fixes #178

Author: Alexander Furer

README.adoc

@@ -532,7 +532,8 @@ class MyClient{
         final AuthClientInterceptor clientInterceptor = new AuthClientInterceptor(<1>
                 AuthHeader.builder()
                     .bearer()
-                    .tokenSupplier(this::generateToken)<3>
+                    .binaryFormat(true)<3>
+                    .tokenSupplier(this::generateToken)<4>
         );
 
         Channel authenticatedChannel = ClientInterceptors.intercept(
@@ -541,14 +542,18 @@ class MyClient{
         // use authenticatedChannel to invoke GRPC service
     }
 
-     private ByteBuffer generateToken(){ <3>
+     private ByteBuffer generateToken(){ <4>
          // generate bearer token against your resource server
      }
  }
 ----
 <1> Create client interceptor
 <2> Intercept channel
-<3> Provide token generator function (Please refer to link:grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/auth/JwtAuthBaseTest.java[for example].)
+<3> Turn the binary format on/off: +
+* When `true`, the authentication header is sent with  `Authentication-bin` key using https://grpc.github.io/grpc-java/javadoc/io/grpc/Metadata.BinaryMarshaller.html[binary marshaller].
+* When `false`, the authentication header is sent with  `Authentication` key using https://grpc.github.io/grpc-java/javadoc/io/grpc/Metadata.AsciiMarshaller.html[ASCII marshaller].
+
+<4> Provide token generator function (Please refer to link:grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/auth/JwtAuthBaseTest.java[for example].)
 
 Per-call::
 +

ReleaseNotes.adoc

@@ -1,3 +1,7 @@
+== Version 4.4.3-SNAPSHOT
+* Fixes *178
+* gRPC response status set to `PERMISSION_DENIED` when user has insufficient privileges to invoke gRPC method.
+
 == Version 4.4.2
 * Spring Boot `2.4.1`
 * Spring Cloud `2020.0.0`

grpc-client-spring-boot-starter/src/main/java/org/lognet/springboot/grpc/security/AuthHeader.java

@@ -11,6 +11,8 @@
 public class AuthHeader implements Constants {
     private final Supplier<ByteBuffer> tokenSupplier;
     private final String authScheme;
+    @Builder.Default
+    private final boolean binaryFormat = true;
 
     public static class AuthHeaderBuilder {
 
@@ -35,14 +37,19 @@ public AuthHeader.AuthHeaderBuilder basic(String userName, byte[] password) {
 
 
     }
+
     public Metadata attach(Metadata metadataHeader){
         ByteBuffer token = tokenSupplier.get();
         final byte[] header = ByteBuffer.allocate(authScheme.length() + token.remaining() + 1)
                 .put(authScheme.getBytes())
                 .put((byte)' ')
                 .put(token)
                 .array();
-        metadataHeader.put(Constants.AUTH_HEADER_KEY,header);
+        if(binaryFormat) {
+            metadataHeader.put(Constants.AUTH_HEADER_BIN_KEY, header);
+        }else{
+            metadataHeader.put(Constants.AUTH_HEADER_KEY, new String(header));
+        }
         return metadataHeader;
     }
 }

grpc-client-spring-boot-starter/src/main/java/org/lognet/springboot/grpc/security/Constants.java

@@ -4,7 +4,9 @@
 
 
 public  interface Constants {
-    Metadata.Key<byte[]> AUTH_HEADER_KEY = Metadata.Key.of("Authorization"+Metadata.BINARY_HEADER_SUFFIX, Metadata.BINARY_BYTE_MARSHALLER);
+
+    Metadata.Key<String> AUTH_HEADER_KEY = Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER);
+    Metadata.Key<byte[]> AUTH_HEADER_BIN_KEY = Metadata.Key.of(AUTH_HEADER_KEY.name()+Metadata.BINARY_HEADER_SUFFIX, Metadata.BINARY_BYTE_MARSHALLER);
     String BEARER_AUTH_SCHEME="Bearer";
     String BASIC_AUTH_SCHEME="Basic";
 

grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/auth/JwtRoleTest.java

@@ -1,6 +1,7 @@
 package org.lognet.springboot.grpc.auth;
 
 
+import io.grpc.Status;
 import io.grpc.StatusRuntimeException;
 import io.grpc.examples.CalculatorGrpc;
 import io.grpc.examples.CalculatorOuterClass;
@@ -139,7 +140,7 @@ public void shouldFail() {
                     .setOperation(CalculatorOuterClass.CalculatorRequest.OperationType.ADD)
                     .build());
         });
-        assertThat(statusRuntimeException.getMessage(), Matchers.containsString("UNAUTHENTICATED"));
+        assertThat(statusRuntimeException.getStatus().getCode(), Matchers.is(Status.Code.PERMISSION_DENIED));
 
 
     }

grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/auth/UserDetailsAuthTest.java

@@ -1,8 +1,10 @@
 package org.lognet.springboot.grpc.auth;
 
 
+import com.google.protobuf.Empty;
 import io.grpc.Channel;
 import io.grpc.ClientInterceptors;
+import io.grpc.Status;
 import io.grpc.StatusRuntimeException;
 import io.grpc.examples.CalculatorGrpc;
 import io.grpc.examples.CalculatorOuterClass;
@@ -27,15 +29,18 @@
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
-import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.junit4.SpringRunner;
 
+import java.util.concurrent.ExecutionException;
+
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertThrows;
+import static org.junit.Assert.assertTrue;
 
 
 @SpringBootTest(classes = DemoApp.class)
-@ActiveProfiles("keycloack-test")
+//@ActiveProfiles("keycloack-test")
 @RunWith(SpringRunner.class)
 @Import({UserDetailsAuthTest.TestCfg.class})
 public class UserDetailsAuthTest extends GrpcServerTestBase {
@@ -70,6 +75,7 @@ public void configure(GrpcSecurity builder) throws Exception {
 
                 builder.authorizeRequests()
                         .methods(GreeterGrpc.getSayHelloMethod()).hasAnyRole("reader")
+                        .methods(GreeterGrpc.getSayAuthOnlyHelloMethod()).hasAnyRole("reader")
                         .methods(CalculatorGrpc.getCalculateMethod()).hasAnyRole("anotherRole")
                         .and()
                         .userDetailsService(new InMemoryUserDetailsManager(user()));
@@ -85,6 +91,19 @@ public void configure(GrpcSecurity builder) throws Exception {
     private UserDetails user;
 
 
+    @Test
+    public void simpleAuthHeaderFormat() throws ExecutionException, InterruptedException {
+
+
+
+        final GreeterGrpc.GreeterFutureStub greeterFutureStub = GreeterGrpc.newFutureStub(getChannel(false));
+        final String reply = greeterFutureStub.sayAuthOnlyHello(Empty.newBuilder().build()).get().getMessage();
+        assertNotNull("Reply should not be null",reply);
+        assertTrue(String.format("Reply should contain name '%s'",user.getUsername()),reply.contains(user.getUsername()));
+
+
+    }
+
     @Test
     public void shouldFail() {
 
@@ -95,17 +114,21 @@ public void shouldFail() {
                     .setOperation(CalculatorOuterClass.CalculatorRequest.OperationType.ADD)
                     .build());
         });
-        assertThat(statusRuntimeException.getMessage(), Matchers.containsString("UNAUTHENTICATED"));
-
+        assertThat(statusRuntimeException.getStatus().getCode(), Matchers.is(Status.Code.PERMISSION_DENIED));
 
     }
 
     @Override
     protected Channel getChannel() {
+       return getChannel(true);
+    }
+
+    protected Channel getChannel(boolean binaryFormat) {
 
         final AuthClientInterceptor interceptor = new AuthClientInterceptor(AuthHeader.builder()
                 .basic(user.getUsername(),TestCfg.DemoGrpcSecurityConfig.pwd.getBytes())
-                );
+                .binaryFormat(binaryFormat)
+        );
         return ClientInterceptors.intercept(super.getChannel(), interceptor);
     }
 

grpc-spring-boot-starter/src/main/java/org/lognet/springboot/grpc/security/SecurityInterceptor.java

@@ -10,13 +10,15 @@
 import io.grpc.Status;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.core.Ordered;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
+import java.util.Optional;
 
 @Slf4j
 public class SecurityInterceptor extends AbstractSecurityInterceptor implements ServerInterceptor, Ordered {
@@ -52,16 +54,15 @@ public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
             ServerCallHandler<ReqT, RespT> next) {
 
 
+        final CharSequence authorization = Optional.ofNullable(headers.get(Metadata.Key.of("Authorization" + Metadata.BINARY_HEADER_SUFFIX, Metadata.BINARY_BYTE_MARSHALLER)))
+                .map(auth -> (CharSequence)StandardCharsets.UTF_8.decode(ByteBuffer.wrap(auth)))
+                .orElse(headers.get(Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER)));
 
-        final byte[] authorization = headers.get(Metadata.Key.of("Authorization"+Metadata.BINARY_HEADER_SUFFIX, Metadata.BINARY_BYTE_MARSHALLER));
 
 
         final Authentication authentication = null==authorization?null:
-                schemeSelector.getAuthScheme(StandardCharsets.UTF_8.decode(ByteBuffer.wrap(authorization)))
-                .orElseThrow(()->new RuntimeException("Can't get authentication from authorization header"));
-
-
-
+                schemeSelector.getAuthScheme(authorization)
+                        .orElseThrow(()->new RuntimeException("Can't get authentication from authorization header"));
 
 
         try {
@@ -75,9 +76,12 @@ public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
                     .withValue(GrpcSecurity.AUTHENTICATION_CONTEXT_KEY, SecurityContextHolder.getContext().getAuthentication());
 
             return  Contexts.interceptCall(ctx,call,headers,next);
+        } catch (AccessDeniedException e) {
+            call.close(Status.PERMISSION_DENIED.withDescription(e.getMessage()), new Metadata());
+            return new ServerCall.Listener<ReqT>() {
+                // noop
+            };
         } catch (Exception e) {
-
-
             call.close(Status.UNAUTHENTICATED.withDescription(e.getMessage()), new Metadata());
             return new ServerCall.Listener<ReqT>() {
                 // noop