* Initial working state of OpenAPI spec generation
Generates an OpenAPI spec but still has lots of issues
* Fix wrong import
* Add NoAuditEvent annotation to test resource methods
* Add OpenAPI browser frontend (POC)
Add basic OpenAPI browser UI using Redoc loaded from CDN. This is a proof
of concept implementation not yet ready for production use.
- Loads Redoc from CDN to avoid webpack bundling complexity
- Displays OpenAPI spec from /api/openapi.yaml endpoint
- Accessible via Help menu → "OpenAPI browser"
- Route: /openapi-browser
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Make both json & yaml formats work
* Implement plugin path prefixing
+ configure the openAPI context directly to be able to
use dependency injection
* Remove logging
* Migrate REST resources from Swagger to OpenAPI 3.x annotations
Migrated ~150 REST resource files from old Swagger annotations
(io.swagger.annotations.*) to OpenAPI 3.x annotations
(io.swagger.v3.oas.annotations.*).
Migration performed using OpenRewrite and manual fixes:
- @Api → @Tag
- @ApiOperation → @Operation
- @ApiParam → @Parameter
- @ApiResponse code → responseCode
- @ApiResponse message → description
- Removed invalid attributes (allowableValues, defaultValue, tags)
- Fixed nickname → operationId
- Removed response= attribute (needs manual restoration)
Note: Some information was intentionally lost and needs restoration:
- Response type schemas (33 instances)
- Parameter allowableValues constraints (58 instances)
- CLOUD_VISIBLE tags (82 instances)
🤖 Generated with Claude Code (https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Restore response type information to OpenAPI annotations
Adds @ApiResponses with @Content and @Schema to restore the 33 instances
of response type information that were lost during the OpenAPI 3.x migration.
- Automated script restored 20 instances
- Manual additions for 8 instances with multi-line annotations
- 5 instances already fixed in previous commit
- All response codes verified against actual implementation
- Total: 33 response types restored with accurate HTTP status codes
Co-Authored-By: Claude <noreply@anthropic.com>
* Restore parameter allowableValues constraints for OpenAPI 3.x migration
Restore allowableValues constraints that were lost during OpenAPI 3.x
migration by converting from @ApiParam(allowableValues) to
@Parameter with @Schema(allowableValues).
This restores API documentation for parameter value constraints across
22 REST resource files, covering ~58 parameter instances.
Changes:
- Migrated allowableValues from Swagger 2.x @ApiParam to OpenAPI 3.x
@Parameter with @Schema(allowableValues = {...})
- Added missing Schema imports where needed
- Fixed several bugs and inconsistencies from master branch
Summary of Semantic Differences (11 files):
Bug Fixes:
- AuthzRolesResource.getUsersForRole(): Fixed incorrect field list that
had user fields (username,full_name,email) instead of role fields
(id,name,description)
- DatanodeResource: Fixed completely wrong field list (title,description,
type) to actual DataNodeDto fields (hostname,data_node_status,
transport_address,cert_valid_until,datanode_version)
- IndexSetTemplateResource: Fixed "name" to "title" (correct field name)
Added Missing Valid Fields:
- DashboardsResource, SavedSearchesResource, ViewsResource: Added
"last_updated_at" which exists in SEARCH_FIELD_MAPPING
- ViewsResource: Added "owner", "description", "summary" (was very
incomplete in master)
- AuthzRolesResource (getList, getListForUser): Added "id" field
- GrokResource, IndexFieldTypeProfileResource: Added "id" and other
valid fields from SEARCH_FIELD_MAPPING
Removed Invalid Fields:
- StreamResource: Removed "updated_at", "status" (not in
SEARCH_FIELD_MAPPING, didn't work)
- GrokResource: Removed "pattern" (not in search mapping)
- IndexSetsMappingResource: Reduced to "field_name" only (other fields
not implemented)
Fixed Constraint Type:
- ClusterLoggersResource: Removed inappropriate allowableValues range
constraint for numeric limit parameter (already has @Min validation)
Files with Identical Field Lists (13 files):
EventDefinitionsResource, EventNotificationsResource, PipelineResource,
RuleResource, CollectorResource, ConfigurationResource, SidecarResource,
ScriptingApiResource, AuthServiceBackendsResource, UsersResource,
TokenUsageResource, LookupTableResource - all have identical semantics,
just migrated annotation syntax.
Rationale:
All semantic differences were introduced to correct API documentation to
match actual backend implementation. Changes ensure that:
1. All advertised sort fields actually work
2. All functional sort fields are advertised
3. API spec accurately reflects backend capabilities
4. Bugs in master branch are fixed
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Add replacement for CLOUD_VISIBLE tag
* Add @PublicCloudAPI annotation to cloud-visible REST resources
Add @PublicCloudAPI annotation to 82 REST resources that were previously
marked with tags = {CLOUD_VISIBLE} in Swagger 2.x @Api annotations.
This annotation is used by CustomOpenAPIScanner to filter resources when
IS_CLOUD=true, ensuring only cloud-appropriate APIs are exposed in the
OpenAPI specification for cloud deployments.
Resources annotated:
- Events (4 resources): EventDefinitionsResource, EventNotificationsResource, etc.
- Pipeline Processor (5 resources): PipelineResource, RuleResource, SimulatorResource, etc.
- Sidecar (6 resources): SidecarResource, CollectorResource, ConfigurationResource, etc.
- Views/Search (15 resources): DashboardsResource, SavedSearchesResource, ViewsResource, etc.
- Security (6 resources): AuthzRolesResource, CAResource, ClientCertResource, etc.
- System (30+ resources): StreamResource, InputsResource, NotificationsResource, etc.
- Other resources (15+): MessageResource, EntitySuggestionResource, ContentPackResource, etc.
The @PublicCloudAPI annotation:
- Marks resources as available in public cloud deployments
- Does not appear in the generated OpenAPI specification
- Filters resources during OpenAPI generation when isCloud=true
- Replaces the old tags = {CLOUD_VISIBLE} approach from Swagger 2.x
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Migrate McpRestResource from Swagger 2.x to OpenAPI 3.x
Updates the MCP REST resource to use OpenAPI 3.x annotations, completing the migration of all REST resources in the project.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* WIP: add TODOS and subtype resolver prototype
* Add OpenAPI browser to help menu after merge conflict resolution
The OpenAPI browser menu item was lost during the merge when the help menu
was refactored from hardcoded items to a plugin-based registration system.
This restores the menu item in the new bindings.ts format.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Make legacy generator work with new annotations
* Remove unused CLOUD_VISIBLE flag
* Temporarily make test pass
* Use @RequestBody annotation instead of @Parameter
* Synchronize our not thread-safe custom reader
* Add discriminator mapping based on jackson annotations
* WIP command to generate a spec without a running server
* Add output file argument
* Don't hardcode any config parameters
* Add spec generation to maven build
* Move spec generation into profile
* Add generated spec to resources
* Attempt to stabilize spec format
* Adjust test to openapi 3.1 schema
* Resolve registered subtypes
* bind object mapper to provider
* don't skip empty subtype names
* update spec
* Revert extraction of ObjectMapperConfiguration
With the latest changes, it didn't have an effect
anymore.
* Expose OpenAPIContext to not hide the caching behavior
* Apply sorting for both web and command context
* use fully qualified type names in schema
* Fix broken discriminator mapping
* Add custom handling for ImmutableMap
* Split event expression types
Swagger can't deal with the generic type hierarchy.
It would generate faulty allOf's with refs to both
Expression<Boolean> and Expression<Number> in one
schema, e.g. for
`org.graylog.events.conditions.Expr.And`.
* Prevent duplicate operation IDs
* Skip NonApiResource annotated resources
* Add validation to spec command
* Replace terms "spec"/"specification" with "description"
* Update openapi description
* Switch to swagger-ui-react
* Serve description at openapi.yaml / openapi.json again
* Add missing license headers
* Add security schemes but hide them in swagger ui
* Update openapi description
* configure swagger ui
* add changelog
* qualify url to openapi.yaml
* Remove old api browser
* Rudimentary styling for swagger ui
* Fix broken handling of duplicate paths
* update openapi description
* fix changelog
* Remove swagger CSP group & deprecate DocumentationResource
* Update graylog2-server/src/main/java/org/graylog/api/GenerateOpenApiDescriptionCommand.java
Co-authored-by: Kay Roepke <kroepke@googlemail.com>
* create parent path if non-existent
* Polish print statements
* Remove term "Graylog"
* adjust RequestBody annotations to include schema ref in each case
* Update graylog2-server/src/main/java/org/graylog/api/GenerateOpenApiDescriptionCommand.java
Co-authored-by: Kay Roepke <kroepke@googlemail.com>
* Add annotations for success responses with declared response types
* treat Immutable(List|Set) as the java.util equivalents
* semver Version is serialized as a String in our api
* extract helper method and add overrides for joda-time and threeten classes
* HostAndPort is a string in openapi
* for ImmutableMap treat keys with GRN or joda-time DateTime types as strings for schema generation
* Add more missing response schemas
* Remove swagger annotations from datanode resource
* Add forbidden-apis rule for io.swagger.annotations.*
* Get rid of remaining ImmutableMap instances
* Remove openapi.yaml from VCS
* Execute OpenAPI desc generation in separate JVM
to avoid classloader issues due to bouncycastle
registration during command startup
* Add handling for java.time.Duration and simplify scalar type mapping
* More custom handling for various types
* `yarn format`
* Add special handling for FormDataContentDisposition in old swagger specs
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Kay Roepke <kroepke@googlemail.com>
This fixes CVE-2025-12183.
Since the org.lz4:lz4-java library is no longer maintained, we switched
to the maintained at.yawk.lz4:lz4-java community fork.
(as recommended in the security advisory)
See: https://www.sonatype.com/security-advisories/cve-2025-12183
We banned org.lz4:lz4-java via the enforcer plugin and excluded the
dependency in affected dependency declarations.
* add openrewrite infrastructure and necessary junit jupiter api deps
* update openrewrite docs and remove configLocation from plugin config, so we can override it
* initial openrewrite migration to junit5, work in progress
* replace rule with extension, use mongocollections instead of the instance
* fix parameterized test
* replace jukito with guice-extension for junit5 compatibility
* yet more mongocollections injection
* manually create MongoCollections where we need a custom objectmapper for subtypes
* fix license header
* replace junit4 conditional runner with enabledif static methods, only used in a single test anyway
* fix resource name collision in class loader test
* how did this ever compile?
* use explicit temp dir in tests, otherwise we'd need to create the directories
* add extension that tracks search instances and properly calls their clean up methods according to test lifecycle
* add comment explaining how the closing of testable search instances works with the extension
* use convert rule to extension
* convert rule to extension
* remove old import
* convert SkipDefaultIndexTemplateWatcher to junit5 extension api
* migrate from @Rule to @SearchInstance
* convert remaining @Rule to @SearchInstance
* clean up imports
* replace legacy RestoreSystemProperties rules with custom extension
* migrate all remaining junit4 references
* replace legacy system-rules dep with more modern one for system stream capturing
* remove unused junit4 import
* remove junit5-system-extensions, causes junit engine crashes
* remove legacy junit4 dependency for good :party:
* remove unnecessary openrewrite doc
* move forbiddenapi back out of profile, to avoid it being disabled when other profiles are explicitly given
* suppress forbidden api check for search instance detection
* remove jukito + vintage engine and adapt usage of legacy junit4 apis
* add core junit4 classes Test and Assert to forbidden apis
* replace forbidden junit4 api with junit6 equivalent
* remove guava testlib as it pulls in junit4, replaced FakeTicker with a simpler custom implementation for tests
* update testcontainers to 2.0.2 to get rid of the junit4 transitive dependency
needed to remove all ExternalResources
* migrated MongoDBInstance to MongoDBTestService (basically identically anyway)
* inlined some unnecessary interfaces
removed unused imports of junit4 classes
* migrate junit4 api usage
mockito with junit5 is much stricter about argument matcher types, so we need to adapt to Set -> Collection signature change
* actually start the container now that MongoDBInstance.java is gone
* improve test code
* simplify test case
* simplify test case
* simplify test case
* simplify test case
* simplify test case
* simplify test case
* forgot to remove the commented junit4 superclass
* rename MongoDBTestService#create methods to #createStarted and make start() private
* don't close the per-class mongodb instance for @Nested junit test classes
otherwise the first afterAll callback will destroy the instance and subsequent tests will fail
* Remove maven.compiler.* properties from plugin archetype
They are already defined in org.graylog:graylog-parent
* Maven: update java compiler version from 17 to 21
* Update java in Github workflows
* Fix deprecated usage of URL constructor
* Fix deprecated usage of Thread#id
* Catch IllegalArgumentException when URLs are not absolute
* Remove PMD plugin for lack of java 21 support
* Update to Java 21
* Inherig compiler source/target settings from parent
* Use Java 21 in test containers
* Fix URL deprecation error for Java 21
* Setup Mockito Java Agent for surefire
See "Explicitly setting up instrumentation for inline mocking (Java 21+)"
at https://javadoc.io/doc/org.mockito/mockito-core/latest/org.mockito/org/mockito/Mockito.html#0.3
* Switch dependency plugin to test phase and fix argLine
* Get dependency properties in test-compile phase
* Add changelog entry and adjust UPGRADING.md
---------
Co-authored-by: Othello Maurer <othello@graylog.com>
