From d44fa875749c91753ad9eebcf36bc7c3e6be87f4 Mon Sep 17 00:00:00 2001
From: Stuart Douglas
Date: Wed, 13 Oct 2021 18:04:40 +1100
Subject: [PATCH] Make sure to resume request when challenging

Fixes #20193
---
.../AbstractRolesAllowedTestCase.java | 19 +++++++++++++++++++
.../RolesAllowedLazyAuthTestCase.java | 1 +
.../http/security/RolesAllowedTestCase.java | 1 +
.../runtime/security/HttpAuthenticator.java | 4 ++++
4 files changed, 25 insertions(+)

diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/AbstractRolesAllowedTestCase.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/AbstractRolesAllowedTestCase.java
index d1eb8c66e563b..d786e2873a722 100644
--- a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/AbstractRolesAllowedTestCase.java
+++ b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/AbstractRolesAllowedTestCase.java
@@ -240,4 +240,23 @@ public void testWildcardMatchingWithoutSlash() {
 .assertThat()
 .statusCode(401);
 }
+
+ @Test
+ public void testLargeBodyRejected() {
+
+ StringBuilder sb = new StringBuilder("HELLO WORLD");
+ for (int i = 0; i < 20; ++i) {
+ sb.append(sb);
+ }
+ for (int i = 0; i < 10; ++i) {
+ RestAssured
+ .given()
+ .body(sb.toString())
+ .post("/roles1")
+ .then()
+ .assertThat()
+ .statusCode(401);
+ }
+
+ }
 }
diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/RolesAllowedLazyAuthTestCase.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/RolesAllowedLazyAuthTestCase.java
index 92728c43150d8..fb01c0faa25e4 100644
--- a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/RolesAllowedLazyAuthTestCase.java
+++ b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/RolesAllowedLazyAuthTestCase.java
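Review bot: testLargeBodyRejected, added at the end of AbstractRolesAllowedTestCase, carries no timeout, so if a challenge once again leaves the request body unconsumed the second POST on the stalled keep-alive connection would most likely hang the build instead of failing, which is the opposite of what a regression test for a hang should do; a JUnit 5 `@Timeout(value = 60, unit = TimeUnit.SECONDS)` on the method (or a RestAssured socket/connection timeout) turns that into a failure. The intent also deserves a comment, since nothing in the body says why ten identical unauthenticated POSTs of a large payload are sent: `// regression test for #20193: a challenged request must have its body drained, otherwise the connection stalls and later requests never get a response`. The twenty self-appends of "HELLO WORLD" produce 11 * 2^20 bytes (about 11 MB), presumably above the default body limit, which is why the sibling test configs raise quarkus.http.limits.max-body-size to 100m — stating that relation in the comment keeps the two from drifting apart. Minor: `String body = sb.toString();` hoisted above the loop avoids copying the 11 MB string on every iteration.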
@@ -19,6 +19,7 @@ public class RolesAllowedLazyAuthTestCase extends AbstractRolesAllowedTestCase {
 private static final String APP_PROPS = "" +
 "quarkus.http.auth.basic=true\n" +
+ "quarkus.http.limits.max-body-size=100m\n" +
 "quarkus.http.auth.policy.r1.roles-allowed=test\n" +
 "quarkus.http.auth.policy.r2.roles-allowed=admin\n" +
 "quarkus.http.auth.permission.roles1.paths=/roles1,/deny,/permit,/combined,/wildcard1/*,/wildcard2*\n" +
diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/RolesAllowedTestCase.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/RolesAllowedTestCase.java
index 5f2fad2e21769..92db42d6dcc32 100644
--- a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/RolesAllowedTestCase.java
+++ b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/RolesAllowedTestCase.java
@@ -19,6 +19,7 @@ public class RolesAllowedTestCase extends AbstractRolesAllowedTestCase {
 private static final String APP_PROPS = "" +
 "quarkus.http.auth.basic=true\n" +
+ "quarkus.http.limits.max-body-size=100m\n" +
 "quarkus.http.auth.policy.r1.roles-allowed=test\n" +
 "quarkus.http.auth.policy.r2.roles-allowed=admin\n" +
 "quarkus.http.auth.permission.roles1.paths=/roles1,/deny,/permit,/combined,/wildcard1/*,/wildcard2*\n" +
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpAuthenticator.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpAuthenticator.java
index 86e8d38578616..73c252b4f5969 100644
--- a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpAuthenticator.java
+++ b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpAuthenticator.java
@@ -140,6 +140,10 @@ public Uni apply(SecurityIdentity data) {
 * @return
 */
 public Uni sendChallenge(RoutingContext routingContext) {
+ //we want to consume any body content if present
+ //challenges won't read the body, and if we don't consume
+ //things can get stuck
+ routingContext.request().resume();
 Uni result = null;
 HttpAuthenticationMechanism matchingMech = routingContext.get(HttpAuthenticationMechanism.class.getName());