WebClient security propagation module (#7109)

WebClient security propagation module Signed-off-by: David Kral <david.k.kral@oracle.com>
helidon-io · Jun 28, 2023 · 4be7cc2 · 4be7cc2
1 parent ebdafd4
commit 4be7cc2
Show file tree

Hide file tree

Showing 10 changed files with 437 additions and 3 deletions.
diff --git a/bom/pom.xml b/bom/pom.xml
@@ -1255,6 +1255,11 @@
                 <artifactId>helidon-nima-webclient</artifactId>
                 <version>${helidon.version}</version>
             </dependency>
+            <dependency>
+                <groupId>io.helidon.nima.webclient</groupId>
+                <artifactId>helidon-nima-webclient-security</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
             <dependency>
                 <groupId>io.helidon.nima.webclient</groupId>
                 <artifactId>helidon-nima-webclient-tracing</artifactId>

diff --git a/nima/webclient/pom.xml b/nima/webclient/pom.xml
@@ -38,6 +38,7 @@
     <modules>
         <module>webclient</module>
         <module>tracing</module>
+        <module>security</module>
     </modules>
 
 </project>
diff --git a/nima/webclient/security/pom.xml b/nima/webclient/security/pom.xml
@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright (c) 2023 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+  -->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>io.helidon.nima.webclient</groupId>
+        <artifactId>helidon-nima-webclient-project</artifactId>
+        <version>4.0.0-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+
+    <artifactId>helidon-nima-webclient-security</artifactId>
+    <name>Helidon Níma WebClient Security</name>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.helidon.nima.webclient</groupId>
+            <artifactId>helidon-nima-webclient</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.security</groupId>
+            <artifactId>helidon-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.security.providers</groupId>
+            <artifactId>helidon-security-providers-common</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.common.features</groupId>
+            <artifactId>helidon-common-features-api</artifactId>
+            <optional>true</optional>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <annotationProcessorPaths>
+                        <path>
+                            <groupId>io.helidon.common.features</groupId>
+                            <artifactId>helidon-common-features-processor</artifactId>
+                            <version>${helidon.version}</version>
+                        </path>
+                    </annotationProcessorPaths>
+                </configuration>
+                <dependencies>
+                    <dependency>
+                        <groupId>io.helidon.common.features</groupId>
+                        <artifactId>helidon-common-features-api</artifactId>
+                        <version>${helidon.version}</version>
+                    </dependency>
+                </dependencies>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
diff --git a/...ebclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurity.java b/...ebclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurity.java
@@ -0,0 +1,224 @@
+/*
+ * Copyright (c) 2023 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.helidon.nima.webclient.security;
+
+import java.lang.System.Logger.Level;
+import java.net.URI;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.UUID;
+
+import io.helidon.common.context.Context;
+import io.helidon.common.context.Contexts;
+import io.helidon.common.http.ClientRequestHeaders;
+import io.helidon.common.http.Http;
+import io.helidon.nima.webclient.WebClientServiceRequest;
+import io.helidon.nima.webclient.WebClientServiceResponse;
+import io.helidon.nima.webclient.spi.WebClientService;
+import io.helidon.security.EndpointConfig;
+import io.helidon.security.OutboundSecurityClientBuilder;
+import io.helidon.security.OutboundSecurityResponse;
+import io.helidon.security.Security;
+import io.helidon.security.SecurityContext;
+import io.helidon.security.SecurityEnvironment;
+import io.helidon.security.providers.common.OutboundConfig;
+import io.helidon.tracing.Span;
+import io.helidon.tracing.SpanContext;
+import io.helidon.tracing.Tracer;
+
+/**
+ * Client service for security propagation.
+ */
+public class WebClientSecurity implements WebClientService {
+    private static final System.Logger LOGGER = System.getLogger(WebClientSecurity.class.getName());
+
+    private static final String PROVIDER_NAME = "io.helidon.security.rest.client.security.providerName";
+
+    private final Security security;
+
+    private WebClientSecurity() {
+        this(null);
+    }
+
+    private WebClientSecurity(Security security) {
+        this.security = security;
+    }
+
+    /**
+     * Creates new instance of client security service.
+     *
+     * @return client security service
+     */
+    public static WebClientSecurity create() {
+        Context context = Contexts.context().orElseGet(Contexts::globalContext);
+
+        return context.get(Security.class)
+                .map(WebClientSecurity::new) // if available, use constructor with Security parameter
+                .orElseGet(WebClientSecurity::new); // else use constructor without Security parameter
+    }
+
+    /**
+     * Creates new instance of client security service base on {@link io.helidon.security.Security}.
+     *
+     * @param security security instance
+     * @return client security service
+     */
+    public static WebClientSecurity create(Security security) {
+        // if we have one more configuration parameter, we need to switch to builder based pattern
+        return new WebClientSecurity(security);
+    }
+
+    @Override
+    public WebClientServiceResponse handle(Chain chain, WebClientServiceRequest request) {
+        if ("true".equalsIgnoreCase(request.properties().get(OutboundConfig.PROPERTY_DISABLE_OUTBOUND))) {
+            return chain.proceed(request);
+        }
+
+        Context requestContext = request.context();
+        // context either from request or create a new one
+        Optional<SecurityContext> maybeContext = requestContext.get(SecurityContext.class);
+
+        SecurityContext context;
+
+        if (security == null) {
+            if (maybeContext.isEmpty()) {
+                return chain.proceed(request);
+            } else {
