Merge pull request quarkusio#44669 from michalvavrik/feature/improve-…
…secure-field-detection Quarkus REST Jackson: Improve detection of generic fields annotated with the `@SecureField` and allow to explicitly enable secure serialization
Showing
9 changed files
with
230 additions
and
33 deletions.
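--- a/.../io/quarkus/resteasy/reactive/jackson/deployment/test/DisableSecureSerializationTest.java
+++ b/.../io/quarkus/resteasy/reactive/jackson/deployment/test/DisableSecureSerializationTest.java
@@ -0,0 +1,94 @@
+package io.quarkus.resteasy.reactive.jackson.deployment.test;
+
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+
+import org.hamcrest.Matchers;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.JavaArchive;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.resteasy.reactive.jackson.DisableSecureSerialization;
+import io.quarkus.resteasy.reactive.jackson.EnableSecureSerialization;
+import io.quarkus.resteasy.reactive.jackson.SecureField;
+import io.quarkus.security.test.utils.TestIdentityController;
+import io.quarkus.security.test.utils.TestIdentityProvider;
+import io.quarkus.test.QuarkusUnitTest;
+import io.restassured.RestAssured;
+import io.restassured.response.ValidatableResponse;
+
+public class DisableSecureSerializationTest {
+
+@RegisterExtension
+static QuarkusUnitTest test = new QuarkusUnitTest()
+.setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class)
+.addClasses(TestIdentityProvider.class, TestIdentityController.class));
+
+@Test
+public void testDisablingOfSecureSerialization() {
+request("disabled", "user").body("secretField", Matchers.is("secret"));
+request("disabled", "admin").body("secretField", Matchers.is("secret"));
+request("enabled", "user").body("secretField", Matchers.nullValue());
+request("enabled", "admin").body("secretField", Matchers.is("secret"));
+}
+
+private static ValidatableResponse request(String subPath, String user) {
+TestIdentityController.resetRoles().add(user, user, user);
+return RestAssured
+.with()
+.auth().preemptive().basic(user, user)
+.get("/test/" + subPath)
+.then()
+.statusCode(200)
+.body("publicField", Matchers.is("public"));
+}
+
+@DisableSecureSerialization
+@Produces(MediaType.APPLICATION_JSON)
+@Consumes(MediaType.APPLICATION_JSON)
+@Path("test")
+public static class GreetingsResource {
+
+@Path("disabled")
+@GET
+public Dto disabled() {
+return Dto.createDto();
+}
+
+@EnableSecureSerialization
+@Path("enabled")
+@GET
+public Dto enabled() {
+return Dto.createDto();
+}
+}
+
+public static class Dto {
+
+public Dto(String secretField, String publicField) {
+this.secretField = secretField;
+this.publicField = publicField;
+}
+
+@SecureField(rolesAllowed = "admin")
+private final String secretField;
+
+private final String publicField;
+
+public String getSecretField() {
+return secretField;
+}
+
+public String getPublicField() {
+return publicField;
+}
+
+private static Dto createDto() {
+return new Dto("secret", "public");
+}
+}
+}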
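Review bot: The precedence this test pins down — the method-level `@EnableSecureSerialization` on `enabled()` overriding the class-level `@DisableSecureSerialization` on `GreetingsResource` — is stated nowhere, so a reader has to reverse it from the four `request(...)` assertions. A short Javadoc on `testDisablingOfSecureSerialization` would make the contract explicit: `/** Class-level @DisableSecureSerialization exposes @SecureField values to every caller; a method-level @EnableSecureSerialization re-enables role-based filtering for that endpoint only. */`. It is also worth a one-line comment on `request` that `resetRoles().add(user, user, user)` grants exactly one role equal to the username, which is what makes the `nullValue()` assertion for "user" a real role check rather than an artefact of an unauthenticated call. Note that `Dto` only covers the annotation-on-private-field-with-getter shape; the generic and collection cases the PR title refers to are presumably exercised in one of the other changed files not shown here.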
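--- a/.../deployment/src/test/java/io/quarkus/resteasy/reactive/jackson/deployment/test/Fruit.java
+++ b/.../deployment/src/test/java/io/quarkus/resteasy/reactive/jackson/deployment/test/Fruit.java
@@ -0,0 +1,16 @@
+package io.quarkus.resteasy.reactive.jackson.deployment.test;
+
+import java.util.List;
+
+public class Fruit {
+
+public String name;
+
+public List<Price> prices;
+
+public Fruit(String name, Float price) {
+this.name = name;
+this.prices = List.of(new Price("USD", price));
+}
+
+}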
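Review bot: The purpose of `Fruit` (and of its sibling fixture `Price`, added by the same commit) is implicit: the only `@SecureField` is on `Price.price`, and from `Fruit` it is reachable solely through the `List<Price>` type argument of `prices`, which is presumably the generic-field detection the PR title describes. A one-line comment on the field, `// the @SecureField is on Price; detection must follow the List<Price> type argument`, would tell the next maintainer why the fixture is shaped this way and discourage simplifying it to a plain `Price` field, which would silently stop testing the generic path. Separately, `price` is a boxed `Float` that the constructor passes through unchecked; since the filtered form of a denied field is `null` (the `DisableSecureSerializationTest` asserts `nullValue()`), any test using this fixture should construct it with a non-null price so "filtered" and "never set" remain distinguishable.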
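--- a/...nt/src/test/java/io/quarkus/resteasy/reactive/jackson/deployment/test/GenericWrapper.java
+++ b/...nt/src/test/java/io/quarkus/resteasy/reactive/jackson/deployment/test/GenericWrapper.java
@@ -0,0 +1,14 @@
+package io.quarkus.resteasy.reactive.jackson.deployment.test;
+
+public class GenericWrapper<T> {
+
+public String name;
+
+public T entity;
+
+public GenericWrapper(String name, T entity) {
+this.name = name;
+this.entity = entity;
+}
+
+}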
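Review bot: `GenericWrapper<T>` declares `public T entity`, and after erasure the field declaration alone carries no information about whether `T` contains a `@SecureField`; detection can only succeed from a use site that names a concrete type argument (for example a resource method returning `GenericWrapper<Price>`), which this commit presumably does in a test file not shown here. That constraint should be stated on the class so the fixture is not later reused with a raw `GenericWrapper` or `GenericWrapper<Object>`, where a secure field inside `entity` would not be discoverable from the declared type: `/** Test fixture: whether {@code entity} is treated as carrying a @SecureField depends entirely on the type argument at the use site. */`.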
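--- a/.../deployment/src/test/java/io/quarkus/resteasy/reactive/jackson/deployment/test/Price.java
+++ b/.../deployment/src/test/java/io/quarkus/resteasy/reactive/jackson/deployment/test/Price.java
@@ -0,0 +1,17 @@
+package io.quarkus.resteasy.reactive.jackson.deployment.test;
+
+import io.quarkus.resteasy.reactive.jackson.SecureField;
+
+public class Price {
+
+@SecureField(rolesAllowed = "admin")
+public Float price;
+
+public String currency;
+
+public Price(String currency, Float price) {
+this.currency = currency;
+this.price = price;
+}
+
+}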