Add annotation to allow using custom CDI bean methods as permission checkers #43846
903b9f0 to 793a99f
Thanks @michalvavrik, sorry for the delay, will start looking tomorrow, need to sign off now
no worry, if don't have API anyway (I run all the related tests locally, so I don't expect CI issues), take your time, this won't be easy to review even though this PR consists mostly of tests
793a99f to 484114f
This is going to be a massive feature, thanks @michalvavrik
@michalvavrik Can I suggest to update the subject a bit to highlight it, something like
484114f to 9441bea
@PermissionChecker
annotation
Changed PR title and fixed the QuarkusPermission javadoc.
Status for workflow

Status | Name | Step | Failures | Logs | Raw logs | Build scan |
---|---|---|---|---|---|---|
✖ | Initial JDK 17 Build | Populate the cache | Failures | Logs | Raw logs | 🚧 |
Failures
⚙️ Initial JDK 17 Build
- Failing: extensions/security/runtime-spi extensions/security/spi extensions/websockets/client/runtime
! Skipped: devtools/bom-descriptor-json devtools/cli docs and 571 more
📦 extensions/security/runtime-spi
✖ Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.6.1:go-offline (default-cli) on project quarkus-security-runtime-spi: org.eclipse.aether.resolution.DependencyResolutionException: The following artifacts could not be resolved: io.quarkus.security:quarkus-security:jar:2.1.1-SNAPSHOT (absent): Could not find artifact io.quarkus.security:quarkus-security:jar:2.1.1-SNAPSHOT
📦 extensions/security/spi
✖ Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.6.1:go-offline (default-cli) on project quarkus-security-spi: org.eclipse.aether.resolution.DependencyResolutionException: The following artifacts could not be resolved: io.quarkus.security:quarkus-security:jar:2.1.1-SNAPSHOT (absent): Could not find artifact io.quarkus.security:quarkus-security:jar:2.1.1-SNAPSHOT
📦 extensions/websockets/client/runtime
✖ Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.6.1:go-offline (default-cli) on project quarkus-websockets-client: org.eclipse.aether.resolution.DependencyResolutionException: The following artifacts could not be resolved: io.quarkus.security:quarkus-security:jar:2.1.1-SNAPSHOT (absent): Could not find artifact io.quarkus.security:quarkus-security:jar:2.1.1-SNAPSHOT
Status for workflow

Status | Name | Step | Failures | Logs | Raw logs | Build scan |
---|---|---|---|---|---|---|
✖ | Documentation Build | Build | | Logs | Raw logs | 🚧 |
I didn't check the code, just the docs, but the feature is great :)
} | ||
} | ||
---- | ||
<1> Permission required to access the `ProjectResource#renameProject` is the `rename-project` permission. |
<1> Permission required to access the `ProjectResource#renameProject` is the `rename-project` permission. | |
<1> The permission required to access the `ProjectResource#renameProject` is the `rename-project` permission. |
} | ||
---- | ||
<1> Permission required to access the `ProjectResource#renameProject` is the `rename-project` permission. | ||
<2> The `ProjectResource#canRenameProject` method authorize access to the `ProjectResource#renameProject` endpoint. |
<2> The `ProjectResource#canRenameProject` method authorize access to the `ProjectResource#renameProject` endpoint. | |
<2> The `ProjectResource#canRenameProject` method authorizes access to the `ProjectResource#renameProject` endpoint. |
@@ -1155,47 +1225,31 @@ public class SimpleBeanParam { | |||
<3> The `customAuthorizationHeader` field is not public, therefore Quarkus access this field with the `customAuthorizationHeader` accessor. | |||
That is particularly useful with Java records, where generated accessors are not prefixed with `get`. | |||
|
|||
Here is an example of the `BeanParamPermission` permission that checks user principal, custom header and query parameter: | |||
Here is an example of a `@PermissionChecker` method that checks `say-hello` permission based on a user principal, custom header and query parameter: |
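Review bot: in the unchanged callout <3> line of this hunk, "therefore Quarkus access this field" should read "accesses"; it is worth fixing while this paragraph is being touched. On the added sentence, the checker is described as deciding on a user principal, a custom header and a query parameter; the last two are values supplied with the request, so consider saying that next to the example so readers do not treat them as equivalent to the authenticated principal.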
Here is an example of a `@PermissionChecker` method that checks `say-hello` permission based on a user principal, custom header and query parameter: | |
Here is an example of a `@PermissionChecker` method that checks the `say-hello` permission based on a user principal, custom header and query parameter: |
Hi @cescoffier, @gsmet, please review this PR, here there will be a few more validators put in place to avoid some possible user errors.
This PR is ready for review, however CI cannot run until quarkusio/quarkus-security#56 is merged and Quarkus Security API is released and bumped in the Quarkus project.