-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
currentVertxRequest.getCurrent in a SecurityIdentityAugmentor became null since 3.2.9 with GraphQL #37457
Comments
/cc @sberyozkin (security) |
@cescoffier Can it be related to the recent duplicated context fixes ? @michalvavrik AFAIK, the fixes you worked upon did not touch on anything related to the current requests, for 3.2.9 specifcally, the duplicated contexts updates in were done earlier and related to the quarkus-oidc work, this null request problem is on an anonymous identity path. @JDoumerc Can you check please if |
@sberyozkin no unrelated to that change, or it would have been wrong anyway. |
this happens when request context is activated and RoutingContext is request before it is there. Reproducer can't be true, for example this does not happen when proactive authentication is disabled and there is no HTTP Sec policy. I'd suggest it would be easy peasy find out if we had reproducer we could start. I honestly don't know from top of my head what changed in this relation, but what augmentor does is wrong. |
ad
what example does will work only in very special situations. But I don't know GraphQL so maybe it works there. In any case, it can't work with proactive auth or before your stack sets the context. Why don't you take RoutingContext from |
Thanks for your efforts.
Called on the very first line of the public augment method, it is null also.
I don't know how to do so. The Interface AuthenticationRequestContext does not provide any other method than the I haven't precised it but the SecurityAugmentor is implemented in a dedicated Jar (that gots its Jandex index), imported into the GraphQL/Rest server. There was no issue with 3.2.8 on GET on smallrye-metrics or smallrye-health endpoint or GraphQL queries, it is now happening from the 3.2.9. There first was other configuration changes that I completely reverted (what were the authenticated paths) to be sure it was coming from the Quarkus update. |
apologies @JDoumerc you are right, in augmentor you can't take it from context. However you should be able to take it from identity like this Line 18 in 0686575
alright, do you think you can create some reproducer because trying to reproduce it from issue description would take a lot of effort (try many combinations). you described it as easy, so please push it to github and I'll have a look what changed between 3.2.8 and 3.2.9 @JDoumerc thanks for reporting it |
Thanks @cescoffier @michalvavrik for the early feedback on Friday afternoon :-). Michal, that property will likely not work in the anonymous identity case. @JDoumerc Can you please come up with a simple reproducer as Michal asked ? Perhaps you can try to register a custom |
@JDoumerc By the way, did it work in 3.2.8 ? |
I was wrong. |
Thanks you all for your help. I made several tests and share the results with you all:
I attached the whole stack trace on a GraphQL call. The stacktraces of the REST call do not differ between 3.2.8 and 3.2.9 (and that is also why I checked not authenticated REST on another server without GraphQL). The not anymore called entries: at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:177)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:144)
at io.quarkus.smallrye.graphql.runtime.SmallRyeGraphQLOverWebSocketHandler.doHandle(SmallRyeGraphQLOverWebSocketHandler.java:68)
at io.quarkus.smallrye.graphql.runtime.SmallRyeGraphQLAbstractHandler.handleWithIdentity(SmallRyeGraphQLAbstractHandler.java:95)
at io.quarkus.smallrye.graphql.runtime.SmallRyeGraphQLAbstractHandler.handle(SmallRyeGraphQLAbstractHandler.java:76)
at io.quarkus.smallrye.graphql.runtime.SmallRyeGraphQLAbstractHandler.handle(SmallRyeGraphQLAbstractHandler.java:30)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1286) I am wondering if I wasn't somehow using a hack using the SecurityAugmentor (well I needed it and I will have to keep it for roles augmentations as proposed in the documented example). I still don't get why GraphQL queries ends calling the I keep in mind that using the |
Oh! We fixed something related in graphql. That might be a consequence of this fix. |
This is because the websocket handler is now running AFTER the So how should we fix it? Either the |
This can't be done with I didn't do it yet, as I thought there must be a good reason why it is not there. Can @cescoffier provide some reasons why shouldn't we do it?
This is not problem only for GraphQL, users keep activating CDI request context and that breaks what RESTEasy Reactive does etc. |
I should mention there are other issues that require |
That can be done, but the problem is activation of CDI request context as a pattern unless there will be changes in RESTEasy Reactive. |
Describe the bug
From 3.1.X to 3.2.8, the following SecurityIdentityAugmentor implementation:
was able to retrieve a
currentVertxRequest.getCurrent()
value upon unauthenticated requests on any path of my application.Then the class was granting a limited right service account authentication to simulate kind of a not authenticated Guest access to all endpoints.
From 3.2.9, the returned current Vertx context is null.
Trying to workaround with RoutingContext injection leads to the following exception (in both POST GraphQL or GET rest http requests):
Expected behavior
currentVertxRequest.getCurrent()
still returns something when an Http query (REST or GraphQL) has been received and routed to the SecurityAugmentor.Actual behavior
currentVertxRequest.getCurrent()
returns null.Injection of
RutingContext
leads to an exception.How to Reproduce?
Steps to reproduce:
Output of
uname -a
orver
Windows
Output of
java -version
java version "17" 2021-09-14 LTS Java(TM) SE Runtime Environment (build 17+35-LTS-2724) Java HotSpot(TM) 64-Bit Server VM (build 17+35-LTS-2724, mixed mode, sharing)
Quarkus version or git rev
3.2.9.Final
Build tool (ie. output of
mvnw --version
orgradlew --version
)Apache Maven 3.8.2
Additional information
The 3.2.9 release note includes some backports (from 3.7) related to RoutingContext, GraphQL (and Vertx), mainly for WebSocket, but I didn't see any direct correlation from those commits that could have lead to this current change of behavior.
Neither did I found any other way to retrieve the RoutingContext in the Tests that were added.
The text was updated successfully, but these errors were encountered: