Added new child module 'services-security'

Author: artem-v

pom.xml

@@ -1,5 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <parent>
@@ -58,9 +60,10 @@
 
   <properties>
     <scalecube-cluster.version>2.6.7.RC1</scalecube-cluster.version>
-    <scalecube-commons.version>1.0.12</scalecube-commons.version>
-    <reactor.version>2020.0.5</reactor.version>
+    <scalecube-commons.version>1.0.13</scalecube-commons.version>
+    <scalecube-security-tokens.version>1.0.16</scalecube-security-tokens.version>
 
+    <reactor.version>2020.0.5</reactor.version>
     <jackson.version>2.11.0</jackson.version>
     <rsocket.version>1.0.4</rsocket.version>
     <protostuff.version>1.6.0</protostuff.version>
@@ -77,11 +80,12 @@
   </properties>
 
   <modules>
+    <module>services</module>
     <module>services-api</module>
     <module>services-transport-parent</module>
     <module>services-discovery</module>
     <module>services-bytebuf-codec</module>
-    <module>services</module>
+    <module>services-security</module>
     <module>services-examples</module>
   </modules>
 
@@ -95,6 +99,13 @@
         <version>${scalecube-commons.version}</version>
       </dependency>
 
+      <!-- Scalecube security tokens -->
+      <dependency>
+        <groupId>io.scalecube</groupId>
+        <artifactId>scalecube-security-tokens</artifactId>
+        <version>${scalecube-security-tokens.version}</version>
+      </dependency>
+
       <!-- Scalecube cluster -->
       <dependency>
         <groupId>io.scalecube</groupId>

services-security/pom.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>io.scalecube</groupId>
+    <artifactId>scalecube-services-parent</artifactId>
+    <version>2.10.13-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>scalecube-services-security</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>io.scalecube</groupId>
+      <artifactId>scalecube-services</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>io.scalecube</groupId>
+      <artifactId>scalecube-security-tokens</artifactId>
+    </dependency>
+  </dependencies>
+
+</project>

services-security/src/main/java/io/scalecube/services/security/Credentials.java

@@ -0,0 +1,92 @@
+package io.scalecube.services.security;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.OutputStream;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Objects;
+import reactor.core.Exceptions;
+
+public class Credentials {
+
+  /**
+   * Encodes the given credentials to the given stream.
+   *
+   * @param stream stream
+   * @param credentials credentials
+   */
+  public static void encode(OutputStream stream, Map<String, String> credentials) {
+    if (credentials == null) {
+      return;
+    }
+    Objects.requireNonNull(stream, "output stream");
+    try (ObjectOutputStream out = new ObjectOutputStream(stream)) {
+      // credentials
+      out.writeInt(credentials.size());
+      for (Entry<String, String> entry : credentials.entrySet()) {
+        out.writeUTF(entry.getKey());
+        out.writeObject(entry.getValue()); // value is nullable
+      }
+
+      out.flush();
+    } catch (Throwable th) {
+      throw Exceptions.propagate(th);
+    }
+  }
+
+  /**
+   * Encodes the given credentials to a byte array.
+   *
+   * @param credentials credentials
+   * @return byte array representation of credentials
+   */
+  public static byte[] toByteArray(Map<String, String> credentials) {
+    if (credentials == null || credentials.isEmpty()) {
+      return new byte[0];
+    }
+    ByteArrayOutputStream output = new ByteArrayOutputStream();
+    encode(output, credentials);
+    return output.toByteArray();
+  }
+
+  /**
+   * Decodes the given stream to credentials as {@code Map<String, String>}.
+   *
+   * @return credentials
+   */
+  public static Map<String, String> decode(InputStream stream) {
+    Objects.requireNonNull(stream, "input stream");
+    try (ObjectInputStream in = new ObjectInputStream(stream)) {
+      // credentials
+      int credentialsSize = in.readInt();
+      Map<String, String> credentials = new HashMap<>(credentialsSize);
+      for (int i = 0; i < credentialsSize; i++) {
+        String key = in.readUTF();
+        String value = (String) in.readObject(); // value is nullable
+        credentials.put(key, value);
+      }
+      return Collections.unmodifiableMap(credentials);
+    } catch (Throwable th) {
+      throw Exceptions.propagate(th);
+    }
+  }
+
+  /**
+   * Decodes the given byte array to credentials as {@code Map<String, String>}.
+   *
+   * @return credentials
+   */
+  public static Map<String, String> decode(byte[] bytes) {
+    if (bytes == null || bytes.length == 0) {
+      return Collections.emptyMap();
+    }
+    ByteArrayInputStream input = new ByteArrayInputStream(bytes);
+    return decode(input);
+  }
+}

services-security/src/main/java/io/scalecube/services/security/ServiceClaims.java

