Merge pull request #48529 from michalvavrik/feature/oidc-tenant-multiple-vals

sberyozkin · web-flow · commit 3f0a441ac06c · 2025-06-23T10:12:00.000+01:00
Support linking multiple tenants to a tenant feature
diff --git a/extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/TokenCustomizersTest.java b/extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/TokenCustomizersTest.java
@@ -0,0 +1,187 @@
+package io.quarkus.oidc.test;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.util.List;
+
+import jakarta.enterprise.event.Observes;
+import jakarta.inject.Inject;
+import jakarta.inject.Singleton;
+import jakarta.json.JsonObject;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+
+import org.hamcrest.Matchers;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.arc.All;
+import io.quarkus.arc.Unremovable;
+import io.quarkus.oidc.Oidc;
+import io.quarkus.oidc.OidcTenantConfig;
+import io.quarkus.oidc.OidcTenantConfigBuilder;
+import io.quarkus.oidc.TenantFeature;
+import io.quarkus.oidc.TokenCustomizer;
+import io.quarkus.oidc.runtime.OidcConfig;
+import io.quarkus.security.Authenticated;
+import io.quarkus.test.QuarkusDevModeTest;
+import io.quarkus.test.common.QuarkusTestResource;
+import io.quarkus.test.keycloak.server.KeycloakTestResourceLifecycleManager;
+import io.restassured.RestAssured;
+import io.vertx.ext.web.RoutingContext;
+
+@QuarkusTestResource(KeycloakTestResourceLifecycleManager.class)
+public class TokenCustomizersTest {
+
+    @RegisterExtension
+    static final QuarkusDevModeTest test = new QuarkusDevModeTest()
+            .withApplicationRoot((jar) -> jar
+                    .addClasses(AccessTokenResource.class, GlobalTokenCustomizer.class, AccessTokenResource.Customizers.class,
+                            NamedOneAndTwoCustomizer.class, NamedOneAndTwoAndFourCustomizer.class));
+
+    @Test
+    public void testTokenCustomizers() {
+        RestAssured.given().auth().oauth2(getAccessToken()).get("/access-token")
+                .then().statusCode(200).body(Matchers.is("default"));
+        var customizers = RestAssured.get("/access-token/customizers").then().statusCode(200).extract()
+                .as(AccessTokenResource.Customizers.class);
+        assertTrue(customizers.global);
+        assertFalse(customizers.namedOneAndTwoCustomizer);
+        assertFalse(customizers.namedOneAndTwoAndFourCustomizer);
+        RestAssured.given().auth().oauth2(getAccessToken()).get("/access-token/named-1")
+                .then().statusCode(200).body(Matchers.is("named-1"));
+        customizers = RestAssured.get("/access-token/customizers").then().statusCode(200).extract()
+                .as(AccessTokenResource.Customizers.class);
+        assertTrue(customizers.global);
+        assertTrue(customizers.namedOneAndTwoCustomizer);
+        assertTrue(customizers.namedOneAndTwoAndFourCustomizer);
+        RestAssured.given().auth().oauth2(getAccessToken()).get("/access-token/named-2")
+                .then().statusCode(200).body(Matchers.is("named-2"));
+        customizers = RestAssured.get("/access-token/customizers").then().statusCode(200).extract()
+                .as(AccessTokenResource.Customizers.class);
+        assertTrue(customizers.global);
+        assertTrue(customizers.namedOneAndTwoCustomizer);
+        assertTrue(customizers.namedOneAndTwoAndFourCustomizer);
+        RestAssured.given().auth().oauth2(getAccessToken()).get("/access-token/named-3")
+                .then().statusCode(200).body(Matchers.is("named-3"));
+        customizers = RestAssured.get("/access-token/customizers").then().statusCode(200).extract()
+                .as(AccessTokenResource.Customizers.class);
+        assertTrue(customizers.global);
+        assertFalse(customizers.namedOneAndTwoCustomizer);
+        assertFalse(customizers.namedOneAndTwoAndFourCustomizer);
+        RestAssured.given().auth().oauth2(getAccessToken()).get("/access-token/named-4")
+                .then().statusCode(200).body(Matchers.is("named-4"));
+        customizers = RestAssured.get("/access-token/customizers").then().statusCode(200).extract()
+                .as(AccessTokenResource.Customizers.class);
