All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.helidon.microprofile.security.SecurityCdiExtension Maven / Gradle / Ivy

/*
 * Copyright (c) 2019, 2023 Oracle and/or its affiliates.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package io.helidon.microprofile.security;

import java.lang.System.Logger.Level;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicReference;

import io.helidon.common.context.Contexts;
import io.helidon.config.Config;
import io.helidon.microprofile.cdi.RuntimeStart;
import io.helidon.microprofile.server.JaxRsCdiExtension;
import io.helidon.microprofile.server.ServerCdiExtension;
import io.helidon.security.AuthenticationResponse;
import io.helidon.security.ProviderRequest;
import io.helidon.security.Security;
import io.helidon.security.providers.abac.AbacProvider;
import io.helidon.security.spi.AuthenticationProvider;
import io.helidon.security.spi.AuthorizationProvider;
import io.helidon.webserver.security.SecurityFeature;
import io.helidon.webserver.security.SecurityFeatureConfig;

import jakarta.annotation.Priority;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.context.Initialized;
import jakarta.enterprise.event.Observes;
import jakarta.enterprise.inject.spi.BeanManager;
import jakarta.enterprise.inject.spi.BeforeBeanDiscovery;
import jakarta.enterprise.inject.spi.Extension;

import static jakarta.interceptor.Interceptor.Priority.LIBRARY_BEFORE;
import static jakarta.interceptor.Interceptor.Priority.PLATFORM_BEFORE;

/**
 * Extension to register bean {@link SecurityProducer}.
 */
public class SecurityCdiExtension implements Extension {
    private static final System.Logger LOGGER = System.getLogger(SecurityCdiExtension.class.getName());

    private final AtomicReference security = new AtomicReference<>();

    private Security.Builder securityBuilder = Security.builder();
    private Config config;
    private SecurityFeatureConfig.Builder securityFeatureBuilder = SecurityFeature.builder();

    /**
     * Public constructor required by service loader.
     */
    public SecurityCdiExtension() {
    }

    /**
     * Other extensions may update security builder.
     *
     * @return security builder
     */
    public Security.Builder securityBuilder() {
        if (null == securityBuilder) {
            throw new IllegalStateException("Security is already built, you cannot update the builder");
        }
        return securityBuilder;
    }

    /**
     * Access to security instance once it is created from {@link #securityBuilder()}.
     *
     * @return a security instance, or empty if not yet created
     */
    public Optional security() {
        return Optional.ofNullable(security.get());
    }

    private void registerBean(@Observes BeforeBeanDiscovery abd) {
        abd.addAnnotatedType(SecurityProducer.class, "helidon-security-producer")
                .add(ApplicationScoped.Literal.INSTANCE);
    }

    // priority is high, so we update builder from config as soon as possible
    // all additions by other extension will override configuration options
    private void configure(@Observes @RuntimeStart @Priority(PLATFORM_BEFORE + 2) Config config) {
        this.config = config;
        this.securityBuilder.config(config.get("security"));
        this.securityFeatureBuilder.config(config.get("server.features.security"));
    }

    // security must have priority higher than metrics, openapi and health
    // so we can protect these endpoints
    private void registerSecurity(@Observes @Priority(LIBRARY_BEFORE) @Initialized(ApplicationScoped.class) Object adv,
                                  BeanManager bm) {

        if (securityBuilder.noProvider(AuthenticationProvider.class)) {
            LOGGER.log(Level.INFO,
                    "Authentication provider is missing from security configuration, but security extension for microprofile "
                            + "is enabled (requires providers configuration at key security.providers). "
                            + "Security will not have any valid authentication provider");

            securityBuilder.addAuthenticationProvider(this::failingAtnProvider);
        }

        if (securityBuilder.noProvider(AuthorizationProvider.class)) {
            LOGGER.log(Level.INFO,
                    "Authorization provider is missing from security configuration, but security extension for microprofile "
                            + "is enabled (requires providers configuration at key security.providers). "
                            + "ABAC provider is configured for authorization.");
            securityBuilder.addAuthorizationProvider(AbacProvider.create());
        }

        Security tmpSecurity = securityBuilder.build();
        // free it and make sure we fail if somebody wants to update security afterwards
        securityBuilder = null;

        if (!tmpSecurity.enabled()) {
            // security is disabled, we need to set up some basic stuff - injection, security context etc.
            LOGGER.log(Level.INFO, "Security is disabled.");
            tmpSecurity = Security.builder()
                    .enabled(false)
                    .build();
        }

        // we need an effectively final instance to use in lambda
        Security security = tmpSecurity;

        // security is available in global
        Contexts.globalContext().register(security);

        JaxRsCdiExtension jaxrs = bm.getExtension(JaxRsCdiExtension.class);
        ServerCdiExtension server = bm.getExtension(ServerCdiExtension.class);
        server.addFeature(securityFeatureBuilder.build());
        securityFeatureBuilder = null;

        Contexts.context().ifPresent(ctx -> ctx.register(security));

        Config jerseyConfig = config.get("security.jersey");
        if (jerseyConfig.get("enabled").asBoolean().orElse(true)) {
            JerseySecurityFeature feature = JerseySecurityFeature.builder(security)
                    .config(jerseyConfig)
                    .build();

            if (LOGGER.isLoggable(Level.TRACE)) {
                LOGGER.log(Level.TRACE, "Security feature config: {0}. Registered for applications: {1}",
                           feature.featureConfig(),
                           jaxrs.applicationsToRun());
            }

            jaxrs.applicationsToRun()
                    .forEach(app -> app.resourceConfig().register(feature));
        } else {
            SecurityDisabledFeature feature = new SecurityDisabledFeature(security);
            jaxrs.applicationsToRun().forEach(app -> app.resourceConfig().register(feature));
        }

        this.security.set(security);
    }

    private AuthenticationResponse failingAtnProvider(ProviderRequest request) {
        return AuthenticationResponse.failed("No provider configured");
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy