feat(grpc,quarkus-rest,security): fix app startup for grpc svc with class security

Author: michalvavrik

extensions/resteasy-reactive/rest/runtime/src/main/java/io/quarkus/resteasy/reactive/server/runtime/StandardSecurityCheckInterceptor.java

@@ -16,6 +16,7 @@
 
 import org.jboss.resteasy.reactive.server.core.CurrentRequestManager;
 
+import io.quarkus.arc.Arc;
 import io.quarkus.security.Authenticated;
 import io.quarkus.security.PermissionsAllowed;
 import io.quarkus.security.spi.runtime.AuthorizationController;
@@ -36,7 +37,9 @@ public abstract class StandardSecurityCheckInterceptor {
 
     @AroundInvoke
     public Object intercept(InvocationContext ic) throws Exception {
-        if (controller.isAuthorizationEnabled() && CurrentRequestManager.get() != null
+        if (controller.isAuthorizationEnabled() && Arc.container() != null
+                && Arc.container().requestContext().isActive()
+                && CurrentRequestManager.get() != null
                 && alreadyDoneByEagerSecurityHandler(
                         CurrentRequestManager.get().getProperty(STANDARD_SECURITY_CHECK_INTERCEPTOR), ic.getMethod())) {
             ic.getContextData().put(SECURITY_HANDLER, EXECUTED);

integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/GreeterResource.java

@@ -9,6 +9,9 @@
 import examples.HelloReply;
 import examples.HelloRequest;
 import examples.MutinyGreeterGrpc;
+import examples.MutinySaluterGrpc;
+import examples.SaluteReply;
+import examples.SaluteRequest;
 import io.grpc.Metadata;
 import io.quarkus.grpc.GrpcClient;
 import io.quarkus.grpc.GrpcClientUtils;
@@ -26,6 +29,9 @@ public class GreeterResource {
     @GrpcClient("hello")
     MutinyGreeterGrpc.MutinyGreeterStub helloClient;
 
+    @GrpcClient("saluter")
+    MutinySaluterGrpc.MutinySaluterStub saluterClient;
+
     @Path("bearer")
     @GET
     public Uni<String> sayHello() {
@@ -35,4 +41,13 @@ public Uni<String> sayHello() {
                 .bearer(HelloRequest.newBuilder().setName("Jonathan").build()).map(HelloReply::getMessage);
     }
 
+    @Path("/other/bearer")
+    @GET
+    public Uni<String> sayHi() {
+        Metadata headers = new Metadata();
+        headers.put(AUTHORIZATION, "Bearer " + accessToken.getRawToken());
+        return GrpcClientUtils.attachHeaders(saluterClient, headers)
+                .bearer(SaluteRequest.newBuilder().setName("Jonathan").build()).map(SaluteReply::getMessage);
+    }
+
 }

integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/SaluterServiceImpl.java

@@ -0,0 +1,26 @@
+package io.quarkus.it.keycloak;
+
+import jakarta.annotation.security.RolesAllowed;
+import jakarta.inject.Inject;
+
+import examples.MutinySaluterGrpc;
+import examples.SaluteReply;
+import examples.SaluteRequest;
+import io.quarkus.grpc.GrpcService;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.smallrye.mutiny.Uni;
+
+@RolesAllowed("admin")
+@GrpcService
+public class SaluterServiceImpl extends MutinySaluterGrpc.SaluterImplBase {
+
+    @Inject
+    SecurityIdentity securityIdentity;
+
+    @Override
+    public Uni<SaluteReply> bearer(SaluteRequest request) {
+        var principalName = securityIdentity.getPrincipal().getName();
+        return Uni.createFrom().item(SaluteReply.newBuilder()
+                .setMessage("Hi " + request.getName() + " from " + principalName).build());
+    }
+}

integration-tests/oidc-wiremock/src/main/proto/saluter.proto

@@ -0,0 +1,54 @@
+// Copyright 2015, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+syntax = "proto3";
+
+option java_multiple_files = true;
+option java_package = "examples";
+option java_outer_classname = "SaluterProto";
+option objc_class_prefix = "HLW";
+
+package saluter;
+
+// The greeting service definition.
+service Saluter {
+    // Sends a greeting
+    // Name is 'Bearer' in order to match tenant name
+    rpc bearer (SaluteRequest) returns (SaluteReply) {}
+}
+
+// The request message containing the user's name.
+message SaluteRequest {
+    string name = 1;
+}
+
+// The response message containing the greetings
+message SaluteReply {
+    string message = 1;
+}

integration-tests/oidc-wiremock/src/main/resources/application.properties

@@ -317,6 +317,8 @@ quarkus.native.additional-build-args=-H:IncludeResources=private.*\\.*,-H:Includ
 
 quarkus.grpc.clients.hello.host=localhost
 quarkus.grpc.clients.hello.port=8081
+quarkus.grpc.clients.saluter.host=localhost
+quarkus.grpc.clients.saluter.port=8081
 quarkus.grpc.server.use-separate-server=false
 
 %issuer-based-resolver.quarkus.oidc.bearer-issuer-resolver-a.auth-server-url=http://localhost:8185/auth/realms/quarkus2

integration-tests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java

@@ -742,6 +742,22 @@ public void testGrpcAuthorizationWithBearerToken() {
                 .body(Matchers.containsString("Hello Jonathan from alice"));
     }
 
+    @Test
+    public void testAuthorizationOnGrpcServiceClassLevel() {
+        String token = getAccessToken("alice", Set.of("user"));
+        RestAssured.given().auth().oauth2(token).when()
+                .get("/api/greeter/other/bearer")
+                .then()
+                .statusCode(500);
+
+        token = getAccessToken("alice", Set.of("admin"));
+        RestAssured.given().auth().oauth2(token).when()
+                .get("/api/greeter/other/bearer")
+                .then()
+                .statusCode(200)
+                .body(Matchers.containsString("Hi Jonathan from alice"));
+    }
+
     private static void assertSecurityIdentityAcquired(String tenant, String user, String role) {
         String jsonPath = tenant + "." + user + ".findAll{ it == \"" + role + "\"}.size()";
         RestAssured.given().when().get("/startup-service").then().statusCode(200)