feat(security,hibernate-orm): support security annotations on repositories

Author: michalvavrik

docs/src/main/asciidoc/hibernate-orm.adoc

@@ -1949,6 +1949,76 @@ Please refer to the corresponding https://hibernate.org/repositories/[Hibernate
 and https://jakarta.ee/specifications/data/1.0/jakarta-data-1.0[Jakarta Data]
 guides to learn what else they have to offer.
 
+==== Secure Jakarta Data repositories
+
+Quarkus Security can secure Jakarta Data Repositories with security annotations.
+
+.Example Jakarta Data repository with method-level security annotation
+[source,java]
+----
+@Repository
+public interface MyRepository extends CrudRepository<MyEntity, Integer> {
+
+    @RolesAllowed("admin")
+    @Delete
+    void delete(String name);
+
+}
+----
+
+.Example Jakarta Data repository with class-level security annotation
+[source,java]
+----
+@Authenticated
+@Repository
+public interface MyRepository extends CrudRepository<MyEntity, Integer> {
+
+    @Delete
+    void delete(String name);
+
+}
+----
+
+[WARNING]
+====
+Only the methods directly declared on the `MyRepository` interface require authentication.
+Methods inherited from `CrudRepository`, such as the `insert` method, are not secured by the interface-level annotation.
+====
+
+[IMPORTANT]
+====
+Generic interface methods using type variables or wildcards cannot currently be secured reliably with standard security annotations.
+For example, consider the generic method `findAll` with the type variable `T` shown below:
+
+[source,java]
+----
+public interface MyParentRepository<T extends MyEntity> {
+
+    @Find
+    Stream<T> findAll(Order<T> order);
+
+}
+
+@Repository
+public interface MyRepository extends MyParentRepository<MyEntity> {
+}
+----
+
+You can either apply a security annotation to the calling method in your service layer or replace the type variable `T` with a concrete type, as demonstrated below:
+
+[source,java]
+----
+@Repository
+public interface MyRepository {
+
+    @PermissionsAllowed("find-all")
+    @Find
+    Stream<MyEntity> findAll(Order<MyEntity> order);
+
+}
+----
+====
+
 [[configuration-reference]]
 == Configuration Reference for Hibernate ORM
 

extensions/hibernate-orm/deployment/pom.xml

@@ -65,6 +65,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-reactive-datasource-spi</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-security-spi</artifactId>
+        </dependency>
 
         <dependency>
             <groupId>io.quarkus</groupId>

extensions/hibernate-orm/deployment/src/main/java/io/quarkus/hibernate/orm/deployment/HibernateOrmProcessor.java

@@ -10,6 +10,8 @@
 import static io.quarkus.hibernate.orm.deployment.util.HibernateProcessorUtil.setDialectAndStorageEngine;
 import static io.quarkus.hibernate.orm.deployment.util.HibernateProcessorUtil.xmlMapperKind;
 import static io.quarkus.hibernate.orm.runtime.PersistenceUnitUtil.DEFAULT_PERSISTENCE_UNIT_NAME;
+import static io.quarkus.security.spi.SecuredInterfaceAnnotationBuildItem.ofClassAnnotation;
+import static io.quarkus.security.spi.SecuredInterfaceAnnotationBuildItem.ofMethodAnnotation;
 
 import java.io.IOException;
 import java.net.URL;
@@ -44,6 +46,9 @@
 import jakarta.persistence.PersistenceUnitTransactionType;
 import jakarta.xml.bind.JAXBElement;
 
+import org.hibernate.annotations.processing.Find;
+import org.hibernate.annotations.processing.HQL;
+import org.hibernate.annotations.processing.SQL;
 import org.hibernate.boot.archive.scan.spi.ClassDescriptor;
 import org.hibernate.boot.archive.scan.spi.PackageDescriptor;
 import org.hibernate.boot.beanvalidation.BeanValidationIntegrator;
@@ -150,6 +155,7 @@
 import io.quarkus.reactive.datasource.spi.ReactiveDataSourceBuildItem;
 import io.quarkus.runtime.LaunchMode;
 import io.quarkus.runtime.configuration.ConfigurationException;
+import io.quarkus.security.spi.SecuredInterfaceAnnotationBuildItem;
 import net.bytebuddy.description.type.TypeDescription;
 import net.bytebuddy.dynamic.ClassFileLocator;
 import net.bytebuddy.dynamic.DynamicType;
@@ -171,10 +177,17 @@ public final class HibernateOrmProcessor {
 
     public static final String HIBERNATE_ORM_CONFIG_PREFIX = "quarkus.hibernate-orm.";
 
+    /**
+     * Collection of Hibernate annotations for which, if detected on interface, Hibernate processor generates repository.
+     */
+    public static final Set<Class<?>> HIBERNATE_REPOSITORY_ANNOTATIONS = Set.of(Find.class, HQL.class, SQL.class);
+
     private static final Logger LOG = Logger.getLogger(HibernateOrmProcessor.class);
 
     private static final String INTEGRATOR_SERVICE_FILE = "META-INF/services/org.hibernate.integrator.spi.Integrator";
 
+    private static final String JAKARTA_DATA_REPOSITORY_ANNOTATION = "jakarta.data.repository.Repository";
+
     @BuildStep
     NativeImageFeatureBuildItem registerServicesForReflection(BuildProducer<ServiceProviderBuildItem> services) {
         for (DotName serviceProvider : ClassNames.SERVICE_PROVIDERS) {
@@ -856,6 +869,16 @@ public void registerInjectServiceMethodsForReflection(CombinedIndexBuildItem ind
         }
     }
 
+    @BuildStep
+    void registerJakartaDataRepositorySecurityAnnotations(Capabilities capabilities,
+            BuildProducer<SecuredInterfaceAnnotationBuildItem> securedInterfaceAnnotationProducer) {
+        if (capabilities.isPresent(Capability.SECURITY)) {
+            securedInterfaceAnnotationProducer.produce(ofClassAnnotation(JAKARTA_DATA_REPOSITORY_ANNOTATION));
+            HIBERNATE_REPOSITORY_ANNOTATIONS
+                    .forEach(annotation -> securedInterfaceAnnotationProducer.produce(ofMethodAnnotation(annotation)));
+        }
+    }
+
     private void handleHibernateORMWithNoPersistenceXml(
             HibernateOrmConfig hibernateOrmConfig,
             CombinedIndexBuildItem index,

extensions/hibernate-orm/deployment/src/test/java/io/quarkus/hibernate/orm/deployment/HibernateRepositoryAnnotationsTest.java