+        assertTrue(customizers.global);
+        assertFalse(customizers.namedOneAndTwoCustomizer);
+        assertTrue(customizers.namedOneAndTwoAndFourCustomizer);
+    }
+
+    private static String getAccessToken() {
+        return KeycloakTestResourceLifecycleManager.getAccessToken("alice");
+    }
+
+    @Unremovable
+    @Singleton
+    public static class GlobalTokenCustomizer implements TokenCustomizer {
+
+        volatile boolean called = false;
+
+        @Override
+        public JsonObject customizeHeaders(JsonObject headers) {
+            called = true;
+            return null;
+        }
+    }
+
+    @Unremovable
+    @Singleton
+    @TenantFeature({ "named-1", "named-2" })
+    public static class NamedOneAndTwoCustomizer implements TokenCustomizer {
+
+        volatile boolean called = false;
+
+        @Override
+        public JsonObject customizeHeaders(JsonObject headers) {
+            called = true;
+            return null;
+        }
+    }
+
+    @Unremovable
+    @Singleton
+    @TenantFeature({ "named-1", "named-2", "named-4" })
+    public static class NamedOneAndTwoAndFourCustomizer implements TokenCustomizer {
+
+        volatile boolean called = false;
+
+        @Override
+        public JsonObject customizeHeaders(JsonObject headers) {
+            called = true;
+            return null;
+        }
+    }
+
+    @Path("/access-token")
+    public static class AccessTokenResource {
+
+        private GlobalTokenCustomizer globalTokenCustomizer;
+        private NamedOneAndTwoCustomizer namedOneAndTwoCustomizer;
+        private NamedOneAndTwoAndFourCustomizer namedOneAndTwoAndFourCustomizer;
+
+        @Inject
+        RoutingContext context;
+
+        public AccessTokenResource(@All List<TokenCustomizer> tokenCustomizers) {
+            for (TokenCustomizer tokenCustomizer : tokenCustomizers) {
+                if (tokenCustomizer instanceof GlobalTokenCustomizer i) {
+                    globalTokenCustomizer = i;
+                } else if (tokenCustomizer instanceof NamedOneAndTwoCustomizer i) {
+                    namedOneAndTwoCustomizer = i;
+                } else if (tokenCustomizer instanceof NamedOneAndTwoAndFourCustomizer i) {
+                    namedOneAndTwoAndFourCustomizer = i;
+                }
+            }
+        }
+
+        @Authenticated
+        @GET
+        public String defaultTenantAccessTokenName() {
+            return "default";
+        }
+
+        @Authenticated
+        @Path("/{tenant-id}")
+        @GET
+        public String namedTenantAccessTokenName() {
+            return context.<OidcTenantConfig> get(OidcTenantConfig.class.getName()).tenantId().get();
+        }
+
+        record Customizers(boolean global, boolean namedOneAndTwoCustomizer, boolean namedOneAndTwoAndFourCustomizer) {
+        }
+
+        @Path("/customizers")
+        @GET
+        public Customizers customizers() {
+            try {
+                return new Customizers(globalTokenCustomizer.called, namedOneAndTwoCustomizer.called,
+                        namedOneAndTwoAndFourCustomizer.called);
+            } finally {
+                globalTokenCustomizer.called = false;
+                namedOneAndTwoCustomizer.called = false;
+                namedOneAndTwoAndFourCustomizer.called = false;
+            }
+        }
+
+        void configureOidc(@Observes Oidc oidc, OidcConfig oidcConfig) {
+            var defaultTenantConfigBuilder = new OidcTenantConfigBuilder(OidcConfig.getDefaultTenant(oidcConfig));
+            oidc.create(defaultTenantConfigBuilder.tenantId("named-1").build());
+            oidc.create(defaultTenantConfigBuilder.tenantId("named-2").build());
+            oidc.create(defaultTenantConfigBuilder.tenantId("named-3").build());
+            oidc.create(defaultTenantConfigBuilder.tenantId("named-4").build());
+        }
+    }
+
+}
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/TenantFeature.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/TenantFeature.java
@@ -10,45 +10,19 @@
 import java.lang.annotation.Retention;
 import java.lang.annotation.Target;
 
-import jakarta.enterprise.util.AnnotationLiteral;
 import jakarta.inject.Qualifier;
 
 /**
- * Qualifier used to specify which named tenant is associated with one or more OIDC feature.
+ * Qualifier used to specify which named tenants are associated with one or more OIDC feature.
  */
 @Target({ METHOD, FIELD, PARAMETER, TYPE })
 @Retention(RUNTIME)
 @Documented
 @Qualifier
 public @interface TenantFeature {
     /**
-     * Identifies an OIDC tenant to which a given feature applies.
+     * Identifies OIDC tenants to which a given feature applies.
      */
-    String value();
+    String[] value();
 
-    /**
-     * Supports inline instantiation of the {@link TenantFeature} qualifier.
-     */
-    final class TenantFeatureLiteral extends AnnotationLiteral<TenantFeature> implements TenantFeature {
-
-        private final String value;
-
-        private TenantFeatureLiteral(String value) {
-            this.value = value;
-        }
-
-        @Override
-        public String value() {
-            return value;
-        }
-
-        @Override
-        public String toString() {
-            return "TenantFeatureLiteral [value=" + value + "]";
-        }
-
-        public static TenantFeature of(String value) {
-            return new TenantFeatureLiteral(value);
-        }
-    }
 }
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantFeatureFinder.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantFeatureFinder.java
@@ -1,17 +1,18 @@
 package io.quarkus.oidc.runtime;
 
+import java.lang.annotation.Annotation;
 import java.util.ArrayList;
 import java.util.List;
 
-import jakarta.enterprise.inject.Default;
+import jakarta.inject.Named;
+import jakarta.json.JsonObject;
 
 import io.quarkus.arc.Arc;
 import io.quarkus.arc.ArcContainer;
 import io.quarkus.arc.InstanceHandle;
 import io.quarkus.oidc.OIDCException;
 import io.quarkus.oidc.OidcTenantConfig;
 import io.quarkus.oidc.TenantFeature;
-import io.quarkus.oidc.TenantFeature.TenantFeatureLiteral;
 import io.quarkus.oidc.TokenCustomizer;
 
 public class TenantFeatureFinder {
@@ -35,25 +36,55 @@ public static TokenCustomizer find(OidcTenantConfig oidcConfig) {
                     throw new OIDCException("Unable to find TokenCustomizer " + customizerName);
                 }
             } else if (oidcConfig.tenantId().isPresent()) {
-                return container
-                        .instance(TokenCustomizer.class, TenantFeature.TenantFeatureLiteral.of(oidcConfig.tenantId().get()))
-                        .get();
+                List<TokenCustomizer> tokenCustomizers = find(oidcConfig, TokenCustomizer.class);
+                if (tokenCustomizers.isEmpty()) {
+                    return null;
+                }
+                if (tokenCustomizers.size() == 1) {
+                    return tokenCustomizers.get(0);
+                }
+                return new TokenCustomizer() {
+                    @Override
+                    public JsonObject customizeHeaders(JsonObject headers) {
+                        JsonObject result = headers;
+                        for (TokenCustomizer tokenCustomizer : tokenCustomizers) {
+                            var customizedHeaders = tokenCustomizer.customizeHeaders(result);
+                            if (customizedHeaders != null) {
+                                result = customizedHeaders;
+                            }
+                        }
+                        return result == headers ? null : result;
+                    }
+                };
             }
         }
         return null;
     }
 
     public static <T> List<T> find(OidcTenantConfig oidcTenantConfig, Class<T> tenantFeatureClass) {
-        if (oidcTenantConfig != null && oidcTenantConfig.tenantId().isPresent()) {
+        ArcContainer container = Arc.container();
+        if (oidcTenantConfig != null && container != null) {
             var tenantsValidators = new ArrayList<T>();
-            for (var instance : Arc.container().listAll(tenantFeatureClass, Default.Literal.INSTANCE)) {
-                if (instance.isAvailable()) {
-                    tenantsValidators.add(instance.get());
-                }
-            }
-            for (var instance : Arc.container().listAll(tenantFeatureClass,
-                    TenantFeatureLiteral.of(oidcTenantConfig.tenantId().get()))) {
+            allFeatureClasses: for (InstanceHandle<T> instance : container.listAll(tenantFeatureClass)) {
                 if (instance.isAvailable()) {
+                    qualifiers: for (Annotation qualifier : instance.getBean().getQualifiers()) {
+                        if (qualifier instanceof TenantFeature tenantFeature) {
+                            String thisTenantId = oidcTenantConfig.tenantId().get();
+                            for (String thatTenantId : tenantFeature.value()) {
+                                if (thisTenantId.equals(thatTenantId)) {
+                                    // adds tenant validator
+                                    break qualifiers;
+                                }
+                            }
+                            // don't continue as this is a TenantFeature but not for our tenant
+                            continue allFeatureClasses;
+                        } else if (qualifier instanceof Named) {
+                            // following is done so that we don't include some features that are not meant to be global
+                            // but users want to include them using configuration properties
+                            // like 'io.quarkus.oidc.runtime.providers.AzureAccessTokenCustomizer'
+                            continue allFeatureClasses;
+                        }
+                    }
                     tenantsValidators.add(instance.get());
                 }
             }
