quarkus: OpenAPI generation: `@RolesAllowed` roles are sometimes missing (random behavior)
Describe the bug
We have an OIDC security provider with RESTEasy Classic and our endpoint `/secured/admin` is annotated with `@RolesAllowed("admin")`. Sometimes, the generated security scheme is empty (once in a few days, you can see our CI). Interestingly, we have an identical endpoint with RESTEasy Reactive and this problem occasionally occurs too.
Expected behavior
OpenAPI definition must be deterministic (and ideally with roles).
Actual behavior
Most of the time, we get

```json
"/secured/admin":{"get":{"tags":["Secured Resource"],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"string"}}}},"403":{"description":"Not Allowed"},"401":{"description":"Not Authorized"}},"security":[{"SecurityScheme":["admin"]}]}}
```

but sometimes we get

```json
"/secured/admin":{"get":{"tags":["Secured Resource"],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"string"}}}},"403":{"description":"Not Allowed"},"401":{"description":"Not Authorized"}},"security":[{"SecurityScheme":[]}]}}
```
How to Reproduce?
Steps to reproduce:
- `git clone git@github.com:michalvavrik/quarkus-test-suite.git`
- `cd quarkus-test-suite && git checkout reproducer/openapi-definition-generation`
- `cd security/keycloak-oidc-client-extended/`
- `mvn clean verify -Dit.test=OpenApiStoreSchemaIT` (repeat till you experience failure, good luck)

Please check out the daily builds of our CI for failures we experienced: https://github.com/quarkus-qe/quarkus-test-suite/actions/workflows/daily.yaml, notably build #770.
Output of uname -a or ver
Linux
Output of java -version
openjdk 17.0.4 2022-07-19
GraalVM version (if different from Java)
OpenJDK Runtime Environment GraalVM CE 23.2
Quarkus version or git rev
999-SNAPSHOT
Build tool (ie. output of mvnw --version or gradlew --version)
Apache Maven 3.8.6
Additional information
No response
About this issue
- State: closed
- Created a year ago
- Comments: 17 (16 by maintainers)
Commits related to this issue
- Disable OpenAPI definition check for allowed roles in security scheme Disables assertion of roles allowed to access path in generated OpenAPI definition. We already had to [disable same check for OID... — committed to michalvavrik/quarkus-test-suite by michalvavrik a year ago
- Disable OpenAPI definition check for allowed roles in security scheme (#1141) Disables assertion of roles allowed to access path in generated OpenAPI definition. We already had to [disable same check... — committed to quarkus-qe/quarkus-test-suite by michalvavrik a year ago
- Disable HTTP Basic authentication for OpenAPI OIDC tests Fixes quarkusio/quarkus#32112 Signed-off-by: Michael Edgar <michael@xlate.io> — committed to MikeEdgar/quarkus-test-suite by MikeEdgar a year ago
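
An added example, not part of the original report or of Quarkus: a Python check a CI job could run over generated OpenAPI documents to flag the empty role list shown under "Actual behavior" and to detect role drift between two builds. The function names and sample documents are constructed here, and it assumes every secured operation is expected to list roles (an empty array is valid OpenAPI for scheme types that do not use scopes).

```python
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def role_map(doc):
    """Map (path, METHOD) -> {scheme name: sorted roles} for operations with `security`."""
    result = {}
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            # Path items also carry non-operation keys such as "parameters".
            if method not in HTTP_METHODS or "security" not in op:
                continue
            schemes = {}
            for requirement in op["security"]:
                for scheme, roles in requirement.items():
                    schemes.setdefault(scheme, set()).update(roles)
            result[(path, method.upper())] = {s: sorted(r) for s, r in schemes.items()}
    return result


def empty_role_findings(doc):
    """Operations that name a security scheme but list no roles for it."""
    return sorted((path, method, scheme)
                  for (path, method), schemes in role_map(doc).items()
                  for scheme, roles in schemes.items() if not roles)


def drift(doc_a, doc_b):
    """Operations whose role lists differ between two builds of the same application."""
    a, b = role_map(doc_a), role_map(doc_b)
    return sorted(key for key in a.keys() | b.keys() if a.get(key) != b.get(key))


# Constructed sample: the operation from the report, wrapped in a minimal "paths" object.
def sample(roles):
    return {"paths": {"/secured/admin": {"get": {
        "tags": ["Secured Resource"],
        "responses": {"200": {"description": "OK"}},
        "security": [{"SecurityScheme": roles}]}}}}


GOOD, BAD = sample(["admin"]), sample([])

if __name__ == "__main__":
    print("empty role lists:", empty_role_findings(BAD))
    print("drift between builds:", drift(GOOD, BAD))
```

Run against documents from several builds, `drift` surfaces the intermittent case without hard-coding the expected roles.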
Sorry @MikeEdgar, I missed your comment somehow. Sounds good, sure, I’d report it here if there were any related failures.
I’m glad we are further now, but the bug (or missing support, whatever we call it) can still affect customers; therefore I’d prefer to keep the issue open. Thanks again
I will take a look at this today. HTTP basic should not be in the output anymore… I’ll post here what I find.