Support @PermissionsAllowed with @BeanParam parameters
1 parent
4cab5df
commit 0a03ff2
Showing
27 changed files
with
1,509 additions
and
112 deletions.
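--- /dev/null
+++ b/.../quarkus/resteasy/reactive/server/test/security/BeanParamPermissionIdentityAugmentor.java
@@ -0,0 +1,34 @@
+package io.quarkus.resteasy.reactive.server.test.security;
+
+import java.security.Permission;
+
+import jakarta.enterprise.context.ApplicationScoped;
+
+import io.quarkus.security.StringPermission;
+import io.quarkus.security.identity.AuthenticationRequestContext;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.identity.SecurityIdentityAugmentor;
+import io.quarkus.security.runtime.QuarkusSecurityIdentity;
+import io.smallrye.mutiny.Uni;
+
+@ApplicationScoped
+public class BeanParamPermissionIdentityAugmentor implements SecurityIdentityAugmentor {
+
+    @Override
+    public Uni<SecurityIdentity> augment(SecurityIdentity securityIdentity,
+            AuthenticationRequestContext authenticationRequestContext) {
+        var possessedPermission = createPossessedPermission(securityIdentity);
+        var augmentedIdentity = QuarkusSecurityIdentity
+                .builder(securityIdentity)
+                .addPermissionChecker(requiredPermission -> Uni
+                        .createFrom()
+                        .item(requiredPermission.implies(possessedPermission)))
+                .build();
+        return Uni.createFrom().item(augmentedIdentity);
+    }
+
+    private Permission createPossessedPermission(SecurityIdentity securityIdentity) {
+        // here comes your business logic
+        return securityIdentity.isAnonymous() ? new StringPermission("list") : new StringPermission("read");
+    }
+}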
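Review bot: The permission checker registered in `augment` evaluates `requiredPermission.implies(possessedPermission)`, which is the reverse of the direction a Permission check normally takes (the identity's possessed permission implies the required one), so the decision is handed to the bean-param permission's own `implies` with the identity's StringPermission as its argument. If that inversion is what the test relies on, the placeholder `// here comes your business logic` should be replaced by a comment that says so, e.g. `// Test fixture: the required (bean-param-built) permission decides, given the identity's StringPermission as input`; otherwise the call should read `possessedPermission.implies(requiredPermission)`. The anonymous/authenticated split in `createPossessedPermission` would also benefit from a one-line comment stating which permission each kind of identity is expected to hold.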
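--- /dev/null
+++ b/...ployment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/MyBeanParam.java
@@ -0,0 +1,11 @@
+package io.quarkus.resteasy.reactive.server.test.security;
+
+import jakarta.ws.rs.BeanParam;
+
+import org.jboss.resteasy.reactive.RestHeader;
+import org.jboss.resteasy.reactive.RestQuery;
+
+public record MyBeanParam(@RestQuery String queryParam, @BeanParam Headers headers) {
+    public record Headers(@RestHeader String authorization) {
+    }
+}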
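--- /dev/null
+++ b/...loyment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/MyPermission.java
@@ -0,0 +1,47 @@
+package io.quarkus.resteasy.reactive.server.test.security;
+
+import java.security.Permission;
+import java.util.Objects;
+
+public class MyPermission extends Permission {
+
+    static final MyPermission EMPTY = new MyPermission("my-perm", null, null);
+
+    private final String authorization;
+    private final String queryParam;
+
+    public MyPermission(String permissionName, String authorization, String queryParam) {
+        super(permissionName);
+        this.authorization = authorization;
+        this.queryParam = queryParam;
+    }
+
+    @Override
+    public boolean implies(Permission permission) {
+        if (permission instanceof MyPermission myPermission) {
+            return myPermission.authorization != null && "query1".equals(myPermission.queryParam);
+        }
+        return false;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o)
+            return true;
+        if (o == null || getClass() != o.getClass())
+            return false;
+        MyPermission that = (MyPermission) o;
+        return Objects.equals(authorization, that.authorization)
+                && Objects.equals(queryParam, that.queryParam);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(authorization, queryParam);
+    }
+
+    @Override
+    public String getActions() {
+        return "";
+    }
+}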
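Review bot: `implies` in `MyPermission` never consults `this` or the permission name: it grants whenever the argument carries a non-null authorization and the query value `query1`, so two instances with unrelated names imply each other. `equals` and `hashCode` likewise leave out `getName()`, so `new MyPermission("a", x, y)` equals `new MyPermission("b", x, y)` and the two collapse into one entry in any hash-based collection or PermissionCollection; if the name is part of identity, compare it: `return getName().equals(that.getName()) && Objects.equals(authorization, that.authorization) && Objects.equals(queryParam, that.queryParam);` and `return Objects.hash(getName(), authorization, queryParam);`. If the name is deliberately ignored because this is a fixture, a class-level comment stating that the check is driven solely by the injected bean-param values would stop the class from being copied as a template.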
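--- /dev/null
+++ b/...yment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/OtherBeanParam.java
@@ -0,0 +1,30 @@
+package io.quarkus.resteasy.reactive.server.test.security;
+
+import jakarta.ws.rs.HeaderParam;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.SecurityContext;
+import jakarta.ws.rs.core.UriInfo;
+
+public class OtherBeanParam {
+
+    @HeaderParam("CustomAuthorization")
+    private String customAuthorizationHeader;
+
+    @Context
+    SecurityContext securityContext;
+
+    @Context
+    public UriInfo uriInfo;
+
+    @QueryParam("query")
+    public String query;
+
+    public SecurityContext getSecurityContext() {
+        return securityContext;
+    }
+
+    public String customAuthorizationHeader() {
+        return customAuthorizationHeader;
+    }
+}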
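Review bot: `OtherBeanParam` declares its injectable members at three different access levels — a private `@HeaderParam` field exposed through `customAuthorizationHeader()`, a package-private `@Context SecurityContext` exposed through `getSecurityContext()`, and public `@Context UriInfo` and `@QueryParam` fields — with no comment explaining the mix. That reads like an accident unless the test deliberately covers each way a bean-param value can be resolved for the permission check; a class-level comment such as `// Access levels are intentionally mixed (private+accessor, package-private+getter, public) to cover each bean-param resolution path` would make the intent explicit. The header name `CustomAuthorization` also differs from the field and accessor name `customAuthorizationHeader`, which the same comment could tie together.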
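--- /dev/null
+++ b/...test/java/io/quarkus/resteasy/reactive/server/test/security/OtherBeanParamPermission.java
@@ -0,0 +1,60 @@
+package io.quarkus.resteasy.reactive.server.test.security;
+
+import java.security.Permission;
+
+public class OtherBeanParamPermission extends Permission {
+
+    private final String actions;
+
+    public OtherBeanParamPermission(String permissionName, String customAuthorizationHeader, String name, String query) {
+        super(permissionName);
+        this.actions = computeActions(customAuthorizationHeader, name, query);
+    }
+
+    @Override
+    public String getActions() {
+        return actions;
+    }
+
+    @Override
+    public boolean implies(Permission p) {
+        boolean nameMatches = getName().equals(p.getName());
+        boolean actionMatches = getActions().equals(p.getActions());
+        return nameMatches && actionMatches;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        return false;
+    }
+
+    @Override
+    public int hashCode() {
+        return 0;
+    }
+
+    private static String computeActions(String customAuthorizationHeader, String name, String query) {
+        boolean queryParamAllowedForPermissionName = checkQueryParams(query);
+        boolean usernameWhitelisted = isUserNameWhitelisted(name);
+        boolean customAuthorizationMatches = checkCustomAuthorization(customAuthorizationHeader);
+        var isAuthorized = queryParamAllowedForPermissionName && usernameWhitelisted && customAuthorizationMatches;
+        if (isAuthorized) {
+            return "hello";
+        } else {
+            return "goodbye";
+        }
+    }
+
+    private static boolean checkCustomAuthorization(String customAuthorization) {
+        return "customAuthorization".equals(customAuthorization);
+    }
+
+    private static boolean isUserNameWhitelisted(String userName) {
+        return "admin".equals(userName);
+    }
+
+    private static boolean checkQueryParams(String queryParam) {
+        return "myQueryParam".equals(queryParam);
+    }
+
+}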
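Review bot: `equals` in `OtherBeanParamPermission` unconditionally returns `false` and `hashCode` returns `0`, which breaks the reflexive contract (`p.equals(p)` is false) and makes any hash-based collection of these permissions, including a `PermissionCollection`, behave unpredictably. Since `implies` already defines identity as name plus actions, the same two fields should back equality: `return obj instanceof OtherBeanParamPermission other && getName().equals(other.getName()) && actions.equals(other.actions);` and `return 31 * getName().hashCode() + actions.hashCode();`. Separately, `implies` dereferences `p` and calls `getActions().equals(p.getActions())` without guarding against a null `p` or a null actions string from another Permission subclass; `java.util.Objects.equals(getActions(), p.getActions())` with an explicit `p == null` check would be safer.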