convert lambda security to auth mechanism

extensions/amazon-lambda-http/deployment/pom.xml

@@ -19,6 +19,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-core-deployment</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-security-deployment</artifactId>
+        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-vertx-http-deployment</artifactId>

extensions/amazon-lambda-http/deployment/src/main/java/io/quarkus/amazon/lambda/http/deployment/AmazonLambdaHttpProcessor.java

@@ -1,39 +1,39 @@
 package io.quarkus.amazon.lambda.http.deployment;
 
-import static io.quarkus.deployment.annotations.ExecutionTime.STATIC_INIT;
-
 import org.jboss.logging.Logger;
 
 import com.amazonaws.services.lambda.runtime.events.APIGatewayV2HTTPEvent;
 import com.amazonaws.services.lambda.runtime.events.APIGatewayV2HTTPResponse;
 
 import io.quarkus.amazon.lambda.deployment.LambdaUtil;
 import io.quarkus.amazon.lambda.deployment.ProvidedAmazonLambdaHandlerBuildItem;
+import io.quarkus.amazon.lambda.http.DefaultLambdaIdentityProvider;
+import io.quarkus.amazon.lambda.http.LambdaHttpAuthenticationMechanism;
 import io.quarkus.amazon.lambda.http.LambdaHttpHandler;
-import io.quarkus.amazon.lambda.http.LambdaHttpRecorder;
-import io.quarkus.amazon.lambda.http.SecurityIdentityHandler;
 import io.quarkus.amazon.lambda.http.model.Headers;
 import io.quarkus.amazon.lambda.http.model.MultiValuedTreeMap;
+import io.quarkus.arc.deployment.AdditionalBeanBuildItem;
 import io.quarkus.deployment.annotations.BuildProducer;
 import io.quarkus.deployment.annotations.BuildStep;
-import io.quarkus.deployment.annotations.Record;
 import io.quarkus.deployment.builditem.LaunchModeBuildItem;
 import io.quarkus.deployment.builditem.SystemPropertyBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
 import io.quarkus.deployment.pkg.builditem.ArtifactResultBuildItem;
 import io.quarkus.deployment.pkg.builditem.OutputTargetBuildItem;
-import io.quarkus.deployment.recording.RecorderContext;
 import io.quarkus.runtime.LaunchMode;
-import io.quarkus.vertx.http.deployment.FilterBuildItem;
 import io.quarkus.vertx.http.deployment.RequireVirtualHttpBuildItem;
 import io.vertx.core.file.impl.FileResolver;
 
 public class AmazonLambdaHttpProcessor {
     private static final Logger log = Logger.getLogger(AmazonLambdaHttpProcessor.class);
 
     @BuildStep
-    public void addSecurityFilter(BuildProducer<FilterBuildItem> filters) {
-        filters.produce(new FilterBuildItem(new SecurityIdentityHandler(), FilterBuildItem.AUTHENTICATION + 1));
+    public void setupSecurity(BuildProducer<AdditionalBeanBuildItem> additionalBeans) {
+        AdditionalBeanBuildItem.Builder builder = AdditionalBeanBuildItem.builder().setUnremovable();
+
+        builder.addBeanClass(LambdaHttpAuthenticationMechanism.class)
+                .addBeanClass(DefaultLambdaIdentityProvider.class);
+        additionalBeans.produce(builder.build());
     }
 
     @BuildStep
@@ -85,14 +85,4 @@ public void generateScripts(OutputTargetBuildItem target,
         LambdaUtil.writeFile(target, "sam.native.yaml", output);
     }
 
-    @BuildStep()
-    @Record(STATIC_INIT)
-    public void setSecurityProvider(LambdaHttpBuildTimeConfig config,
-            RecorderContext context,
-            LambdaHttpRecorder recorder) {
-        if (config.identityProvider.isPresent()) {
-            recorder.setLambdaSecurityIdentityProvider(context.newInstance(config.identityProvider.get()));
-        }
-    }
-
 }

extensions/amazon-lambda-http/runtime/pom.xml

@@ -20,6 +20,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-vertx-http</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-security</artifactId>
+        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-amazon-lambda</artifactId>

extensions/amazon-lambda-http/runtime/src/main/java/io/quarkus/amazon/lambda/http/DefaultLambdaSecurityIdentityProvider.java → extensions/amazon-lambda-http/runtime/src/main/java/io/quarkus/amazon/lambda/http/DefaultLambdaIdentityProvider.java

@@ -3,18 +3,27 @@
 import java.security.Principal;
 import java.util.Map;
 
+import javax.annotation.Priority;
+import javax.enterprise.context.ApplicationScoped;
+
 import com.amazonaws.services.lambda.runtime.events.APIGatewayV2HTTPEvent;
 
 import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.runtime.QuarkusSecurityIdentity;
+
+@ApplicationScoped
+@Priority(-1)
+public class DefaultLambdaIdentityProvider implements LambdaIdentityProvider {
 
-public class DefaultLambdaSecurityIdentityProvider implements LambdaSecurityIdentityProvider {
     @Override
-    public SecurityIdentity create(APIGatewayV2HTTPEvent event) {
+    public SecurityIdentity authenticate(APIGatewayV2HTTPEvent event) {
         Principal principal = getPrincipal(event);
-        if (principal != null) {
-            return new LambdaSecurityIdentity(principal);
+        if (principal == null) {
+            return null;
         }
-        return null;
+        QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
+        builder.setPrincipal(principal);
+        return builder.build();
     }
 
     protected Principal getPrincipal(APIGatewayV2HTTPEvent request) {

extensions/amazon-lambda-http/runtime/src/main/java/io/quarkus/amazon/lambda/http/LambdaAuthenticationRequest.java

@@ -0,0 +1,17 @@
+package io.quarkus.amazon.lambda.http;
+
+import com.amazonaws.services.lambda.runtime.events.APIGatewayV2HTTPEvent;
+
+import io.quarkus.security.identity.request.BaseAuthenticationRequest;
+
+public class LambdaAuthenticationRequest extends BaseAuthenticationRequest {
+    private APIGatewayV2HTTPEvent event;
+
+    public LambdaAuthenticationRequest(APIGatewayV2HTTPEvent event) {
+        this.event = event;
+    }
+
+    public APIGatewayV2HTTPEvent getEvent() {
+        return event;
+    }
+}

extensions/amazon-lambda-http/runtime/src/main/java/io/quarkus/amazon/lambda/http/LambdaHttpAuthenticationMechanism.java

@@ -0,0 +1,61 @@
+package io.quarkus.amazon.lambda.http;
+
+import java.util.Collections;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+
+import javax.enterprise.context.ApplicationScoped;
+
+import com.amazonaws.services.lambda.runtime.events.APIGatewayV2HTTPEvent;
+
+import io.quarkus.security.identity.IdentityProviderManager;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.identity.request.AuthenticationRequest;
+import io.quarkus.vertx.http.runtime.QuarkusHttpHeaders;
+import io.quarkus.vertx.http.runtime.security.ChallengeData;
+import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
+import io.quarkus.vertx.http.runtime.security.HttpCredentialTransport;
+import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils;
+import io.smallrye.mutiny.Uni;
+import io.vertx.core.MultiMap;
+import io.vertx.ext.web.RoutingContext;
+
+@ApplicationScoped
+public class LambdaHttpAuthenticationMechanism implements HttpAuthenticationMechanism {
+    @Override
+    public Uni<SecurityIdentity> authenticate(RoutingContext routingContext, IdentityProviderManager identityProviderManager) {
+        MultiMap qheaders = routingContext.request().headers();
+        if (qheaders instanceof QuarkusHttpHeaders) {
+            Map<Class<?>, Object> contextObjects = ((QuarkusHttpHeaders) qheaders).getContextObjects();
+            if (contextObjects.containsKey(APIGatewayV2HTTPEvent.class)) {
+                APIGatewayV2HTTPEvent event = (APIGatewayV2HTTPEvent) contextObjects.get(APIGatewayV2HTTPEvent.class);
+                Uni<SecurityIdentity> identity = identityProviderManager
+                        .authenticate(HttpSecurityUtils.setRoutingContextAttribute(
+                                new LambdaAuthenticationRequest(event), routingContext));
+                return identity;
+            }
+        }
+        return Uni.createFrom().optional(Optional.empty());
+    }
+
+    @Override
+    public Uni<Boolean> sendChallenge(RoutingContext context) {
+        return Uni.createFrom().item(false);
+    }
+
+    @Override
+    public Uni<ChallengeData> getChallenge(RoutingContext context) {
+        return Uni.createFrom().nullItem();
+    }
+
+    @Override
+    public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
+        return Collections.singleton(LambdaAuthenticationRequest.class);
+    }
+
+    @Override
+    public HttpCredentialTransport getCredentialTransport() {
+        return null;
+    }
+}

