Merge pull request #50700 from michalvavrik/feature/test-security-on-test-class

Fix scenario that combines class-level `@TestSecurity` annotation with method-level `@OidcSecurity` annotation

Author: geoand

integration-tests/oidc/src/test/java/io/quarkus/it/keycloak/ClassLevelTestSecurityLazyAuthTest.java

@@ -0,0 +1,44 @@
+package io.quarkus.it.keycloak;
+
+import static org.hamcrest.Matchers.is;
+
+import org.junit.jupiter.api.Test;
+
+import io.quarkus.test.common.http.TestHTTPEndpoint;
+import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.security.TestSecurity;
+import io.quarkus.test.security.oidc.Claim;
+import io.quarkus.test.security.oidc.OidcSecurity;
+import io.restassured.RestAssured;
+
+@TestSecurity(user = "user1", roles = "viewer")
+@QuarkusTest
+@TestHTTPEndpoint(ProtectedJwtResource.class)
+public class ClassLevelTestSecurityLazyAuthTest {
+
+    @Test
+    public void testClassAnnotationWithDummyUser() {
+        RestAssured.when().get("test-security").then().body(is("user1"));
+    }
+
+    @Test
+    @OidcSecurity(claims = {
+            @Claim(key = "email", value = "[email protected]")
+    })
+    public void testClassAnnotationWithOidcSecurity() {
+        // verify information form security context
+        RestAssured.when().get("test-security").then().body(is("user1"));
+        // verify information from JWT
+        RestAssured.when().get("test-security-jwt").then().body(is("user1:viewer:[email protected]"));
+    }
+
+    @Test
+    @TestSecurity(user = "userJwt", roles = "viewer")
+    @OidcSecurity(claims = {
+            @Claim(key = "email", value = "[email protected]")
+    })
+    public void testMethodLevelTestSecurityOverridesClassAnnotation() {
+        RestAssured.when().get("test-security-jwt").then().body(is("userJwt:viewer:[email protected]"));
+    }
+
+}

test-framework/security/src/main/java/io/quarkus/test/security/QuarkusSecurityTestExtension.java

@@ -15,6 +15,7 @@
 import java.util.Set;
 import java.util.function.Function;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import jakarta.enterprise.inject.Instance;
 import jakarta.enterprise.inject.spi.CDI;
@@ -39,7 +40,7 @@ public class QuarkusSecurityTestExtension implements QuarkusTestBeforeEachCallba
     @Override
     public void afterEach(QuarkusTestMethodContext context) {
         try {
-            if (getAnnotationContainer(context).isPresent()) {
+            if (getTestSecurityContext(context).isPresent()) {
                 final ArcContainer container = Arc.container();
                 container.select(TestAuthController.class).get().setEnabled(true);
                 for (var testMechanism : container.select(AbstractTestHttpAuthenticationMechanism.class)) {
@@ -60,13 +61,12 @@ public void afterEach(QuarkusTestMethodContext context) {
     @Override
     public void beforeEach(QuarkusTestMethodContext context) {
         try {
-            Optional<AnnotationContainer<TestSecurity>> annotationContainerOptional = getAnnotationContainer(context);
-            if (annotationContainerOptional.isEmpty()) {
+            var testSecurityContext = getTestSecurityContext(context);
+            if (!testSecurityContext.isPresent()) {
                 return;
             }
-            var annotationContainer = annotationContainerOptional.get();
-            Annotation[] allAnnotations = annotationContainer.getElement().getAnnotations();
-            TestSecurity testSecurity = annotationContainer.getAnnotation();
+            Annotation[] allAnnotations = testSecurityContext.allAnnotations();
+            TestSecurity testSecurity = testSecurityContext.annotationContainer.getAnnotation();
             final ArcContainer container = Arc.container();
             container.select(TestAuthController.class).get().setEnabled(testSecurity.authorizationEnabled());
             if (testSecurity.user().isEmpty()) {
@@ -163,7 +163,7 @@ void addAction(String action) {
                 possessedPermissions.stream().anyMatch(possessedPermission -> possessedPermission.implies(requiredPermission)));
     }
 
-    private Optional<AnnotationContainer<TestSecurity>> getAnnotationContainer(QuarkusTestMethodContext context)
+    private TestSecurityContext getTestSecurityContext(QuarkusTestMethodContext context)
             throws Exception {
         //the usual ClassLoader hacks to get our copy of the TestSecurity annotation
         ClassLoader cl = Thread.currentThread().getContextClassLoader();
@@ -183,8 +183,9 @@ private Optional<AnnotationContainer<TestSecurity>> getAnnotationContainer(Quark
                 TestSecurity.class);
         if (annotationContainerOptional.isEmpty()) {
             annotationContainerOptional = AnnotationUtils.findAnnotation(original, TestSecurity.class);
+            return new TestSecurityContext(annotationContainerOptional.orElse(null), method);
         }
-        return annotationContainerOptional;
+        return new TestSecurityContext(annotationContainerOptional.orElse(null), null);
     }
 
     private SecurityIdentity augment(SecurityIdentity identity, Annotation[] annotations) {
@@ -194,4 +195,22 @@ private SecurityIdentity augment(SecurityIdentity identity, Annotation[] annotat
         }
         return identity;
     }
+
+    private record TestSecurityContext(AnnotationContainer<TestSecurity> annotationContainer, Method method) {
+        private Annotation[] allAnnotations() {
+            Annotation[] testSecurityElementAnnotations = annotationContainer.getElement().getAnnotations();
+            boolean classLevelTestSecurity = method != null;
+            if (classLevelTestSecurity && method.getAnnotations().length > 0) {
+                // add method-level annotations as there could be for example @OidcSecurity
+                return Stream.concat(
+                        Arrays.stream(method.getAnnotations()),
+                        Arrays.stream(testSecurityElementAnnotations)).toArray(Annotation[]::new);
+            }
+            return testSecurityElementAnnotations;
+        }
+
+        private boolean isPresent() {
+            return annotationContainer != null;
+        }
+    }
 }