Replace ApiKey with SecurityScheme and AuthorizationScope with Scopes (#808)

* add some transforms of springfox security api to swagger v3

* Apply suggestions from code review

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Add recipes to SpringFoxToSpringDoc

* change package to org.openrewrite.java.springdoc

* Use backticks around class names in markdown

* replace body of passAsToSecuritySchemeIn with more robust implementation

* Apply best practice rewrites

- Format ternary operators and else-if chains in FindConfigurationProperties
- Apply Yoda conditions in test assertions
- Add @DocumentExample annotation to test
- Reorder examples in YAML configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* Remove copied comment and inline local variable

* Polish `FindConfigurationProperties`

---------

Co-authored-by: Tim te Beek <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Claude <[email protected]>

Author: 4 people

build.gradle.kts

@@ -187,6 +187,7 @@ dependencies {
     implementation("org.openrewrite:rewrite-yaml")
     implementation("org.openrewrite:rewrite-gradle")
     implementation("org.openrewrite:rewrite-maven")
+    implementation("org.openrewrite.meta:rewrite-analysis:${rewriteVersion}")
     implementation("org.openrewrite.recipe:rewrite-java-dependencies:${rewriteVersion}")
     implementation("org.openrewrite.recipe:rewrite-static-analysis:${rewriteVersion}")
     implementation("org.openrewrite.gradle.tooling:model:${rewriteVersion}")

src/main/java/org/openrewrite/java/spring/search/FindConfigurationProperties.java

@@ -21,6 +21,7 @@
 import org.openrewrite.Recipe;
 import org.openrewrite.SourceFile;
 import org.openrewrite.TreeVisitor;
+import org.openrewrite.internal.ListUtils;
 import org.openrewrite.java.JavaIsoVisitor;
 import org.openrewrite.java.spring.table.ConfigurationPropertiesTable;
 import org.openrewrite.java.tree.Expression;
@@ -45,7 +46,7 @@ public String getDisplayName() {
     public String getDescription() {
         //language=markdown
         return "Find all classes annotated with `@ConfigurationProperties` and extract their prefix values. " +
-               "This is useful for discovering all externalized configuration properties in Spring Boot applications.";
+                "This is useful for discovering all externalized configuration properties in Spring Boot applications.";
     }
 
     @Override
@@ -67,14 +68,11 @@ public J.ClassDeclaration visitClassDeclaration(J.ClassDeclaration classDecl, Ex
                                 prefixInfo.value
                         ));
 
-                        String marker = prefixInfo.isConstant
-                                ? "@ConfigurationProperties(" + prefixInfo.source + " = \"" + prefixInfo.value + "\")"
-                                : "@ConfigurationProperties(\"" + prefixInfo.value + "\")";
-                        c = c.withLeadingAnnotations(
-                                c.getLeadingAnnotations().stream()
-                                        .map(a -> a == annotation ? SearchResult.found(a, marker) : a)
-                                        .collect(java.util.stream.Collectors.toList())
-                        );
+                        String marker = prefixInfo.isConstant ?
+                                "@ConfigurationProperties(" + prefixInfo.source + " = \"" + prefixInfo.value + "\")" :
+                                "@ConfigurationProperties(\"" + prefixInfo.value + "\")";
+                        c = c.withLeadingAnnotations(ListUtils.map(c.getLeadingAnnotations(),
+                                a -> a == annotation ? SearchResult.found(a, marker) : a));
                         break;
                     }
                 }
@@ -105,13 +103,16 @@ private PrefixInfo extractPrefix(J.Annotation annotation, J.ClassDeclaration cla
                         Object value = ((J.Literal) arg).getValue();
                         String prefix = value != null ? value.toString() : "";
                         return new PrefixInfo(prefix, prefix, false);
-                    } else if (arg instanceof J.Identifier) {
+                    }
+                    if (arg instanceof J.Identifier) {
                         // Handle @ConfigurationProperties(PREFIX)
                         return resolveFieldValue((J.Identifier) arg, classDecl);
-                    } else if (arg instanceof J.FieldAccess) {
+                    }
+                    if (arg instanceof J.FieldAccess) {
                         // Handle @ConfigurationProperties(SomeClass.PREFIX)
                         return resolveFieldAccessValue((J.FieldAccess) arg);
-                    } else if (arg instanceof J.Assignment) {
+                    }
+                    if (arg instanceof J.Assignment) {
                         // Handle @ConfigurationProperties(value = "prefix") or @ConfigurationProperties(prefix = "prefix")
                         J.Assignment assignment = (J.Assignment) arg;
                         if (assignment.getVariable() instanceof J.Identifier) {
@@ -122,9 +123,11 @@ private PrefixInfo extractPrefix(J.Annotation annotation, J.ClassDeclaration cla
                                     Object value = ((J.Literal) assignmentValue).getValue();
                                     String prefix = value != null ? value.toString() : "";
                                     return new PrefixInfo(prefix, prefix, false);
-                                } else if (assignmentValue instanceof J.Identifier) {
+                                }
+                                if (assignmentValue instanceof J.Identifier) {
                                     return resolveFieldValue((J.Identifier) assignmentValue, classDecl);
-                                } else if (assignmentValue instanceof J.FieldAccess) {
+                                }
+                                if (assignmentValue instanceof J.FieldAccess) {
                                     return resolveFieldAccessValue((J.FieldAccess) assignmentValue);
                                 }
                             }

src/main/java/org/openrewrite/java/spring/swagger/ApiInfoBuilderToInfo.java renamed to src/main/java/org/openrewrite/java/springdoc/ApiInfoBuilderToInfo.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.openrewrite.java.spring.swagger;
+package org.openrewrite.java.springdoc;
 
 import org.jspecify.annotations.Nullable;
 import org.openrewrite.*;

src/main/java/org/openrewrite/java/springdoc/SecurityContextToSecurityScheme.java

@@ -0,0 +1,126 @@
+/*
+ * Copyright 2025 the original author or authors.
+ * <p>
+ * Licensed under the Moderne Source Available License (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * https://docs.moderne.io/licensing/moderne-source-available-license
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.openrewrite.java.springdoc;
+
+import org.openrewrite.*;
+import org.openrewrite.analysis.constantfold.ConstantFold;
+import org.openrewrite.analysis.util.CursorUtil;
+import org.openrewrite.java.*;
+import org.openrewrite.java.search.UsesMethod;
+import org.openrewrite.java.tree.Expression;
+import org.openrewrite.java.tree.J;
+
+import java.util.Arrays;
+import java.util.List;
+
+public class SecurityContextToSecurityScheme extends Recipe {
+    private static final MethodMatcher APIKEY_MATCHER = new MethodMatcher("springfox.documentation.service.ApiKey <constructor>(String, String, String)");
+    private static final MethodMatcher AUTHORIZATION_SCOPE_MATCHER = new MethodMatcher("springfox.documentation.service.AuthorizationScope <constructor>(String, String)");
+
+    @Override
+    public String getDisplayName() {
+        return "Replace elements of SpringFox's security with Swagger's security models";
+    }
+
+    @Override
+    public String getDescription() {
+        return "Replace `ApiKey`, `AuthorizationScope`, and `SecurityScheme` elements with Swagger's equivalents.";
+    }
+
+    @Override
+    public TreeVisitor<?, ExecutionContext> getVisitor() {
+
+        return new TreeVisitor<Tree, ExecutionContext>() {
+            @Override
+            public Tree preVisit(Tree tree, ExecutionContext ctx) {
+                stopAfterPreVisit();
+
+                Tree t = replaceApiKey(ctx, tree);
+                return replaceAuthorizationScope(ctx, t);
+            }
+
+            private Tree replaceApiKey(ExecutionContext ctx, Tree t) {
+                return Preconditions.check(new UsesMethod<>(APIKEY_MATCHER), new JavaVisitor<ExecutionContext>() {
+                    // Replace `Contact` constructor
+                    @Override
+                    public J visitNewClass(J.NewClass newClass, ExecutionContext ctx) {
+                        if (APIKEY_MATCHER.matches(newClass)) {
+                            String inValue = passAsToSecuritySchemeIn(newClass.getArguments().get(2));
+                            maybeRemoveImport("springfox.documentation.service.ApiKey");
+                            maybeAddImport("io.swagger.v3.oas.models.security.SecurityScheme");
+                            return JavaTemplate.builder("new SecurityScheme()\n.type(SecurityScheme.Type.APIKEY)\n.name(#{any(String)})\n.in(" + inValue +")")
+                                    .imports("io.swagger.v3.oas.models.security.SecurityScheme")
+                                    .javaParser(JavaParser.fromJavaVersion().classpathFromResources(ctx, "swagger-models"))
+                                    .build()
+                                    .apply(getCursor(), newClass.getCoordinates().replace(), newClass.getArguments().get(1));
+                        }
+                        return super.visitNewClass(newClass, ctx);
+                    }
+
+                    private String passAsToSecuritySchemeIn(Expression passAsExpr) {
+                        return CursorUtil.findCursorForTree(getCursor(), passAsExpr)
+                                .bind(c -> ConstantFold.findConstantLiteralValue(c, String.class))
+                                .map(passAs -> {
+                                    switch (passAs) {
+                                        case "cookie": return "SecurityScheme.In.COOKIE";
+                                        case "query": return "SecurityScheme.In.QUERY";
+                                        default: return "SecurityScheme.In.HEADER";
+                                    }
+                                })
+                                .orSome("SecurityScheme.In.HEADER");
+                    }
+                }).visitNonNull(t, ctx, getCursor().getParentOrThrow());
+            }
+
+            private Tree replaceAuthorizationScope(ExecutionContext ctx, Tree t) {
+                return Preconditions.check(new UsesMethod<>(AUTHORIZATION_SCOPE_MATCHER), new JavaVisitor<ExecutionContext>() {
+                    @Override
+                    public J visitNewClass(J.NewClass newClass, ExecutionContext ctx) {
+                        if (AUTHORIZATION_SCOPE_MATCHER.matches(newClass)) {
+                            maybeRemoveImport("springfox.documentation.service.AuthorizationScope");
+                            maybeAddImport("io.swagger.v3.oas.models.security.Scopes");
+                            return JavaTemplate.builder("new Scopes().addString(#{any(String)}, #{any(String)})")
+                                    .imports("io.swagger.v3.oas.models.security.Scopes")
+                                    .javaParser(JavaParser.fromJavaVersion().classpathFromResources(ctx, "swagger-models"))
+                                    .build()
+                                    .apply(getCursor(), newClass.getCoordinates().replace(), newClass.getArguments().get(0), newClass.getArguments().get(1));
+                        }
+                        return super.visitNewClass(newClass, ctx);
+                    }
+
+                }).visitNonNull(t, ctx, getCursor().getParentOrThrow());
+            }
+        };
+    }
+
+    @Override
+    public List<Recipe> getRecipeList() {
+        return Arrays.asList(
+                new ChangeType(
+                        "springfox.documentation.service.ApiKey",
+                        "io.swagger.v3.oas.models.security.SecurityScheme",
+                        true),
+                new ChangeType(
+                        "springfox.documentation.service.AuthorizationScope",
+                        "io.swagger.v3.oas.models.security.Scopes",
+                        true),
+                new ChangeType(
+                        "springfox.documentation.service.SecurityScheme",
+                        "io.swagger.v3.oas.models.security.SecurityScheme",
+                        true)
+        );
+    }
+}

src/main/java/org/openrewrite/java/spring/swagger/package-info.java renamed to src/main/java/org/openrewrite/java/springdoc/package-info.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 @NullMarked @NonNullFields
-package org.openrewrite.java.spring.swagger;
+package org.openrewrite.java.springdoc;
 
 import org.jspecify.annotations.NullMarked;
 import org.openrewrite.internal.lang.NonNullFields;