@@ -0,0 +1,23 @@
+package io.scalecube.services.security;
+
+import java.util.StringJoiner;
+
+public final class ServiceClaims {
+
+  private final String permissions;
+
+  public ServiceClaims(String permissions) {
+    this.permissions = permissions;
+  }
+
+  public String permissions() {
+    return permissions;
+  }
+
+  @Override
+  public String toString() {
+    return new StringJoiner(", ", ServiceClaims.class.getSimpleName() + "[", "]")
+        .add("permissions='" + permissions + "'")
+        .toString();
+  }
+}

services-security/src/main/java/io/scalecube/services/security/ServiceTokenAuthenticator.java

@@ -0,0 +1,60 @@
+package io.scalecube.services.security;
+
+import io.scalecube.security.tokens.jwt.JwtTokenResolver;
+import io.scalecube.services.auth.Authenticator;
+import io.scalecube.services.exceptions.UnauthorizedException;
+import java.util.Map;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import reactor.core.publisher.Mono;
+import reactor.util.retry.Retry;
+
+/**
+ * Generic {@link Authenticator} implementation based on abstract {@link JwtTokenResolver}. Using
+ * token resolver this authenticator turns extracted and verified token claims into the {@link
+ * ServiceClaims} object.
+ */
+public final class ServiceTokenAuthenticator implements Authenticator<ServiceClaims> {
+
+  private static final Logger LOGGER = LoggerFactory.getLogger(ServiceTokenAuthenticator.class);
+
+  private final JwtTokenResolver tokenResolver;
+  private final Retry retryStrategy;
+
+  public ServiceTokenAuthenticator(JwtTokenResolver tokenResolver) {
+    this(tokenResolver, Retry.max(0));
+  }
+
+  public ServiceTokenAuthenticator(JwtTokenResolver tokenResolver, Retry retryStrategy) {
+    this.tokenResolver = tokenResolver;
+    this.retryStrategy = retryStrategy;
+  }
+
+  @Override
+  public Mono<ServiceClaims> apply(Map<String, String> credentials) {
+    return Mono.defer(
+        () -> {
+          String serviceToken = credentials.get(ServiceTokens.SERVICE_TOKEN_HEADER);
+
+          if (serviceToken == null) {
+            throw new UnauthorizedException("Authentication failed");
+          }
+
+          return tokenResolver
+              .resolve(serviceToken)
+              .map(ServiceTokenAuthenticator::toServiceClaims)
+              .retryWhen(retryStrategy)
+              .doOnError(th -> LOGGER.error("Failed to authenticate, cause: {}", th.toString()))
+              .onErrorMap(th -> new UnauthorizedException("Authentication failed"))
+              .switchIfEmpty(Mono.error(new UnauthorizedException("Authentication failed")));
+        });
+  }
+
+  private static ServiceClaims toServiceClaims(Map<String, Object> authData) {
+    String permissionsClaim = (String) authData.get(ServiceTokens.PERMISSIONS_CLAIM);
+    if (permissionsClaim == null || permissionsClaim.isEmpty()) {
+      throw new UnauthorizedException("Authentication failed");
+    }
+    return new ServiceClaims(permissionsClaim);
+  }
+}

services-security/src/main/java/io/scalecube/services/security/ServiceTokens.java

@@ -0,0 +1,12 @@
+package io.scalecube.services.security;
+
+public final class ServiceTokens {
+
+  public static final String SERVICE_TOKEN_HEADER = "serviceToken";
+  public static final String PERMISSIONS_CLAIM = "permissions";
+  public static final String LOCAL_TOKEN_HEADER = "localToken";
+
+  private ServiceTokens() {
+    // Do not instantiate
+  }
+}