feat(security,hibernate-orm): support security annotations on repositories

Author: michalvavrik

docs/src/main/asciidoc/hibernate-orm.adoc

@@ -1949,6 +1949,40 @@ Please refer to the corresponding https://hibernate.org/repositories/[Hibernate
 and https://jakarta.ee/specifications/data/1.0/jakarta-data-1.0[Jakarta Data]
 guides to learn what else they have to offer.
 
+==== Secure Jakarta Data repositories
+
+Quarkus Security supports security annotations placed directly on Jakarta Data repository interfaces and their methods.
+This is one exception to the general rule outlined in xref:security-authorize-web-endpoints-reference.adoc#security-annotations-inheritance[security annotations inheritance], as we do not recommend using security annotations on interfaces elsewhere.
+
+Security annotations can be placed either directly on the Jakarta Data repository methods:
+
+[source,java]
+----
+@Repository
+public interface MyRepository extends CrudRepository<MyEntity, Integer> {
+
+    @RolesAllowed("admin")
+    @Delete
+    void delete(String name);
+
+}
+----
+
+or on the interface classes:
+
+[source,java]
+----
+@Authenticated
+@Repository
+public interface MyRepository extends CrudRepository<MyEntity, Integer> {
+
+    @Delete
+    void delete(String name); <1>
+
+}
+----
+<1> Only the methods directly declared on the `MyRepository` interface require authentication. Methods inherited from `CrudRepository`, such as the `insert` method, are not secured by the interface-level annotation.
+
 [[configuration-reference]]
 == Configuration Reference for Hibernate ORM
 

docs/src/main/asciidoc/security-authorize-web-endpoints-reference.adoc

@@ -790,6 +790,7 @@ It is possible to use multiple expressions in the role definition.
 In development mode, it allows any authenticated user.
 <5> Property expression `all-roles` will be treated as a collection type `List`, therefore, the endpoint will be accessible for roles `Administrator`, `Software`, `Tester` and `User`.
 
+[[security-annotations-inheritance]]
 === Endpoint security annotations and Jakarta REST inheritance
 
 Quarkus supports security annotations placed on the endpoint implementation or its class like in the example below:

extensions/hibernate-orm/deployment/pom.xml

@@ -61,6 +61,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-hibernate-validator-spi</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-security-spi</artifactId>
+        </dependency>
 
         <dependency>
             <groupId>io.quarkus</groupId>

extensions/hibernate-orm/deployment/src/main/java/io/quarkus/hibernate/orm/deployment/HibernateOrmProcessor.java

@@ -146,6 +146,7 @@
 import io.quarkus.panache.hibernate.common.deployment.HibernateModelClassCandidatesForFieldAccessBuildItem;
 import io.quarkus.runtime.LaunchMode;
 import io.quarkus.runtime.configuration.ConfigurationException;
+import io.quarkus.security.spi.SecuredInterfaceAnnotationBuildItem;
 import net.bytebuddy.description.type.TypeDescription;
 import net.bytebuddy.dynamic.ClassFileLocator;
 import net.bytebuddy.dynamic.DynamicType;
@@ -171,6 +172,8 @@ public final class HibernateOrmProcessor {
 
     private static final String INTEGRATOR_SERVICE_FILE = "META-INF/services/org.hibernate.integrator.spi.Integrator";
 
+    private static final String JAKARTA_DATA_REPOSITORY_ANNOTATION = "jakarta.data.repository.Repository";
+
     @BuildStep
     NativeImageFeatureBuildItem registerServicesForReflection(BuildProducer<ServiceProviderBuildItem> services) {
         for (DotName serviceProvider : ClassNames.SERVICE_PROVIDERS) {
@@ -837,6 +840,15 @@ public void registerInjectServiceMethodsForReflection(CombinedIndexBuildItem ind
         }
     }
 
+    @BuildStep
+    public void registerJakartaDataRepositorySecurityAnnotations(Capabilities capabilities,
+            BuildProducer<SecuredInterfaceAnnotationBuildItem> securedInterfaceAnnotationProducer) {
+        if (capabilities.isPresent(Capability.SECURITY)) {
+            securedInterfaceAnnotationProducer
+                    .produce(new SecuredInterfaceAnnotationBuildItem(DotName.createSimple(JAKARTA_DATA_REPOSITORY_ANNOTATION)));
+        }
+    }
+
     private void handleHibernateORMWithNoPersistenceXml(
             HibernateOrmConfig hibernateOrmConfig,
             CombinedIndexBuildItem index,

extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java

@@ -143,6 +143,7 @@
 import io.quarkus.security.spi.PermissionsAllowedMetaAnnotationBuildItem;
 import io.quarkus.security.spi.RegisterClassSecurityCheckBuildItem;
 import io.quarkus.security.spi.RolesAllowedConfigExpResolverBuildItem;
+import io.quarkus.security.spi.SecuredInterfaceAnnotationBuildItem;
 import io.quarkus.security.spi.SecurityTransformer;
 import io.quarkus.security.spi.SecurityTransformer.AuthorizationType;
 import io.quarkus.security.spi.SecurityTransformerBuildItem;
@@ -168,14 +169,24 @@ public class SecurityProcessor {
 
