docs

Author: Alexander Furer

.gitignore

@@ -8,4 +8,5 @@ gradle-app.setting
 bin/
 !/.gitignore
 !/.travis.yml
-out/
+out/
+/grpc-spring-boot-starter/changelog

README.adoc

@@ -219,6 +219,17 @@ The annotation on java config factory method is also supported :
  }
 ----
 
+The particular service also has the opportunity to disable the global interceptors :
+
+[source,java]
+----
+@GRpcService(applyGlobalInterceptors = false)
+public  class GreeterService extends  GreeterGrpc.GreeterImplBase{
+    // ommited
+}
+----
+==== Interceptors ordering
+
 Global interceptors can be ordered using Spring's `@Ordered` or `@Priority` annotations.
 Following Spring's ordering semantics, lower order values have higher priority and will be executed first in the interceptor chain.
 
@@ -237,15 +248,33 @@ public  class B implements ServerInterceptor{
 }
 ----
 
-The particular service also has the opportunity to disable the global interceptors :
+The starter uses built-in interceptors to implement Spring `Security`, `Validation` and `Metrics` integration.
+Their order can also be controlled by below properties :
+
+* `grpc.security.auth.interceptor-order` ( defaults to `Ordered.HIGHEST_PRECEDENCE`)
+* `grpc.validation.interceptor-order` ( defaults to `Ordered.HIGHEST_PRECEDENCE+10`)
+* `grpc.metrics.interceptor-order` ( defaults to `Ordered.HIGHEST_PRECEDENCE+20`)
+
+This gives you the ability to setup the desired order of built-in and your custom interceptors.
+
+*Keep on reading !!! There is more*
+
+The way grpc interceptor works is that it intercepts the call and returns the server call listener, which in turn can intercept the request message as well, before forwarding it to the actual service call handler :
+
+`interceptor_1(interceptCall)` -> `interceptor_2(interceptCall)` -> `interceptor_3(interceptCall)` -> `interceptor_1(On_Message)`-> `interceptor_2(On_Message)`-> `interceptor_3(On_Message)`-> `actual service call`
+
+By setting  `grpc.security.auth.fail-fast`  property to `false` all downstream interceptors as well as all upstream interceptors (On_Message) will still be executed +
+
+So, for failed authentication/authorization with +
+`grpc.security.auth.fail-fast=true`(default): +
+
+`interceptor_1(interceptCall)` -> `securityInterceptor(interceptCall)` - *Call is Closed* [.line-through]#-> `interceptor_3(interceptCall)` -> `interceptor_1(On_Message)`-> `securityInterceptor(On_Message)`-> `interceptor_3(On_Message)`-> `actual service call`#
+
+And  for failed authentication/authorization with +
+`grpc.security.auth.fail-fast=false`: +
+
+`interceptor_1(interceptCall)` -> `securityInterceptor(interceptCall)` -> `interceptor_3(interceptCall)` -> `interceptor_1(On_Message)`-> `securityInterceptor(On_Message)` - *Call is Closed*-> [.line-through]#`interceptor_3(On_Message)`-> `actual service call`#
 
-[source,java]
-----
-@GRpcService(applyGlobalInterceptors = false)
-public  class GreeterService extends  GreeterGrpc.GreeterImplBase{
-    // ommited
-}
-----
 === Distributed tracing support (Spring Cloud Sleuth integration)
 
 This started is *natively* supported by `spring-cloud-sleuth` project. +
@@ -264,8 +293,20 @@ the starter will collect gRPC server metrics , broken down by
 After configuring the exporter of your https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-metrics[choice],
 you should see the `timer` named `grpc.server.calls`.
 
+==== Custom tags support
+
+By defining `GRpcMetricsTagsContributor` bean in your application context, you can add custom tags to the `grpc.server.calls` timer. +
+You can also use `RequestAwareGRpcMetricsTagsContributor` bean to tag *unary* calls. +
+Demo is https://github.com/LogNet/grpc-spring-boot-starter/blob/master/grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/GrpcMeterTest.java[here]
 
+[TIP]
+Keep the dispersion low not to blow up the cardinality of the metric.
 
+`RequestAwareGRpcMetricsTagsContributor` can be still executed for failed authentication if `metric` interceptor has higher precedence than `security` interceptor and   `grpc.security.auth.fail-fast` set to `false`. +
+This case is covered by link:grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/MetricWithSecurityTest.java[this] test. +
+
+[TIP]
+Make sure to read <<Interceptors ordering>> chapter.
 
 === Spring Boot Validation support
 
@@ -399,6 +440,12 @@ Note also custom cross-field link:grpc-spring-boot-starter-demo/src/main/java/or
 </bean>
 ----
 
+As described in  <<Interceptors ordering>> chapter, you can give `validation` interceptor the higher precedence than `security` interceptor and set `grpc.security.auth.fail-fast` property to `false`. +
+In this scenario, if call is both unauthenticated and invalid, the client will get `Status.INVALID_ARGUMENT` instead of `Status.PERMISSION_DENIED/Status.UNAUTHENTICATED` response status.
+
+By adding `GRpcErrorHandler` bean to your application, you get  a chance to send your custom response headers. The error handler will be called with `Status.INVALID_ARGUMENT` and incoming request message that is failed.
+
+
 == Spring Security Integration
 
 === Setup
@@ -527,6 +574,14 @@ final Authentication auth = GrpcSecurity.AUTHENTICATION_CONTEXT_KEY.get();
 ----
 
 
+=== Custom  authentication failure handling
+
+By adding `GRpcErrorHandler` bean to your application, you get  a chance to provide your custom response headers. The error handler will be called with `Status.PERMISSION_DENIED/Status.UNAUTHENTICATED` (and incoming request message , if you set `grpc.security.auth.fail-fast` property to `false`). +
+The demo is link:grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/auth/JwtRoleTest.java[here]
+
+
+
+
 
 === Client side configuration support
 

grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/MetricWithSecurityTest.java

@@ -0,0 +1,144 @@
+package org.lognet.springboot.grpc;
+
+
+import io.grpc.Status;
+import io.grpc.StatusRuntimeException;
+import io.grpc.examples.GreeterGrpc;
+import io.grpc.examples.GreeterOuterClass;
+import io.micrometer.core.instrument.MeterRegistry;
+import io.micrometer.core.instrument.Timer;
+import io.micrometer.core.instrument.simple.SimpleConfig;
+import org.awaitility.Awaitility;
+import org.hamcrest.Matchers;
+import org.junit.runner.RunWith;
+import org.lognet.springboot.grpc.demo.DemoApp;
+import org.lognet.springboot.grpc.security.AuthCallCredentials;
+import org.lognet.springboot.grpc.security.AuthHeader;
+import org.lognet.springboot.grpc.security.EnableGrpcSecurity;
+import org.lognet.springboot.grpc.security.GrpcSecurity;
+import org.lognet.springboot.grpc.security.GrpcSecurityConfigurerAdapter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.context.TestConfiguration;
+import org.springframework.context.annotation.Import;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import java.time.Duration;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.notNullValue;
+import static org.junit.Assert.assertThrows;
+
+
+@SpringBootTest(classes = DemoApp.class
+        ,properties = {
+                "grpc.security.auth.fail-fast=false", // give metric interceptor a chance to record failed authentication
+                "grpc.security.auth.interceptor-order=4",
+                "grpc.metrics.interceptor-order=2",  
+        }
+        )
+@RunWith(SpringRunner.class)
+@Import({MetricWithSecurityTest.TestCfg.class})
+@ActiveProfiles("measure")
+public class MetricWithSecurityTest extends GrpcServerTestBase {
+
+
+    @Autowired
+    private MeterRegistry registry;
+
+
+
+    @Autowired
+    private SimpleConfig registryConfig;
+
+
+   // @Test
+    public void validationShouldInvokedBeforeAuthTest() {
+        final GreeterGrpc.GreeterBlockingStub stub = GreeterGrpc.newBlockingStub(super.getChannel());
+        StatusRuntimeException e = assertThrows(StatusRuntimeException.class, () -> {
+            stub.helloPersonValidResponse(GreeterOuterClass.Person.newBuilder()
+                    .setAge(49)// valid
+                    .clearName()//invalid
+                    .build());
+        });
+
+        assertThat(e.getStatus().getCode(), Matchers.is(Status.Code.INVALID_ARGUMENT));
+
+
+    }
+
+    @Override
+    public void simpleGreeting() throws ExecutionException, InterruptedException {
+        AuthCallCredentials callCredentials = new AuthCallCredentials(
+                AuthHeader.builder().basic("user","pwd".getBytes())
+        );
+
+        final GreeterGrpc.GreeterBlockingStub greeterFutureStub = GreeterGrpc.newBlockingStub(selectedChanel);
+        StatusRuntimeException e = assertThrows(StatusRuntimeException.class, () -> {
+
+            greeterFutureStub
+                    .withCallCredentials(callCredentials)
+                .sayHello(GreeterOuterClass.HelloRequest.newBuilder().setName(name).build());
+        });
+        assertThat(e.getStatus().getCode(),Matchers.is(Status.Code.UNAUTHENTICATED));
+
+        final Timer timer = registry.find("grpc.server.calls").timer();
+        assertThat(timer,notNullValue(Timer.class));
+
+        Awaitility
+                .waitAtMost(Duration.ofMillis(registryConfig.step().toMillis() * 2))
+                .until(timer::count,greaterThan(0L));
+
+        assertThat(timer.max(TimeUnit.MILLISECONDS),greaterThan(0d));
+        assertThat(timer.mean(TimeUnit.MILLISECONDS),greaterThan(0d));
+        assertThat(timer.totalTime(TimeUnit.MILLISECONDS),greaterThan(0d));
+
+
+
+        final String resultTag = timer.getId().getTag("result");
+        assertThat(resultTag,notNullValue());
+        assertThat(resultTag,is(Status.UNAUTHENTICATED.getCode().name()));
+    }
+
+    @TestConfiguration
+    @EnableGrpcSecurity
+    static class TestCfg extends GrpcSecurityConfigurerAdapter {
+            @Override
+            public void configure(GrpcSecurity builder) throws Exception {
+
+                builder.authorizeRequests()
+                        .anyMethod().authenticated()
+                        .and()
+                        .authenticationProvider(new AuthenticationProvider() {
+                            @Override
+                            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+                                throw  new BadCredentialsException("");
+                            }
+
+                            @Override
+                            public boolean supports(Class<?> authentication) {
+                                return true;
+                            }
+                        })
+                        .userDetailsService(new InMemoryUserDetailsManager());
+            }
+
+
+
+    }
+
+
+
+
+
+}

grpc-spring-boot-starter/build.gradle

@@ -8,7 +8,9 @@ buildscript {
         classpath "io.franzbecker:gradle-lombok:4.0.0"
     }
 }
-
+plugins {
+    id "de.undercouch.download" version "4.1.1"
+}
 apply plugin: 'java'
 apply plugin: 'org.springframework.boot'
 apply plugin: 'io.spring.dependency-management'
@@ -23,6 +25,29 @@ dependencyManagement {
         mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
     }
 }
+task generateReleaseNotes(type: JavaExec, group: "documentation") {
+    def m =  java.util.regex.Pattern.compile("(\\d+\\.\\d+\\.\\d+).*").matcher(version.toString())
+    def milestoneLabel = ""
+    if(m.find()) {
+         milestoneLabel  = m.group(1)
+    }
+
+    def generator = file("changelog/github-changelog-generator.jar")
+    classpath(generator.absolutePath)
+    args  (
+            milestoneLabel
+            ,"changelog/changelog.md"
+            , "--changelog.repository=LogNet/grpc-spring-boot-starter"
+    )
+    doFirst {
+        download {
+            src 'https://github.com/spring-io/github-changelog-generator/releases/download/v0.0.6/github-changelog-generator.jar'
+            dest generator
+            onlyIfModified true
+        }
+    }
+}
+
 task delombok(type: io.franzbecker.gradle.lombok.task.DelombokTask) {
     def outputDir = file("$buildDir/delombok")
     outputs.dir(outputDir)

grpc-spring-boot-starter/src/main/java/org/lognet/springboot/grpc/FailureHandlingServerInterceptor.java

@@ -4,9 +4,10 @@
 import io.grpc.ServerCall;
 import io.grpc.ServerInterceptor;
 import io.grpc.Status;
+import io.grpc.StatusRuntimeException;
 
 public interface FailureHandlingServerInterceptor extends ServerInterceptor {
-    default   void closeCall(Object o, GRpcErrorHandler errorHandler, ServerCall<?, ?> call, Metadata headers, final Status status, Exception exception){
+    default StatusRuntimeException closeCall(Object o, GRpcErrorHandler errorHandler, ServerCall<?, ?> call, Metadata headers, final Status status, Exception exception){
 
         final Metadata responseHeaders = new Metadata();
         Status statusToSend;
@@ -17,5 +18,7 @@ default   void closeCall(Object o, GRpcErrorHandler errorHandler, ServerCall<?,
         }
 
         call.close(statusToSend, responseHeaders);
+        return statusToSend.asRuntimeException(responseHeaders);
+
     }
 }

grpc-spring-boot-starter/src/main/java/org/lognet/springboot/grpc/autoconfigure/metrics/GRpcMetricsAutoConfiguration.java

@@ -35,6 +35,7 @@
 import java.util.Collection;
 import java.util.List;
 import java.util.Optional;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import java.util.stream.StreamSupport;
@@ -71,6 +72,7 @@ static class MonitoringServerCall<ReqT, RespT> extends ForwardingServerCall.Simp
 
         private Collection<GRpcMetricsTagsContributor> tagsContributors;
         private  List<Tag> additionalTags;
+        private AtomicBoolean closed = new AtomicBoolean(false);
 
 
 
@@ -84,14 +86,17 @@ protected MonitoringServerCall(ServerCall<ReqT, RespT> delegate, MeterRegistry r
         @Override
         public void close(Status status, Metadata trailers) {
 
-            final Timer.Builder timerBuilder = Timer.builder("grpc.server.calls");
-            tagsContributors.forEach(c->
-                timerBuilder.tags(c.getTags(status,getMethodDescriptor(),getAttributes()))
-            );
-            Optional.ofNullable(additionalTags)
-                    .ifPresent(timerBuilder::tags);
+            if(closed.compareAndSet(false,true)){ //close is called twice , first time with actual status
+                final Timer.Builder timerBuilder = Timer.builder("grpc.server.calls");
+                tagsContributors.forEach(c->
+                        timerBuilder.tags(c.getTags(status,getMethodDescriptor(),getAttributes()))
+                );
+                Optional.ofNullable(additionalTags)
+                        .ifPresent(timerBuilder::tags);
+
+                start.stop(timerBuilder.register(registry));
+            }
 
-            start.stop(timerBuilder.register(registry));
 
             super.close(status, trailers);
         }

grpc-spring-boot-starter/src/main/java/org/lognet/springboot/grpc/security/SecurityInterceptor.java

@@ -110,16 +110,15 @@ public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
     private <RespT, ReqT> ServerCall.Listener<ReqT> fail(ServerCallHandler<ReqT, RespT> next, ServerCall<ReqT, RespT> call, Metadata headers,final Status status, Exception exception) {
 
         if (authCfg.isFailFast()) {
-            closeCall(null,errorHandler,call,headers,status,exception);
-            return new ServerCall.Listener<ReqT>() {
-                // noop
-            };
+            throw closeCall(null,errorHandler,call,headers,status,exception);
+
         } else {
 
            return new ForwardingServerCallListener.SimpleForwardingServerCallListener<ReqT>(next.startCall(call,headers))  {
                 @Override
                 public void onMessage(ReqT message) {
-                    closeCall(message,errorHandler,call,headers,status,exception);
+                   throw  closeCall(message, errorHandler, call, headers, status, exception);
+
 
                 }
             };