TLS support

Author: Alexander Furer

README.adoc

@@ -186,6 +186,34 @@ public  class GreeterService extends  GreeterGrpc.GreeterImplBase{
 }
 ----
 
+=== Transport Security (TLS)
+
+The transport security can be configured using root certificate and it's private key paths:
+
+[source,yaml]
+----
+ grpc:
+    security:
+      cert-chain: classpath:cert/server-cert.pem
+      private-key: file:../grpc-spring-boot-starter-demo/src/test/resources/cert/server-key.pem
+----
+
+The value of both properties is in form supported by https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/core/io/ResourceEditor.html[ResourceEditor]. +
+
+The client side should be configured accordingly :
+
+[source,java]
+----
+((NettyChannelBuilder)channelBuilder)
+ .useTransportSecurity()
+ .sslContext(GrpcSslContexts.forClient().trustManager(certChain).build());
+----
+
+This starter will pull the `io.netty:netty-tcnative-boringssl-static` dependency by default to support SSL. +
+If  you need another SSL/TLS support, please exclude this dependency and follow https://github.com/grpc/grpc-java/blob/master/SECURITY.md[Security Guide].
+
+[NOTE]
+If the more detailed tuning is needed for security setup, please use custom configurer described in <<Custom gRPC Server Configuration>>
 
 === Custom gRPC Server Configuration
 
@@ -205,6 +233,10 @@ public class MyGRpcServerBuilderConfigurer extends GRpcServerBuilderConfigurer{
                 .decompressorRegistry(YOUR DECOMPRESSION REGISTRY)
                 .useTransportSecurity(YOUR TRANSPORT SECURITY SETTINGS);
             ((NettyServerBuilder)serverBuilder)// cast to NettyServerBuilder (which is the default server) for further customization
+                    .sslContext(GrpcSslContexts  // security fine tuning
+                                    .forServer(...)
+                                    .trustManager(...)
+                                    .build())
                     .maxConnectionAge(...)
                     .maxConnectionAgeGrace(...);
 

build.gradle

@@ -2,7 +2,7 @@ buildscript {
     ext {
         springBoot_1_X_Version = '1.5.13.RELEASE'
         springBoot_2_X_Version = '2.1.3.RELEASE'
-        grpcVersion = '1.21.0'
+        grpcVersion = '1.22.1'
     }
     repositories {
         mavenCentral()

grpc-spring-boot-starter-demo/src/main/protoGen/io/grpc/examples/CalculatorGrpc.java

@@ -10,7 +10,7 @@
 /**
  */
 @javax.annotation.Generated(
-    value = "by gRPC proto compiler (version 1.21.0)",
+    value = "by gRPC proto compiler (version 1.22.1)",
     comments = "Source: calculator.proto")
 public final class CalculatorGrpc {
 

grpc-spring-boot-starter-demo/src/main/protoGen/io/grpc/examples/GreeterGrpc.java

@@ -13,7 +13,7 @@
  * </pre>
  */
 @javax.annotation.Generated(
-    value = "by gRPC proto compiler (version 1.21.0)",
+    value = "by gRPC proto compiler (version 1.22.1)",
     comments = "Source: greeter.proto")
 public final class GreeterGrpc {
 

grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/GrpcBuggySecuritySettingsTest.java

@@ -0,0 +1,39 @@
+package org.lognet.springboot.grpc;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.lognet.springboot.grpc.demo.DemoApp;
+import org.lognet.springboot.rules.ExpectedStartupExceptionWithInspector;
+import org.lognet.springboot.rules.SpringRunnerWithGlobalExpectedExceptionInspected;
+import org.springframework.beans.factory.BeanCreationException;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.ActiveProfiles;
+
+import java.util.function.Predicate;
+
+import static org.springframework.boot.test.context.SpringBootTest.WebEnvironment.NONE;
+
+
+@RunWith(SpringRunnerWithGlobalExpectedExceptionInspected.class)
+@SpringBootTest(classes = {DemoApp.class}, webEnvironment = NONE)
+@ActiveProfiles("buggy-security")
+@ExpectedStartupExceptionWithInspector(GrpcBuggySecuritySettingsTest.ExceptionInspector.class)
+public class GrpcBuggySecuritySettingsTest extends GrpcServerTestBase {
+    @Test
+    public void contextFails() {
+    }
+
+    public static class ExceptionInspector implements Predicate<Throwable> {
+
+        @Override
+        public boolean test(Throwable throwable) {
+            Throwable rootCause = throwable;
+            while (rootCause.getCause() != null && rootCause.getCause() != rootCause) {
+                rootCause = rootCause.getCause();
+            }
+            return rootCause instanceof BeanCreationException;
+        }
+
+    }
+
+}

grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/GrpcSecurityTest.java

@@ -0,0 +1,17 @@
+package org.lognet.springboot.grpc;
+
+import org.junit.runner.RunWith;
+import org.lognet.springboot.grpc.demo.DemoApp;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import static org.springframework.boot.test.context.SpringBootTest.WebEnvironment.NONE;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(classes = {DemoApp.class}, webEnvironment = NONE)
+@ActiveProfiles("security")
+public class GrpcSecurityTest extends GrpcServerTestBase {
+
+
+}

grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/GrpcServerTestBase.java

@@ -5,6 +5,8 @@
 import io.grpc.examples.GreeterGrpc;
 import io.grpc.examples.GreeterOuterClass;
 import io.grpc.inprocess.InProcessChannelBuilder;
+import io.grpc.netty.GrpcSslContexts;
+import io.grpc.netty.NettyChannelBuilder;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -13,8 +15,10 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.ApplicationContext;
+import org.springframework.core.io.Resource;
 import org.springframework.util.StringUtils;
 
+import java.io.IOException;
 import java.util.Optional;
 import java.util.concurrent.ExecutionException;
 
@@ -45,11 +49,22 @@ public abstract class GrpcServerTestBase {
     protected GRpcServerProperties gRpcServerProperties;
 
     @Before
-    public final void setupChannels() {
+    public final void setupChannels() throws IOException {
         if(gRpcServerProperties.isEnabled()) {
-            channel = onChannelBuild(ManagedChannelBuilder.forAddress("localhost",getPort() )
-                    .usePlaintext()
-                    ).build();
+            ManagedChannelBuilder<?> channelBuilder = ManagedChannelBuilder.forAddress("localhost", getPort());
+            Resource certChain = Optional.ofNullable(gRpcServerProperties.getSecurity())
+                    .map(GRpcServerProperties.SecurityProperties::getCertChain)
+                    .orElse(null);
+            if(null!= certChain){
+                ((NettyChannelBuilder)channelBuilder)
+                        .useTransportSecurity()
+                        .sslContext(GrpcSslContexts.forClient().trustManager(certChain.getInputStream()).build());
+            }else{
+                channelBuilder.usePlaintext();
+            }
+
+
+            channel = onChannelBuild(channelBuilder).build();
         }
         if(StringUtils.hasText(gRpcServerProperties.getInProcessServerName())){
             inProcChannel = onChannelBuild(

grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/rules/ExpectExceptionWithPredicate.java

@@ -0,0 +1,35 @@
+package org.lognet.springboot.rules;
+
+import org.junit.AssumptionViolatedException;
+import org.junit.runners.model.Statement;
+
+import java.util.function.Predicate;
+
+public class ExpectExceptionWithPredicate extends Statement {
+    private Predicate<Throwable> inspector;
+    private Statement next;
+
+    public ExpectExceptionWithPredicate(Statement next, Predicate<Throwable> inspector) {
+        this.next = next;
+        this.inspector = inspector;
+    }
+
+    @Override
+    public void evaluate() throws Throwable {
+        boolean complete = false;
+        try {
+            next.evaluate();
+            complete = true;
+        } catch (AssumptionViolatedException e) {
+            throw e;
+        } catch (Throwable e) {
+            if (!inspector.test(e)) {
+                String message = "Unexpected exception, " + inspector.getClass().getName() + " returned false";
+                throw new Exception(message, e);
+            }
+        }
+        if (complete) {
+            throw new AssertionError("Expected exception");
+        }
+    }
+}

grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/rules/ExpectedStartupExceptionWithInspector.java

@@ -0,0 +1,17 @@
+package org.lognet.springboot.rules;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+import java.util.function.Predicate;
+
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.TYPE;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+@Retention(RUNTIME)
+@Target({ TYPE, METHOD })
+
+public @interface ExpectedStartupExceptionWithInspector {
+
+    Class<? extends Predicate<Throwable>> value();
+}

grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/rules/SpringRunnerWithGlobalExpectedExceptionInspected.java

@@ -0,0 +1,36 @@
+package org.lognet.springboot.rules;
+
+import org.junit.internal.runners.statements.Fail;
+import org.junit.runners.model.FrameworkMethod;
+import org.junit.runners.model.InitializationError;
+import org.junit.runners.model.Statement;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+import java.util.function.Predicate;
+
+
+
+public class SpringRunnerWithGlobalExpectedExceptionInspected extends SpringJUnit4ClassRunner {
+    private Class<? extends Predicate<Throwable>> expectedExceptionInspector;
+
+    public SpringRunnerWithGlobalExpectedExceptionInspected(Class<?> clazz) throws InitializationError {
+        super(clazz);
+        ExpectedStartupExceptionWithInspector annotation = clazz.getAnnotation(ExpectedStartupExceptionWithInspector.class);
+        if (annotation != null) {
+            expectedExceptionInspector = annotation.value();
+        } else {
+            throw new IllegalArgumentException("Missing " + ExpectedStartupExceptionWithInspector.class.getName() + " on " + clazz.getName());
+        }
+    }
+
+    @Override
+    protected Statement methodBlock(FrameworkMethod frameworkMethod) {
+        Statement result = super.methodBlock(frameworkMethod);
+        try {
+            return new ExpectExceptionWithPredicate(result, expectedExceptionInspector.newInstance());
+        } catch (InstantiationException | IllegalAccessException e) {
+            return new Fail(e);
+        }
+    }
+
+}