Swagger/Oauth add http bearer auth (#3118)

+ disable unsupported OAuth 2 flows

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
2026-06-05 15:48:10 +03:00
committed by GitHub
parent 97df5bf8d1
commit 6a85a43dde

View File

@@ -10,7 +10,7 @@
package org.eclipse.hawkbit.mgmt.rest.resource; package org.eclipse.hawkbit.mgmt.rest.resource;
import java.util.Comparator; import java.util.Comparator;
import java.util.HashMap; import java.util.LinkedHashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Optional; import java.util.Optional;
@@ -43,6 +43,8 @@ public class MgmtOpenApiConfiguration {
private static final String BASIC_AUTH_SEC_SCHEME_NAME = "Basic"; private static final String BASIC_AUTH_SEC_SCHEME_NAME = "Basic";
private static final String BEARER_AUTH_SEC_SCHEME_NAME = "Bearer"; private static final String BEARER_AUTH_SEC_SCHEME_NAME = "Bearer";
private static final String OAUTH2_AUTH_SEC_SCHEME_NAME = "OAuth2";
private static final String DESCRIPTION_SUFFIX = " Authentication";
@Bean @Bean
@ConditionalOnProperty( @ConditionalOnProperty(
@@ -54,28 +56,36 @@ public class MgmtOpenApiConfiguration {
@Autowired(required = false) @Qualifier("hawkbitOAuth2ResourceServerCustomizer") final Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> oauth2ResourceServerCustomizer, @Autowired(required = false) @Qualifier("hawkbitOAuth2ResourceServerCustomizer") final Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> oauth2ResourceServerCustomizer,
final HawkbitSecurityProperties hawkbitSecurityProperties final HawkbitSecurityProperties hawkbitSecurityProperties
) { ) {
boolean oauth2Enabled = oauth2ResourceServerCustomizer != null; final boolean oauth2Enabled = oauth2ResourceServerCustomizer != null;
Map<String, SecurityScheme> securitySchemeMap = new HashMap<>(); final Map<String, SecurityScheme> securitySchemeMap = new LinkedHashMap<>(); // linked map to keep the order
final SecurityRequirement securityRequirement = new SecurityRequirement(); final SecurityRequirement securityRequirement = new SecurityRequirement();
if (!oauth2Enabled || hawkbitSecurityProperties.isAllowHttpBasicOnOAuthEnabled()) { if (!oauth2Enabled || hawkbitSecurityProperties.isAllowHttpBasicOnOAuthEnabled()) {
securityRequirement.addList(BASIC_AUTH_SEC_SCHEME_NAME); securityRequirement.addList(BASIC_AUTH_SEC_SCHEME_NAME);
securitySchemeMap.put(BASIC_AUTH_SEC_SCHEME_NAME, securitySchemeMap.put(BASIC_AUTH_SEC_SCHEME_NAME, new SecurityScheme()
new SecurityScheme() .description(BASIC_AUTH_SEC_SCHEME_NAME + DESCRIPTION_SUFFIX)
.description(BASIC_AUTH_SEC_SCHEME_NAME + " Authentication") .type(SecurityScheme.Type.HTTP)
.type(SecurityScheme.Type.HTTP) .scheme("basic"));
.scheme("basic"));
} }
if (oauth2Enabled) { if (oauth2Enabled) {
securityRequirement.addList(BEARER_AUTH_SEC_SCHEME_NAME); securityRequirement.addList(BEARER_AUTH_SEC_SCHEME_NAME);
securitySchemeMap.put(BEARER_AUTH_SEC_SCHEME_NAME, securitySchemeMap.put(BEARER_AUTH_SEC_SCHEME_NAME, new SecurityScheme()
new SecurityScheme() .description(BEARER_AUTH_SEC_SCHEME_NAME + DESCRIPTION_SUFFIX)
.description(BEARER_AUTH_SEC_SCHEME_NAME + " Authentication") .type(SecurityScheme.Type.HTTP)
.type(SecurityScheme.Type.OAUTH2) .bearerFormat("JWT")
.flows(new OAuthFlows() .scheme("bearer"));
.authorizationCode(new OAuthFlow().authorizationUrl(authorizationUrl).tokenUrl(tokenUrl)) if (!tokenUrl.isBlank()) {
.clientCredentials(new OAuthFlow().tokenUrl(tokenUrl))) securityRequirement.addList(BEARER_AUTH_SEC_SCHEME_NAME);
.bearerFormat("JWT") securitySchemeMap.put(OAUTH2_AUTH_SEC_SCHEME_NAME, new SecurityScheme()
.scheme("bearer")); .description(OAUTH2_AUTH_SEC_SCHEME_NAME + DESCRIPTION_SUFFIX)
.type(SecurityScheme.Type.OAUTH2)
.flows(authorizationUrl.isBlank()
? new OAuthFlows().clientCredentials(new OAuthFlow().tokenUrl(tokenUrl))
: new OAuthFlows()
.authorizationCode(new OAuthFlow().tokenUrl(tokenUrl).authorizationUrl(authorizationUrl))
.clientCredentials(new OAuthFlow().tokenUrl(tokenUrl)))
.bearerFormat("JWT")
.scheme("bearer"));
}
} }
// @formatter:off // @formatter:off
return GroupedOpenApi return GroupedOpenApi
@@ -99,10 +109,7 @@ public class MgmtOpenApiConfiguration {
new Server().url("/")) new Server().url("/"))
: List.of(new Server().url("/"))) : List.of(new Server().url("/")))
.addSecurityItem(securityRequirement) .addSecurityItem(securityRequirement)
.components( .components(openApi.getComponents().securitySchemes(securitySchemeMap))
openApi
.getComponents()
.securitySchemes(securitySchemeMap))
.tags(sort(openApi.getTags()))) .tags(sort(openApi.getTags())))
.build(); .build();
// @formatter:on // @formatter:on