Move Keycloak Authorization Enforcer Tenant config to runtime and improve usability with aggregated policy enforcer paths

[michalvavrik]

• closes: Quarkus keycloak authorization usability improvements. #14851
• one of prerequisities for: Support the dynamic KeycloakPolicyEnforcerAuthorizer tenants #17664

Changes:

• move tenant config to runtime as we already create them at runtime and do not leverage tenat knowledge at build time. Dynamic tenants will also be created at runtime. Experience from HTTP permissions says some users want to configure similar stuff during runtime, for which reason we moved them to the runtime. No Quarkiverse extension uses this extension https://mvnrepository.com/artifact/io.quarkus/quarkus-keycloak-authorization/usages therefore we are unlikely to break things
• allow to specify more than one path per enforcer (usability improvement - Quarkus keycloak authorization usability improvements. #14851)
• fixes documentation statement, paths are not relative to the application context if that means HTTP app / non-app root path. if original note means something else, it's not descriptive enough as it confused at least one user Quarkus keycloak authorization usability improvements. #14851 (comment) (plus me)

[github-actions]

🙈 The PR is closed and the preview is expired.

[michalvavrik]

ad integration-tests/oidc-client failure - failed over pulling docker image, not related

[michalvavrik]

As said failures not related, but I've rebased on current main to (hopefully) get green CI. No other changes.

[michalvavrik]

cc @pedroigor

[sberyozkin]

LGTM. But would like @pedroigor to have a look

[sberyozkin]

Hi @pedroigor, Michal's clarification re the body handler makes sense IMHO, so should be a safe update, with the tests passing

[sberyozkin]

@michalvavrik Quick question, did you replace all occurrences of .path with .paths ? If yes, then I think we should keep at least one test keeping testing this deprecated property

[michalvavrik]

@michalvavrik Quick question, did you replace all occurrences of .path with .paths ? If yes, then I think we should keep at least one test keeping testing this deprecated property

I made changes, rerun tests without adjustments to be sure it works and then I replaced all the occurrences. So I know it works at this moment. You are right, I'll revert at least one of them now.

[michalvavrik]

Done.

[quarkus-bot]

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit ff4f116.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

⚠️ There are other workflow runs running, you probably need to wait for their status before merging.

[quarkus-bot]

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit ff4f116.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

[cescoffier]

This PR is not valid - it has a risk to register multiple body handlers.

[cescoffier]

@sberyozkin @michalvavrik can you please amend it or revert it?

[michalvavrik]

@sberyozkin @michalvavrik can you please amend it or revert it?

yes, but I'm just finishing PR that depends on this, hence I'd like to understand first. but sure, let's do it.

This PR is not valid - it has a risk to register multiple body handlers.

can you give some info how that will happen, please? I don't understand how situation has changed

[michalvavrik]

btw I'd like instead of reverting to provide alternative solution because changes here are important for dynamic config resolver

[michalvavrik]

@cescoffier I re-read changes and I am still missing how situation has changed in regards of multiple-times registering body handler. Could you please give me a hint so that I can fix it? Thank you

[cescoffier]

You iterate over your supplier - if multiple return yes, you will register the body handler twice

[cescoffier]

Ah there is break statement I didn't catch.

[michalvavrik]

Yep. Thanks for checking the PR.

[cescoffier]

When you change that class make sure you ask me to review. Typically, having an array is not homogeneous.

[michalvavrik]

When you change that class make sure you ask me to review. Typically, having an array is not homogeneous.

Understood, will do that in the future.