closes #176 + tests

Author: Alexander Furer

README.adoc

@@ -640,6 +640,19 @@ One is possible to plug in your own bespoke authentication provider by implement
 <4> Register your own `AuthenticationProvider` that supports validation of `MyAuthenticationObject`
 <5> Validate provided `authentication` and return validated and *authenticated* `Authentication` object
 
+
+`AuthenticationSchemeSelector` can also be registered by defining Spring bean in your application context:
+
+[source,java]
+----
+@Bean
+public AuthenticationSchemeSelector myCustomSchemeSelector(){
+     return authHeader->{
+         // your logic here
+     };
+}
+----
+
 <<Client side configuration support>> section explains how to pass custom authorization scheme and claim from GRPC client.
 
 === Obtaining Authentication details

grpc-spring-boot-starter-demo/build.gradle

@@ -15,6 +15,7 @@ apply plugin: "nebula.facet"
 
 facets {
     pureNettyTest
+    customSecurityTest
 }
 
 dependencyManagement {
@@ -26,15 +27,24 @@ dependencyManagement {
 configurations.findAll{ cfg ->
     if (cfg.name.startsWith("pureNetty")) {
         cfg.exclude group: 'io.grpc', module: 'grpc-netty-shaded'
-        dependencies.add(cfg.name,"io.grpc:grpc-netty")
-    }
-    if(cfg.name.equals("pureNettyTestCompileClasspath")){
-        cfg.extendsFrom(configurations.getByName("testCompileClasspath"))
+
     }
-    if(cfg.name.equals("pureNettyTestRuntimeClasspath")){
-        cfg.extendsFrom(configurations.getByName("testRuntimeClasspath"))
+
+    if (cfg.name.startsWith("customSecurity")) {
+        cfg.exclude group: 'org.springframework.security', module: 'spring-security-oauth2-resource-server'
+        cfg.exclude group: 'org.springframework.security', module: 'spring-security-oauth2-jose'
     }
 
+
+}
+
+
+configurations {
+    pureNettyTestCompile.extendsFrom( testCompile)
+    pureNettyTestRuntime.extendsFrom(testRuntime)
+
+    customSecurityTestCompile.extendsFrom( testCompile)
+    customSecurityTestRuntime.extendsFrom(testRuntime)
 }
 
 
@@ -70,7 +80,10 @@ dependencies {
 
     testImplementation 'org.mockito:mockito-core:2.23.0'
 
+    customSecurityTestCompile  sourceSets.test.output
 
+    pureNettyTestCompile sourceSets.test.output
+    pureNettyTestCompile "io.grpc:grpc-netty"
     //testCompile  "org.testcontainers:junit-jupiter:1.14.3"
 
 

grpc-spring-boot-starter-demo/src/customSecurityTest/java/org/lognet/springboot/grpc/auth/CustomSecurityTest.java

