Add annotation to allow using custom CDI bean methods as permission checkers #43846

Open
wants to merge 1 commit into
base: main

michalvavrik
Member

This PR is ready for review, however CI cannot run until quarkusio/quarkus-security#56 is merged and Quarkus Security API is released and bumped in the Quarkus project.

@michalvavrik michalvavrik force-pushed the feature/permissions-allowed-user-exp-improvements branch from 903b9f0 to 793a99f Compare October 13, 2024 20:55

@sberyozkin
Member

Thanks @michalvavrik, sorry for the delay, will start looking tomorrow, need to sign off now

@michalvavrik
Member Author

> Thanks @michalvavrik, sorry for the delay, will start looking tomorrow, need to sign off now

no worry, if don't have API anyway (I run all the related tests locally, so I don't expect CI issues), take your time, this won't be easy to review even though this PR consists mostly of tests

@michalvavrik michalvavrik force-pushed the feature/permissions-allowed-user-exp-improvements branch from 793a99f to 484114f Compare October 14, 2024 23:05

@sberyozkin sberyozkin self-requested a review October 15, 2024 18:05
Member

@sberyozkin sberyozkin left a comment

This is going to be a massive feature, thanks @michalvavrik

@sberyozkin
Member

@michalvavrik Can I suggest to update the subject a bit to highlight it, something like
Add PermissionChecker annotation to allow using custom CDI bean methods as permission checkers ?

@michalvavrik michalvavrik force-pushed the feature/permissions-allowed-user-exp-improvements branch from 484114f to 9441bea Compare October 15, 2024 18:42
@michalvavrik michalvavrik changed the title from "Provide simpler way to define permission checks with the @PermissionChecker annotation" to "Add annotation to allow using custom CDI bean methods as permission checkers" Oct 15, 2024
@michalvavrik
Member Author

> @michalvavrik Can I suggest to update the subject a bit to highlight it, something like Add PermissionChecker annotation to allow using custom CDI bean methods as permission checkers ?

Changed PR title and fixed the QuarkusPermission javadoc.

@quarkus-bot

quarkus-bot bot commented Oct 15, 2024

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 9441bea.

Failing Jobs

| Status | Name | Step | Failures | Logs | Raw logs | Build scan |
|---|---|---|---|---|---|---|
| | Initial JDK 17 Build | Populate the cache | Failures | Logs | Raw logs | 🚧 |

Failures

⚙️ Initial JDK 17 Build

- Failing: extensions/security/runtime-spi extensions/security/spi extensions/websockets/client/runtime 
! Skipped: devtools/bom-descriptor-json devtools/cli docs and 571 more

📦 extensions/security/runtime-spi

Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.6.1:go-offline (default-cli) on project quarkus-security-runtime-spi: org.eclipse.aether.resolution.DependencyResolutionException: The following artifacts could not be resolved: io.quarkus.security:quarkus-security:jar:2.1.1-SNAPSHOT (absent): Could not find artifact io.quarkus.security:quarkus-security:jar:2.1.1-SNAPSHOT

📦 extensions/security/spi

Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.6.1:go-offline (default-cli) on project quarkus-security-spi: org.eclipse.aether.resolution.DependencyResolutionException: The following artifacts could not be resolved: io.quarkus.security:quarkus-security:jar:2.1.1-SNAPSHOT (absent): Could not find artifact io.quarkus.security:quarkus-security:jar:2.1.1-SNAPSHOT

📦 extensions/websockets/client/runtime

Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.6.1:go-offline (default-cli) on project quarkus-websockets-client: org.eclipse.aether.resolution.DependencyResolutionException: The following artifacts could not be resolved: io.quarkus.security:quarkus-security:jar:2.1.1-SNAPSHOT (absent): Could not find artifact io.quarkus.security:quarkus-security:jar:2.1.1-SNAPSHOT

@quarkus-bot

quarkus-bot bot commented Oct 15, 2024

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit 9441bea.

Failing Jobs

⚠️ Artifacts of the workflow run were not available thus the report misses some details.

| Status | Name | Step | Failures | Logs | Raw logs | Build scan |
|---|---|---|---|---|---|---|
| | Documentation Build | Build | ⚠️ Check → | Logs | Raw logs | 🚧 |

Member

@FroMage FroMage left a comment

I didn't check the code, just the docs, but the feature is great :)

}
}
----
<1> Permission required to access the `ProjectResource#renameProject` is the `rename-project` permission.

Suggested change
<1> Permission required to access the `ProjectResource#renameProject` is the `rename-project` permission.
<1> The permission required to access the `ProjectResource#renameProject` is the `rename-project` permission.

}
----
<1> Permission required to access the `ProjectResource#renameProject` is the `rename-project` permission.
<2> The `ProjectResource#canRenameProject` method authorize access to the `ProjectResource#renameProject` endpoint.
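
Review bot: callout <1> reads "access the `ProjectResource#renameProject`" with no noun after the method reference, while callout <2> on the next line says "the `ProjectResource#renameProject` endpoint". Suggest adding "endpoint" to <1> so both callouts name the target the same way.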

Suggested change
<2> The `ProjectResource#canRenameProject` method authorize access to the `ProjectResource#renameProject` endpoint.
<2> The `ProjectResource#canRenameProject` method authorizes access to the `ProjectResource#renameProject` endpoint.

@@ -1155,47 +1225,31 @@ public class SimpleBeanParam {
<3> The `customAuthorizationHeader` field is not public, therefore Quarkus access this field with the `customAuthorizationHeader` accessor.
That is particularly useful with Java records, where generated accessors are not prefixed with `get`.

Here is an example of the `BeanParamPermission` permission that checks user principal, custom header and query parameter:
Here is an example of a `@PermissionChecker` method that checks `say-hello` permission based on a user principal, custom header and query parameter:
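
Review bot: in the unchanged `<3>` callout at the top of this hunk, "therefore Quarkus access this field" has a subject-verb mismatch. Since the paragraph directly below it is being reworded anyway, suggest fixing it to "therefore Quarkus accesses this field" in the same change.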

Suggested change
Here is an example of a `@PermissionChecker` method that checks `say-hello` permission based on a user principal, custom header and query parameter:
Here is an example of a `@PermissionChecker` method that checks the `say-hello` permission based on a user principal, custom header and query parameter:

@sberyozkin
Member

Hi @cescoffier, @gsmet, please review this PR, here there will be a few more validators put in place to avoid some possible user errors.
quarkusio/quarkus-security#56 is only adding an interface

Labels: area/dependencies (Pull requests that update a dependency file), area/docstyle (issues related for manual docstyle review), area/documentation, area/rest, area/security, release/noteworthy-feature
Development

Successfully merging this pull request may close these issues.

Idea for custom permission annotations that can work on user model and endpoint parameters
3 participants