-
Notifications
You must be signed in to change notification settings - Fork 2.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #42749 from michalvavrik/feature/add-authorization…
…-policy-annotation Add new AuthorizationPolicy annotation to bind named HttpSecurityPolicy to a Jakarta REST endpoints
- Loading branch information
Showing
60 changed files
with
2,114 additions
and
323 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
165 changes: 165 additions & 0 deletions
165
...t/java/io/quarkus/resteasy/test/security/authzpolicy/AbstractAuthorizationPolicyTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,165 @@ | ||
package io.quarkus.resteasy.test.security.authzpolicy; | ||
|
||
import org.hamcrest.Matchers; | ||
import org.junit.jupiter.api.BeforeAll; | ||
import org.junit.jupiter.api.Test; | ||
|
||
import io.quarkus.security.test.utils.TestIdentityController; | ||
import io.quarkus.security.test.utils.TestIdentityProvider; | ||
import io.restassured.RestAssured; | ||
|
||
public abstract class AbstractAuthorizationPolicyTest { | ||
|
||
protected static final Class<?>[] TEST_CLASSES = { TestIdentityProvider.class, TestIdentityController.class, | ||
ForbidAllButViewerAuthorizationPolicy.class, ForbidViewerClassLevelPolicyResource.class, | ||
ForbidViewerMethodLevelPolicyResource.class, NoAuthorizationPolicyResource.class, | ||
PermitUserAuthorizationPolicy.class, ClassRolesAllowedMethodAuthZPolicyResource.class, | ||
ClassAuthZPolicyMethodRolesAllowedResource.class, ViewerAugmentingPolicy.class, | ||
AuthorizationPolicyAndPathMatchingPoliciesResource.class }; | ||
|
||
protected static final String APPLICATION_PROPERTIES = """ | ||
quarkus.http.auth.policy.admin-role.roles-allowed=admin | ||
quarkus.http.auth.policy.viewer-role.roles-allowed=viewer | ||
quarkus.http.auth.permission.jax-rs1.paths=/no-authorization-policy/jax-rs-path-matching-http-perm | ||
quarkus.http.auth.permission.jax-rs1.policy=admin-role | ||
quarkus.http.auth.permission.jax-rs1.applies-to=JAXRS | ||
quarkus.http.auth.permission.standard1.paths=/no-authorization-policy/path-matching-http-perm | ||
quarkus.http.auth.permission.standard1.policy=admin-role | ||
quarkus.http.auth.permission.jax-rs2.paths=/authz-policy-and-path-matching-policies/jax-rs-path-matching-http-perm | ||
quarkus.http.auth.permission.jax-rs2.policy=viewer-role | ||
quarkus.http.auth.permission.jax-rs2.applies-to=JAXRS | ||
quarkus.http.auth.permission.standard2.paths=/authz-policy-and-path-matching-policies/path-matching-http-perm | ||
quarkus.http.auth.permission.standard2.policy=viewer-role | ||
"""; | ||
|
||
@BeforeAll | ||
public static void setupUsers() { | ||
TestIdentityController.resetRoles() | ||
.add("admin", "admin", "admin", "viewer") | ||
.add("user", "user") | ||
.add("viewer", "viewer", "viewer"); | ||
} | ||
|
||
@Test | ||
public void testNoAuthorizationPolicy() { | ||
// unsecured endpoint | ||
RestAssured.given().auth().preemptive().basic("viewer", "viewer").get("/no-authorization-policy/unsecured") | ||
.then().statusCode(200).body(Matchers.equalTo("viewer")); | ||
|
||
// secured with JAX-RS path-matching roles allowed HTTP permission requiring 'admin' role | ||
RestAssured.given().auth().preemptive().basic("user", "user") | ||
.get("/no-authorization-policy/jax-rs-path-matching-http-perm") | ||
.then().statusCode(403); | ||
RestAssured.given().auth().preemptive().basic("admin", "admin") | ||
.get("/no-authorization-policy/jax-rs-path-matching-http-perm") | ||
.then().statusCode(200).body(Matchers.equalTo("admin")); | ||
|
||
// secured with path-matching roles allowed HTTP permission requiring 'admin' role | ||
RestAssured.given().auth().preemptive().basic("user", "user").get("/no-authorization-policy/path-matching-http-perm") | ||
.then().statusCode(403); | ||
RestAssured.given().auth().preemptive().basic("admin", "admin").get("/no-authorization-policy/path-matching-http-perm") | ||
.then().statusCode(200).body(Matchers.equalTo("admin")); | ||
|
||
// secured with @RolesAllowed("admin") | ||
RestAssured.given().auth().preemptive().basic("user", "user").get("/no-authorization-policy/roles-allowed-annotation") | ||
.then().statusCode(403); | ||
RestAssured.given().auth().preemptive().basic("admin", "admin").get("/no-authorization-policy/roles-allowed-annotation") | ||
.then().statusCode(200).body(Matchers.equalTo("admin")); | ||
} | ||
|
||
@Test | ||
public void testMethodLevelAuthorizationPolicy() { | ||
// policy placed on the endpoint directly, requires 'viewer' principal and must not pass anyone else | ||
RestAssured.given().auth().preemptive().basic("admin", "admin").get("/forbid-viewer-method-level-policy") | ||
.then().statusCode(403); | ||
RestAssured.given().auth().preemptive().basic("viewer", "viewer").get("/forbid-viewer-method-level-policy") | ||
.then().statusCode(200).body(Matchers.equalTo("viewer")); | ||
|
||
// which means the other endpoint inside same resource class must not be affected by the policy | ||
RestAssured.given().auth().preemptive().basic("admin", "admin").get("/forbid-viewer-method-level-policy/unsecured") | ||
.then().statusCode(200).body(Matchers.equalTo("admin")); | ||
} | ||
|
||
@Test | ||
public void testClassLevelAuthorizationPolicy() { | ||
// policy placed on the resource, requires 'viewer' principal and must not pass anyone else | ||
RestAssured.given().auth().preemptive().basic("admin", "admin").get("/forbid-viewer-class-level-policy") | ||
.then().statusCode(403); | ||
RestAssured.given().auth().preemptive().basic("viewer", "viewer").get("/forbid-viewer-class-level-policy") | ||
.then().statusCode(200).body(Matchers.equalTo("viewer")); | ||
} | ||
|
||
@Test | ||
public void testAuthorizationPolicyOnMethodAndRolesAllowedOnClass() { | ||
// class with @RolesAllowed("admin") | ||
// method with @AuthorizationPolicy(policy = "permit-user") | ||
RestAssured.given().auth().preemptive().basic("admin", "admin").get("/roles-allowed-class-authorization-policy-method") | ||
.then().statusCode(403); | ||
RestAssured.given().auth().preemptive().basic("user", "user").get("/roles-allowed-class-authorization-policy-method") | ||
.then().statusCode(200).body(Matchers.equalTo("user")); | ||
|
||
// no @AuthorizationPolicy on method, therefore require admin | ||
RestAssured.given().auth().preemptive().basic("user", "user") | ||
.get("/roles-allowed-class-authorization-policy-method/no-authz-policy") | ||
.then().statusCode(403); | ||
RestAssured.given().auth().preemptive().basic("admin", "admin") | ||
.get("/roles-allowed-class-authorization-policy-method/no-authz-policy") | ||
.then().statusCode(200).body(Matchers.equalTo("admin")); | ||
} | ||
|
||
@Test | ||
public void testAuthorizationPolicyOnClassRolesAllowedOnMethod() { | ||
// class with @AuthorizationPolicy(policy = "permit-user") | ||
// method with @RolesAllowed("admin") | ||
RestAssured.given().auth().preemptive().basic("user", "user").get("/authorization-policy-class-roles-allowed-method") | ||
.then().statusCode(403); | ||
RestAssured.given().auth().preemptive().basic("admin", "admin").get("/authorization-policy-class-roles-allowed-method") | ||
.then().statusCode(200).body(Matchers.equalTo("admin")); | ||
|
||
// class with @AuthorizationPolicy(policy = "permit-user") | ||
