Merge pull request #40308 from geoand/#40305

Always populate metrics uri in presence of auth failures

extensions/resteasy-reactive/rest/deployment/src/main/java/io/quarkus/resteasy/reactive/server/deployment/ObservabilityIntegrationBuildItem.java

@@ -0,0 +1,9 @@
+package io.quarkus.resteasy.reactive.server.deployment;
+
+import io.quarkus.builder.item.SimpleBuildItem;
+
+/**
+ * A marker build item signifying that observability features have been integrated
+ */
+public final class ObservabilityIntegrationBuildItem extends SimpleBuildItem {
+}

extensions/resteasy-reactive/rest/deployment/src/main/java/io/quarkus/resteasy/reactive/server/deployment/ObservabilityProcessor.java

@@ -12,6 +12,7 @@
 
 import io.quarkus.deployment.Capabilities;
 import io.quarkus.deployment.Capability;
+import io.quarkus.deployment.annotations.BuildProducer;
 import io.quarkus.deployment.annotations.BuildStep;
 import io.quarkus.deployment.annotations.ExecutionTime;
 import io.quarkus.deployment.annotations.Record;
@@ -42,17 +43,20 @@ public List<HandlerChainCustomizer> scan(MethodInfo method, ClassInfo actualEndp
 
     @BuildStep
     @Record(value = ExecutionTime.STATIC_INIT)
-    FilterBuildItem preAuthFailureFilter(Capabilities capabilities,
+    void preAuthFailureFilter(Capabilities capabilities,
             Optional<MetricsCapabilityBuildItem> metricsCapability,
             ObservabilityIntegrationRecorder recorder,
-            ResteasyReactiveDeploymentBuildItem deployment) {
+            ResteasyReactiveDeploymentBuildItem deployment,
+            BuildProducer<FilterBuildItem> filterProducer,
+            BuildProducer<ObservabilityIntegrationBuildItem> observabilityIntegrationProducer) {
         boolean integrationNeeded = integrationNeeded(capabilities, metricsCapability);
         if (!integrationNeeded) {
-            return null;
+            return;
         }
 
-        return FilterBuildItem.ofPreAuthenticationFailureHandler(
-                recorder.preAuthFailureHandler(deployment.getDeployment()));
+        filterProducer.produce(FilterBuildItem.ofPreAuthenticationFailureHandler(
+                recorder.preAuthFailureHandler(deployment.getDeployment())));
+        observabilityIntegrationProducer.produce(new ObservabilityIntegrationBuildItem());
     }
 
     private boolean integrationNeeded(Capabilities capabilities,

extensions/resteasy-reactive/rest/deployment/src/main/java/io/quarkus/resteasy/reactive/server/deployment/ResteasyReactiveProcessor.java

@@ -1365,9 +1365,13 @@ private static boolean notFoundCustomExMapper(String builtInExSignature, String
 
     @BuildStep
     @Record(value = ExecutionTime.STATIC_INIT)
-    public FilterBuildItem addDefaultAuthFailureHandler(ResteasyReactiveRecorder recorder) {
+    public FilterBuildItem addDefaultAuthFailureHandler(ResteasyReactiveRecorder recorder,
+            ResteasyReactiveDeploymentBuildItem deployment,
+            Optional<ObservabilityIntegrationBuildItem> observabilityIntegrationBuildItem) {
         // replace default auth failure handler added by vertx-http so that our exception mappers can customize response
-        return new FilterBuildItem(recorder.defaultAuthFailureHandler(), FilterBuildItem.AUTHENTICATION - 1);
+        return new FilterBuildItem(
+                recorder.defaultAuthFailureHandler(deployment.getDeployment(), observabilityIntegrationBuildItem.isPresent()),
+                FilterBuildItem.AUTHENTICATION - 1);
     }
 
     private void checkForDuplicateEndpoint(ResteasyReactiveConfig config, Map<String, List<EndpointConfig>> allMethods) {

extensions/resteasy-reactive/rest/runtime/src/main/java/io/quarkus/resteasy/reactive/server/runtime/ResteasyReactiveRecorder.java

@@ -53,6 +53,7 @@
 import io.quarkus.resteasy.reactive.common.runtime.ArcBeanFactory;
 import io.quarkus.resteasy.reactive.common.runtime.ArcThreadSetupAction;
 import io.quarkus.resteasy.reactive.common.runtime.ResteasyReactiveCommonRecorder;
+import io.quarkus.resteasy.reactive.server.runtime.observability.ObservabilityIntegrationRecorder;
 import io.quarkus.runtime.BlockingOperationControl;
 import io.quarkus.runtime.ExecutorRecorder;
 import io.quarkus.runtime.LaunchMode;
@@ -341,11 +342,16 @@ public ServerSerialisers createServerSerialisers() {
         return new ServerSerialisers();
     }
 
-    public Handler<RoutingContext> defaultAuthFailureHandler() {
+    public Handler<RoutingContext> defaultAuthFailureHandler(
+            RuntimeValue<Deployment> deployment, boolean setTemplatePath) {
         return new Handler<RoutingContext>() {
             @Override
             public void handle(RoutingContext event) {
                 if (event.get(QuarkusHttpUser.AUTH_FAILURE_HANDLER) instanceof DefaultAuthFailureHandler) {
+                    if (setTemplatePath) {
+                        ObservabilityIntegrationRecorder.setTemplatePath(event, deployment.getValue());
+                    }
+
                     // fail event rather than end it, so it's handled by abort handlers (see #addFailureHandler method)
                     event.put(QuarkusHttpUser.AUTH_FAILURE_HANDLER, new FailingDefaultAuthFailureHandler());
                 }

extensions/resteasy-reactive/rest/runtime/src/main/java/io/quarkus/resteasy/reactive/server/runtime/observability/ObservabilityIntegrationRecorder.java

@@ -47,82 +47,85 @@ private boolean shouldHandle(RoutingContext event) {
                         || event.failure() instanceof ForbiddenException
                         || event.failure() instanceof UnauthorizedException;
             }
+        };
+    }
 
-            private void setTemplatePath(RoutingContext rc, Deployment deployment) {
-                // do what RestInitialHandler does
-                var initMappers = new RequestMapper<>(deployment.getClassMappers());
-                var requestMatch = initMappers.map(getPathWithoutPrefix(rc, deployment));
-                var remaining = requestMatch.remaining.isEmpty() ? "/" : requestMatch.remaining;
-
-                var serverRestHandlers = requestMatch.value.handlers;
-                if (serverRestHandlers == null || serverRestHandlers.length < 1) {
-                    // nothing we can do
-                    return;
-                }
-                var firstHandler = serverRestHandlers[0];
-                if (!(firstHandler instanceof ClassRoutingHandler)) {
-                    // nothing we can do
-                    return;
-                }
-
-                var classRoutingHandler = (ClassRoutingHandler) firstHandler;
-                var mappers = classRoutingHandler.getMappers();
-
-                var requestMethod = rc.request().method().name();
-
-                // do what ClassRoutingHandler does
-                var mapper = mappers.get(requestMethod);
-                if (mapper == null) {
-                    if (requestMethod.equals(HttpMethod.HEAD) || requestMethod.equals(HttpMethod.OPTIONS)) {
-                        mapper = mappers.get(HttpMethod.GET);
-                    }
-                    if (mapper == null) {
-                        mapper = mappers.get(null);
-                    }
-                    if (mapper == null) {
-                        // can't match the path
-                        return;
-                    }
+    public static void setTemplatePath(RoutingContext rc, Deployment deployment) {
+        // do what RestInitialHandler does
+        var initMappers = new RequestMapper<>(deployment.getClassMappers());
+        var requestMatch = initMappers.map(getPathWithoutPrefix(rc, deployment));
+        if (requestMatch == null) {
+            return;
+        }
+        var remaining = requestMatch.remaining.isEmpty() ? "/" : requestMatch.remaining;
+
+        var serverRestHandlers = requestMatch.value.handlers;
+        if (serverRestHandlers == null || serverRestHandlers.length < 1) {
+            // nothing we can do
+            return;
+        }
+        var firstHandler = serverRestHandlers[0];
+        if (!(firstHandler instanceof ClassRoutingHandler)) {
+            // nothing we can do
+            return;
+        }
+
+        var classRoutingHandler = (ClassRoutingHandler) firstHandler;
+        var mappers = classRoutingHandler.getMappers();
+
+        var requestMethod = rc.request().method().name();
+
+        // do what ClassRoutingHandler does
+        var mapper = mappers.get(requestMethod);
+        if (mapper == null) {
+            if (requestMethod.equals(HttpMethod.HEAD) || requestMethod.equals(HttpMethod.OPTIONS)) {
+                mapper = mappers.get(HttpMethod.GET);
+            }
+            if (mapper == null) {
+                mapper = mappers.get(null);
+            }
+            if (mapper == null) {
+                // can't match the path
+                return;
+            }
+        }
+        var target = mapper.map(remaining);
+        if (target == null) {
+            if (requestMethod.equals(HttpMethod.HEAD)) {
+                mapper = mappers.get(HttpMethod.GET);
+                if (mapper != null) {
+                    target = mapper.map(remaining);
                 }
-                var target = mapper.map(remaining);
-                if (target == null) {
-                    if (requestMethod.equals(HttpMethod.HEAD)) {
-                        mapper = mappers.get(HttpMethod.GET);
-                        if (mapper != null) {
-                            target = mapper.map(remaining);
-                        }
-                    }
+            }
 
-                    if (target == null) {
-                        // can't match the path
-                        return;
-                    }
-                }
+            if (target == null) {
+                // can't match the path
+                return;
+            }
+        }
 
-                var templatePath = requestMatch.template.template + target.template.template;
-                if (templatePath.endsWith("/")) {
-                    templatePath = templatePath.substring(0, templatePath.length() - 1);
-                }
+        var templatePath = requestMatch.template.template + target.template.template;
+        if (templatePath.endsWith("/")) {
+            templatePath = templatePath.substring(0, templatePath.length() - 1);
+        }
 
-                setUrlPathTemplate(rc, templatePath);
-            }
+        setUrlPathTemplate(rc, templatePath);
+    }
 
-            public String getPath(RoutingContext rc) {
-                return rc.normalizedPath();
-            }
+    private static String getPath(RoutingContext rc) {
+        return rc.normalizedPath();
+    }
 
-            public String getPathWithoutPrefix(RoutingContext rc, Deployment deployment) {
-                String path = getPath(rc);
-                if (path != null) {
-                    String prefix = deployment.getPrefix();
-                    if (!prefix.isEmpty()) {
-                        if (path.startsWith(prefix)) {
-                            return path.substring(prefix.length());
-                        }
-                    }
+    private static String getPathWithoutPrefix(RoutingContext rc, Deployment deployment) {
+        String path = getPath(rc);
+        if (path != null) {
+            String prefix = deployment.getPrefix();
+            if (!prefix.isEmpty()) {
+                if (path.startsWith(prefix)) {
+                    return path.substring(prefix.length());
                 }
-                return path;
             }
-        };
+        }
+        return path;
     }
 }

integration-tests/micrometer-security/pom.xml

@@ -0,0 +1,107 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>io.quarkus</groupId>
+        <artifactId>quarkus-integration-tests-parent</artifactId>
+        <version>999-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>quarkus-integration-test-micrometer-security</artifactId>
+    <name>Quarkus - Integration Tests - Micrometer Security</name>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-micrometer-registry-prometheus</artifactId>
+        </dependency>
+
+        <!-- JAX-RS -->
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-rest-jackson</artifactId>
+        </dependency>
+
+        <!-- Security -->
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-security</artifactId>
+        </dependency>
+
+        <!-- Test Dependencies -->
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-junit5</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.rest-assured</groupId>
+            <artifactId>rest-assured</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-micrometer-registry-prometheus-deployment</artifactId>
+            <version>${project.version}</version>
+            <type>pom</type>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>*</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-rest-jackson-deployment</artifactId>
+            <version>${project.version}</version>
+            <type>pom</type>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>*</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-security-deployment</artifactId>
+            <version>${project.version}</version>
+            <type>pom</type>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>*</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.awaitility</groupId>
+            <artifactId>awaitility</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>io.quarkus</groupId>
+                <artifactId>quarkus-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>build</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>

integration-tests/micrometer-security/src/main/java/io/quarkus/it/micrometer/security/SecuredResource.java

@@ -0,0 +1,20 @@
+package io.quarkus.it.micrometer.security;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+
+import io.smallrye.mutiny.Uni;
+
+@Path("/secured")
+public class SecuredResource {
+
+    @GET
+    @Path("/{message}")
+    @Produces(MediaType.TEXT_PLAIN)
+    public Uni<String> message(@PathParam("message") String message) {
+        return Uni.createFrom().item(message);
+    }
+}

integration-tests/micrometer-security/src/main/resources/application.properties

@@ -0,0 +1,2 @@
+quarkus.http.auth.permission.default.paths=/secured/*
+quarkus.http.auth.permission.default.policy=authenticated