+                context = maybeContext.get();
+            }
+        } else {
+            // we have our own security - we need to use this instance for outbound,
+            // so we cannot re-use the context
+            context = createContext(request);
+        }
+
+        Span span = context.tracer()
+                .spanBuilder("security:outbound")
+                .parent(context.tracingSpan())
+                .start();
+
+        String explicitProvider = request.properties().get(PROVIDER_NAME);
+
+        OutboundSecurityClientBuilder clientBuilder;
+
+        try {
+            SecurityEnvironment.Builder outboundEnv = context.env()
+                    .derive()
+                    .clearHeaders()
+                    .clearQueryParams();
+
+            outboundEnv.method(request.method().text())
+                    .path(request.uri().path())
+                    .targetUri(URI.create(request.uri().toString()))
+                    .queryParams(request.query());
+
+            request.headers()
+                    .stream()
+                    .forEach(headerValue -> outboundEnv.header(headerValue.name(), headerValue.values()));
+
+            EndpointConfig.Builder outboundEp = context.endpointConfig().derive();
+            Map<String, String> propMap = request.properties();
+
+            for (String name : propMap.keySet()) {
+                Optional.ofNullable(request.properties().get(name))
+                        .ifPresent(property -> outboundEp.addAtribute(name, property));
+            }
+
+            clientBuilder = context.outboundClientBuilder()
+                    .outboundEnvironment(outboundEnv)
+                    .outboundEndpointConfig(outboundEp)
+                    .explicitProvider(explicitProvider);
+
+        } catch (Exception e) {
+            traceError(span, e, null);
+
+            throw e;
+        }
+
+        OutboundSecurityResponse providerResponse = clientBuilder.submit();
+        return processResponse(request, span, providerResponse, chain);
+    }
+
+    private WebClientServiceResponse processResponse(WebClientServiceRequest request,
+                                                     Span span,
+                                                     OutboundSecurityResponse providerResponse,
+                                                     Chain chain) {
+        try {
+            switch (providerResponse.status()) {
+            case FAILURE:
+            case FAILURE_FINISH:
+                traceError(span,
+                           providerResponse.throwable().orElse(null),
+                           providerResponse.description()
+                                   .orElse(providerResponse.status().toString()));
+                break;
+            case ABSTAIN:
+            case SUCCESS:
+            case SUCCESS_FINISH:
+            default:
+                break;
+            }
+
+            Map<String, List<String>> newHeaders = providerResponse.requestHeaders();
+
+            if (LOGGER.isLoggable(Level.TRACE)) {
+                LOGGER.log(Level.TRACE, "Client filter header(s). SIZE: " + newHeaders.size());
+            }
+
+            ClientRequestHeaders clientHeaders = request.headers();
+            for (Map.Entry<String, List<String>> entry : newHeaders.entrySet()) {
+                if (LOGGER.isLoggable(Level.TRACE)) {
+                    LOGGER.log(Level.TRACE, "    + Header: " + entry.getKey() + ": " + entry.getValue());
+                }
+
+                //replace existing
+                Http.HeaderName headerName = Http.Header.create(entry.getKey());
+                clientHeaders.set(headerName, entry.getValue().toArray(new String[0]));
+            }
+            span.end();
+            return chain.proceed(request);
+        } catch (Exception e) {
+            traceError(span, e, null);
+            throw e;
+        }
+    }
+
+    private SecurityContext createContext(WebClientServiceRequest request) {
+        SecurityContext.Builder builder = security.contextBuilder(UUID.randomUUID().toString())
+                .endpointConfig(EndpointConfig.builder()
+                                        .build())
+                .env(SecurityEnvironment.builder()
+                             .path(request.uri().path())
+                             .build());
+        request.context().get(Tracer.class).ifPresent(builder::tracingTracer);
+        request.context().get(SpanContext.class).ifPresent(builder::tracingSpan);
+        return builder.build();
+    }
+
+    static void traceError(Span span, Throwable throwable, String description) {
+        // failed
+        span.status(Span.Status.ERROR);
+
+        if (throwable == null) {
+            span.addEvent("error", Map.of("message", description,
+                                          "error.kind", "SecurityException"));
+            span.end();
+        } else {
+            span.end(throwable);
+        }
+    }
+}
diff --git a/.../security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurityProvider.java b/.../security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurityProvider.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2023 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.helidon.nima.webclient.security;
+
+import io.helidon.common.config.Config;
+import io.helidon.nima.webclient.spi.WebClientService;
+import io.helidon.nima.webclient.spi.WebClientServiceProvider;
+
+/**
+ * Client security SPI provider.
+ *
+ * @deprecated This class should only be used via {@link java.util.ServiceLoader}.
+ *  Use {@link io.helidon.nima.webclient.security.WebClientSecurity} instead
+ */
+@Deprecated
+public class WebClientSecurityProvider implements WebClientServiceProvider {
+
+    /**
+     * Required public constructor.
+     *
+     * @deprecated This class should only be used via {@link java.util.ServiceLoader}.
+     */
+    @Deprecated
+    public WebClientSecurityProvider() {
+    }
+
+    @Override
+    public String configKey() {
+        return "security";
+    }
+
+    @Override
+    public WebClientService create(Config config) {
+        return WebClientSecurity.create();
+    }
+}
diff --git a/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/package-info.java b/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2023 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Security propagation service.
+ */
+package io.helidon.nima.webclient.security;