extensions/amazon-lambda-http/runtime/src/main/java/io/quarkus/amazon/lambda/http/LambdaHttpHandler.java

@@ -39,7 +39,6 @@
 import io.quarkus.amazon.lambda.http.model.Headers;
 import io.quarkus.netty.runtime.virtual.VirtualClientConnection;
 import io.quarkus.netty.runtime.virtual.VirtualResponseHandler;
-import io.quarkus.security.identity.SecurityIdentity;
 import io.quarkus.vertx.http.runtime.QuarkusHttpHeaders;
 import io.quarkus.vertx.http.runtime.VertxHttpRecorder;
 
@@ -170,10 +169,13 @@ private APIGatewayV2HTTPResponse nettyDispatch(InetSocketAddress clientAddress,
         quarkusHeaders.setContextObject(Context.class, context);
         quarkusHeaders.setContextObject(APIGatewayV2HTTPEvent.class, request);
         quarkusHeaders.setContextObject(APIGatewayV2HTTPEvent.RequestContext.class, request.getRequestContext());
-        final SecurityIdentity identity = LambdaHttpRecorder.identityProvider.create(request);
-        if (identity != null) {
-            quarkusHeaders.setContextObject(SecurityIdentity.class, identity);
-        }
+        /*
+         * final SecurityIdentity identity = LambdaHttpRecorder.identityProvider.create(request);
+         * if (identity != null) {
+         * quarkusHeaders.setContextObject(SecurityIdentity.class, identity);
+         * }
+         * 
+         */
         DefaultHttpRequest nettyRequest = new DefaultHttpRequest(HttpVersion.HTTP_1_1,
                 HttpMethod.valueOf(request.getRequestContext().getHttp().getMethod()), ofNullable(request.getRawQueryString())
                         .filter(q -> !q.isEmpty()).map(q -> request.getRawPath() + '?' + q).orElse(request.getRawPath()),

extensions/amazon-lambda-http/runtime/src/main/java/io/quarkus/amazon/lambda/http/LambdaIdentityProvider.java

@@ -0,0 +1,42 @@
+package io.quarkus.amazon.lambda.http;
+
+import java.util.Optional;
+
+import com.amazonaws.services.lambda.runtime.events.APIGatewayV2HTTPEvent;
+
+import io.quarkus.security.identity.AuthenticationRequestContext;
+import io.quarkus.security.identity.IdentityProvider;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.smallrye.mutiny.Uni;
+
+/**
+ * Helper interface that removes some boilerplate for creating
+ * an IdentityProvider that processes APIGatewayV2HTTPEvent
+ */
+public interface LambdaIdentityProvider extends IdentityProvider<LambdaAuthenticationRequest> {
+    @Override
+    default public Class<LambdaAuthenticationRequest> getRequestType() {
+        return LambdaAuthenticationRequest.class;
+    }
+
+    @Override
+    default Uni<SecurityIdentity> authenticate(LambdaAuthenticationRequest request, AuthenticationRequestContext context) {
+        APIGatewayV2HTTPEvent event = request.getEvent();
+        SecurityIdentity identity = authenticate(event);
+        if (identity == null) {
+            return Uni.createFrom().optional(Optional.empty());
+        }
+        return Uni.createFrom().item(identity);
+    }
+
+    /**
+     * Helper method that reduces some code. You can ignore if you directly override
+     * IdentityProvider.authenticate
+     *
+     * @param event
+     * @return
+     */
+    default SecurityIdentity authenticate(APIGatewayV2HTTPEvent event) {
+        return null;
+    }
+}