KeycloakPolicyEnforcerAuthorizer should permit if authentication is n…

…ot done by OIDC
quarkusio · Mar 24, 2021 · 67f148f · 67f148f
1 parent 1b5614a
commit 67f148f
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 21 deletions.
diff --git a/...thorization/deployment/src/test/java/io/quarkus/keycloak/pep/test/PolicyEnforcerTest.java b/...thorization/deployment/src/test/java/io/quarkus/keycloak/pep/test/PolicyEnforcerTest.java
@@ -32,7 +32,8 @@ public class PolicyEnforcerTest {
                 public JavaArchive get() {
                     return ShrinkWrap.create(JavaArchive.class)
                             .addAsResource("application.properties")
-                            .addClasses(ProtectedResource.class, PublicResource.class, UsersResource.class);
+                            .addClasses(ProtectedResource.class, ProtectedResource2.class, PublicResource.class,
+                                    UsersResource.class);
                 }
             });
 

diff --git a/...thorization/deployment/src/test/java/io/quarkus/keycloak/pep/test/ProtectedResource2.java b/...thorization/deployment/src/test/java/io/quarkus/keycloak/pep/test/ProtectedResource2.java
@@ -0,0 +1,17 @@
+package io.quarkus.keycloak.pep.test;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+
+import io.quarkus.security.Authenticated;
+
+@Path("/api2/resource")
+@Authenticated
+public class ProtectedResource2 {
+
+    @GET
+    public String testResource() {
+        // This method must not be invoked
+        throw new RuntimeException();
+    }
+}
diff --git a/...ntime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.java b/...ntime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.java
@@ -19,6 +19,7 @@
 import org.keycloak.representations.adapters.config.AdapterConfig;
 import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
 
+import io.quarkus.oidc.AccessTokenCredential;
 import io.quarkus.oidc.OidcTenantConfig;
 import io.quarkus.oidc.common.runtime.OidcCommonConfig.Tls.Verification;
 import io.quarkus.security.identity.SecurityIdentity;
@@ -43,7 +44,17 @@ public Uni<CheckResult> checkPermission(RoutingContext request, Uni<SecurityIden
 
     @Override
     public CheckResult apply(RoutingContext routingContext, SecurityIdentity identity) {
-        VertxHttpFacade httpFacade = new VertxHttpFacade(routingContext,
+
+        AccessTokenCredential credential = identity.getCredential(AccessTokenCredential.class);
+
+        if (credential == null) {
+            // If SecurityIdentity has been created by the authentication mechanism other than quarkus-oidc then do not block
+            // the request.
+            return CheckResult.PERMIT;
+        }
+
+        String token = credential.getToken();
+        VertxHttpFacade httpFacade = new VertxHttpFacade(routingContext, token,
                 configBean.httpConfiguration.readTimeout.toMillis());
         AuthorizationContext result = delegate.authorize(httpFacade);
 

diff --git a/...-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/VertxHttpFacade.java b/...-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/VertxHttpFacade.java
@@ -19,11 +19,7 @@
 import org.keycloak.representations.AccessToken;
 
 import io.netty.handler.codec.http.HttpHeaderNames;
-import io.quarkus.oidc.AccessTokenCredential;
-import io.quarkus.security.credential.TokenCredential;
-import io.quarkus.security.identity.SecurityIdentity;
 import io.quarkus.vertx.http.runtime.VertxInputStream;
-import io.quarkus.vertx.http.runtime.security.QuarkusHttpUser;
 import io.vertx.core.buffer.Buffer;
 import io.vertx.core.http.HttpServerRequest;
 import io.vertx.core.http.HttpServerResponse;
@@ -35,13 +31,15 @@ public class VertxHttpFacade implements OIDCHttpFacade {
     private final Response response;
     private final RoutingContext routingContext;
     private final Request request;
+    private final String token;
     private final long readTimeout;
 
-    public VertxHttpFacade(RoutingContext routingContext, long readTimeout) {
+    public VertxHttpFacade(RoutingContext routingContext, String token, long readTimeout) {
         this.routingContext = routingContext;
+        this.token = token;
         this.readTimeout = readTimeout;
-        request = createRequest(routingContext);
-        response = createResponse(routingContext);
+        this.request = createRequest(routingContext);
+        this.response = createResponse(routingContext);
     }
 
     @Override
@@ -222,18 +220,6 @@ public void end() {
 
     @Override
     public KeycloakSecurityContext getSecurityContext() {
-        SecurityIdentity identity = QuarkusHttpUser.getSecurityIdentityBlocking(routingContext, null);
-        if (identity == null) {
-            return null;
-        }
-        TokenCredential credential = identity.getCredential(AccessTokenCredential.class);
-
-        if (credential == null) {
-            return null;
-        }
-
-        String token = credential.getToken();
-
         try {
             return new KeycloakSecurityContext(token, new JWSInput(token).readJsonContent(AccessToken.class), null, null);
         } catch (JWSInputException e) {

diff --git a/...tests/keycloak-authorization/src/main/java/io/quarkus/it/keycloak/ProtectedResource2.java b/...tests/keycloak-authorization/src/main/java/io/quarkus/it/keycloak/ProtectedResource2.java
@@ -0,0 +1,17 @@
+package io.quarkus.it.keycloak;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+
+import io.quarkus.security.Authenticated;
+
+@Path("/api2/resource")
+@Authenticated
+public class ProtectedResource2 {
+
+    @GET
+    public String testResource() {
+        // This method must not be invoked
+        throw new RuntimeException();
+    }
+}