Elytron-security support for Database Identity Store

bom/deployment/pom.xml

@@ -476,6 +476,11 @@
                 <artifactId>quarkus-test-maven</artifactId>
                 <version>${project.version}</version>
             </dependency>
+            <dependency>
+                <groupId>io.quarkus</groupId>
+                <artifactId>quarkus-elytron-security-jdbc-deployment</artifactId>
+                <version>${project.version}</version>
+            </dependency>
 
         </dependencies>
     </dependencyManagement>

bom/runtime/pom.xml

@@ -1666,6 +1666,11 @@
                 <artifactId>wildfly-elytron-realm-token</artifactId>
                 <version>${wildfly-elytron.version}</version>
             </dependency>
+            <dependency>
+              <groupId>org.wildfly.security</groupId>
+              <artifactId>wildfly-elytron-realm-jdbc</artifactId>
+              <version>${wildfly-elytron.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.wildfly.security</groupId>
                 <artifactId>wildfly-elytron-ssl</artifactId>
@@ -2350,6 +2355,11 @@
                     </exclusion>
                 </exclusions>
             </dependency>
+            <dependency>
+                <groupId>io.quarkus</groupId>
+                <artifactId>quarkus-elytron-security-jdbc</artifactId>
+                <version>${project.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 </project>

extensions/elytron-security-jdbc/deployment/pom.xml

@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>io.quarkus</groupId>
+        <artifactId>quarkus-elytron-security-jdbc-parent</artifactId>
+        <version>999-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+
+    <artifactId>quarkus-elytron-security-jdbc-deployment</artifactId>
+    <name>Quarkus - Elytron Security Jdbc - Deployment</name>
+
+    <dependencies>
+        <dependency>
+           <groupId>io.quarkus</groupId>
+           <artifactId>quarkus-elytron-security-jdbc</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-core-deployment</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-elytron-security-deployment</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-agroal-deployment</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-junit5-internal</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.rest-assured</groupId>
+            <artifactId>rest-assured</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-test-h2</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <annotationProcessorPaths>
+                        <path>
+                            <groupId>io.quarkus</groupId>
+                            <artifactId>quarkus-extension-processor</artifactId>
+                            <version>${project.version}</version>
+                        </path>
+                    </annotationProcessorPaths>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>

extensions/elytron-security-jdbc/deployment/src/main/java/io/quarkus/elytron/security/jdbc/deployment/ElytronSecurityJdbcProcessor.java

@@ -0,0 +1,53 @@
+package io.quarkus.elytron.security.jdbc.deployment;
+
+import java.util.Optional;
+
+import org.wildfly.security.auth.server.SecurityRealm;
+
+import io.quarkus.agroal.deployment.DataSourceInitializedBuildItem;
+import io.quarkus.deployment.annotations.BuildProducer;
+import io.quarkus.deployment.annotations.BuildStep;
+import io.quarkus.deployment.annotations.ExecutionTime;
+import io.quarkus.deployment.annotations.Record;
+import io.quarkus.deployment.builditem.FeatureBuildItem;
+import io.quarkus.elytron.security.deployment.SecurityRealmBuildItem;
+import io.quarkus.elytron.security.jdbc.JdbcRecorder;
+import io.quarkus.elytron.security.jdbc.JdbcSecurityRealmConfig;
+import io.quarkus.runtime.RuntimeValue;
+
+class ElytronSecurityJdbcProcessor {
+
+    private static final String FEATURE = "elytron-security-jdbc";
+
+    JdbcSecurityRealmConfig jdbc;
+
+    @BuildStep(providesCapabilities = "io.quarkus.elytron.security.jdbc")
+    FeatureBuildItem feature() {
+        return new FeatureBuildItem(FEATURE);
+    }
+
+    /**
+     * Check to see if a JdbcRealmConfig was specified and enabled and create a
+     * {@linkplain org.wildfly.security.auth.realm.JdbcSecurityRealmConfig}
+     * runtime value to process the user/roles properties files. This also registers the names of the user/roles properties
+     * files
+     * to include the build artifact.
+     *
+     * @param recorder - runtime security recorder
+     * @param securityRealm - the producer factory for the SecurityRealmBuildItem
+     *        // * @param beanContainer - ensure CDI bean container is ready
+     * @param dataSourceInitialized - ensure that Agroal DataSource is initialized first
+     * @throws Exception - on any failure
+     */
+    @BuildStep
+    @Record(ExecutionTime.STATIC_INIT)
+    void configureJdbcRealmAuthConfig(JdbcRecorder recorder,
+            BuildProducer<SecurityRealmBuildItem> securityRealm,
+            Optional<DataSourceInitializedBuildItem> dataSourceInitialized) throws Exception {
+        if (jdbc.enabled) {
+            RuntimeValue<SecurityRealm> realm = recorder.createRealm(jdbc);
+            securityRealm.produce(new SecurityRealmBuildItem(realm, jdbc.realmName, null));
+        }
+    }
+
+}

extensions/elytron-security-jdbc/deployment/src/test/java/io/quarkus/elytron/security/jdbc/BcryptPasswordMapperTest.java

@@ -0,0 +1,17 @@
+package io.quarkus.elytron.security.jdbc;
+
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.JavaArchive;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+
+public class BcryptPasswordMapperTest extends JdbcSecurityRealmTest {
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class)
+                    .addClasses(testClasses)
+                    .addAsResource("bcrypt-password-mapper/application.properties", "application.properties"));
+
+}

extensions/elytron-security-jdbc/deployment/src/test/java/io/quarkus/elytron/security/jdbc/CustomRoleDecoder.java

@@ -0,0 +1,28 @@
+package io.quarkus.elytron.security.jdbc;
+
+import java.util.HashSet;
+import java.util.Set;
+import java.util.stream.StreamSupport;
+
+import javax.enterprise.context.ApplicationScoped;
+
+import org.wildfly.security.authz.Attributes;
+import org.wildfly.security.authz.AuthorizationIdentity;
+import org.wildfly.security.authz.RoleDecoder;
+import org.wildfly.security.authz.Roles;
+
+@ApplicationScoped
+public class CustomRoleDecoder implements RoleDecoder {
+
+    @Override
+    public Roles decodeRoles(AuthorizationIdentity authorizationIdentity) {
+        Attributes.Entry groupsEntry = authorizationIdentity.getAttributes().get("groups");
+        Set<String> roles = new HashSet<>();
+        StreamSupport.stream(groupsEntry.spliterator(), false).forEach(groups -> {
+            for (String role : groups.split(",")) {
+                roles.add(role.trim());
+            }
+        });
+        return Roles.fromSet(roles);
+    }
+}

extensions/elytron-security-jdbc/deployment/src/test/java/io/quarkus/elytron/security/jdbc/CustomRoleDecoderTest.java

@@ -0,0 +1,24 @@
+package io.quarkus.elytron.security.jdbc;
+
+import java.util.Arrays;
+import java.util.stream.Stream;
+
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.JavaArchive;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+
+public class CustomRoleDecoderTest extends JdbcSecurityRealmTest {
+
+    static Class[] testClassesWithCustomRoleDecoder = Stream.concat(
+            Arrays.stream(testClasses),
+            Arrays.stream(new Class[] { CustomRoleDecoder.class })).toArray(Class[]::new);
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class)
+                    .addClasses(testClassesWithCustomRoleDecoder)
+                    .addAsResource("custom-role-decoder/application.properties", "application.properties"));
+
+}

extensions/elytron-security-jdbc/deployment/src/test/java/io/quarkus/elytron/security/jdbc/JdbcSecurityRealmTest.java

