How to emulate TestSecurity functionality when invoking secured methods directly, not going through HTTP calls?

[okarmazin]

Hello, I would like to annotate not only controllers, but also services with Roles/PermissionsAllowed as a defense-in-depth measure.

When I do so, I cannot properly unittest these services in isolation by injecting them directly to tests since @TestSecurity only works when going through the entire HTTP stack with RestAssured (in which case it works beautifully and flawlessly). The @RolesAllowed-annotated service is handed an empty SecurityIdentity, so when it tries to authorize the function invocation, my SecurityIdentityAugmentor dies screaming for lack of OIDC UserInfo attribute.

I want to be able to properly set up the security context in unit tests, as if I was performing an HTTP call from a test method with TestSecurity + OidcSecurity annotations. Can I emulate how these annotations work, instantiating a SecurityIdentity with predefined values, and then bootstrap the security context with that SecurityIdentity such that my augmentor gets these values and can properly augment it?

I tried building a QuarkusSecurityIdentity in the test method and then installing it with QUarkusMock.installMockForType, but couldn't get it to work due to java.lang.ClassCastException: class io.quarkus.security.runtime.QuarkusSecurityIdentity cannot be cast to class io.quarkus.security.runtime.SecurityIdentityProxy. Is that even a workable angle?

Ideally TestSecurity would be enhanced in the future such that it works in any @QuarkusTest, if at all possible. The ergonomics of TestSecurity is hard to beat.

[quarkus-bot[bot]]

/cc @sberyozkin (security)

[okarmazin]

Found an answer - I can inject CurrentIdentityAssociation into the test and set a manually constructed SecurityIdentity. This can further be combined with the TestSecurity and OidcSecurity annotations on the very same test method.

The manually constructed identity will be used for any direct invocations on injected secured beans, and if I perform a HTTP call with RestAssured, the identity will be constructed from the annotations.

This can be mixed and matched, so I can "direct-init" using an injected service instance (like inserting database rows through it), and then have that data returned and inspected using RestAssured.

@QuarkusTest
class SecuredResourceTest {

@Inject
lateinit var service: SecuredService

@Inject
lateinit var identityAssociation: CurrentIdentityAssociation

@Test
@TestSecurity(user = "Regular User", augmentors = [TestSecurityIdentityAugmentor::class])
@OidcSecurity(
    userinfo = [
        UserInfo(key = "sub", value = "regularUser"),
        UserInfo(key = "email", value = "test@example.com"),
        UserInfo(key = "name", value = "Test User Name"),
    ]
)
fun testWithDirectCallsAndRestassured() {
    val userInfoJson = buildJsonObject {
        put("sub", "adminUser")
        put("email", "admin@example.com")
        put("name", "Test Admin Name")
    }
    val userinfo = UserInfo(userInfoJson.toString())
    val identity = QuarkusSecurityIdentity.builder()
        .addAttribute("userinfo", userinfo)
        .setPrincipal { "Test Admin Name" }
        .build()
    // assuming the static augmentIdentity() is what TestSecurityIdentityAugmentor calls internally too
    identityAssociation.identity = TestSecurityIdentityAugmentor.augmentIdentity(identity)
    
    // uses admin identity from association
    service.methodRequiringAdminPrivileges()
    
    // uses user identity constructed from annotations
    When {
        get("/adminEndpoint") // 403
    }
    When {
        get("/userEndpoint") // 200
    }
}