java source code of JavaSecurityProcessor

smallrye-open-api-master
- .github
  - project.yml
  - release
    - smallrye-sign.asc.gpg
    - maven-settings.xml.gpg
  - workflows
    - build.yml
    - release.yml
    - pre-release.yml
- message-ranges.txt
- implementation
  - pom.xml
  - .gitignore
- update.fork.sh
- pom.xml
- ui
  - src
    - main
      - webapp
        favicon.ico
        index.html
  - pom.xml
  - README.adoc
- tck
  - src
    - test
      - resources
        smallrye-disable-app-path.properties
        disable-app-path.properties
      - java
        test
        io
        smallrye
        openapi
        tck
        TestNgRunner.java
        TckMessages.java
        TckTest.java
        ArchiveUtil.java
        TckTestRunner.java
        ProxiedTckTest.java
        TckLogging.java
        BaseTckTest.java
        io
        smallrye
        openapi
        tck
        OASConfigScanPackageTckTest.java
        OASConfigExcludePackageTckTest.java
        OASConfigServersTckTest.java
        ModelConstructionTckTest.java
        AirlinesAppTckTest.java
        PetStoreAppTckTest.java
        extra
        extensions
        ExtensionResource.java
        jaxrs
        WidgetResource.java
        IgnoreJsonPropertiesTest.java
        DisabledApplicationPathTest.java
        SmallRyeDisabledApplicationPathTest.java
        ExtensionsTest.java
        ComplexResourceTest.java
        JaxRsTest.java
        complex
        ComplexResource.java
        apppath
        ApplicationPathResource.java
        ApplicationPathApp.java
        Path.java
        jsonignoreproperties
        JsonIgnorePropertiesResource.java
        ApplicationPathTest.java
        OASConfigScanDisableTckTest.java
        OASConfigExcludeClassTckTest.java
        OASConfigScanClassesTckTest.java
        StaticDocumentTckTest.java
        OASConfigWebInfTckTest.java
        FilterTckTest.java
        OASFactoryErrorTckTest.java
        ModelReaderAppTckTest.java
        OASConfigSchemaTckTest.java
        OASConfigExcludeClassesTckTest.java
        OASConfigScanClassTckTest.java
  - pom.xml
- LICENSE
- extension-spring
  - src
    - main
      - resources
        META-INF
        services
        io.smallrye.openapi.runtime.scanner.spi.AnnotationScanner
      - java
        io
        smallrye
        openapi
        spring
        SpringAnnotationScanner.java
        SpringLogging.java
        SpringParameter.java
        SpringConstants.java
        ParameterProcessor.java
    - test
      - resources
        io
        smallrye
        openapi
        runtime
        scanner
        resource.testBasicSpringPutDefinitionScanning.json
        resource.testBasicSpringPostDefinitionScanning.json
        resource.testBasicSpringDeleteDefinitionScanning.json
        resource.testBasicSpringGetDefinitionScanning.json
      - java
        test
        io
        smallrye
        openapi
        runtime
        scanner
        resources
        GreetingPostControllerAlt.java
        GreetingDeleteController.java
        GreetingPutController.java
        GreetingPutControllerAlt.java
        GreetingDeleteControllerAlt.java
        GreetingGetControllerAlt.java
        GreetingPostController.java
        GreetingGetController.java
        entities
        Greeting.java
        io
        smallrye
        openapi
        runtime
        scanner
        SpringAnnotationScannerTest.java
        SpringDataObjectScannerTestBase.java
  - pom.xml
- README.adoc
- release
  - pom.xml
- core
  - src
    - main
      - resources
        META-INF
        services
        org.eclipse.microprofile.openapi.spi.OASFactoryResolver
      - java
        io
        smallrye
        openapi
        api
        models
        security
        OAuthFlowsImpl.java
        SecurityRequirementImpl.java
        OAuthFlowImpl.java
        ScopesImpl.java
        SecuritySchemeImpl.java
        tags
        TagImpl.java
        callbacks
        CallbackImpl.java
        servers
        ServerVariablesImpl.java
        ServerVariableImpl.java
        ServerImpl.java
        parameters
        ParameterImpl.java
        RequestBodyImpl.java
        info
        LicenseImpl.java
        InfoImpl.java
        ContactImpl.java
