From 2e52510101be56235cad4dd7bbf4b0115dfc4cb5 Mon Sep 17 00:00:00 2001 From: David Kral Date: Tue, 27 Jun 2023 11:30:50 +0200 Subject: [PATCH 1/4] WebClient security propagation module --- bom/pom.xml | 5 + nima/webclient/pom.xml | 1 + nima/webclient/security/pom.xml | 41 ++++ .../webclient/security/WebClientSecurity.java | 220 ++++++++++++++++++ .../security/WebClientSecurityProvider.java | 49 ++++ .../nima/webclient/security/package-info.java | 20 ++ .../security/src/main/java/module-info.java | 30 +++ .../webclient/http1/ClientRequestImpl.java | 2 +- 8 files changed, 367 insertions(+), 1 deletion(-) create mode 100644 nima/webclient/security/pom.xml create mode 100644 nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurity.java create mode 100644 nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurityProvider.java create mode 100644 nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/package-info.java create mode 100644 nima/webclient/security/src/main/java/module-info.java diff --git a/bom/pom.xml b/bom/pom.xml index 7967dcd3bb4..083bb51b51a 100644 --- a/bom/pom.xml +++ b/bom/pom.xml @@ -1255,6 +1255,11 @@ helidon-nima-webclient ${helidon.version} + + io.helidon.nima.webclient + helidon-nima-webclient-security + ${helidon.version} + io.helidon.nima.webclient helidon-nima-webclient-tracing diff --git a/nima/webclient/pom.xml b/nima/webclient/pom.xml index 9802b42aa69..b0dc0dbfe16 100644 --- a/nima/webclient/pom.xml +++ b/nima/webclient/pom.xml @@ -38,6 +38,7 @@ webclient tracing + security diff --git a/nima/webclient/security/pom.xml b/nima/webclient/security/pom.xml new file mode 100644 index 00000000000..34f5821a93d --- /dev/null +++ b/nima/webclient/security/pom.xml 
@@ -0,0 +1,41 @@ + + + + 4.0.0 + + io.helidon.nima.webclient + helidon-nima-webclient-project + 4.0.0-SNAPSHOT + + + helidon-nima-webclient-security + Helidon NĂ­ma WebClient Security + + + + io.helidon.nima.webclient + helidon-nima-webclient + + + io.helidon.security.providers + helidon-security-providers-common + + + + diff --git a/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurity.java b/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurity.java new file mode 100644 index 00000000000..af4dfae3caf --- /dev/null +++ b/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurity.java 
@@ -0,0 +1,220 @@ +/* + * Copyright (c) 2023 Oracle and/or its affiliates. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package io.helidon.nima.webclient.security; + +import java.lang.System.Logger.Level; +import java.net.URI; +import java.util.List; +import java.util.Map; +import java.util.Optional; +import java.util.UUID; + +import io.helidon.common.context.Context; +import io.helidon.common.context.Contexts; +import io.helidon.common.http.ClientRequestHeaders; +import io.helidon.common.http.Http; +import io.helidon.nima.webclient.WebClientServiceRequest; +import io.helidon.nima.webclient.WebClientServiceResponse; +import io.helidon.nima.webclient.spi.WebClientService; +import io.helidon.security.EndpointConfig; +import io.helidon.security.OutboundSecurityClientBuilder; +import io.helidon.security.OutboundSecurityResponse; +import io.helidon.security.Security; +import io.helidon.security.SecurityContext; +import io.helidon.security.SecurityEnvironment; +import io.helidon.security.providers.common.OutboundConfig; +import io.helidon.tracing.Span; +import io.helidon.tracing.SpanContext; +import io.helidon.tracing.Tracer; + +/** + * Client service for security propagation. 
+ */ +public class WebClientSecurity implements WebClientService { + private static final System.Logger LOGGER = System.getLogger(WebClientSecurity.class.getName()); + + private static final String PROVIDER_NAME = "io.helidon.security.rest.client.security.providerName"; + + private final Security security; + + private WebClientSecurity() { + this(null); + } + + private WebClientSecurity(Security security) { + this.security = security; + } + + /** + * Creates new instance of client security service. + * + * @return client security service + */ + public static WebClientSecurity create() { + Context context = Contexts.context().orElseGet(Contexts::globalContext); + + return context.get(Security.class) + .map(WebClientSecurity::new) // if available, use constructor with Security parameter + .orElseGet(WebClientSecurity::new); // else use constructor without Security parameter + } + + /** + * Creates new instance of client security service base on {@link io.helidon.security.Security}. + * + * @param security security instance + * @return client security service + */ + public static WebClientSecurity create(Security security) { + // if we have one more configuration parameter, we need to switch to builder based pattern + return new WebClientSecurity(security); + } + + @Override + public WebClientServiceResponse handle(Chain chain, WebClientServiceRequest request) { + if ("true".equalsIgnoreCase(request.properties().get(OutboundConfig.PROPERTY_DISABLE_OUTBOUND))) { + return chain.proceed(request); + } + + Context requestContext = request.context(); + // context either from request or create a new one + Optional maybeContext = requestContext.get(SecurityContext.class); + + SecurityContext context; + + if (null == security) { + if (maybeContext.isEmpty()) { + return chain.proceed(request); + } else { + context = maybeContext.get(); + } + } else { + // we have our own security - we need to use this instance for outbound, + // so we cannot re-use the context + context = 
createContext(request); + } + + Span span = context.tracer() + .spanBuilder("security:outbound") + .parent(context.tracingSpan()) + .start(); + + String explicitProvider = request.properties().get(PROVIDER_NAME); + + OutboundSecurityClientBuilder clientBuilder; + + try { + SecurityEnvironment.Builder outboundEnv = context.env() + .derive() + .clearHeaders() + .clearQueryParams(); + + outboundEnv.method(request.method().text()) + .path(request.uri().path()) + .targetUri(URI.create(request.uri().scheme() + "://" + request.uri().authority())) + .queryParams(request.query()); + + request.headers() + .stream() + .forEach(headerValue -> outboundEnv.header(headerValue.name(), headerValue.values())); + + EndpointConfig.Builder outboundEp = context.endpointConfig().derive(); + Map propMap = request.properties(); + + for (String name : propMap.keySet()) { + Optional.ofNullable(request.properties().get(name)) + .ifPresent(property -> outboundEp.addAtribute(name, property)); + } + + clientBuilder = context.outboundClientBuilder() + .outboundEnvironment(outboundEnv) + .outboundEndpointConfig(outboundEp) + .explicitProvider(explicitProvider); + + } catch (Exception e) { + traceError(span, e, null); + + throw e; + } + + OutboundSecurityResponse providerResponse = clientBuilder.submit(); + return processResponse(request, span, providerResponse, chain); + } + + private WebClientServiceResponse processResponse(WebClientServiceRequest request, + Span span, + OutboundSecurityResponse providerResponse, + Chain chain) { + try { + switch (providerResponse.status()) { + case FAILURE: + case FAILURE_FINISH: + traceError(span, + providerResponse.throwable().orElse(null), + providerResponse.description() + .orElse(providerResponse.status().toString())); + break; + case ABSTAIN: + case SUCCESS: + case SUCCESS_FINISH: + default: + break; + } + + Map> newHeaders = providerResponse.requestHeaders(); + + LOGGER.log(Level.TRACE, () -> "Client filter header(s). 
SIZE: " + newHeaders.size()); + + ClientRequestHeaders clientHeaders = request.headers(); + for (Map.Entry> entry : newHeaders.entrySet()) { + LOGGER.log(Level.TRACE, () -> " + Header: " + entry.getKey() + ": " + entry.getValue()); + + //replace existing + Http.HeaderName headerName = Http.Header.create(entry.getKey()); + clientHeaders.set(headerName, entry.getValue().toArray(new String[0])); + } + span.end(); + return chain.proceed(request); + } catch (Exception e) { + traceError(span, e, null); + throw e; + } + } + + private SecurityContext createContext(WebClientServiceRequest request) { + SecurityContext.Builder builder = security.contextBuilder(UUID.randomUUID().toString()) + .endpointConfig(EndpointConfig.builder() + .build()) + .env(SecurityEnvironment.builder() + .path(request.uri().path()) + .build()); + request.context().get(Tracer.class).ifPresent(builder::tracingTracer); + request.context().get(SpanContext.class).ifPresent(builder::tracingSpan); + return builder.build(); + } + + static void traceError(Span span, Throwable throwable, String description) { + // failed + span.status(Span.Status.ERROR); + + if (throwable == null) { + span.addEvent("error", Map.of("message", description, + "error.kind", "SecurityException")); + span.end(); + } else { + span.end(throwable); + } + } +} diff --git a/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurityProvider.java b/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurityProvider.java new file mode 100644 index 00000000000..ee7fc8f40dc --- /dev/null +++ b/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurityProvider.java 
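Review bot: In processResponse a FAILURE/FAILURE_FINISH status from the outbound provider is only traced: `traceError` already ends the span, the switch then breaks, the headers are applied, `span.end()` is called a second time and `chain.proceed(request)` sends the request anyway, so a failed security provider fails open. If proceeding without propagated credentials is the intended best-effort behaviour, say so next to the `break` (`// provider failure is not fatal: request proceeds without propagated credentials`) and return before the second `span.end()`; otherwise stop the request after the trace, e.g. `throw new SecurityException(providerResponse.description().orElse("outbound security failed"));`. Separately, in handle the `clientBuilder.submit()` call sits outside the try/catch, so an exception thrown by the provider leaves the `security:outbound` span open and untraced; moving the call inside the try (or wrapping it with the same `traceError(span, e, null)` handling) would close it consistently.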
@@ -0,0 +1,49 @@ +/* + * Copyright (c) 2023 Oracle and/or its affiliates. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package io.helidon.nima.webclient.security; + +import io.helidon.common.config.Config; +import io.helidon.nima.webclient.spi.WebClientService; +import io.helidon.nima.webclient.spi.WebClientServiceProvider; + +/** + * Client security SPI provider. + * + * @deprecated This class should only be used via {@link java.util.ServiceLoader}. + * Use {@link io.helidon.nima.webclient.security.WebClientSecurity} instead + */ +@Deprecated +public class WebClientSecurityProvider implements WebClientServiceProvider { + + /** + * Required public constructor. + * + * @deprecated This class should only be used via {@link java.util.ServiceLoader}. + */ + @Deprecated + public WebClientSecurityProvider() { + } + + @Override + public String configKey() { + return "security"; + } + + @Override + public WebClientService create(Config config) { + return WebClientSecurity.create(); + } +} diff --git a/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/package-info.java b/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/package-info.java new file mode 100644 index 00000000000..4b82b2bbe2d --- /dev/null +++ b/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/package-info.java 
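Review bot: `create(Config config)` ignores its `config` argument and always delegates to `WebClientSecurity.create()`, which resolves `Security` from the current or global context, so a `security` node on the client configuration enables the service but cannot configure it. Worth stating in the method's Javadoc so users do not expect per-client settings here, e.g. `/** Creates the service; {@code config} is currently unused, the {@link io.helidon.security.Security} instance is looked up from the context. */`.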
@@ -0,0 +1,20 @@ +/* + * Copyright (c) 2023 Oracle and/or its affiliates. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Security propagation service. + */ +package io.helidon.nima.webclient.security; diff --git a/nima/webclient/security/src/main/java/module-info.java b/nima/webclient/security/src/main/java/module-info.java new file mode 100644 index 00000000000..3713bf1c187 --- /dev/null +++ b/nima/webclient/security/src/main/java/module-info.java 
@@ -0,0 +1,30 @@ +/* + * Copyright (c) 2023 Oracle and/or its affiliates. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Helidon WebClient Security. + */ +module helidon.nima.webclient.security { + + requires io.helidon.nima.webclient; + requires io.helidon.security; + requires io.helidon.security.providers.common; + + exports io.helidon.nima.webclient.security; + + provides io.helidon.nima.webclient.spi.WebClientServiceProvider + with io.helidon.nima.webclient.security.WebClientSecurityProvider; +} \ No newline at end of file diff --git a/nima/webclient/webclient/src/main/java/io/helidon/nima/webclient/http1/ClientRequestImpl.java b/nima/webclient/webclient/src/main/java/io/helidon/nima/webclient/http1/ClientRequestImpl.java index 3bf48ce7829..138b5a55be0 100644 --- a/nima/webclient/webclient/src/main/java/io/helidon/nima/webclient/http1/ClientRequestImpl.java +++ b/nima/webclient/webclient/src/main/java/io/helidon/nima/webclient/http1/ClientRequestImpl.java @@ -74,7 +74,7 @@ class ClientRequestImpl implements Http1ClientRequest { Map properties) { this.method = method; this.uri = helper; - this.properties = properties; + this.properties = new HashMap<>(properties); this.clientConfig = clientConfig; this.mediaContext = clientConfig.mediaContext(); From 58c95d210221b0fa54257fa113a0277961b920d8 Mon Sep 17 00:00:00 2001 
From: David Kral Date: Tue, 27 Jun 2023 14:09:10 +0200 Subject: [PATCH 2/4] minor adjustment --- .../io/helidon/nima/webclient/security/WebClientSecurity.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurity.java b/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurity.java index af4dfae3caf..0b064e11ab5 100644 --- a/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurity.java +++ b/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurity.java @@ -123,7 +123,7 @@ public WebClientServiceResponse handle(Chain chain, WebClientServiceRequest requ outboundEnv.method(request.method().text()) .path(request.uri().path()) - .targetUri(URI.create(request.uri().scheme() + "://" + request.uri().authority())) + .targetUri(URI.create(request.uri().toString())) .queryParams(request.query()); request.headers() From 9077d317b71250c3b9d90a247b44a75f982e7c18 Mon Sep 17 00:00:00 2001 From: David Kral Date: Tue, 27 Jun 2023 17:54:35 +0200 Subject: [PATCH 3/4] review comments --- nima/webclient/security/pom.xml | 7 ++++++- .../nima/webclient/security/WebClientSecurity.java | 10 +++++++--- nima/webclient/security/src/main/java/module-info.java | 2 +- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/nima/webclient/security/pom.xml b/nima/webclient/security/pom.xml index 34f5821a93d..21b59842873 100644 --- a/nima/webclient/security/pom.xml +++ b/nima/webclient/security/pom.xml @@ -16,12 +16,13 @@ --> + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 io.helidon.nima.webclient helidon-nima-webclient-project 4.0.0-SNAPSHOT + ../pom.xml helidon-nima-webclient-security 
@@ -32,6 +33,10 @@ io.helidon.nima.webclient helidon-nima-webclient + + io.helidon.security + helidon-security + io.helidon.security.providers helidon-security-providers-common diff --git a/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurity.java b/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurity.java index 0b064e11ab5..9da8891319b 100644 --- a/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurity.java +++ b/nima/webclient/security/src/main/java/io/helidon/nima/webclient/security/WebClientSecurity.java @@ -94,7 +94,7 @@ public WebClientServiceResponse handle(Chain chain, WebClientServiceRequest requ SecurityContext context; - if (null == security) { + if (security == null) { if (maybeContext.isEmpty()) { return chain.proceed(request); } else { @@ -175,11 +175,15 @@ private WebClientServiceResponse processResponse(WebClientServiceRequest request Map> newHeaders = providerResponse.requestHeaders(); - LOGGER.log(Level.TRACE, () -> "Client filter header(s). SIZE: " + newHeaders.size()); + if (LOGGER.isLoggable(Level.TRACE)) { + LOGGER.log(Level.TRACE, "Client filter header(s). SIZE: " + newHeaders.size()); + } ClientRequestHeaders clientHeaders = request.headers(); for (Map.Entry> entry : newHeaders.entrySet()) { - LOGGER.log(Level.TRACE, () -> " + Header: " + entry.getKey() + ": " + entry.getValue()); + if (LOGGER.isLoggable(Level.TRACE)) { + LOGGER.log(Level.TRACE, " + Header: " + entry.getKey() + ": " + entry.getValue()); + } //replace existing Http.HeaderName headerName = Http.Header.create(entry.getKey()); diff --git a/nima/webclient/security/src/main/java/module-info.java b/nima/webclient/security/src/main/java/module-info.java index 3713bf1c187..0f3d532e16a 100644 --- a/nima/webclient/security/src/main/java/module-info.java +++ b/nima/webclient/security/src/main/java/module-info.java 
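Review bot: The TRACE log inside the header loop (`" + Header: " + entry.getKey() + ": " + entry.getValue()`) prints the values of the headers the outbound security provider just produced, which are typically credentials (bearer tokens, basic-auth, request signatures); the new `isLoggable` guard only avoids the concatenation cost, it does not keep the secret out of the log. Log the header name only, `LOGGER.log(Level.TRACE, " + Header: " + entry.getKey());`, or redact the value. The same value-logging statement is present in the original version of this loop introduced by the first patch of the series, and processResponse's body continues outside this hunk.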
@@ -17,7 +17,7 @@ /** * Helidon WebClient Security. */ -module helidon.nima.webclient.security { +module io.helidon.nima.webclient.security { requires io.helidon.nima.webclient; requires io.helidon.security; From 5cc7b71446e2b219cdbce882e084dacba8069bed Mon Sep 17 00:00:00 2001 From: David Kral Date: Wed, 28 Jun 2023 09:29:46 +0200 Subject: [PATCH 4/4] Feature added --- nima/webclient/security/pom.xml | 30 +++++++++++++++++++ .../security/src/main/java/module-info.java | 9 ++++++ nima/webclient/tracing/pom.xml | 9 +++++- .../tracing/src/main/java/module-info.java | 15 +++++++++- 4 files changed, 61 insertions(+), 2 deletions(-) diff --git a/nima/webclient/security/pom.xml b/nima/webclient/security/pom.xml index 21b59842873..d87c4220a5e 100644 --- a/nima/webclient/security/pom.xml +++ b/nima/webclient/security/pom.xml @@ -41,6 +41,36 @@ io.helidon.security.providers helidon-security-providers-common + + io.helidon.common.features + helidon-common-features-api + true + + + + + org.apache.maven.plugins + maven-compiler-plugin + + + + io.helidon.common.features + helidon-common-features-processor + ${helidon.version} + + + + + + io.helidon.common.features + helidon-common-features-api + ${helidon.version} + + + + + + diff --git a/nima/webclient/security/src/main/java/module-info.java b/nima/webclient/security/src/main/java/module-info.java index 0f3d532e16a..24731d6ce6d 100644 --- a/nima/webclient/security/src/main/java/module-info.java +++ b/nima/webclient/security/src/main/java/module-info.java 
@@ -14,10 +14,19 @@ * limitations under the License. */ +import io.helidon.common.features.api.Feature; +import io.helidon.common.features.api.HelidonFlavor; + /** * Helidon WebClient Security. */ +@Feature(value = "Security", + description = "Web client support for security", + in = HelidonFlavor.SE, + path = {"WebClient", "Security"} +) module io.helidon.nima.webclient.security { + requires static io.helidon.common.features.api; requires io.helidon.nima.webclient; requires io.helidon.security; diff --git a/nima/webclient/tracing/pom.xml b/nima/webclient/tracing/pom.xml index 7dd5697bcf0..fdfb196b5e3 100644 --- a/nima/webclient/tracing/pom.xml +++ b/nima/webclient/tracing/pom.xml @@ -22,6 +22,7 @@ io.helidon.nima.webclient helidon-nima-webclient-project 4.0.0-SNAPSHOT + ../pom.xml helidon-nima-webclient-tracing @@ -39,7 +40,6 @@ io.helidon.common.features helidon-common-features-api - provided true @@ -78,6 +78,13 @@ + + + io.helidon.common.features + helidon-common-features-api + ${helidon.version} + + diff --git a/nima/webclient/tracing/src/main/java/module-info.java b/nima/webclient/tracing/src/main/java/module-info.java index 23c9f8312b8..42c0902cc78 100644 --- a/nima/webclient/tracing/src/main/java/module-info.java +++ b/nima/webclient/tracing/src/main/java/module-info.java 
@@ -14,12 +14,25 @@ * limitations under the License. */ +import io.helidon.common.features.api.Feature; +import io.helidon.common.features.api.HelidonFlavor; + +/** + * Helidon WebClient Tracing. + */ +@Feature(value = "Tracing", + description = "Web client support for tracing", + in = HelidonFlavor.SE, + path = {"WebClient", "Tracing"} +) module io.helidon.nima.webclient.tracing { - exports io.helidon.nima.webclient.tracing; + requires static io.helidon.common.features.api; requires io.helidon.nima.webclient; requires io.helidon.tracing; + exports io.helidon.nima.webclient.tracing; + provides io.helidon.nima.webclient.spi.WebClientServiceProvider with io.helidon.nima.webclient.tracing.WebClientTracingProvider; } \ No newline at end of file