Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support basic, mTLS and bearer access token based auth and authorization using annotations when running on Vert.x gRPC server #37966

Merged
merged 1 commit into from
Jan 8, 2024
Merged

Support basic, mTLS and bearer access token based auth and authorization using annotations when running on Vert.x gRPC server #37966

merged 1 commit into from
Jan 8, 2024

Conversation

michalvavrik
Copy link
Member

belongs to the #24755 (it deals with gRPC service implementation, consumption will be next step after this PR)

Some users try to leverage the fact that HTTP authenticator and authorizer runs before gRPC route (when quarkus.grpc.server.use-separate-server=false) but this approach had before this PR few flaws:

  • you need to rely on HTTP Security policies
  • you are unable to access SecurityIdentity used for authentication / authorization inside gRPC service, hence you don't know anything about the user
  • you can't use standard security annotations
  • we don't test it
  • we don't document it
  • if users want to access SecurityIdentity or use RBAC annotations, their only option is to implement GrpcSecurityMechanism

This PR makes very small change which fixes above-mentioned points - use Quarkus HTTP Security Identity and make it available for RBAC authorization and SecurityIdentity injection. It also adds bunch of tests for basic auth, mTLS roles mapping (also existing tests didn't actually used X509IdentityProvider and mTLS auth mechanism, they authenticate on lower level), OIDC Bearer token auth, SmallRye JWT and OAuth2.

@michalvavrik michalvavrik changed the title Support basic, mTLS and bearer access token based auth and authorization using annotations when run on Vert.x gRPC server Support basic, mTLS and bearer access token based auth and authorization using annotations when running on Vert.x gRPC server Jan 1, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 1, 2024
edited
Loading

🙈 The PR is closed and the preview is expired.

@quarkus-bot quarkus-bot
Copy link

quarkus-bot bot commented Jan 1, 2024
edited by github-actions bot
Loading

Failing Jobs - Building 4cec3fa

Status Name Step Failures Logs Raw logs Build scan
Gradle Tests - JDK 17 Build Failures Logs Raw logs 🔍
✔️ Gradle Tests - JDK 17 Windows 🔍

Full information is available in the Build summary check run.
You can also consult the Develocity build scans.

Failures

⚙️ Gradle Tests - JDK 17 #

- Failing: integration-tests/gradle

📦 integration-tests/gradle

io.quarkus.gradle.ConditionalDependenciesTest.scenarioTwo line 142 - More details - Source on GitHub

java.lang.AssertionError: Gradle build failed with exit code 1
	at io.quarkus.gradle.QuarkusGradleWrapperTestBase.runGradleWrapper(QuarkusGradleWrapperTestBase.java:111)
	at io.quarkus.gradle.QuarkusGradleWrapperTestBase.runGradleWrapper(QuarkusGradleWrapperTestBase.java:53)

io.quarkus.gradle.ConditionalDependenciesTest.shouldImportConditionalDependency line 79 - More details - Source on GitHub

java.lang.AssertionError: Gradle build failed with exit code 1
	at io.quarkus.gradle.QuarkusGradleWrapperTestBase.runGradleWrapper(QuarkusGradleWrapperTestBase.java:111)
	at io.quarkus.gradle.QuarkusGradleWrapperTestBase.runGradleWrapper(QuarkusGradleWrapperTestBase.java:53)

io.quarkus.gradle.ConditionalDependenciesTest.shouldNotFailIfConditionalDependencyIsExplicitlyDeclared line 119 - More details - Source on GitHub

java.lang.AssertionError: Gradle build failed with exit code 1
	at io.quarkus.gradle.QuarkusGradleWrapperTestBase.runGradleWrapper(QuarkusGradleWrapperTestBase.java:111)
	at io.quarkus.gradle.QuarkusGradleWrapperTestBase.runGradleWrapper(QuarkusGradleWrapperTestBase.java:53)

io.quarkus.gradle.ConditionalDependenciesTest.shouldNotImportConditionalDependency line 101 - More details - Source on GitHub

java.lang.AssertionError: Gradle build failed with exit code 1
	at io.quarkus.gradle.QuarkusGradleWrapperTestBase.runGradleWrapper(QuarkusGradleWrapperTestBase.java:111)
	at io.quarkus.gradle.QuarkusGradleWrapperTestBase.runGradleWrapper(QuarkusGradleWrapperTestBase.java:53)

@michalvavrik
Copy link
Member Author

@sberyozkin told me he does not plan to review the PR, but dependency changes in OIDC / JWT IT modules are alright.

@michalvavrik
Copy link
Member Author

@cescoffier is this ready to merge (if so please do) or do you require additional review or some action (if so, please request it)?

@cescoffier cescoffier merged commit 7eb19ff into quarkusio:main Jan 8, 2024
37 of 38 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.7 - main milestone Jan 8, 2024
@michalvavrik michalvavrik deleted the feature/enhance-grpc-security branch January 8, 2024 09:49
@cescoffier cescoffier mentioned this pull request Sep 30, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cescoffier cescoffier cescoffier approved these changes

@alesj alesj alesj approved these changes

Assignees
No one assigned
Labels
area/documentation area/grpc gRPC area/security
Projects
Quarkus Documentation
Status: Done
Milestone
3.7.0.CR1
Development

Successfully merging this pull request may close these issues.
3 participants
@michalvavrik @alesj @cescoffier