        headers
        HeaderImpl.java
        examples
        ExampleImpl.java
        ExternalDocumentationImpl.java
        links
        LinkImpl.java
        media
        MediaTypeImpl.java
        ContentImpl.java
        SchemaImpl.java
        EncodingImpl.java
        XMLImpl.java
        DiscriminatorImpl.java
        responses
        APIResponsesImpl.java
        APIResponseImpl.java
        PathsImpl.java
        OpenAPIImpl.java
        ComponentsImpl.java
        MapModel.java
        OperationImpl.java
        ExtensibleImpl.java
        PathItemImpl.java
        ModelImpl.java
        OpenApiDocument.java
        util
        MergeUtil.java
        FilterUtil.java
        ServersUtil.java
        UtilLogging.java
        ListUtil.java
        constants
        SecurityConstants.java
        OpenApiConstants.java
        MutinyConstants.java
        JacksonConstants.java
        JsonbConstants.java
        JaxbConstants.java
        JDKConstants.java
        OpenApiConfig.java
        OpenApiConfigImpl.java
        ApiMessages.java
        runtime
        OpenApiProcessor.java
        scanner
        CollectionStandin.java
        ScannerMessages.java
        IterableStandin.java
        OpenApiAnnotationScanner.java
        CustomSchemaRegistry.java
        processor
        JavaSecurityProcessor.java
        SchemaRegistry.java
        MapStandin.java
        FilteredIndexView.java
        dataobject
        IgnoreResolver.java
        BeanValidationScanner.java
        DataObjectMessages.java
        AnnotationTargetProcessor.java
        DataObjectLogging.java
        TypeResolver.java
        AugmentedIndexView.java
        DataObjectDeque.java
        TypeProcessor.java
        ResourceParameters.java
        AnnotationScannerExtension.java
        OpenApiDataObjectScanner.java
        ScannerLogging.java
        spi
        AnnotationScannerFactory.java
        AbstractAnnotationScanner.java
        AnnotationScanner.java
        AnnotationScannerContext.java
        OpenApiStaticFile.java
        util
        StringUtil.java
        ModelUtil.java
        TypeUtil.java
        UtilMessages.java
        JandexUtil.java
        io
        xml
        XmlWriter.java
        XmlConstant.java
        XmlReader.java
        discriminator
        DiscriminatorConstant.java
        DiscriminatorWriter.java
        DiscriminatorReader.java
        header
        HeaderWriter.java
        HeaderReader.java
        info
        InfoConstant.java
        InfoWriter.java
        InfoReader.java
        content
        ContentReader.java
        ContentConstant.java
        ContentWriter.java
        ObjectWriter.java
        response
        ResponseConstant.java
        ResponseWriter.java
        ResponseReader.java
        link
        LinkWriter.java
        LinkConstant.java
        LinkReader.java
        parameter
        ParameterConstant.java
        ParameterWriter.java
        ParameterReader.java
        tag
        TagConstant.java
        TagReader.java
        TagWriter.java
        IoMessages.java
        securityscheme
        SecuritySchemeReader.java
        SecuritySchemeWriter.java
        SecuritySchemeConstant.java
        ContentDirection.java
        externaldocs
        ExternalDocsReader.java
        ExternalDocsConstant.java
        ExternalDocsWriter.java
        CurrentScannerInfo.java
        components
        ComponentsReader.java
        ComponentsWriter.java
        ComponentsConstant.java
        requestbody
        RequestBodyConstant.java
        RequestBodyReader.java
        RequestBodyWriter.java
        extension
        ExtensionReader.java
        ExtensionConstant.java
        ExtensionWriter.java
        license
        LicenseReader.java
        LicenseWriter.java
        LicenseConstant.java
        contact
        ContactReader.java
        ContactWriter.java
        ContactConstant.java
        OpenApiSerializer.java
        OpenApiParser.java
        mediatype
        MediaTypeConstant.java
        MediaTypeWriter.java
        MediaTypeReader.java
        servervariable
        ServerVariableWriter.java
        ServerVariableConstant.java
        ServerVariableReader.java
        example
        ExampleWriter.java
        ExampleConstant.java
        ExampleReader.java
        JsonUtil.java
        Parameterizable.java
        operation
        OperationConstant.java
        OperationReader.java
        OperationWriter.java
        Format.java
        server
        ServerReader.java
        ServerWriter.java
        ServerConstant.java
        Referenceable.java
        securityrequirement
        SecurityRequirementWriter.java
        SecurityRequirementConstant.java
        SecurityRequirementReader.java
        definition
        DefinitionReader.java
        DefinitionWriter.java
        DefinitionConstant.java
        callback
        CallbackConstant.java
        CallbackReader.java
        CallbackWriter.java
        IoLogging.java
        schema
        SchemaWriter.java
        SchemaConstant.java
        SchemaFactory.java
        SchemaReader.java
        paths
        PathsConstant.java
        PathsReader.java
        PathsWriter.java
        oauth
        OAuthWriter.java
        OAuthReader.java
        encoding
        EncodingConstant.java
        EncodingWriter.java
        EncodingReader.java
        spi
        SpiMessages.java
        OASFactoryResolverImpl.java
    - test
      - resources
        io
        smallrye
        openapi
        api
        util
        _extensions
        merged.json
        extensions2.json
        extensions1.json
        _pathDocs
        merged.json
        path2.json
        path1.json
        _pathDefault
        pathDefault2.json
        merged.json
        pathDefault1.json
        _opTags
        merged.json
        opTags1.json
        opTags2.json
        _servers
        servers2.json
        merged.json
        servers1.json
        filter-before.json
        _tags
        merged.json
        tags2.json
        tags1.json
        _security
        merged.json
        security2.json
        security1.json
        _callbacks
        merged.json
        callbacks2.json
        callbacks1.json
        filter-after.json
        _info
        merged.json
        info1.json
        info2.json
        runtime
        io
        paths-parameters.json
        paths-get-response-content.json
        components-responses.json
        components-securitySchemes.json
        components-headers.json
        schemas-with-externalDocs.json
        info.yaml
        servers.json
        externalDocs.json
        components-empty.json
        paths-get-callbacks.json
        paths-get-servers.json
        components-examples.json
        components-callbacks.json
        schemas-with-additionalProperties.json
        paths-get-parameters.json
        paths-get-requestBody-example.json
        security.json
        paths-get-security.json
        schemas-with-allOf.json
        simplest.json
        info.json
        paths-with-extensions.json
        components-schemas.json
        servers.yaml
        paths-get-responses.json
        schemas-with-composition.json
        paths-empty.json
        _everything.json
        schemas-with-metaData.json
        paths-ref.json
        paths-get-requestBody-content.json
        simplest.yaml
        paths-get-response-headers.json
        schemas-with-example.json
        schemas-with-xml.json
        paths-get-response-links.json
        paths-get.json
        components-requestBodies.json
        paths-get-requestBody.json
        tags.json
        paths-all-operations.json
        extensions.json
        components-links.json
        paths-servers.json
        schemas-discriminator.json
        _everything.yaml
        components-parameters.json
      - java
        io
        smallrye
        openapi
        api
        util
        FilterUtilTest.java
        MergeUtilTest.java
        OpenApiConfigImplTest.java
        runtime
        scanner
        FilteredIndexViewTest.java
        IndexScannerTestBase.java
        spi
        PathMakerTest.java
        io
        OpenApiParserAndSerializerTest.java
        schema
        SchemaFactoryTest.java
        spi
        OASFactoryResolverImplTest.java
  - pom.xml
- CODEOWNERS
- extension-jaxrs
  - src
    - main
      - resources
        META-INF
        services
        io.smallrye.openapi.runtime.scanner.spi.AnnotationScanner
      - java
        io
        smallrye
        openapi
        jaxrs
        JaxRsLogging.java
        JaxRsSubResourceLocator.java
        JaxRsAnnotationScanner.java
        ParameterProcessor.java
        RestEasyConstants.java
        JaxRsParameter.java
        JaxRsConstants.java
    - test
      - resources
        io
        smallrye
        openapi
        runtime
        scanner
        resource.tags.multilocation.json
        refsEnabled.nested.schema.family.expected.json
        params.uuid-params-responses.json
        params.parameter-in-bean-from-field.json
        params.param-name-override.json
        ignore.jsonIgnorePropertiesOnField.expected.json
        refsEnabled.generic.complexInheritance.expected.json
        params.path-segment-param.json
        refsEnabled.duration.fields.expected.json
        polymorphism.declared-discriminator-empty-mapping.json
        polymorphism.declared-discriminator.json
        resource.parameters.string-implementation-wrapped.json
        params.beanparam-multipartform-inherited.json
        ignore.jsonIgnorePropertiesOnClass.expected.json
        refsEnabled.generic.complexNesting.expected.json
        generic.fields.overriddenNames.expected.json
        generic.withBounds.expected.json
        resource.testHiddenOperationPathNotPresent.json
        generic.complexNesting.expected.json
        enumRequired.expected.json
        params.all-the-params.json
        ignore.jsonIgnoreField.expected.json
        generic.fields.expected.json
        refsEnabled.generic.withBounds.expected.json
        refsEnabled.kitchenSink.expected.json
        responses.multipart-generation.json
        unresolvable.expected.json
        responses.generation-enabled-by-incomplete-api-response.json
        generic.nested.expected.json
        polymorphism.declared-discriminator-no-mapping-schema.json
        special.wildcardWithSuperBound.expected.json
        refsEnabled.period.fields.expected.json
        params.matrix-params-on-resource-method-args.json
        refsEnabled.resource.testNestedSchemaOnParameter.json
        refsEnabled.generic.fields.expected.json
        params.enum-form-param.json
        responses.void-nonpost-response-generation.json
        responses.exception-mapper-generation.json
        ignore.jsonIgnoreType.expected.json
        params.resteasy-multipart-form-data-map.json
        resource.testBasicJaxRsDeleteDefinitionScanning.json
        resource.testHiddenOperationNotPresent.json
        params.ignored-mp-openapi-headers.json
        resource.tags.ordergiven.annotation.json
        refsEnabled.generic.nested.expected.json
        refsEnabled.resource.simple.expected.json
        params.parameter-on-method.json
        dataobject
        resource.testBeanValidationDocument.json
        special.dataObjectList.expected.json
        resource.parameters.primitive-array-param.json
        extensions.parsing.expected.json
        resource.testBasicJaxRsPostDefinitionScanning.json
        refsEnabled.unresolvable.expected.json
        special.wildcardWithExtendBound.expected.json
        params.resteasy-fields-and-setters.json
        resource.parameters.primitive-array-schema.json
        resource.testBasicJaxRsPutDefinitionScanning.json
        resource.testPackageInfoDefinitionScanning.json
        ignore.schemaHiddenField.expected.json
        polymorphism.declared-discriminator-no-property-name.json
        responses.generic-collection.set-unindexed.json
        responses.void-post-response-generation.json
        params.multipart-form.json
        resource.parameters.type-variable.json
        responses.exception-mapper-overridden-by-method-annotation-generation.json
        resource.subresources-with-params.json
        special.simple.expected.json
        resource.testRequestBodyComponentGeneration.json
        polymorphism.declared-discriminator-no-mapping-key.json
        params.parameters-in-constructor.json
        responses.generation-suppressed-by-api-responses-annotation.json
        cycle.expected.json
        responses.void-async-response-generation.json
        resource.parameters.primitive-array-polymorphism.json
        ignore.jsonbTransientField.expected.json
        responses.generic-collection.set-indexed.json