@@ -0,0 +1,101 @@
+package org.lognet.springboot.grpc.auth;
+
+import com.google.protobuf.Empty;
+import io.grpc.Status;
+import io.grpc.StatusRuntimeException;
+import io.grpc.examples.SecuredGreeterGrpc;
+import org.hamcrest.Matchers;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.lognet.springboot.grpc.GrpcServerTestBase;
+import org.lognet.springboot.grpc.demo.DemoApp;
+import org.lognet.springboot.grpc.security.AuthCallCredentials;
+import org.lognet.springboot.grpc.security.AuthHeader;
+import org.lognet.springboot.grpc.security.EnableGrpcSecurity;
+import org.lognet.springboot.grpc.security.GrpcSecurity;
+import org.lognet.springboot.grpc.security.GrpcSecurityConfigurerAdapter;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.context.TestConfiguration;
+import org.springframework.context.annotation.Import;
+import org.springframework.security.authentication.TestingAuthenticationProvider;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import java.nio.ByteBuffer;
+import java.util.Optional;
+import java.util.concurrent.ExecutionException;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.Assert.assertNotNull;
+
+import static org.junit.Assert.assertThrows;
+import static org.junit.Assert.assertTrue;
+import static org.springframework.boot.test.context.SpringBootTest.WebEnvironment.NONE;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(classes = {DemoApp.class}, webEnvironment = NONE)
+@Import(CustomSecurityTest.TestConfig.class)
+public class CustomSecurityTest extends GrpcServerTestBase {
+    private final static String MY_CUSTOM_SCHEME_NAME = "custom";
+
+    @TestConfiguration
+    static class TestConfig {
+
+        @EnableGrpcSecurity
+        public class DemoGrpcSecurityConfig extends GrpcSecurityConfigurerAdapter {
+
+
+            @Override
+            public void configure(GrpcSecurity builder) throws Exception {
+
+
+                builder.authorizeRequests()
+                        .withSecuredAnnotation()
+                        .authenticationSchemeSelector(scheme ->
+                                Optional.of(scheme.toString())
+                                        .filter(s -> s.startsWith(MY_CUSTOM_SCHEME_NAME))
+                                        .map(s -> s.substring(MY_CUSTOM_SCHEME_NAME.length() + 1))
+                                        .map(token -> {
+                                            final String[] chunks = token.split("#");
+                                            return new TestingAuthenticationToken(token.split("#")[0], null, "SCOPE_" + chunks[1]);
+                                        })
+                        )
+                        .authenticationProvider(new TestingAuthenticationProvider());
+            }
+
+
+        }
+
+    }
+
+
+    @Test
+    public void customSchemeTest() throws ExecutionException, InterruptedException {
+        String userName = "userToken1";
+        String reply = invoke(userName, "profile");
+        assertNotNull("Reply should not be null", reply);
+        assertTrue(String.format("Reply should contain name '%s'", userName), reply.contains(userName));
+    }
+
+    @Test
+    public void customSchemeAccessDeniedTest() {
+
+        final StatusRuntimeException e = assertThrows(StatusRuntimeException.class,
+                () -> invoke("userToken1", "deniedProfile")
+        );
+        assertThat(e.getStatus().getCode(), Matchers.is(Status.Code.PERMISSION_DENIED));
+
+    }
+
+    private String invoke(String userName, String authority)  {
+        AuthCallCredentials callCredentials = new AuthCallCredentials(
+                AuthHeader.builder().authScheme(MY_CUSTOM_SCHEME_NAME).tokenSupplier(() ->
+                        ByteBuffer.wrap(String.format("%s#%s", userName, authority).getBytes()))
+        );
+
+        return SecuredGreeterGrpc.newBlockingStub(getChannel())
+                .withCallCredentials(callCredentials)
+                .sayAuthHello2(Empty.newBuilder().build()).getMessage();
+    }
+}

grpc-spring-boot-starter-demo/src/main/java/org/lognet/springboot/grpc/demo/SecuredGreeterService.java

@@ -24,9 +24,18 @@ public void sayAuthHello(Empty request, StreamObserver<GreeterOuterClass.HelloRe
             user = JwtAuthenticationToken.class.cast(auth).getTokenAttributes().get("preferred_username").toString();
         }
 
+        reply(user,responseObserver);
+    }
+
+    @Override
+    public void sayAuthHello2(Empty request, StreamObserver<GreeterOuterClass.HelloReply> responseObserver) {
+        reply(GrpcSecurity.AUTHENTICATION_CONTEXT_KEY.get().getName(),responseObserver);
+    }
+
+    private void reply(String userName,StreamObserver<GreeterOuterClass.HelloReply> responseObserver){
         responseObserver.onNext(GreeterOuterClass.HelloReply
                 .newBuilder()
-                .setMessage(user)
+                .setMessage(userName)
                 .build());
         responseObserver.onCompleted();
     }

grpc-spring-boot-starter-demo/src/main/proto/greeter.proto

@@ -16,6 +16,7 @@ service Greeter {
 }
 service SecuredGreeter {
     rpc SayAuthHello ( google.protobuf.Empty) returns (  HelloReply) {}
+    rpc SayAuthHello2 ( google.protobuf.Empty) returns (  HelloReply) {}
 
 }
 

grpc-spring-boot-starter-demo/src/main/protoGen/io/grpc/examples/GreeterOuterClass.java

@@ -45,6 +45,37 @@ io.grpc.examples.GreeterOuterClass.HelloReply> getSayAuthHelloMethod() {
     return getSayAuthHelloMethod;
   }
 
+  private static volatile io.grpc.MethodDescriptor<com.google.protobuf.Empty,
+      io.grpc.examples.GreeterOuterClass.HelloReply> getSayAuthHello2Method;
+
+  @io.grpc.stub.annotations.RpcMethod(
+      fullMethodName = SERVICE_NAME + '/' + "SayAuthHello2",
+      requestType = com.google.protobuf.Empty.class,
+      responseType = io.grpc.examples.GreeterOuterClass.HelloReply.class,
+      methodType = io.grpc.MethodDescriptor.MethodType.UNARY)
+  public static io.grpc.MethodDescriptor<com.google.protobuf.Empty,
+      io.grpc.examples.GreeterOuterClass.HelloReply> getSayAuthHello2Method() {
+    io.grpc.MethodDescriptor<com.google.protobuf.Empty, io.grpc.examples.GreeterOuterClass.HelloReply> getSayAuthHello2Method;
+    if ((getSayAuthHello2Method = SecuredGreeterGrpc.getSayAuthHello2Method) == null) {
+      synchronized (SecuredGreeterGrpc.class) {
+        if ((getSayAuthHello2Method = SecuredGreeterGrpc.getSayAuthHello2Method) == null) {
+          SecuredGreeterGrpc.getSayAuthHello2Method = getSayAuthHello2Method =
+              io.grpc.MethodDescriptor.<com.google.protobuf.Empty, io.grpc.examples.GreeterOuterClass.HelloReply>newBuilder()
+              .setType(io.grpc.MethodDescriptor.MethodType.UNARY)
+              .setFullMethodName(generateFullMethodName(SERVICE_NAME, "SayAuthHello2"))
+              .setSampledToLocalTracing(true)
+              .setRequestMarshaller(io.grpc.protobuf.ProtoUtils.marshaller(
+                  com.google.protobuf.Empty.getDefaultInstance()))
+              .setResponseMarshaller(io.grpc.protobuf.ProtoUtils.marshaller(
+                  io.grpc.examples.GreeterOuterClass.HelloReply.getDefaultInstance()))
+              .setSchemaDescriptor(new SecuredGreeterMethodDescriptorSupplier("SayAuthHello2"))
+              .build();
+        }
+      }
+    }
+    return getSayAuthHello2Method;
+  }
+
   /**
    * Creates a new async stub that supports all call types for the service
    */
@@ -100,6 +131,13 @@ public void sayAuthHello(com.google.protobuf.Empty request,
       io.grpc.stub.ServerCalls.asyncUnimplementedUnaryCall(getSayAuthHelloMethod(), responseObserver);
     }
 
+    /**
+     */
+    public void sayAuthHello2(com.google.protobuf.Empty request,
+        io.grpc.stub.StreamObserver<io.grpc.examples.GreeterOuterClass.HelloReply> responseObserver) {
+      io.grpc.stub.ServerCalls.asyncUnimplementedUnaryCall(getSayAuthHello2Method(), responseObserver);
+    }
+
     @java.lang.Override public final io.grpc.ServerServiceDefinition bindService() {
       return io.grpc.ServerServiceDefinition.builder(getServiceDescriptor())
           .addMethod(
@@ -109,6 +147,13 @@ public void sayAuthHello(com.google.protobuf.Empty request,
                 com.google.protobuf.Empty,
                 io.grpc.examples.GreeterOuterClass.HelloReply>(
                   this, METHODID_SAY_AUTH_HELLO)))
+          .addMethod(
+            getSayAuthHello2Method(),
+            io.grpc.stub.ServerCalls.asyncUnaryCall(
+              new MethodHandlers<
+                com.google.protobuf.Empty,
+                io.grpc.examples.GreeterOuterClass.HelloReply>(
+                  this, METHODID_SAY_AUTH_HELLO2)))
           .build();
     }
   }
@@ -134,6 +179,14 @@ public void sayAuthHello(com.google.protobuf.Empty request,
       io.grpc.stub.ClientCalls.asyncUnaryCall(
           getChannel().newCall(getSayAuthHelloMethod(), getCallOptions()), request, responseObserver);
     }
+
+    /**
+     */
+    public void sayAuthHello2(com.google.protobuf.Empty request,
+        io.grpc.stub.StreamObserver<io.grpc.examples.GreeterOuterClass.HelloReply> responseObserver) {
+      io.grpc.stub.ClientCalls.asyncUnaryCall(
+          getChannel().newCall(getSayAuthHello2Method(), getCallOptions()), request, responseObserver);
+    }
   }
 
   /**
@@ -156,6 +209,13 @@ public io.grpc.examples.GreeterOuterClass.HelloReply sayAuthHello(com.google.pro
       return io.grpc.stub.ClientCalls.blockingUnaryCall(
           getChannel(), getSayAuthHelloMethod(), getCallOptions(), request);
     }
+
+    /**
+     */
+    public io.grpc.examples.GreeterOuterClass.HelloReply sayAuthHello2(com.google.protobuf.Empty request) {
+      return io.grpc.stub.ClientCalls.blockingUnaryCall(
+          getChannel(), getSayAuthHello2Method(), getCallOptions(), request);
+    }
   }
 
   /**
@@ -179,9 +239,18 @@ public com.google.common.util.concurrent.ListenableFuture<io.grpc.examples.Greet
       return io.grpc.stub.ClientCalls.futureUnaryCall(
           getChannel().newCall(getSayAuthHelloMethod(), getCallOptions()), request);
     }
+
+    /**
+     */
+    public com.google.common.util.concurrent.ListenableFuture<io.grpc.examples.GreeterOuterClass.HelloReply> sayAuthHello2(
+        com.google.protobuf.Empty request) {
+      return io.grpc.stub.ClientCalls.futureUnaryCall(
+          getChannel().newCall(getSayAuthHello2Method(), getCallOptions()), request);
+    }
   }
 
   private static final int METHODID_SAY_AUTH_HELLO = 0;
+  private static final int METHODID_SAY_AUTH_HELLO2 = 1;
 
   private static final class MethodHandlers<Req, Resp> implements
       io.grpc.stub.ServerCalls.UnaryMethod<Req, Resp>,
@@ -204,6 +273,10 @@ public void invoke(Req request, io.grpc.stub.StreamObserver<Resp> responseObserv
           serviceImpl.sayAuthHello((com.google.protobuf.Empty) request,
               (io.grpc.stub.StreamObserver<io.grpc.examples.GreeterOuterClass.HelloReply>) responseObserver);
           break;
+        case METHODID_SAY_AUTH_HELLO2:
+          serviceImpl.sayAuthHello2((com.google.protobuf.Empty) request,
+              (io.grpc.stub.StreamObserver<io.grpc.examples.GreeterOuterClass.HelloReply>) responseObserver);
+          break;
         default:
           throw new AssertionError();
       }
@@ -266,6 +339,7 @@ public static io.grpc.ServiceDescriptor getServiceDescriptor() {
           serviceDescriptor = result = io.grpc.ServiceDescriptor.newBuilder(SERVICE_NAME)
               .setSchemaDescriptor(new SecuredGreeterFileDescriptorSupplier())
               .addMethod(getSayAuthHelloMethod())
+              .addMethod(getSayAuthHello2Method())
               .build();
         }
       }