Resolve Sec. Identity in RESTEasy Reactive when Proactive Auth disabled

f ix #23547 for RESTEasy Reactive cases (e.g. the issue reproducer)
quarkusio · Jun 30, 2022 · 551edd2 · 551edd2
1 parent f150b14
commit 551edd2
Show file tree

Hide file tree

Showing 7 changed files with 93 additions and 7 deletions.
diff --git a/...c/main/java/io/quarkus/resteasy/reactive/server/deployment/ResteasyReactiveProcessor.java b/...c/main/java/io/quarkus/resteasy/reactive/server/deployment/ResteasyReactiveProcessor.java
@@ -1025,7 +1025,8 @@ public void securityExceptionMappers(BuildProducer<ExceptionMapperBuildItem> exc
     }
 
     @BuildStep
-    MethodScannerBuildItem integrateEagerSecurity(Capabilities capabilities, CombinedIndexBuildItem indexBuildItem) {
+    MethodScannerBuildItem integrateEagerSecurity(Capabilities capabilities, CombinedIndexBuildItem indexBuildItem,
+            HttpBuildTimeConfig httpBuildTimeConfig) {
         if (!capabilities.isPresent(Capability.SECURITY)) {
             return null;
         }
@@ -1036,7 +1037,8 @@ public List<HandlerChainCustomizer> scan(MethodInfo method, ClassInfo actualEndp
                     Map<String, Object> methodContext) {
                 return Objects.requireNonNullElse(
                         consumeStandardSecurityAnnotations(method, actualEndpointClass, index,
-                                (c) -> Collections.singletonList(new EagerSecurityHandler.Customizer())),
+                                (c) -> Collections.singletonList(
+                                        EagerSecurityHandler.Customizer.newInstance(httpBuildTimeConfig.auth.proactive))),
                         Collections.emptyList());
             }
         });

diff --git a/.../io/quarkus/resteasy/reactive/server/test/security/LazyAuthRolesAllowedJaxRsTestCase.java b/.../io/quarkus/resteasy/reactive/server/test/security/LazyAuthRolesAllowedJaxRsTestCase.java
@@ -4,6 +4,7 @@
 
 import java.util.Arrays;
 
+import org.hamcrest.Matchers;
 import org.jboss.shrinkwrap.api.asset.StringAsset;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
@@ -41,6 +42,8 @@ public void testRolesAllowed() {
             RestAssured.given().auth().basic("user", "user").get(path).then().statusCode(200);
             RestAssured.given().auth().basic("admin", "admin").get(path + "/admin").then().statusCode(200);
             RestAssured.given().auth().basic("user", "user").get(path + "/admin").then().statusCode(403);
+            RestAssured.given().auth().basic("admin", "admin").get(path + "/admin/security-identity").then().statusCode(200)
+                    .body(Matchers.is("admin"));
         });
     }
 

diff --git a/.../java/io/quarkus/resteasy/reactive/server/test/security/RolesAllowedBlockingResource.java b/.../java/io/quarkus/resteasy/reactive/server/test/security/RolesAllowedBlockingResource.java
@@ -2,10 +2,13 @@
 
 import javax.annotation.security.PermitAll;
 import javax.annotation.security.RolesAllowed;
+import javax.inject.Inject;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 
+import io.quarkus.security.identity.CurrentIdentityAssociation;
 import io.smallrye.common.annotation.Blocking;
+import io.smallrye.common.annotation.NonBlocking;
 
 /**
  * @author Michal Szynkiewicz, [email protected]
@@ -14,6 +17,10 @@
 @PermitAll
 @Blocking
 public class RolesAllowedBlockingResource {
+
+    @Inject
+    CurrentIdentityAssociation currentIdentityAssociation;
+
     @GET
     @RolesAllowed({ "user", "admin" })
     public String defaultSecurity() {
@@ -27,4 +34,12 @@ public String admin() {
         return "admin";
     }
 
+    @NonBlocking
+    @Path("/admin/security-identity")
+    @RolesAllowed("admin")
+    @GET
+    public String getSecurityIdentity() {
+        return currentIdentityAssociation.getIdentity().getPrincipal().getName();
+    }
+
 }
diff --git a/...src/test/java/io/quarkus/resteasy/reactive/server/test/security/RolesAllowedResource.java b/...src/test/java/io/quarkus/resteasy/reactive/server/test/security/RolesAllowedResource.java
@@ -2,15 +2,23 @@
 
 import javax.annotation.security.PermitAll;
 import javax.annotation.security.RolesAllowed;
+import javax.inject.Inject;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 
+import io.quarkus.security.identity.CurrentIdentityAssociation;
+import io.smallrye.common.annotation.NonBlocking;
+
 /**
  * @author Michal Szynkiewicz, [email protected]
  */
 @Path("/roles")
 @PermitAll
 public class RolesAllowedResource {
+
+    @Inject
+    CurrentIdentityAssociation currentIdentityAssociation;
+
     @GET
     @RolesAllowed({ "user", "admin" })
     public String defaultSecurity() {
@@ -24,4 +32,12 @@ public String admin() {
         return "admin";
     }
 
+    @NonBlocking
+    @Path("/admin/security-identity")
+    @RolesAllowed("admin")
+    @GET
+    public String getSecurityIdentity() {
+        return currentIdentityAssociation.getIdentity().getPrincipal().getName();
+    }
+
 }
diff --git a/.../main/java/io/quarkus/resteasy/reactive/server/runtime/security/EagerSecurityHandler.java b/.../main/java/io/quarkus/resteasy/reactive/server/runtime/security/EagerSecurityHandler.java
@@ -20,6 +20,7 @@
 import io.quarkus.security.spi.runtime.MethodDescription;
 import io.quarkus.security.spi.runtime.SecurityCheck;
 import io.quarkus.security.spi.runtime.SecurityCheckStorage;
+import io.smallrye.mutiny.Uni;
 import io.smallrye.mutiny.subscription.UniSubscriber;
 import io.smallrye.mutiny.subscription.UniSubscription;
 
@@ -37,10 +38,15 @@ public void apply(SecurityIdentity identity, MethodDescription method, Object[]
         }
     };
 
+    private final boolean isProactiveAuthDisabled;
     private volatile InjectableInstance<CurrentIdentityAssociation> currentIdentityAssociation;
     private volatile SecurityCheck check;
     private volatile AuthorizationController authorizationController;
 
+    public EagerSecurityHandler(boolean isProactiveAuthDisabled) {
+        this.isProactiveAuthDisabled = isProactiveAuthDisabled;
+    }
+
     @Override
     public void handle(ResteasyReactiveRequestContext requestContext) throws Exception {
         if (this.check == NULL_SENTINEL) {
@@ -66,11 +72,25 @@ public void handle(ResteasyReactiveRequestContext requestContext) throws Excepti
         if (!authorizationController.isAuthorizationEnabled()) {
             return;
         }
+
         requestContext.requireCDIRequestScope();
         SecurityCheck theCheck = check;
         if (!theCheck.isPermitAll()) {
             requestContext.suspend();
-            getCurrentIdentityAssociation().get().getDeferredIdentity().map(new Function<SecurityIdentity, Object>() {
+            Uni<SecurityIdentity> deferredIdentity = getCurrentIdentityAssociation().get().getDeferredIdentity();
+
+            // if proactive auth is disabled, then accessing SecurityIdentity is a blocking operation for synchronous methods
+            // setting identity here will enable SecurityInterceptors registered in Quarkus Security Deployment to run checks
+            if (isProactiveAuthDisabled && lazyMethod.isNonBlocking) {
+                deferredIdentity = deferredIdentity.call(securityIdentity -> {
+                    if (securityIdentity != null) {
+                        getCurrentIdentityAssociation().get().setIdentity(securityIdentity);
+                    }
+                    return Uni.createFrom().item(securityIdentity);
+                });
+            }
+
+            deferredIdentity.map(new Function<SecurityIdentity, Object>() {
                 @Override
                 public Object apply(SecurityIdentity securityIdentity) {
                     theCheck.apply(securityIdentity, methodDescription,
@@ -105,14 +125,38 @@ private InjectableInstance<CurrentIdentityAssociation> getCurrentIdentityAssocia
         return identityAssociation;
     }
 
