From 4ec5c0babf4514cc148d112c395123cb018c08d5 Mon Sep 17 00:00:00 2001
From: Stuart Douglas
Date: Thu, 26 Sep 2019 17:17:24 +0200
Subject: [PATCH] Wire up @Authenticated when used with JAX-RS

This will be changed to use CDI at some point, but for now just make it like up with what we already have
---
 bom/runtime/pom.xml | 9 ++++++++-
 .../resteasy/runtime/RolesAllowedFilter.java | 2 +-
 .../runtime/RolesFilterRegistrar.java | 10 +++++++++-
 extensions/security/runtime/pom.xml | 4 ++++
 .../jwt/test/RolesAllowedUnitTest.java | 19 +++++++++++++++++++
 .../io/quarkus/jwt/test/RolesEndpoint.java | 12 ++++++++++++
 6 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/bom/runtime/pom.xml b/bom/runtime/pom.xml
index 31ae695d649dd..30cb430799ae7 100644
--- a/bom/runtime/pom.xml
+++ b/bom/runtime/pom.xml
@@ -164,7 +164,8 @@
 3.0.0
 5.3.1
 4.7.2
- 1.0.0.Alpha1
+ 1.0.0.Alpha2
+ 1.2
@@ -1125,6 +1126,12 @@
 validation-api
 ${validation-api.version}
+
+
+ javax.interceptor
+ javax.interceptor-api
+ ${javax.interceptor-api.version}
+
 javax.ws.rs
 javax.ws.rs-api
diff --git a/extensions/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/RolesAllowedFilter.java b/extensions/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/RolesAllowedFilter.java
index 44ed4f44bc1e6..627847f90f682 100644
--- a/extensions/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/RolesAllowedFilter.java
+++ b/extensions/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/RolesAllowedFilter.java
@@ -24,7 +24,7 @@ public class RolesAllowedFilter implements ContainerRequestFilter {
 private final Set allowedRoles;
 private final boolean allRolesAllowed;
- public RolesAllowedFilter(String[] allowedRoles) {
+ public RolesAllowedFilter(String... allowedRoles) {
 this.allowedRoles = new HashSet<>(asList(allowedRoles));
 this.allRolesAllowed = this.allowedRoles.stream().anyMatch("*"::equals);
 }
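Review bot: With the constructor now varargs, `new RolesAllowedFilter()` compiles and yields a filter with an empty role set, and the constructor has no Javadoc saying what that or the `"*"` entry means. Whether an empty set denies every request is decided in `filter()`, which is outside this hunk, so the contract should be stated where the set is built. I would add a Javadoc along the lines of `/** @param allowedRoles roles that may call the endpoint; "*" admits any caller with a principal; an empty list admits nobody (confirm against filter()) */`. A `null` array still reaches `asList` unchecked and fails with a bare NullPointerException.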
diff --git a/extensions/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/RolesFilterRegistrar.java b/extensions/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/RolesFilterRegistrar.java
index 46568e5756d21..2ab5874a363d2 100644
--- a/extensions/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/RolesFilterRegistrar.java
+++ b/extensions/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/RolesFilterRegistrar.java
@@ -21,6 +21,8 @@
 import javax.ws.rs.core.FeatureContext;
 import javax.ws.rs.ext.Provider;
+import io.quarkus.security.Authenticated;
+
 /**
 * A JAXRS provider that installs security filters to support the RBAC access to endpoints based on the
 * common security annotations.
@@ -30,7 +32,7 @@ public class RolesFilterRegistrar implements DynamicFeature {
 private static final DenyAllFilter denyAllFilter = new DenyAllFilter();
 private final Set> mpJwtAnnotations = new HashSet<>(
- asList(DenyAll.class, PermitAll.class, RolesAllowed.class));
+ asList(DenyAll.class, PermitAll.class, RolesAllowed.class, Authenticated.class));
 @Override
 public void configure(ResourceInfo resourceInfo, FeatureContext context) {
@@ -40,6 +42,8 @@ public void configure(ResourceInfo resourceInfo, FeatureContext context) {
 configureDenyAll(context);
 } else if (mpJwtAnnotation instanceof RolesAllowed) {
 configureRolesAllowed((RolesAllowed) mpJwtAnnotation, context);
+ } else if (mpJwtAnnotation instanceof Authenticated) {
+ configureAuthenticated(context);
 }
 } else {
 // the resource method is not annotated and the class is not annotated either
@@ -54,6 +58,10 @@ private void configureRolesAllowed(RolesAllowed mpJwtAnnotation, FeatureContext
 context.register(new RolesAllowedFilter(mpJwtAnnotation.value()));
 }
+ private void configureAuthenticated(FeatureContext context) {
+ context.register(new RolesAllowedFilter("*"));
+ }
+
 private void configureDenyAll(FeatureContext context) {
 context.register(denyAllFilter);
 }
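Review bot: The `if`/`else if` chain in `configure` still has no final `else`, so an annotation that is in `mpJwtAnnotations` but has no branch registers no filter at all. That is presumably intended for `PermitAll`, but it also means the next annotation added to the set without a matching branch fails open. A comment such as `// PermitAll: intentionally no filter` on the chain, or a closing `else` that calls `configureDenyAll(context)` for anything unrecognised, would make the default explicit. How a method carrying both `@Authenticated` and `@RolesAllowed` is resolved is decided by the lookup before this hunk, which is not visible here; `configure` starts and ends outside the hunk.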
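Review bot: `configureAuthenticated` expresses "any authenticated caller" as the role wildcard `"*"`, so `@Authenticated` is only as strict as the `allRolesAllowed` path of `RolesAllowedFilter.filter()`, which this patch does not show. If that path ever lets a request with a null principal through, every `@Authenticated` endpoint becomes public. A comment above the `register` call would pin the assumption, for example `// "*" = any caller with a principal; RolesAllowedFilter must reject a null principal`. Since the filter's visible fields are final, a shared constant next to `denyAllFilter` (`private static final RolesAllowedFilter authenticatedFilter = new RolesAllowedFilter("*");`) would also avoid one instance per resource method.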
diff --git a/extensions/security/runtime/pom.xml b/extensions/security/runtime/pom.xml
index e4e9e83c40098..eff2fd7584efe 100644
--- a/extensions/security/runtime/pom.xml
+++ b/extensions/security/runtime/pom.xml
@@ -18,6 +18,10 @@
 io.quarkus
 quarkus-arc
+
+ javax.interceptor
+ javax.interceptor-api
+
 com.oracle.substratevm
 svm
diff --git a/extensions/smallrye-jwt/deployment/src/test/java/io/quarkus/jwt/test/RolesAllowedUnitTest.java b/extensions/smallrye-jwt/deployment/src/test/java/io/quarkus/jwt/test/RolesAllowedUnitTest.java
index 4afb9d08098e1..bfb0c7300e750 100644
--- a/extensions/smallrye-jwt/deployment/src/test/java/io/quarkus/jwt/test/RolesAllowedUnitTest.java
+++ b/extensions/smallrye-jwt/deployment/src/test/java/io/quarkus/jwt/test/RolesAllowedUnitTest.java
@@ -53,6 +53,25 @@ public void callEchoNoAuth() {
 .statusCode(HttpURLConnection.HTTP_UNAUTHORIZED);
 }
+ @Test()
+ public void testAuthenticatedAnnotation() {
+ RestAssured.given()
+ .when()
+ .queryParam("input", "hello")
+ .get("/endp/authenticated")
+ .then()
+ .statusCode(HttpURLConnection.HTTP_UNAUTHORIZED);
+
+ io.restassured.response.Response response = RestAssured.given().auth()
+ .oauth2(token)
+ .when()
+ .get("/endp/authenticated").andReturn();
+
+ Assertions.assertEquals(HttpURLConnection.HTTP_OK, response.getStatusCode());
+ String replyString = response.body().asString();
+ Assertions.assertEquals("jdoe@example.com", replyString);
+ }
+
 /**
 * Validate a request without an MP-JWT to unsecured endpoint has HTTP_OK with expected response
 */
diff --git a/extensions/smallrye-jwt/deployment/src/test/java/io/quarkus/jwt/test/RolesEndpoint.java b/extensions/smallrye-jwt/deployment/src/test/java/io/quarkus/jwt/test/RolesEndpoint.java
index f4bfab980016b..949c5b468b1d0 100644
--- a/extensions/smallrye-jwt/deployment/src/test/java/io/quarkus/jwt/test/RolesEndpoint.java
+++ b/extensions/smallrye-jwt/deployment/src/test/java/io/quarkus/jwt/test/RolesEndpoint.java
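Review bot: `testAuthenticatedAnnotation` covers only the anonymous call and the call with the shared `token`, so it cannot tell "any authenticated caller" apart from "caller with one of the roles that token carries". A request with a token that has no groups would show that authentication alone is enough. A request with a malformed or expired token would show that it is still answered with 401; both need fixtures defined outside this hunk. On style, the method lacks the Javadoc its neighbours have, `@Test()` can be `@Test`, and `queryParam("input", "hello")` is not read by `/endp/authenticated`.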
@@ -20,6 +20,8 @@
 import org.eclipse.microprofile.jwt.ClaimValue;
 import org.eclipse.microprofile.jwt.JsonWebToken;
+import io.quarkus.security.Authenticated;
+
 @Path("/endp")
 @DenyAll
 @RequestScoped
@@ -124,6 +126,16 @@ public String getReasonPhrase() {
 return response;
 }
+ @GET
+ @Path("/authenticated")
+ @Authenticated
+ public String checkAuthenticated(@Context SecurityContext sec) {
+ if (sec.getUserPrincipal() != null) {
+ return sec.getUserPrincipal().getName();
+ }
+ return "FAILED";
+ }
+
 @GET
 @Path("/getInjectedPrincipal")
 @RolesAllowed("Tester")
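Review bot: The `return "FAILED";` branch of `checkAuthenticated` can run only when the request reached the method without a principal, that is, when the `@Authenticated` filter was not enforced, and it then answers with a normal 200 body. A comment on that line, for example `// reachable only if @Authenticated was not enforced; the test asserts the principal name instead`, would tell readers it is a canary for the filter, not expected behaviour. Reading the principal once (`Principal p = sec.getUserPrincipal();`) would also remove the double call, provided `java.security.Principal` is imported, which this hunk does not show.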