scalecube
diff --git a/‎services-api/src/main/java/io/scalecube/services/Reflect.java
Lines changed: 19 additions & 30 deletions b/‎services-api/src/main/java/io/scalecube/services/Reflect.java
Lines changed: 19 additions & 30 deletions
diff --git a/‎services-api/src/main/java/io/scalecube/services/RequestContext.java
Lines changed: 16 additions & 10 deletions b/‎services-api/src/main/java/io/scalecube/services/RequestContext.java
Lines changed: 16 additions & 10 deletions
diff --git a/‎services-api/src/main/java/io/scalecube/services/ServiceCall.java
Lines changed: 27 additions & 1 deletion b/‎services-api/src/main/java/io/scalecube/services/ServiceCall.java
Lines changed: 27 additions & 1 deletion
diff --git a/‎services-api/src/main/java/io/scalecube/services/auth/Secured.java
Lines changed: 10 additions & 1 deletion b/‎services-api/src/main/java/io/scalecube/services/auth/Secured.java
Lines changed: 10 additions & 1 deletion
diff --git a/‎services-api/src/main/java/io/scalecube/services/methods/MethodInfo.java
Lines changed: 8 additions & 14 deletions b/‎services-api/src/main/java/io/scalecube/services/methods/MethodInfo.java
Lines changed: 8 additions & 14 deletions
diff --git a/‎services-api/src/main/java/io/scalecube/services/methods/ServiceMethodInvoker.java
Lines changed: 18 additions & 3 deletions b/‎services-api/src/main/java/io/scalecube/services/methods/ServiceMethodInvoker.java
Lines changed: 18 additions & 3 deletions
diff --git a/‎services-api/src/test/java/io/scalecube/services/methods/PrincipalImpl.java
Lines changed: 9 additions & 0 deletions b/‎services-api/src/test/java/io/scalecube/services/methods/PrincipalImpl.java
Lines changed: 9 additions & 0 deletions
@@ -15,7 +15,6 @@
 import io.scalecube.services.auth.AllowedRole;
 import io.scalecube.services.auth.AllowedRoles;
 import io.scalecube.services.auth.Secured;
-import io.scalecube.services.methods.MethodInfo;
 import io.scalecube.services.methods.ServiceRoleDefinition;
 import java.lang.reflect.Method;
 import java.lang.reflect.ParameterizedType;
@@ -155,28 +154,6 @@ public static Type parameterizedType(Object object) {
     return Object.class;
   }
 
-  /**
-   * Parse given service interface and method, and return {@link MethodInfo} as result.
-   *
-   * @param serviceInterface serviceInterface
-   * @return {@link MethodInfo} instance
-   */
-  public static MethodInfo methodInfo(Class<?> serviceInterface, Method method) {
-    return new MethodInfo(
-        serviceName(serviceInterface),
-        methodName(method),
-        parameterizedReturnType(method),
-        isReturnTypeServiceMessage(method),
-        communicationMode(method),
-        method.getParameterCount(),
-        requestType(method),
-        isRequestTypeServiceMessage(method),
-        isSecured(method),
-        Schedulers.immediate(),
-        restMethod(method),
-        Collections.emptyList());
-  }
-
   /**
    * Returns the parameterized of the request type of a given object.
    *
@@ -384,15 +361,27 @@ public static boolean isService(Class<?> type) {
   }
 
   /**
-   * Checks whether given method is considered secured, i.e does it have annotation {@link Secured},
-   * or, if not, then does declaring class contains annotation {@link Secured}.
+   * Retrives {@link Secured} annotation. Annotation is expected to be declared on service method,
+   * or on the service class. If declared on both - service method declaration takes precedence.
    *
-   * @param method method
-   * @return result
+   * @param method service method
+   * @return {@link Secured} annotation, or null
    */
-  public static boolean isSecured(Method method) {
-    return method.isAnnotationPresent(Secured.class)
-        || method.getDeclaringClass().isAnnotationPresent(Secured.class);
+  public static Secured secured(Method method) {
+    Secured secured = method.getAnnotation(Secured.class);
+
+    // If @Secured annotation is not present on service method, then find it on service class
+
+    if (secured == null) {
+      for (var clazz = method.getDeclaringClass(); clazz != null; clazz = clazz.getSuperclass()) {
+        if (clazz.isAnnotationPresent(Secured.class)) {
+          secured = clazz.getAnnotation(Secured.class);
+          break;
+        }
+      }
+    }
+
+    return secured;
   }
 
   /**
 
@@ -319,7 +319,10 @@ public static Mono<RequestContext> deferSecured() {
               final var principal = context.principal();
               final var methodInfo = context.methodInfo();
 
-              if (!methodInfo.allowedRoles().contains(principal.role())) {
+              final var allowedRoles = methodInfo.allowedRoles();
+              if (allowedRoles != null
+                  && !allowedRoles.isEmpty()
+                  && !allowedRoles.contains(principal.role())) {
                 LOGGER.warn(
                     "Insufficient permissions for secured method ({}) -- "
                         + "principal role '{}' is not allowed (principal: {})",
@@ -329,15 +332,18 @@ public static Mono<RequestContext> deferSecured() {
                 throw new ForbiddenException("Insufficient permissions");
               }
 
-              for (var allowedPermission : methodInfo.allowedPermissions()) {
-                if (!principal.hasPermission(allowedPermission)) {
-                  LOGGER.warn(
-                      "Insufficient permissions for secured method ({}) -- "
-                          + "allowed permission '{}' is missing (principal: {})",
-                      context.methodInfo(),
-                      allowedPermission,
-                      principal);
-                  throw new ForbiddenException("Insufficient permissions");
+              final var allowedPermissions = methodInfo.allowedPermissions();
+              if (allowedPermissions != null && !allowedPermissions.isEmpty()) {
+                for (var allowedPermission : allowedPermissions) {
+                  if (!principal.hasPermission(allowedPermission)) {
+                    LOGGER.warn(
+                        "Insufficient permissions for secured method ({}) -- "
+                            + "allowed permission '{}' is missing (principal: {})",
+                        context.methodInfo(),
+                        allowedPermission,
+                        principal);
+                    throw new ForbiddenException("Insufficient permissions");
+                  }
                 }
               }
             });
 
@@ -1,5 +1,13 @@
 package io.scalecube.services;
 
+import static io.scalecube.services.Reflect.communicationMode;
+import static io.scalecube.services.Reflect.isRequestTypeServiceMessage;
+import static io.scalecube.services.Reflect.isReturnTypeServiceMessage;
+import static io.scalecube.services.Reflect.methodName;
+import static io.scalecube.services.Reflect.parameterizedReturnType;
+import static io.scalecube.services.Reflect.requestType;
+import static io.scalecube.services.Reflect.restMethod;
+import static io.scalecube.services.Reflect.serviceName;
 import static io.scalecube.services.auth.Principal.NULL_PRINCIPAL;
 
 import io.scalecube.services.api.ErrorData;
@@ -13,6 +21,7 @@
 import io.scalecube.services.routing.Router;
 import io.scalecube.services.routing.Routers;
 import io.scalecube.services.transport.api.ClientTransport;
+import java.lang.reflect.Method;
 import java.lang.reflect.Proxy;
 import java.lang.reflect.Type;
 import java.util.Collections;
@@ -27,6 +36,7 @@
 import reactor.core.Exceptions;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
+import reactor.core.scheduler.Schedulers;
 
 public class ServiceCall implements AutoCloseable {
 
@@ -380,7 +390,7 @@ public <T> T api(Class<T> serviceInterface) {
               }
 
               final var serviceCall = this;
-              final var methodInfo = Reflect.methodInfo(serviceInterface, method);
+              final var methodInfo = getMethodInfo(serviceInterface, method);
               final var returnType = methodInfo.parameterizedReturnType();
               final var isReturnTypeServiceMessage = methodInfo.isReturnTypeServiceMessage();
               final var request = methodInfo.requestType() == Void.TYPE ? null : params[0];
@@ -487,6 +497,22 @@ private ServiceMessage throwIfError(ServiceMessage message) {
     return message;
   }
 
+  private static MethodInfo getMethodInfo(Class<?> serviceInterface, Method method) {
+    return new MethodInfo(
+        serviceName(serviceInterface),
+        methodName(method),
+        parameterizedReturnType(method),
+        isReturnTypeServiceMessage(method),
+        communicationMode(method),
+        method.getParameterCount(),
+        requestType(method),
+        isRequestTypeServiceMessage(method),
+        null,
+        Schedulers.immediate(),
+        restMethod(method),
+        Collections.emptyList());
+  }
+
   @Override
   public void close() {
     if (transport != null) {
 
@@ -15,4 +15,13 @@
 @Documented
 @Target({METHOD, TYPE})
 @Retention(RUNTIME)
-public @interface Secured {}
+public @interface Secured {
+
+  /**
+   * Returns whether service method must apply standard security check behavior.
+   *
+   * @return {@code true} if service must apply standard security check behavior, {@code false}
+   *     otherwise
+   */
+  boolean deferSecured() default true;
+}
@@ -5,6 +5,7 @@
 import io.scalecube.services.CommunicationMode;
 import io.scalecube.services.api.DynamicQualifier;
 import io.scalecube.services.api.Qualifier;
+import io.scalecube.services.auth.Secured;
 import java.lang.reflect.Type;
 import java.util.Collection;
 import java.util.StringJoiner;
@@ -23,10 +24,9 @@ public class MethodInfo {
   private final int parameterCount;
   private final Class<?> requestType;
   private final boolean isRequestTypeServiceMessage;
-  private final boolean isSecured;
+  private final Secured secured;
   private final Scheduler scheduler;
   private final String restMethod;
-  private final Collection<ServiceRoleDefinition> serviceRoles;
   private final Collection<String> allowedRoles;
   private final Collection<String> allowedPermissions;
 
@@ -41,7 +41,7 @@ public class MethodInfo {
    * @param parameterCount amount of parameters
    * @param requestType the type of the request
    * @param isRequestTypeServiceMessage is request service message
-   * @param isSecured is method protected by authentication
+   * @param secured secured (optional)
    * @param scheduler scheduler (optional)
    * @param restMethod restMethod (optional)
    * @param serviceRoles serviceRoles (optional)
@@ -55,7 +55,7 @@ public MethodInfo(
       int parameterCount,
       Class<?> requestType,
       boolean isRequestTypeServiceMessage,
-      boolean isSecured,
+      Secured secured,
       Scheduler scheduler,
       String restMethod,
       Collection<ServiceRoleDefinition> serviceRoles) {
@@ -69,10 +69,9 @@ public MethodInfo(
     this.parameterCount = parameterCount;
     this.requestType = requestType;
     this.isRequestTypeServiceMessage = isRequestTypeServiceMessage;
-    this.isSecured = isSecured;
+    this.secured = secured;
     this.scheduler = scheduler;
     this.restMethod = restMethod;
-    this.serviceRoles = serviceRoles;
     this.allowedRoles =
         serviceRoles.stream().map(ServiceRoleDefinition::role).collect(Collectors.toSet());
     this.allowedPermissions =
@@ -125,8 +124,8 @@ public Class<?> requestType() {
     return requestType;
   }
 
-  public boolean isSecured() {
-    return isSecured;
+  public Secured secured() {
+    return secured;
   }
 
   public Scheduler scheduler() {
@@ -137,10 +136,6 @@ public String restMethod() {
     return restMethod;
   }
 
-  public Collection<ServiceRoleDefinition> serviceRoles() {
-    return serviceRoles;
-  }
-
   public Collection<String> allowedRoles() {
     return allowedRoles;
   }
@@ -162,10 +157,9 @@ public String toString() {
         .add("parameterCount=" + parameterCount)
         .add("requestType=" + requestType)
         .add("isRequestTypeServiceMessage=" + isRequestTypeServiceMessage)
-        .add("isSecured=" + isSecured)
+        .add("secured=" + secured)
         .add("scheduler=" + scheduler)
         .add("restMethod=" + restMethod)
-        .add("serviceRoles=" + serviceRoles)
         .add("allowedRoles=" + allowedRoles)
         .add("allowedPermissions=" + allowedPermissions)
         .toString();
 
@@ -63,7 +63,8 @@ public Mono<ServiceMessage> invokeOne(ServiceMessage message) {
               return mapPrincipal(context)
                   .flatMap(
                       principal ->
-                          Mono.defer(() -> Mono.from(invokeRequest(request)))
+                          requestContext()
+                              .then(Mono.defer(() -> Mono.from(invokeRequest(request))))
                               .contextWrite(enhanceRequestContext(context, request, principal)))
                   .doOnSuccess(
                       response -> {
@@ -104,7 +105,8 @@ public Flux<ServiceMessage> invokeMany(ServiceMessage message) {
               return mapPrincipal(context)
                   .flatMapMany(
                       principal ->
-                          Flux.defer(() -> Flux.from(invokeRequest(request)))
+                          requestContext()
+                              .thenMany(Flux.defer(() -> Flux.from(invokeRequest(request))))
                               .contextWrite(enhanceRequestContext(context, request, principal)))
                   .doOnSubscribe(
                       s -> {
@@ -153,6 +155,19 @@ public Flux<ServiceMessage> invokeBidirectional(Publisher<ServiceMessage> publis
             });
   }
 
+  private Mono<RequestContext> requestContext() {
+    final Mono<RequestContext> contextMono;
+    final var secured = methodInfo.secured();
+
+    if (secured != null && secured.deferSecured()) {
+      contextMono = RequestContext.deferSecured();
+    } else {
+      contextMono = RequestContext.deferContextual();
+    }
+
+    return contextMono;
+  }
+
   private Publisher<?> invokeRequest(Object request) {
     Publisher<?> result = null;
     Throwable throwable = null;
@@ -230,7 +245,7 @@ public PrincipalMapper principalMapper() {
   }
 
   private Mono<Principal> mapPrincipal(RequestContext context) {
-    if (!methodInfo.isSecured()) {
+    if (methodInfo.secured() == null) {
       return Mono.just(context.principal());
     }
 
 
@@ -3,6 +3,7 @@
 import io.scalecube.services.auth.Principal;
 import java.util.List;
 import java.util.Objects;
+import java.util.StringJoiner;
 
 public record PrincipalImpl(String role, List<String> permissions) implements Principal {
 
@@ -15,4 +16,12 @@ public boolean hasRole(String role) {
   public boolean hasPermission(String permission) {
     return permissions != null && permissions.contains(permission);
   }
+
+  @Override
+  public String toString() {
+    return new StringJoiner(", ", PrincipalImpl.class.getSimpleName() + "[", "]")
+        .add("role='" + role + "'")
+        .add("permissions=" + permissions)
+        .toString();
+  }
 }