opendcs · MikeNeilson · Oct 25, 2025 · Oct 26, 2025 · Oct 28, 2025
diff --git a/opendcs-rest-api/src/main/java/org/opendcs/odcsapi/openapi/OpenDcsOpenApiModifier.java b/opendcs-rest-api/src/main/java/org/opendcs/odcsapi/openapi/OpenDcsOpenApiModifier.java
@@ -0,0 +1,31 @@
+package org.opendcs.odcsapi.openapi;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import io.swagger.v3.jaxrs2.ReaderListener;
+import io.swagger.v3.oas.annotations.OpenAPIDefinition;
+import io.swagger.v3.oas.integration.api.OpenApiReader;
+import io.swagger.v3.oas.models.OpenAPI;
+
+@OpenAPIDefinition
+public class OpenDcsOpenApiModifier implements ReaderListener
+{
+    private static final Logger log = LoggerFactory.getLogger(OpenDcsOpenApiModifier.class);
+    @Override
+    public void beforeScan(OpenApiReader reader, OpenAPI openAPI)
+    {
+        /* do nothing */
+    }
+
+    @Override
+    public void afterScan(OpenApiReader reader, OpenAPI openAPI)
+    {
+        /**
+         * todo: 
+         * 1 update authcheck provider to return security scheme with runtime determined info
+         * 2 add SecuritySchemes
+         */
+    }
+
+}
diff --git a/opendcs-rest-api/src/main/java/org/opendcs/odcsapi/res/OpenDcsResource.java b/opendcs-rest-api/src/main/java/org/opendcs/odcsapi/res/OpenDcsResource.java
@@ -23,7 +23,13 @@
 import decodes.db.DatabaseIO;
 import decodes.tsdb.TimeSeriesDb;
 import io.swagger.v3.oas.annotations.OpenAPIDefinition;
+import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
 import io.swagger.v3.oas.annotations.info.Info;
+import io.swagger.v3.oas.annotations.security.OAuthFlow;
+import io.swagger.v3.oas.annotations.security.OAuthFlows;
+import io.swagger.v3.oas.annotations.security.SecurityScheme;
+import io.swagger.v3.oas.annotations.security.SecuritySchemes;
+
 import org.opendcs.database.api.OpenDcsDatabase;
 import org.opendcs.odcsapi.dao.OpenDcsDatabaseFactory;
 
@@ -37,6 +43,12 @@
 				version = "0.0.3"
 		)
 )
+@SecuritySchemes({
+@SecurityScheme(name = "default", type = SecuritySchemeType.OAUTH2, 
+	flows = @OAuthFlows(
+		password = @OAuthFlow(tokenUrl = "/odcsapi/credentials")
+	))
+})
 public class OpenDcsResource
 {
 	private static final String UNSUPPORTED_OPERATION_MESSAGE = "Endpoint is unsupported by the OpenDCS REST API.";

diff --git a/opendcs-rest-api/src/main/java/org/opendcs/odcsapi/sec/AbstractAuthorizationCheck.java b/opendcs-rest-api/src/main/java/org/opendcs/odcsapi/sec/AbstractAuthorizationCheck.java
@@ -0,0 +1,66 @@
+/*
+ *  Copyright 2025 OpenDCS Consortium and its Contributors
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License")
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package org.opendcs.odcsapi.sec;
+
+import javax.servlet.ServletContext;
+import javax.servlet.http.HttpServletRequest;
+import javax.sql.DataSource;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.core.SecurityContext;
+
+import decodes.cwms.CwmsTimeSeriesDb;
+import decodes.tsdb.TimeSeriesDb;
+import opendcs.opentsdb.OpenTsdb;
+import org.opendcs.database.api.OpenDcsDatabase;
+import org.opendcs.odcsapi.dao.ApiAuthorizationDAI;
+import org.opendcs.odcsapi.dao.OpenDcsDatabaseFactory;
+import org.opendcs.odcsapi.sec.basicauth.OpenTsdbAuthorizationDAO;
+import org.opendcs.odcsapi.sec.cwms.CwmsAuthorizationDAO;
+
+import static org.opendcs.odcsapi.res.DataSourceContextCreator.DATA_SOURCE_ATTRIBUTE_KEY;
+
+public abstract class AbstractAuthorizationCheck implements AuthorizationCheck
+{
+
+	/**
+	 * Authorizes the current session returning the SecurityContext that will check user roles.
+	 *
+	 * @param requestContext     context for the current session.
+	 * @param httpServletRequest context for the current request.
+	 */
+	public abstract SecurityContext authorize(ContainerRequestContext requestContext,
+			HttpServletRequest httpServletRequest, ServletContext servletContext);
+
+	public abstract boolean supports(String type, ContainerRequestContext requestContext, ServletContext servletContext);
+
+	protected final ApiAuthorizationDAI getAuthDao(ServletContext servletContext)
+	{
+		DataSource dataSource = (DataSource) servletContext.getAttribute(DATA_SOURCE_ATTRIBUTE_KEY);
+		OpenDcsDatabase db = OpenDcsDatabaseFactory.createDb(dataSource);
+		TimeSeriesDb timeSeriesDb = db.getLegacyDatabase(TimeSeriesDb.class)
+				.orElseThrow(() -> new UnsupportedOperationException("Endpoint is unsupported by the OpenDCS REST API."));
+		//Need to figure out a better way to extend the toolkit API to be able to add dao's within the REST API
+		if(timeSeriesDb instanceof CwmsTimeSeriesDb)
+		{
+			return new CwmsAuthorizationDAO(timeSeriesDb);
+		}
+		else if(timeSeriesDb instanceof OpenTsdb)
+		{
+			return new OpenTsdbAuthorizationDAO(timeSeriesDb);
+		}
+		throw new UnsupportedOperationException("Endpoint is unsupported by the OpenDCS REST API.");
+	}
+}
diff --git a/opendcs-rest-api/src/main/java/org/opendcs/odcsapi/sec/AuthorizationCheck.java b/opendcs-rest-api/src/main/java/org/opendcs/odcsapi/sec/AuthorizationCheck.java
@@ -17,22 +17,13 @@
 
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
-import javax.sql.DataSource;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.core.SecurityContext;
 
-import decodes.cwms.CwmsTimeSeriesDb;
-import decodes.tsdb.TimeSeriesDb;
-import opendcs.opentsdb.OpenTsdb;
-import org.opendcs.database.api.OpenDcsDatabase;
-import org.opendcs.odcsapi.dao.ApiAuthorizationDAI;
-import org.opendcs.odcsapi.dao.OpenDcsDatabaseFactory;
-import org.opendcs.odcsapi.sec.basicauth.OpenTsdbAuthorizationDAO;
-import org.opendcs.odcsapi.sec.cwms.CwmsAuthorizationDAO;
+import io.swagger.v3.oas.models.security.SecurityScheme;
 
-import static org.opendcs.odcsapi.res.DataSourceContextCreator.DATA_SOURCE_ATTRIBUTE_KEY;
 
-public abstract class AuthorizationCheck
+public interface AuthorizationCheck
 {
 
 	/**
@@ -41,27 +32,14 @@ public abstract class AuthorizationCheck
 	 * @param requestContext     context for the current session.
 	 * @param httpServletRequest context for the current request.
 	 */
-	public abstract SecurityContext authorize(ContainerRequestContext requestContext,
+	SecurityContext authorize(ContainerRequestContext requestContext,
 			HttpServletRequest httpServletRequest, ServletContext servletContext);
 
-	public abstract boolean supports(String type, ContainerRequestContext requestContext, ServletContext servletContext);
+	boolean supports(String type, ContainerRequestContext requestContext, ServletContext servletContext);
 
-
-	protected final ApiAuthorizationDAI getAuthDao(ServletContext servletContext)
-	{
-		DataSource dataSource = (DataSource) servletContext.getAttribute(DATA_SOURCE_ATTRIBUTE_KEY);
-		OpenDcsDatabase db = OpenDcsDatabaseFactory.createDb(dataSource);
-		TimeSeriesDb timeSeriesDb = db.getLegacyDatabase(TimeSeriesDb.class)
-				.orElseThrow(() -> new UnsupportedOperationException("Endpoint is unsupported by the OpenDCS REST API."));
-		//Need to figure out a better way to extend the toolkit API to be able to add dao's within the REST API
-		if(timeSeriesDb instanceof CwmsTimeSeriesDb)
-		{
-			return new CwmsAuthorizationDAO(timeSeriesDb);
-		}
-		else if(timeSeriesDb instanceof OpenTsdb)
-		{
-			return new OpenTsdbAuthorizationDAO(timeSeriesDb);
-		}
-		throw new UnsupportedOperationException("Endpoint is unsupported by the OpenDCS REST API.");
-	}
+	/**
+	 * build the OpenApi SecurityScheme to render into the runtime generated spec.
+	 * @return
+	 */
+	SecurityScheme getOaSecurityScheme();
 }
diff --git a/opendcs-rest-api/src/main/java/org/opendcs/odcsapi/sec/basicauth/BasicAuthCheck.java b/opendcs-rest-api/src/main/java/org/opendcs/odcsapi/sec/basicauth/BasicAuthCheck.java
@@ -26,9 +26,12 @@
 
 import com.google.auto.service.AutoService;
 import decodes.tsdb.TimeSeriesDb;
+import io.swagger.v3.oas.models.security.SecurityScheme;
+
 import org.opendcs.database.api.OpenDcsDatabase;
 import org.opendcs.odcsapi.dao.ApiAuthorizationDAI;
 import org.opendcs.odcsapi.dao.OpenDcsDatabaseFactory;
+import org.opendcs.odcsapi.sec.AbstractAuthorizationCheck;
 import org.opendcs.odcsapi.sec.AuthorizationCheck;
 import org.opendcs.odcsapi.sec.OpenDcsApiRoles;
 import org.opendcs.odcsapi.sec.OpenDcsPrincipal;
@@ -37,7 +40,7 @@
 import static org.opendcs.odcsapi.res.DataSourceContextCreator.DATA_SOURCE_ATTRIBUTE_KEY;
 
 @AutoService(AuthorizationCheck.class)
-public final class BasicAuthCheck extends AuthorizationCheck
+public final class BasicAuthCheck extends AbstractAuthorizationCheck
 {
 
 	@Override
@@ -81,4 +84,11 @@ private Set<OpenDcsApiRoles> getUserRoles(String username, ServletContext servle
 			throw new IllegalStateException("Unable to query the database for user authorization", ex);
 		}
 	}
+
+	@Override
+	public SecurityScheme getOaSecurityScheme()
+	{
+		// TODO Auto-generated method stub
+		throw new UnsupportedOperationException("Unimplemented method 'getOaSecurityScheme'");
+	}
 }