Merge pull request #50899 from michalvavrik/feature/security-checks-for-jakarta-data-repos

Refactor security code to reflect annotation transformations for security annotations

Author: sberyozkin

extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/OidcBuildStep.java

@@ -9,6 +9,7 @@
 import static io.quarkus.oidc.runtime.OidcRecorder.ACR_VALUES_TO_MAX_AGE_SEPARATOR;
 import static io.quarkus.oidc.runtime.OidcUtils.DEFAULT_TENANT_ID;
 import static io.quarkus.security.spi.ClassSecurityAnnotationBuildItem.useClassLevelSecurity;
+import static io.quarkus.security.spi.SecurityTransformerBuildItem.createSecurityTransformer;
 import static io.quarkus.vertx.http.deployment.EagerSecurityInterceptorBindingBuildItem.toTargetName;
 import static io.quarkus.vertx.http.deployment.HttpSecurityProcessor.collectAnnotatedClasses;
 import static io.quarkus.vertx.http.deployment.HttpSecurityProcessor.collectClassMethodsWithoutRbacAnnotation;
@@ -109,13 +110,14 @@
 import io.quarkus.security.spi.AdditionalSecuredMethodsBuildItem;
 import io.quarkus.security.spi.ClassSecurityAnnotationBuildItem;
 import io.quarkus.security.spi.RegisterClassSecurityCheckBuildItem;
+import io.quarkus.security.spi.SecurityTransformer;
+import io.quarkus.security.spi.SecurityTransformerBuildItem;
 import io.quarkus.smallrye.health.deployment.spi.HealthBuildItem;
 import io.quarkus.tls.deployment.spi.TlsRegistryBuildItem;
 import io.quarkus.vertx.core.deployment.CoreVertxBuildItem;
 import io.quarkus.vertx.http.deployment.EagerSecurityInterceptorBindingBuildItem;
 import io.quarkus.vertx.http.deployment.FilterBuildItem;
 import io.quarkus.vertx.http.deployment.HttpAuthMechanismAnnotationBuildItem;
-import io.quarkus.vertx.http.deployment.HttpSecurityUtils;
 import io.quarkus.vertx.http.deployment.PreRouterFinalizationBuildItem;
 import io.quarkus.vertx.http.deployment.SecurityInformationBuildItem;
 import io.quarkus.vertx.http.runtime.VertxHttpBuildTimeConfig;
@@ -437,11 +439,14 @@ public void registerAuthenticationContextInterceptor(Capabilities capabilities,
             BuildProducer<RegisterClassSecurityCheckBuildItem> registerClassSecurityCheckProducer,
             List<ClassSecurityAnnotationBuildItem> classSecurityAnnotations,
             BuildProducer<AdditionalSecuredMethodsBuildItem> additionalSecuredMethodsProducer,
-            BuildProducer<EagerSecurityInterceptorBindingBuildItem> bindingProducer) {
+            BuildProducer<EagerSecurityInterceptorBindingBuildItem> bindingProducer,
+            Optional<SecurityTransformerBuildItem> securityTransformerBuildItem) {
         var authCtxAnnotations = combinedIndexBuildItem.getIndex().getAnnotations(AUTHENTICATION_CONTEXT_NAME);
         if (authCtxAnnotations.isEmpty() || !areEagerSecInterceptorsSupported(capabilities, httpBuildTimeConfig)) {
             return;
         }
+        SecurityTransformer securityTransformer = SecurityTransformerBuildItem.createSecurityTransformer(
+                combinedIndexBuildItem.getIndex(), securityTransformerBuildItem);
         bindingProducer.produce(new EagerSecurityInterceptorBindingBuildItem(recorder.authenticationContextInterceptorCreator(),
                 ai -> {
                     AnnotationValue maxAgeAnnotationValue = ai.value("maxAge");
@@ -468,18 +473,18 @@ public void registerAuthenticationContextInterceptor(Capabilities capabilities,
                 .map(AnnotationInstance::target)
                 .filter(at -> at.kind() == METHOD)
                 .map(AnnotationTarget::asMethod)
-                .toList());
+                .toList(), securityTransformer);
         additionalSecuredMethodsProducer
                 .produce(new AdditionalSecuredMethodsBuildItem(annotatedMethods, Optional.of(List.of("**"))));
         // method-level security; this registers @Authenticated if no RBAC is explicitly declared
         Predicate<ClassInfo> useClassLevelSecurity = useClassLevelSecurity(classSecurityAnnotations);
         Set<MethodInfo> annotatedClassMethods = collectClassMethodsWithoutRbacAnnotation(
-                collectAnnotatedClasses(authCtxAnnotations, Predicate.not(useClassLevelSecurity)));
+                collectAnnotatedClasses(authCtxAnnotations, Predicate.not(useClassLevelSecurity)), securityTransformer);
         additionalSecuredMethodsProducer
                 .produce(new AdditionalSecuredMethodsBuildItem(annotatedClassMethods, Optional.of(List.of("**"))));
         // class-level security; this registers @Authenticated if no RBAC is explicitly declared
         collectAnnotatedClasses(authCtxAnnotations, useClassLevelSecurity).stream()
-                .filter(Predicate.not(HttpSecurityUtils::hasSecurityAnnotation))
+                .filter(Predicate.not(securityTransformer::hasSecurityAnnotation))
                 .forEach(c -> registerClassSecurityCheckProducer.produce(
                         new RegisterClassSecurityCheckBuildItem(c.name(), AnnotationInstance
                                 .builder(Authenticated.class).buildWithTarget(c))));

