Authorized set to false fix (#8295)

Authorized set to false fix

Signed-off-by: David Kral <david.k.kral@oracle.com>

microprofile/security/src/main/java/io/helidon/microprofile/security/SecurityDefinition.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2018, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -229,11 +229,13 @@ public void analyzerResponse(AnnotationAnalyzer analyzer, AnnotationAnalyzer.Ana
             default -> {}
         }
 
-        this.requiresAuthorization = switch (analyzerResponse.authorizationResponse()) {
-            case REQUIRED, OPTIONAL -> true;
-            case FORBIDDEN -> false;
-            default -> null;
-        };
+        if (this.requiresAuthorization == null) {
+            this.requiresAuthorization = switch (analyzerResponse.authorizationResponse()) {
+                case REQUIRED, OPTIONAL -> true;
+                case FORBIDDEN -> false;
+                default -> null;
+            };
+        }
 
         this.authenticator = analyzerResponse.authenticator().orElse(this.authenticator);
         this.authorizer = analyzerResponse.authorizer().orElse(this.authorizer);

tests/integration/security/pom.xml

@@ -41,5 +41,6 @@
         <module>gh2772</module>
         <module>path-params</module>
         <module>security-response-mapper</module>
+        <module>security-annotation</module>
     </modules>
 </project>

tests/integration/security/security-annotation/pom.xml

@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright (c) 2024 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+  -->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>io.helidon.tests.integration</groupId>
+        <artifactId>helidon-tests-integration-security</artifactId>
+        <version>4.0.0-SNAPSHOT</version>
+    </parent>
+
+
+    <artifactId>helidon-tests-integration-security-annotation</artifactId>
+    <name>Helidon Tests Integration Security Annotations</name>
+
+    <description>
+        Integration test for security annotations
+    </description>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.helidon.microprofile.bundles</groupId>
+            <artifactId>helidon-microprofile</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.hamcrest</groupId>
+            <artifactId>hamcrest-all</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.microprofile.testing</groupId>
+            <artifactId>helidon-microprofile-testing-junit5</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+</project>

tests/integration/security/security-annotation/src/main/java/io/helidon/tests/integration/security/annotation/AdminResource.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2024 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.tests.integration.security.annotation;
+
+import io.helidon.security.annotations.Authenticated;
+import io.helidon.security.annotations.Authorized;
+
+import jakarta.annotation.security.RolesAllowed;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+
+/**
+ * An admin resource that should not be accessible without proper credentials.
+ */
+@Path("/admin")
+public class AdminResource {
+
+    /**
+     * The resource.
+     *
+     * @return admin secret.
+     */
+    @GET
+    @Authenticated
+    @Authorized
+    @RolesAllowed("admin")
+    public String admin() {
+        return "admin";
+    }
+
+
+    /**
+     * The resource.
+     *
+     * @return admin secret.
+     */
+    @GET
+    @Path("/unauthorized")
+    @Authenticated
+    @Authorized(false)
+    @RolesAllowed("admin")
+    public String unauthorizedAdmin() {
+        return "unauthorized admin";
+    }
+}

tests/integration/security/security-annotation/src/main/resources/META-INF/beans.xml

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2024 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<beans xmlns="https://jakarta.ee/xml/ns/jakartaee"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee
+                           https://jakarta.ee/xml/ns/jakartaee/beans_3_0.xsd"
+       version="3.0"
+       bean-discovery-mode="annotated">
+</beans>
+k

tests/integration/security/security-annotation/src/main/resources/application.yaml

@@ -0,0 +1,27 @@
+#
+# Copyright (c) 2024 Oracle and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+server.port: 0
+security:
+  providers:
+    - abac:
+    - http-basic-auth:
+        realm: "helidon"
+        users:
+          - login: "success"
+            password: "password"
+            roles: ["admin"]
+          - login: "fail"
+            password: "password"

tests/integration/security/security-annotation/src/main/resources/logging.properties

@@ -0,0 +1,29 @@
+#
+# Copyright (c) 2024 Oracle and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Example Logging Configuration File
+# For more information see $JAVA_HOME/jre/lib/logging.properties
+
+# Send messages to the console
+handlers=io.helidon.logging.jul.HelidonConsoleHandler
+
+# HelidonConsoleHandler uses a SimpleFormatter subclass that replaces "!thread!" with the current thread
+java.util.logging.SimpleFormatter.format=%1$tY.%1$tm.%1$td %1$tH:%1$tM:%1$tS %4$s %3$s !thread!: %5$s%6$s%n
+
+# Global logging level. Can be overridden by specific loggers
+.level=INFO
+AUDIT.level=FINEST
+

tests/integration/security/security-annotation/src/test/java/io/helidon/tests/integration/security/pathparams/AdminTest.java

@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2024 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.tests.integration.security.pathparams;
+
+import java.util.Base64;
+
+import io.helidon.http.Status;
+import io.helidon.microprofile.testing.junit5.HelidonTest;
+
+import jakarta.ws.rs.client.WebTarget;
+import jakarta.ws.rs.core.Response;
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+@HelidonTest
+class AdminTest {
+
+    @Test
+    void testProtectedAdminEndpoint(WebTarget target) {
+        try (Response response = target.path("/admin")
+                .request()
+                .header("Authorization", basic("fail"))
+                .get()) {
+            assertThat(response.getStatus(), is(Status.FORBIDDEN_403.code()));
+        }
+        try (Response response = target.path("/admin")
+                .request()
+                .header("Authorization", basic("success"))
+                .get()) {
+            assertThat(response.getStatus(), is(Status.OK_200.code()));
+            assertThat(response.readEntity(String.class), is("admin"));
+        }
+    }
+
+    @Test
+    void testUnauthorizedAdminEndpoint(WebTarget target) {
+        try (Response response = target.path("/admin/unauthorized")
+                .request()
+                .header("Authorization", basic("fail"))
+                .get()) {
+            assertThat(response.getStatus(), is(Status.OK_200.code()));
+            assertThat(response.readEntity(String.class), is("unauthorized admin"));
+        }
+        try (Response response = target.path("/admin/unauthorized")
+                .request()
+                .header("Authorization", basic("success"))
+                .get()) {
+            assertThat(response.getStatus(), is(Status.OK_200.code()));
+            assertThat(response.readEntity(String.class), is("unauthorized admin"));
+        }
+    }
+
+    private String basic(String user) {
+        String uap = user + ":password";
+        return "basic " + Base64.getEncoder().encodeToString(uap.getBytes());
+    }
+}