diff --git a/extensions/resteasy-reactive/rest/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/RepeatedPermissionsAllowedTest.java b/extensions/resteasy-reactive/rest/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/RepeatedPermissionsAllowedTest.java new file mode 100644 index 0000000000000..19e41ddfa6652 --- /dev/null +++ b/extensions/resteasy-reactive/rest/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/RepeatedPermissionsAllowedTest.java @@ -0,0 +1,113 @@ +package io.quarkus.resteasy.reactive.server.test.security; + +import jakarta.ws.rs.POST; +import jakarta.ws.rs.Path; + +import org.jboss.shrinkwrap.api.asset.StringAsset; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.RegisterExtension; + +import io.quarkus.security.PermissionsAllowed; +import io.quarkus.security.StringPermission; +import io.quarkus.security.test.utils.TestIdentityController; +import io.quarkus.security.test.utils.TestIdentityProvider; +import io.quarkus.test.QuarkusUnitTest; +import io.restassured.RestAssured; +import io.vertx.core.json.JsonObject; + +public class RepeatedPermissionsAllowedTest { + + @RegisterExtension + static QuarkusUnitTest runner = new QuarkusUnitTest() + .withApplicationRoot((jar) -> jar + .addClasses(TestIdentityProvider.class, TestIdentityController.class, HelloResource.class) + .addAsResource( + new StringAsset( + "quarkus.log.category.\"io.quarkus.vertx.http.runtime.QuarkusErrorHandler\".level=OFF" + + System.lineSeparator()), + "application.properties")); + + @BeforeAll + public static void setupUsers() { + TestIdentityController.resetRoles() + .add("user", "user", new StringPermission("read")) + .add("admin", "admin", new StringPermission("read"), new StringPermission("write")); + } + + @Test + public void testRepeatedPermissionsAllowedOnClass() { + // anonymous user + RestAssured.given() + .body("{%$$#!#@") // assures checks are eager + .post("/hello") + .then() + .statusCode(401); + // authenticated user, insufficient rights + RestAssured.given() + .auth().preemptive().basic("user", "user") + .body("{%$$#!#@") // assures checks are eager + .post("/hello") + .then() + .statusCode(403); + // authorized user, invalid payload + RestAssured.given() + .auth().preemptive().basic("admin", "admin") + .body("{%$$#!#@") // assures checks are eager + .post("/hello") + .then() + .statusCode(500); + } + + @Test + public void testRepeatedPermissionsAllowedOnInterface() { + // anonymous user + RestAssured.given() + .body("{%$$#!#@") // assures checks are eager + .post("/hello-interface") + .then() + .statusCode(401); + // authenticated user, insufficient rights + RestAssured.given() + .auth().preemptive().basic("user", "user") + .body("{%$$#!#@") // assures checks are eager + .post("/hello-interface") + .then() + .statusCode(403); + // authorized user, invalid payload + RestAssured.given() + .auth().preemptive().basic("admin", "admin") + .body("{%$$#!#@") // assures checks are eager + .post("/hello-interface") + .then() + .statusCode(500); + } + + @Path("/hello") + public static class HelloResource { + + @PermissionsAllowed(value = "write") + @PermissionsAllowed(value = "read") + @POST + public String sayHello(JsonObject entity) { + return "ignored"; + } + } + + @Path("/hello-interface") + public interface HelloInterface { + + @PermissionsAllowed(value = "write") + @PermissionsAllowed(value = "read") + @POST + String sayHello(JsonObject entity); + } + + public static class HelloInterfaceImpl implements HelloInterface { + + @Override + public String sayHello(JsonObject entity) { + return "ignored"; + } + } +} diff --git a/extensions/security/spi/src/main/java/io/quarkus/security/spi/SecurityTransformerUtils.java b/extensions/security/spi/src/main/java/io/quarkus/security/spi/SecurityTransformerUtils.java index c85c497a3db9b..39ab0bf50c575 100644 --- a/extensions/security/spi/src/main/java/io/quarkus/security/spi/SecurityTransformerUtils.java +++ b/extensions/security/spi/src/main/java/io/quarkus/security/spi/SecurityTransformerUtils.java @@ -23,6 +23,7 @@ public final class SecurityTransformerUtils { public static final DotName DENY_ALL = DotName.createSimple(DenyAll.class.getName()); private static final Set SECURITY_ANNOTATIONS = Set.of(DotName.createSimple(RolesAllowed.class.getName()), DotName.createSimple(PermissionsAllowed.class.getName()), + DotName.createSimple(PermissionsAllowed.List.class.getName()), DotName.createSimple(Authenticated.class.getName()), DotName.createSimple(DenyAll.class.getName()), DotName.createSimple(PermitAll.class.getName()));