-
Notifications
You must be signed in to change notification settings - Fork 2.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #30026 from michalvavrik/feature/fix-issue-30011
Prevent repeated Quarkus Security exception handling that lead to duplicate headers during OIDC redirect
- Loading branch information
Showing
9 changed files
with
570 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
100 changes: 100 additions & 0 deletions
100
.../test/java/io/quarkus/resteasy/test/security/AuthenticationFailedExceptionHeaderTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,100 @@ | ||
package io.quarkus.resteasy.test.security; | ||
|
||
import static io.vertx.core.http.HttpHeaders.LOCATION; | ||
import static org.junit.jupiter.api.Assertions.assertEquals; | ||
|
||
import java.util.Set; | ||
|
||
import javax.enterprise.context.ApplicationScoped; | ||
import javax.ws.rs.GET; | ||
import javax.ws.rs.Path; | ||
|
||
import org.jboss.shrinkwrap.api.asset.StringAsset; | ||
import org.junit.jupiter.api.Test; | ||
import org.junit.jupiter.api.extension.RegisterExtension; | ||
|
||
import io.quarkus.security.AuthenticationFailedException; | ||
import io.quarkus.security.identity.AuthenticationRequestContext; | ||
import io.quarkus.security.identity.IdentityProvider; | ||
import io.quarkus.security.identity.IdentityProviderManager; | ||
import io.quarkus.security.identity.SecurityIdentity; | ||
import io.quarkus.security.identity.request.AuthenticationRequest; | ||
import io.quarkus.security.identity.request.BaseAuthenticationRequest; | ||
import io.quarkus.test.QuarkusUnitTest; | ||
import io.quarkus.vertx.http.runtime.security.ChallengeData; | ||
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism; | ||
import io.restassured.RestAssured; | ||
import io.restassured.http.Header; | ||
import io.smallrye.mutiny.Uni; | ||
import io.vertx.ext.web.RoutingContext; | ||
|
||
public class AuthenticationFailedExceptionHeaderTest { | ||
|
||
private static final String APP_PROPS = "" + | ||
"quarkus.http.auth.permission.default.paths=/*\n" + | ||
"quarkus.http.auth.permission.default.policy=authenticated"; | ||
|
||
@RegisterExtension | ||
static QuarkusUnitTest runner = new QuarkusUnitTest() | ||
.withApplicationRoot((jar) -> jar | ||
.addAsResource(new StringAsset(APP_PROPS), "application.properties")); | ||
|
||
@Test | ||
public void testHeaders() { | ||
// case-insensitive test that there is only one location header | ||
// there has been duplicate location when both default auth failure handler and auth ex mapper send challenge | ||
var response = RestAssured | ||
.given() | ||
.redirects() | ||
.follow(false) | ||
.when() | ||
.get("/secured-route"); | ||
response.then().statusCode(302); | ||
assertEquals(1, response.headers().asList().stream().map(Header::getName).map(String::toLowerCase) | ||
.filter(LOCATION.toString()::equals).count()); | ||
} | ||
|
||
@Path("/hello") | ||
public static class HelloResource { | ||
@GET | ||
public String hello() { | ||
return "hello"; | ||
} | ||
} | ||
|
||
@ApplicationScoped | ||
public static class FailingAuthenticator implements HttpAuthenticationMechanism { | ||
|
||
@Override | ||
public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) { | ||
return Uni.createFrom().failure(new AuthenticationFailedException()); | ||
} | ||
|
||
@Override | ||
public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() { | ||
return Set.of(BaseAuthenticationRequest.class); | ||
} | ||
|
||
@Override | ||
public Uni<ChallengeData> getChallenge(RoutingContext context) { | ||
return Uni.createFrom().item(new ChallengeData(302, LOCATION, "http://localhost:8080/")); | ||
} | ||
|
||
} | ||
|
||
@ApplicationScoped | ||
public static class BasicIdentityProvider implements IdentityProvider<BaseAuthenticationRequest> { | ||
|
||
@Override | ||
public Class<BaseAuthenticationRequest> getRequestType() { | ||
return BaseAuthenticationRequest.class; | ||
} | ||
|
||
@Override | ||
public Uni<SecurityIdentity> authenticate( | ||
BaseAuthenticationRequest simpleAuthenticationRequest, | ||
AuthenticationRequestContext authenticationRequestContext) { | ||
return Uni.createFrom().nothing(); | ||
} | ||
} | ||
} |
109 changes: 109 additions & 0 deletions
109
...est/java/io/quarkus/resteasy/test/security/AuthenticationRedirectExceptionHeaderTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,109 @@ | ||
package io.quarkus.resteasy.test.security; | ||
|
||
import static io.vertx.core.http.HttpHeaders.CACHE_CONTROL; | ||
import static io.vertx.core.http.HttpHeaders.LOCATION; | ||
import static org.junit.jupiter.api.Assertions.assertEquals; | ||
|
||
import java.util.Set; | ||
|
||
import javax.enterprise.context.ApplicationScoped; | ||
import javax.ws.rs.GET; | ||
import javax.ws.rs.Path; | ||
|
||
import org.jboss.shrinkwrap.api.asset.StringAsset; | ||
import org.junit.jupiter.api.Test; | ||
import org.junit.jupiter.api.extension.RegisterExtension; | ||
|
||
import io.quarkus.security.AuthenticationRedirectException; | ||
import io.quarkus.security.identity.AuthenticationRequestContext; | ||
import io.quarkus.security.identity.IdentityProvider; | ||
import io.quarkus.security.identity.IdentityProviderManager; | ||
import io.quarkus.security.identity.SecurityIdentity; | ||
import io.quarkus.security.identity.request.AuthenticationRequest; | ||
import io.quarkus.security.identity.request.BaseAuthenticationRequest; | ||
import io.quarkus.test.QuarkusUnitTest; | ||
import io.quarkus.vertx.http.runtime.security.ChallengeData; | ||
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism; | ||
import io.restassured.RestAssured; | ||
import io.restassured.http.Header; | ||
import io.restassured.response.Response; | ||
import io.smallrye.mutiny.Uni; | ||
import io.vertx.ext.web.RoutingContext; | ||
|
||
public class AuthenticationRedirectExceptionHeaderTest { | ||
|
||
private static final String APP_PROPS = "" + | ||
"quarkus.http.auth.permission.default.paths=/*\n" + | ||
"quarkus.http.auth.permission.default.policy=authenticated"; | ||
|
||
@RegisterExtension | ||
static QuarkusUnitTest runner = new QuarkusUnitTest() | ||
.withApplicationRoot((jar) -> jar | ||
.addAsResource(new StringAsset(APP_PROPS), "application.properties")); | ||
|
||
@Test | ||
public void testHeaders() { | ||
// case-insensitive test that Pragma, cache-control and location headers are only present once | ||
// there were duplicate headers when both default auth failure handler and auth ex mapper set headers | ||
var response = RestAssured | ||
.given() | ||
.redirects() | ||
.follow(false) | ||
.when() | ||
.get("/secured-route"); | ||
response.then().statusCode(302); | ||
assertEquals(1, getHeaderCount(response, LOCATION.toString())); | ||
assertEquals(1, getHeaderCount(response, CACHE_CONTROL.toString())); | ||
assertEquals(1, getHeaderCount(response, "Pragma")); | ||
} | ||
|
||
private static int getHeaderCount(Response response, String headerName) { | ||
headerName = headerName.toLowerCase(); | ||
return (int) response.headers().asList().stream().map(Header::getName).map(String::toLowerCase) | ||
.filter(headerName::equals).count(); | ||
} | ||
|
||
@Path("/hello") | ||
public static class HelloResource { | ||
@GET | ||
public String hello() { | ||
return "hello"; | ||
} | ||
} | ||
|
||
@ApplicationScoped | ||
public static class RedirectingAuthenticator implements HttpAuthenticationMechanism { | ||
|
||
@Override | ||
public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) { | ||
return Uni.createFrom().failure(new AuthenticationRedirectException(302, "https://quarkus.io/")); | ||
} | ||
|
||
@Override | ||
public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() { | ||
return Set.of(BaseAuthenticationRequest.class); | ||
} | ||
|
||
@Override | ||
public Uni<ChallengeData> getChallenge(RoutingContext context) { | ||
return Uni.createFrom().item(new ChallengeData(302, "header-name", "header-value")); | ||
} | ||
|
||
} | ||
|
||
@ApplicationScoped | ||
public static class BasicIdentityProvider implements IdentityProvider<BaseAuthenticationRequest> { | ||
|
||
@Override | ||
public Class<BaseAuthenticationRequest> getRequestType() { | ||
return BaseAuthenticationRequest.class; | ||
} | ||
|
||
@Override | ||
public Uni<SecurityIdentity> authenticate( | ||
BaseAuthenticationRequest simpleAuthenticationRequest, | ||
AuthenticationRequestContext authenticationRequestContext) { | ||
return Uni.createFrom().nothing(); | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.