Introduce Server Security JWT Support

gradle.properties

@@ -1,7 +1,9 @@
-projectVersion=2.3.1-SNAPSHOT
+projectVersion=2.4.0-SNAPSHOT
 micronautDocsVersion=1.0.24
 micronautBuildVersion=1.1.5
-micronautVersion=2.3.1
+micronautDiscoveryClientVersion=2.0.1
+micronautSecurityVersion=2.3.0
+micronautVersion=2.3.2
 micronautTestVersion=2.2.1
 groovyVersion=3.0.4
 spockVersion=2.0-M3-groovy-3.0

grpc-client-runtime/build.gradle

@@ -12,11 +12,11 @@ dependencies {
     api "io.grpc:grpc-protobuf:$grpcVersion"
     api "io.grpc:grpc-stub:$grpcVersion"
     implementation "io.grpc:grpc-netty:$grpcVersion"
-    compileOnly "io.micronaut.discovery:micronaut-discovery-client:2.2.4"
+    compileOnly "io.micronaut.discovery:micronaut-discovery-client:$micronautDiscoveryClientVersion"
     compileOnly "io.micronaut:micronaut-tracing:$micronautVersion"
     compileOnly 'io.opentracing.contrib:opentracing-grpc:0.2.3'
 
-    testImplementation "io.micronaut.discovery:micronaut-discovery-client:2.2.4"
+    testImplementation "io.micronaut.discovery:micronaut-discovery-client:$micronautDiscoveryClientVersion"
     testImplementation 'io.opentracing:opentracing-mock:0.33.0'
     testImplementation "io.micronaut:micronaut-tracing:$micronautVersion"
     testImplementation 'io.opentracing.contrib:opentracing-grpc:0.2.3'

grpc-server-runtime/build.gradle

@@ -12,12 +12,12 @@ dependencies {
     api "io.grpc:grpc-protobuf:$grpcVersion"
     api "io.grpc:grpc-stub:$grpcVersion"
 
-    compileOnly "io.micronaut.discovery:micronaut-discovery-client:2.2.4"
+    compileOnly "io.micronaut.discovery:micronaut-discovery-client:$micronautDiscoveryClientVersion"
     compileOnly "io.micronaut:micronaut-tracing:$micronautVersion"
     compileOnly "io.micronaut:micronaut-management"
     compileOnly 'io.opentracing.contrib:opentracing-grpc:0.2.3'
 
-    testImplementation "io.micronaut.discovery:micronaut-discovery-client:2.2.4"
+    testImplementation "io.micronaut.discovery:micronaut-discovery-client:$micronautDiscoveryClientVersion"
     testImplementation 'io.opentracing:opentracing-mock:0.33.0'
     testImplementation "io.micronaut:micronaut-tracing:$micronautVersion"
     testImplementation 'io.opentracing.contrib:opentracing-grpc:0.2.3'

grpc-server-security-jwt/build.gradle

@@ -0,0 +1,55 @@
+
+plugins {
+    id "net.ltgt.apt" version "0.21"
+    id 'com.google.protobuf' version '0.8.15'
+}
+
+dependencies {
+
+    annotationProcessor "io.micronaut:micronaut-inject-java:$micronautVersion"
+    testAnnotationProcessor "io.micronaut.security:micronaut-security-annotations:$micronautSecurityVersion"
+
+    api project(":grpc-server-runtime")
+    api "io.micronaut:micronaut-inject:$micronautVersion"
+    api "io.micronaut:micronaut-runtime:$micronautVersion"
+    api "com.nimbusds:nimbus-jose-jwt:9.4.2"
+
+    implementation("io.micronaut.security:micronaut-security-jwt:$micronautSecurityVersion") {
+        exclude group: 'io.micronaut', module: 'micronaut-http'
+        exclude group: 'io.micronaut', module: 'micronaut-http-server'
+    }
+
+    testImplementation "io.micronaut:micronaut-inject-groovy:$micronautVersion"
+    testImplementation "io.micronaut:micronaut-inject-java:$micronautVersion"
+    testImplementation "io.micronaut.test:micronaut-test-spock:$micronautTestVersion"
+
+}
+
+protobuf {
+    protoc { artifact = "com.google.protobuf:protoc:$protocVersion" }
+    plugins {
+        grpc { artifact = "io.grpc:protoc-gen-grpc-java:$grpcVersion" }
+    }
+    generateProtoTasks {
+        all()*.plugins { grpc {} }
+    }
+}
+
+sourceSets {
+    test {
+        java {
+            srcDirs 'build/generated/source/proto/test/grpc'
+            srcDirs 'build/generated/source/proto/test/java'
+        }
+    }
+}
+
+protobuf {
+    protoc { artifact = "com.google.protobuf:protoc:$protocVersion" }
+    plugins {
+        grpc { artifact = "io.grpc:protoc-gen-grpc-java:1.35.0" }
+    }
+    generateProtoTasks {
+        all()*.plugins { grpc {} }
+    }
+}

grpc-server-security-jwt/src/main/java/io/micronaut/grpc/server/security/jwt/GrpcServerSecurityJwtConfiguration.java

@@ -0,0 +1,107 @@
+/*
+ * Copyright 2017-2021 original authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.micronaut.grpc.server.security.jwt;
+
+import edu.umd.cs.findbugs.annotations.Nullable;
+import io.grpc.Status;
+import io.micronaut.context.annotation.ConfigurationProperties;
+import io.micronaut.context.annotation.Requires;
+import io.micronaut.core.bind.annotation.Bindable;
+import io.micronaut.core.order.Ordered;
+import io.micronaut.core.util.Toggleable;
+import io.micronaut.grpc.server.GrpcServerConfiguration;
+
+import javax.validation.constraints.NotBlank;
+import java.util.Collection;
+
+/**
+ * gRPC Security JWT configuration.
+ *
+ * @since 2.4.0
+ * @author Brian Wyka
+ */
+@ConfigurationProperties(GrpcServerSecurityJwtConfiguration.PREFIX)
+@Requires(property = GrpcServerSecurityJwtConfiguration.PREFIX + ".enabled", value = "true", defaultValue = "false")
+public interface GrpcServerSecurityJwtConfiguration extends Toggleable {
+
+    /**
+     * The configuration prefix.
+     */
+    String PREFIX = GrpcServerConfiguration.PREFIX + ".security.jwt";
+
+    /**
+     * The default name for the JWT metadata key.
+     */
+    String DEFAULT_METADATA_KEY_NAME = "JWT";
+
+    /**
+     * Whether or not JWT server interceptor is enabled.  Defaults to {@code false} if not configured.
+     *
+     * @return true if enabled, false otherwise
+     */
+    @Override
+    @Bindable(defaultValue = "false")
+    boolean isEnabled();
+
+    /**
+     * The order to be applied to the server interceptor in the interceptor chain.  Defaults
+     * to {@value io.micronaut.core.order.Ordered#HIGHEST_PRECEDENCE} if not configured.
+     *
+     * @return the order
+     */
+    @Bindable(defaultValue = "" + Ordered.HIGHEST_PRECEDENCE)
+    int getInterceptorOrder();
+
+    /**
+     * Get the list of fully qualified RPC method patterns which should be intercepted and interrogated for a valid JWT.
+     * If no values are provided, by default, all methods will be intercepted.
+     *
+     * @see io.grpc.MethodDescriptor#getFullMethodName()
+     *
+     * @return the intercept method names.
+     */
+    @Nullable
+    Collection<String> getInterceptMethodPatterns();
+
+    /**
+     * The {@link Status} returned by the interceptor when JWT is missing from metadata.
+     * The default value is {@link Status.Code#UNAUTHENTICATED}
+     *
+     * @return the status
+     */
+    @Bindable(defaultValue = "UNAUTHENTICATED")
+    Status.Code getMissingTokenStatus();
+
+    /**
+     * The {@link Status} returned by the interceptor when JWT validation fails. The
+     * default value is {@link Status.Code#PERMISSION_DENIED}
+     *
+     * @return the status
+     */
+    @Bindable(defaultValue = "PERMISSION_DENIED")
+    Status.Code getFailedValidationTokenStatus();
+
+    /**
+     * The name of the metadata key which holds the JWT.  Defaults
+     * to {@value #DEFAULT_METADATA_KEY_NAME} if not configured.
+     *
+     * @return the metadata key name
+     */
+    @NotBlank
+    @Bindable(defaultValue = DEFAULT_METADATA_KEY_NAME)
+    String getMetadataKeyName();
+
+}

