Disable authentication on generated CORS options

CORS preflight options checks are sent without authentication, and so
the generated OPTIONS integrations should have an empty
"security" list.

Author: JordonPhillips

aws/smithy-aws-apigateway-openapi/src/main/java/software/amazon/smithy/aws/apigateway/openapi/AddCorsPreflightIntegration.java

@@ -17,6 +17,7 @@
 
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
@@ -137,6 +138,7 @@ private static OperationObject createPreflightOperation(
             String path, PathItem pathItem, Map<CorsHeader, String> headers) {
         return OperationObject.builder()
                 .tags(ListUtils.of("CORS"))
+                .security(Collections.emptyList())
                 .description("Handles CORS-preflight requests")
                 .operationId(createOperationId(path))
                 .putResponse("200", createPreflightResponse(headers))

aws/smithy-aws-apigateway-openapi/src/test/resources/software/amazon/smithy/aws/apigateway/openapi/cors-model.openapi.json

@@ -234,6 +234,7 @@
             }
           }
         },
+        "security": [],
         "x-amazon-apigateway-integration": {
           "passThroughBehavior": "when_no_match",
           "requestTemplates": {
@@ -336,6 +337,7 @@
             }
           }
         },
+        "security": [],
         "x-amazon-apigateway-integration": {
           "passThroughBehavior": "when_no_match",
           "requestTemplates": {

smithy-openapi/src/main/java/software/amazon/smithy/openapi/fromsmithy/mappers/RemoveUnusedComponents.java

@@ -15,6 +15,7 @@
 
 package software.amazon.smithy.openapi.fromsmithy.mappers;
 
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -143,7 +144,7 @@ private OpenApi removeUnusedSecuritySchemes(OpenApi openapi) {
 
         for (PathItem path : openapi.getPaths().values()) {
             for (OperationObject operation : path.getOperations().values()) {
-                for (Map<String, List<String>> entry : operation.getSecurity()) {
+                for (Map<String, List<String>> entry : operation.getSecurity().orElse(Collections.emptyList())) {
                     used.addAll(entry.keySet());
                 }
             }

smithy-openapi/src/main/java/software/amazon/smithy/openapi/model/OperationObject.java

@@ -56,7 +56,11 @@ private OperationObject(Builder builder) {
         responses = Collections.unmodifiableMap(new TreeMap<>(builder.responses));
         deprecated = builder.deprecated;
         callbacks = Collections.unmodifiableMap(new TreeMap<>(builder.callbacks));
-        security = ListUtils.copyOf(builder.security);
+        if (builder.security != null) {
+            security = ListUtils.copyOf(builder.security);
+        } else {
+            security = null;
+        }
         servers = ListUtils.copyOf(builder.servers);
     }
 
@@ -104,8 +108,8 @@ public boolean isDeprecated() {
         return deprecated;
     }
 
-    public List<Map<String, List<String>>> getSecurity() {
-        return security;
+    public Optional<List<Map<String, List<String>>>> getSecurity() {
+        return Optional.ofNullable(security);
     }
 
     public List<ServerObject> getServers() {
@@ -139,8 +143,8 @@ protected ObjectNode.Builder createNodeBuilder() {
                     .collect(ObjectNode.collectStringKeys(Map.Entry::getKey, Map.Entry::getValue)));
         }
 
-        if (!security.isEmpty()) {
-            builder.withMember("security", getSecurity().stream()
+        if (getSecurity().isPresent()) {
+            builder.withMember("security", getSecurity().get().stream()
                     .map(map -> map.entrySet().stream()
                             .sorted(Comparator.comparing(Map.Entry::getKey))
                             .map(entry -> Pair.of(entry.getKey(), entry.getValue().stream().map(Node::from)
@@ -163,9 +167,8 @@ protected ObjectNode.Builder createNodeBuilder() {
 
     @Override
     public Builder toBuilder() {
-        return builder()
+        Builder builder = builder()
                 .extensions(getExtensions())
-                .security(security)
                 .callbacks(callbacks)
                 .responses(responses)
                 .parameters(parameters)
@@ -177,14 +180,16 @@ public Builder toBuilder() {
                 .externalDocs(externalDocs)
                 .operationId(operationId)
                 .requestBody(requestBody);
+        getSecurity().ifPresent(builder::security);
+        return builder;
     }
 
     public static final class Builder extends Component.Builder<Builder, OperationObject> {
         private final List<String> tags = new ArrayList<>();
         private final List<ParameterObject> parameters = new ArrayList<>();
         private final Map<String, ResponseObject> responses = new TreeMap<>();
         private final Map<String, CallbackObject> callbacks = new TreeMap<>();
-        private final List<Map<String, List<String>>> security = new ArrayList<>();
+        private List<Map<String, List<String>>> security;
         private final List<ServerObject> servers = new ArrayList<>();
         private String summary;
         private String description;
@@ -275,12 +280,15 @@ public Builder deprecated(boolean deprecated) {
         }
 
         public Builder security(Collection<Map<String, List<String>>> security) {
-            this.security.clear();
+            this.security = new ArrayList<>();
             this.security.addAll(security);
             return this;
         }
 
         public Builder addSecurity(Map<String, List<String>> security) {
+            if (this.security == null) {
+                this.security = new ArrayList<>();
+            }
             this.security.add(security);
             return this;
         }

smithy-openapi/src/test/java/software/amazon/smithy/openapi/fromsmithy/OpenApiConverterTest.java

@@ -21,6 +21,7 @@
 import static org.hamcrest.Matchers.empty;
 import static org.hamcrest.Matchers.not;
 
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import org.junit.jupiter.api.Assertions;
@@ -206,7 +207,7 @@ public void canOmitSecurityRequirements() {
                 .convert(model, ShapeId.from("smithy.example#Service"));
 
         assertThat(result.getSecurity(), empty());
-        assertThat(result.getPaths().get("/2").getGet().get().getSecurity(), empty());
+        assertThat(result.getPaths().get("/2").getGet().get().getSecurity().orElse(Collections.emptyList()), empty());
     }
 
     private static final class ConstantSecurity implements OpenApiMapper {
@@ -231,6 +232,6 @@ public void canChangeSecurityRequirementName() {
                 .convert(model, ShapeId.from("smithy.example#Service"));
 
         assertThat(result.getSecurity().get(0).keySet(), contains("foo_baz"));
-        assertThat(result.getPaths().get("/2").getGet().get().getSecurity().get(0).keySet(), contains("foo_baz"));
+        assertThat(result.getPaths().get("/2").getGet().get().getSecurity().get().get(0).keySet(), contains("foo_baz"));
     }
 }