@@ -0,0 +1,94 @@
+package io.quarkus.hibernate.orm.deployment;
+
+import static java.util.stream.Collectors.toSet;
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.io.File;
+import java.io.IOException;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+import java.net.URL;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.assertj.core.api.Assertions;
+import org.hibernate.Hibernate;
+import org.hibernate.annotations.processing.Find;
+import org.jboss.jandex.AnnotationInstance;
+import org.jboss.jandex.ClassInfo;
+import org.jboss.jandex.DotName;
+import org.jboss.jandex.Index;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import io.quarkus.deployment.index.IndexingUtil;
+
+/**
+ * Tests that the list of the 'org.hibernate.annotations.processing' package annotations for which Hibernate Processor
+ * creates Hibernate repository is up-to-date.
+ */
+public class HibernateRepositoryAnnotationsTest {
+
+    private static final DotName RETENTION = DotName.createSimple(Retention.class.getName());
+    private static final DotName TARGET = DotName.createSimple(Target.class.getName());
+    private static final String ANNOTATIONS_PACKAGE = Find.class.getPackage().getName();
+
+    private static Index hibernateIndex;
+
+    @BeforeAll
+    public static void index() throws IOException {
+        hibernateIndex = IndexingUtil.indexJar(determineHibernateJarLocation());
+    }
+
+    @Test
+    void testAllRepositoryDefiningAnnotationsListed() {
+        var allProcessingAnnotations = findAllProcessingAnnotations();
+        var knowRepositoryDefiningAnnotations = HibernateOrmProcessor.HIBERNATE_REPOSITORY_ANNOTATIONS.stream()
+                .map(Class::getName).collect(toSet());
+        assertThat(allProcessingAnnotations)
+                .isNotEmpty()
+                .contains(knowRepositoryDefiningAnnotations.toArray(new String[0]));
+        if (knowRepositoryDefiningAnnotations.size() != allProcessingAnnotations.size()) {
+            for (String annotation : allProcessingAnnotations) {
+                if (!knowRepositoryDefiningAnnotations.contains(annotation)) {
+                    // if this ever happen, we can introduce a whitelist
+                    Assertions.fail("Annotation " + annotation + " has not been vetted yet."
+                            + "Please verify this annotation cannot be used as a repository defining annotation.");
+                }
+            }
+        }
+    }
+
+    private static Set<String> findAllProcessingAnnotations() {
+        Set<String> annotations = new HashSet<>();
+        for (AnnotationInstance retentionAnnotation : hibernateIndex.getAnnotations(RETENTION)) {
+            ClassInfo annotation = retentionAnnotation.target().asClass();
+            if (annotation.name().packagePrefix().equals(ANNOTATIONS_PACKAGE) && allowsMethodTargetType(annotation)) {
+                annotations.add(annotation.name().toString());
+            }
+        }
+        return annotations;
+    }
+
+    private static boolean allowsMethodTargetType(ClassInfo annotation) {
+        AnnotationInstance targetAnnotation = annotation.declaredAnnotation(TARGET);
+        if (targetAnnotation == null) {
+            // Can target anything
+            return true;
+        }
+
+        List<String> allowedTargetTypes = Arrays.asList(targetAnnotation.value().asEnumArray());
+        return allowedTargetTypes.contains(ElementType.METHOD.name());
+    }
+
+    private static File determineHibernateJarLocation() {
+        URL url = Hibernate.class.getProtectionDomain().getCodeSource().getLocation();
+        if (!url.getProtocol().equals("file")) {
+            throw new IllegalStateException("Hibernate JAR is not a local file? " + url);
+        }
+        return new File(url.getPath());
+    }
+}

extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java

@@ -144,6 +144,7 @@
 import io.quarkus.security.spi.PermissionsAllowedMetaAnnotationBuildItem;
 import io.quarkus.security.spi.RegisterClassSecurityCheckBuildItem;
 import io.quarkus.security.spi.RolesAllowedConfigExpResolverBuildItem;
+import io.quarkus.security.spi.SecuredInterfaceAnnotationBuildItem;
 import io.quarkus.security.spi.SecurityTransformer;
 import io.quarkus.security.spi.SecurityTransformer.AuthorizationType;
 import io.quarkus.security.spi.SecurityTransformerBuildItem;
@@ -169,14 +170,24 @@ public class SecurityProcessor {
 
     @BuildStep
     SecurityTransformerBuildItem createSecurityTransformerBuildItem(
+            List<SecuredInterfaceAnnotationBuildItem> securedInterfacePredicates,
             List<AdditionalSecurityAnnotationBuildItem> additionalSecurityAnnotationBuildItems) {
         // collect security annotations
         Map<AuthorizationType, Set<DotName>> authorizationTypeToSecurityAnnotations = new EnumMap<>(AuthorizationType.class);
         authorizationTypeToSecurityAnnotations.put(SECURITY_CHECK, new HashSet<>(SECURITY_CHECK_ANNOTATIONS));
         additionalSecurityAnnotationBuildItems.forEach(i -> authorizationTypeToSecurityAnnotations
                 .computeIfAbsent(i.getAuthorizationType(), k -> new HashSet<>()).add(i.getSecurityAnnotationName()));
 
-        return new SecurityTransformerBuildItem(authorizationTypeToSecurityAnnotations);
+        Predicate<ClassInfo> isInterfaceWithTransformations = securedInterfacePredicates.stream()
+                .map(SecuredInterfaceAnnotationBuildItem::getIsInterfaceWithTransformations)
+                .reduce(Predicate::or)
+                .orElse(null);
+        Set<DotName> securedAnnotations = securedInterfacePredicates.stream()
+                .map(SecuredInterfaceAnnotationBuildItem::getAnnotationName)
+                .collect(Collectors.toSet());
+
+        return new SecurityTransformerBuildItem(authorizationTypeToSecurityAnnotations, isInterfaceWithTransformations,
+                securedAnnotations);
     }
 
