-
Notifications
You must be signed in to change notification settings - Fork 2.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix mixing @testsecurity with HTTP request credentials
- Loading branch information
1 parent
4e2000c
commit f81a1ee
Showing
9 changed files
with
190 additions
and
16 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
13 changes: 13 additions & 0 deletions
13
...urity/src/main/java/io/quarkus/test/security/FallbackTestHttpAuthenticationMechanism.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
package io.quarkus.test.security; | ||
|
||
import jakarta.enterprise.context.ApplicationScoped; | ||
|
||
/** | ||
* This test mechanism is fallback when no other mechanism manages to authenticate. | ||
* When the test method is annotated with the {@link TestSecurity} annotation, | ||
* users can still send credentials inside HTTP request and the credentials will have priority. | ||
*/ | ||
@ApplicationScoped | ||
public class FallbackTestHttpAuthenticationMechanism extends AbstractTestHttpAuthenticationMechanism { | ||
|
||
} |
60 changes: 60 additions & 0 deletions
60
...rity/src/main/java/io/quarkus/test/security/PathBasedTestHttpAuthenticationMechanism.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
package io.quarkus.test.security; | ||
|
||
import static io.netty.handler.codec.http.HttpHeaderNames.AUTHORIZATION; | ||
|
||
import jakarta.enterprise.context.ApplicationScoped; | ||
|
||
import io.quarkus.security.identity.IdentityProviderManager; | ||
import io.quarkus.security.identity.SecurityIdentity; | ||
import io.smallrye.mutiny.Uni; | ||
import io.vertx.core.http.Cookie; | ||
import io.vertx.ext.web.RoutingContext; | ||
|
||
/** | ||
* When authentication mechanism is selected with the {@link TestSecurity#authMechanism()} annotation attribute, | ||
* we must be sure that the test mechanism is primary identity provider for that authentication type. | ||
* <p> | ||
* For example when a test method is annotated with `@TestSecurity(authMechanism = "basic")`, | ||
* we want to be the ones providing basic authentication when no authorization headers are present, | ||
* and not the {@link io.quarkus.vertx.http.runtime.security.BasicAuthenticationMechanism} mechanism. | ||
* This test mechanism must exist because when a path-specific authentication mechanism is selected, | ||
* for example via {@link io.quarkus.vertx.http.runtime.security.annotation.BasicAuthentication}, | ||
* it is also required and therefore exactly one mechanism is enforced. | ||
*/ | ||
@ApplicationScoped | ||
public class PathBasedTestHttpAuthenticationMechanism extends AbstractTestHttpAuthenticationMechanism { | ||
|
||
@Override | ||
public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) { | ||
if (authMechanism != null && requestNotAuthenticated(context)) { | ||
// return the SecurityIdentity defined via @TestSecurity | ||
return super.authenticate(context, identityProviderManager); | ||
} | ||
// do not authenticate - give a change to other mechanisms | ||
return Uni.createFrom().nullItem(); | ||
} | ||
|
||
@Override | ||
public int getPriority() { | ||
return 3000; | ||
} | ||
|
||
private static boolean requestNotAuthenticated(RoutingContext context) { | ||
// on a best-effort basis try to guess whether incoming request is authorized | ||
return context.request().getHeader(AUTHORIZATION) == null | ||
&& !hasOidcSessionCookieCandidate(context); | ||
} | ||
|
||
private static boolean hasOidcSessionCookieCandidate(RoutingContext context) { | ||
if (context.request().cookies() == null) { | ||
return false; | ||
} | ||
for (Cookie cookie : context.request().cookies()) { | ||
if (cookie.getName() != null && cookie.getName().startsWith("q_session")) { | ||
// there is a possibility this is an OIDC session cookie | ||
return true; | ||
} | ||
} | ||
return false; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters