Uploaded image for project: 'Subscription Watch'
  1. Subscription Watch
  2. SWATCH-3528

Update junit tests using the io.quarkus:quarkus-test-security extension

XMLWordPrintable

    • Icon: Task Task
    • Resolution: Done
    • Icon: Major Major
    • 2025-07-08 - API
    • None
    • None
    • None

      In some tests of swatch-contracts, we use the extension “io.quarkus:quarkus-test-security”, so we can mock the security context using the annotation @TestSecurity:

      @TestSecurity(
   user = "owner123456",
   roles = {"customer"})

      And then, inject a mock of the security context like:

      @BeforeEach
void updateSecurityContext() {
 SecurityContext mockSecurityContext = Mockito.mock(SecurityContext.class);
 Principal mockPrincipal = Mockito.mock(Principal.class);
 resource.setTestSecurityContext(mockSecurityContext);
 when(mockSecurityContext.getUserPrincipal()).thenReturn(mockPrincipal);
 when(mockPrincipal.getName()).thenReturn("owner123456");
 when(uriInfo.getRequestUriBuilder()).thenReturn(new ResteasyUriBuilderImpl());
}

      When using the Quarkus Resteasy extension, this does not work because the SecurityContext is not injectable, but it’s a context bean. This worked when using the Quarkus Resteasy Reactive extension because it magically made the SecurityContext a bean (more info in here).

      The problem is that we have many tests that depend on the SecurityContext being injectable and mockable.

      The solution for this is to not use mocks for security, but call the API using RestAssured:
      Change the @Inject annotation to @Context in the API resources:

      From:

      @Inject SecurityContext securityContext;

      To:

      @Context SecurityContext securityContext;

      Remove the “io.quarkus:quarkus-test-security” extension and all the annotations “@TestSecurity”
      Instead of calling the method resource, use the API with RestAssured:

      From:

      CapacityReportByMetricId report =
   resource.getCapacityReportByMetricId(
       RHEL_FOR_ARM,
       METRIC_ID_CORES,
       GranularityType.DAILY,
       min,
       max,
       null,
       null,
       null,
       ReportCategory.PHYSICAL,
       null,
       null);

      To:

      CapacityReportByMetricId report = RestAssured.given()
   .header("x-rh-identity", header())
   .get("/the endpoint")
   .as(CapacityReportByMetricId.class);

      Where header() is the base64 encoded string where the org ID and the user information.

      The extra benefit is that we’ll be able to better ensure the security of our API in JUnit tests.

              rhn-engineering-wpoteat William Poteat
              jcarvaja@redhat.com Jose Carvajal Hilario
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: