quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

TestSecurity#permissions using SecurityIdentityAugmentor only work with proactive auth #44479

Open cmasantos opened 1 day ago

cmasantos commented 1 day ago

Description

Hello,

The TestSecurity#permissions method says that "If you need to test custom permissions, you can add them with io.quarkus.security.identity.SecurityIdentityAugmentor." But when we use it with a custom annotation like the following example, that permission does not get invoked.

Example:

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.MediaType;

import io.quarkus.security.PermissionsAllowed;

@Path("/hello")
public class GreetingResource {

    // Guarded by a custom Permission class: Quarkus builds a
    // CustomPermission("myPermission", user) for the call, passing the
    // secured method's "user" parameter to the constructor by name, and
    // checks it against the current SecurityIdentity.
    @PermissionsAllowed(
        value = "myPermission",
        permission = CustomPermission.class
    )
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String hello(@QueryParam("user") String user) {
        return "Hello from Quarkus REST " + user;
    }

}

with custom permission:

import java.security.BasicPermission;
import java.security.Permission;

public class CustomPermission extends BasicPermission {

    private final String user;

    // "name" is the permission name from the annotation ("myPermission"),
    // "user" is the secured method's parameter of the same name.
    public CustomPermission(String name, String user) {
        super(name);
        this.user = user;
    }

    // Deliberately permissive: the reproducer only needs to show whether
    // this method is reached at all. A real check would compare the
    // required permission with this one instead of returning true.
    @Override
    public boolean implies(Permission p) {
        System.out.println("Checking permission for user: " + user);
        return true;
    }
}

then on the test:

import static io.restassured.RestAssured.given;
import static org.hamcrest.CoreMatchers.is;

import org.junit.jupiter.api.Test;

import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.security.TestSecurity;

@QuarkusTest
class GreetingResourceTest {

    @Test
    // Authenticated test identity "admin" holding the string permission "myPermission"
    @TestSecurity(user = "admin", permissions = {"myPermission"})
    void testHelloEndpoint() {
        given()
          // the resource echoes the "user" query parameter, so send one
          .queryParam("user", "admin")
          .when().get("/hello")
          .then()
             .statusCode(200)
             .body(is("Hello from Quarkus REST admin"));
    }

}

it ends up in a 403 (Quarkus 3.16.2).

If we try to use the SecurityIdentityAugmentor it will not have any different effect; the identity will be anonymous and no permission will get called.

Implementation ideas

No response
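For reference, this is the shape of the SecurityIdentityAugmentor the TestSecurity#permissions javadoc points at. It is an added illustration, not code from the reporter or from Quarkus: it assumes the CustomPermission class from the report above and grants it only to a principal named "admin" (an assumed rule). Whether such an augmentor is actually applied to a @TestSecurity identity without proactive authentication is exactly what this issue is about, so the example shows the mechanism, not a fix. The CustomPermission instance registered here is what Quarkus asks implies() on, against the CustomPermission it builds from the @PermissionsAllowed annotation.

```java
package org.acme;

import jakarta.enterprise.context.ApplicationScoped;

import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.SecurityIdentityAugmentor;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.mutiny.Uni;

/**
 * Added example (not the reporter's or the project's code).
 * Attaches a CustomPermission to the authenticated identity so that
 * a @PermissionsAllowed(value = "myPermission", permission = CustomPermission.class)
 * check calls CustomPermission.implies() at request time.
 *
 * Assumed policy: only the principal "admin" receives "myPermission".
 */
@ApplicationScoped
public class CustomPermissionAugmentor implements SecurityIdentityAugmentor {

    private static final String PERMISSION_NAME = "myPermission"; // matches the reproducer
    private static final String GRANTED_USER = "admin";           // assumed principal

    @Override
    public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRequestContext context) {
        // Never attach permissions to an anonymous identity: a 403 there is the correct outcome.
        if (identity.isAnonymous()) {
            return Uni.createFrom().item(identity);
        }
        if (!GRANTED_USER.equals(identity.getPrincipal().getName())) {
            // Unknown user: leave the identity as it is, the check will be denied.
            return Uni.createFrom().item(identity);
        }
        // The possessed permission. Quarkus calls possessed.implies(required) when the
        // endpoint's CustomPermission is checked; the reproducer's implies() returns true.
        CustomPermission possessed = new CustomPermission(PERMISSION_NAME, identity.getPrincipal().getName());
        SecurityIdentity augmented = QuarkusSecurityIdentity.builder(identity)
                .addPermission(possessed)
                .build();
        return Uni.createFrom().item(augmented);
    }
}
```

Per the issue title, this augmentor is only reached for a @TestSecurity identity when proactive authentication (quarkus.http.auth.proactive=true) is enabled; with lazy authentication the maintainer's reply below explains that the augmentor is not applied at all.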

quarkus-bot[bot] commented 1 day ago

/cc @sberyozkin (security)

michalvavrik commented 1 day ago

To clarify the situation with "TestSecurity#permissions using SecurityIdentityAugmentor only work with proactive auth": TestSecurity#permissions works, but it sets string permissions. So the issue I can see is that your augmentor is not applied.

Internally, it may require radical changes, as we basically need to drop TestIdentityAssociation or apply augmentors in there (which feels wrong). I'll have to try it. Thanks