@@ -0,0 +1,143 @@
+package io.quarkus.elytron.security.jdbc;
+
+import static org.hamcrest.Matchers.equalTo;
+
+import org.junit.jupiter.api.Test;
+
+import io.restassured.RestAssured;
+
+/**
+ * Tests of BASIC authentication mechanism with the minimal config required
+ */
+public abstract class JdbcSecurityRealmTest {
+
+    protected static Class[] testClasses = {
+            SingleRoleSecuredServlet.class, TestApplication.class, RolesEndpointClassLevel.class,
+            ParametrizedPathsResource.class, SubjectExposingResource.class
+    };
+
+    // Basic @ServletSecurity tests
+    @Test()
+    public void testSecureAccessFailure() {
+        RestAssured.when().get("/servlet-secured").then()
+                .statusCode(401);
+    }
+
+    @Test()
+    public void testSecureRoleFailure() {
+        RestAssured.given().auth().preemptive().basic("noRoleUser", "noRoleUser")
+                .when().get("/servlet-secured").then()
+                .statusCode(403);
+    }
+
+    @Test()
+    public void testSecureAccessSuccess() {
+        RestAssured.given().auth().preemptive().basic("user", "user")
+                .when().get("/servlet-secured").then()
+                .statusCode(200);
+    }
+
+    /**
+     * Test access a secured jaxrs resource without any authentication. should see 401 error code.
+     */
+    @Test
+    public void testJaxrsGetFailure() {
+        RestAssured.when().get("/jaxrs-secured/roles-class").then()
+                .statusCode(401);
+    }
+
+    /**
+     * Test access a secured jaxrs resource with authentication, but no authorization. should see 403 error code.
+     */
+    @Test
+    public void testJaxrsGetRoleFailure() {
+        RestAssured.given().auth().preemptive().basic("noRoleUser", "noRoleUser")
+                .when().get("/jaxrs-secured/roles-class").then()
+                .statusCode(403);
+    }
+
+    /**
+     * Test access a secured jaxrs resource with authentication, and authorization. should see 200 success code.
+     */
+    @Test
+    public void testJaxrsGetRoleSuccess() {
+        RestAssured.given().auth().preemptive().basic("user", "user")
+                .when().get("/jaxrs-secured/roles-class").then()
+                .statusCode(200);
+    }
+
+    /**
+     * Test access a secured jaxrs resource with authentication, and authorization. should see 200 success code.
+     */
+    @Test
+    public void testJaxrsPathAdminRoleSuccess() {
+        RestAssured.given().auth().preemptive().basic("admin", "admin")
+                .when().get("/jaxrs-secured/parameterized-paths/my/banking/admin").then()
+                .statusCode(200);
+    }
+
+    @Test
+    public void testJaxrsPathAdminRoleFailure() {
+        RestAssured.given().auth().preemptive().basic("user", "user")
+                .when().get("/jaxrs-secured/parameterized-paths/my/banking/admin").then()
+                .statusCode(403);
+    }
+
+    /**
+     * Test access a secured jaxrs resource with authentication, and authorization. should see 200 success code.
+     */
+    @Test
+    public void testJaxrsPathUserRoleSuccess() {
+        RestAssured.given().auth().preemptive().basic("user", "user")
+                .when().get("/jaxrs-secured/parameterized-paths/my/banking/view").then()
+                .statusCode(200);
+    }
+
+    /**
+     * Test access a secured jaxrs resource with authentication, and authorization. should see 200 success code.
+     */
+    @Test
+    public void testJaxrsUserRoleSuccess() {
+        RestAssured.given().auth().preemptive().basic("user", "user")
+                .when().get("/jaxrs-secured/subject/secured").then()
+                .statusCode(200)
+                .body(equalTo("user"));
+    }
+
+    @Test
+    public void testJaxrsInjectedPrincipalSuccess() {
+        RestAssured.given().auth().preemptive().basic("user", "user")
+                .when().get("/jaxrs-secured/subject/principal-secured").then()
+                .statusCode(200)
+                .body(equalTo("user"));
+    }
+
+    /**
+     * Test access a @PermitAll secured jaxrs resource without any authentication. should see a 200 success code.
+     */
+    @Test
+    public void testJaxrsGetPermitAll() {
+        RestAssured.when().get("/jaxrs-secured/subject/unsecured").then()
+                .statusCode(200)
+                .body(equalTo("anonymous"));
+    }
+
+    /**
+     * Test access a @DenyAll secured jaxrs resource without authentication. should see a 401 success code.
+     */
+    @Test
+    public void testJaxrsGetDenyAllWithoutAuth() {
+        RestAssured.when().get("/jaxrs-secured/subject/denied").then()
+                .statusCode(401);
+    }
+
+    /**
+     * Test access a @DenyAll secured jaxrs resource with authentication. should see a 403 success code.
+     */
+    @Test
+    public void testJaxrsGetDenyAllWithAuth() {
+        RestAssured.given().auth().preemptive().basic("user", "user")
+                .when().get("/jaxrs-secured/subject/denied").then()
+                .statusCode(403);
+    }
+}

extensions/elytron-security-jdbc/deployment/src/test/java/io/quarkus/elytron/security/jdbc/MinimalConfigurationTest.java

@@ -0,0 +1,17 @@
+package io.quarkus.elytron.security.jdbc;
+
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.JavaArchive;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+
+public class MinimalConfigurationTest extends JdbcSecurityRealmTest {
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class)
+                    .addClasses(testClasses)
+                    .addAsResource("minimal-config/application.properties", "application.properties"));
+
+}