Merge pull request #45800 from michalvavrik/feature/ws-next-http-upgrade-authz-events

WebSockets Next: fire authorization sucesss and failure events for HTTP upgrade security checks

Author: sberyozkin

extensions/websockets-next/deployment/src/main/java/io/quarkus/websockets/next/deployment/WebSocketProcessor.java

@@ -1,5 +1,6 @@
 package io.quarkus.websockets.next.deployment;
 
+import static io.quarkus.arc.processor.DotNames.EVENT;
 import static io.quarkus.deployment.annotations.ExecutionTime.RUNTIME_INIT;
 
 import java.util.ArrayList;
@@ -95,6 +96,8 @@
 import io.quarkus.security.spi.ClassSecurityCheckStorageBuildItem;
 import io.quarkus.security.spi.PermissionsAllowedMetaAnnotationBuildItem;
 import io.quarkus.security.spi.SecurityTransformerUtils;
+import io.quarkus.security.spi.runtime.AuthorizationFailureEvent;
+import io.quarkus.security.spi.runtime.AuthorizationSuccessEvent;
 import io.quarkus.security.spi.runtime.SecurityCheck;
 import io.quarkus.vertx.http.deployment.RouteBuildItem;
 import io.quarkus.vertx.http.runtime.HandlerType;
@@ -680,7 +683,10 @@ void createSecurityHttpUpgradeCheck(BuildProducer<SyntheticBeanBuildItem> produc
                     .scope(BuiltinScope.SINGLETON.getInfo())
                     .priority(SecurityHttpUpgradeCheck.BEAN_PRIORITY)
                     .setRuntimeInit()
-                    .supplier(recorder.createSecurityHttpUpgradeCheck(endpointIdToSecurityCheck))
+                    .addInjectionPoint(ClassType.create(DotNames.BEAN_MANAGER))
+                    .addInjectionPoint(ParameterizedType.create(EVENT, ClassType.create(AuthorizationFailureEvent.class)))
+                    .addInjectionPoint(ParameterizedType.create(EVENT, ClassType.create(AuthorizationSuccessEvent.class)))
+                    .createWith(recorder.createSecurityHttpUpgradeCheck(endpointIdToSecurityCheck))
                     .done());
         }
     }

extensions/websockets-next/deployment/src/test/java/io/quarkus/websockets/next/test/security/HttpUpgradeRolesAllowedAnnotationTest.java

@@ -7,16 +7,20 @@
 
 import java.net.URI;
 import java.util.concurrent.CompletionException;
+import java.util.concurrent.atomic.AtomicInteger;
 
 import jakarta.annotation.security.RolesAllowed;
+import jakarta.enterprise.event.Observes;
 import jakarta.inject.Inject;
 
+import org.jboss.shrinkwrap.api.asset.StringAsset;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
 
 import io.quarkus.runtime.util.ExceptionUtil;
 import io.quarkus.security.ForbiddenException;
 import io.quarkus.security.identity.CurrentIdentityAssociation;
+import io.quarkus.security.spi.runtime.SecurityEvent;
 import io.quarkus.security.test.utils.TestIdentityController;
 import io.quarkus.security.test.utils.TestIdentityProvider;
 import io.quarkus.test.QuarkusUnitTest;
@@ -33,8 +37,11 @@ public class HttpUpgradeRolesAllowedAnnotationTest extends SecurityTestBase {
     @RegisterExtension
     static final QuarkusUnitTest config = new QuarkusUnitTest()
             .withApplicationRoot((jar) -> jar
+                    .addAsResource(new StringAsset("""
+                            quarkus.security.events.enabled=false
+                            """), "application.properties")
                     .addClasses(Endpoint.class, WSClient.class, TestIdentityProvider.class, TestIdentityController.class,
-                            AdminEndpoint.class));
+                            AdminEndpoint.class, SecurityEventObserver.class));
 
     @TestHTTPResource("admin-end")
     URI adminEndpointUri;
@@ -56,6 +63,9 @@ public void testInsufficientRights() {
             client.waitForMessages(2);
             assertEquals("hello", client.getMessages().get(1).toString());
         }
+
+        // assert no security events when the events are disabled
+        assertEquals(0, SecurityEventObserver.count.get());
     }
 
     @RolesAllowed("admin")
@@ -101,4 +111,13 @@ String error(ForbiddenException t) {
         }
 
     }
+
+    public static class SecurityEventObserver {
+
+        private static final AtomicInteger count = new AtomicInteger();
+
+        void observe(@Observes SecurityEvent securityEvent) {
+            count.incrementAndGet();
+        }
+    }
 }