Introduce Server Security JWT Support

gradle.properties

@@ -1,7 +1,9 @@
+
 projectVersion=2.3.1-SNAPSHOT
 micronautDocsVersion=1.0.24
 micronautBuildVersion=1.1.5
-micronautVersion=2.3.1
+micronautDiscoveryClientVersion=2.0.1
+micronautVersion=2.3.2
 micronautTestVersion=2.2.1
 groovyVersion=3.0.4
 spockVersion=2.0-M3-groovy-3.0

grpc-client-runtime/build.gradle

@@ -12,11 +12,11 @@ dependencies {
     api "io.grpc:grpc-protobuf:$grpcVersion"
     api "io.grpc:grpc-stub:$grpcVersion"
     implementation "io.grpc:grpc-netty:$grpcVersion"
-    compileOnly "io.micronaut.discovery:micronaut-discovery-client:2.2.4"
+    compileOnly "io.micronaut.discovery:micronaut-discovery-client:$micronautDiscoveryClientVersion"
     compileOnly "io.micronaut:micronaut-tracing:$micronautVersion"
     compileOnly 'io.opentracing.contrib:opentracing-grpc:0.2.3'
 
-    testImplementation "io.micronaut.discovery:micronaut-discovery-client:2.2.4"
+    testImplementation "io.micronaut.discovery:micronaut-discovery-client:$micronautDiscoveryClientVersion"
     testImplementation 'io.opentracing:opentracing-mock:0.33.0'
     testImplementation "io.micronaut:micronaut-tracing:$micronautVersion"
     testImplementation 'io.opentracing.contrib:opentracing-grpc:0.2.3'

grpc-server-runtime/build.gradle

@@ -12,12 +12,12 @@ dependencies {
     api "io.grpc:grpc-protobuf:$grpcVersion"
     api "io.grpc:grpc-stub:$grpcVersion"
 
-    compileOnly "io.micronaut.discovery:micronaut-discovery-client:2.2.4"
+    compileOnly "io.micronaut.discovery:micronaut-discovery-client:$micronautDiscoveryClientVersion"
     compileOnly "io.micronaut:micronaut-tracing:$micronautVersion"
     compileOnly "io.micronaut:micronaut-management"
     compileOnly 'io.opentracing.contrib:opentracing-grpc:0.2.3'
 
-    testImplementation "io.micronaut.discovery:micronaut-discovery-client:2.2.4"
+    testImplementation "io.micronaut.discovery:micronaut-discovery-client:$micronautDiscoveryClientVersion"
     testImplementation 'io.opentracing:opentracing-mock:0.33.0'
     testImplementation "io.micronaut:micronaut-tracing:$micronautVersion"
     testImplementation 'io.opentracing.contrib:opentracing-grpc:0.2.3'

grpc-server-security-jwt/build.gradle

@@ -0,0 +1,20 @@
+
+dependencies {
+
+    annotationProcessor "io.micronaut:micronaut-inject-java:$micronautVersion"
+
+    api project(":grpc-server-runtime")
+    api "io.micronaut:micronaut-inject:$micronautVersion"
+    api "io.micronaut:micronaut-runtime:$micronautVersion"
+    api "com.nimbusds:nimbus-jose-jwt:9.4.2"
+
+    implementation("io.micronaut.security:micronaut-security-jwt:$micronautSecurityVersion") {
+        exclude group: 'io.micronaut', module: 'micronaut-http'
+        exclude group: 'io.micronaut', module: 'micronaut-http-server'
+    }
+
+    testImplementation "io.micronaut:micronaut-inject-groovy:$micronautVersion"
+    testImplementation "io.micronaut:micronaut-inject-java:$micronautVersion"
+    testImplementation 'io.micronaut.test:micronaut-test-spock:1.2.0'
+
+}

grpc-server-security-jwt/src/main/java/io/micronaut/grpc/server/security/jwt/GrpcServerSecurityJwtConfiguration.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2017-2021 original authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.micronaut.grpc.server.security.jwt;
+
+import io.micronaut.context.annotation.ConfigurationProperties;
+import io.micronaut.context.annotation.Requires;
+import io.micronaut.core.bind.annotation.Bindable;
+import io.micronaut.core.order.Ordered;
+import io.micronaut.core.util.Toggleable;
+import io.micronaut.grpc.server.GrpcServerConfiguration;
+
+import javax.validation.constraints.NotBlank;
+
+/**
+ * gRPC Security JWT configuration
+ *
+ * @since 2.4.0
+ * @author Brian Wyka
+ */
+@ConfigurationProperties(GrpcServerSecurityJwtConfiguration.PREFIX)
+@Requires(property = GrpcServerSecurityJwtConfiguration.PREFIX + ".enabled", value = "true", defaultValue = "false")
+public interface GrpcServerSecurityJwtConfiguration extends Toggleable {
+
+    String DEFAULT_METADATA_KEY_NAME = "JWT";
+    String PREFIX = GrpcServerConfiguration.PREFIX + ".security.jwt";
+
+    /**
+     * Whether or not JWT server interceptor is enabled.  Defaults to {@code false} if not configured.
+     *
+     * @return true if enabled, false otherwise
+     */
+    @Override
+    @Bindable(defaultValue = "false")
+    boolean isEnabled();
+
+    /**
+     * The order to be applied to the server interceptor in the interceptor chain.  Defaults
+     * to {@value io.micronaut.core.order.Ordered#HIGHEST_PRECEDENCE} if not configured.
+     *
+     * @return the order
+     */
+    @Bindable(defaultValue = "" + Ordered.HIGHEST_PRECEDENCE)
+    int getOrder();
+
+    /**
+     * The name of the metadata key which holds the JWT.  Defaults
+     * to {@value #DEFAULT_METADATA_KEY_NAME} if not configured.
+     *
+     * @return the metadata key name
+     */
+    @NotBlank
+    @Bindable(defaultValue = DEFAULT_METADATA_KEY_NAME)
+    String getMetadataKeyName();
+
+}

grpc-server-security-jwt/src/main/java/io/micronaut/grpc/server/security/jwt/GrpcServerSecurityJwtInterceptorFactory.java

@@ -0,0 +1,49 @@
+package io.micronaut.grpc.server.security.jwt;
+
+import io.grpc.ServerInterceptor;
+import io.micronaut.context.annotation.Bean;
+import io.micronaut.context.annotation.Factory;
+import io.micronaut.context.annotation.Requires;
+import io.micronaut.grpc.server.security.jwt.interceptor.GrpcServerSecurityJwtInterceptor;
+import io.micronaut.security.token.jwt.encryption.EncryptionConfiguration;
+import io.micronaut.security.token.jwt.signature.SignatureConfiguration;
+import io.micronaut.security.token.jwt.validator.GenericJwtClaimsValidator;
+import io.micronaut.security.token.jwt.validator.JwtValidator;
+
+import javax.inject.Singleton;
+import java.util.Collection;
+
+/**
+ * Factory for creating instances of gRPC server security JWT interceptors
+ *
+ * @since 2.4.0
+ * @author Brian Wyka
+ */
+@Factory
+@Requires(beans = GrpcServerSecurityJwtConfiguration.class)
+public class GrpcServerSecurityJwtInterceptorFactory {
+
+    /**
+     * Constructs an instance of {@link GrpcServerSecurityJwtInterceptor} based on configuration
+     *
+     * @param grpcServerSecurityJwtConfiguration the gRPC server security JWT configuration
+     * @param signatureConfigurations the signature configurations
+     * @param encryptionConfigurations the encryption configurations
+     * @param genericJwtClaimsValidators the generic JWT claims validators
+     * @return the server interceptor bean
+     */
+    @Bean
+    @Singleton
+    public ServerInterceptor serverInterceptor(final GrpcServerSecurityJwtConfiguration grpcServerSecurityJwtConfiguration,
+                                               final Collection<SignatureConfiguration> signatureConfigurations,
+                                               final Collection<EncryptionConfiguration> encryptionConfigurations,
+                                               final Collection<GenericJwtClaimsValidator> genericJwtClaimsValidators) {
+        final JwtValidator jwtValidator = JwtValidator.builder()
+                .withSignatures(signatureConfigurations)
+                .withEncryptions(encryptionConfigurations)
+                .withClaimValidators(genericJwtClaimsValidators)
+                .build();
+        return new GrpcServerSecurityJwtInterceptor(grpcServerSecurityJwtConfiguration, jwtValidator);
+    }
+
+}

grpc-server-security-jwt/src/main/java/io/micronaut/grpc/server/security/jwt/interceptor/GrpcServerSecurityJwtInterceptor.java

@@ -0,0 +1,112 @@
+/*
+ * Copyright 2017-2021 original authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.micronaut.grpc.server.security.jwt.interceptor;
+
+import com.nimbusds.jwt.JWT;
+import io.grpc.ForwardingServerCallListener;
+import io.grpc.Metadata;
+import io.grpc.ServerCall;
+import io.grpc.ServerCallHandler;
+import io.grpc.ServerInterceptor;
+import io.grpc.Status;
+import io.grpc.StatusRuntimeException;
+import io.micronaut.core.order.Ordered;
+import io.micronaut.grpc.server.security.jwt.GrpcServerSecurityJwtConfiguration;
+import io.micronaut.security.token.jwt.validator.JwtValidator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.Optional;
+
+
+/**
+ * gRPC Server Security JWT Interceptor
+ *
+ * @since 2.4.0
+ * @author Brian Wyka
+ */
+public class GrpcServerSecurityJwtInterceptor implements ServerInterceptor, Ordered {
+
+    private static final Logger LOG = LoggerFactory.getLogger(GrpcServerSecurityJwtInterceptor.class);
+
+    private final Metadata.Key<String> jwtMetadataKey;
+    private final JwtValidator jwtValidator;
+    private final int order;
+
+    /**
+     * Create the interceptor based on the configuration.
+     *
+     * @param config the gRPC Security JWT configuration
+     * @param validator the JWT validator
+     */
+    public GrpcServerSecurityJwtInterceptor(final GrpcServerSecurityJwtConfiguration config, final JwtValidator validator) {
+        jwtMetadataKey = Metadata.Key.of(config.getMetadataKeyName(), Metadata.ASCII_STRING_MARSHALLER);
+        jwtValidator = validator;
+        order = config.getOrder();
+    }
+
+    /**
+     * Intercept the call to validate the JSON web token.  If the token is not present in the metadata, or
+     * if the token is not valid, this method will deny the request with a {@link StatusRuntimeException}.
+     *
+     * @param call the server call
+     * @param metadata the metadata
+     * @param next the next processor in the interceptor chain
+     * @param <T> the type of the server request
+     * @param <S> the type of the server response
+     * @throws StatusRuntimeException if token not present or invalid
+     */
+    @Override
+    public <T, S> ServerCall.Listener<T> interceptCall(final ServerCall<T, S> call, final Metadata metadata, final ServerCallHandler<T, S> next) {
+        if (!metadata.containsKey(jwtMetadataKey)) {
+            final String message = String.format("%s key missing in gRPC metadata", jwtMetadataKey.name());
+            LOG.error(message);
+            throw Status.UNAUTHENTICATED.withDescription(message).asRuntimeException();
+        }
+        final ServerCall.Listener<T> listener = next.startCall(call, metadata);
+        final String jwt = metadata.get(jwtMetadataKey);
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("JWT: {}", jwt);
+        }
+        final Optional<JWT> jwtOptional = jwtValidator.validate(jwt, null); // We don't have an HttpRequest to send in here (hence null)
+        if (!jwtOptional.isPresent()) {
+            final String message = "JWT validation failed";
+            LOG.error(message);
+            throw Status.PERMISSION_DENIED.withDescription(message).asRuntimeException();
+        }
+        return new ForwardingServerCallListener.SimpleForwardingServerCallListener<T>(listener) { };
+    }
+
+    /**
+     * Get the metadata key.
+     *
+     * @return the metadata key
+     */
+    Metadata.Key<String> getMetadataKey() {
+        return jwtMetadataKey;
+    }
+
+    /**
+     * Get the order for this interceptor within the interceptor chain.
+     *
+     * @return the order
+     */
+    @Override
+    public int getOrder() {
+        return order;
+    }
+
+}

grpc-server-security-jwt/src/test/groovy/io/micronaut/grpc/server/security/jwt/GrpcServerSecurityJwtConfigurationOverrideSpec.groovy

@@ -0,0 +1,24 @@
+package io.micronaut.grpc.server.security.jwt
+
+import io.micronaut.context.annotation.Property
+import io.micronaut.core.order.Ordered
+import io.micronaut.test.extensions.spock.annotation.MicronautTest
+import spock.lang.Specification
+
+import javax.inject.Inject
+
+@MicronautTest
+@Property(name = "grpc.server.security.jwt.enabled", value = "true")
+class GrpcServerSecurityJwtConfigurationOverrideSpec extends Specification {
+
+    @Inject
+    GrpcServerSecurityJwtConfiguration config
+
+    def "GRPC server security JWT configuration defaults override"() {
+        expect:
+        config.enabled
+        config.metadataKeyName == "JWT"
+        config.order == Ordered.HIGHEST_PRECEDENCE
+    }
+
+}

grpc-server-security-jwt/src/test/groovy/io/micronaut/grpc/server/security/jwt/GrpcServerSecurityJwtConfigurationSpec.groovy

@@ -0,0 +1,25 @@
+package io.micronaut.grpc.server.security.jwt
+
+import io.micronaut.context.annotation.Property
+import io.micronaut.test.extensions.spock.annotation.MicronautTest
+import spock.lang.Specification
+
+import javax.inject.Inject
+
+@MicronautTest
+@Property(name = "grpc.server.security.jwt.enabled", value = "true")
+@Property(name = "grpc.server.security.jwt.metadata-key-name", value = "AUTH")
+@Property(name = "grpc.server.security.jwt.order", value = "100")
+class GrpcServerSecurityJwtConfigurationSpec extends Specification {
+
+    @Inject
+    GrpcServerSecurityJwtConfiguration config
+
+    def "GRPC server security JWT configuration defaults override"() {
+        expect:
+        config.enabled
+        config.metadataKeyName == "AUTH"
+        config.order == 100
+    }
+
+}