Added RequestContext.deferSecured()

artem-v · artem-v · commit b11f82c6ed4a · 2025-03-08T22:03:04.000+02:00
diff --git a/services-api/src/main/java/io/scalecube/services/RequestContext.java b/services-api/src/main/java/io/scalecube/services/RequestContext.java
@@ -5,6 +5,8 @@
 import static io.scalecube.services.auth.Principal.NULL_PRINCIPAL;
 
 import io.scalecube.services.auth.Principal;
+import io.scalecube.services.exceptions.ForbiddenException;
+import io.scalecube.services.methods.MethodInfo;
 import java.math.BigDecimal;
 import java.math.BigInteger;
 import java.util.Map;
@@ -116,6 +118,14 @@ public boolean hasPrincipal() {
     return principal != null && principal != NULL_PRINCIPAL;
   }
 
+  public MethodInfo methodInfo() {
+    return getOrDefault("methodInfo", null);
+  }
+
+  public RequestContext methodInfo(MethodInfo methodInfo) {
+    return put("methodInfo", methodInfo);
+  }
+
   public Map<String, String> pathVars() {
     return get("pathVars");
   }
@@ -163,6 +173,28 @@ public static Mono<RequestContext> deferContextual() {
     return Mono.deferContextual(context -> Mono.just(context.get(RequestContext.class)));
   }
 
+  public static Mono<RequestContext> deferSecured() {
+    return Mono.deferContextual(context -> Mono.just(context.get(RequestContext.class)))
+        .doOnNext(
+            context -> {
+              if (!context.hasPrincipal()) {
+                throw new ForbiddenException("Insufficient permissions");
+              }
+
+              final var principal = context.principal();
+              final var methodInfo = context.methodInfo();
+
+              if (!methodInfo.allowedRoles().contains(principal.role())) {
+                throw new ForbiddenException("Insufficient permissions");
+              }
+              for (var allowedPermission : methodInfo.allowedPermissions()) {
+                if (!principal.hasPermission(allowedPermission)) {
+                  throw new ForbiddenException("Insufficient permissions");
+                }
+              }
+            });
+  }
+
   @Override
   public String toString() {
     return new StringJoiner(", ", RequestContext.class.getSimpleName() + "[", "]")
diff --git a/services-api/src/main/java/io/scalecube/services/methods/ServiceMethodInvoker.java b/services-api/src/main/java/io/scalecube/services/methods/ServiceMethodInvoker.java
@@ -189,7 +189,11 @@ private Context enhanceRequestContext(
       pathVars = dynamicQualifier.matchQualifier(context.requestQualifier());
     }
 
-    return new RequestContext(context).request(request).principal(principal).pathVars(pathVars);
+    return new RequestContext(context)
+        .request(request)
+        .principal(principal)
+        .pathVars(pathVars)
+        .methodInfo(methodInfo);
   }
 
   private Object toRequest(ServiceMessage message) {
diff --git a/services-api/src/test/java/io/scalecube/services/methods/ServiceMethodInvokerTest.java b/services-api/src/test/java/io/scalecube/services/methods/ServiceMethodInvokerTest.java
@@ -1,11 +1,13 @@
 package io.scalecube.services.methods;
 
 import static io.scalecube.services.auth.Principal.NULL_PRINCIPAL;
+import static io.scalecube.services.methods.StubService.NAMESPACE;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
+import io.scalecube.services.CommunicationMode;
 import io.scalecube.services.Reflect;
 import io.scalecube.services.RequestContext;
 import io.scalecube.services.api.ErrorData;
@@ -17,6 +19,7 @@
 import io.scalecube.services.transport.api.ServiceMessageDataDecoder;
 import java.lang.reflect.Method;
 import java.util.List;
+import java.util.Set;
 import java.util.function.Consumer;
 import java.util.stream.Stream;
 import org.junit.jupiter.api.DisplayName;
@@ -27,6 +30,7 @@
 import org.mockito.ArgumentMatchers;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
+import reactor.core.scheduler.Schedulers;
 import reactor.test.StepVerifier;
 import reactor.util.context.Context;
 
@@ -286,6 +290,88 @@ static Stream<Principal> testAuthFailedWithRoleOrPermissionsMethodSource() {
     }
   }
 
+  @Nested
+  class ServiceRoleTests {
+
+    @Test
+    @DisplayName("Invocation of service method with @AllowedRole annotation")
+    void invokeWithAllowedRoleAnnotation() throws Exception {
+      final var methodName = "invokeWithAllowedRoleAnnotation";
+      final var method = StubService.class.getMethod(methodName);
+      final var methodInfo =
+          new MethodInfo(
+              NAMESPACE,
+              methodName,
+              Void.TYPE,
+              false,
+              CommunicationMode.REQUEST_RESPONSE,
+              0,
+              Void.TYPE,
+              false,
+              true,
+              Schedulers.immediate(),
+              null,
+              List.of(new ServiceRoleDefinition("admin", Set.of("read", "write"))));
+
+      final var message = serviceMessage(methodName);
+      final var principal = new PrincipalImpl("admin", List.of("read", "write"));
+
+      final var authenticator = mock(Authenticator.class);
+      when(authenticator.authenticate(ArgumentMatchers.any())).thenReturn(Mono.just(principal));
+
+      serviceMethodInvoker = serviceMethodInvoker(method, methodInfo, authenticator);
+
+      StepVerifier.create(
+              serviceMethodInvoker
+                  .invokeOne(message)
+                  .contextWrite(requestContext(message, principal)))
+          .verifyComplete();
+    }
+
+    @ParameterizedTest
+    @MethodSource("invokeWithAllowedRoleAnnotationFailedMethodSource")
+    @DisplayName("Failed to invoke of service method with @AllowedRole annotation")
+    void invokeWithAllowedRoleAnnotationFailed(Principal principal) throws Exception {
+      final var methodName = "invokeWithAllowedRoleAnnotation";
+      final var method = StubService.class.getMethod(methodName);
+      final var methodInfo =
+          new MethodInfo(
+              NAMESPACE,
+              methodName,
+              Void.TYPE,
+              false,
+              CommunicationMode.REQUEST_RESPONSE,
+              0,
+              Void.TYPE,
+              false,
+              true,
+              Schedulers.immediate(),
+              null,
+              List.of(new ServiceRoleDefinition("admin", Set.of("read", "write"))));
+
+      final var message = serviceMessage(methodName);
+
+      final var authenticator = mock(Authenticator.class);
+      when(authenticator.authenticate(ArgumentMatchers.any())).thenReturn(Mono.just(principal));
+
+      serviceMethodInvoker = serviceMethodInvoker(method, methodInfo, authenticator);
+
+      StepVerifier.create(
+              serviceMethodInvoker
+                  .invokeOne(message)
+                  .contextWrite(requestContext(message, principal)))
+          .assertNext(assertError(403, "Insufficient permissions"))
+          .verifyComplete();
+    }
+
+    static Stream<Principal> invokeWithAllowedRoleAnnotationFailedMethodSource() {
+      return Stream.of(
+          NULL_PRINCIPAL,
+          new PrincipalImpl("invalid-role", null),
+          new PrincipalImpl("admin", List.of("invalid-permission")));
+    }
+  }
+
   private static Context requestContext(ServiceMessage message, Principal principal) {
     return new RequestContext().headers(message.headers()).principal(principal);
   }
@@ -303,9 +389,7 @@ private ServiceMethodInvoker serviceMethodInvoker(
   }
 
   private static ServiceMessage serviceMessage(String action) {
-    return ServiceMessage.builder()
-        .qualifier(Qualifier.asString(StubService.NAMESPACE, action))
-        .build();
+    return ServiceMessage.builder().qualifier(Qualifier.asString(NAMESPACE, action)).build();
   }
 
   private static Consumer<ServiceMessage> assertError(int errorCode, String errorMessage) {
diff --git a/services-api/src/test/java/io/scalecube/services/methods/StubService.java b/services-api/src/test/java/io/scalecube/services/methods/StubService.java
@@ -45,4 +45,10 @@ public interface StubService {
   @Secured
   @ServiceMethod
   Mono<Void> invokeWithRoleOrPermissions();
+
+  // Services secured by annotations in method body
+
+  @Secured
+  @ServiceMethod
+  Mono<Void> invokeWithAllowedRoleAnnotation();
 }
diff --git a/services-api/src/test/java/io/scalecube/services/methods/StubServiceImpl.java b/services-api/src/test/java/io/scalecube/services/methods/StubServiceImpl.java
@@ -4,6 +4,7 @@
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import io.scalecube.services.RequestContext;
+import io.scalecube.services.auth.AllowedRole;
 import io.scalecube.services.exceptions.ForbiddenException;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
@@ -96,4 +97,14 @@ public Mono<Void> invokeWithRoleOrPermissions() {
             })
         .then();
   }
+
+  // Services secured by annotations in method body
+
+  @AllowedRole(
+      name = "admin",
+      permissions = {"read", "write"})
+  @Override
+  public Mono<Void> invokeWithAllowedRoleAnnotation() {
+    return RequestContext.deferSecured().then();
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,11 @@ private Context enhanceRequestContext(`
`189`	`189`	`pathVars = dynamicQualifier.matchQualifier(context.requestQualifier());`
`190`	`190`	`}`
`191`	`191`
`192`		`- return new RequestContext(context).request(request).principal(principal).pathVars(pathVars);`
	`192`	`+ return new RequestContext(context)`
	`193`	`+ .request(request)`
	`194`	`+ .principal(principal)`
	`195`	`+ .pathVars(pathVars)`
	`196`	`+ .methodInfo(methodInfo);`
`193`	`197`	`}`
`194`	`198`
`195`	`199`	`private Object toRequest(ServiceMessage message) {`