Skip to content

fix: Security sonar cleanup#62

Closed
thced wants to merge 24 commits into
masterfrom
fix/security-sonar-cleanup
Closed

fix: Security sonar cleanup#62
thced wants to merge 24 commits into
masterfrom
fix/security-sonar-cleanup

Conversation

@thced

@thced thced commented May 18, 2026

Copy link
Copy Markdown
Contributor

No description provided.

thced added 24 commits May 18, 2026 11:43
Captures the Wave 7 plan from the OpenAPI 3.1 refactor inventory: parse
securitySchemes + security requirements, extract credentials per scheme,
let consumers validate via name-keyed callback, library renders 401/403.
Includes useExternalAuthentication() opt-out for OPA-sidecar deployments
and explicit k6 compatibility constraints.
Operation now carries an Optional<List<SecurityRequirement>> security
field. When a path operation declares "security" in the OpenAPI doc, the
parsed list is present (including an empty list to opt-out of root
security); absent means no operation-level override.
Adds SecurityFilter with OR-of-AND group evaluation. Satisfied groups
update the ScopedValue binding with extracted principals. Rejection path
(Task 9) stubs with UnsupportedOperationException. Includes
ScopedValueHarness test helper and SecurityFilterTest covering the
allowed and no-security cases.
Replace the UnsupportedOperationException placeholder with a full
rejection path: DENIED failures produce 403 Forbidden with no
challenge header; MISSING/MALFORMED failures produce 401 Unauthorized
with one WWW-Authenticate header per distinct scheme. Added a generic
ProblemDetailRenderer.render(status, title, detail) overload used by
the rejection renderer. Three new SecurityFilterTest cases cover
bearer-missing→401, bearer-denied→403, and apiKey-missing→401.
Builder.build() now calls validateSecurityWiring() before constructing
the server when externalAuth is false. It collects all scheme names
referenced by any operation's effective security, and throws
IllegalStateException for unknown, Unsupported, or validator-less schemes.
Add four secured paths under /secure/* to openapi.json and openapi.yaml,
plus a securitySchemes block (apiKeyAuth, bearerAuth, basicAuth). Wire
deny-all SchemeValidator stubs and no-op handlers into ServerBaseTest
(via newBuilder helper) and ServerLauncher so existing tests keep booting.
- OpenApiServer: use record deconstruction pattern for
  SecurityScheme.Unsupported
- CredentialExtractor: rename unused catch binding to _
  (java22 unnamed pattern)
- SecurityBootValidationTest: hoist builder construction out of
  assertThatThrownBy lambdas so only build() can throw
@thced thced closed this May 18, 2026
@thced thced deleted the fix/security-sonar-cleanup branch May 18, 2026 13:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant