grpc security config fixes

Author: Alexander Furer

grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/auth/DefaultAuthConfigTest.java

@@ -30,10 +30,14 @@ static class TestCfg  extends GrpcSecurityConfigurerAdapter {
 
     }
 
+    public DefaultAuthConfigTest() {
+        super(false);
+    }
+
     @Test
     public void securedServiceTest() {
 
-        final SecuredGreeterGrpc.SecuredGreeterBlockingStub   securedFutureStub = SecuredGreeterGrpc.newBlockingStub(selectedChanel);
+        final SecuredGreeterGrpc.SecuredGreeterBlockingStub   securedFutureStub = SecuredGreeterGrpc.newBlockingStub(getChannel(true));
 
         final String reply = securedFutureStub.sayAuthHello(Empty.getDefaultInstance()).getMessage();
         assertNotNull("Reply should not be null",reply);

grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/auth/JwtAuthBaseTest.java

@@ -37,15 +37,22 @@ public JwtAuthBaseTest() {
 
     @Override
     protected Channel getChannel() {
-        final AuthClientInterceptor clientInterceptor = new AuthClientInterceptor(
-                AuthHeader.builder().bearer().tokenSupplier(this::generateToken));
-        return globalSecuredChannel ? ClientInterceptors.intercept(super.getChannel(), clientInterceptor)
-                : super.getChannel();
+        return getChannel(globalSecuredChannel);
+
     }
+    protected Channel getChannel(boolean authenticated){
+            return authenticated ? ClientInterceptors.intercept(super.getChannel(), getAuthClientInterceptor())
+                    : super.getChannel();
 
+    }
     protected final static String USER_NAME = "keycloak-test";
 
 
+    protected   AuthClientInterceptor getAuthClientInterceptor() {
+        return new AuthClientInterceptor(
+                AuthHeader.builder().bearer().tokenSupplier(this::generateToken));
+    }
+
     protected ByteBuffer generateToken() {
         if (authServerUrl.isEmpty()) {
             return ByteBuffer.wrap(UUID.randomUUID().toString().getBytes());

grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/auth/JwtRoleTest.java

@@ -55,8 +55,6 @@ public class DemoGrpcSecurityConfig extends GrpcSecurityConfigurerAdapter {
 
             @Override
             public void configure(GrpcSecurity builder) throws Exception {
-
-                super.configure(builder);
                 builder.authorizeRequests()
                         .methods(GreeterGrpc.getSayHelloMethod()).hasAnyRole("reader")
                         .methods(CalculatorGrpc.getCalculateMethod()).hasAnyRole("anotherRole")
@@ -146,4 +144,5 @@ public void shouldFail() {
 
     }
 
+
 }

grpc-spring-boot-starter/src/main/java/org/lognet/springboot/grpc/security/AuthenticationSchemeService.java

@@ -23,11 +23,11 @@ public Optional<Authentication> getAuthScheme(CharSequence authorization) {
                 .collect(Collectors.toList());
         switch (auth.size()){
             case 0:
-                throw  new IllegalStateException("Authentication scheme not supported");
+                throw  new IllegalStateException("Authentication scheme" +authorization.toString() +"not supported");
             case 1 :
                 return Optional.of(auth.get(0));
             default:
-                throw  new IllegalStateException("Ambiguous authentication scheme");
+                throw  new IllegalStateException("Ambiguous authentication scheme "+authorization.toString());
         }
     }
 

grpc-spring-boot-starter/src/main/java/org/lognet/springboot/grpc/security/GrpcServiceAuthorizationConfigurer.java

@@ -3,6 +3,7 @@
 import io.grpc.BindableService;
 import io.grpc.MethodDescriptor;
 import io.grpc.ServerInterceptor;
+import io.grpc.ServerMethodDefinition;
 import io.grpc.ServerServiceDefinition;
 import io.grpc.ServiceDescriptor;
 import org.springframework.context.ApplicationContext;
@@ -115,24 +116,17 @@ public GrpcSecurity withSecuredAnnotation() {
                     }
                 }
                 // method level security
-                serverServiceDefinition.getMethods()
-                        .stream()
-                        .map(methodDefinition -> Stream.of(service.getClass().getMethods()) // get method from methodDefinition
-                                .filter(m -> {
-                                    final String methodName = methodDefinition.getMethodDescriptor().getFullMethodName().substring(methodDefinition.getMethodDescriptor().getServiceName().length() + 1);
-                                    return methodName.equalsIgnoreCase(m.getName());
-                                })
-                                .findFirst()
-                        )
-                        .filter(Optional::isPresent)
-                        .map(Optional::get)
-                        .map(m ->Optional.ofNullable(AnnotationUtils.findAnnotation(m, Secured.class)))
-                        .filter(Optional::isPresent)
-                        .forEach(secured ->
-                                new AuthorizedMethod(serverServiceDefinition.getServiceDescriptor())
-                                        .hasAnyAuthority(secured.get().value())
-
-                        );
+                for(ServerMethodDefinition<?,?> methodDefinition :serverServiceDefinition.getMethods()){
+                     Stream.of(service.getClass().getMethods()) // get method from methodDefinition
+                            .filter(m -> {
+                                final String methodName = methodDefinition.getMethodDescriptor().getFullMethodName().substring(methodDefinition.getMethodDescriptor().getServiceName().length() + 1);
+                                return methodName.equalsIgnoreCase(m.getName());
+                            })
+                            .findFirst()
+                            .flatMap(m->Optional.ofNullable(AnnotationUtils.findAnnotation(m, Secured.class)))
+                            .ifPresent(secured -> new AuthorizedMethod(methodDefinition.getMethodDescriptor()) .hasAnyAuthority(secured.value()));
+
+                }
             }
             return and();
         }