to the removed security schemes in the
-        // paths
+        // Paths
         assertTrue(openAPI.getPaths().get("/api_keys").getGet().getSecurity().stream()
                 .anyMatch(map -> map.containsKey("api_key1")));
         assertFalse(openAPI.getPaths().get("/api_keys").getGet().getSecurity().stream()
@@ -1005,14 +1004,82 @@ public void testSecuritySchemesFilter() {
                 .anyMatch(map -> map.containsKey("openIdConnect1")));
         assertFalse(openAPI.getPaths().get("/openIdConnect2").getPost().getSecurity().stream()
                 .anyMatch(map -> map.containsKey("openIdConnect2")));
-        // One of security requirements becomes empty after clean up - we should remove it
+        // One of security requirements becomes empty after clean up - we should remove
+        // it
         assertEquals(openAPI.getPaths().get("/multipleSecuritySchemes").getGet().getSecurity().size(), 1);
         // Another requirement should contain only api_key1 and oauth2_1 schemes
         assertEquals(openAPI.getPaths().get("/multipleSecuritySchemes").getGet().getSecurity().get(0).size(), 2);
-        assertTrue(openAPI.getPaths().get("/multipleSecuritySchemes").getGet().getSecurity().get(0).containsKey("api_key1"));
-        assertTrue(openAPI.getPaths().get("/multipleSecuritySchemes").getGet().getSecurity().get(0).containsKey("oauth2_1"));
-        assertEquals(openAPI.getPaths().get("/multipleSecuritySchemes").getGet().getSecurity().get(0).get("oauth2_1").size(), 1);
-        assertEquals(openAPI.getPaths().get("/multipleSecuritySchemes").getGet().getSecurity().get(0).get("oauth2_1").get(0), "read:pets");
+        assertTrue(openAPI.getPaths().get("/multipleSecuritySchemes").getGet().getSecurity().get(0)
+                .containsKey("api_key1"));
+        assertTrue(openAPI.getPaths().get("/multipleSecuritySchemes").getGet().getSecurity().get(0)
+                .containsKey("oauth2_1"));
+        assertEquals(
+                openAPI.getPaths().get("/multipleSecuritySchemes").getGet().getSecurity().get(0).get("oauth2_1").size(),
+                1);
+        assertEquals(
+                openAPI.getPaths().get("/multipleSecuritySchemes").getGet().getSecurity().get(0).get("oauth2_1").get(0),
+                "read:pets");
+
+        // Webhooks
+        assertTrue(openAPI.getWebhooks().get("webhookAllSecuritySchemes").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("api_key1")));
+        assertFalse(openAPI.getWebhooks().get("webhookAllSecuritySchemes").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("api_key2")));
+        assertFalse(openAPI.getWebhooks().get("webhookAllSecuritySchemes").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("http1")));
+        assertFalse(openAPI.getWebhooks().get("webhookAllSecuritySchemes").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("http2")));
+        assertFalse(openAPI.getWebhooks().get("webhookAllSecuritySchemes").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("mutualTLS1")));
+        assertFalse(openAPI.getWebhooks().get("webhookAllSecuritySchemes").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("mutualTLS2")));
+        assertTrue(openAPI.getWebhooks().get("webhookAllSecuritySchemes").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("oauth2_1")));
+        assertTrue(openAPI.getWebhooks().get("webhookAllSecuritySchemes").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("oauth2_2")));
+        assertFalse(openAPI.getWebhooks().get("webhookAllSecuritySchemes").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("openIdConnect1")));
+        assertFalse(openAPI.getWebhooks().get("webhookAllSecuritySchemes").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("openIdConnect2")));
+        // We should leave only one (the original one) empty security requirement object
+        assertEquals(openAPI.getWebhooks().get("webhookAllSecuritySchemes").getPost().getSecurity().stream()
+                .filter(map -> map.isEmpty()).count(), 1);
+
+        // Callbacks
+        assertTrue(openAPI.getComponents().getCallbacks().get("callbackAllSecuritySchemes")
+                .get("{$request.body#/callbackUrl}").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("api_key1")));
+        assertFalse(openAPI.getComponents().getCallbacks().get("callbackAllSecuritySchemes")
+                .get("{$request.body#/callbackUrl}").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("api_key2")));
+        assertFalse(openAPI.getComponents().getCallbacks().get("callbackAllSecuritySchemes")
+                .get("{$request.body#/callbackUrl}").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("http1")));
+        assertFalse(openAPI.getComponents().getCallbacks().get("callbackAllSecuritySchemes")
+                .get("{$request.body#/callbackUrl}").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("http2")));
+        assertFalse(openAPI.getComponents().getCallbacks().get("callbackAllSecuritySchemes")
+                .get("{$request.body#/callbackUrl}").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("mutualTLS1")));
+        assertFalse(openAPI.getComponents().getCallbacks().get("callbackAllSecuritySchemes")
+                .get("{$request.body#/callbackUrl}").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("mutualTLS2")));
+        assertTrue(openAPI.getComponents().getCallbacks().get("callbackAllSecuritySchemes")
+                .get("{$request.body#/callbackUrl}").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("oauth2_1")));
+        assertTrue(openAPI.getComponents().getCallbacks().get("callbackAllSecuritySchemes")
+                .get("{$request.body#/callbackUrl}").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("oauth2_2")));
+        assertFalse(openAPI.getComponents().getCallbacks().get("callbackAllSecuritySchemes")
+                .get("{$request.body#/callbackUrl}").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("openIdConnect1")));
+        assertFalse(openAPI.getComponents().getCallbacks().get("callbackAllSecuritySchemes")
+                .get("{$request.body#/callbackUrl}").getPost().getSecurity().stream()
+                .anyMatch(map -> map.containsKey("openIdConnect2")));
+        // We should leave only one (the original one) empty security requirement object
+        assertEquals(openAPI.getComponents().getCallbacks().get("callbackAllSecuritySchemes")
+                .get("{$request.body#/callbackUrl}").getPost().getSecurity().stream().filter(map -> map.isEmpty())
+                .count(), 1);
     }
 
     @Test
diff --git a/modules/openapi-generator/src/test/resources/3_1/all_security_schemes.yaml b/modules/openapi-generator/src/test/resources/3_1/all_security_schemes.yaml
@@ -260,6 +260,32 @@ components:
       description: OpenID Connect Authentication sample 2
       openIdConnectUrl: 'http://petstore.swagger.io/.well-known/openid-configuration2'
 
+  callbacks:
+    callbackAllSecuritySchemes:
+      '{$request.body#/callbackUrl}':
+        post:
+          requestBody:
+            description: Callback payload
+            content:
+              application/json:
+                schema:
+                  $ref: '#/components/schemas/Dummy'
+          responses:
+            '200':
+              description: successful operation
+          security:
+            - {}
+            - api_key1: []
+            - api_key2: []
+            - http1: []
+            - http2: []
+            - mutualTLS1: []
+            - mutualTLS2: []
+            - oauth2_1: ["read:pets"]
+            - oauth2_2: ["write:pets", "read:pets"]
+            - openIdConnect1: []
+            - openIdConnect2: []
+
   schemas:
     Dummy:
       title: Dummy schema
@@ -269,3 +295,30 @@ components:
         id:
           type: integer
           format: int64
+
+webhooks:
+  webhookAllSecuritySchemes:
+    post:
+      summary: Dummy webhook endpoint
+      operationId: dummyWebhook
+      requestBody:
+        description: Webhook payload
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/Dummy'
+      responses:
+        '200':
+          description: successful operation
+      security:
+          - {}
+          - api_key1: []
+          - api_key2: []
+          - http1: []
+          - http2: []
+          - mutualTLS1: []
+          - mutualTLS2: []
+          - oauth2_1: ["read:pets"]
+          - oauth2_2: ["write:pets", "read:pets"]
+          - openIdConnect1: []
+          - openIdConnect2: []