// method has no annotation, therefore expect to permit only the user | ||
RestAssured.given().auth().preemptive().basic("admin", "admin") | ||
.get("/authorization-policy-class-roles-allowed-method/no-roles-allowed") | ||
.then().statusCode(403); | ||
RestAssured.given().auth().preemptive().basic("user", "user") | ||
.get("/authorization-policy-class-roles-allowed-method/no-roles-allowed") | ||
.then().statusCode(200).body(Matchers.equalTo("user")); | ||
} | ||
|
||
@Test | ||
public void testCombinationOfAuthzPolicyAndPathConfigPolicies() { | ||
// ViewerAugmentingPolicy adds 'admin' role to the viewer | ||
|
||
// here we test that both @AuthorizationPolicy and path-matching policies work together | ||
// viewer role is required by (JAX-RS) path-matching HTTP policies, | ||
RestAssured.given().auth().preemptive().basic("admin", "admin") | ||
.get("/authz-policy-and-path-matching-policies/jax-rs-path-matching-http-perm") | ||
.then().statusCode(200).body(Matchers.equalTo("true")); | ||
RestAssured.given().auth().preemptive().basic("viewer", "viewer") | ||
.get("/authz-policy-and-path-matching-policies/jax-rs-path-matching-http-perm") | ||
.then().statusCode(200).body(Matchers.equalTo("true")); | ||
RestAssured.given().auth().preemptive().basic("user", "user") | ||
.get("/authz-policy-and-path-matching-policies/jax-rs-path-matching-http-perm") | ||
.then().statusCode(403); | ||
RestAssured.given().auth().preemptive().basic("admin", "admin") | ||
.get("/authz-policy-and-path-matching-policies/path-matching-http-perm") | ||
.then().statusCode(200).body(Matchers.equalTo("true")); | ||
RestAssured.given().auth().preemptive().basic("viewer", "viewer") | ||
.get("/authz-policy-and-path-matching-policies/path-matching-http-perm") | ||
.then().statusCode(200).body(Matchers.equalTo("true")); | ||
RestAssured.given().auth().preemptive().basic("user", "user") | ||
.get("/authz-policy-and-path-matching-policies/path-matching-http-perm") | ||
.then().statusCode(403); | ||
|
||
// endpoint is annotated with @RolesAllowed("admin"), therefore class-level @AuthorizationPolicy is not applied | ||
RestAssured.given().auth().preemptive().basic("admin", "admin") | ||
.get("/authz-policy-and-path-matching-policies/roles-allowed-annotation") | ||
.then().statusCode(200).body(Matchers.equalTo("admin")); | ||
RestAssured.given().auth().preemptive().basic("viewer", "viewer") | ||
.get("/authz-policy-and-path-matching-policies/roles-allowed-annotation") | ||
.then().statusCode(403); | ||
RestAssured.given().auth().preemptive().basic("user", "user") | ||
.get("/authz-policy-and-path-matching-policies/roles-allowed-annotation") | ||
.then().statusCode(403); | ||
} | ||
} |
34 changes: 34 additions & 0 deletions
34
...esteasy/test/security/authzpolicy/AuthorizationPolicyAndPathMatchingPoliciesResource.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
package io.quarkus.resteasy.test.security.authzpolicy; | ||
|
||
import jakarta.annotation.security.RolesAllowed; | ||
import jakarta.ws.rs.GET; | ||
import jakarta.ws.rs.Path; | ||
import jakarta.ws.rs.core.Context; | ||
import jakarta.ws.rs.core.SecurityContext; | ||
|
||
import io.quarkus.vertx.http.security.AuthorizationPolicy; | ||
|
||
@AuthorizationPolicy(name = "viewer-augmenting-policy") | ||
@Path("authz-policy-and-path-matching-policies") | ||
public class AuthorizationPolicyAndPathMatchingPoliciesResource { | ||
|
||
@GET | ||
@Path("jax-rs-path-matching-http-perm") | ||
public boolean jaxRsPathMatchingHttpPerm(@Context SecurityContext securityContext) { | ||
return securityContext.isUserInRole("admin"); | ||
} | ||
|
||
@GET | ||
@Path("path-matching-http-perm") | ||