        params.optional-types.json
        enum.expected.json
        resource.inheritance.params.json
        params.path-param-templates.json
        generic.complexInheritance.expected.json
        resource.testBasicJaxRsGetDefinitionScanning.json
        refsEnabled.generic.fields.overriddenNames.expected.json
        responses.generation-suppressed-by-status-omission.json
        params.resteasy-multipart-mixed-array.json
        resource.tags.ordergiven.staticfile.json
        params.resteasy-multipart-form-data-input.json
        resource.parameters.simpleSchema.json
        params.path-param-with-form-params.json
        params.matrix-params-on-resource-method-custom-name.json
        polymorphism.declared-discriminator-no-mapping.json
        params.char-sequence-arrays.json
        responses.generation-suppressed-by-supplied-default-api-response.json
        resource.parameters.time.json
        refsEnabled.cycle.expected.json
        params.common-annotation-target-method.json
        params.parameter-on-field.json
        special.wildcard.expected.json
        params.matrix-params-on-method-and-field-args.json
        refsEnabled.enumRequired.expected.json
        refsEnabled.enum.expected.json
        params.multiple-content-types-with-form-params.json
        ignore.transientField.expected.json
        params.method-target-nojaxrs.json
        params.resteasy-multipart-mixed.json
        params.parameter-in-bean-from-setter.json
        params.resteasy-multipart-related-input.json
        responses.unknown-type.empty-schema.json
        _filtered
        _expected.json
        static.json
        _modelReader
        _expected.json
        testApimanGatewayWAR.expected.json
        _static
        _expected.json
        static.json
      - java
        test
        io
        smallrye
        openapi
        runtime
        scanner
        resources
        FooResource.java
        NestedSchemaOnParameterResource.java
        HiddenOperationResource.java
        ParameterResource.java
        VisibleOperationResource.java
        GreetingPutResource.java
        GreetingGetResource.java
        GreetingPostResource.java
        RequestBodyTestApplication.java
        PackageInfoTestApplication.java
        GreetingDeleteResource.java
        package-info.java
        entities
        FieldNameOverride.java
        Bar.java
        Foo.java
        BazEnum.java
        GenericFieldTestContainer.java
        SpecialCaseTestContainer.java
        NestedSchemaSiblingB.java
        IgnoreType.java
        KustomPair.java
        IgnoreTestContainer.java
        JsonIgnoreOnFieldExample.java
        Ultimate.java
        Greeting.java
        NestedSchemaSiblingA.java
        TransientFieldExample.java
        IgnoreSchemaOnFieldExample.java
        NestedSchemaParent.java
        JsonbTransientOnFieldExample.java
        EnumContainer.java
        EnumRequiredContainer.java
        JsonIgnorePropertiesOnClassExample.java
        Fuzz.java
        SimpleValues.java
        JsonIgnoreTypeExample.java
        GenericTypeTestContainer.java
        KitchenSink.java
        Bazzy.java
        Baz.java
        BuzzLinkedList.java
        io
        smallrye
        openapi
        runtime
        scanner
        SubresourceScanTests.java
        ExpectationTests.java
        ResourceInheritanceTests.java
        IgnoreTests.java
        ParameterScanTests.java
        JaxRsDataObjectScannerTestBase.java
        KitchenSinkTest.java
        dataobject
        BeanValidationResourceTest.java
        TypeResolverTests.java
        BeanValidationScannerTest.java
        JaxRsAnnotationScannerBasicTest.java
        JaxRsAnnotationScannerTest.java
        ExpectationWithRefsTests.java
        DiscriminatorMappingTests.java
        ExceptionMapperScanTests.java
        SpecialCaseTests.java
        ApiResponseTests.java
        ResourceParameterTests.java
        SchemaRegistryTests.java
        NestedSchemaReferenceTests.java
        ExtensionParsingTests.java
        CustomExtensionParsingTests.java
        RequestBodyScanTests.java
        RolesAllowedScopeScanTests.java
        util
        JandexUtilTests.java
        TypeUtilTest.java
  - pom.xml
- .gitignore

