feat: Migrate Reactive Routes to Vert.X Web and add security tests (#838)

Author: ehsavoie

client/transport/spi/src/main/java/org/a2aproject/sdk/client/transport/spi/interceptors/auth/AuthInterceptor.java

@@ -24,8 +24,10 @@
 public class AuthInterceptor extends ClientCallInterceptor {
 
     private static final String BEARER_SCHEME = "bearer";
+    private static final String BASIC_SCHEME = "basic";
     public static final String AUTHORIZATION = "Authorization";
     private static final String BEARER = "Bearer ";
+    private static final String BASIC = "Basic ";
     private final CredentialService credentialService;
 
     public AuthInterceptor(final CredentialService credentialService) {
@@ -51,9 +53,13 @@ public PayloadAndHeaders intercept(String methodName, @Nullable Object payload,
                         continue;
                     }
                     if (securityScheme instanceof HTTPAuthSecurityScheme httpAuthSecurityScheme) {
-                        if (httpAuthSecurityScheme.scheme().toLowerCase(Locale.ROOT).equals(BEARER_SCHEME)) {
+                        String scheme = httpAuthSecurityScheme.scheme().toLowerCase(Locale.ROOT);
+                        if (scheme.equals(BEARER_SCHEME)) {
                             updatedHeaders.put(AUTHORIZATION, getBearerValue(credential));
                             return new PayloadAndHeaders(payload, updatedHeaders);
+                        } else if (scheme.equals(BASIC_SCHEME)) {
+                            updatedHeaders.put(AUTHORIZATION, getBasicValue(credential));
+                            return new PayloadAndHeaders(payload, updatedHeaders);
                         }
                     } else if (securityScheme instanceof OAuth2SecurityScheme
                             || securityScheme instanceof OpenIdConnectSecurityScheme) {
@@ -72,4 +78,8 @@ public PayloadAndHeaders intercept(String methodName, @Nullable Object payload,
     private static String getBearerValue(String credential) {
         return BEARER + credential;
     }
+
+    private static String getBasicValue(String credential) {
+        return BASIC + credential;
+    }
 }

client/transport/spi/src/test/java/org/a2aproject/sdk/client/transport/spi/interceptors/auth/AuthInterceptorTest.java

@@ -129,6 +129,21 @@ public void testBearerSecurityScheme() {
         testSecurityScheme(authTestCase);
     }
 
+    @Test
+    public void testBasicAuthSecurityScheme() {
+        // Credential should be pre-encoded base64("testuser:testpass") = "dGVzdHVzZXI6dGVzdHBhc3M="
+        AuthTestCase authTestCase = new AuthTestCase(
+                "http://agent.com/rpc",
+                "session-id",
+                "basic",
+                "dGVzdHVzZXI6dGVzdHBhc3M=",
+                new HTTPAuthSecurityScheme(null, "basic", "HTTP Basic authentication"),
+                "Authorization",
+                "Basic dGVzdHVzZXI6dGVzdHBhc3M="
+        );
+        testSecurityScheme(authTestCase);
+    }
+
     private void testSecurityScheme(AuthTestCase authTestCase) {
         credentialStore.setCredential(authTestCase.sessionId, authTestCase.schemeName, authTestCase.credential);
 

extras/opentelemetry/integration-tests/pom.xml

@@ -40,10 +40,10 @@
             <artifactId>quarkus-opentelemetry</artifactId>
         </dependency>
 
-        <!-- Quarkus Reactive Routes (for test utilities) -->
+        <!-- Quarkus Vertx HTTP (for test utilities) -->
         <dependency>
             <groupId>io.quarkus</groupId>
-            <artifactId>quarkus-reactive-routes</artifactId>
+            <artifactId>quarkus-vertx-http</artifactId>
         </dependency>
 
         <!-- CDI -->

extras/opentelemetry/integration-tests/src/main/java/org/a2aproject/sdk/extras/opentelemetry/it/A2ATestRoutes.java

@@ -18,11 +18,11 @@
 import io.opentelemetry.context.Scope;
 import io.opentelemetry.sdk.testing.exporter.InMemorySpanExporter;
 import io.opentelemetry.sdk.trace.data.SpanData;
-import io.quarkus.vertx.web.Body;
-import io.quarkus.vertx.web.Param;
-import io.quarkus.vertx.web.Route;
+import io.vertx.ext.web.Router;
 import io.vertx.ext.web.RoutingContext;
+import io.vertx.ext.web.handler.BodyHandler;
 import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.enterprise.event.Observes;
 import jakarta.enterprise.inject.Produces;
 import jakarta.inject.Inject;
 import jakarta.inject.Singleton;
@@ -48,8 +48,47 @@ public class A2ATestRoutes {
     @Inject
     Tracer tracer;
 
-    @Route(path = "/test/task", methods = {Route.HttpMethod.POST}, consumes = {APPLICATION_JSON}, type = Route.HandlerType.BLOCKING)
-    public void saveTask(@Body String body, RoutingContext rc) {
+    void setupRoutes(@Observes Router router) {
+        router.post("/test/task")
+            .consumes(APPLICATION_JSON)
+            .blockingHandler(ctx -> saveTask(ctx.body().asString(), ctx));
+
+        router.get("/test/task/:taskId")
+            .produces(APPLICATION_JSON)
+            .blockingHandler(ctx -> getTask(ctx.pathParam("taskId"), ctx));
+
+        router.delete("/test/task/:taskId")
+            .blockingHandler(ctx -> deleteTask(ctx.pathParam("taskId"), ctx));
+
+        router.post("/test/queue/ensure/:taskId")
+            .handler(ctx -> ensureTaskQueue(ctx.pathParam("taskId"), ctx));
+
+        router.post("/test/queue/enqueueTaskStatusUpdateEvent/:taskId")
+            .handler(BodyHandler.create())
+            .handler(ctx -> enqueueTaskStatusUpdateEvent(ctx.pathParam("taskId"), ctx.body().asString(), ctx));
+
+        router.post("/test/queue/enqueueTaskArtifactUpdateEvent/:taskId")
+            .handler(BodyHandler.create())
+            .handler(ctx -> enqueueTaskArtifactUpdateEvent(ctx.pathParam("taskId"), ctx.body().asString(), ctx));
+
+        router.get("/test/queue/childCount/:taskId")
+            .produces(TEXT_PLAIN)
+            .handler(ctx -> getChildQueueCount(ctx.pathParam("taskId"), ctx));
+
+        router.get("/hello")
+            .produces(TEXT_PLAIN)
+            .handler(ctx -> hello(ctx));
+
+        router.get("/export")
+            .produces(APPLICATION_JSON)
+            .handler(ctx -> exportSpans(ctx));
+
+        router.get("/reset")
+            .produces(TEXT_PLAIN)
+            .handler(ctx -> reset(ctx));
+    }
+
+    public void saveTask(String body, RoutingContext rc) {
         try {
             Task task = JsonUtil.fromJson(body, Task.class);
             testUtilsBean.saveTask(task);
@@ -61,8 +100,7 @@ public void saveTask(@Body String body, RoutingContext rc) {
         }
     }
 
-    @Route(path = "/test/task/:taskId", methods = {Route.HttpMethod.GET}, produces = {APPLICATION_JSON}, type = Route.HandlerType.BLOCKING)
-    public void getTask(@Param String taskId, RoutingContext rc) {
+    public void getTask(String taskId, RoutingContext rc) {
         try {
             Task task = testUtilsBean.getTask(taskId);
             if (task == null) {
@@ -81,8 +119,7 @@ public void getTask(@Param String taskId, RoutingContext rc) {
         }
     }
 
-    @Route(path = "/test/task/:taskId", methods = {Route.HttpMethod.DELETE}, type = Route.HandlerType.BLOCKING)
-    public void deleteTask(@Param String taskId, RoutingContext rc) {
+    public void deleteTask(String taskId, RoutingContext rc) {
         try {
             Task task = testUtilsBean.getTask(taskId);
             if (task == null) {
@@ -100,8 +137,7 @@ public void deleteTask(@Param String taskId, RoutingContext rc) {
         }
     }
 
-    @Route(path = "/test/queue/ensure/:taskId", methods = {Route.HttpMethod.POST})
-    public void ensureTaskQueue(@Param String taskId, RoutingContext rc) {
+    public void ensureTaskQueue(String taskId, RoutingContext rc) {
         try {
             testUtilsBean.ensureQueue(taskId);
             rc.response()
@@ -112,8 +148,7 @@ public void ensureTaskQueue(@Param String taskId, RoutingContext rc) {
         }
     }
 
-    @Route(path = "/test/queue/enqueueTaskStatusUpdateEvent/:taskId", methods = {Route.HttpMethod.POST})
-    public void enqueueTaskStatusUpdateEvent(@Param String taskId, @Body String body, RoutingContext rc) {
+    public void enqueueTaskStatusUpdateEvent(String taskId, String body, RoutingContext rc) {
         try {
             TaskStatusUpdateEvent event = JsonUtil.fromJson(body, TaskStatusUpdateEvent.class);
             testUtilsBean.enqueueEvent(taskId, event);
@@ -125,8 +160,7 @@ public void enqueueTaskStatusUpdateEvent(@Param String taskId, @Body String body
         }
     }
 
-    @Route(path = "/test/queue/enqueueTaskArtifactUpdateEvent/:taskId", methods = {Route.HttpMethod.POST})
-    public void enqueueTaskArtifactUpdateEvent(@Param String taskId, @Body String body, RoutingContext rc) {
+    public void enqueueTaskArtifactUpdateEvent(String taskId, String body, RoutingContext rc) {
         try {
             TaskArtifactUpdateEvent event = JsonUtil.fromJson(body, TaskArtifactUpdateEvent.class);
             testUtilsBean.enqueueEvent(taskId, event);
@@ -138,15 +172,13 @@ public void enqueueTaskArtifactUpdateEvent(@Param String taskId, @Body String bo
         }
     }
 
-    @Route(path = "/test/queue/childCount/:taskId", methods = {Route.HttpMethod.GET}, produces = {TEXT_PLAIN})
-    public void getChildQueueCount(@Param String taskId, RoutingContext rc) {
+    public void getChildQueueCount(String taskId, RoutingContext rc) {
         int count = testUtilsBean.getChildQueueCount(taskId);
         rc.response()
                 .setStatusCode(200)
                 .end(String.valueOf(count));
     }
 
-    @Route(path = "/hello", methods = {Route.HttpMethod.GET}, produces = {TEXT_PLAIN})
     public void hello(RoutingContext rc) {
         Span span = tracer.spanBuilder("hello").startSpan();
         try (Scope scope = span.makeCurrent()) {
@@ -159,8 +191,7 @@ public void hello(RoutingContext rc) {
         }
     }
 
-    @Route(path = "/export", methods = {Route.HttpMethod.GET}, produces = {APPLICATION_JSON})
-    public void exportSpans(@Param String taskId, RoutingContext rc) {
+    public void exportSpans(RoutingContext rc) {
         List<SpanData> spans = inMemorySpanExporter.getFinishedSpanItems()
                 .stream()
                 .filter(sd -> !sd.getName().contains("export") && !sd.getName().contains("reset"))
@@ -202,8 +233,7 @@ private JsonElement serialize(List<SpanData> spanDatas) {
         return spans;
     }
 
-    @Route(path = "/reset", methods = {Route.HttpMethod.GET}, produces = {TEXT_PLAIN})
-    public void reset(@Param String taskId, RoutingContext rc) {
+    public void reset(RoutingContext rc) {
         inMemorySpanExporter.reset();
         rc.response().setStatusCode(200).end();
     }

extras/opentelemetry/integration-tests/src/test/java/org/a2aproject/sdk/extras/opentelemetry/it/OpenTelemetryA2ABaseTest.java

@@ -1,6 +1,5 @@
 package org.a2aproject.sdk.extras.opentelemetry.it;
 
-import static io.quarkus.vertx.web.ReactiveRoutes.APPLICATION_JSON;
 import static io.restassured.RestAssured.given;
 import static java.net.HttpURLConnection.HTTP_OK;
 import static java.util.concurrent.TimeUnit.SECONDS;
@@ -243,7 +242,7 @@ protected void saveTaskInTaskStore(Task task) throws Exception {
         HttpRequest request = HttpRequest.newBuilder()
                 .uri(URI.create("http://localhost:" + serverPort + "/test/task"))
                 .POST(HttpRequest.BodyPublishers.ofString(JsonUtil.toJson(task)))
-                .header("Content-Type", APPLICATION_JSON)
+                .header("Content-Type", "application/json")
                 .build();
 
         HttpResponse<String> response = httpClient.send(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8));

extras/push-notification-config-store-database-jpa/pom.xml

@@ -103,10 +103,5 @@
             <artifactId>a2a-java-sdk-client</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>io.quarkus</groupId>
-            <artifactId>quarkus-reactive-routes</artifactId>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 </project>

extras/task-store-database-jpa/pom.xml

@@ -102,10 +102,5 @@
             <artifactId>a2a-java-sdk-client</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>io.quarkus</groupId>
-            <artifactId>quarkus-reactive-routes</artifactId>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 </project>

http-client/src/main/java/org/a2aproject/sdk/client/http/JdkA2AHttpClient.java

@@ -267,6 +267,13 @@ public A2AHttpResponse get() throws IOException, InterruptedException {
                     .build();
             HttpResponse<String> response =
                     httpClient.send(request, BodyHandlers.ofString(StandardCharsets.UTF_8));
+
+            if (response.statusCode() == HTTP_UNAUTHORIZED) {
+                throw new IOException(A2AErrorMessages.AUTHENTICATION_FAILED);
+            } else if (response.statusCode() == HTTP_FORBIDDEN) {
+                throw new IOException(A2AErrorMessages.AUTHORIZATION_FAILED);
+            }
+
             return new JdkHttpResponse(response);
         }
 
@@ -289,6 +296,13 @@ public A2AHttpResponse delete() throws IOException, InterruptedException {
             HttpRequest request = super.createRequestBuilder().DELETE().build();
             HttpResponse<String> response =
                     httpClient.send(request, BodyHandlers.ofString(StandardCharsets.UTF_8));
+
+            if (response.statusCode() == HTTP_UNAUTHORIZED) {
+                throw new IOException(A2AErrorMessages.AUTHENTICATION_FAILED);
+            } else if (response.statusCode() == HTTP_FORBIDDEN) {
+                throw new IOException(A2AErrorMessages.AUTHORIZATION_FAILED);
+            }
+
             return new JdkHttpResponse(response);
         }
 

reference/common/pom.xml

@@ -35,7 +35,11 @@
         </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
-            <artifactId>quarkus-reactive-routes</artifactId>
+            <artifactId>quarkus-vertx-http</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-arc</artifactId>
         </dependency>
         <dependency>
             <groupId>jakarta.enterprise</groupId>
@@ -73,5 +77,17 @@
             <artifactId>rest-assured</artifactId>
             <scope>test</scope>
         </dependency>
+        <!-- Security dependencies - optional so they don't propagate transitively.
+             Transport modules add these as test-scoped for auth tests. -->
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-security</artifactId>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-elytron-security-properties-file</artifactId>
+            <optional>true</optional>
+        </dependency>
     </dependencies>
 </project>