feat(security-jpa): configure multiple PUs programmatically

Author: michalvavrik

docs/src/main/asciidoc/security-authorize-web-endpoints-reference.adoc

@@ -600,6 +600,7 @@ The same authorization can be required with the `@PermissionsAllowed(value = { "
 * xref:security-authentication-mechanisms.adoc#mtls-programmatic-set-up[Set up the mutual TLS client authentication programmatically]
 * xref:security-cors.adoc#cors-filter-programmatic-set-up[Configuring the CORS filter programmatically]
 * xref:security-csrf-prevention.adoc#csrf-prevention-programmatic-set-up[Configuring the CSRF prevention programmatically]
+* xref:security-jpa.adoc#programmatic-set-up[Set up Basic authentication with Jakarta Persistence programmatically]
 
 [[standard-security-annotations]]
 == Authorization using annotations

docs/src/main/asciidoc/security-jpa.adoc

@@ -222,6 +222,64 @@ For more information about proactive authentication, see the Quarkus xref:securi
 
 include::{generated-dir}/config/quarkus-security-jpa.adoc[opts=optional, leveloffset=+2]
 
+[[programmatic-set-up]]
+== Set up Security JPA programmatically
+
+If you need to combine authentication mechanisms with different identity providers or persistence units, you can leverage the `io.quarkus.vertx.http.security.HttpSecurity` CDI event.
+For example, if you combine the built-in Basic and the Form-based authentication mechanisms, you can configure different persistence unit for each of mechanism like in the example below:
+
+[source,java]
+----
+package org.acme.http.security;
+
+import static io.quarkus.security.jpa.SecurityJpa.jpa;
+
+import io.quarkus.vertx.http.security.Form;
+import io.quarkus.vertx.http.security.HttpSecurity;
+import jakarta.enterprise.event.Observes;
+
+class HttpSecurityConfiguration {
+
+    void configure(@Observes HttpSecurity httpSecurity) {
+            httpSecurity
+                    .basic(jpa().persistence("basic-pu"))   <1>
+                    .mechanism(Form.create(), jpa().persistence("form-pu"));    <2>
+    }
+
+}
+----
+<1> Configure the Basic authentication to store the users information in the `basic-pu` persistence unit.
+<2> Also use the Security JPA identity providers, but this time with the `form-pu` persistence unit.
+
+Another situation when you can use the `io.quarkus.security.jpa.SecurityJpa` API is when you need to apply different `SecurityIdentityAugmentor` to a different authentication mechanism:
+
+[source,java]
+----
+package org.acme.http.security;
+
+import static io.quarkus.security.jpa.SecurityJpa.jpa;
+
+import io.quarkus.vertx.http.security.Form;
+import io.quarkus.vertx.http.security.HttpSecurity;
+import jakarta.enterprise.event.Observes;
+
+class HttpSecurityConfiguration {
+
+    void configure(@Observes HttpSecurity httpSecurity) {
+        httpSecurity
+                .mechanism(Form.create(), jpa().augmentor((securityIdentity, ignored) -> {
+                    // augment the SecurityIdentity produced by the Form-based authentication
+                    return Uni.createFrom().item(securityIdentity);
+                }))
+                .basic(jpa().augmentor((securityIdentity, ignored) -> {
+                    // augment the SecurityIdentity produced by the Basic authentication
+                    return Uni.createFrom().item(securityIdentity);
+                }));
+    }
+
+}
+----
+
 == References
 
 * xref:security-getting-started-tutorial.adoc[Getting started with Security by using Basic authentication and Jakarta Persistence]

extensions/security-jpa-common/deployment/src/main/java/io/quarkus/security/jpa/common/deployment/QuarkusSecurityJpaCommonProcessor.java

@@ -1,21 +1,29 @@
 package io.quarkus.security.jpa.common.deployment;
 
 import static io.quarkus.security.jpa.common.deployment.JpaSecurityIdentityUtil.getSingleAnnotatedElement;
+import static org.objectweb.asm.Opcodes.ACC_PRIVATE;
+import static org.objectweb.asm.Opcodes.ACC_STATIC;
 
 import java.util.List;
+import java.util.Optional;
 
 import org.jboss.jandex.AnnotationInstance;
 import org.jboss.jandex.AnnotationTarget;
 import org.jboss.jandex.ClassInfo;
 import org.jboss.jandex.DotName;
 
+import io.quarkus.arc.deployment.AdditionalBeanBuildItem;
 import io.quarkus.deployment.annotations.BuildProducer;
 import io.quarkus.deployment.annotations.BuildStep;
 import io.quarkus.deployment.builditem.ApplicationIndexBuildItem;
+import io.quarkus.deployment.builditem.BytecodeTransformerBuildItem;
+import io.quarkus.gizmo.ClassTransformer;
+import io.quarkus.gizmo.MethodDescriptor;
 import io.quarkus.security.jpa.Password;
 import io.quarkus.security.jpa.Roles;
 import io.quarkus.security.jpa.UserDefinition;
 import io.quarkus.security.jpa.Username;
+import io.quarkus.security.jpa.common.runtime.JpaIdentityProviderUtil;
 
 class QuarkusSecurityJpaCommonProcessor {
 
@@ -48,4 +56,50 @@ void provideJpaSecurityDefinition(ApplicationIndexBuildItem index, PanacheEntity
         }
     }
 
+    /**
+     * This method produces {@link io.quarkus.security.jpa.SecurityJpa} CDI bean producer for either Hibernate ORM
+     * or Hibernate Reactive version of the Quarkus Security JPA.
+     */
+    @BuildStep
+    void registerSecurityJpaImplCdiBean(BuildProducer<BytecodeTransformerBuildItem> bytecodeTransformerProducer,
+            BuildProducer<AdditionalBeanBuildItem> additionalBeanProducer,
+            Optional<SecurityJpaProviderInfoBuildItem> securityJpaProviderClassBuildItem) {
+        if (securityJpaProviderClassBuildItem.isPresent()) {
+            var item = securityJpaProviderClassBuildItem.get();
+            additionalBeanProducer.produce(AdditionalBeanBuildItem.unremovableOf(item.securityJpaProviderClass));
+            bytecodeTransformerProducer
+                    .produce(new BytecodeTransformerBuildItem(item.securityJpaProviderClass.getName(), (cls, classVisitor) -> {
+                        var newInstanceUtilMethodDesc = MethodDescriptor.ofMethod(JpaIdentityProviderUtil.class, "newInstance",
+                                Object.class, Class.class);
+                        var classTransformer = new ClassTransformer(cls);
+                        classTransformer.removeMethod("newJpaIdentityProvider", item.jpaIdentityProviderClass);
+                        try (var mc = classTransformer.addMethod("newJpaIdentityProvider", item.jpaIdentityProviderClass)) {
+                            mc.setModifiers(ACC_PRIVATE | ACC_STATIC);
+                            // generates method similar to:
+                            // private static JpaIdentityProvider newJpaIdentityProvider() {
+                            //     return JpaIdentityProviderUtil.newInstance(MyEntity__JpaIdentityProviderImpl.class);
+                            // }
+                            var clazz = mc.loadClassFromTCCL(item.jpaIdentityProviderImplName);
+                            // we don't use "new MyEntity__JpaIdentityProviderImpl()" because the generated class needs TCCL
+                            var newInstance = mc.invokeStaticMethod(newInstanceUtilMethodDesc, clazz);
+                            mc.returnValue(newInstance);
+                        }
+                        classTransformer.removeMethod("newJpaTrustedIdentityProvider", item.jpaTrustedIdentityProviderClass);
+                        try (var mc = classTransformer.addMethod("newJpaTrustedIdentityProvider",
+                                item.jpaTrustedIdentityProviderClass)) {
+                            mc.setModifiers(ACC_PRIVATE | ACC_STATIC);
+                            // generates method similar to:
+                            // private static JpaTrustedIdentityProvider newJpaTrustedIdentityProvider() {
+                            //     return JpaIdentityProviderUtil.newInstance(MyEntity__JpaTrustedIdentityProviderImpl.class);
+                            // }
+                            var clazz = mc.loadClassFromTCCL(item.jpaTrustedIdentityProviderImplName);
+                            // we don't use "new MyEntity__JpaTrustedIdentityProviderImpl()",
+                            // because the generated class needs TCCL
+                            var newInstance = mc.invokeStaticMethod(newInstanceUtilMethodDesc, clazz);
+                            mc.returnValue(newInstance);
+                        }
+                        return classTransformer.applyTo(classVisitor);
+                    }));
+        }
+    }
 }

extensions/security-jpa-common/deployment/src/main/java/io/quarkus/security/jpa/common/deployment/SecurityJpaProviderInfoBuildItem.java

@@ -0,0 +1,27 @@
+package io.quarkus.security.jpa.common.deployment;
+
+import java.util.Objects;
+
+import io.quarkus.builder.item.SimpleBuildItem;
+
+/**
+ * Registers {@link io.quarkus.security.jpa.SecurityJpa} CDI bean producer class and generated identity provider names.
+ */
+public final class SecurityJpaProviderInfoBuildItem extends SimpleBuildItem {
+
+    final Class<?> securityJpaProviderClass;
+    final String jpaIdentityProviderImplName;
+    final String jpaTrustedIdentityProviderImplName;
+    final Class<?> jpaIdentityProviderClass;
+    final Class<?> jpaTrustedIdentityProviderClass;
+
+    public SecurityJpaProviderInfoBuildItem(Class<?> securityJpaProviderClass, String jpaIdentityProviderImplName,
+            String jpaTrustedIdentityProviderImplName, Class<?> jpaIdentityProviderClass,
+            Class<?> jpaTrustedIdentityProviderClass) {
+        this.securityJpaProviderClass = Objects.requireNonNull(securityJpaProviderClass);
+        this.jpaIdentityProviderImplName = jpaIdentityProviderImplName;
+        this.jpaTrustedIdentityProviderImplName = jpaTrustedIdentityProviderImplName;
+        this.jpaIdentityProviderClass = jpaIdentityProviderClass;
+        this.jpaTrustedIdentityProviderClass = jpaTrustedIdentityProviderClass;
+    }
+}

extensions/security-jpa-common/runtime/src/main/java/io/quarkus/security/jpa/SecurityJpa.java

@@ -0,0 +1,89 @@
+package io.quarkus.security.jpa;
+
+import io.quarkus.arc.Arc;
+import io.quarkus.security.identity.IdentityProvider;
+import io.quarkus.security.identity.SecurityIdentityAugmentor;
+import io.quarkus.security.spi.runtime.IdentityProviderBuilder;
+import io.smallrye.common.annotation.Experimental;
+
+/**
+ * A CDI bean used to build Quarkus Security JPA {@link IdentityProvider}s programmatically.
+ * This bean should be used together with the CDI event 'HttpSecurity' in following situations:
+ * <ul>
+ * <li>
+ * You want to configure the Basic authentication to use the Quarkus Security JPA {@link IdentityProvider},
+ * while other authentication mechanism is using different {@link IdentityProvider}:
+ *
+ * <pre>
+ * {@code
+ * import static io.quarkus.security.jpa.SecurityJpa.jpa;
+ * import io.quarkus.vertx.http.security.Form;
+ * import io.quarkus.vertx.http.security.HttpSecurity;
+ * import jakarta.enterprise.event.Observes;
+ *
+ * public class HttpSecurityConfiguration {
+ *
+ *     void configure(@Observes HttpSecurity httpSecurity) {
+ *         httpSecurity
+ *                 .basic(jpa())
+ *                 .mechanism(Form.create(), createCustomIdentityProviders());
+ *     }
+ * }
+ * }
+ * </pre>
+ *
+ * </li>
+ * <li>
+ * If you want to store the identity information in a named datasource determined during the runtime:
+ *
+ * <pre>
+ * {@code
+ * import static io.quarkus.security.jpa.SecurityJpa.jpa;
+ * import io.quarkus.vertx.http.security.Form;
+ * import io.quarkus.vertx.http.security.HttpSecurity;
+ * import jakarta.enterprise.event.Observes;
+ * import org.eclipse.microprofile.config.inject.ConfigProperty;
+ *
+ * public class HttpSecurityConfiguration {
+ *
+ *     void configure(@Observes HttpSecurity httpSecurity, @ConfigProperty(name = "named-pu") String namedPersistenceUnit) {
+ *         httpSecurity.basic(jpa().persistence(namedPersistenceUnit));
+ *         // or maybe you need to use 2 different persistence units for each mechanism
+ *         httpSecurity.mechanism(Form.create(), jpa().persistence("different-persistence-unit"));
+ *     }
+ * }
+ * }
+ * </pre>
+ *
+ * </li>
+ * </ul>
+ */
+@Experimental("This API is currently experimental and might get changed")
+public interface SecurityJpa extends IdentityProviderBuilder {
+
+    /**
+     * Selects the persistence unit used by the Security JPA identity providers.
+     *
+     * @param persistenceUnitName persistence unit name
+     * @return
+     */
+    SecurityJpa persistence(String persistenceUnitName);
+
+    /**
+     * Specifies the {@link SecurityIdentityAugmentor} used to augment the {@link io.quarkus.security.identity.SecurityIdentity}
+     * produced by the Security JPA. When this method is used, only augmentors specified this way will be applied.
+     *
+     * @param securityIdentityAugmentor {@link SecurityIdentityAugmentor}
+     * @return
+     */
+    SecurityJpa augmentor(SecurityIdentityAugmentor securityIdentityAugmentor);
+
+    /**
+     * Looks up the {@link SecurityJpa} builder and returns it.
+     *
+     * @return {@link SecurityJpa}
+     */
+    static SecurityJpa jpa() {
+        return Arc.requireContainer().instance(SecurityJpa.class).get();
+    }
+}

extensions/security-jpa-common/runtime/src/main/java/io/quarkus/security/jpa/common/runtime/JpaIdentityProviderUtil.java

@@ -1,5 +1,6 @@
 package io.quarkus.security.jpa.common.runtime;
 
+import java.lang.reflect.InvocationTargetException;
 import java.security.spec.InvalidKeySpecException;
 import java.util.List;
 import java.util.UUID;
@@ -82,4 +83,13 @@ public static void passwordAction(PasswordType type) {
             BcryptUtil.bcryptHash(uuid);
         }
     }
+
+    @SuppressWarnings("unchecked")
+    public static <T> T newInstance(Class<T> clazz) {
+        try {
+            return (T) clazz.getConstructors()[0].newInstance();
+        } catch (InstantiationException | IllegalAccessException | InvocationTargetException e) {
+            throw new RuntimeException(e);
+        }
+    }
 }