Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add new AuthorizationPolicy annotation to bind named HttpSecurityPolicy to a Jakarta REST endpoints #42749

Conversation

michalvavrik
Copy link
Member

@michalvavrik michalvavrik commented Aug 25, 2024

New annotation @AuthorizationPolicy allows to select HttpSecurityPolicy on endpoints via annotations as alternative to path-matching rules. This allows for general authorization check without augmentation of a SecurityIdentity.

@michalvavrik michalvavrik changed the title Add new AuthorizationPolicy annotation Add new AuthorizationPolicy annotation to bind named HttpSecurityPolicy to a Jakarta REST endpoints Aug 25, 2024
@michalvavrik michalvavrik marked this pull request as draft August 25, 2024 18:47
Copy link

github-actions bot commented Aug 25, 2024

🙈 The PR is closed and the preview is expired.

@michalvavrik michalvavrik force-pushed the feature/add-authorization-policy-annotation branch from cee0a89 to a2ef0ca Compare August 25, 2024 19:08
@michalvavrik michalvavrik marked this pull request as ready for review August 25, 2024 19:09

This comment has been minimized.

@michalvavrik michalvavrik marked this pull request as draft August 25, 2024 19:50
@michalvavrik michalvavrik force-pushed the feature/add-authorization-policy-annotation branch from a2ef0ca to ce3a5a5 Compare August 25, 2024 20:21
@michalvavrik michalvavrik marked this pull request as ready for review August 25, 2024 20:21

This comment has been minimized.

This comment has been minimized.

@michalvavrik
Copy link
Member Author

While CI looks ugly, I can see in the Develocity this io.quarkus.grpc.cli.GrpcCliTest.testCommand test is also failing elsewhere. Additionally, I cannot reproduce it locally. @sberyozkin maybe you can simply review and when I address your change requests, we will see if it gets better.

@sberyozkin
Copy link
Member

Hi @michalvavrik I think this is exactly what we'd like to do at the moment, have a super easy way to bind custom policies to specific JAX-RS classes or methods, and we can evolve @AuthorizationPolicy with more options.
I can't even see what to ask about in this PR, it all looks really precise.

A question that I have so far is this one.

Let's say we have a named HttpSecurityPolicy bean declared as a CDI bean, not even referenced in application.properties, is this policy run at all if it has a non null name() ?
If not then all is clear, but if yes,
and the user also binds it to a method with @AuthorizationPolicy then that would mean the policy will be run twice...

Please clarify it.

@michalvavrik
Copy link
Member Author

michalvavrik commented Aug 26, 2024

Let's say we have a named HttpSecurityPolicy bean declared as a CDI bean, not even referenced in application.properties, is this policy run at all if it has a non null name() ?

Yes. We don't care whether it is named bean or not, as long as there is CDI HTTPSecurityPolicy bean without name it is applied on every request. You can find information about that right above https://quarkus.io/guides/security-authorize-web-endpoints-reference#matching-on-paths-and-methods (scroll up with one stroke).

If not then all is clear, but if yes,
and the user also binds it to a method with @AuthorizationPolicy then that would mean the policy will be run twice...

In @AuthorizationPolicy you only can specify beans with HttpSecurityPolicy#getName, so it cannot run twice. I think I understand what is your question and let me explain it:

@sberyozkin
Copy link
Member

Hi Michal, thanks, but I'm still not getting something. I'm totally fine with not using @Named, my question is different.

So let's say, even without this PR, I have

@ApplicationScoped
class MyPolicy implements HttpSecurityPolicy {
    String name() {return "mypolicy";}
} 

You say we don't really mind if it returns name or not, so does it mean this policy will be called on every request ?

See what I mean when I asked what happens if we refer to this policy from @AuthorizationPolicy(name="mypolicy") ? If the named policy, being a CDI bean, is run anyway, then we have a duplicate call with the annotation.

@michalvavrik
Copy link
Member Author

michalvavrik commented Aug 26, 2024

You say we don't really mind if it returns name or not, so does it mean this policy will be called on every request ?

Let me try to put it differently:

  • on current main your MyPolicy is only called for path /hi:
quarkus.http.auth.permission.permit1.paths=/hi
quarkus.http.auth.permission.permit1.policy=custom

while

@ApplicationScoped
class MyPolicy implements HttpSecurityPolicy {
    String name() {return null;}
} 

is always called. I believe it is rather well documented both in Javadoc https://github.com/quarkusio/quarkus/blob/main/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpSecurityPolicy.java#L26 and https://github.com/quarkusio/quarkus/blob/main/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpSecurityPolicy.java#L14 and in Quarkus documentation https://quarkus.io/guides/security-authorize-web-endpoints-reference#custom-http-security-policy (end of that section)

Which reminds me I should add note about @AuthorizationPolcy to HTTPSecurityPolicy javadoc. Thanks!

  • with this PR additionally, you can replace
quarkus.http.auth.permission.permit1.paths=/hi
quarkus.http.auth.permission.permit1.policy=mypolicy

with @AuthorizationPolicy(name="mypolicy").

See what I mean when I asked what happens if we refer to this policy from @AuthorizationPolicy(name="mypolicy") ? If the named policy, being a CDI bean, is run anyway, then we have a duplicate call with the annotation.

I am really sorry for being slow, but I am yet to understand. There is no duplicate call because your mypolicy is only applied when selected by annotation or configuration properties. Is this maybe opportunity for documentation improvements you can suggest?

This comment has been minimized.

This comment has been minimized.

@michalvavrik michalvavrik force-pushed the feature/add-authorization-policy-annotation branch from 0a40903 to 31474b8 Compare August 27, 2024 13:05

This comment has been minimized.

This comment has been minimized.

@michalvavrik
Copy link
Member Author

heck, I've already run formatting twice. I'll try again.

@michalvavrik michalvavrik force-pushed the feature/add-authorization-policy-annotation branch from 31474b8 to 624195b Compare August 27, 2024 15:36

This comment has been minimized.

This comment has been minimized.

@michalvavrik michalvavrik force-pushed the feature/add-authorization-policy-annotation branch from 624195b to fcb8abb Compare August 28, 2024 15:12
Copy link

quarkus-bot bot commented Aug 28, 2024

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit fcb8abb.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Warning

There are other workflow runs running, you probably need to wait for their status before merging.

Copy link

quarkus-bot bot commented Aug 28, 2024

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit fcb8abb.

Failing Jobs

Status Name Step Failures Logs Raw logs Build scan
Native Tests - Virtual Thread - Messaging Build ⚠️ Check → Logs Raw logs 🔍

You can consult the Develocity build scans.

@michalvavrik
Copy link
Member Author

The Kafka virtual thread failure doesn't seem related. @sberyozkin CI looks good now, please have a look.

@sberyozkin
Copy link
Member

Thanks @michalvavrik

@sberyozkin sberyozkin merged commit d6e82b7 into quarkusio:main Aug 28, 2024
54 of 55 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.16 - main milestone Aug 28, 2024
@quarkus-bot quarkus-bot bot added the kind/enhancement New feature or request label Aug 28, 2024
@michalvavrik michalvavrik deleted the feature/add-authorization-policy-annotation branch August 28, 2024 21:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Development

Successfully merging this pull request may close these issues.

Introduce AuthorizationPolicy annotation
3 participants