public boolean pathMatchingHttpPerm(@Context SecurityContext securityContext) { | ||
return securityContext.isUserInRole("admin"); | ||
} | ||
|
||
@RolesAllowed("admin") | ||
@GET | ||
@Path("roles-allowed-annotation") | ||
public String rolesAllowed(@Context SecurityContext securityContext) { | ||
return securityContext.getUserPrincipal().getName(); | ||
} | ||
|
||
} |
27 changes: 27 additions & 0 deletions
27
.../test/java/io/quarkus/resteasy/test/security/authzpolicy/BasicAuthenticationResource.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
package io.quarkus.resteasy.test.security.authzpolicy; | ||
|
||
import jakarta.ws.rs.GET; | ||
import jakarta.ws.rs.Path; | ||
import jakarta.ws.rs.core.Context; | ||
import jakarta.ws.rs.core.SecurityContext; | ||
|
||
import io.quarkus.vertx.http.runtime.security.annotation.BasicAuthentication; | ||
import io.quarkus.vertx.http.security.AuthorizationPolicy; | ||
|
||
@Path("basic-auth-ann") | ||
@BasicAuthentication | ||
public class BasicAuthenticationResource { | ||
|
||
@GET | ||
public String noAuthorizationPolicy(@Context SecurityContext securityContext) { | ||
return securityContext.getUserPrincipal().getName(); | ||
} | ||
|
||
@Path("authorization-policy") | ||
@AuthorizationPolicy(name = "forbid-all-but-viewer") | ||
@GET | ||
public String authorizationPolicy(@Context SecurityContext securityContext) { | ||
return securityContext.getUserPrincipal().getName(); | ||
} | ||
|
||
} |
27 changes: 27 additions & 0 deletions
27
...uarkus/resteasy/test/security/authzpolicy/ClassAuthZPolicyMethodRolesAllowedResource.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
package io.quarkus.resteasy.test.security.authzpolicy; | ||
|
||
import jakarta.annotation.security.RolesAllowed; | ||
import jakarta.ws.rs.GET; | ||
import jakarta.ws.rs.Path; | ||
import jakarta.ws.rs.core.Context; | ||
import jakarta.ws.rs.core.SecurityContext; | ||
|
||
import io.quarkus.vertx.http.security.AuthorizationPolicy; | ||
|
||
@AuthorizationPolicy(name = "permit-user") | ||
@Path("authorization-policy-class-roles-allowed-method") | ||
public class ClassAuthZPolicyMethodRolesAllowedResource { | ||
|
||
@RolesAllowed("admin") | ||
@GET | ||
public String principal(@Context SecurityContext securityContext) { | ||
return securityContext.getUserPrincipal().getName(); | ||
} | ||
|
||
@Path("no-roles-allowed") | ||
@GET | ||
public String noAuthorizationPolicy(@Context SecurityContext securityContext) { | ||
return securityContext.getUserPrincipal().getName(); | ||
} | ||
|
||
} |
27 changes: 27 additions & 0 deletions
27
...uarkus/resteasy/test/security/authzpolicy/ClassRolesAllowedMethodAuthZPolicyResource.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
package io.quarkus.resteasy.test.security.authzpolicy; | ||
|
||
import jakarta.annotation.security.RolesAllowed; | ||
import jakarta.ws.rs.GET; | ||
import jakarta.ws.rs.Path; | ||
import jakarta.ws.rs.core.Context; | ||
import jakarta.ws.rs.core.SecurityContext; | ||
|
||
import io.quarkus.vertx.http.security.AuthorizationPolicy; | ||
|
||
@RolesAllowed("admin") | ||
@Path("roles-allowed-class-authorization-policy-method") | ||
public class ClassRolesAllowedMethodAuthZPolicyResource { | ||
|
||
@AuthorizationPolicy(name = "permit-user") | ||
@GET | ||
public String principal(@Context SecurityContext securityContext) { | ||
return securityContext.getUserPrincipal().getName(); | ||
} | ||
|
||
@Path("no-authz-policy") | ||
@GET | ||
public String noAuthorizationPolicy(@Context SecurityContext securityContext) { | ||
return securityContext.getUserPrincipal().getName(); | ||
} | ||
|
||
} |
Oops, something went wrong.