Introduce Server Security JWT Support

gradle.properties

@@ -1,7 +1,9 @@
-projectVersion=2.3.1-SNAPSHOT
+projectVersion=2.4.0-SNAPSHOT
 micronautDocsVersion=1.0.24
 micronautBuildVersion=1.1.5
-micronautVersion=2.3.1
+micronautDiscoveryClientVersion=2.2.4
+micronautSecurityVersion=2.3.0
+micronautVersion=2.3.2
 micronautTestVersion=2.2.1
 groovyVersion=3.0.4
 spockVersion=2.0-M3-groovy-3.0

grpc-client-runtime/build.gradle

@@ -12,11 +12,11 @@ dependencies {
     api "io.grpc:grpc-protobuf:$grpcVersion"
     api "io.grpc:grpc-stub:$grpcVersion"
     implementation "io.grpc:grpc-netty:$grpcVersion"
-    compileOnly "io.micronaut.discovery:micronaut-discovery-client:2.2.4"
+    compileOnly "io.micronaut.discovery:micronaut-discovery-client:$micronautDiscoveryClientVersion"
     compileOnly "io.micronaut:micronaut-tracing:$micronautVersion"
     compileOnly 'io.opentracing.contrib:opentracing-grpc:0.2.3'
 
-    testImplementation "io.micronaut.discovery:micronaut-discovery-client:2.2.4"
+    testImplementation "io.micronaut.discovery:micronaut-discovery-client:$micronautDiscoveryClientVersion"
     testImplementation 'io.opentracing:opentracing-mock:0.33.0'
     testImplementation "io.micronaut:micronaut-tracing:$micronautVersion"
     testImplementation 'io.opentracing.contrib:opentracing-grpc:0.2.3'

grpc-server-runtime/build.gradle

@@ -12,12 +12,12 @@ dependencies {
     api "io.grpc:grpc-protobuf:$grpcVersion"
     api "io.grpc:grpc-stub:$grpcVersion"
 
-    compileOnly "io.micronaut.discovery:micronaut-discovery-client:2.2.4"
+    compileOnly "io.micronaut.discovery:micronaut-discovery-client:$micronautDiscoveryClientVersion"
     compileOnly "io.micronaut:micronaut-tracing:$micronautVersion"
     compileOnly "io.micronaut:micronaut-management"
     compileOnly 'io.opentracing.contrib:opentracing-grpc:0.2.3'
 
-    testImplementation "io.micronaut.discovery:micronaut-discovery-client:2.2.4"
+    testImplementation "io.micronaut.discovery:micronaut-discovery-client:$micronautDiscoveryClientVersion"
     testImplementation 'io.opentracing:opentracing-mock:0.33.0'
     testImplementation "io.micronaut:micronaut-tracing:$micronautVersion"
     testImplementation 'io.opentracing.contrib:opentracing-grpc:0.2.3'

grpc-server-security-jwt/build.gradle

@@ -0,0 +1,55 @@
+
+plugins {
+    id "net.ltgt.apt" version "0.21"
+    id 'com.google.protobuf' version '0.8.15'
+}
+
+dependencies {
+
+    annotationProcessor "io.micronaut:micronaut-inject-java:$micronautVersion"
+    testAnnotationProcessor "io.micronaut.security:micronaut-security-annotations:$micronautSecurityVersion"
+
+    api project(":grpc-server-runtime")
+    api "io.micronaut:micronaut-inject:$micronautVersion"
+    api "io.micronaut:micronaut-runtime:$micronautVersion"
+    api "com.nimbusds:nimbus-jose-jwt:9.4.2"
+
+    implementation("io.micronaut.security:micronaut-security-jwt:$micronautSecurityVersion") {
+        exclude group: 'io.micronaut', module: 'micronaut-http'
+        exclude group: 'io.micronaut', module: 'micronaut-http-server'
+    }
+
+    testImplementation "io.micronaut:micronaut-inject-groovy:$micronautVersion"
+    testImplementation "io.micronaut:micronaut-inject-java:$micronautVersion"
+    testImplementation "io.micronaut.test:micronaut-test-spock:$micronautTestVersion"
+
+}
+
+protobuf {
+    protoc { artifact = "com.google.protobuf:protoc:$protocVersion" }
+    plugins {
+        grpc { artifact = "io.grpc:protoc-gen-grpc-java:$grpcVersion" }
+    }
+    generateProtoTasks {
+        all()*.plugins { grpc {} }
+    }
+}
+
+sourceSets {
+    test {
+        java {
+            srcDirs 'build/generated/source/proto/test/grpc'
+            srcDirs 'build/generated/source/proto/test/java'
+        }
+    }
+}
+
+protobuf {
+    protoc { artifact = "com.google.protobuf:protoc:$protocVersion" }
+    plugins {
+        grpc { artifact = "io.grpc:protoc-gen-grpc-java:1.35.0" }
+    }
+    generateProtoTasks {
+        all()*.plugins { grpc {} }
+    }
+}

grpc-server-security-jwt/src/main/java/io/micronaut/grpc/server/security/jwt/GrpcServerSecurityJwtConfiguration.java

@@ -0,0 +1,106 @@
+/*
+ * Copyright 2017-2021 original authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.micronaut.grpc.server.security.jwt;
+
+import edu.umd.cs.findbugs.annotations.Nullable;
+import io.grpc.Status;
+import io.micronaut.context.annotation.ConfigurationProperties;
+import io.micronaut.context.annotation.Requires;
+import io.micronaut.core.bind.annotation.Bindable;
+import io.micronaut.core.order.Ordered;
+import io.micronaut.core.util.StringUtils;
+import io.micronaut.core.util.Toggleable;
+import io.micronaut.grpc.server.GrpcServerConfiguration;
+import io.micronaut.security.config.InterceptUrlMapPattern;
+import io.micronaut.security.config.SecurityConfigurationProperties;
+import io.micronaut.security.token.config.TokenConfigurationProperties;
+import io.micronaut.security.token.jwt.config.JwtConfigurationProperties;
+
+import javax.validation.constraints.NotBlank;
+import java.util.Collection;
+
+/**
+ * gRPC Security JWT configuration.
+ *
+ * @since 2.4.0
+ * @author Brian Wyka
+ */
+@ConfigurationProperties(GrpcServerSecurityJwtConfiguration.PREFIX)
+@Requires(property = SecurityConfigurationProperties.PREFIX + ".enabled", notEquals = StringUtils.FALSE)
+@Requires(property = TokenConfigurationProperties.PREFIX + ".enabled", notEquals = StringUtils.FALSE)
+@Requires(property = JwtConfigurationProperties.PREFIX + ".enabled", notEquals = StringUtils.FALSE)
+@Requires(property = GrpcServerSecurityJwtConfiguration.PREFIX + ".enabled", notEquals = StringUtils.FALSE)
+public interface GrpcServerSecurityJwtConfiguration extends Toggleable {
+
+    /**
+     * The configuration prefix.
+     */
+    String PREFIX = GrpcServerConfiguration.PREFIX + ".security.token.jwt";
+
+    /**
+     * The default name for the JWT metadata key.
+     */
+    String DEFAULT_METADATA_KEY_NAME = "JWT";
+
+    /**
+     * The order to be applied to the server interceptor in the interceptor chain.  Defaults
+     * to {@value io.micronaut.core.order.Ordered#HIGHEST_PRECEDENCE} if not configured.
+     *
+     * @return the order
+     */
+    @Bindable(defaultValue = "" + Ordered.HIGHEST_PRECEDENCE)
+    int getInterceptorOrder();
+
+    /**
+     * Get the list of fully qualified RPC method patterns which should be intercepted and interrogated for a valid JWT.
+     * If no values are provided, by default, all methods will be intercepted.
+     *
+     * @see io.grpc.MethodDescriptor#getFullMethodName()
+     *
+     * @return the intercept method names.
+     */
+    @Nullable
+    Collection<InterceptUrlMapPattern> getInterceptMethodPatterns();
+
+    /**
+     * The {@link Status} returned by the interceptor when JWT is missing from metadata.
+     * The default value is {@link Status.Code#UNAUTHENTICATED}
+     *
+     * @return the status
+     */
+    @Bindable(defaultValue = "UNAUTHENTICATED")
+    Status.Code getMissingTokenStatus();
+
+    /**
+     * The {@link Status} returned by the interceptor when JWT validation fails. The
+     * default value is {@link Status.Code#PERMISSION_DENIED}
+     *
+     * @return the status
+     */
+    @Bindable(defaultValue = "PERMISSION_DENIED")
+    Status.Code getFailedValidationTokenStatus();
+
+    /**
+     * The name of the metadata key which holds the JWT.  Defaults
+     * to {@value #DEFAULT_METADATA_KEY_NAME} if not configured.
+     *
+     * @return the metadata key name
+     */
+    @NotBlank
+    @Bindable(defaultValue = DEFAULT_METADATA_KEY_NAME)
+    String getMetadataKeyName();
+
+}

