feat(security,hibernate-orm): support security annotations on repositories

Author: michalvavrik

docs/src/main/asciidoc/hibernate-orm.adoc

@@ -1949,6 +1949,37 @@ Please refer to the corresponding https://hibernate.org/repositories/[Hibernate
 and https://jakarta.ee/specifications/data/1.0/jakarta-data-1.0[Jakarta Data]
 guides to learn what else they have to offer.
 
+==== Secure Jakarta Data repositories
+
+Quarkus Security can secure Jakarta Data Repositories with security annotations.
+
+.Example Jakarta Data repository with method-level security annotation
+[source,java]
+----
+@Repository
+public interface MyRepository extends CrudRepository<MyEntity, Integer> {
+
+    @RolesAllowed("admin")
+    @Delete
+    void delete(String name);
+
+}
+----
+
+.Example Jakarta Data repository with class-level security annotation
+[source,java]
+----
+@Authenticated
+@Repository
+public interface MyRepository extends CrudRepository<MyEntity, Integer> {
+
+    @Delete
+    void delete(String name); <1>
+
+}
+----
+<1> Only the methods directly declared on the `MyRepository` interface require authentication. Methods inherited from `CrudRepository`, such as the `insert` method, are not secured by the interface-level annotation.
+
 [[configuration-reference]]
 == Configuration Reference for Hibernate ORM
 

docs/src/main/asciidoc/security-authorize-web-endpoints-reference.adoc

@@ -790,6 +790,7 @@ It is possible to use multiple expressions in the role definition.
 In development mode, it allows any authenticated user.
 <5> Property expression `all-roles` will be treated as a collection type `List`, therefore, the endpoint will be accessible for roles `Administrator`, `Software`, `Tester` and `User`.
 
+[[security-annotations-inheritance]]
 === Endpoint security annotations and Jakarta REST inheritance
 
 Quarkus supports security annotations placed on the endpoint implementation or its class like in the example below:

extensions/hibernate-orm/deployment/pom.xml

@@ -65,6 +65,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-reactive-datasource-spi</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-security-spi</artifactId>
+        </dependency>
 
         <dependency>
             <groupId>io.quarkus</groupId>

extensions/hibernate-orm/deployment/src/main/java/io/quarkus/hibernate/orm/deployment/HibernateOrmProcessor.java

@@ -10,6 +10,8 @@
 import static io.quarkus.hibernate.orm.deployment.util.HibernateProcessorUtil.setDialectAndStorageEngine;
 import static io.quarkus.hibernate.orm.deployment.util.HibernateProcessorUtil.xmlMapperKind;
 import static io.quarkus.hibernate.orm.runtime.PersistenceUnitUtil.DEFAULT_PERSISTENCE_UNIT_NAME;
+import static io.quarkus.security.spi.SecuredInterfaceAnnotationBuildItem.ofClassAnnotation;
+import static io.quarkus.security.spi.SecuredInterfaceAnnotationBuildItem.ofMethodAnnotation;
 
 import java.io.IOException;
 import java.net.URL;
@@ -44,6 +46,9 @@
 import jakarta.persistence.PersistenceUnitTransactionType;
 import jakarta.xml.bind.JAXBElement;
 
+import org.hibernate.annotations.processing.Find;
+import org.hibernate.annotations.processing.HQL;
+import org.hibernate.annotations.processing.SQL;
 import org.hibernate.boot.archive.scan.spi.ClassDescriptor;
 import org.hibernate.boot.archive.scan.spi.PackageDescriptor;
 import org.hibernate.boot.beanvalidation.BeanValidationIntegrator;
@@ -150,6 +155,7 @@
 import io.quarkus.reactive.datasource.spi.ReactiveDataSourceBuildItem;
 import io.quarkus.runtime.LaunchMode;
 import io.quarkus.runtime.configuration.ConfigurationException;
+import io.quarkus.security.spi.SecuredInterfaceAnnotationBuildItem;
 import net.bytebuddy.description.type.TypeDescription;
 import net.bytebuddy.dynamic.ClassFileLocator;
 import net.bytebuddy.dynamic.DynamicType;
@@ -171,10 +177,17 @@ public final class HibernateOrmProcessor {
 
     public static final String HIBERNATE_ORM_CONFIG_PREFIX = "quarkus.hibernate-orm.";
 
+    /**
+     * Collection of Hibernate annotations for which, if detected on interface, Hibernate processor generates repository.
+     */
+    public static final Set<Class<?>> HIBERNATE_REPOSITORY_ANNOTATIONS = Set.of(Find.class, HQL.class, SQL.class);
+
     private static final Logger LOG = Logger.getLogger(HibernateOrmProcessor.class);
 
     private static final String INTEGRATOR_SERVICE_FILE = "META-INF/services/org.hibernate.integrator.spi.Integrator";
 
+    private static final String JAKARTA_DATA_REPOSITORY_ANNOTATION = "jakarta.data.repository.Repository";
+
     @BuildStep
     NativeImageFeatureBuildItem registerServicesForReflection(BuildProducer<ServiceProviderBuildItem> services) {
         for (DotName serviceProvider : ClassNames.SERVICE_PROVIDERS) {
@@ -856,6 +869,16 @@ public void registerInjectServiceMethodsForReflection(CombinedIndexBuildItem ind
         }
     }
 
+    @BuildStep
+    void registerJakartaDataRepositorySecurityAnnotations(Capabilities capabilities,
+            BuildProducer<SecuredInterfaceAnnotationBuildItem> securedInterfaceAnnotationProducer) {
+        if (capabilities.isPresent(Capability.SECURITY)) {
+            securedInterfaceAnnotationProducer.produce(ofClassAnnotation(JAKARTA_DATA_REPOSITORY_ANNOTATION));
+            HIBERNATE_REPOSITORY_ANNOTATIONS
+                    .forEach(annotation -> securedInterfaceAnnotationProducer.produce(ofMethodAnnotation(annotation)));
+        }
+    }
+
     private void handleHibernateORMWithNoPersistenceXml(
             HibernateOrmConfig hibernateOrmConfig,
             CombinedIndexBuildItem index,

extensions/hibernate-orm/deployment/src/test/java/io/quarkus/hibernate/orm/deployment/HibernateRepositoryAnnotationsTest.java

@@ -0,0 +1,94 @@
+package io.quarkus.hibernate.orm.deployment;
+
+import static java.util.stream.Collectors.toSet;
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.io.File;
+import java.io.IOException;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+import java.net.URL;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.assertj.core.api.Assertions;
+import org.hibernate.Hibernate;
+import org.hibernate.annotations.processing.Find;
+import org.jboss.jandex.AnnotationInstance;
+import org.jboss.jandex.ClassInfo;
+import org.jboss.jandex.DotName;
+import org.jboss.jandex.Index;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import io.quarkus.deployment.index.IndexingUtil;
+
+/**
+ * Tests that the list of the 'org.hibernate.annotations.processing' package annotations for which Hibernate Processor
+ * creates Hibernate repository is up-to-date.
+ */
+public class HibernateRepositoryAnnotationsTest {
+
+    private static final DotName RETENTION = DotName.createSimple(Retention.class.getName());
+    private static final DotName TARGET = DotName.createSimple(Target.class.getName());
+    private static final String ANNOTATIONS_PACKAGE = Find.class.getPackage().getName();
+
+    private static Index hibernateIndex;
+
+    @BeforeAll
+    public static void index() throws IOException {
+        hibernateIndex = IndexingUtil.indexJar(determineHibernateJarLocation());
+    }
+
+    @Test
+    void testAllRepositoryDefiningAnnotationsListed() {
+        var allProcessingAnnotations = findAllProcessingAnnotations();
+        var knowRepositoryDefiningAnnotations = HibernateOrmProcessor.HIBERNATE_REPOSITORY_ANNOTATIONS.stream()
+                .map(Class::getName).collect(toSet());
+        assertThat(allProcessingAnnotations)
+                .isNotEmpty()
+                .contains(knowRepositoryDefiningAnnotations.toArray(new String[0]));
+        if (knowRepositoryDefiningAnnotations.size() != allProcessingAnnotations.size()) {
+            for (String annotation : allProcessingAnnotations) {
+                if (!knowRepositoryDefiningAnnotations.contains(annotation)) {
+                    // if this ever happen, we can introduce a whitelist
+                    Assertions.fail("Annotation " + annotation + " has not been vetted yet."
+                            + "Please verify this annotation cannot be used as a repository defining annotation.");
+                }
+            }
+        }
+    }
+
+    private static Set<String> findAllProcessingAnnotations() {
+        Set<String> annotations = new HashSet<>();
+        for (AnnotationInstance retentionAnnotation : hibernateIndex.getAnnotations(RETENTION)) {
+            ClassInfo annotation = retentionAnnotation.target().asClass();
+            if (annotation.name().packagePrefix().equals(ANNOTATIONS_PACKAGE) && allowsMethodTargetType(annotation)) {
+                annotations.add(annotation.name().toString());
+            }
+        }
+        return annotations;
+    }
+
+    private static boolean allowsMethodTargetType(ClassInfo annotation) {
+        AnnotationInstance targetAnnotation = annotation.declaredAnnotation(TARGET);
+        if (targetAnnotation == null) {
+            // Can target anything
+            return true;
+        }
+
+        List<String> allowedTargetTypes = Arrays.asList(targetAnnotation.value().asEnumArray());
+        return allowedTargetTypes.contains(ElementType.METHOD.name());
+    }
+
+    private static File determineHibernateJarLocation() {
+        URL url = Hibernate.class.getProtectionDomain().getCodeSource().getLocation();
+        if (!url.getProtocol().equals("file")) {
+            throw new IllegalStateException("Hibernate JAR is not a local file? " + url);
+        }
+        return new File(url.getPath());
+    }
+}

extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java

@@ -144,6 +144,7 @@
 import io.quarkus.security.spi.PermissionsAllowedMetaAnnotationBuildItem;
 import io.quarkus.security.spi.RegisterClassSecurityCheckBuildItem;
 import io.quarkus.security.spi.RolesAllowedConfigExpResolverBuildItem;
+import io.quarkus.security.spi.SecuredInterfaceAnnotationBuildItem;
 import io.quarkus.security.spi.SecurityTransformer;
 import io.quarkus.security.spi.SecurityTransformer.AuthorizationType;
 import io.quarkus.security.spi.SecurityTransformerBuildItem;
@@ -169,14 +170,24 @@ public class SecurityProcessor {
 
     @BuildStep
     SecurityTransformerBuildItem createSecurityTransformerBuildItem(
+            List<SecuredInterfaceAnnotationBuildItem> securedInterfacePredicates,
             List<AdditionalSecurityAnnotationBuildItem> additionalSecurityAnnotationBuildItems) {
         // collect security annotations
         Map<AuthorizationType, Set<DotName>> authorizationTypeToSecurityAnnotations = new EnumMap<>(AuthorizationType.class);
         authorizationTypeToSecurityAnnotations.put(SECURITY_CHECK, new HashSet<>(SECURITY_CHECK_ANNOTATIONS));
         additionalSecurityAnnotationBuildItems.forEach(i -> authorizationTypeToSecurityAnnotations
                 .computeIfAbsent(i.getAuthorizationType(), k -> new HashSet<>()).add(i.getSecurityAnnotationName()));
 
-        return new SecurityTransformerBuildItem(authorizationTypeToSecurityAnnotations);
+        Predicate<ClassInfo> isInterfaceWithTransformations = securedInterfacePredicates.stream()
+                .map(SecuredInterfaceAnnotationBuildItem::getIsInterfaceWithTransformations)
+                .reduce(Predicate::or)
+                .orElse(null);
+        Set<DotName> securedAnnotations = securedInterfacePredicates.stream()
+                .map(SecuredInterfaceAnnotationBuildItem::getAnnotationName)
+                .collect(Collectors.toSet());
+
+        return new SecurityTransformerBuildItem(authorizationTypeToSecurityAnnotations, isInterfaceWithTransformations,
+                securedAnnotations);
     }
 
     @BuildStep
@@ -188,6 +199,19 @@ List<AdditionalIndexedClassesBuildItem> registerAdditionalIndexedClassesBuildIte
                 .of(new AdditionalIndexedClassesBuildItem(securityTransformerBuildItem.getAllSecurityAnnotationNames()));
     }
 
+    @BuildStep
+    void secureInterfaceImplementations(SecurityTransformerBuildItem securityTransformerBuildItem,
+            CombinedIndexBuildItem combinedIndexBuildItem,
+            BuildProducer<AnnotationsTransformerBuildItem> annotationsTransformerProducer) {
+        SecurityTransformer securityTransformer = createSecurityTransformer(
+                combinedIndexBuildItem.getIndex(), securityTransformerBuildItem);
+        var annotationTransformations = securityTransformer.getInterfaceTransformations();
+        if (annotationTransformations != null) {
+            annotationTransformations
+                    .forEach(i -> annotationsTransformerProducer.produce(new AnnotationsTransformerBuildItem(i)));
+        }
+    }
+
     /**
      * Create JCAProviderBuildItems for any configured provider names
      */

extensions/security/spi/src/main/java/io/quarkus/security/spi/SecuredInterfaceAnnotationBuildItem.java

@@ -0,0 +1,59 @@
+package io.quarkus.security.spi;
+
+import java.util.Objects;
+import java.util.function.Predicate;
+
+import org.jboss.jandex.ClassInfo;
+import org.jboss.jandex.DotName;
+
+import io.quarkus.builder.item.MultiBuildItem;
+
+/**
+ * Security annotations on interfaces are in most cases not inherited by interface implementors.
+ * This build item allows to register interfaces whose implementors will inherit security annotations.
+ * If this build item is used extensively, it can get very complex, and we would create situations,
+ * where users can hardly tell precedence, like what will happen if different repeatable annotation instance
+ * (like the {@code PermissionsAllowed} annotation) is placed on both implemented and interface method.
+ * Or does method-level interface annotation take precedence over implementors class-level annotation.
+ * Examples could continue, for which reason we aim to support simple cases for now.
+ * <p>
+ * The all the implementors of interfaces matched by this build item annotation will inherit
+ * security annotations from interface methods and the interface class-level security annotations only
+ * apply directly on the methods declared on the interface. All scenarios that are supposed to work are tested.
+ * Any scenario that is not working is not yet supported.
+ */
+public final class SecuredInterfaceAnnotationBuildItem extends MultiBuildItem {
+
+    private enum SecuredAnnotationTargetKind {
+        METHOD,
+        CLASS
+    }
+
+    private final DotName annotationName;
+
+    private final SecuredAnnotationTargetKind targetKind;
+
+    private SecuredInterfaceAnnotationBuildItem(DotName annotationName, SecuredAnnotationTargetKind targetKind) {
+        this.annotationName = Objects.requireNonNull(annotationName);
+        this.targetKind = targetKind;
+    }
+
+    public Predicate<ClassInfo> getIsInterfaceWithTransformations() {
+        return switch (targetKind) {
+            case CLASS -> ci -> ci.isInterface() && ci.hasDeclaredAnnotation(annotationName);
+            case METHOD -> ci -> ci.isInterface() && ci.hasAnnotation(annotationName);
+        };
+    }
+
+    public DotName getAnnotationName() {
+        return annotationName;
+    }
+
+    public static SecuredInterfaceAnnotationBuildItem ofClassAnnotation(String annotationName) {
+        return new SecuredInterfaceAnnotationBuildItem(DotName.createSimple(annotationName), SecuredAnnotationTargetKind.CLASS);
+    }
+
+    public static SecuredInterfaceAnnotationBuildItem ofMethodAnnotation(Class<?> annotation) {
+        return new SecuredInterfaceAnnotationBuildItem(DotName.createSimple(annotation), SecuredAnnotationTargetKind.METHOD);
+    }
+}