fix(grpc,security): Improve security error handling

Author: michalvavrik

extensions/grpc/deployment/src/main/java/io/quarkus/grpc/deployment/GrpcServerProcessor.java

@@ -719,6 +719,9 @@ ServiceStartBuildItem initializeServer(GrpcServerRecorder recorder,
                             .filter(filter -> filter.getPriority() == FilterBuildItem.AUTHENTICATION
                                     || filter.getPriority() == FilterBuildItem.AUTHORIZATION)
                             .collect(Collectors.toMap(f -> f.getPriority() * -1, FilterBuildItem::getHandler));
+                    // for the moment being, the main router doesn't have QuarkusErrorHandler, but we need to make
+                    // sure that exceptions raised during proactive authentication or HTTP authorization are handled
+                    recorder.addMainRouterErrorHandlerIfSameServer(routerRuntimeValue, config);
                 }
             } else {
                 routerRuntimeValue = routerBuildItem.getHttpRouter();

extensions/grpc/deployment/src/test/java/io/quarkus/grpc/auth/BasicGrpcSecurityMechanism.java

@@ -31,6 +31,10 @@ public AuthenticationRequest createAuthenticationRequest(Metadata metadata) {
             String userName = plainChallenge.substring(0, colonPos);
             char[] password = plainChallenge.substring(colonPos + 1).toCharArray();
             return new UsernamePasswordAuthenticationRequest(userName, new PasswordCredential(password));
+        } else if (!plainChallenge.isEmpty()) {
+            // this is illegal argument exception because ATM when Basic HTTP Auth mechanism doesn't throw auth exception
+            // for the same credentials, so let's simulate the same situation in this test
+            throw new IllegalArgumentException("Empty authentication request");
         } else {
             return null;
         }

extensions/grpc/deployment/src/test/java/io/quarkus/grpc/auth/GrpcAuthTestBase.java

@@ -20,6 +20,7 @@
 import jakarta.annotation.security.RolesAllowed;
 import jakarta.inject.Inject;
 
+import org.awaitility.Awaitility;
 import org.jboss.shrinkwrap.api.ShrinkWrap;
 import org.jboss.shrinkwrap.api.asset.StringAsset;
 import org.jboss.shrinkwrap.api.spec.JavaArchive;
@@ -31,11 +32,15 @@
 import com.example.security.Security;
 
 import io.grpc.Metadata;
+import io.grpc.Status;
+import io.grpc.StatusRuntimeException;
 import io.quarkus.grpc.GrpcClient;
 import io.quarkus.grpc.GrpcClientUtils;
 import io.quarkus.grpc.GrpcService;
+import io.quarkus.security.AuthenticationFailedException;
 import io.quarkus.security.UnauthorizedException;
 import io.quarkus.security.runtime.interceptor.check.RolesAllowedCheck;
+import io.quarkus.security.spi.runtime.AuthenticationFailureEvent;
 import io.quarkus.security.spi.runtime.AuthenticationSuccessEvent;
 import io.quarkus.security.spi.runtime.AuthorizationFailureEvent;
 import io.quarkus.security.spi.runtime.AuthorizationSuccessEvent;
@@ -107,6 +112,37 @@ void shouldSecureUniEndpoint() {
         assertSecurityEventsFired("john");
     }
 
+    @Test
+    void shouldHandleAuthenticationFailure() {
+        Metadata headers = new Metadata();
+        headers.put(AUTHORIZATION, "Basic wrongcredentials");
+        SecuredService client = GrpcClientUtils.attachHeaders(securityClient, headers);
+        AtomicInteger authenticationFailedCount = new AtomicInteger();
+        client.unaryCall(Security.Container.newBuilder().setText("woo-hoo").build())
+                .subscribe().with(ti -> {
+                }, error -> {
+                    if (error instanceof StatusRuntimeException statusException) {
+                        if (Status.UNAUTHENTICATED.getCode().equals(statusException.getStatus().getCode())) {
+                            authenticationFailedCount.incrementAndGet();
+                        } else {
+                            Assertions.fail("Expected unauthenticated response status, got " + statusException.getStatus());
+                        }
+                    } else {
+                        Assertions.fail("Expected 'StatusRuntimeException' exception, got " + error);
+                    }
+                });
+
+        await().atMost(10, TimeUnit.SECONDS).until(() -> authenticationFailedCount.get() == 1);
+        Awaitility.await().atMost(10, TimeUnit.SECONDS).untilAsserted(() -> {
+            AuthenticationFailureEvent authFailureEvent = securityEventObserver.getStorage().stream()
+                    .filter(e -> e instanceof AuthenticationFailureEvent)
+                    .map(e -> (AuthenticationFailureEvent) e)
+                    .findFirst().orElse(null);
+            Assertions.assertNotNull(authFailureEvent);
+            Assertions.assertInstanceOf(AuthenticationFailedException.class, authFailureEvent.getAuthenticationFailure());
+        });
+    }
+
     @Test
     void shouldSecureBlockingUniEndpoint() {
         Metadata headers = new Metadata();
@@ -192,6 +228,8 @@ void shouldFailWithInvalidInsufficientRole() {
 
         await().atMost(10, TimeUnit.SECONDS)
                 .until(() -> error.get() != null);
+        StatusRuntimeException statusRuntimeException = (StatusRuntimeException) error.get();
+        Assertions.assertEquals(Status.PERMISSION_DENIED, statusRuntimeException.getStatus());
 
         // we don't check exact count as HTTP Security policies are not supported when gRPC is running on separate server
         assertFalse(securityEventObserver.getStorage().isEmpty());

extensions/grpc/deployment/src/test/java/io/quarkus/grpc/auth/GrpcAuthCustomRootPathTest.java renamed to extensions/grpc/deployment/src/test/java/io/quarkus/grpc/auth/GrpcEagerAuthCustomRootPathTest.java

@@ -4,7 +4,7 @@
 
 import io.quarkus.test.QuarkusUnitTest;
 
-public class GrpcAuthCustomRootPathTest extends GrpcAuthTestBase {
+public class GrpcEagerAuthCustomRootPathTest extends GrpcAuthTestBase {
 
     @RegisterExtension
     static final QuarkusUnitTest config = createQuarkusUnitTest("""

extensions/grpc/deployment/src/test/java/io/quarkus/grpc/auth/GrpcLazyAuthCustomRootPathTest.java

@@ -0,0 +1,18 @@
+package io.quarkus.grpc.auth;
+
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+
+public class GrpcLazyAuthCustomRootPathTest extends GrpcAuthTestBase {
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = createQuarkusUnitTest("""
+            quarkus.grpc.server.use-separate-server=false
+            quarkus.grpc.clients.securityClient.host=localhost
+            quarkus.grpc.clients.securityClient.port=8081
+            quarkus.http.root-path=/api
+            quarkus.http.auth.proactive=false
+            """, true);
+
+}

extensions/grpc/runtime/src/main/java/io/quarkus/grpc/auth/AuthExceptionHandler.java

@@ -1,12 +1,13 @@
 package io.quarkus.grpc.auth;
 
+import static io.quarkus.grpc.auth.DefaultAuthExceptionHandlerProvider.transformToStatusException;
+
 import jakarta.enterprise.inject.spi.Prioritized;
 
 import io.grpc.Metadata;
 import io.grpc.ServerCall;
-import io.grpc.Status;
 import io.quarkus.grpc.ExceptionHandler;
-import io.quarkus.security.AuthenticationFailedException;
+import io.quarkus.security.AuthenticationException;
 
 /**
  * Exception mapper for authentication and authorization exceptions
@@ -16,9 +17,17 @@
  */
 public class AuthExceptionHandler<ReqT, RespT> extends ExceptionHandler<ReqT, RespT> implements Prioritized {
 
