Support for disabling security providers through configuration. (#8521)…
… (#8547)

(cherry picked from commit 4f6bf0d)
Signed-off-by: Tomas Langer <[email protected]>
tomas-langer authored Mar 25, 2024
1 parent 3a7250f commit e291ace
Showing 9 changed files with 262 additions and 2 deletions.
11 changes: 10 additions & 1 deletion docs/se/security/01_introduction.adoc
@@ -1,6 +1,6 @@
///////////////////////////////////////////////////////////////////////////////

Copyright (c) 2018, 2021 Oracle and/or its affiliates.
Copyright (c) 2018, 2024 Oracle and/or its affiliates.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -61,6 +61,8 @@ Helidon Security provides the following features
logger called "AUDIT" (may be overridden through configuration). AuditProvider
SPI may be implemented to support other auditing options.
Each feature is implemented with the help of "xref:providers.adoc[Security Providers]".
Security module is quite HTTP centric (as most common use cases are related to
HTTP REST), though it is not HTTP specific (the security module may be used to
secure even other transports, such as JMS, Kafka messages etc. if an appropriate
Expand Down Expand Up @@ -136,6 +138,13 @@ See <<_tools,Secure config>> for details about encrypting passwords in
Security security = Security.create(config);
----
As mentioned above, security features are implemented through providers, which are configured under key
`security.providers`. Each element of the list is one security provider. The key of the provider must match
its config key (as documented in xref:providers.adoc[Security Providers] for each supported provider).
A key `enabled` can be used for each provider to provide fine control of which providers are enabled/disabled, for example
to support different setup in testing and in production environments.
[source,yaml]
.Security from configuration - application.yaml
----
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2022 Oracle and/or its affiliates.
* Copyright (c) 2018, 2024 Oracle and/or its affiliates.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -38,6 +38,7 @@
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;

Expand Down Expand Up @@ -1294,6 +1295,22 @@ private void providerFromConfig(Map<String, SecurityProviderService> configKeyTo
Map<String, SecurityProviderService> classNameToService,
String knownKeys,
Config pConf) {
boolean enabled = pConf.get("enabled").asBoolean().orElse(true);
if (!enabled) {
// this provider is marked as disabled, we will ignore it
// this is checking the top level provider configuration (see below check for provider specific)
// this section check (example):
/*
security.providers:
- type: "some-type
enabled: false
*/
if (LOGGER.isLoggable(Level.FINEST)) {
LOGGER.finest("Provider with key: " + pConf.key() + " is disabled");
}
return;
}

AtomicReference<SecurityProviderService> service = new AtomicReference<>();
AtomicReference<Config> providerSpecific = new AtomicReference<>();

Expand Down Expand Up @@ -1323,6 +1340,26 @@ private void providerFromConfig(Map<String, SecurityProviderService> configKeyTo
}

String name = resolveProviderName(pConf, className, providerSpecificConfig, providerService);

if (providerSpecificConfig != null && !providerSpecificConfig.get("enabled")
.asBoolean()
.orElse(true)) {
// this provider is marked as disabled, we will ignore it
// this is within the provider specific configuration, to support both simple lists (checked above)
// and nested provider configuration; this section check (example):
/*
security.providers:
- oidc:
enabled: false
*/

if (LOGGER.isLoggable(Level.FINEST)) {
LOGGER.finest("Provider: " + name + " is disabled");
}

return;
}

boolean isAuthn = pConf.get("is-authentication-provider").asBoolean().orElse(true);
boolean isAuthz = pConf.get("is-authorization-provider").asBoolean().orElse(true);
boolean isClientSec = pConf.get("is-client-security-provider").asBoolean().orElse(true);
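Review bot: Both disabled-provider branches in providerFromConfig (the top-level `enabled` check in the first hunk and the provider-specific check just before `boolean isAuthn`) report the skipped provider only at FINEST, which is off in virtually every production logging setup; since `enabled: false` silently removes an authentication or authorization provider from the chain, an operator reading the logs has no trace that a protection was switched off. I would emit that fact unconditionally at INFO, e.g. `LOGGER.info("Security provider " + name + " is disabled through configuration");` in this hunk and the equivalent with `pConf.key()` in the first one, and keep the FINEST guard only for extra detail. The YAML example in the first hunk's comment has an unbalanced quote, `- type: "some-type`. providerFromConfig starts before the first hunk and continues past the end of this one.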
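--- a/tests/integration/mp-gh-8495/pom.xml
+++ b/tests/integration/mp-gh-8495/pom.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Copyright (c) 2024 Oracle and/or its affiliates.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+<parent>
+<groupId>io.helidon.tests.integration</groupId>
+<artifactId>helidon-tests-integration</artifactId>
+<version>2.6.7-SNAPSHOT</version>
+</parent>
+<modelVersion>4.0.0</modelVersion>
+
+<artifactId>helidon-tests-integration-mp-gh-8495</artifactId>
+<name>Helidon Tests Integration MP GH 8495</name>
+<description>Reproducer for Github issue #8495 - SecurityCdiExtension fails with Oidc</description>
+
+<dependencies>
+<dependency>
+<groupId>io.helidon.microprofile.server</groupId>
+<artifactId>helidon-microprofile-server</artifactId>
+</dependency>
+<dependency>
+<groupId>io.helidon.microprofile</groupId>
+<artifactId>helidon-microprofile-oidc</artifactId>
+</dependency>
+<dependency>
+<groupId>io.helidon.microprofile</groupId>
+<artifactId>helidon-microprofile-security</artifactId>
+</dependency>
+<dependency>
+<groupId>io.helidon.logging</groupId>
+<artifactId>helidon-logging-jul</artifactId>
+<scope>runtime</scope>
+</dependency>
+
+<dependency>
+<groupId>org.junit.jupiter</groupId>
+<artifactId>junit-jupiter-api</artifactId>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.hamcrest</groupId>
+<artifactId>hamcrest-all</artifactId>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>io.helidon.microprofile.tests</groupId>
+<artifactId>helidon-microprofile-tests-junit5</artifactId>
+<scope>test</scope>
+</dependency>
+</dependencies>
+</project>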
@@ -0,0 +1,31 @@
/*
* Copyright (c) 2024 Oracle and/or its affiliates.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package io.helidon.tests.integration.gh8495;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/greet")
public class Gh8495Resource {
@GET
@Produces(MediaType.TEXT_PLAIN)
public String getDefaultMessage() {
return "Hello World!";
}
}
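--- a/tests/integration/mp-gh-8495/src/main/resources/META-INF/beans.xml
+++ b/tests/integration/mp-gh-8495/src/main/resources/META-INF/beans.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Copyright (c) 2024 Oracle and/or its affiliates.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<beans xmlns="https://jakarta.ee/xml/ns/jakartaee"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee
+https://jakarta.ee/xml/ns/jakartaee/beans_4_0.xsd"
+version="4.0"
+bean-discovery-mode="annotated">
+</beans>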
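--- a/tests/integration/mp-gh-8495/src/main/resources/application.yaml
+++ b/tests/integration/mp-gh-8495/src/main/resources/application.yaml
@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2024 Oracle and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+security:
+providers:
+- oidc:
+enabled: false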
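--- a/tests/integration/mp-gh-8495/src/main/resources/logging.properties
+++ b/tests/integration/mp-gh-8495/src/main/resources/logging.properties
@@ -0,0 +1,23 @@
+#
+# Copyright (c) 2024 Oracle and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+handlers=io.helidon.logging.jul.HelidonConsoleHandler
+java.util.logging.SimpleFormatter.format=%1$tY.%1$tm.%1$td %1$tH:%1$tM:%1$tS %4$s %3$s !thread!: %5$s%6$s%n
+
+.level=WARNING
+
+io.helidon.level=INFO
+io.helidon.security.level=FINEST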
@@ -0,0 +1,46 @@
/*
* Copyright (c) 2024 Oracle and/or its affiliates.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package io.helidon.tests.integration.gh8495;

import io.helidon.microprofile.tests.junit5.HelidonTest;
import org.junit.jupiter.api.Test;

import javax.inject.Inject;
import javax.ws.rs.client.WebTarget;

import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.MatcherAssert.assertThat;

@HelidonTest
public class Gh8495Test {
private final WebTarget target;

@Inject
public Gh8495Test(WebTarget target) {
this.target = target;
}

@Test
public void testServerStarted() {
String response = target
.path("/greet")
.request()
.get(String.class);

assertThat(response, is("Hello World!"));
}
}
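Review bot: `testServerStarted` only proves that the container boots with `oidc.enabled: false` in application.yaml and that `/greet` answers; it does not assert that the OIDC provider was actually left out of the security chain, so a regression that ignored the flag but happened not to break startup would still pass. If the running `Security` instance can be injected into this test and its providers inspected, an additional assertion that no OIDC provider is registered would pin the behaviour this reproducer exists to guard; I have not verified that such an accessor is available in this version.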
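--- a/tests/integration/pom.xml
+++ b/tests/integration/pom.xml
@@ -51,6 +51,7 @@
 <module>mp-gh-4123</module>
 <module>mp-gh-4654</module>
 <module>mp-gh-8478</module>
+<module>mp-gh-8495</module>
 <module>kafka</module>
 <module>jms</module>
 <module>config</module>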