grpc-server-security-jwt/src/main/java/io/micronaut/grpc/server/security/jwt/GrpcServerSecurityJwtInterceptorFactory.java

@@ -0,0 +1,64 @@
+/*
+ * Copyright 2017-2021 original authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.micronaut.grpc.server.security.jwt;
+
+import io.grpc.ServerInterceptor;
+import io.micronaut.context.annotation.Bean;
+import io.micronaut.context.annotation.Factory;
+import io.micronaut.context.annotation.Requires;
+import io.micronaut.grpc.server.security.jwt.interceptor.GrpcServerSecurityJwtInterceptor;
+import io.micronaut.security.token.jwt.encryption.EncryptionConfiguration;
+import io.micronaut.security.token.jwt.signature.SignatureConfiguration;
+import io.micronaut.security.token.jwt.validator.GenericJwtClaimsValidator;
+import io.micronaut.security.token.jwt.validator.JwtValidator;
+
+import javax.inject.Singleton;
+import java.util.Collection;
+
+/**
+ * Factory for creating instances of gRPC server security JWT interceptors.
+ *
+ * @since 2.4.0
+ * @author Brian Wyka
+ */
+@Factory
+@Requires(beans = GrpcServerSecurityJwtConfiguration.class)
+public class GrpcServerSecurityJwtInterceptorFactory {
+
+    /**
+     * Constructs an instance of {@link GrpcServerSecurityJwtInterceptor} based on configuration.
+     *
+     * @param grpcServerSecurityJwtConfiguration the gRPC server security JWT configuration
+     * @param signatureConfigurations the signature configurations
+     * @param encryptionConfigurations the encryption configurations
+     * @param genericJwtClaimsValidators the generic JWT claims validators
+     * @return the server interceptor bean
+     */
+    @Bean
+    @Singleton
+    public ServerInterceptor serverInterceptor(final GrpcServerSecurityJwtConfiguration grpcServerSecurityJwtConfiguration,
+                                               final Collection<SignatureConfiguration> signatureConfigurations,
+                                               final Collection<EncryptionConfiguration> encryptionConfigurations,
+                                               final Collection<GenericJwtClaimsValidator> genericJwtClaimsValidators) {
+        final JwtValidator jwtValidator = JwtValidator.builder()
+                .withSignatures(signatureConfigurations)
+                .withEncryptions(encryptionConfigurations)
+                .withClaimValidators(genericJwtClaimsValidators)
+                .build();
+        return new GrpcServerSecurityJwtInterceptor(grpcServerSecurityJwtConfiguration, jwtValidator);
+    }
+
+}

grpc-server-security-jwt/src/main/java/io/micronaut/grpc/server/security/jwt/interceptor/GrpcServerSecurityJwtInterceptor.java

@@ -0,0 +1,120 @@
+/*
+ * Copyright 2017-2021 original authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.micronaut.grpc.server.security.jwt.interceptor;
+
+import com.nimbusds.jwt.JWT;
+import io.grpc.ForwardingServerCallListener;
+import io.grpc.Metadata;
+import io.grpc.ServerCall;
+import io.grpc.ServerCallHandler;
+import io.grpc.ServerInterceptor;
+import io.grpc.Status;
+import io.micronaut.core.order.Ordered;
+import io.micronaut.core.util.CollectionUtils;
+import io.micronaut.grpc.server.security.jwt.GrpcServerSecurityJwtConfiguration;
+import io.micronaut.security.token.jwt.validator.JwtValidator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.Optional;
+
+
+/**
+ * gRPC Server Security JWT Interceptor.
+ *
+ * @since 2.4.0
+ * @author Brian Wyka
+ */
+public class GrpcServerSecurityJwtInterceptor implements ServerInterceptor, Ordered {
+
+    private static final Logger LOG = LoggerFactory.getLogger(GrpcServerSecurityJwtInterceptor.class);
+
+    private final GrpcServerSecurityJwtConfiguration config;
+    private final Metadata.Key<String> jwtMetadataKey;
+    private final JwtValidator jwtValidator;
+
+    /**
+     * Create the interceptor based on the configuration.
+     *
+     * @param config the gRPC Security JWT configuration
+     * @param validator the JWT validator
+     */
+    public GrpcServerSecurityJwtInterceptor(final GrpcServerSecurityJwtConfiguration config, final JwtValidator validator) {
+        this.config = config;
+        jwtMetadataKey = Metadata.Key.of(config.getMetadataKeyName(), Metadata.ASCII_STRING_MARSHALLER);
+        jwtValidator = validator;
+    }
+
+    /**
+     * Intercept the call to validate the JSON web token.  If the token is not present in the metadata, or
+     * if the token is not valid, this method will deny the request with a {@link io.grpc.StatusRuntimeException}.
+     *
+     * @param call the server call
+     * @param metadata the metadata
+     * @param next the next processor in the interceptor chain
+     * @param <T> the type of the server request
+     * @param <S> the type of the server response
+     * @throws io.grpc.StatusRuntimeException if token not present or invalid
+     */
+    @Override
+    public <T, S> ServerCall.Listener<T> interceptCall(final ServerCall<T, S> call, final Metadata metadata, final ServerCallHandler<T, S> next) {
+        final boolean validateAll = CollectionUtils.isEmpty(config.getInterceptMethodPatterns());
+        final boolean validateServiceMethod = validateAll || config.getInterceptMethodPatterns()
+                .stream()
+                .anyMatch(interceptMethodPattern -> call.getMethodDescriptor().getFullMethodName().matches(interceptMethodPattern));
+        if (!validateServiceMethod) {
+            // Forward to the next server interceptor without validation
+            LOG.debug("JWT validation is skipped due to 'intercept-method-patterns' configuration");
+            return new ForwardingServerCallListener.SimpleForwardingServerCallListener<T>(next.startCall(call, metadata)) { };
+        }
+        if (!metadata.containsKey(jwtMetadataKey)) {
+            final String message = String.format("%s key missing in gRPC metadata", jwtMetadataKey.name());
+            LOG.error(message);
+            throw Status.fromCode(config.getMissingTokenStatus()).withDescription(message).asRuntimeException();
+        }
+        final String jwt = metadata.get(jwtMetadataKey);
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("JWT: {}", jwt);
+        }
+        final Optional<JWT> jwtOptional = jwtValidator.validate(jwt, null); // We don't have an HttpRequest to send in here (hence null)
+        if (!jwtOptional.isPresent()) {
+            final String message = "JWT validation failed";
+            LOG.error(message);
+            throw Status.fromCode(config.getFailedValidationTokenStatus()).withDescription(message).asRuntimeException();
+        }
+        return new ForwardingServerCallListener.SimpleForwardingServerCallListener<T>(next.startCall(call, metadata)) { };
+    }
+
+    /**
+     * Get the metadata key.
+     *
+     * @return the metadata key
+     */
+    Metadata.Key<String> getMetadataKey() {
+        return jwtMetadataKey;
+    }
+
+    /**
+     * Get the order for this interceptor within the interceptor chain.
+     *
+     * @return the order
+     */
+    @Override
+    public int getOrder() {
+        return config.getInterceptorOrder();
+    }
+
+}