Merge pull request quarkusio#44238 from michalvavrik/feature/improve-…

…repeated-permissions-allowed-in-quaruks-rest Refactor SecurityTransformerUtils to consider repeated annotations
gsmet · Oct 31, 2024 · 3d022be · 3d022be
2 parents 80ed777 + de34b6f
commit 3d022be
Show file tree

Hide file tree

Showing 2 changed files with 114 additions and 0 deletions.
diff --git a/...ava/io/quarkus/resteasy/reactive/server/test/security/RepeatedPermissionsAllowedTest.java b/...ava/io/quarkus/resteasy/reactive/server/test/security/RepeatedPermissionsAllowedTest.java
@@ -0,0 +1,113 @@
+package io.quarkus.resteasy.reactive.server.test.security;
+
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.security.PermissionsAllowed;
+import io.quarkus.security.StringPermission;
+import io.quarkus.security.test.utils.TestIdentityController;
+import io.quarkus.security.test.utils.TestIdentityProvider;
+import io.quarkus.test.QuarkusUnitTest;
+import io.restassured.RestAssured;
+import io.vertx.core.json.JsonObject;
+
+public class RepeatedPermissionsAllowedTest {
+
+    @RegisterExtension
+    static QuarkusUnitTest runner = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addClasses(TestIdentityProvider.class, TestIdentityController.class, HelloResource.class)
+                    .addAsResource(
+                            new StringAsset(
+                                    "quarkus.log.category.\"io.quarkus.vertx.http.runtime.QuarkusErrorHandler\".level=OFF"
+                                            + System.lineSeparator()),
+                            "application.properties"));
+
+    @BeforeAll
+    public static void setupUsers() {
+        TestIdentityController.resetRoles()
+                .add("user", "user", new StringPermission("read"))
+                .add("admin", "admin", new StringPermission("read"), new StringPermission("write"));
+    }
+
+    @Test
+    public void testRepeatedPermissionsAllowedOnClass() {
+        // anonymous user
+        RestAssured.given()
+                .body("{%$$#!#@") // assures checks are eager
+                .post("/hello")
+                .then()
+                .statusCode(401);
+        // authenticated user, insufficient rights
+        RestAssured.given()
+                .auth().preemptive().basic("user", "user")
+                .body("{%$$#!#@") // assures checks are eager
+                .post("/hello")
+                .then()
+                .statusCode(403);
+        // authorized user, invalid payload
+        RestAssured.given()
+                .auth().preemptive().basic("admin", "admin")
+                .body("{%$$#!#@") // assures checks are eager
+                .post("/hello")
+                .then()
+                .statusCode(500);
+    }
+
+    @Test
+    public void testRepeatedPermissionsAllowedOnInterface() {
+        // anonymous user
+        RestAssured.given()
+                .body("{%$$#!#@") // assures checks are eager
+                .post("/hello-interface")
+                .then()
+                .statusCode(401);
+        // authenticated user, insufficient rights
+        RestAssured.given()
+                .auth().preemptive().basic("user", "user")
+                .body("{%$$#!#@") // assures checks are eager
+                .post("/hello-interface")
+                .then()
+                .statusCode(403);
+        // authorized user, invalid payload
+        RestAssured.given()
+                .auth().preemptive().basic("admin", "admin")
+                .body("{%$$#!#@") // assures checks are eager
+                .post("/hello-interface")
+                .then()
+                .statusCode(500);
+    }
+
+    @Path("/hello")
+    public static class HelloResource {
+
+        @PermissionsAllowed(value = "write")
+        @PermissionsAllowed(value = "read")
+        @POST
+        public String sayHello(JsonObject entity) {
+            return "ignored";
+        }
+    }
+
+    @Path("/hello-interface")
+    public interface HelloInterface {
+
+        @PermissionsAllowed(value = "write")
+        @PermissionsAllowed(value = "read")
+        @POST
+        String sayHello(JsonObject entity);
+    }
+
+    public static class HelloInterfaceImpl implements HelloInterface {
+
+        @Override
+        public String sayHello(JsonObject entity) {
+            return "ignored";
+        }
+    }
+}
diff --git a/extensions/security/spi/src/main/java/io/quarkus/security/spi/SecurityTransformerUtils.java b/extensions/security/spi/src/main/java/io/quarkus/security/spi/SecurityTransformerUtils.java
@@ -23,6 +23,7 @@ public final class SecurityTransformerUtils {
     public static final DotName DENY_ALL = DotName.createSimple(DenyAll.class.getName());
     private static final Set<DotName> SECURITY_ANNOTATIONS = Set.of(DotName.createSimple(RolesAllowed.class.getName()),
             DotName.createSimple(PermissionsAllowed.class.getName()),
+            DotName.createSimple(PermissionsAllowed.List.class.getName()),
             DotName.createSimple(Authenticated.class.getName()),
             DotName.createSimple(DenyAll.class.getName()),
             DotName.createSimple(PermitAll.class.getName()));