grpc-server-security-jwt/src/main/java/io/micronaut/grpc/server/security/jwt/GrpcServerSecurityJwtInterceptorFactory.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright 2017-2021 original authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.micronaut.grpc.server.security.jwt;
+
+import io.grpc.ServerInterceptor;
+import io.micronaut.context.annotation.Bean;
+import io.micronaut.context.annotation.Factory;
+import io.micronaut.context.annotation.Requires;
+import io.micronaut.grpc.server.security.jwt.interceptor.GrpcServerSecurityJwtInterceptor;
+import io.micronaut.security.config.SecurityConfiguration;
+import io.micronaut.security.token.RolesFinder;
+import io.micronaut.security.token.jwt.encryption.EncryptionConfiguration;
+import io.micronaut.security.token.jwt.signature.SignatureConfiguration;
+import io.micronaut.security.token.jwt.validator.GenericJwtClaimsValidator;
+import io.micronaut.security.token.jwt.validator.JwtValidator;
+
+import javax.inject.Singleton;
+import java.util.Collection;
+
+/**
+ * Factory for creating instances of gRPC server security JWT interceptors.
+ *
+ * @since 2.4.0
+ * @author Brian Wyka
+ */
+@Factory
+@Requires(beans = GrpcServerSecurityJwtConfiguration.class)
+public class GrpcServerSecurityJwtInterceptorFactory {
+
+    /**
+     * Constructs an instance of {@link GrpcServerSecurityJwtInterceptor} based on configuration.
+     *
+     * @param grpcServerSecurityJwtConfiguration the gRPC server security JWT configuration
+     * @param signatureConfigurations the signature configurations
+     * @param encryptionConfigurations the encryption configurations
+     * @param genericJwtClaimsValidators the generic JWT claims validators
+     * @param securityConfiguration the security configuration
+     * @param rolesFinder the roles finder for comparing roles with required roles
+     * @return the server interceptor bean
+     */
+    @Bean
+    @Singleton
+    public ServerInterceptor serverInterceptor(final GrpcServerSecurityJwtConfiguration grpcServerSecurityJwtConfiguration,
+                                               final Collection<SignatureConfiguration> signatureConfigurations,
+                                               final Collection<EncryptionConfiguration> encryptionConfigurations,
+                                               final Collection<GenericJwtClaimsValidator> genericJwtClaimsValidators,
+                                               final SecurityConfiguration securityConfiguration,
+                                               final RolesFinder rolesFinder) {
+        final JwtValidator jwtValidator = JwtValidator.builder()
+                .withSignatures(signatureConfigurations)
+                .withEncryptions(encryptionConfigurations)
+                .withClaimValidators(genericJwtClaimsValidators)
+                .build();
+        final boolean rejectRolesNotFound = securityConfiguration.isRejectNotFound();
+        return new GrpcServerSecurityJwtInterceptor(grpcServerSecurityJwtConfiguration, jwtValidator, rolesFinder, rejectRolesNotFound);
+    }
+
+}