DRAFT: [jaxrs-spec][quarkus] Emit @Authenticated for HTTP Basic, Bearer, api-key and OAuth2 or OpenID with empty scopes

modules/openapi-generator/src/main/java/org/openapitools/codegen/languages/JavaJAXRSSpecServerCodegen.java

@@ -367,6 +367,13 @@ public OperationsMap postProcessOperationsWithModels(OperationsMap objs, List<Mo
                 additionalProperties.put("hasResponseStatusAnnotations", true);
             }
         }
+        if (QUARKUS_LIBRARY.equals(getLibrary()) && useQuarkusSecurityAnnotations) {
+            for (CodegenOperation op : objs.getOperations().getOperation()) {
+                if (shouldAddAuthenticatedAnnotation(op)){
+                    op.vendorExtensions.put("x-quarkus-authenticated", true);
+                }
+            }
+        }
         return objs;
     }
 
@@ -391,4 +398,17 @@ public Map<String, ModelsMap> postProcessAllModels(Map<String, ModelsMap> objs)
         }
         return result;
     }
+
+    protected boolean shouldAddAuthenticatedAnnotation(CodegenOperation op) {
+        if (!op.hasAuthMethods) {
+            return false;
+        }
+        return op.authMethods.stream().anyMatch(m ->
+                (Boolean.TRUE.equals(m.isOAuth) && (m.scopes == null || m.scopes.isEmpty())) ||
+                        (Boolean.TRUE.equals(m.isOpenId) && (m.scopes == null || m.scopes.isEmpty())) ||
+                        Boolean.TRUE.equals(m.isBasicBasic) ||
+                        Boolean.TRUE.equals(m.isBasicBearer) ||
+                        Boolean.TRUE.equals(m.isApiKey)
+        );
+    }
 }

modules/openapi-generator/src/main/resources/JavaJaxRS/spec/libraries/quarkus/apiInterface.mustache

@@ -53,4 +53,7 @@
     {{#vendorExtensions.x-java-success-response-code}}
     @ResponseStatus({{{vendorExtensions.x-java-success-response-code}}})
     {{/vendorExtensions.x-java-success-response-code}}
+    {{#vendorExtensions.x-quarkus-authenticated}}
+    @io.quarkus.security.Authenticated
+    {{/vendorExtensions.x-quarkus-authenticated}}
     {{#supportAsync}}{{>returnAsyncTypeInterface}}{{/supportAsync}}{{^supportAsync}}{{#returnJBossResponse}}{{>returnResponseTypeInterface}}{{/returnJBossResponse}}{{^returnJBossResponse}}{{#returnResponse}}Response{{/returnResponse}}{{^returnResponse}}{{>returnTypeInterface}}{{/returnResponse}}{{/returnJBossResponse}}{{/supportAsync}} {{nickname}}({{#allParams}}{{>queryParams}}{{>pathParams}}{{>cookieParams}}{{>headerParams}}{{>bodyParams}}{{>formParams}}{{^-last}},{{/-last}}{{/allParams}});

modules/openapi-generator/src/main/resources/JavaJaxRS/spec/libraries/quarkus/apiMethod.mustache

@@ -47,6 +47,9 @@
                 {{^vendorExtensions.x-java-is-response-void}}@org.eclipse.microprofile.openapi.annotations.media.Content(schema = @org.eclipse.microprofile.openapi.annotations.media.Schema(implementation = {{{baseType}}}.class{{#vendorExtensions.x-microprofile-open-api-return-schema-container}}, type = {{{.}}} {{/vendorExtensions.x-microprofile-open-api-return-schema-container}}{{#vendorExtensions.x-microprofile-open-api-return-unique-items}}, uniqueItems = true {{/vendorExtensions.x-microprofile-open-api-return-unique-items}})){{/vendorExtensions.x-java-is-response-void}}
             }){{^-last}},{{/-last}}{{/responses}}
         }){{/hasProduces}}{{/useMicroProfileOpenAPIAnnotations}}
+    {{#vendorExtensions.x-quarkus-authenticated}}
+    @io.quarkus.security.Authenticated
+    {{/vendorExtensions.x-quarkus-authenticated}}
     public {{#supportAsync}}{{#useMutiny}}Uni{{/useMutiny}}{{^useMutiny}}CompletionStage{{/useMutiny}}<{{/supportAsync}}{{#returnJBossResponse}}{{>returnResponseTypeInterface}}{{/returnJBossResponse}}{{^returnJBossResponse}}Response{{/returnJBossResponse}}{{#supportAsync}}>{{/supportAsync}} {{nickname}}({{#allParams}}{{>queryParams}}{{>pathParams}}{{>cookieParams}}{{>headerParams}}{{>bodyParams}}{{>formParams}}{{^-last}},{{/-last}}{{/allParams}}) {
         return {{#supportAsync}}{{#useMutiny}}Uni.createFrom().item({{/useMutiny}}{{^useMutiny}}CompletableFuture.supplyAsync(() -> {{/useMutiny}}{{/supportAsync}}Response.ok().entity("magic!").build(){{#supportAsync}}){{/supportAsync}};
     }

modules/openapi-generator/src/test/resources/3_0/jaxrs-spec/quarkus-api-key.yaml

@@ -0,0 +1,28 @@
+openapi: 3.0.1
+info:
+  title: Quarkus API Key auth test
+  version: '1.0'
+servers:
+  - url: 'http://localhost:8080/'
+paths:
+  /items:
+    get:
+      operationId: getItems
+      summary: Get items
+      security:
+        - api_key: []
+      responses:
+        '200':
+          description: OK
+    post:
+      operationId: createItem
+      summary: Create item
+      responses:
+        '201':
+          description: Created
+components:
+  securitySchemes:
+    api_key:
+      type: apiKey
+      in: header
+      name: X-API-Key

modules/openapi-generator/src/test/resources/3_0/jaxrs-spec/quarkus-global-oauth2-or-scoped-and-unscoped.yaml

@@ -0,0 +1,39 @@
+openapi: 3.0.1
+info:
+  title: Quarkus global OAuth2 OR — unscoped and scoped entries
+  version: '1.0'
+servers:
+  - url: 'http://localhost:8080/'
+security:
+  - oauth2_no_scope: []
+  - oauth2_with_scope:
+      - admin
+paths:
+  /items:
+    get:
+      operationId: getItems
+      summary: Inherits global security — unscoped entry in OR list makes it least-restrictive
+      responses:
+        '200':
+          description: OK
+    post:
+      operationId: createItem
+      summary: Also inherits global security — same OR reasoning applies
+      responses:
+        '201':
+          description: Created
+components:
+  securitySchemes:
+    oauth2_no_scope:
+      type: oauth2
+      flows:
+        clientCredentials:
+          tokenUrl: https://example.com/oauth/token
+          scopes: {}
+    oauth2_with_scope:
+      type: oauth2
+      flows:
+        clientCredentials:
+          tokenUrl: https://example.com/oauth/token
+          scopes:
+            admin: Admin access

modules/openapi-generator/src/test/resources/3_0/jaxrs-spec/quarkus-global-security-one-op-disabled.yaml

@@ -0,0 +1,32 @@
+openapi: 3.0.1
+info:
+  title: Quarkus global security with one operation explicitly disabled
+  version: '1.0'
+servers:
+  - url: 'http://localhost:8080/'
+security:
+  - basic_auth: []
+  - bearer_auth: []
+paths:
+  /items:
+    get:
+      operationId: getItems
+      summary: Inherits global security (HTTP Basic OR Bearer) — should get @Authenticated
+      responses:
+        '200':
+          description: OK
+    post:
+      operationId: createItem
+      summary: Explicitly disables security with security:[] — should NOT get @Authenticated
+      security: []
+      responses:
+        '201':
+          description: Created
+components:
+  securitySchemes:
+    basic_auth:
+      type: http
+      scheme: basic
+    bearer_auth:
+      type: http
+      scheme: bearer

modules/openapi-generator/src/test/resources/3_0/jaxrs-spec/quarkus-http-basic.yaml

@@ -0,0 +1,27 @@
+openapi: 3.0.1
+info:
+  title: Quarkus HTTP Basic auth test
+  version: '1.0'
+servers:
+  - url: 'http://localhost:8080/'
+paths:
+  /items:
+    get:
+      operationId: getItems
+      summary: Get items
+      security:
+        - basic_auth: []
+      responses:
+        '200':
+          description: OK
+    post:
+      operationId: createItem
+      summary: Create item
+      responses:
+        '201':
+          description: Created
+components:
+  securitySchemes:
+    basic_auth:
+      type: http
+      scheme: basic

modules/openapi-generator/src/test/resources/3_0/jaxrs-spec/quarkus-http-bearer.yaml

@@ -0,0 +1,27 @@
+openapi: 3.0.1
+info:
+  title: Quarkus HTTP Bearer auth test
+  version: '1.0'
+servers:
+  - url: 'http://localhost:8080/'
+paths:
+  /items:
+    get:
+      operationId: getItems
+      summary: Get items
+      security:
+        - bearer_auth: []
+      responses:
+        '200':
+          description: OK
+    post:
+      operationId: createItem
+      summary: Create item
+      responses:
+        '201':
+          description: Created
+components:
+  securitySchemes:
+    bearer_auth:
+      type: http
+      scheme: bearer

modules/openapi-generator/src/test/resources/3_0/jaxrs-spec/quarkus-oauth2-multi-flow-no-scopes.yaml

@@ -0,0 +1,34 @@
+openapi: 3.0.1
+info:
+  title: Quarkus OAuth2 multi-flow no scopes test
+  version: '1.0'
+servers:
+  - url: 'http://localhost:8080/'
+paths:
+  /items:
+    get:
+      operationId: getItems
+      summary: Get items
+      security:
+        - oauth2_scheme: []
+      responses:
+        '200':
+          description: OK
+    post:
+      operationId: createItem
+      summary: Create item
+      responses:
+        '201':
+          description: Created
+components:
+  securitySchemes:
+    oauth2_scheme:
+      type: oauth2
+      flows:
+        authorizationCode:
+          authorizationUrl: https://example.com/oauth/authorize
+          tokenUrl: https://example.com/oauth/token
+          scopes: {}
+        implicit:
+          authorizationUrl: https://example.com/api/oauth/dialog
+          scopes: {}

modules/openapi-generator/src/test/resources/3_0/jaxrs-spec/quarkus-oauth2-no-scopes.yaml

@@ -0,0 +1,30 @@
+openapi: 3.0.1
+info:
+  title: Quarkus OAuth2 no scopes test
+  version: '1.0'
+servers:
+  - url: 'http://localhost:8080/'
+paths:
+  /items:
+    get:
+      operationId: getItems
+      summary: Get items
+      security:
+        - oauth2_scheme: []
+      responses:
+        '200':
+          description: OK
+    post:
+      operationId: createItem
+      summary: Create item
+      responses:
+        '201':
+          description: Created
+components:
+  securitySchemes:
+    oauth2_scheme:
+      type: oauth2
+      flows:
+        clientCredentials:
+          tokenUrl: https://example.com/oauth/token
+          scopes: {}

modules/openapi-generator/src/test/resources/3_0/jaxrs-spec/quarkus-oauth2-or-empty-and-scoped.yaml

@@ -0,0 +1,42 @@
+openapi: 3.0.1
+info:
+  title: Quarkus OAuth2 OR empty-and-scoped test
+  version: '1.0'
+servers:
+  - url: 'http://localhost:8080/'
+paths:
+  /items:
+    get:
+      operationId: getItems
+      summary: Get items — OR any-authenticated OR scoped
+      security:
+        - oauth2_no_scope: []
+        - oauth2_with_scope:
+            - admin
+      responses:
+        '200':
+          description: OK
+    post:
+      operationId: createItem
+      summary: Create item — scoped only
+      security:
+        - oauth2_with_scope:
+            - admin
+      responses:
+        '201':
+          description: Created
+components:
+  securitySchemes:
+    oauth2_no_scope:
+      type: oauth2
+      flows:
+        clientCredentials:
+          tokenUrl: https://example.com/oauth/token
+          scopes: {}
+    oauth2_with_scope:
+      type: oauth2
+      flows:
+        clientCredentials:
+          tokenUrl: https://example.com/oauth/token
+          scopes:
+            admin: Admin access

modules/openapi-generator/src/test/resources/3_0/jaxrs-spec/quarkus-oauth2-scoped-or-api-key.yaml

@@ -0,0 +1,40 @@
+openapi: 3.0.1
+info:
+  title: Quarkus OAuth2 scoped OR API Key — API Key qualifies for @Authenticated
+  version: '1.0'
+servers:
+  - url: 'http://localhost:8080/'
+paths:
+  /items:
+    get:
+      operationId: getItems
+      summary: Scoped OAuth2 alone would not qualify, but API Key in the OR list does
+      security:
+        - oauth2_with_scope:
+            - admin
+        - api_key: []
+      responses:
+        '200':
+          description: OK
+    post:
+      operationId: createItem
+      summary: Scoped OAuth2 only — no qualifying scheme
+      security:
+        - oauth2_with_scope:
+            - admin
+      responses:
+        '201':
+          description: Created
+components:
+  securitySchemes:
+    oauth2_with_scope:
+      type: oauth2
+      flows:
+        clientCredentials:
+          tokenUrl: https://example.com/oauth/token
+          scopes:
+            admin: Admin access
+    api_key:
+      type: apiKey
+      in: header
+      name: X-API-Key

modules/openapi-generator/src/test/resources/3_0/jaxrs-spec/quarkus-oauth2-with-scopes.yaml

@@ -0,0 +1,36 @@
+openapi: 3.0.1
+info:
+  title: Quarkus OAuth2 with scopes test
+  version: '1.0'
+servers:
+  - url: 'http://localhost:8080/'
+paths:
+  /items:
+    get:
+      operationId: getItems
+      summary: Get items
+      security:
+        - oauth2_scheme:
+            - read:items
+      responses:
+        '200':
+          description: OK
+    post:
+      operationId: createItem
+      summary: Create item
+      security:
+        - oauth2_scheme:
+            - write:items
+      responses:
+        '201':
+          description: Created
+components:
+  securitySchemes:
+    oauth2_scheme:
+      type: oauth2
+      flows:
+        clientCredentials:
+          tokenUrl: https://example.com/oauth/token
+          scopes:
+            read:items: Read items
+            write:items: Write items