Changed signature of CredentialsSupplier, added more responsibility to ServiceTokenCredentialsSupplier

artem-v · artem-v · commit 89c209fa1f00 · 2025-04-07T22:56:10.000+03:00
diff --git a/services-api/src/main/java/io/scalecube/services/auth/CredentialsSupplier.java b/services-api/src/main/java/io/scalecube/services/auth/CredentialsSupplier.java
@@ -1,5 +1,6 @@
 package io.scalecube.services.auth;
 
+import java.util.List;
 import reactor.core.publisher.Mono;
 
 /**
@@ -12,8 +13,9 @@ public interface CredentialsSupplier {
   /**
    * Obtains credentials for the given service role.
    *
-   * @param serviceRole serviceRole
+   * @param serviceName logical service name
+   * @param serviceRoles allowed roles on the service (optional)
    * @return credentials
    */
-  Mono<byte[]> credentials(String serviceRole);
+  Mono<byte[]> credentials(String serviceName, List<String> serviceRoles);
 }
diff --git a/services-gateway/src/test/java/io/scalecube/services/gateway/files/FileDownloadTest.java b/services-gateway/src/test/java/io/scalecube/services/gateway/files/FileDownloadTest.java
@@ -8,6 +8,7 @@
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyList;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
@@ -58,7 +59,7 @@ public class FileDownloadTest {
   @BeforeAll
   static void beforeAll() {
     credentialsSupplier = mock(CredentialsSupplier.class);
-    when(credentialsSupplier.credentials(any(String.class))).thenReturn(Mono.never());
+    when(credentialsSupplier.credentials(any(String.class), anyList())).thenReturn(Mono.never());
 
     gateway =
         Microservices.start(
diff --git a/services-security/src/main/java/io/scalecube/services/security/ServiceTokenCredentialsSupplier.java b/services-security/src/main/java/io/scalecube/services/security/ServiceTokenCredentialsSupplier.java
@@ -2,7 +2,10 @@
 
 import io.scalecube.security.vault.VaultServiceTokenSupplier;
 import io.scalecube.services.auth.CredentialsSupplier;
+import io.scalecube.services.exceptions.ForbiddenException;
+import java.util.Collection;
 import java.util.Collections;
+import java.util.List;
 import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
 import java.util.function.Supplier;
@@ -13,37 +16,58 @@ public class ServiceTokenCredentialsSupplier implements CredentialsSupplier {
   private final String environment;
   private final String vaultAddress;
   private final Supplier<CompletableFuture<String>> vaultTokenSupplier;
+  private final Collection<String> allowedRoles;
 
   /**
    * Constructor.
    *
    * @param environment logical environment name
    * @param vaultAddress vaultAddress
    * @param vaultTokenSupplier vaultTokenSupplier
+   * @param allowedRoles allowedRoles (optional)
    */
   public ServiceTokenCredentialsSupplier(
       String environment,
       String vaultAddress,
-      Supplier<CompletableFuture<String>> vaultTokenSupplier) {
+      Supplier<CompletableFuture<String>> vaultTokenSupplier,
+      Collection<String> allowedRoles) {
     this.environment = Objects.requireNonNull(environment, "environment");
     this.vaultAddress = Objects.requireNonNull(vaultAddress, "vaultAddress");
     this.vaultTokenSupplier = Objects.requireNonNull(vaultTokenSupplier, "vaultTokenSupplier");
+    this.allowedRoles = allowedRoles;
   }
 
   @Override
-  public Mono<byte[]> credentials(String serviceRole) {
+  public Mono<byte[]> credentials(String serviceName, List<String> serviceRoles) {
     return Mono.defer(
         () -> {
-          if (serviceRole == null) {
+          if (serviceRoles == null || serviceRoles.isEmpty()) {
             return Mono.just(new byte[0]);
           }
 
+          String serviceRole = null;
+
+          if (allowedRoles == null || allowedRoles.isEmpty()) {
+            serviceRole = serviceRoles.get(0);
+          } else {
+            for (var allowedRole : allowedRoles) {
+              if (serviceRoles.contains(allowedRole)) {
+                serviceRole = allowedRole;
+              }
+            }
+          }
+
+          if (serviceRole == null) {
+            throw new ForbiddenException("Insufficient permissions");
+          }
+
           return Mono.fromFuture(
                   VaultServiceTokenSupplier.builder()
                       .vaultAddress(vaultAddress)
                       .serviceRole(serviceRole)
                       .vaultTokenSupplier(vaultTokenSupplier)
-                      .serviceTokenNameBuilder((role, tags) -> environment + "." + role)
+                      .serviceTokenNameBuilder(
+                          (role, tags) -> String.join(".", environment, serviceName, role))
                       .build()
                       .getToken(Collections.emptyMap()))
               .map(String::getBytes);
diff --git a/services-security/src/test/java/io/scalecube/services/security/ServiceTokenTests.java b/services-security/src/test/java/io/scalecube/services/security/ServiceTokenTests.java
@@ -34,7 +34,7 @@ void shouldAuthenticateSuccessfully(SuccessArgs args, VaultEnvironment vaultEnvi
         () -> CompletableFuture.completedFuture(vaultEnvironment.login());
 
     final var credentialsSupplier =
-        new ServiceTokenCredentialsSupplier(args.environment, vaultAddr, vaultTokenSupplier);
+        new ServiceTokenCredentialsSupplier(args.environment, vaultAddr, vaultTokenSupplier, null);
 
     final var authenticator =
         new ServiceTokenAuthenticator(
@@ -49,7 +49,7 @@ void shouldAuthenticateSuccessfully(SuccessArgs args, VaultEnvironment vaultEnvi
     // Get service token
 
     final var credentials =
-        credentialsSupplier.credentials(args.service + "." + args.serviceRole).block();
+        credentialsSupplier.credentials(args.service, List.of(args.serviceRole)).block();
 
     // Authenticate
 
diff --git a/services-transport-parent/services-transport-rsocket/src/main/java/io/scalecube/services/transport/rsocket/RSocketClientTransport.java b/services-transport-parent/services-transport-rsocket/src/main/java/io/scalecube/services/transport/rsocket/RSocketClientTransport.java
@@ -66,10 +66,10 @@ public ClientChannel create(ServiceReference serviceReference) {
     final var mono =
         monoMap.computeIfAbsent(
             new Destination(address, serviceRole),
-            key ->
-                connect(key, serviceReference, monoMap)
+            destination ->
+                connect(destination, serviceReference, monoMap)
                     .cacheInvalidateIf(RSocket::isDisposed)
-                    .doOnError(ex -> monoMap.remove(key)));
+                    .doOnError(ex -> monoMap.remove(destination)));
 
     return new RSocketClientChannel(mono, new ServiceMessageCodec(headersCodec, dataCodecs));
   }
@@ -99,7 +99,7 @@ private Mono<RSocket> connect(
       ServiceReference serviceReference,
       Map<Destination, Mono<RSocket>> monoMap) {
     return RSocketConnector.create()
-        .setupPayload(Mono.defer(() -> getCredentials(serviceReference, destination.role())))
+        .setupPayload(Mono.defer(() -> getCredentials(serviceReference)))
         .connect(() -> clientTransportFactory.clientTransport(destination.address()))
         .doOnSuccess(
             rsocket -> {
@@ -122,13 +122,13 @@ private Mono<RSocket> connect(
             ex -> LOGGER.warn("Failed to connect ({}), cause: {}", destination, ex.toString()));
   }
 
-  private Mono<Payload> getCredentials(ServiceReference serviceReference, String serviceRole) {
-    if (credentialsSupplier == null || !serviceReference.isSecured() || serviceRole == null) {
+  private Mono<Payload> getCredentials(ServiceReference serviceReference) {
+    if (credentialsSupplier == null || !serviceReference.isSecured()) {
       return Mono.just(EmptyPayload.INSTANCE);
     }
 
     return credentialsSupplier
-        .credentials(serviceReference.endpointName() + "." + serviceRole)
+        .credentials(serviceReference.endpointName(), serviceReference.allowedRoles())
         .map(data -> data.length != 0 ? DefaultPayload.create(data) : EmptyPayload.INSTANCE)
         .onErrorMap(
             th -> {
diff --git a/services/src/test/java/io/scalecube/services/AuthTest.java b/services/src/test/java/io/scalecube/services/AuthTest.java
@@ -104,9 +104,9 @@ class SecuredTests {
     void authenticateSuccessfully(String test, SuccessArgs args) {
       serviceCall =
           serviceCall(
-              serviceRole -> credentials(args.tokenSupplier.apply(stripService(serviceRole))),
-              args.serviceRole,
-              args.allowedRoles);
+              (serviceName, roles) ->
+                  credentials(args.tokenSupplier.apply(stripService(args.serviceRole))),
+              args.serviceRole);
 
       StepVerifier.create(serviceCall.api(SecuredService.class).invokeWithRoleOrPermissions())
           .verifyComplete();
@@ -138,9 +138,9 @@ private static Stream<Arguments> authenticateSuccessfullyMethodSource() {
     void failedAuthentication(String test, FailedArgs args) {
       serviceCall =
           serviceCall(
-              serviceRole -> credentials(args.tokenSupplier.apply(stripService(serviceRole))),
-              args.serviceRole,
-              args.allowedRoles);
+              (serviceName, roles) ->
+                  credentials(args.tokenSupplier.apply(stripService(args.serviceRole))),
+              args.serviceRole);
 
       StepVerifier.create(serviceCall.api(SecuredService.class).invokeWithRoleOrPermissions())
           .verifyErrorSatisfies(
@@ -206,7 +206,7 @@ void authenticateSuccessfully() {
       credentials.put("user", "alice");
       credentials.put("permissions", "helloComposite");
 
-      serviceCall = serviceCall((r) -> credentials(tokenCredentials), role, null);
+      serviceCall = serviceCall((serviceName, roles) -> credentials(tokenCredentials), role);
 
       StepVerifier.create(
               serviceCall
@@ -222,7 +222,7 @@ void failedAuthentication(String test, FailedArgs args) {
       final var role = "invoker";
       final var tokenCredentials = new TokenCredentials(VALID_TOKEN, role, null);
 
-      serviceCall = serviceCall((r) -> credentials(tokenCredentials), role, null);
+      serviceCall = serviceCall((serviceName, roles) -> credentials(tokenCredentials), role);
 
       StepVerifier.create(
               serviceCall
@@ -268,7 +268,7 @@ void authenticateSuccessfully() {
       final var tokenCredentials =
           new TokenCredentials(VALID_TOKEN, role, List.of("read", "write", "delete", "*"));
 
-      serviceCall = serviceCall((r) -> credentials(tokenCredentials), role, null);
+      serviceCall = serviceCall((serviceName, roles) -> credentials(tokenCredentials), role);
 
       StepVerifier.create(serviceCall.api(SecuredService.class).readWithAllowedRoleAnnotation())
           .verifyComplete();
@@ -329,8 +329,7 @@ private static Mono<Principal> mapPrincipal(RequestContext requestContext) {
             });
   }
 
-  private ServiceCall serviceCall(
-      CredentialsSupplier credentialsSupplier, String serviceRole, List<String> allowedRoles) {
+  private ServiceCall serviceCall(CredentialsSupplier credentialsSupplier, String serviceRole) {
     //noinspection resource
     return new ServiceCall()
         .transport(
@@ -339,7 +338,7 @@ private ServiceCall serviceCall(
                 DataCodec.getAllInstances(),
                 RSocketClientTransportFactory.websocket().apply(LOOP_RESOURCE),
                 credentialsSupplier,
-                allowedRoles))
+                serviceRole != null ? List.of(serviceRole) : null))
         .router(
             StaticAddressRouter.forService(service.serviceAddress(), "app-service")
                 .secured(credentialsSupplier != null)
