
Security Testing

This document describes how to test Quarkus Security.

Configuring User Information

You can use quarkus-elytron-security-properties-file to test security. It supports both embedding the user information in application.properties and keeping it in standalone properties files.

For example, the following configuration uses Configuration Profiles to define embedded users for development mode while requiring OAuth2 in production:

# Configure embedded authentication
%dev.quarkus.security.users.embedded.enabled=true
%dev.quarkus.security.users.embedded.plain-text=true
%dev.quarkus.security.users.embedded.users.scott=reader
%dev.quarkus.security.users.embedded.users.stuart=writer
%dev.quarkus.security.users.embedded.roles.scott=READER
%dev.quarkus.security.users.embedded.roles.stuart=READER,WRITER

# Configure OAuth2
quarkus.oauth2.enabled=true
%dev.quarkus.oauth2.enabled=false
quarkus.oauth2.client-id=client-id
quarkus.oauth2.client-secret=client-secret
quarkus.oauth2.introspection-url=http://host:port/introspect

Testing the Security Extension

Quarkus provides explicit support for testing with different users, and with the security subsystem disabled. To use this you must include the quarkus-test-security dependency:

pom.xml
<dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-test-security</artifactId>
    <scope>test</scope>
</dependency>
build.gradle
testImplementation("io.quarkus:quarkus-test-security")

This artifact provides the io.quarkus.test.security.TestSecurity annotation, which can be applied to test methods and test classes to control the security context that the test runs with. It allows you to do two things: disable authorization, so tests can access secured endpoints without being authenticated, and specify the identity that the tests run under.

A test that runs with authorization disabled can simply set the authorizationEnabled attribute to false:

@Test
@TestSecurity(authorizationEnabled = false)
void someTestMethod() {
...
}

This disables all access checks, allowing the test to reach secured endpoints without needing to authenticate.

You can also use it to configure the current user that the test runs as:

@Test
@TestSecurity(user = "testUser", roles = {"admin", "user"})
void someTestMethod() {
...
}

This will run the test with an identity with the given username and roles. Note that these can be combined, so you can disable authorization while also providing an identity to run the test under, which can be useful if the endpoint expects an identity to be present.
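As an added example (not code from the Quarkus documentation), here is a hypothetical @RolesAllowed resource together with a @QuarkusTest that exercises it under the three situations described above: a caller with the required role, a caller without it, and a caller with authorization disabled but an identity still present. It assumes Quarkus 3 (jakarta.* packages) with RESTEasy Reactive and REST-assured on the test classpath.

```java
import static io.restassured.RestAssured.given;
import static org.hamcrest.CoreMatchers.is;

import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.security.TestSecurity;
import jakarta.annotation.security.RolesAllowed;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import org.junit.jupiter.api.Test;

// Hypothetical resource under test (constructed for this example): only "admin" may read it.
@Path("/admin/whoami")
class AdminResource {
    @Inject SecurityIdentity identity;

    @GET
    @RolesAllowed("admin")
    public String whoami() {
        // Echo the caller's principal so the tests can check which identity was injected.
        return identity.getPrincipal().getName();
    }
}

@QuarkusTest
public class AdminResourceTest {
    @Test
    @TestSecurity(user = "alice", roles = {"admin", "user"})
    void callerWithAdminRoleIsAllowed() {
        given().when().get("/admin/whoami")
               .then().statusCode(200).body(is("alice"));
    }

    @Test
    @TestSecurity(user = "bob", roles = {"user"})
    void callerWithoutAdminRoleIsForbidden() {
        // Authenticated but lacking the "admin" role: the access check rejects the request.
        given().when().get("/admin/whoami")
               .then().statusCode(403);
    }

    @Test
    @TestSecurity(authorizationEnabled = false, user = "carol")
    void disabledAuthorizationStillExposesIdentity() {
        // Access checks are skipped, but the endpoint still sees "carol" as the caller.
        given().when().get("/admin/whoami")
               .then().statusCode(200).body(is("carol"));
    }
}
```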

See OpenID Connect Bearer Token Integration testing, OpenID Connect Authorization Code Flow Integration testing and SmallRye JWT Integration testing for more details about testing the endpoint code which depends on the injected JsonWebToken.

The feature is only available for @QuarkusTest and will not work on a @QuarkusIntegrationTest.

@TestSecurity can also be used in meta-annotations, for example like so:

@Retention(RetentionPolicy.RUNTIME)
@Target({ ElementType.METHOD })
@TestSecurity(user = "testUser", roles = {"admin", "user"})
public @interface TestSecurityMetaAnnotation {
}

This is particularly useful if the same set of security settings needs to be used in multiple test methods.

Mixing Security Tests

If it becomes necessary to test security features using both @TestSecurity and Basic Auth (which is the fallback auth mechanism when none is defined), then Basic Auth needs to be enabled explicitly, for example by setting quarkus.http.auth.basic=true or %test.quarkus.http.auth.basic=true.

Using Wiremock for Integration Testing

You can also use Wiremock to mock the OAuth2 and OIDC authorization services; see OAuth2 Integration testing, OpenID Connect Bearer Token Integration testing, OpenID Connect Authorization Code Flow Integration testing and SmallRye JWT Integration testing for more details.