Keycloak Claim Information Point - NPE when trying to read body

[tpenakov]

When you try to read body through Claim Information Point the result is Null Pointer Exception.

When you add the following to your application.properties file:

quarkus.keycloak.policy-enforcer.claim-information-point.claims.claim-from-body={request.body}

And execute the post request against the endpoint /api/auth-entry

The result is:

ERROR: HTTP Request to /api/auth-entry failed, error id: d73bb86a-aa3e-40bc-9497-7683a11b1a92-1
java.lang.NullPointerException
	at io.quarkus.keycloak.pep.VertxHttpFacade$1.getInputStream(VertxHttpFacade.java:124)
	at org.keycloak.adapters.authorization.util.RequestPlaceHolderResolver.resolve(RequestPlaceHolderResolver.java:107)
	at org.keycloak.adapters.authorization.util.PlaceHolders.parsePlaceHolders(PlaceHolders.java:93)
	at org.keycloak.adapters.authorization.util.PlaceHolders.resolve(PlaceHolders.java:45)

Here is the Sample Project

You can create the quarkus realm from src/test/resources/keycloack/quarkus-realm.json file.

Then you can retrieve the token for user (alice/alice) as described here: https://quarkus.io/guides/security-keycloak-authorization

Then you have to put the token in org.otaibe.enforcer.claim.can.not.read.body.web.controller.RestControllerTest#TOKEN

If you execute the test org.otaibe.enforcer.claim.can.not.read.body.web.controller.RestControllerTest#testPostEndpoint

Then you will receive the NPE

[gsmet]

@sberyozkin @pedroigor any chance you could have a look at that one before tomorrow evening?

[pedroigor]

@gsmet Looking ...

[pedroigor]

@gsmet @tpenakov I think I'll not be able to deliver this fix until tomorrow.

Although I managed to fix the original issue so that we can properly read the request body, it is not possible to read the body again by the application. For this one, I'm stuck and I don't have yet a clue how to allow the request inputstream to be read twice (by security handlers + later on by the application).

@sberyozkin @stuartwdouglas Any clue how we can achieve this? Is there some way to buffer the inputstream and/or use a markSupported one ? Or maybe prove a wrapper for vert.x request so that we can buffer the stream ....

[pedroigor]

Regarding the original problem (NPE when obtaining the body) the cause of the exception is that the body needs to be read first by a handler (blocking). The solution I found is to reuse the VertxInputStream from Resteasy extension.

[pedroigor]

I think I have a prototype that might work. But not sure whether or not it is the best way to achieve it. Here are the changes https://github.com/quarkusio/quarkus/compare/master...pedroigor:issue-5959?expand=1.

Basically, after reading the request from the security layer, we set a buffered stream in the routing context so that later it can be reused. There is a change to Resteasy that checks whether or not the buffered stream is set and if so, uses it instead of trying to read again from the connection.

[pedroigor]

@gsmet I have tested changes from @stuartwdouglas and they will serve as a baseline for this fix. Once the PR is merged I'll apply other minor changes and we should be good.

[tpenakov]

@pedroigor - You are referring fix in Resteasy. Is this means that the fix will not going to work for Reactive Routes?

[pedroigor]

@pedroigor - You are referring fix in Resteasy. Is this means that the fix will not going to work for Reactive Routes?

I was just talking about reusing some class to fix the issue, which is part of the PR that fix this issue.

AFAIK, you should also have it working for reactive routes as per changes from Stuart.

[tpenakov]

I've just tested it with 1.1.1.Final and can confirm that is fixed.
Thank you!

[tpenakov]

@pedroigor - I need your help here :)
I've tried to add a custom ClaimInformationPointProvider. The provider is dummy and just read the request body and log it to the console. It is updated in the same sample test project.
The provider class is: org.otaibe.enforcer.claim.can.not.read.body.cip.FhirClaimInformationPointProvider
I've figured out that the correct way to read the request body and then to be able to reuse it is through
httpFacade.getRequest().getInputStream(true)
It worked fine in the sample test project, but when I've tried to port the same code in the real project it stopped to work.
The reason was:
In the test project httpFacade.getRequest().getInputStream(true) returns ByteArrayInputStream, but on the real one it returns VertxInputStream. The first one allow multiple reads, but the second one doesn't.
After a while I've managed to make my real project to work too, but this was like a magic to me :)
If I add this line to the application.properties file the body is buffered and can be read correctly:

quarkus.keycloak.policy-enforcer.claim-information-point.claims.claim-from-body={request.body}

After commented the very same line in the sample test project it stopped to work too.

I understand that this workaround with adding the line to the application.properties file will do the trick for me, but it will be great if you help me to enforce the same behavior in the correct way?

Could you please help me with that?

[vamsikrishna-VK31]

When i was using CIP for api . Request is going twice to Claim information point provider
can i know y?