
TestSecurity#permissions using SecurityIdentityAugmentor only work with proactive auth #44479

Closed
cmasantos opened this issue Nov 13, 2024 · 3 comments · Fixed by #44535
Assignees
Labels
area/security kind/enhancement New feature or request
Milestone

Comments

@cmasantos

Description

Hello,

The TestSecurity#permissions method says that "If you need to test custom permissions, you can add them with io.quarkus.security.identity.SecurityIdentityAugmentor." But when we use it with a custom annotation like the following example, that permission does not get invoked.

Example:

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.MediaType;

import io.quarkus.security.PermissionsAllowed;

@Path("/hello")
public class GreetingResource {

    // Quarkus creates a CustomPermission("myPermission", user) for each call, passing the
    // "user" method argument to the matching constructor parameter, and checks it against
    // the permissions held by the current SecurityIdentity.
    @PermissionsAllowed(
        value = "myPermission",
        permission = CustomPermission.class
    )
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String hello(@QueryParam("user") String user) {
        return "Hello from Quarkus REST " + user;
    }

}

with custom permission:

import java.security.BasicPermission;
import java.security.Permission;

public class CustomPermission extends BasicPermission {

    private final String user;

    // "name" is the @PermissionsAllowed value; "user" is filled from the secured method's argument.
    public CustomPermission(String name, String user) {
        super(name);
        this.user = user;
    }

    @Override
    public boolean implies(Permission p) {
        // Deliberately permissive in this reproducer: the point is to observe whether it runs at all.
        System.out.println("Checking permission for user: " + user);
        return true;
    }
}

then on the test:

import static io.restassured.RestAssured.given;
import static org.hamcrest.CoreMatchers.is;

import org.junit.jupiter.api.Test;

import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.security.TestSecurity;

@QuarkusTest
class GreetingResourceTest {

    @Test
    @TestSecurity(user = "admin", permissions = {"myPermission"})
    void testHelloEndpoint() {
        given()
          .when().get("/hello")
          .then()
             .statusCode(200)
             .body(is("Hello from Quarkus REST"));
    }

}

it ends up with a 403 (Quarkus 3.16.2).

If we try to use the SecurityIdentityAugmentor, it will not have any different effect; the identity will be anonymous and no permission will get called.

Implementation ideas

No response
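For readers who want to see what "adding a custom permission with a SecurityIdentityAugmentor" looks like in practice, here is an added example (not code from the issue reporter or from the Quarkus project). It assumes the CustomPermission class from the issue above, that the augmentor lives in a package named org.acme, and that the class name CustomPermissionAugmentor is arbitrary. It grants the permission by delegating to CustomPermission#implies, so with the always-true implies from the reproducer every request by an authenticated user is allowed; a real implies should compare the permission name and the user. The anonymous-identity guard is the part the reported symptom makes relevant: an augmentor must never upgrade an anonymous identity.

```java
package org.acme;

import java.security.Permission;
import java.util.function.Function;

import jakarta.enterprise.context.ApplicationScoped;

import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.SecurityIdentityAugmentor;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.mutiny.Uni;

/**
 * Hypothetical augmentor (name is an assumption) that attaches a permission checker
 * backed by the CustomPermission class shown in this issue.
 */
@ApplicationScoped
public class CustomPermissionAugmentor implements SecurityIdentityAugmentor {

    @Override
    public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRequestContext context) {
        // Do not grant anything to the anonymous identity. If the identity reaching the
        // endpoint is anonymous (the symptom described above), this branch keeps it that way.
        if (identity.isAnonymous()) {
            return Uni.createFrom().item(identity);
        }
        return Uni.createFrom().item(build(identity));
    }

    private SecurityIdentity build(SecurityIdentity identity) {
        String principal = identity.getPrincipal().getName();
        return QuarkusSecurityIdentity.builder(identity)
                .addPermissionChecker(checker(principal))
                .build();
    }

    /**
     * Returns a checker invoked with the permission Quarkus builds from @PermissionsAllowed,
     * i.e. new CustomPermission("myPermission", user). The identity is treated as holding a
     * CustomPermission for its own principal; CustomPermission#implies decides the outcome.
     */
    private static Function<Permission, Uni<Boolean>> checker(String principal) {
        return required -> {
            if (!(required instanceof CustomPermission)) {
                // Only answer for the permission type this augmentor knows about;
                // anything else is left to other checkers (and denied if none grants it).
                return Uni.createFrom().item(false);
            }
            CustomPermission possessed = new CustomPermission("myPermission", principal);
            return Uni.createFrom().item(possessed.implies(required));
        };
    }
}
```

With this bean in place, the "Checking permission for user" line from CustomPermission#implies is the signal that the augmentor was applied: if the request is rejected with 403 and that line never appears, the identity the endpoint saw did not go through the augmentor, which is exactly what the issue reports for @TestSecurity before the fix.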

@cmasantos cmasantos added the kind/enhancement New feature or request label Nov 13, 2024

quarkus-bot bot commented Nov 13, 2024

/cc @sberyozkin (security)

@cmasantos cmasantos changed the title TestSecurity#permissions use SecurityIdentityAugmentor only work with proactive auth TestSecurity#permissions using SecurityIdentityAugmentor only work with proactive auth Nov 13, 2024
@michalvavrik michalvavrik self-assigned this Nov 13, 2024
@michalvavrik
Member

To clarify the situation "TestSecurity#permissions using SecurityIdentityAugmentor only work with proactive auth": the TestSecurity#permission works, but it sets string permissions. So the issue I can see is that your augmentor is not applied.

Internally, it may require radical changes, as we basically need to drop TestIdentityAssociation or apply augmentors in there (which feels wrong). I'll have to try it. Thanks.

@michalvavrik
Member

I have looked into this; it turns out augmentors were not applied to the identity produced with @TestSecurity at all. Thank you for bringing this up. I'll open a PR in a few minutes that will fix it.
