feat: Support securitySchemes #60
Merged
Captures the Wave 7 plan from the OpenAPI 3.1 refactor inventory: parse securitySchemes + security requirements, extract credentials per scheme, let consumers validate via name-keyed callback, library renders 401/403. Includes useExternalAuthentication() opt-out for OPA-sidecar deployments and explicit k6 compatibility constraints.
Operation now carries an Optional<List<SecurityRequirement>> security field. When a path operation declares "security" in the OpenAPI doc, the parsed list is present (including an empty list to opt-out of root security); absent means no operation-level override.
Adds SecurityFilter with OR-of-AND group evaluation. Satisfied groups update the ScopedValue binding with extracted principals. Rejection path (Task 9) stubs with UnsupportedOperationException. Includes ScopedValueHarness test helper and SecurityFilterTest covering the allowed and no-security cases.
Replace the UnsupportedOperationException placeholder with a full rejection path: DENIED failures produce 403 Forbidden with no challenge header; MISSING/MALFORMED failures produce 401 Unauthorized with one WWW-Authenticate header per distinct scheme. Added a generic ProblemDetailRenderer.render(status, title, detail) overload used by the rejection renderer. Three new SecurityFilterTest cases cover bearer-missing→401, bearer-denied→403, and apiKey-missing→401.
Builder.build() now calls validateSecurityWiring() before constructing the server when externalAuth is false. It collects all scheme names referenced by any operation's effective security, and throws IllegalStateException for unknown, Unsupported, or validator-less schemes.
Add four secured paths under /secure/* to openapi.json and openapi.yaml, plus a securitySchemes block (apiKeyAuth, bearerAuth, basicAuth). Wire deny-all SchemeValidator stubs and no-op handlers into ServerBaseTest (via newBuilder helper) and ServerLauncher so existing tests keep booting.
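The OR-of-AND group evaluation and the 401/403 rejection split described in the commit messages above, as an added Java example that is not code from this pull request. All names (`Outcome`, `Decision`, `evaluate`) and the challenge strings are hypothetical, and the precedence of DENIED over MISSING/MALFORMED across groups is an assumption the page does not state.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration with hypothetical names; not the project's SecurityFilter.
public class SecurityGroupsDemo {
    enum Outcome { OK, MISSING, MALFORMED, DENIED }
    record Decision(boolean allowed, int status, List<String> wwwAuthenticate) {}
    static final Decision ALLOW = new Decision(true, 0, List.of());

    // groups: OR across the list, AND inside each set (OpenAPI "security" semantics).
    // results: outcome per scheme name; a scheme with no entry sent no credential.
    // challenge: scheme name -> WWW-Authenticate value (constructed sample values).
    static Decision evaluate(List<Set<String>> groups, Map<String, Outcome> results,
                             Map<String, String> challenge) {
        if (groups.isEmpty()) return ALLOW;              // "security": [] opts out
        boolean denied = false;
        Set<String> challenges = new LinkedHashSet<>();  // one entry per distinct scheme
        for (Set<String> group : groups) {
            boolean satisfied = true;                    // an empty group {} stays satisfied
            for (String scheme : group) {
                Outcome o = results.getOrDefault(scheme, Outcome.MISSING);
                if (o == Outcome.OK) continue;
                satisfied = false;
                if (o == Outcome.DENIED) denied = true;
                else if (challenge.containsKey(scheme)) challenges.add(challenge.get(scheme));
            }
            if (satisfied) return ALLOW;                 // any one satisfied group is enough
        }
        // Assumption: a DENIED credential in any group takes precedence over 401.
        return denied ? new Decision(false, 403, List.of())
                      : new Decision(false, 401, List.copyOf(challenges));
    }

    public static void main(String[] args) {
        Map<String, String> challenge =
            Map.of("bearerAuth", "Bearer", "basicAuth", "Basic realm=\"demo\"");
        // Constructed requirement: bearerAuth OR (bearerAuth AND basicAuth)
        List<Set<String>> groups = List.of(Set.of("bearerAuth"), Set.of("bearerAuth", "basicAuth"));
        System.out.println(evaluate(groups, Map.of(), challenge));
        System.out.println(evaluate(groups, Map.of("bearerAuth", Outcome.MALFORMED), challenge));
        System.out.println(evaluate(groups, Map.of("bearerAuth", Outcome.DENIED), challenge));
        System.out.println(evaluate(groups, Map.of("bearerAuth", Outcome.OK), challenge));
        System.out.println(evaluate(List.of(), Map.of(), challenge));
    }
}
```

Keeping the 403 response free of challenge headers, as the commit message specifies, tells a client that retrying with the same credential will not help, while the 401 path advertises every scheme that could have satisfied a group.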
No description provided.