+    private final boolean addStatusDescription;
+
     public AuthExceptionHandler(ServerCall.Listener<ReqT> listener, ServerCall<ReqT, RespT> serverCall,
-            Metadata metadata) {
+            Metadata metadata, boolean addStatusDescription) {
         super(listener, serverCall, metadata);
+        this.addStatusDescription = addStatusDescription;
+    }
+
+    public AuthExceptionHandler(ServerCall.Listener<ReqT> listener, ServerCall<ReqT, RespT> serverCall,
+            Metadata metadata) {
+        this(listener, serverCall, metadata, false);
     }
 
     /**
@@ -29,10 +38,8 @@ public AuthExceptionHandler(ServerCall.Listener<ReqT> listener, ServerCall<ReqT,
      * @param metadata call metadata
      */
     protected void handleException(Throwable exception, ServerCall<ReqT, RespT> serverCall, Metadata metadata) {
-        if (exception instanceof AuthenticationFailedException) {
-            serverCall.close(Status.UNAUTHENTICATED.withDescription(exception.getMessage()), metadata);
-        } else if (exception instanceof SecurityException) {
-            serverCall.close(Status.PERMISSION_DENIED.withDescription(exception.getMessage()), metadata);
+        if (exception instanceof AuthenticationException || exception instanceof SecurityException) {
+            serverCall.close(transformToStatusException(addStatusDescription, exception), metadata);
         } else if (exception instanceof RuntimeException) {
             throw (RuntimeException) exception;
         } else {

extensions/grpc/runtime/src/main/java/io/quarkus/grpc/auth/AuthExceptionHandlerProvider.java

@@ -5,6 +5,7 @@
 import io.grpc.Metadata;
 import io.grpc.ServerCall;
 import io.grpc.ServerCall.Listener;
+import io.grpc.StatusException;
 
 /**
  * Provider for AuthExceptionHandler.
@@ -17,4 +18,22 @@ public interface AuthExceptionHandlerProvider extends Prioritized {
 
     <ReqT, RespT> AuthExceptionHandler<ReqT, RespT> createHandler(Listener<ReqT> listener,
             ServerCall<ReqT, RespT> serverCall, Metadata metadata);
+
+    /**
+     * @param failure security exception this provider can handle according to the {@link #handlesException(Throwable)}
+     * @return status exception
+     */
+    default StatusException transformToStatusException(Throwable failure) {
+        // because by default we don't handle any exception
+        // the original behavior (before introduction of this method) is kept because 'handlesException' return false
+        throw new IllegalStateException("Cannot transform exception " + failure + " to a status exception");
+    }
+
+    /**
+     * @param failure any gRPC request failure
+     * @return whether this provider should create response status for given failure
+     */
+    default boolean handlesException(Throwable failure) {
+        return false;
+    }
 }

extensions/grpc/runtime/src/main/java/io/quarkus/grpc/auth/DefaultAuthExceptionHandlerProvider.java

@@ -4,10 +4,20 @@
 
 import io.grpc.Metadata;
 import io.grpc.ServerCall;
+import io.grpc.Status;
+import io.grpc.StatusException;
+import io.quarkus.runtime.LaunchMode;
+import io.quarkus.security.AuthenticationException;
 
 @Singleton
 public class DefaultAuthExceptionHandlerProvider implements AuthExceptionHandlerProvider {
 
+    private final boolean addStatusDescription;
+
+    public DefaultAuthExceptionHandlerProvider() {
+        this.addStatusDescription = LaunchMode.current().isDevOrTest();
+    }
+
     @Override
     public int getPriority() {
         return DEFAULT_PRIORITY;
@@ -16,6 +26,34 @@ public int getPriority() {
     @Override
     public <ReqT, RespT> AuthExceptionHandler<ReqT, RespT> createHandler(ServerCall.Listener<ReqT> listener,
             ServerCall<ReqT, RespT> serverCall, Metadata metadata) {
-        return new AuthExceptionHandler<>(listener, serverCall, metadata);
+        return new AuthExceptionHandler<>(listener, serverCall, metadata, addStatusDescription);
+    }
+
+    @Override
+    public StatusException transformToStatusException(Throwable t) {
+        return new StatusException(transformToStatusException(addStatusDescription, t));
+    }
+
+    @Override
+    public boolean handlesException(Throwable failure) {
+        return failure instanceof AuthenticationException || failure instanceof SecurityException;
+    }
+
+    static Status transformToStatusException(boolean addExceptionMessage, Throwable exception) {
+        if (exception instanceof AuthenticationException) {
+            if (addExceptionMessage) {
+                return Status.UNAUTHENTICATED.withDescription(exception.getMessage());
+            } else {
+                return Status.UNAUTHENTICATED;
+            }
+        } else if (exception instanceof SecurityException) {
+            if (addExceptionMessage) {
+                return Status.PERMISSION_DENIED.withDescription(exception.getMessage());
+            } else {
+                return Status.PERMISSION_DENIED;
+            }
+        } else {
+            throw new IllegalStateException("Cannot transform exception " + exception, exception);
+        }
     }
 }

extensions/grpc/runtime/src/main/java/io/quarkus/grpc/auth/GrpcSecurityInterceptor.java

@@ -13,6 +13,7 @@
 import java.util.Map;
 import java.util.concurrent.Executor;
 import java.util.function.Consumer;
+import java.util.function.Predicate;
 
 import jakarta.enterprise.event.Event;
 import jakarta.enterprise.inject.Instance;
@@ -29,10 +30,12 @@
 import io.grpc.ServerCallHandler;
 import io.grpc.ServerInterceptor;
 import io.quarkus.grpc.GlobalInterceptor;
+import io.quarkus.security.AuthenticationException;
 import io.quarkus.security.AuthenticationFailedException;
 import io.quarkus.security.identity.CurrentIdentityAssociation;
 import io.quarkus.security.identity.IdentityProviderManager;
 import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.identity.request.AnonymousAuthenticationRequest;
 import io.quarkus.security.identity.request.AuthenticationRequest;
 import io.quarkus.security.spi.runtime.AuthenticationFailureEvent;
 import io.quarkus.security.spi.runtime.AuthenticationSuccessEvent;
@@ -179,6 +182,7 @@ public void accept(Throwable throwable) {
                     securityEventHelper.fireFailureEvent(new AuthenticationFailureEvent(authFailedEx, null));
                 }
                 identityAssociation.setIdentity(Uni.createFrom().failure(authFailedEx));
+                identityAssociationNotSet = false;
             }
         }
         if (identityAssociationNotSet && notUsingSeparateGrpcServer) {
@@ -188,10 +192,26 @@ public void accept(Throwable throwable) {
                 if (capturedContext.getLocal(IDENTITY_KEY) != null) {
                     identityAssociation.setIdentity(capturedContext.<SecurityIdentity> getLocal(IDENTITY_KEY));
                 } else if (capturedContext.getLocal(DEFERRED_IDENTITY_KEY) != null) {
-                    identityAssociation.setIdentity(capturedContext.<Uni<SecurityIdentity>> getLocal(DEFERRED_IDENTITY_KEY));
+                    Uni<SecurityIdentity> identityUni = capturedContext
+                            .<Uni<SecurityIdentity>> getLocal(DEFERRED_IDENTITY_KEY)
+                            .onFailure(new Predicate<Throwable>() {
+                                @Override
+                                public boolean test(Throwable t) {
+                                    return !(t instanceof AuthenticationException);
+                                }
+                            })
+                            // even if it were internal error, we must be able to identify exceptions
+                            // raised during authentication so that we don't append body by default, hence wrapping it
+                            .transform(AuthenticationFailedException::new);
+                    identityAssociation.setIdentity(identityUni);
                 }
+                identityAssociationNotSet = false;
             }
         }
+        if (identityAssociationNotSet) {
+            Uni<SecurityIdentity> identityUni = identityProviderManager.authenticate(AnonymousAuthenticationRequest.INSTANCE);
+            identityAssociation.setIdentity(identityUni);
+        }
         ServerCall.Listener<ReqT> listener = serverCallHandler.startCall(serverCall, metadata);
         return exceptionHandlerProvider.createHandler(listener, serverCall, metadata);
     }
@@ -213,6 +233,10 @@ public static void propagateSecurityIdentityWithDuplicatedCtx(RoutingContext eve
                 getCapturedVertxContext().putLocal(IDENTITY_KEY, existing.getSecurityIdentity());
             } else {
                 getCapturedVertxContext().putLocal(DEFERRED_IDENTITY_KEY, QuarkusHttpUser.getSecurityIdentity(event, null));
+                // we will handle failures ourselves, so that response is written once
+                // do this even if the authentication failure handler is not DefaultAuthFailureHandler because
+                // it might be the failure handler added by the Quarkus REST when it is present
+                event.remove(QuarkusHttpUser.AUTH_FAILURE_HANDLER);
             }
         }
     }

extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/GrpcServerRecorder.java

@@ -59,6 +59,7 @@
 import io.quarkus.runtime.ShutdownContext;
 import io.quarkus.runtime.annotations.Recorder;
 import io.quarkus.vertx.http.runtime.PortSystemProperties;
+import io.quarkus.vertx.http.runtime.QuarkusErrorHandler;
 import io.quarkus.vertx.http.runtime.security.HttpAuthenticator;
 import io.quarkus.virtual.threads.VirtualThreadsRecorder;
 import io.vertx.core.AbstractVerticle;
@@ -93,6 +94,29 @@ public static List<GrpcServiceDefinition> getServices() {
         return services;
     }
 
+    public void addMainRouterErrorHandlerIfSameServer(RuntimeValue<Router> mainRouter, GrpcConfiguration config) {
+        if (!config.server().useSeparateServer()) {
+            mainRouter.getValue().route().last().failureHandler(new Handler<>() {
+
+                private final Handler<RoutingContext> errorHandler = new QuarkusErrorHandler(LaunchMode.current().isDevOrTest(),
+                        false, Optional.empty());
+
+                @Override
+                public void handle(RoutingContext event) {
+                    if (isGrpc(event)) {
+                        // this is for failures before that occurred before gRPC started processing, it could be:
+                        // 1. authentication failure
+                        // 2. internal error raised during authentication
+                        // 3. unrelated failure
+                        // if there is an exception on the gRPC route, we should handle it because the most likely cause
+                        // of the failure is authentication; as for the '3.', this is better than having unhandled failures
+                        errorHandler.handle(event);
+                    }
+                }
+            });
+        }
+    }
+
     public void initializeGrpcServer(RuntimeValue<Vertx> vertxSupplier,
             RuntimeValue<Router> routerSupplier,
             GrpcConfiguration cfg,
@@ -198,12 +222,13 @@ private void buildGrpcServer(Vertx vertx, GrpcServerConfiguration configuration,
         if (securityHandlers != null) {
             for (Map.Entry<Integer, Handler<RoutingContext>> e : securityHandlers.entrySet()) {
                 Handler<RoutingContext> handler = e.getValue();
+                boolean isAuthenticationHandler = e.getKey() == -200;
                 Route route = router.route().order(e.getKey()).handler(new Handler<RoutingContext>() {
                     @Override
                     public void handle(RoutingContext ctx) {
                         if (!isGrpc(ctx)) {
                             ctx.next();
-                        } else if (ctx.get(HttpAuthenticator.class.getName()) != null) {
+                        } else if (isAuthenticationHandler && ctx.get(HttpAuthenticator.class.getName()) != null) {
                             // this IF branch shouldn't be invoked with current implementation
                             // when gRPC is attached to the main router when the root path is not '/'
                             // because HTTP authenticator and authorizer handlers are not added by default on the main