     @BuildStep
@@ -188,6 +199,19 @@ List<AdditionalIndexedClassesBuildItem> registerAdditionalIndexedClassesBuildIte
                 .of(new AdditionalIndexedClassesBuildItem(securityTransformerBuildItem.getAllSecurityAnnotationNames()));
     }
 
+    @BuildStep
+    void secureInterfaceImplementations(SecurityTransformerBuildItem securityTransformerBuildItem,
+            CombinedIndexBuildItem combinedIndexBuildItem,
+            BuildProducer<AnnotationsTransformerBuildItem> annotationsTransformerProducer) {
+        SecurityTransformer securityTransformer = createSecurityTransformer(
+                combinedIndexBuildItem.getIndex(), securityTransformerBuildItem);
+        var annotationTransformations = securityTransformer.getInterfaceTransformations();
+        if (annotationTransformations != null) {
+            annotationTransformations
+                    .forEach(i -> annotationsTransformerProducer.produce(new AnnotationsTransformerBuildItem(i)));
+        }
+    }
+
     /**
      * Create JCAProviderBuildItems for any configured provider names
      */

extensions/security/deployment/src/test/java/io/quarkus/security/test/cdi/SecurityAnnotationWithTypeVariableValidationFailureTest.java

@@ -0,0 +1,78 @@
+package io.quarkus.security.test.cdi;
+
+import static org.junit.jupiter.api.Assertions.assertInstanceOf;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import jakarta.annotation.security.DenyAll;
+
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.JavaArchive;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.security.spi.SecuredInterfaceAnnotationBuildItem;
+import io.quarkus.test.QuarkusUnitTest;
+
+/**
+ * Type variables are currently not supported for secured interfaces.
+ */
+public class SecurityAnnotationWithTypeVariableValidationFailureTest {
+
+    @RegisterExtension
+    static QuarkusUnitTest test = new QuarkusUnitTest().setArchiveProducer(() -> ShrinkWrap
+            .create(JavaArchive.class)
+            .addClasses(SecuredInterface.class, ParametrizedType.class, Repository.class, SecuredInterfaceImpl.class))
+            .assertException(throwable -> {
+                assertInstanceOf(RuntimeException.class, throwable);
+                String exceptionMessage = throwable.getMessage();
+                assertTrue(exceptionMessage.contains("Unable to determine if the"),
+                        () -> "Unexpected exception message: " + exceptionMessage);
+                assertTrue(exceptionMessage.contains("SecuredInterfaceImpl#securedMethod"),
+                        () -> "Unexpected exception message: " + exceptionMessage);
+                assertTrue(exceptionMessage.contains("method should inherit security annotation"),
+                        () -> "Unexpected exception message: " + exceptionMessage);
+                assertTrue(exceptionMessage.contains("SecuredInterface#securedMethod"),
+                        () -> "Unexpected exception message: " + exceptionMessage);
+            })
+            .addBuildChainCustomizer(buildChainBuilder -> buildChainBuilder
+                    .addBuildStep(context -> context
+                            .produce(SecuredInterfaceAnnotationBuildItem.ofClassAnnotation(Repository.class.getName())))
+                    .produces(SecuredInterfaceAnnotationBuildItem.class).build());
+
+    @Test
+    public void runTest() {
+        Assertions.fail("This test should not run");
+    }
+
+    @Repository
+    public interface SecuredInterface<T> {
+
+        @DenyAll
+        Object securedMethod(ParametrizedType<T> securedAnnotation);
+
+    }
+
+    public static class SecuredInterfaceImpl implements SecuredInterface<String> {
+
+        @Override
+        public Object securedMethod(ParametrizedType<String> securedAnnotation) {
+            return null;
+        }
+    }
+
+    public static class ParametrizedType<T> {
+
+    }
+
+    @Retention(RetentionPolicy.RUNTIME)
+    @Target(ElementType.TYPE)
+    public @interface Repository {
+
+    }
+}