Security API enhancements

[vicmosin]

Hi there,
I wonder whether we could have something like

override fun configure(builder: GrpcSecurity) {
        builder.authorizeRequests()
            .services(SomeServiceGrpc.getServiceDescriptor()).hasAnyRole(user) // fallback
            .methods(SomeServiceGrpc.getMethod1()).hasAnyRole(admin, user)
            .methods(SomeServiceGrpc.getMethod2()).hasAnyRole(superAdmin, user)
}

Idea is to have a fallback restriction to service's methods if one forgot to define the method restriction in configuration. Right now such approach doesn't seem to work. For example, the snippet above will set all the methods of the SomeServiceGrpc to have at least user role even if it's not explicitly specified in the configuration

Thank you

[jvmlet]

I'm not sure I understand

the snippet above will set all the methods of the SomeServiceGrpc to have at least user role even if it's not explicitly specified in the configuration

is exactly the fallback you are asking, no?

[vicmosin]

@jvmlet
well, the problem is that .method(*) definition doesn't seem to override the .services(*), but technically yeah, fallback works

[jvmlet]

@vicmosin , I think this is what you are after :

 builder.authorizeRequests()
            .services(SomeServiceGrpc.getServiceDescriptor()).hasAnyRole(admin)  
            .anyServiceExcluding(SomeServiceGrpc.getServiceDescriptor()).hasAnyRole(user)

Please try with latest 4.7.1-SNAPSHOT once build completes.
You also have similar API for methods

[jvmlet]

4.7.1 is out

[vicmosin]

@jvmlet thnx for quick solution but I think there is still something either wrong there or I do it wrong.. for example,

.methods(
   SomeServiceGrpc.getCreateXMethod(),
).hasAnyRole(admin)
.anyMethodExcluding(
   *SomeServiceGrpc.getServiceDescriptor().methods.toTypedArray()
).hasAnyRole(user)

now with such config if I call createX without providing auth details, the call goes through.. if I revert to 4.7.0 and define all the methods individually then it works as expected

[jvmlet]

Such config leaves all SomeServiceGrpc methods, except createXMethod, unprotected, right?
Are you sure the unauthorized user can invoke createXMethod?

[vicmosin]

@jvmlet

Such config leaves all SomeServiceGrpc methods, except createXMethod, unprotected, right?

yes

Are you sure the unauthorized user can invoke createXMethod?

No, it works as expected.. i.e. calls without auth details throw Status.UNAUTHENTICATED

So basically it seems like anyMethodExcluding and anyServiceExcluding override all the previous settings

[vicmosin]

btw maybe it makes sense to rename them to be more self-explaining.. something like
fallback(serviceDescriptor..) and fallback(methodDescriptor..)

[jvmlet]

They are not fallback. Each time you invoke hasAnyRole() method , the authority is (authorities are) added to the permission list of the MethodDescriptor.
At runtime, if the MethodDescriptor has the user role in it's authorities list - it's allowed.