-    public static class Customizer implements HandlerChainCustomizer {
+    public static abstract class Customizer implements HandlerChainCustomizer {
+
+        public static Customizer newInstance(boolean isProactiveAuthEnabled) {
+            return isProactiveAuthEnabled ? new ProactiveAuthEnabledCustomizer() : new ProactiveAuthDisabledCustomizer();
+        }
+
+        protected abstract boolean isProactiveAuthDisabled();
+
         @Override
         public List<ServerRestHandler> handlers(Phase phase, ResourceClass resourceClass,
                 ServerResourceMethod serverResourceMethod) {
             if (phase == Phase.AFTER_MATCH) {
-                return Collections.singletonList(new EagerSecurityHandler());
+                return Collections.singletonList(new EagerSecurityHandler(isProactiveAuthDisabled()));
             }
             return Collections.emptyList();
         }
+
+        public static class ProactiveAuthEnabledCustomizer extends Customizer {
+
+            @Override
+            protected boolean isProactiveAuthDisabled() {
+                return false;
+            }
+        }
+
+        public static class ProactiveAuthDisabledCustomizer extends Customizer {
+
+            @Override
+            protected boolean isProactiveAuthDisabled() {
+                return true;
+            }
+        }
+
     }
 }
diff --git a/.../main/java/org/jboss/resteasy/reactive/server/core/startup/RuntimeResourceDeployment.java b/.../main/java/org/jboss/resteasy/reactive/server/core/startup/RuntimeResourceDeployment.java
@@ -176,7 +176,8 @@ public RuntimeResource buildResourceMethod(ResourceClass clazz,
         }
 
         ResteasyReactiveResourceInfo lazyMethod = new ResteasyReactiveResourceInfo(method.getName(), resourceClass,
-                parameterDeclaredUnresolvedTypes, classAnnotationNames, method.getMethodAnnotationNames());
+                parameterDeclaredUnresolvedTypes, classAnnotationNames, method.getMethodAnnotationNames(),
+                !defaultBlocking && !method.isBlocking());
 
         RuntimeInterceptorDeployment.MethodInterceptorContext interceptorDeployment = runtimeInterceptorDeployment
                 .forMethod(method, lazyMethod);

diff --git a/...me/src/main/java/org/jboss/resteasy/reactive/server/spi/ResteasyReactiveResourceInfo.java b/...me/src/main/java/org/jboss/resteasy/reactive/server/spi/ResteasyReactiveResourceInfo.java
@@ -20,6 +20,10 @@ public class ResteasyReactiveResourceInfo implements ResourceInfo {
     private final Class[] parameterTypes;
     private final Set<String> classAnnotationNames;
     private final Set<String> methodAnnotationNames;
+    /**
+     * If it's non-blocking method within the runtime that won't always default to blocking
+     */
+    public final boolean isNonBlocking;
 
     private volatile Annotation[] classAnnotations;
     private volatile Method method;
@@ -28,12 +32,13 @@ public class ResteasyReactiveResourceInfo implements ResourceInfo {
     private volatile String methodId;
 
     public ResteasyReactiveResourceInfo(String name, Class<?> declaringClass, Class[] parameterTypes,
-            Set<String> classAnnotationNames, Set<String> methodAnnotationNames) {
+            Set<String> classAnnotationNames, Set<String> methodAnnotationNames, boolean isNonBlocking) {
         this.name = name;
         this.declaringClass = declaringClass;
         this.parameterTypes = parameterTypes;
         this.classAnnotationNames = classAnnotationNames;
         this.methodAnnotationNames = methodAnnotationNames;
+        this.isNonBlocking = isNonBlocking;
     }
 
     public String getName() {