
package io.quarkus.vertx.http.runtime.security;
import java.security.Permission;
import java.security.Principal;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import io.quarkus.security.credential.Credential;
import io.quarkus.security.identity.SecurityIdentity;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
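/**
 * Permission checker that handles role based permissions.
 * <p>
 * Access is permitted when the identity has at least one of the configured roles; the special role
 * name {@code "**"} matches any non-anonymous identity. When no configured role matches, the result
 * is {@link CheckResult#DENY}, so the policy fails closed. When the policy was constructed with a
 * role-to-permission map, a permitted identity is wrapped so that the permissions granted to its
 * roles are consulted before the original identity's own permission check.
 * <p>
 * NOTE(review): {@code rolesAllowed} is expected to be set (via a constructor or
 * {@link #setRolesAllowed(List)}) before the policy is evaluated; it is not null-checked here, and a
 * null list makes the check fail with an exception rather than a {@code DENY}.
 */
public class RolesAllowedHttpSecurityPolicy implements HttpSecurityPolicy {

    private List<String> rolesAllowed;
    /** Whether a permitted identity is augmented with the permissions mapped to its roles. */
    private final boolean grantPermissions;
    /** Role name to the permissions that role grants; only read when {@link #grantPermissions} is true. */
    private final Map<String, Set<Permission>> roleToPermissions;

    /**
     * Creates a role-only policy.
     *
     * @param rolesAllowed roles of which at least one must be held; {@code "**"} stands for any authenticated identity
     */
    public RolesAllowedHttpSecurityPolicy(List<String> rolesAllowed) {
        this.rolesAllowed = rolesAllowed;
        this.grantPermissions = false;
        this.roleToPermissions = null;
    }

    /**
     * Creates a role-only policy whose roles are supplied later through {@link #setRolesAllowed(List)}.
     */
    public RolesAllowedHttpSecurityPolicy() {
        this.grantPermissions = false;
        this.roleToPermissions = null;
    }

    /**
     * Creates a policy that also grants permissions to a permitted identity based on its roles.
     *
     * @param rolesAllowed      roles of which at least one must be held
     * @param roleToPermissions mapping from role name to the permissions that role grants; read on every
     *                          permitted request, so it must not be {@code null}
     */
    public RolesAllowedHttpSecurityPolicy(List<String> rolesAllowed, Map<String, Set<Permission>> roleToPermissions) {
        this.rolesAllowed = rolesAllowed;
        this.grantPermissions = true;
        this.roleToPermissions = roleToPermissions;
    }

    /**
     * @return the roles of which at least one must be held for access to be permitted
     */
    public List<String> getRolesAllowed() {
        return rolesAllowed;
    }

    /**
     * Replaces the roles of which at least one must be held.
     *
     * @param rolesAllowed the new role list
     * @return this policy, for chaining
     */
    public RolesAllowedHttpSecurityPolicy setRolesAllowed(List<String> rolesAllowed) {
        this.rolesAllowed = rolesAllowed;
        return this;
    }

    /**
     * Evaluates the role check once the identity has been resolved.
     *
     * @param request        the current request; not consulted by this policy
     * @param identity       the (possibly still pending) identity of the caller
     * @param requestContext the authorization context; not consulted by this policy
     * @return {@code PERMIT} (optionally carrying an augmented identity) when a configured role matches,
     *         {@code DENY} otherwise
     */
    @Override
    public Uni<CheckResult> checkPermission(RoutingContext request, Uni<SecurityIdentity> identity,
            AuthorizationRequestContext requestContext) {
        return identity.map(this::evaluate);
    }

    /** Applies the configured role list to a resolved identity; the first matching role decides. */
    private CheckResult evaluate(SecurityIdentity securityIdentity) {
        for (String role : rolesAllowed) {
            boolean matches = securityIdentity.hasRole(role)
                    || ("**".equals(role) && !securityIdentity.isAnonymous());
            if (matches) {
                // permit access and, if configured, augment the identity with additional permissions
                return grantPermissions ? permitWithPermissions(securityIdentity) : CheckResult.PERMIT;
            }
        }
        return CheckResult.DENY;
    }

    /**
     * Builds a permit result whose identity carries the permissions mapped to the identity's roles.
     * Falls back to the plain {@code PERMIT} when the identity has no roles or none of them maps to a
     * permission. (Renamed from {@code grantPermissions} to stop shadowing the boolean field of that name.)
     */
    private CheckResult permitWithPermissions(SecurityIdentity securityIdentity) {
        Set<String> roles = securityIdentity.getRoles();
        if (roles == null || roles.isEmpty()) {
            return CheckResult.PERMIT;
        }
        Set<Permission> permissions = new HashSet<>();
        for (String role : roles) {
            // single lookup; a missing (or null-valued) entry contributes nothing
            Set<Permission> granted = roleToPermissions.get(role);
            if (granted != null) {
                permissions.addAll(granted);
            }
        }
        if (permissions.isEmpty()) {
            return CheckResult.PERMIT;
        }
        return new CheckResult(true, augmentIdentity(securityIdentity, permissions));
    }

    /**
     * Wraps an identity so that the given permissions are checked first; everything else, including
     * permission checks that none of the granted permissions imply, is delegated to the wrapped identity.
     *
     * @param securityIdentity the identity to wrap
     * @param permissions      permissions to consult before delegating
     * @return the delegating identity
     */
    private static SecurityIdentity augmentIdentity(SecurityIdentity securityIdentity, Set<Permission> permissions) {
        return new SecurityIdentity() {
            @Override
            public Principal getPrincipal() {
                return securityIdentity.getPrincipal();
            }

            @Override
            public boolean isAnonymous() {
                return securityIdentity.isAnonymous();
            }

            @Override
            public Set<String> getRoles() {
                return securityIdentity.getRoles();
            }

            @Override
            public boolean hasRole(String role) {
                return securityIdentity.hasRole(role);
            }

            @Override
            public <T extends Credential> T getCredential(Class<T> credentialType) {
                return securityIdentity.getCredential(credentialType);
            }

            @Override
            public Set<Credential> getCredentials() {
                return securityIdentity.getCredentials();
            }

            @Override
            public <T> T getAttribute(String name) {
                return securityIdentity.getAttribute(name);
            }

            @Override
            public Map<String, Object> getAttributes() {
                return securityIdentity.getAttributes();
            }

            @Override
            public Uni<Boolean> checkPermission(Permission requiredPermission) {
                // a granted permission that implies the required one answers without consulting the delegate
                if (impliedByGranted(requiredPermission)) {
                    return Uni.createFrom().item(true);
                }
                return securityIdentity.checkPermission(requiredPermission);
            }

            @Override
            public boolean checkPermissionBlocking(Permission requiredPermission) {
                if (impliedByGranted(requiredPermission)) {
                    return true;
                }
                return securityIdentity.checkPermissionBlocking(requiredPermission);
            }

            /** True when any of the granted permissions implies {@code requiredPermission}. */
            private boolean impliedByGranted(Permission requiredPermission) {
                for (Permission possessedPermission : permissions) {
                    if (possessedPermission.implies(requiredPermission)) {
                        return true;
                    }
                }
                return false;
            }
        };
    }
}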