mcollovati · mcollovati · Jan 15, 2025 · Oct 14, 2024 · Oct 14, 2024 · Nov 3, 2024
diff --git a/.../src/main/java/com/github/mcollovati/quarkus/hilla/deployment/HillaSecurityBuildItem.java b/.../src/main/java/com/github/mcollovati/quarkus/hilla/deployment/HillaSecurityBuildItem.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2023 Marco Collovati, Dario Götze
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.github.mcollovati.quarkus.hilla.deployment;
+
+import io.quarkus.builder.item.SimpleBuildItem;
+
+public final class HillaSecurityBuildItem extends SimpleBuildItem {
+
+    private final SecurityModel policy;
+
+    public HillaSecurityBuildItem(SecurityModel securityModel) {
+        this.policy = securityModel;
+    }
+
+    public SecurityModel getSecurityModel() {
+        return policy;
+    }
+
+    boolean isAuthEnabled() {
+        return policy != SecurityModel.NONE;
+    }
+
+    boolean isFormAuthEnabled() {
+        return policy == SecurityModel.FORM;
+    }
+
+    enum SecurityModel {
+        NONE,
+        FORM,
+        OIDC
+    }
+}
diff --git a/...n/java/com/github/mcollovati/quarkus/hilla/deployment/QuarkusHillaExtensionProcessor.java b/...n/java/com/github/mcollovati/quarkus/hilla/deployment/QuarkusHillaExtensionProcessor.java
@@ -73,6 +73,7 @@
 import io.quarkus.undertow.deployment.ServletBuildItem;
 import io.quarkus.vertx.http.deployment.BodyHandlerBuildItem;
 import io.quarkus.vertx.http.deployment.FilterBuildItem;
+import io.quarkus.vertx.http.deployment.SecurityInformationBuildItem;
 import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
 import org.atmosphere.client.TrackMessageSizeInterceptor;
 import org.atmosphere.cpr.ApplicationConfig;
@@ -248,11 +249,20 @@ void registerJaxrsApplicationToFixApplicationPath(BuildProducer<AdditionalIndexe
     }
 
     @BuildStep
-    AuthFormBuildItem authFormEnabledBuildItem() {
-        boolean authFormEnabled = ConfigProvider.getConfig()
+    HillaSecurityBuildItem hillaSecurityBuildItem(List<SecurityInformationBuildItem> securityInformation) {
+        final boolean authFormEnabled = ConfigProvider.getConfig()
                 .getOptionalValue("quarkus.http.auth.form.enabled", Boolean.class)
                 .orElse(false);
-        return new AuthFormBuildItem(authFormEnabled);
+
+        if (authFormEnabled) return new HillaSecurityBuildItem(HillaSecurityBuildItem.SecurityModel.FORM);
+
+        final boolean oidcEnabled = securityInformation.stream()
+                .map(SecurityInformationBuildItem::getSecurityModel)
+                .anyMatch(model -> model == SecurityInformationBuildItem.SecurityModel.oidc);
+
+        if (oidcEnabled) return new HillaSecurityBuildItem(HillaSecurityBuildItem.SecurityModel.OIDC);
+
+        return new HillaSecurityBuildItem(HillaSecurityBuildItem.SecurityModel.NONE);
     }
 
     @BuildStep
@@ -295,15 +305,9 @@ void registerHillaPushServlet(
             NativeConfig nativeConfig) {
         ServletBuildItem.Builder builder = ServletBuildItem.builder(
                 QuarkusAtmosphereServlet.class.getName(), QuarkusAtmosphereServlet.class.getName());
-        String prefix = endpointConfiguration.getEndpointPrefix();
-        if (prefix.matches("^/?connect/?$")) {
-            prefix = "/";
-        } else if (!prefix.startsWith("/")) {
-            prefix = "/" + prefix;
-        }
-        if (prefix.endsWith("/")) {
-            prefix = prefix.substring(0, prefix.length() - 1);
-        }
+        String prefix = endpointConfiguration.isDefaultEndpointPrefix()
+                ? ""
+                : endpointConfiguration.getStandardizedEndpointPrefix();
         String hillaPushMapping = prefix + "/HILLA/push";
 
         builder.addMapping(hillaPushMapping)
@@ -384,8 +388,9 @@ public void transform(TransformationContext ctx) {
     }
 
     @BuildStep
-    void registerHillaSecurityPolicy(AuthFormBuildItem authFormEnabled, BuildProducer<AdditionalBeanBuildItem> beans) {
-        if (authFormEnabled.isEnabled()) {
+    void registerHillaSecurityPolicy(
+            HillaSecurityBuildItem hillaSecurityBuildItem, BuildProducer<AdditionalBeanBuildItem> beans) {
+        if (hillaSecurityBuildItem.isAuthEnabled()) {
             beans.produce(AdditionalBeanBuildItem.builder()
                     .addBeanClasses(HillaSecurityPolicy.class)
                     .setDefaultScope(DotNames.APPLICATION_SCOPED)
@@ -397,10 +402,10 @@ void registerHillaSecurityPolicy(AuthFormBuildItem authFormEnabled, BuildProduce
     @BuildStep
     @Record(ExecutionTime.RUNTIME_INIT)
     void registerHillaFormAuthenticationMechanism(
-            AuthFormBuildItem authFormBuildItem,
+            HillaSecurityBuildItem hillaSecurityBuildItem,
             HillaSecurityRecorder recorder,
             BuildProducer<SyntheticBeanBuildItem> producer) {
-        if (authFormBuildItem.isEnabled()) {
+        if (hillaSecurityBuildItem.isFormAuthEnabled()) {
             producer.produce(SyntheticBeanBuildItem.configure(HillaFormAuthenticationMechanism.class)
                     .types(HttpAuthenticationMechanism.class)
                     .setRuntimeInit()
@@ -416,9 +421,14 @@ void registerHillaFormAuthenticationMechanism(
     @Record(ExecutionTime.RUNTIME_INIT)
     @Consume(SyntheticBeansRuntimeInitBuildItem.class)
     void configureHillaSecurityComponents(
-            AuthFormBuildItem authFormBuildItem, HillaSecurityRecorder recorder, BeanContainerBuildItem beanContainer) {
-        if (authFormBuildItem.isEnabled()) {
-            recorder.configureHttpSecurityPolicy(beanContainer.getValue());
+            HillaSecurityBuildItem hillaSecurityBuildItem,
+            HillaSecurityRecorder recorder,
+            BeanContainerBuildItem beanContainer) {
+        if (hillaSecurityBuildItem.isFormAuthEnabled()) {
+            recorder.configureFormLoginHttpSecurityPolicy(beanContainer.getValue());
+        }
+        if (hillaSecurityBuildItem.isAuthEnabled()) {
+            recorder.markSecurityPolicyUsed();
         }
     }
 
@@ -447,41 +457,50 @@ void configureNavigationControlAccessCheckers(
 
     @BuildStep
     void registerNavigationAccessControl(
-            AuthFormBuildItem authFormBuildItem,
+            HillaSecurityBuildItem hillaSecurityBuildItem,
             CombinedIndexBuildItem index,
             BuildProducer<AdditionalBeanBuildItem> beans,
             BuildProducer<NavigationAccessControlBuildItem> accessControlProducer,
             BuildProducer<NavigationAccessCheckerBuildItem> accessCheckerProducer) {
 
-        Set<DotName> securityAnnotations = Set.of(
-                DotName.createSimple(DenyAll.class.getName()),
-                DotName.createSimple(AnonymousAllowed.class.getName()),
-                DotName.createSimple(RolesAllowed.class.getName()),
-                DotName.createSimple(PermitAll.class.getName()));
-        boolean hasSecuredRoutes =
-                index.getComputingIndex().getAnnotations(DotName.createSimple(Route.class.getName())).stream()
-                        .flatMap(route -> route.target().annotations().stream().map(AnnotationInstance::name))
-                        .anyMatch(securityAnnotations::contains);
-        if (authFormBuildItem.isEnabled()) {
+        if (hillaSecurityBuildItem.isAuthEnabled()) {
             beans.produce(AdditionalBeanBuildItem.builder()
                     .addBeanClasses(
                             QuarkusNavigationAccessControl.class,
                             QuarkusNavigationAccessControl.Installer.class,
                             DefaultAccessCheckDecisionResolver.class)
                     .setUnremovable()
                     .build());
-            if (hasSecuredRoutes) {
+
+            if (hasSecuredRoutes(index)) {
                 accessCheckerProducer.produce(
                         new NavigationAccessCheckerBuildItem(DotName.createSimple(AnnotatedViewAccessChecker.class)));
             }
 
-            ConfigProvider.getConfig()
-                    .getOptionalValue("quarkus.http.auth.form.login-page", String.class)
-                    .map(NavigationAccessControlBuildItem::new)
-                    .ifPresent(accessControlProducer::produce);
+            switch (hillaSecurityBuildItem.getSecurityModel()) {
+                case FORM -> ConfigProvider.getConfig()
+                        .getOptionalValue("quarkus.http.auth.form.login-page", String.class)
+                        .map(NavigationAccessControlBuildItem::new)
+                        .ifPresent(accessControlProducer::produce);
+                case OIDC -> ConfigProvider.getConfig()
+                        .getOptionalValue("vaadin.oidc.login.path", String.class)
+                        .map(NavigationAccessControlBuildItem::new)
+                        .ifPresent(accessControlProducer::produce);
+            }
         }
     }
 
+    private boolean hasSecuredRoutes(CombinedIndexBuildItem indexBuildItem) {
+        Set<DotName> securityAnnotations = Set.of(
+                DotName.createSimple(DenyAll.class.getName()),
+                DotName.createSimple(AnonymousAllowed.class.getName()),
+                DotName.createSimple(RolesAllowed.class.getName()),
+                DotName.createSimple(PermitAll.class.getName()));
+        return indexBuildItem.getComputingIndex().getAnnotations(DotName.createSimple(Route.class.getName())).stream()
+                .flatMap(route -> route.target().annotations().stream().map(AnnotationInstance::name))
+                .anyMatch(securityAnnotations::contains);
+    }
+
     @BuildStep
     void registerServiceInitEventPropagator(
             QuarkusHillaEnvironmentBuildItem quarkusHillaEnv,

diff --git a/.../main/java/com/github/mcollovati/quarkus/hilla/deployment/devui/AccessAnnotationInfo.java b/.../main/java/com/github/mcollovati/quarkus/hilla/deployment/devui/AccessAnnotationInfo.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2024 Marco Collovati, Dario Götze
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.github.mcollovati.quarkus.hilla.deployment.devui;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import io.quarkus.arc.deployment.devui.Name;
+import org.jboss.jandex.AnnotationInstance;
+import org.jboss.jandex.DotName;
+
+public record AccessAnnotationInfo(Name name, List<String> roles) {
+
+    public static DotName ROLES_ALLOWED_ANNOTATION = DotName.createSimple("jakarta.annotation.security.RolesAllowed");
+
+    public static AccessAnnotationInfo from(AnnotationInstance annotation) {
+        if (annotation.name().equals(ROLES_ALLOWED_ANNOTATION)) {
+            return new AccessAnnotationInfo(
+                    Name.from(annotation.name()),
+                    Arrays.asList(annotation.value("value").asStringArray()));
+        }
+        return new AccessAnnotationInfo(Name.from(annotation.name()), Collections.emptyList());
+    }
+}
diff --git a/...src/main/java/com/github/mcollovati/quarkus/hilla/deployment/devui/EndpointBuildItem.java b/...src/main/java/com/github/mcollovati/quarkus/hilla/deployment/devui/EndpointBuildItem.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2024 Marco Collovati, Dario Götze
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.github.mcollovati.quarkus.hilla.deployment.devui;
+
+import java.util.List;
+
+import io.quarkus.builder.item.SimpleBuildItem;
+
+public final class EndpointBuildItem extends SimpleBuildItem {
+
+    private final List<EndpointInfo> endpoints;
+
+    public EndpointBuildItem(List<EndpointInfo> endpoints) {
+        this.endpoints = endpoints;
+    }
+
+    public List<EndpointInfo> getEndpoints() {
+        return endpoints;
+    }
+
+    public int getEndpointMethodCount() {
+        return endpoints.stream().mapToInt(a -> a.children().size()).sum();
+    }
+}