forked from quarkusio/quarkus
Support for @PermissionsAllowed meta-annotations
1 parent
3e728b9
commit 76057e0
Showing
23 changed files
with
879 additions
and
32 deletions.
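--- a/...c/resteasy/deployment/src/test/java/io/quarkus/resteasy/test/security/CreateOrUpdate.java
+++ b/...c/resteasy/deployment/src/test/java/io/quarkus/resteasy/test/security/CreateOrUpdate.java
@@ -0,0 +1,16 @@
+package io.quarkus.resteasy.test.security;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import io.quarkus.security.PermissionsAllowed;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ ElementType.METHOD, ElementType.TYPE })
+@PermissionsAllowed(value = "farewell", permission = CustomPermissionWithExtraArgs.class, params = { "goodbye", "toWhom", "day",
+"place" })
+public @interface CreateOrUpdate {
+
+}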
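Review bot: Both `CreateOrUpdate` and `StringPermissionsAllowedMetaAnnotation` declare `ElementType.TYPE` in `@Target`, but `PermissionsAllowedResource` in this commit applies them only to methods, so class-level resolution of a meta-annotation is not exercised by the files visible here (other files in the commit may cover it). For `CreateOrUpdate` this matters because the `params` entries appear to name arguments of the secured method, so a class-level use would need every secured method to expose `goodbye`, `toWhom`, `day` and `place`. The annotation name also gives no hint of the permission it carries; I would add a short Javadoc such as `/** Test fixture: requires the "farewell" CustomPermissionWithExtraArgs built from the annotated method's goodbye, toWhom, day and place arguments. */`.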
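--- a/...oyment/src/test/java/io/quarkus/resteasy/test/security/CustomPermissionWithExtraArgs.java
+++ b/...oyment/src/test/java/io/quarkus/resteasy/test/security/CustomPermissionWithExtraArgs.java
@@ -0,0 +1,51 @@
+package io.quarkus.resteasy.test.security;
+
+import java.security.Permission;
+import java.util.Objects;
+
+public class CustomPermissionWithExtraArgs extends Permission {
+
+private final String permName;
+private final String goodbye;
+private final String toWhom;
+private final int day;
+private final String place;
+
+public CustomPermissionWithExtraArgs(String permName, String goodbye, String toWhom, int day, String place) {
+super(permName);
+this.permName = permName;
+this.goodbye = goodbye;
+this.toWhom = toWhom;
+this.day = day;
+this.place = place;
+}
+
+@Override
+public boolean implies(Permission permission) {
+if (permission instanceof CustomPermissionWithExtraArgs) {
+return permission.equals(this);
+}
+return false;
+}
+
+@Override
+public String getActions() {
+return null;
+}
+
+@Override
+public boolean equals(Object o) {
+if (this == o)
+return true;
+if (o == null || getClass() != o.getClass())
+return false;
+CustomPermissionWithExtraArgs that = (CustomPermissionWithExtraArgs) o;
+return day == that.day && Objects.equals(permName, that.permName) && Objects.equals(goodbye, that.goodbye)
+&& Objects.equals(toWhom, that.toWhom) && Objects.equals(place, that.place);
+}
+
+@Override
+public int hashCode() {
+return Objects.hash(permName, goodbye, toWhom, day, place);
+}
+}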
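Review bot: The `permName` field duplicates the name already stored by `super(permName)`; `equals` and `hashCode` could use `getName()` and the extra field could be dropped. `implies` grants only when all five values are equal, and it tests `instanceof` while `equals` compares `getClass()`, so a subclass instance passes the first check and is then rejected by the second. A one-line comment above `implies`, such as `// exact match on name and every argument; no wildcard or subclass matching`, would make that intent explicit for anyone who copies this fixture into real authorization code.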
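--- a/...eployment/src/test/java/io/quarkus/resteasy/test/security/PermissionsAllowedResource.java
+++ b/...eployment/src/test/java/io/quarkus/resteasy/test/security/PermissionsAllowedResource.java
@@ -0,0 +1,27 @@
+package io.quarkus.resteasy.test.security;
+
+import jakarta.ws.rs.CookieParam;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.HeaderParam;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+
+@Path("/permissions")
+public class PermissionsAllowedResource {
+
+@Path("/string-meta-annotation")
+@StringPermissionsAllowedMetaAnnotation
+@GET
+public String stringMetaAnnotation() {
+return "admin";
+}
+
+@CreateOrUpdate
+@Path("/custom-perm-with-args-meta-annotation/{goodbye}")
+@POST
+public String farewellMetaAnnotation(@PathParam("goodbye") String goodbye, @HeaderParam("toWhom") String toWhom,
+@CookieParam("day") int day, String place) {
+return String.join(" ", new String[] { goodbye, toWhom, Integer.toString(day), place });
+}
+}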
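Review bot: `farewellMetaAnnotation` feeds four client-controlled inputs (path segment, header, cookie and the unannotated entity body `place`) into the permission check, and nothing in the class says so. A comment on the method such as `// place is the request body; all four arguments are handed to CustomPermissionWithExtraArgs through @CreateOrUpdate` would help readers. `@CookieParam("day") int day` is a primitive, so a request without the cookie is presumably bound to `0` rather than rejected, which is worth keeping in mind when choosing test values for `day`. The return can pass varargs directly: `return String.join(" ", goodbye, toWhom, Integer.toString(day), place);`.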
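--- a/...sy/deployment/src/test/java/io/quarkus/resteasy/test/security/PermissionsAllowedTest.java
+++ b/...sy/deployment/src/test/java/io/quarkus/resteasy/test/security/PermissionsAllowedTest.java
@@ -0,0 +1,68 @@
+package io.quarkus.resteasy.test.security;
+
+import org.hamcrest.Matchers;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.security.StringPermission;
+import io.quarkus.security.test.utils.TestIdentityController;
+import io.quarkus.security.test.utils.TestIdentityProvider;
+import io.quarkus.test.QuarkusUnitTest;
+import io.restassured.RestAssured;
+import io.restassured.response.ValidatableResponse;
+
+public class PermissionsAllowedTest {
+@RegisterExtension
+static QuarkusUnitTest runner = new QuarkusUnitTest()
+.withApplicationRoot((jar) -> jar
+.addClasses(PermissionsAllowedResource.class, TestIdentityProvider.class, TestIdentityController.class,
+StringPermissionsAllowedMetaAnnotation.class, CustomPermissionWithExtraArgs.class,
+CreateOrUpdate.class));
+
+@BeforeAll
+public static void setupUsers() {
+TestIdentityController.resetRoles()
+.add("admin", "admin", new StringPermission("create"), new StringPermission("update"),
+new CustomPermissionWithExtraArgs("farewell", "so long", "Nelson", 3, "Ostrava"))
+.add("user", "user", new StringPermission("create"),
+new CustomPermissionWithExtraArgs("farewell", "so long", "Nelson", 3, "Prague"))
+.add("viewer", "viewer");
+}
+
+@Test
+public void testPermissionsAllowedMetaAnnotation_StringPermissions() {
+RestAssured.get("/permissions/string-meta-annotation").then().statusCode(401);
+RestAssured.given().auth().basic("user", "user").get("/permissions/string-meta-annotation").then().statusCode(403);
+RestAssured.given().auth().basic("admin", "admin").get("/permissions/string-meta-annotation").then().statusCode(200);
+}
+
+@Test
+public void testPermissionsAllowedMetaAnnotation_CustomPermissionsWithArgs() {
+// === explicitly marked method params && blocking endpoint
+// admin has permission with place 'Ostrava'
+reqExplicitlyMarkedExtraArgs_MetaAnnotation("admin", "Ostrava")
+.statusCode(200)
+.body(Matchers.equalTo("so long Nelson 3 Ostrava"));
+// user has permission with place 'Prague'
+reqExplicitlyMarkedExtraArgs_MetaAnnotation("user", "Prague")
+.statusCode(200)
+.body(Matchers.equalTo("so long Nelson 3 Prague"));
+// user doesn't have permission with place 'Ostrava'
+reqExplicitlyMarkedExtraArgs_MetaAnnotation("user", "Ostrava")
+.statusCode(403);
+// viewer has no permission
+reqExplicitlyMarkedExtraArgs_MetaAnnotation("viewer", "Ostrava")
+.statusCode(403);
+}
+
+private static ValidatableResponse reqExplicitlyMarkedExtraArgs_MetaAnnotation(String user, String place) {
+return RestAssured.given()
+.auth().basic(user, user)
+.pathParam("goodbye", "so long")
+.header("toWhom", "Nelson")
+.cookie("day", 3)
+.body(place)
+.post("/permissions/custom-perm-with-args-meta-annotation/{goodbye}").then();
+}
+}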
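Review bot: `testPermissionsAllowedMetaAnnotation_CustomPermissionsWithArgs` varies only `place`, so a regression in which the meta-annotation path drops or misorders `goodbye`, `toWhom` or `day` when building the permission would still pass. The helper `reqExplicitlyMarkedExtraArgs_MetaAnnotation` hard-codes those three values; an overload that takes all of them, plus one 403 assertion per mismatched argument, would pin each binding. Unlike the string-permission test, there is also no anonymous request asserting 401 on the POST endpoint. The values in the sketch below are constructed examples.

```java
    // … unchanged: the four existing place-based assertions …
    // one mismatch per remaining argument; admin holds ("so long", "Nelson", 3, "Ostrava")
    reqExplicitlyMarkedExtraArgs_MetaAnnotation("admin", "bye", "Nelson", 3, "Ostrava").statusCode(403);
    reqExplicitlyMarkedExtraArgs_MetaAnnotation("admin", "so long", "Horatio", 3, "Ostrava").statusCode(403);
    reqExplicitlyMarkedExtraArgs_MetaAnnotation("admin", "so long", "Nelson", 4, "Ostrava").statusCode(403);
}

private static ValidatableResponse reqExplicitlyMarkedExtraArgs_MetaAnnotation(String user, String place) {
    return reqExplicitlyMarkedExtraArgs_MetaAnnotation(user, "so long", "Nelson", 3, place);
}

private static ValidatableResponse reqExplicitlyMarkedExtraArgs_MetaAnnotation(String user, String goodbye,
        String toWhom, int day, String place) {
    return RestAssured.given()
            .auth().basic(user, user)
            .pathParam("goodbye", goodbye)
            .header("toWhom", toWhom)
            .cookie("day", day)
            .body(place)
            .post("/permissions/custom-perm-with-args-meta-annotation/{goodbye}").then();
}
```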
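--- a/...c/test/java/io/quarkus/resteasy/test/security/StringPermissionsAllowedMetaAnnotation.java
+++ b/...c/test/java/io/quarkus/resteasy/test/security/StringPermissionsAllowedMetaAnnotation.java
@@ -0,0 +1,15 @@
+package io.quarkus.resteasy.test.security;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import io.quarkus.security.PermissionsAllowed;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ ElementType.METHOD, ElementType.TYPE })
+@PermissionsAllowed(value = { "create", "update" }, inclusive = true)
+public @interface StringPermissionsAllowedMetaAnnotation {
+
+}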