Add suport for basic auth token propagation

Signed-off-by: gabriel-farache <[email protected]>

Author: gabriel-farache

client/runtime/src/main/java/io/quarkiverse/openapi/generator/AuthConfig.java

@@ -1,14 +1,14 @@
 package io.quarkiverse.openapi.generator;
 
-import java.util.Map;
-import java.util.Optional;
-
 import io.quarkiverse.openapi.generator.providers.ApiKeyAuthenticationProvider;
 import io.quarkiverse.openapi.generator.providers.BasicAuthenticationProvider;
 import io.quarkiverse.openapi.generator.providers.BearerAuthenticationProvider;
 import io.quarkus.runtime.annotations.ConfigGroup;
 import io.quarkus.runtime.annotations.ConfigItem;
 
+import java.util.Map;
+import java.util.Optional;
+
 /**
  * This class represents the runtime authentication related configuration for an individual securityScheme present
  * on an OpenApi spec definition, i.e. the provided files.

client/runtime/src/main/java/io/quarkiverse/openapi/generator/providers/AbstractAuthProvider.java

@@ -17,6 +17,8 @@
 public abstract class AbstractAuthProvider implements AuthProvider {
 
     private static final String BEARER_WITH_SPACE = "Bearer ";
+    private static final String BASIC_WITH_SPACE = "Basic ";
+
     private static final String CANONICAL_AUTH_CONFIG_PROPERTY_NAME = "quarkus." + RUNTIME_TIME_CONFIG_PREFIX
             + ".%s.auth.%s.%s";
 
@@ -37,6 +39,13 @@ protected static String sanitizeBearerToken(String token) {
         return token;
     }
 
+    protected static String sanitizeBasicToken(String token) {
+        if (token != null && token.toLowerCase().startsWith(BASIC_WITH_SPACE.toLowerCase())) {
+            return token.substring(BASIC_WITH_SPACE.length());
+        }
+        return token;
+    }
+
     public String getOpenApiSpecId() {
         return openApiSpecId;
     }

client/runtime/src/main/java/io/quarkiverse/openapi/generator/providers/AuthUtils.java

@@ -10,10 +10,14 @@ public final class AuthUtils {
     private AuthUtils() {
     }
 
-    public static String basicAuthAccessToken(final String username, final String password) {
+    public static String basicAuthAccessTokenWithoutPrefix(final String username, final String password) {
+        return Base64.getEncoder().encodeToString(String.format("%s:%s", username, password).getBytes());
+    }
+
+    public static String basicAuthAccessToken(final String basicToken) {
         return String.format("%s %s",
                 BASIC_HEADER_PREFIX,
-                Base64.getEncoder().encodeToString(String.format("%s:%s", username, password).getBytes()));
+                basicToken);
     }
 
     public static String authTokenOrBearer(final String scheme, final String token) {

client/runtime/src/main/java/io/quarkiverse/openapi/generator/providers/BasicAuthenticationProvider.java

@@ -11,20 +11,22 @@
 import org.eclipse.microprofile.config.ConfigProvider;
 
 import io.quarkiverse.openapi.generator.OpenApiGeneratorException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Provider for Basic Authentication.
  * Username and password should be read by generated configuration properties, which is only known after openapi spec processing
  * during build time.
  */
 public class BasicAuthenticationProvider extends AbstractAuthProvider {
+    private static final Logger LOGGER = LoggerFactory.getLogger(BasicAuthenticationProvider.class);
 
     static final String USER_NAME = "username";
     static final String PASSWORD = "password";
 
     public BasicAuthenticationProvider(final String openApiSpecId, String name, List<OperationAuthInfo> operations) {
         super(name, openApiSpecId, operations);
-        validateConfig();
     }
 
     private String getUsername() {
@@ -39,18 +41,18 @@ private String getPassword() {
 
     @Override
     public void filter(ClientRequestContext requestContext) throws IOException {
-        requestContext.getHeaders().add(HttpHeaders.AUTHORIZATION,
-                AuthUtils.basicAuthAccessToken(getUsername(), getPassword()));
-    }
-
-    private void validateConfig() {
+        String basicToken;
         if (isTokenPropagation()) {
-            throw new OpenApiGeneratorException(
-                    "Token propagation is not admitted for the OpenApi securitySchemes of \"type\": \"http\", \"scheme\": \"basic\"."
-                            +
-                            " A potential source of the problem might be that the configuration property " +
-                            getCanonicalAuthConfigPropertyName(TOKEN_PROPAGATION) +
-                            " was set with the value true in your application, please check your configuration.");
+            LOGGER.warn("Token propagation enabled for BasicAuthentication");
+            basicToken = getTokenForPropagation(requestContext.getHeaders());
+            basicToken = sanitizeBasicToken(basicToken);
+        } else {
+            basicToken = AuthUtils.basicAuthAccessTokenWithoutPrefix(getUsername(), getPassword());
         }
+        if (!basicToken.isBlank()) {
+            requestContext.getHeaders().add(HttpHeaders.AUTHORIZATION,
+                    AuthUtils.basicAuthAccessToken(basicToken));
+        }
+
     }
 }

client/runtime/src/test/java/io/quarkiverse/openapi/generator/providers/BasicOpenApiSpecProviderTest.java

@@ -1,28 +1,37 @@
 package io.quarkiverse.openapi.generator.providers;
 
+import static io.quarkiverse.openapi.generator.providers.AbstractAuthenticationPropagationHeadersFactory.propagationHeaderName;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.Mockito.when;
 
 import java.io.IOException;
 import java.util.Base64;
 import java.util.List;
 import java.util.Optional;
+import java.util.stream.Stream;
 
 import jakarta.ws.rs.core.HttpHeaders;
 
 import org.eclipse.microprofile.config.Config;
 import org.eclipse.microprofile.config.ConfigProvider;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 
 import io.quarkiverse.openapi.generator.AuthConfig;
 
 class BasicOpenApiSpecProviderTest extends AbstractOpenApiSpecProviderTest<BasicAuthenticationProvider> {
 
+    private static final String PROPAGATED_TOKEN = "PROPAGATED_TOKEN";
     private static final String USER = "USER";
     private static final String PASSWORD = "PASSWORD";
 
+    private static final String CUSTOM_SCHEMA = "custom_scheme";
+    private static final String HEADER_NAME = "HEADER_NAME";
+
     private static final String EXPECTED_BASIC_TOKEN = "Basic "
             + Base64.getEncoder().encodeToString((USER + ":" + PASSWORD).getBytes());
 
@@ -33,22 +42,43 @@ protected BasicAuthenticationProvider createProvider() {
 
     @Test
     void filter() throws IOException {
+        filter(EXPECTED_BASIC_TOKEN);
+    }
+
+    private void filter(String expectedAuthorizationHeader) throws IOException {
         provider.filter(requestContext);
-        assertHeader(requestContext.getHeaders(), HttpHeaders.AUTHORIZATION, EXPECTED_BASIC_TOKEN);
+        assertHeader(requestContext.getHeaders(), HttpHeaders.AUTHORIZATION, expectedAuthorizationHeader);
     }
 
-    @Test
-    void tokenPropagationNotSupported() {
+    @ParameterizedTest
+    @MethodSource("filterWithPropagationTestValues")
+    void filterWithPropagation(String headerName,
+            String expectedAuthorizationHeader) throws IOException {
+        String propagatedHeaderName;
+        if (headerName == null) {
+            propagatedHeaderName = propagationHeaderName(OPEN_API_FILE_SPEC_ID, AUTH_SCHEME_NAME,
+                    HttpHeaders.AUTHORIZATION);
+        } else {
+            propagatedHeaderName = propagationHeaderName(OPEN_API_FILE_SPEC_ID, AUTH_SCHEME_NAME,
+                    HEADER_NAME);
+        }
         try (MockedStatic<ConfigProvider> configProviderMocked = Mockito.mockStatic(ConfigProvider.class)) {
             Config mockedConfig = Mockito.mock(Config.class);
             configProviderMocked.when(ConfigProvider::getConfig).thenReturn(mockedConfig);
+
             when(mockedConfig.getOptionalValue(provider.getCanonicalAuthConfigPropertyName(AuthConfig.TOKEN_PROPAGATION),
                     Boolean.class)).thenReturn(Optional.of(true));
+            when(mockedConfig.getOptionalValue(provider.getCanonicalAuthConfigPropertyName(AuthConfig.HEADER_NAME),
+                    String.class)).thenReturn(Optional.of(headerName == null ? HttpHeaders.AUTHORIZATION : headerName));
 
-            assertThatThrownBy(() -> new BasicAuthenticationProvider(OPEN_API_FILE_SPEC_ID, AUTH_SCHEME_NAME, List.of()))
-                    .hasMessageContaining("quarkus.openapi-generator.%s.auth.%s.token-propagation", OPEN_API_FILE_SPEC_ID,
-                            AUTH_SCHEME_NAME);
+            headers.putSingle(propagatedHeaderName, PROPAGATED_TOKEN);
+            filter(expectedAuthorizationHeader);
         }
+    }
 
+    static Stream<Arguments> filterWithPropagationTestValues() {
+        return Stream.of(
+                Arguments.of(null, "Basic " + PROPAGATED_TOKEN),
+                Arguments.of(HEADER_NAME, "Basic " + PROPAGATED_TOKEN));
     }
 }

docs/modules/ROOT/pages/includes/authorization-token-propagation.adoc

@@ -78,7 +78,7 @@ WARNING: When configured, the token propagation applies to all the operations se
 
 === Propagation flow configuration
 
-The token propagation can be used with type "oauth2" or "bearer" security schemes. Finally, considering that a given security scheme might be configured on a set of operations in the same specification file when configured, it'll apply to all these operations.
+The token propagation can be used with type "oauth2", "bearer" or "basic" security schemes. Finally, considering that a given security scheme might be configured on a set of operations in the same specification file when configured, it'll apply to all these operations.
 
 [%autowidth]
 |===