extensions/resteasy-classic/resteasy/deployment/src/main/java/io/quarkus/resteasy/deployment/DenyJaxRsTransformer.java

@@ -3,6 +3,9 @@
 import static io.quarkus.resteasy.reactive.common.deployment.QuarkusResteasyReactiveDotNames.HTTP_SERVER_REQUEST;
 import static io.quarkus.resteasy.reactive.common.deployment.QuarkusResteasyReactiveDotNames.HTTP_SERVER_RESPONSE;
 import static io.quarkus.resteasy.reactive.common.deployment.QuarkusResteasyReactiveDotNames.ROUTING_CONTEXT;
+import static io.quarkus.security.spi.SecurityTransformer.AuthorizationType.AUTHORIZATION_POLICY;
+import static io.quarkus.security.spi.SecurityTransformer.AuthorizationType.SECURITY_CHECK;
+import static io.quarkus.security.spi.SecurityTransformerBuildItem.createSecurityTransformer;
 import static io.quarkus.vertx.http.deployment.EagerSecurityInterceptorMethodsBuildItem.collectInterceptedMethods;
 import static java.util.stream.Collectors.toList;
 import static org.jboss.resteasy.reactive.common.processor.ResteasyReactiveDotNames.DATE_FORMAT;
@@ -218,11 +221,11 @@
 import io.quarkus.security.AuthenticationRedirectException;
 import io.quarkus.security.ForbiddenException;
 import io.quarkus.security.spi.PermissionsAllowedMetaAnnotationBuildItem;
-import io.quarkus.security.spi.SecurityTransformerUtils;
+import io.quarkus.security.spi.SecurityTransformer;
+import io.quarkus.security.spi.SecurityTransformerBuildItem;
 import io.quarkus.vertx.http.deployment.AuthorizationPolicyInstancesBuildItem;
 import io.quarkus.vertx.http.deployment.EagerSecurityInterceptorMethodsBuildItem;
 import io.quarkus.vertx.http.deployment.FilterBuildItem;
-import io.quarkus.vertx.http.deployment.HttpSecurityUtils;
 import io.quarkus.vertx.http.deployment.RouteBuildItem;
 import io.quarkus.vertx.http.runtime.RouteConstants;
 import io.quarkus.vertx.http.runtime.VertxHttpBuildTimeConfig;
@@ -1765,10 +1768,13 @@ public void securityExceptionMappers(BuildProducer<ExceptionMapperBuildItem> exc
     MethodScannerBuildItem integrateEagerSecurity(Capabilities capabilities, CombinedIndexBuildItem indexBuildItem,
             Optional<AuthorizationPolicyInstancesBuildItem> authorizationPolicyInstancesItemOpt,
             List<EagerSecurityInterceptorMethodsBuildItem> eagerSecurityInterceptors, JaxRsSecurityConfig securityConfig,
-            Optional<PermissionsAllowedMetaAnnotationBuildItem> permsAllowedMetaAnnotationItemOptional) {
+            Optional<PermissionsAllowedMetaAnnotationBuildItem> permsAllowedMetaAnnotationItemOptional,
+            Optional<SecurityTransformerBuildItem> securityTransformerBuildItem) {
         if (!capabilities.isPresent(Capability.SECURITY)) {
             return null;
         }
+        SecurityTransformer securityTransformer = SecurityTransformerBuildItem.createSecurityTransformer(
+                indexBuildItem.getIndex(), securityTransformerBuildItem);
         var authZPolicyInstancesItem = authorizationPolicyInstancesItemOpt.get();
         var permsAllowedMetaAnnotationItem = permsAllowedMetaAnnotationItemOptional.get();
 
@@ -1787,17 +1793,19 @@ public List<HandlerChainCustomizer> scan(MethodInfo method, ClassInfo actualEndp
                     boolean isMethodIntercepted = interceptedMethods.containsKey(endpointImpl);
                     if (isMethodIntercepted) {
                         return createEagerSecCustomizerWithInterceptor(interceptedMethods, endpointImpl, method, endpointImpl,
-                                withDefaultSecurityCheck, applyAuthorizationPolicy, permsAllowedMetaAnnotationItem);
+                                withDefaultSecurityCheck, applyAuthorizationPolicy, permsAllowedMetaAnnotationItem,
+                                securityTransformer);
                     } else {
                         isMethodIntercepted = interceptedMethods.containsKey(method);
                         if (isMethodIntercepted && !endpointImpl.equals(method)) {
                             return createEagerSecCustomizerWithInterceptor(interceptedMethods, method, method, endpointImpl,
-                                    withDefaultSecurityCheck, applyAuthorizationPolicy, permsAllowedMetaAnnotationItem);
+                                    withDefaultSecurityCheck, applyAuthorizationPolicy, permsAllowedMetaAnnotationItem,
+                                    securityTransformer);
                         }
                     }
                 }
                 return List.of(newEagerSecurityHandlerCustomizerInstance(method, endpointImpl, withDefaultSecurityCheck,
-                        applyAuthorizationPolicy, permsAllowedMetaAnnotationItem));
+                        applyAuthorizationPolicy, permsAllowedMetaAnnotationItem, securityTransformer));
             }
         });
     }
@@ -1810,28 +1818,32 @@ private static boolean shouldApplyAuthZPolicy(MethodInfo method, MethodInfo endp
     private static List<HandlerChainCustomizer> createEagerSecCustomizerWithInterceptor(
             Map<MethodInfo, Boolean> interceptedMethods, MethodInfo method, MethodInfo originalMethod, MethodInfo endpointImpl,
             boolean withDefaultSecurityCheck, boolean applyAuthorizationPolicy,
-            PermissionsAllowedMetaAnnotationBuildItem permsAllowedMetaAnnotationItem) {
+            PermissionsAllowedMetaAnnotationBuildItem permsAllowedMetaAnnotationItem,
+            SecurityTransformer securityTransformer) {
         var requiresSecurityCheck = interceptedMethods.get(method);
         final HandlerChainCustomizer eagerSecCustomizer;
         if (requiresSecurityCheck && !applyAuthorizationPolicy) {
             // standard security annotation and possibly authorization using configuration
             eagerSecCustomizer = new HttpPermissionsAndSecurityChecksCustomizer();
         } else {
             eagerSecCustomizer = newEagerSecurityHandlerCustomizerInstance(originalMethod, endpointImpl,
-                    withDefaultSecurityCheck, applyAuthorizationPolicy, permsAllowedMetaAnnotationItem);
+                    withDefaultSecurityCheck, applyAuthorizationPolicy, permsAllowedMetaAnnotationItem,
+                    securityTransformer);
         }
         return List.of(EagerSecurityInterceptorHandler.Customizer.newInstance(), eagerSecCustomizer);
     }
 
     private static HandlerChainCustomizer newEagerSecurityHandlerCustomizerInstance(MethodInfo method, MethodInfo endpointImpl,
             boolean withDefaultSecurityCheck, boolean applyAuthorizationPolicy,
-            PermissionsAllowedMetaAnnotationBuildItem permsAllowedMetaAnnotationItem) {
+            PermissionsAllowedMetaAnnotationBuildItem permsAllowedMetaAnnotationItem,
+            SecurityTransformer securityTransformer) {
         if (applyAuthorizationPolicy) {
             // @AuthorizationPolicy and possibly authorization using configuration
             return new AuthZPolicyCustomizer();
         }
         if (withDefaultSecurityCheck
-                || consumesStandardSecurityAnnotations(method, endpointImpl, permsAllowedMetaAnnotationItem)) {
+                || consumesStandardSecurityAnnotations(method, endpointImpl, permsAllowedMetaAnnotationItem,
+                        securityTransformer)) {
             // standard security annotation and possibly authorization using configuration
             return new HttpPermissionsAndSecurityChecksCustomizer();
         }
@@ -1904,25 +1916,27 @@ void registerSecurityBeans(Capabilities capabilities,
     }
 
     private static boolean consumesStandardSecurityAnnotations(MethodInfo methodInfo, MethodInfo endpointImpl,
-            PermissionsAllowedMetaAnnotationBuildItem permsAllowedMetaAnnotationItem) {
+            PermissionsAllowedMetaAnnotationBuildItem permsAllowedMetaAnnotationItem,
+            SecurityTransformer securityTransformer) {
         // invoked method
-        if (consumesStandardSecurityAnnotations(endpointImpl, permsAllowedMetaAnnotationItem)) {
+        if (consumesStandardSecurityAnnotations(endpointImpl, permsAllowedMetaAnnotationItem, securityTransformer)) {
             return true;
         }
 
         // fallback to original behavior
         return !endpointImpl.equals(methodInfo)
-                && consumesStandardSecurityAnnotations(methodInfo, permsAllowedMetaAnnotationItem);
+                && consumesStandardSecurityAnnotations(methodInfo, permsAllowedMetaAnnotationItem, securityTransformer);
     }
 
     private static boolean consumesStandardSecurityAnnotations(MethodInfo methodInfo,
-            PermissionsAllowedMetaAnnotationBuildItem permsAllowedMetaAnnotationItem) {
-        boolean hasMethodLevelSecurityAnnotation = SecurityTransformerUtils.hasSecurityAnnotation(methodInfo)
+            PermissionsAllowedMetaAnnotationBuildItem permsAllowedMetaAnnotationItem,
+            SecurityTransformer securityTransformer) {
+        boolean hasMethodLevelSecurityAnnotation = securityTransformer.hasSecurityAnnotation(methodInfo, SECURITY_CHECK)
                 || permsAllowedMetaAnnotationItem.hasPermissionsAllowed(methodInfo);
         if (hasMethodLevelSecurityAnnotation) {
             return true;
         }
-        if (HttpSecurityUtils.hasAuthorizationPolicyAnnotation(methodInfo)) {
+        if (securityTransformer.hasSecurityAnnotation(methodInfo, AUTHORIZATION_POLICY)) {
             // security annotations cannot be combined
             // and the most specific wins, so if we have both class-level security check
             // and the method-level @AuthorizationPolicy, the policy wins as it is more specific
@@ -1931,7 +1945,7 @@ private static boolean consumesStandardSecurityAnnotations(MethodInfo methodInfo
             // on a method level thanks to validation
             return false;
         }
-        return SecurityTransformerUtils.hasSecurityAnnotation(methodInfo.declaringClass())
+        return securityTransformer.hasSecurityAnnotation(methodInfo.declaringClass(), SECURITY_CHECK)
                 || permsAllowedMetaAnnotationItem.hasPermissionsAllowed(methodInfo.declaringClass());
     }
 

extensions/resteasy-reactive/rest/deployment/src/main/java/io/quarkus/resteasy/reactive/server/deployment/ResteasyReactiveProcessor.java

@@ -6,14 +6,20 @@
 import org.jboss.jandex.ClassInfo;
 import org.jboss.jandex.MethodInfo;
 
-import io.quarkus.security.spi.SecurityTransformerUtils;
+import io.quarkus.security.spi.SecurityTransformer;
 
 final class DenyUnannotatedPredicate implements Predicate<ClassInfo> {
 
+    private final SecurityTransformer securityTransformer;
+
+    DenyUnannotatedPredicate(SecurityTransformer securityTransformer) {
+        this.securityTransformer = securityTransformer;
+    }
+
     @Override
     public boolean test(ClassInfo classInfo) {
         List<MethodInfo> methods = classInfo.methods();
-        return !SecurityTransformerUtils.hasSecurityAnnotation(classInfo)
-                && methods.stream().anyMatch(SecurityTransformerUtils::hasSecurityAnnotation);
+        return !securityTransformer.hasSecurityAnnotation(classInfo)
+                && methods.stream().anyMatch(securityTransformer::hasSecurityAnnotation);
     }
 }