src/main/resources/META-INF/rewrite/examples.yml

@@ -5142,7 +5142,41 @@ examples:
     language: java
 ---
 type: specs.openrewrite.org/v1beta/example
-recipeName: org.openrewrite.java.spring.swagger.ApiInfoBuilderToInfo
+recipeName: org.openrewrite.java.spring.test.SpringRulesToJUnitExtension
+examples:
+- description: '`SpringRulesToJUnitExtensionTest#migrateWithSpringBootTestPresent`'
+  sources:
+  - before: |
+      import org.springframework.boot.test.context.SpringBootTest;
+      import org.springframework.test.context.junit4.rules.SpringClassRule;
+      import org.springframework.test.context.junit4.rules.SpringMethodRule;
+      import org.junit.ClassRule;
+      import org.junit.Rule;
+
+      @SpringBootTest
+      class SomeTest {
+
+          @ClassRule
+          public static final SpringClassRule springClassRule = new SpringClassRule();
+
+          @Rule
+          public final SpringMethodRule springMethodRule = new SpringMethodRule();
+
+      }
+    after: |
+      import org.junit.jupiter.api.extension.ExtendWith;
+      import org.springframework.boot.test.context.SpringBootTest;
+      import org.springframework.test.context.junit.jupiter.SpringExtension;
+
+      @ExtendWith(SpringExtension.class)
+      @SpringBootTest
+      class SomeTest {
+
+      }
+    language: java
+---
+type: specs.openrewrite.org/v1beta/example
+recipeName: org.openrewrite.java.springdoc.ApiInfoBuilderToInfo
 examples:
 - description: '`ApiInfoBuilderToInfoTest#transformApiInfoBuilder`'
   sources:
@@ -5183,40 +5217,6 @@ examples:
     language: java
 ---
 type: specs.openrewrite.org/v1beta/example
-recipeName: org.openrewrite.java.spring.test.SpringRulesToJUnitExtension
-examples:
-- description: '`SpringRulesToJUnitExtensionTest#migrateWithSpringBootTestPresent`'
-  sources:
-  - before: |
-      import org.springframework.boot.test.context.SpringBootTest;
-      import org.springframework.test.context.junit4.rules.SpringClassRule;
-      import org.springframework.test.context.junit4.rules.SpringMethodRule;
-      import org.junit.ClassRule;
-      import org.junit.Rule;
-
-      @SpringBootTest
-      class SomeTest {
-
-          @ClassRule
-          public static final SpringClassRule springClassRule = new SpringClassRule();
-
-          @Rule
-          public final SpringMethodRule springMethodRule = new SpringMethodRule();
-
-      }
-    after: |
-      import org.junit.jupiter.api.extension.ExtendWith;
-      import org.springframework.boot.test.context.SpringBootTest;
-      import org.springframework.test.context.junit.jupiter.SpringExtension;
-
-      @ExtendWith(SpringExtension.class)
-      @SpringBootTest
-      class SomeTest {
-
-      }
-    language: java
----
-type: specs.openrewrite.org/v1beta/example
 recipeName: org.openrewrite.java.springdoc.MigrateSpringdocCommon
 examples:
 - description: '`MigrateSpringdocCommonTest#fixCustomiserAndGroupedOpenApi`'
@@ -5266,6 +5266,32 @@ examples:
     language: java
 ---
 type: specs.openrewrite.org/v1beta/example
+recipeName: org.openrewrite.java.springdoc.SecurityContextToSecurityScheme
+examples:
+- description: '`SecurityContextToSecuritySchemeTest#apiKeyToSecurityScheme`'
+  sources:
+  - before: |
+      import springfox.documentation.service.ApiKey;
+
+      class Test {
+          ApiKey apiKey() {
+              return new ApiKey("api_key", "X-API-KEY", "header");
+          }
+      }
+    after: |
+      import io.swagger.v3.oas.models.security.SecurityScheme;
+
+      class Test {
+          SecurityScheme apiKey() {
+              return new SecurityScheme()
+                      .type(SecurityScheme.Type.APIKEY)
+                      .name("X-API-KEY")
+                      .in(SecurityScheme.In.HEADER);
+          }
+      }
+    language: java
+---
+type: specs.openrewrite.org/v1beta/example
 recipeName: org.openrewrite.java.springdoc.UpgradeSpringDoc_2
 examples:
 - description: '`UpgradeSpringDoc2Test#upgradeMaven`'

src/main/resources/META-INF/rewrite/springdoc.yml

@@ -27,6 +27,8 @@ tags:
 recipeList:
   - org.openrewrite.java.springdoc.SwaggerToSpringDoc
   - org.openrewrite.java.springdoc.ReplaceSpringFoxDependencies
+  - org.openrewrite.java.springdoc.ApiInfoBuilderToInfo
+  - org.openrewrite.java.springdoc.SecurityContextToSecurityScheme
   - org.openrewrite.java.springdoc.MigrateSpringdocCommon
 
 ---