Merge pull request quarkusio#10004 from jmartisk/master-issue-10001

Enable programmatic security in SmallRye GraphQL endpoints

extensions/smallrye-graphql/deployment/pom.xml

@@ -70,6 +70,16 @@
             <artifactId>quarkus-smallrye-opentracing</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-elytron-security</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-elytron-security-properties-file</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

extensions/smallrye-graphql/deployment/src/main/java/io/quarkus/smallrye/graphql/deployment/SmallRyeGraphQLProcessor.java

@@ -191,7 +191,9 @@ void buildEndpoints(
             BuildProducer<NotFoundPageDisplayableEndpointBuildItem> notFoundPageDisplayableEndpointProducer,
             LaunchModeBuildItem launchMode,
             SmallRyeGraphQLRecorder recorder,
-            ShutdownContextBuildItem shutdownContext) throws IOException {
+            ShutdownContextBuildItem shutdownContext,
+            BeanContainerBuildItem beanContainerBuildItem // don't remove this - makes sure beanContainer is initialized
+    ) {
 
         /*
          * <em>Ugly Hack</em>

extensions/smallrye-graphql/deployment/src/test/java/io/quarkus/smallrye/graphql/deployment/SecurityTest.java

@@ -0,0 +1,79 @@
+package io.quarkus.smallrye.graphql.deployment;
+
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.notNullValue;
+import static org.hamcrest.Matchers.nullValue;
+
+import javax.annotation.security.RolesAllowed;
+import javax.enterprise.context.ApplicationScoped;
+
+import org.eclipse.microprofile.graphql.GraphQLApi;
+import org.eclipse.microprofile.graphql.Query;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.EmptyAsset;
+import org.jboss.shrinkwrap.api.spec.JavaArchive;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+import io.restassured.RestAssured;
+import io.restassured.http.Header;
+
+public class SecurityTest extends AbstractGraphQLTest {
+
+    @RegisterExtension
+    static QuarkusUnitTest test = new QuarkusUnitTest()
+            .setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class)
+                    .addClass(SecuredApi.class)
+                    .addAsResource("application-secured.properties", "application.properties")
+                    .addAsResource("users.properties")
+                    .addAsResource("roles.properties")
+                    .addAsManifestResource(EmptyAsset.INSTANCE, "beans.xml"));
+
+    @Test
+    public void testAuthenticatedUser() {
+        String query = getPayload("{ foo }");
+        RestAssured.given()
+                .header(new Header("Authorization", "Basic ZGF2aWQ6cXdlcnR5MTIz"))
+                .body(query)
+                .contentType(MEDIATYPE_JSON)
+                .post("/graphql/")
+                .then()
+                .assertThat()
+                .body("errors", nullValue())
+                .body("data.foo", equalTo("foo"));
+    }
+
+    @Test
+    public void testUnauthorizedRole() {
+        String query = getPayload("{ bar }");
+        RestAssured.given()
+                .header(new Header("Authorization", "Basic ZGF2aWQ6cXdlcnR5MTIz"))
+                .body(query)
+                .contentType(MEDIATYPE_JSON)
+                .post("/graphql")
+                .then()
+                .assertThat()
+                .body("errors", notNullValue())
+                .body("data.bar", nullValue());
+    }
+
+    @GraphQLApi
+    @ApplicationScoped
+    public static class SecuredApi {
+
+        @Query
+        @RolesAllowed("fooRole")
+        public String foo() {
+            return "foo";
+        }
+
+        @Query
+        @RolesAllowed("barRole")
+        public String bar() {
+            return "bar";
+        }
+
+    }
+
+}

extensions/smallrye-graphql/deployment/src/test/resources/application-secured.properties

@@ -0,0 +1,5 @@
+quarkus.security.users.file.enabled=true
+quarkus.security.users.file.plain-text=true
+quarkus.security.users.file.users=users.properties
+quarkus.security.users.file.roles=roles.properties
+quarkus.http.auth.basic=true

extensions/smallrye-graphql/deployment/src/test/resources/roles.properties

@@ -0,0 +1 @@
+david=fooRole

extensions/smallrye-graphql/deployment/src/test/resources/users.properties

@@ -0,0 +1 @@
+david=qwerty123

extensions/smallrye-graphql/runtime/src/main/java/io/quarkus/smallrye/graphql/runtime/SmallRyeGraphQLExecutionHandler.java

@@ -13,6 +13,8 @@
 
 import io.quarkus.arc.Arc;
 import io.quarkus.arc.ManagedContext;
+import io.quarkus.security.identity.CurrentIdentityAssociation;
+import io.quarkus.vertx.http.runtime.security.QuarkusHttpUser;
 import io.smallrye.graphql.execution.ExecutionService;
 import io.vertx.core.Handler;
 import io.vertx.core.buffer.Buffer;
@@ -29,9 +31,11 @@ public class SmallRyeGraphQLExecutionHandler implements Handler<RoutingContext>
     private static final String QUERY = "query";
     private static final String OK = "OK";
     private volatile ExecutionService executionService;
+    private final CurrentIdentityAssociation currentIdentityAssociation;
 
-    public SmallRyeGraphQLExecutionHandler(boolean allowGet) {
+    public SmallRyeGraphQLExecutionHandler(boolean allowGet, CurrentIdentityAssociation currentIdentityAssociation) {
         this.allowGet = allowGet;
+        this.currentIdentityAssociation = currentIdentityAssociation;
     }
 
     @Override
@@ -50,6 +54,10 @@ public void handle(final RoutingContext ctx) {
     }
 
     private void doHandle(final RoutingContext ctx) {
+        if (currentIdentityAssociation != null) {
+            currentIdentityAssociation.setIdentity(QuarkusHttpUser.getSecurityIdentity(ctx, null));
+        }
+
         HttpServerRequest request = ctx.request();
         HttpServerResponse response = ctx.response();
 

extensions/smallrye-graphql/runtime/src/main/java/io/quarkus/smallrye/graphql/runtime/SmallRyeGraphQLRecorder.java

@@ -2,9 +2,13 @@
 
 import java.util.function.Supplier;
 
+import javax.enterprise.inject.Instance;
+import javax.enterprise.inject.spi.CDI;
+
 import io.quarkus.arc.runtime.BeanContainer;
 import io.quarkus.runtime.ShutdownContext;
 import io.quarkus.runtime.annotations.Recorder;
+import io.quarkus.security.identity.CurrentIdentityAssociation;
 import io.quarkus.smallrye.graphql.runtime.spi.QuarkusClassloadingService;
 import io.quarkus.vertx.http.runtime.ThreadLocalHandler;
 import io.smallrye.graphql.cdi.producer.GraphQLProducer;
@@ -24,7 +28,15 @@ public void createExecutionService(BeanContainer beanContainer, Schema schema) {
     }
 
     public Handler<RoutingContext> executionHandler(boolean allowGet) {
-        return new SmallRyeGraphQLExecutionHandler(allowGet);
+        Instance<CurrentIdentityAssociation> identityAssociations = CDI.current()
+                .select(CurrentIdentityAssociation.class);
+        CurrentIdentityAssociation association;
+        if (identityAssociations.isResolvable()) {
+            association = identityAssociations.get();
+        } else {
+            association = null;
+        }
+        return new SmallRyeGraphQLExecutionHandler(allowGet, association);
     }
 
     public Handler<RoutingContext> schemaHandler() {