     @BuildStep
     SecurityTransformerBuildItem createSecurityTransformerBuildItem(
+            List<SecuredInterfaceAnnotationBuildItem> securedInterfacePredicates,
             List<AdditionalSecurityAnnotationBuildItem> additionalSecurityAnnotationBuildItems) {
         // collect security annotations
         Map<AuthorizationType, Set<DotName>> authorizationTypeToSecurityAnnotations = new EnumMap<>(AuthorizationType.class);
         authorizationTypeToSecurityAnnotations.put(SECURITY_CHECK, new HashSet<>(SECURITY_CHECK_ANNOTATIONS));
         additionalSecurityAnnotationBuildItems.forEach(i -> authorizationTypeToSecurityAnnotations
                 .computeIfAbsent(i.getAuthorizationType(), k -> new HashSet<>()).add(i.getSecurityAnnotationName()));
 
-        return new SecurityTransformerBuildItem(authorizationTypeToSecurityAnnotations);
+        Predicate<ClassInfo> isInterfaceWithTransformations = securedInterfacePredicates.stream()
+                .map(SecuredInterfaceAnnotationBuildItem::getIsInterfaceWithTransformations)
+                .reduce(Predicate::or)
+                .orElse(null);
+        Set<DotName> securedInterfaceAnnotations = securedInterfacePredicates.stream()
+                .map(SecuredInterfaceAnnotationBuildItem::getInterfaceAnnotationName)
+                .collect(Collectors.toSet());
+
+        return new SecurityTransformerBuildItem(authorizationTypeToSecurityAnnotations,
+                isInterfaceWithTransformations, securedInterfaceAnnotations);
     }
 
     @BuildStep
@@ -187,6 +198,19 @@ List<AdditionalIndexedClassesBuildItem> registerAdditionalIndexedClassesBuildIte
                 .of(new AdditionalIndexedClassesBuildItem(securityTransformerBuildItem.getAllSecurityAnnotationNames()));
     }
 
+    @BuildStep
+    void secureInterfaceImplementations(SecurityTransformerBuildItem securityTransformerBuildItem,
+            CombinedIndexBuildItem combinedIndexBuildItem,
+            BuildProducer<AnnotationsTransformerBuildItem> annotationsTransformerProducer) {
+        SecurityTransformer securityTransformer = createSecurityTransformer(
+                combinedIndexBuildItem.getIndex(), securityTransformerBuildItem);
+        var annotationTransformations = securityTransformer.getInterfaceTransformations();
+        if (annotationTransformations != null) {
+            annotationTransformations
+                    .forEach(i -> annotationsTransformerProducer.produce(new AnnotationsTransformerBuildItem(i)));
+        }
+    }
+
     /**
      * Create JCAProviderBuildItems for any configured provider names
      */

extensions/security/spi/src/main/java/io/quarkus/security/spi/SecuredInterfaceAnnotationBuildItem.java

@@ -0,0 +1,40 @@
+package io.quarkus.security.spi;
+
+import java.util.Objects;
+import java.util.function.Predicate;
+
+import org.jboss.jandex.ClassInfo;
+import org.jboss.jandex.DotName;
+
+import io.quarkus.builder.item.MultiBuildItem;
+
+/**
+ * Security annotations on interfaces are in most cases not inherited by interface implementors.
+ * This build item allows to register interfaces whose implementors will inherit security annotations.
+ * If this build item is used extensively, it can get very complex, and we would create situations,
+ * where users can hardly tell precedence, like what will happen if different repeatable annotation instance
+ * (like the {@code PermissionsAllowed} annotation) is placed on both implemented and interface method.
+ * Or does method-level interface annotation take precedence over implementors class-level annotation.
+ * Examples could continue, for which reason we aim to support simple cases for now.
+ * <p>
+ * The all the implementors of interfaces matched by this build item annotation will inherit
+ * security annotations from interface methods and the interface class-level security annotations only
+ * apply directly on the methods declared on the interface. All scenarios that are supposed to work are tested.
+ * Any scenario that is not working is not yet supported.
+ */
+public final class SecuredInterfaceAnnotationBuildItem extends MultiBuildItem {
+
+    private final DotName interfaceAnnotationName;
+
+    public SecuredInterfaceAnnotationBuildItem(DotName interfaceAnnotationName) {
+        this.interfaceAnnotationName = Objects.requireNonNull(interfaceAnnotationName);
+    }
+
+    public Predicate<ClassInfo> getIsInterfaceWithTransformations() {
+        return ci -> ci.isInterface() && ci.hasDeclaredAnnotation(interfaceAnnotationName);
+    }
+
+    public DotName getInterfaceAnnotationName() {
+        return interfaceAnnotationName;
+    }
+}