package io.smallrye.openapi.runtime.scanner.processor;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

import org.eclipse.microprofile.openapi.models.OpenAPI;
import org.eclipse.microprofile.openapi.models.Operation;
import org.eclipse.microprofile.openapi.models.security.OAuthFlow;
import org.eclipse.microprofile.openapi.models.security.OAuthFlows;
import org.eclipse.microprofile.openapi.models.security.SecurityRequirement;
import org.eclipse.microprofile.openapi.models.security.SecurityScheme;
import org.jboss.jandex.MethodInfo;

import io.smallrye.openapi.api.constants.SecurityConstants;
import io.smallrye.openapi.api.models.security.ScopesImpl;
import io.smallrye.openapi.api.models.security.SecurityRequirementImpl;
import io.smallrye.openapi.runtime.util.TypeUtil;

/**
 * This helps to apply java security (@RolesAllowed etc.).
 * 
 * @author Eric Wittmann ([email protected])
 * @author Phillip Kruger ([email protected])
 */
public class JavaSecurityProcessor {
    private static final ThreadLocal<JavaSecurityProcessor> current = new ThreadLocal<>();

    public static void register(OpenAPI openApi) {
        JavaSecurityProcessor registry = new JavaSecurityProcessor(openApi);
        current.set(registry);
    }

    public static void addRolesAllowedToScopes(String[] roles) {
        current.get().resourceRolesAllowed = roles;
        current.get().addScopes(roles);
    }

    public static void addDeclaredRolesToScopes(String[] roles) {
        current.get().addScopes(roles);
    }

    public static void processSecurityRoles(MethodInfo method, Operation operation) {
        current.get().processSecurityRolesForMethodOperation(method, operation);
    }

    public static void remove() {
        current.remove();
    }

    private String currentSecurityScheme;
    private List<OAuthFlow> currentFlows;
    private String[] resourceRolesAllowed;

    private JavaSecurityProcessor(OpenAPI openApi) {
        checkSecurityScheme(openApi);
    }

    /**
     * Adds the array of roles as scopes to each of the OAuth2 flows stored previously.
     * The flows are those declared by the application in components/securitySchemes
     * using annotations where the scopes were not defined. The description of the scope
     * will be set to the role name plus the string " role".
     *
     * @param roles array of roles from either <code>@DeclareRoles</code> or
     *        <code>@RolesAllowed</code>
     */
    private void addScopes(String[] roles) {
        if (roles == null || this.currentFlows == null) {
            return;
        }

        this.currentFlows.forEach(flow -> {
            // TODO: Replace ScopesImpl with Map for MicroProfile OpenAPI 2.0
            // if (flow.getScopes() == null) {
            //     flow.setScopes(new LinkedHashMap<>());
            // }
            // Arrays.stream(roles).forEach(role -> flow.addScope(role, role + " role"));

            if (flow.getScopes() == null) {
                flow.setScopes(new ScopesImpl());
            }
            Arrays.stream(roles).forEach(role -> flow.getScopes().addScope(role, role + " role"));
        });
    }

    /**
     * Add method-level or resource-level <code>RolesAllowed</code> values as
     * scopes to the current operation.
     * 
     * <ul>
     * <li>If a <code>DenyAll</code> annotation is present (and a method-level
     * <code>RolesAllowed</code> is not), the roles allowed will be set to an
     * empty array.
     * 
     * <li>If none of a <code>PermitAll</code>, a <code>DenyAll</code>, and a
     * <code>RolesAllowed</code> annotation is present at the method-level, the
     * roles allowed will be set to the resource's <code>RolesAllowed</code>.
     * </ul>
     * 
     * @param method the current JAX-RS method
     * @param operation the OpenAPI Operation
     */
    private void processSecurityRolesForMethodOperation(MethodInfo method, Operation operation) {
        if (this.currentSecurityScheme != null) {
            String[] rolesAllowed = TypeUtil.getAnnotationValue(method, SecurityConstants.ROLES_ALLOWED);

            if (rolesAllowed != null) {
                addScopes(rolesAllowed);
                addRolesAllowed(operation, rolesAllowed);
            } else if (this.resourceRolesAllowed != null) {
                boolean denyAll = TypeUtil.getAnnotation(method, SecurityConstants.DENY_ALL) != null;
                boolean permitAll = TypeUtil.getAnnotation(method, SecurityConstants.PERMIT_ALL) != null;

                if (denyAll) {
                    addRolesAllowed(operation, new String[0]);
                } else if (!permitAll) {
                    addRolesAllowed(operation, this.resourceRolesAllowed);
                }
            }
        }
    }

