Created a client wrapper to make it easier to work with (#96)

Created a client wrapper to make it easier to work with - can be retrieved via jitpack
Use Dispatchers IO as thread dispatcher for client
Added authentication to gRpc server and client
Added okhttp as gprc channel provider
navikt/dagpenger#406

Author: geiralund

.github/workflows/dp-inntekt-grpc-build.yml

@@ -0,0 +1,64 @@
+name: Build and deploy dp-inntekt-grpc
+
+on:
+  push:
+    paths:
+      - 'dp-inntekt-grpc/**'
+
+
+jobs:
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v1
+      - name: Set up Java 12
+        uses: actions/setup-java@v1
+        with:
+          java-version: '13.x'
+      - name: Cache gradle dependencies
+        uses: actions/cache@v1
+        with:
+          path: ~/.gradle/caches
+          key: ${{ runner.os }}-gradle-${{ hashFiles('dp-inntekt-grpc/build.gradle.kts') }}-${{ hashFiles('buildSrc/src/main/kotlin/Constants.kt') }}
+          restore-keys: |
+            ${{ runner.os }}-gradle-
+      - name: Build with Gradle
+        run: ./gradlew :dp-inntekt-grpc:build
+
+
+  release:
+    name: Create Release
+    needs: build
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/master' && !contains(github.event.head_commit.message, 'ci skip')
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v1
+      - name: Set release tag
+        run: |
+          export TAG_NAME="$(TZ="Europe/Oslo" date +%Y.%m.%d-%H.%M).$(echo $GITHUB_SHA | cut -c 1-12)"
+          echo "::set-env name=RELEASE_TAG::$TAG_NAME"
+      - name: Set changelog
+        # (Escape newlines see https://github.com/actions/create-release/issues/25)
+        run: |
+          text="$(git --no-pager log $(git describe --tags --abbrev=0)..HEAD --pretty=format:"%h %s")"
+          text="${text//$'%'/%25}"
+          text="${text//$'\n'/%0A}"
+          text="${text//$'\r'/%0D}"
+          echo "::set-env name=CHANGELOG::$text"
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@latest
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ env.RELEASE_TAG }}
+          release_name: ${{ env.RELEASE_TAG }}
+          body: |
+            Changes in this Release
+            ${{ env.CHANGELOG }}
+          draft: false
+          prerelease: false

build.gradle.kts

@@ -8,11 +8,6 @@ plugins {
 
 val grpcVersion = "1.27.2"
 
-repositories {
-    jcenter()
-    maven("https://jitpack.io")
-}
-
 allprojects {
     group = "no.nav.dagpenger"
 
@@ -73,6 +68,11 @@ allprojects {
     tasks.named("jar") {
         dependsOn("test")
     }
+
+    repositories {
+        jcenter()
+        maven("https://jitpack.io")
+    }
 }
 
 subprojects {

dp-inntekt-api/src/main/kotlin/no/nav/dagpenger/inntekt/InntektApi.kt

@@ -64,7 +64,7 @@ import org.slf4j.event.Level
 
 private val LOGGER = KotlinLogging.logger {}
 private val sikkerLogg = KotlinLogging.logger("tjenestekall")
-val config = Configuration()
+private val config = Configuration()
 
 fun main() = runBlocking {
 
@@ -74,8 +74,7 @@ fun main() = runBlocking {
         .rateLimited(10, 1, TimeUnit.MINUTES)
         .build()
 
-    val apiKeyVerifier = ApiKeyVerifier(config.application.apiSecret)
-    val allowedApiKeys = config.application.allowedApiKeys
+    val authApiKeyVerifier = AuthApiKeyVerifier(ApiKeyVerifier(config.application.apiSecret), config.application.allowedApiKeys)
 
     val dataSource = dataSourceFrom(config)
     val postgresInntektStore = PostgresInntektStore(dataSource)
@@ -86,7 +85,7 @@ fun main() = runBlocking {
         listen()
     }
 
-    val gRpcServer = InntektGrpcServer(port = 50051, inntektStore = postgresInntektStore)
+    val gRpcServer = InntektGrpcServer(port = 50051, inntektStore = postgresInntektStore, apiKeyVerifier = authApiKeyVerifier)
 
     launch {
         gRpcServer.start()
@@ -120,7 +119,7 @@ fun main() = runBlocking {
             postgresInntektStore,
             cachedInntektsGetter,
             oppslagClient,
-            AuthApiKeyVerifier(apiKeyVerifier, allowedApiKeys),
+            authApiKeyVerifier,
             jwkProvider,
             listOf(
                 postgresInntektStore as HealthCheck,

dp-inntekt-api/src/main/kotlin/no/nav/dagpenger/inntekt/rpc/InntektGrpcServer.kt

@@ -1,25 +1,35 @@
 package no.nav.dagpenger.inntekt.rpc
 
+import com.squareup.moshi.JsonAdapter
+import io.grpc.Metadata
 import io.grpc.Server
 import io.grpc.ServerBuilder
+import io.grpc.ServerCall
+import io.grpc.ServerCallHandler
+import io.grpc.ServerInterceptor
 import io.grpc.Status
 import io.grpc.StatusException
+import io.grpc.StatusRuntimeException
 import mu.KotlinLogging
 import no.nav.dagpenger.events.inntekt.v1.SpesifisertInntekt
+import no.nav.dagpenger.inntekt.AuthApiKeyVerifier
 import no.nav.dagpenger.inntekt.db.IllegalInntektIdException
 import no.nav.dagpenger.inntekt.db.InntektNotFoundException
 import no.nav.dagpenger.inntekt.db.InntektStore
 import no.nav.dagpenger.inntekt.moshiInstance
 
-internal class InntektGrpcServer(private val port: Int, inntektStore: InntektStore) {
-
-    companion object {
-        private val logger = KotlinLogging.logger {}
-    }
+private val logger = KotlinLogging.logger {}
+internal class InntektGrpcServer(
+    private val port: Int,
+    private val apiKeyVerifier: AuthApiKeyVerifier,
+    private val inntektStore: InntektStore
+) {
+    private val inntektGrpcApi = InntektGrpcApi(inntektStore).bindService()
 
     private val server: Server = ServerBuilder
         .forPort(port)
-        .addService(InntektGrpcApi(inntektStore))
+        .addService(inntektGrpcApi)
+        .intercept(ApiKeyServerInterceptor(apiKeyVerifier))
         .build()
 
     fun start() {
@@ -43,9 +53,30 @@ internal class InntektGrpcServer(private val port: Int, inntektStore: InntektSto
     }
 }
 
+internal class ApiKeyServerInterceptor(private val apiKeyVerifier: AuthApiKeyVerifier) : ServerInterceptor {
+
+    companion object {
+        private val API_KEY_HEADER: Metadata.Key<String> =
+            Metadata.Key.of("x-api-key", Metadata.ASCII_STRING_MARSHALLER)
+    }
+
+    override fun <ReqT : Any?, RespT : Any?> interceptCall(
+        call: ServerCall<ReqT, RespT>,
+        headers: Metadata,
+        next: ServerCallHandler<ReqT, RespT>
+    ): ServerCall.Listener<ReqT> {
+        val authenticated = headers.get(API_KEY_HEADER)?.let { apiKeyVerifier.verify(it) } ?: false
+        if (!authenticated) {
+            logger.warn { "gRpc call not authenticated" }
+            throw StatusRuntimeException(Status.UNAUTHENTICATED)
+        }
+        return next.startCall(call, headers)
+    }
+}
+
 internal class InntektGrpcApi(private val inntektStore: InntektStore) : SpesifisertInntektHenterGrpcKt.SpesifisertInntektHenterCoroutineImplBase() {
     companion object {
-        val spesifisertInntektAdapter = moshiInstance.adapter(SpesifisertInntekt::class.java)
+        val spesifisertInntektAdapter: JsonAdapter<SpesifisertInntekt> = moshiInstance.adapter(SpesifisertInntekt::class.java)
     }
 
     override suspend fun hentSpesifisertInntektAsJson(request: InntektId): SpesifisertInntektAsJson {

dp-inntekt-api/src/test/kotlin/no/nav/dagpenger/inntekt/rpc/InntektGrpcApiTest.kt

@@ -1,21 +1,30 @@
 package no.nav.dagpenger.inntekt.rpc
 
 import de.huxhorn.sulky.ulid.ULID
+import io.grpc.Metadata
+import io.grpc.Metadata.ASCII_STRING_MARSHALLER
+import io.grpc.ServerCall
+import io.grpc.ServerCallHandler
 import io.grpc.Status
+import io.grpc.Status.UNAUTHENTICATED
 import io.grpc.StatusException
+import io.grpc.StatusRuntimeException
 import io.kotest.matchers.shouldBe
 import io.kotest.matchers.shouldNotBe
 import io.mockk.every
 import io.mockk.mockk
+import io.mockk.verify
 import java.time.LocalDateTime
 import java.time.YearMonth
 import kotlinx.coroutines.runBlocking
 import no.nav.dagpenger.events.inntekt.v1.Aktør
 import no.nav.dagpenger.events.inntekt.v1.AktørType
 import no.nav.dagpenger.events.inntekt.v1.SpesifisertInntekt
+import no.nav.dagpenger.inntekt.AuthApiKeyVerifier
 import no.nav.dagpenger.inntekt.db.InntektNotFoundException
 import no.nav.dagpenger.inntekt.db.InntektStore
 import no.nav.dagpenger.inntekt.moshiInstance
+import no.nav.dagpenger.ktor.auth.ApiKeyVerifier
 import org.junit.Test
 import org.junit.jupiter.api.assertThrows
 
@@ -74,3 +83,37 @@ internal class InntektGrpcApiTest : GrpcTest() {
         spesifisertInntekt shouldBe spesifisertInntektResponse
     }
 }
+
+internal class ApiKeyServerInterceptorTest {
+
+    @Test
+    fun ` Should throw authenticated exception if no api key present `() {
+        val verifier = AuthApiKeyVerifier(ApiKeyVerifier("secret"), listOf("client"))
+        val apiKeyServerInterceptor = ApiKeyServerInterceptor(verifier)
+
+        val mockedServerCall = mockk<ServerCall<Any, Any>>(relaxed = true)
+        val headers = Metadata()
+        val mockedServerCallHandler = mockk<ServerCallHandler<Any, Any>>(relaxed = true)
+
+        val exc = assertThrows<StatusRuntimeException> { apiKeyServerInterceptor.interceptCall(mockedServerCall, headers, mockedServerCallHandler) }
+        exc.status.code shouldBe UNAUTHENTICATED.code
+
+        verify(exactly = 0) { mockedServerCallHandler.startCall(mockedServerCall, headers) }
+    }
+
+    @Test
+    fun ` Should forward authenticated calls `() {
+        val keyVerifier = ApiKeyVerifier("secret")
+        val apiVerifier = AuthApiKeyVerifier(keyVerifier, listOf("client"))
+        val apiKeyServerInterceptor = ApiKeyServerInterceptor(apiVerifier)
+
+        val mockedServerCall = mockk<ServerCall<Any, Any>>(relaxed = true)
+        val headers = Metadata()
+        headers.put(Metadata.Key.of("x-api-key", ASCII_STRING_MARSHALLER), keyVerifier.generate("client"))
+        val mockedServerCallHandler = mockk<ServerCallHandler<Any, Any>>(relaxed = true)
+
+        apiKeyServerInterceptor.interceptCall(mockedServerCall, headers, mockedServerCallHandler)
+
+        verify(exactly = 1) { mockedServerCallHandler.startCall(mockedServerCall, headers) }
+    }
+}

dp-inntekt-grpc/build.gradle.kts

@@ -8,10 +8,15 @@ val protobufGradleVersion = "0.8.12"
 plugins {
     kotlin("jvm")
     id("com.google.protobuf") version "0.8.12"
+    `java-library`
+    `maven-publish`
 }
 
 apply(plugin = "com.google.protobuf")
 
+group = "com.github.navikt"
+version = "1.0-SNAPSHOT"
+
 // To get intellij to make sense of generated sources
 java {
     val mainJavaSourceSet: SourceDirectorySet = sourceSets.getByName("main").java
@@ -21,19 +26,38 @@ java {
 
 dependencies {
     implementation(kotlin("stdlib-jdk8"))
+
     // Grpc and Protobuf
     protobuf(files("src/proto/"))
     implementation("com.google.protobuf:protobuf-gradle-plugin:$protobufGradleVersion")
     api("io.grpc:grpc-api:$grpcVersion")
     api("io.grpc:grpc-protobuf:$grpcVersion")
     api("io.grpc:grpc-stub:$grpcVersion")
     api("io.grpc:grpc-kotlin-stub:$grpcKotlinVersion")
+    implementation("io.grpc:grpc-okhttp:$grpcVersion")
 
     if (JavaVersion.current().isJava9Compatible) {
         // Workaround for @javax.annotation.Generated
         // see: https://github.com/grpc/grpc-java/issues/3633
         compileOnly("javax.annotation:javax.annotation-api:1.3.2")
     }
+
+    //
+    implementation(Kotlin.Coroutines.module("core"))
+
+    // events
+    implementation(Dagpenger.Events)
+    implementation(Moshi.moshi)
+
+    // api key verifier
+    implementation(Dagpenger.Biblioteker.ktorUtils)
+
+    // test
+    testImplementation("io.grpc:grpc-testing:$grpcVersion")
+    testImplementation(Junit5.api)
+    testRuntimeOnly(Junit5.engine)
+    testRuntimeOnly(Junit5.vintageEngine)
+    testImplementation(KoTest.assertions)
 }
 
 // Could not resolve all files for configuration ':protomodule:compileProtoPath' bug