fix(vertx-http): fail build on duplicated named policies

michalvavrik · michalvavrik · commit 85975e7df791 · 2025-04-20T09:45:18.000+02:00
diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/DuplicatedNamedAuthPolicyValidationFailureTest.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/DuplicatedNamedAuthPolicyValidationFailureTest.java
@@ -0,0 +1,65 @@
+package io.quarkus.vertx.http.security;
+
+import jakarta.enterprise.context.ApplicationScoped;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.test.QuarkusUnitTest;
+import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
+import io.smallrye.mutiny.Uni;
+import io.vertx.ext.web.RoutingContext;
+
+public class DuplicatedNamedAuthPolicyValidationFailureTest {
+
+    private static final String POLICY_NAME = "p_o_l_i_c_y_n_a_m_e";
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addClasses(NamedPolicy_1.class, NamedPolicy_2.class))
+            .assertException(throwable -> {
+                var errMsg = throwable.getMessage();
+                Assertions.assertTrue(errMsg.contains("Only one HttpSecurityPolicy"), errMsg);
+                Assertions.assertTrue(errMsg.contains(POLICY_NAME), errMsg);
+                Assertions.assertTrue(errMsg.contains(NamedPolicy_1.class.getSimpleName()));
+                Assertions.assertTrue(errMsg.contains(NamedPolicy_2.class.getSimpleName()));
+            });
+
+    @Test
+    public void test() {
+        Assertions.fail("Build was supposed to fail due to validation");
+    }
+
+    @ApplicationScoped
+    public static class NamedPolicy_1 implements HttpSecurityPolicy {
+
+        @Override
+        public Uni<CheckResult> checkPermission(RoutingContext request, Uni<SecurityIdentity> identity,
+                AuthorizationRequestContext requestContext) {
+            return null;
+        }
+
+        @Override
+        public String name() {
+            return POLICY_NAME;
+        }
+    }
+
+    @ApplicationScoped
+    public static class NamedPolicy_2 implements HttpSecurityPolicy {
+
+        @Override
+        public Uni<CheckResult> checkPermission(RoutingContext request, Uni<SecurityIdentity> identity,
+                AuthorizationRequestContext requestContext) {
+            return null;
+        }
+
+        @Override
+        public String name() {
+            return POLICY_NAME;
+        }
+    }
+}
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/AbstractPathMatchingHttpSecurityPolicy.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/AbstractPathMatchingHttpSecurityPolicy.java
@@ -16,6 +16,7 @@
 
 import jakarta.enterprise.inject.Instance;
 
+import io.quarkus.arc.ClientProxy;
 import io.quarkus.runtime.configuration.ConfigurationException;
 import io.quarkus.security.StringPermission;
 import io.quarkus.security.identity.SecurityIdentity;
@@ -236,7 +237,10 @@ private static Map<String, HttpSecurityPolicy> toNamedHttpSecPolicies(Map<String
                 if (policy.name().isBlank()) {
                     throw new ConfigurationException("HTTP Security policy '" + policy + "' name must not be blank");
                 }
-                namedPolicies.put(policy.name(), policy);
+                var previousPolicy = namedPolicies.put(policy.name(), policy);
+                if (previousPolicy != null) {
+                    throw duplicateNamedPoliciesNotAllowedEx(previousPolicy, policy);
+                }
             }
         }
 
@@ -271,12 +275,26 @@ private static Map<String, HttpSecurityPolicy> toNamedHttpSecPolicies(Map<String
                     roleToPermissions.put(role, Set.copyOf(permissions));
                 }
             }
-            namedPolicies.put(e.getKey(),
-                    new RolesAllowedHttpSecurityPolicy(policyConfig.rolesAllowed(), roleToPermissions, policyConfig.roles()));
+            var rolesAllowedPolicy = new RolesAllowedHttpSecurityPolicy(policyConfig.rolesAllowed(), roleToPermissions,
+                    policyConfig.roles());
+            var previousPolicy = namedPolicies.put(e.getKey(), rolesAllowedPolicy);
+            if (previousPolicy != null) {
+                throw duplicateNamedPoliciesNotAllowedEx(previousPolicy, rolesAllowedPolicy);
+            }
+        }
+
+        var previousPolicy = namedPolicies.put("deny", DenySecurityPolicy.INSTANCE);
+        if (previousPolicy != null) {
+            throw duplicateNamedPoliciesNotAllowedEx(previousPolicy, DenySecurityPolicy.INSTANCE);
+        }
+        previousPolicy = namedPolicies.put("permit", new PermitSecurityPolicy());
+        if (previousPolicy != null) {
+            throw duplicateNamedPoliciesNotAllowedEx(previousPolicy, new PermitSecurityPolicy());
+        }
+        previousPolicy = namedPolicies.put("authenticated", new AuthenticatedHttpSecurityPolicy());
+        if (previousPolicy != null) {
+            throw duplicateNamedPoliciesNotAllowedEx(previousPolicy, new AuthenticatedHttpSecurityPolicy());
         }
-        namedPolicies.put("deny", new DenySecurityPolicy());
-        namedPolicies.put("permit", new PermitSecurityPolicy());
-        namedPolicies.put("authenticated", new AuthenticatedHttpSecurityPolicy());
         return namedPolicies;
     }
 
@@ -386,6 +404,13 @@ private void addAction(String action) {
         }
     }
 
+    static ConfigurationException duplicateNamedPoliciesNotAllowedEx(HttpSecurityPolicy policy1, HttpSecurityPolicy policy2) {
+        String policyClassName1 = ClientProxy.unwrap(policy1).getClass().getName();
+        String policyClassName2 = ClientProxy.unwrap(policy2).getClass().getName();
+        return new ConfigurationException("Only one HttpSecurityPolicy with the name '"
+                + policy1.name() + "' is allowed, but found: " + policyClassName1 + " and " + policyClassName2);
+    }
+
     record HttpMatcher(String authMechanism, Set<String> methods, HttpSecurityPolicy checker) {
 
     }
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/JaxRsPathMatchingHttpSecurityPolicy.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/JaxRsPathMatchingHttpSecurityPolicy.java
@@ -1,6 +1,7 @@
 package io.quarkus.vertx.http.runtime.security;
 
 import static io.quarkus.vertx.http.runtime.PolicyMappingConfig.AppliesTo.JAXRS;
+import static io.quarkus.vertx.http.runtime.security.AbstractPathMatchingHttpSecurityPolicy.duplicateNamedPoliciesNotAllowedEx;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -46,7 +47,10 @@ public class JaxRsPathMatchingHttpSecurityPolicy {
             var allPolicies = new HashMap<String, HttpSecurityPolicy>();
             for (HttpSecurityPolicy installedPolicy : installedPolicies) {
                 if (installedPolicy.name() != null) {
-                    allPolicies.put(installedPolicy.name(), installedPolicy);
+                    var previousPolicy = allPolicies.put(installedPolicy.name(), installedPolicy);
+                    if (previousPolicy != null) {
+                        throw duplicateNamedPoliciesNotAllowedEx(previousPolicy, installedPolicy);
+                    }
                 }
             }
             var annotationPoliciesOnly = new HashMap<String, HttpSecurityPolicy>();