    /**
     * Add an array of roles to the operation's security requirements.
     * 
     * If no security requirements yet exists, one is created with the name of the
     * single OAUTH/OPENIDCONNECT previously defined in the OpenAPI's Components
     * section.
     * 
     * Otherwise, the roles are added to only a single existing requirement
     * where the name of the requirement's scheme matches the name of the
     * single OAUTH/OPENIDCONNECT previously defined in the OpenAPI's Components
     * section.
     * 
     * @param operation the OpenAPI Operation
     * @param roles a list of JAX-RS roles to use as scopes
     */
    private void addRolesAllowed(Operation operation, String[] roles) {
        List<SecurityRequirement> requirements = operation.getSecurity();

        if (requirements == null) {
            SecurityRequirement requirement = new SecurityRequirementImpl();
            requirement.addScheme(currentSecurityScheme, new ArrayList<>(Arrays.asList(roles)));
            operation.setSecurity(new ArrayList<>(Arrays.asList(requirement)));
        } else if (requirements.size() == 1) {
            SecurityRequirement requirement = requirements.get(0);

            if (requirement.hasScheme(currentSecurityScheme)) {
                // The name of the declared requirement must match the scheme's name
                List<String> scopes = requirement.getScheme(currentSecurityScheme);
                for (String role : roles) {
                    if (!scopes.contains(role)) {
                        scopes.add(role);
                    }
                }
            }
        }
    }

    /**
     * If there is a single security scheme defined by the <code>@OpenAPIDefinition</code>
     * annotations and the scheme is OAuth2 or OpenIdConnect, any of the flows
     * where no scopes have yet been provided are eligible to have scopes
     * filled by <code>@DeclareRoles</code>/<code>@RolesAllowed</code> annotations.
     * 
     * @param oai the current OpenAPI result
     */
    private void checkSecurityScheme(OpenAPI openApi) {
        if (openApi.getComponents() == null) {
            return;
        }

        Map<String, SecurityScheme> schemes = openApi.getComponents().getSecuritySchemes();

        if (schemes != null && schemes.size() == 1) {
            Map.Entry<String, SecurityScheme> scheme = schemes.entrySet().iterator().next();
            SecurityScheme.Type schemeType = scheme.getValue().getType();

            if (schemeType != null) {
                switch (schemeType) {
                    case OAUTH2:
                    case OPENIDCONNECT:
                        saveSecurityScheme(scheme.getKey(), scheme.getValue());
                        break;
                    default:
                        break;
                }
            }
        }
    }

    /**
     * Saves the name of the SecurityScheme and references to any flows
     * that did not have scopes defined by the application via a component
     * defined in <code>@OpenAPIDefinition</code> annotations. The saved
     * flows may have scopes added by values discovered in <code>@RolesAllowed</code>
     * annotations during scanning.
     * 
     * @param scheme the scheme to save for further role processing.
     */
    private void saveSecurityScheme(String schemeName, SecurityScheme scheme) {
        this.currentSecurityScheme = schemeName;
        this.currentFlows = new ArrayList<>();

        OAuthFlows flows = scheme.getFlows();

        if (flows != null) {
            saveFlow(flows.getAuthorizationCode());
            saveFlow(flows.getClientCredentials());
            saveFlow(flows.getImplicit());
            saveFlow(flows.getPassword());
        }
    }

    /**
     * Saves an {@link OAuthFlow} object in the list of flows for further processing.
     * Only saved if no scopes were defined by the application using annotations.
     * 
     * @param flow
     */
    private void saveFlow(OAuthFlow flow) {
        if (flow != null && flow.getScopes() == null) {
            this.currentFlows.add(flow);
        }
    }
}