diff --git a/extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/deployment/KeycloakPolicyEnforcerBuildStep.java b/extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/deployment/KeycloakPolicyEnforcerBuildStep.java index 18a959a7ff5f7..070128488a689 100644 --- a/extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/deployment/KeycloakPolicyEnforcerBuildStep.java +++ b/extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/deployment/KeycloakPolicyEnforcerBuildStep.java @@ -2,8 +2,10 @@ import java.util.Map; +import javax.inject.Singleton; + import io.quarkus.arc.deployment.AdditionalBeanBuildItem; -import io.quarkus.arc.deployment.BeanContainerBuildItem; +import io.quarkus.arc.deployment.SyntheticBeanBuildItem; import io.quarkus.deployment.Feature; import io.quarkus.deployment.annotations.BuildStep; import io.quarkus.deployment.annotations.ExecutionTime; @@ -12,6 +14,7 @@ import io.quarkus.deployment.builditem.FeatureBuildItem; import io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer; import io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerConfig; +import io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerConfigBean; import io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerRecorder; import io.quarkus.oidc.runtime.OidcBuildTimeConfig; import io.quarkus.oidc.runtime.OidcConfig; @@ -72,11 +75,18 @@ ExtensionSslNativeSupportBuildItem enableSslInNative() { @Record(ExecutionTime.RUNTIME_INIT) @BuildStep - public void setup(OidcBuildTimeConfig oidcBuildTimeConfig, OidcConfig oidcRunTimeConfig, TlsConfig tlsConfig, - KeycloakPolicyEnforcerConfig keycloakConfig, KeycloakPolicyEnforcerRecorder recorder, BeanContainerBuildItem bc, + public SyntheticBeanBuildItem setup(OidcBuildTimeConfig oidcBuildTimeConfig, OidcConfig oidcRunTimeConfig, + TlsConfig tlsConfig, + KeycloakPolicyEnforcerConfig keycloakConfig, KeycloakPolicyEnforcerRecorder recorder, HttpConfiguration httpConfiguration) { if (oidcBuildTimeConfig.enabled && keycloakConfig.policyEnforcer.enable) { - recorder.setup(oidcRunTimeConfig, keycloakConfig, tlsConfig, bc.getValue(), httpConfiguration); + return SyntheticBeanBuildItem.configure(KeycloakPolicyEnforcerConfigBean.class).unremovable() + .types(KeycloakPolicyEnforcerConfigBean.class) + .supplier(recorder.setup(oidcRunTimeConfig, keycloakConfig, tlsConfig, httpConfiguration)) + .scope(Singleton.class) + .setRuntimeInit() + .done(); } + return null; } } diff --git a/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.java b/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.java index 5c9bafafe9073..e7a6f79ff1241 100644 --- a/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.java +++ b/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.java @@ -8,9 +8,10 @@ import java.util.function.Function; import java.util.stream.Collectors; +import javax.annotation.PostConstruct; +import javax.inject.Inject; import javax.inject.Singleton; -import org.jboss.logging.Logger; import org.keycloak.AuthorizationContext; import org.keycloak.adapters.KeycloakDeploymentBuilder; import org.keycloak.adapters.authorization.KeycloakAdapterPolicyEnforcer; @@ -20,12 +21,8 @@ import io.quarkus.oidc.OidcTenantConfig; import io.quarkus.oidc.common.runtime.OidcCommonConfig.Tls.Verification; -import io.quarkus.oidc.runtime.OidcConfig; -import io.quarkus.runtime.TlsConfig; -import io.quarkus.security.AuthenticationFailedException; import io.quarkus.security.identity.SecurityIdentity; import io.quarkus.security.runtime.QuarkusSecurityIdentity; -import io.quarkus.vertx.http.runtime.HttpConfiguration; import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy; import io.smallrye.mutiny.Uni; import io.vertx.ext.web.RoutingContext; @@ -33,10 +30,10 @@ @Singleton public class KeycloakPolicyEnforcerAuthorizer implements HttpSecurityPolicy, BiFunction { - private static final Logger LOG = Logger.getLogger(KeycloakPolicyEnforcerAuthorizer.class); - private volatile KeycloakAdapterPolicyEnforcer delegate; - private volatile long readTimeout; + @Inject + KeycloakPolicyEnforcerConfigBean configBean; + private KeycloakAdapterPolicyEnforcer delegate; @Override public Uni checkPermission(RoutingContext request, Uni identity, @@ -46,12 +43,8 @@ public Uni checkPermission(RoutingContext request, Uni apply(Permission permission) { }).build(); } - public void init(OidcConfig oidcConfig, KeycloakPolicyEnforcerConfig config, TlsConfig tlsConfig, - HttpConfiguration httpConfiguration) { + @PostConstruct + public void init() { AdapterConfig adapterConfig = new AdapterConfig(); - String authServerUrl = oidcConfig.defaultTenant.getAuthServerUrl().get(); + String authServerUrl = configBean.oidcConfig.defaultTenant.getAuthServerUrl().get(); try { adapterConfig.setRealm(authServerUrl.substring(authServerUrl.lastIndexOf('/') + 1)); @@ -111,22 +104,24 @@ public void init(OidcConfig oidcConfig, KeycloakPolicyEnforcerConfig config, Tls throw new RuntimeException("Failed to parse the realm name.", cause); } - adapterConfig.setResource(oidcConfig.defaultTenant.getClientId().get()); - adapterConfig.setCredentials(getCredentials(oidcConfig.defaultTenant)); + adapterConfig.setResource(configBean.oidcConfig.defaultTenant.getClientId().get()); + adapterConfig.setCredentials(getCredentials(configBean.oidcConfig.defaultTenant)); - boolean trustAll = oidcConfig.defaultTenant.tls.getVerification().isPresent() - ? oidcConfig.defaultTenant.tls.getVerification().get() == Verification.NONE - : tlsConfig.trustAll; + boolean trustAll = configBean.oidcConfig.defaultTenant.tls.getVerification().isPresent() + ? configBean.oidcConfig.defaultTenant.tls.getVerification().get() == Verification.NONE + : configBean.tlsConfig.trustAll; if (trustAll) { adapterConfig.setDisableTrustManager(true); adapterConfig.setAllowAnyHostname(true); } - if (oidcConfig.defaultTenant.proxy.host.isPresent()) { - adapterConfig.setProxyUrl(oidcConfig.defaultTenant.proxy.host.get() + ":" + oidcConfig.defaultTenant.proxy.port); + if (configBean.oidcConfig.defaultTenant.proxy.host.isPresent()) { + adapterConfig.setProxyUrl(configBean.oidcConfig.defaultTenant.proxy.host.get() + ":" + + configBean.oidcConfig.defaultTenant.proxy.port); } - PolicyEnforcerConfig enforcerConfig = getPolicyEnforcerConfig(config, adapterConfig); + PolicyEnforcerConfig enforcerConfig = getPolicyEnforcerConfig(configBean.keycloakPolicyEnforcerConfig, + adapterConfig); if (enforcerConfig == null) { return; @@ -134,7 +129,6 @@ public void init(OidcConfig oidcConfig, KeycloakPolicyEnforcerConfig config, Tls adapterConfig.setPolicyEnforcerConfig(enforcerConfig); - this.readTimeout = httpConfiguration.readTimeout.toMillis(); this.delegate = new KeycloakAdapterPolicyEnforcer( new PolicyEnforcer(KeycloakDeploymentBuilder.build(adapterConfig), adapterConfig)); } diff --git a/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerConfigBean.java b/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerConfigBean.java new file mode 100644 index 0000000000000..0dbb1217c6239 --- /dev/null +++ b/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerConfigBean.java @@ -0,0 +1,22 @@ +package io.quarkus.keycloak.pep.runtime; + +import io.quarkus.oidc.runtime.OidcConfig; +import io.quarkus.runtime.TlsConfig; +import io.quarkus.vertx.http.runtime.HttpConfiguration; + +public class KeycloakPolicyEnforcerConfigBean { + + final OidcConfig oidcConfig; + final KeycloakPolicyEnforcerConfig keycloakPolicyEnforcerConfig; + final TlsConfig tlsConfig; + final HttpConfiguration httpConfiguration; + + public KeycloakPolicyEnforcerConfigBean(OidcConfig oidcConfig, KeycloakPolicyEnforcerConfig keycloakPolicyEnforcerConfig, + TlsConfig tlsConfig, + HttpConfiguration httpConfiguration) { + this.oidcConfig = oidcConfig; + this.keycloakPolicyEnforcerConfig = keycloakPolicyEnforcerConfig; + this.tlsConfig = tlsConfig; + this.httpConfiguration = httpConfiguration; + } +} diff --git a/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerRecorder.java b/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerRecorder.java index 23037ec5bc072..712995e8015a1 100644 --- a/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerRecorder.java +++ b/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerRecorder.java @@ -1,6 +1,7 @@ package io.quarkus.keycloak.pep.runtime; -import io.quarkus.arc.runtime.BeanContainer; +import java.util.function.Supplier; + import io.quarkus.oidc.OIDCException; import io.quarkus.oidc.OidcTenantConfig; import io.quarkus.oidc.runtime.OidcConfig; @@ -11,12 +12,16 @@ @Recorder public class KeycloakPolicyEnforcerRecorder { - public void setup(OidcConfig oidcConfig, KeycloakPolicyEnforcerConfig config, TlsConfig tlsConfig, - BeanContainer beanContainer, - HttpConfiguration httpConfiguration) { + public Supplier setup(OidcConfig oidcConfig, KeycloakPolicyEnforcerConfig config, + TlsConfig tlsConfig, HttpConfiguration httpConfiguration) { if (oidcConfig.defaultTenant.applicationType == OidcTenantConfig.ApplicationType.WEB_APP) { throw new OIDCException("Application type [" + oidcConfig.defaultTenant.applicationType + "] is not supported"); } - beanContainer.instance(KeycloakPolicyEnforcerAuthorizer.class).init(oidcConfig, config, tlsConfig, httpConfiguration); + return new Supplier() { + @Override + public KeycloakPolicyEnforcerConfigBean get() { + return new KeycloakPolicyEnforcerConfigBean(oidcConfig, config, tlsConfig, httpConfiguration); + } + }; } }