Class GrpcSecurity

    • Field Detail

      • CONTEXT_ADD_HEADERS

        public static final io.grpc.Context.Key<Map> CONTEXT_ADD_HEADERS
Security can accept additional headers to be added to the security request. This key is used to obtain a multi-value string map (a map of String to List of String) from the gRPC Context, as appropriate to the integration.
      • SECURITY_CONTEXT

        public static final io.grpc.Context.Key<SecurityContext> SECURITY_CONTEXT
The gRPC Context key under which the SecurityContext of the current call is stored (note that this is an io.grpc.Context key, not a metadata header).
      • GRPC_SECURITY_HANDLER

        public static final io.grpc.Context.Key<GrpcSecurityHandler> GRPC_SECURITY_HANDLER
The gRPC Context key under which the default GrpcSecurityHandler for the current call is stored.
      • ABAC_ATTRIBUTE_REMOTE_ADDRESS

        public static final String ABAC_ATTRIBUTE_REMOTE_ADDRESS
        The value used for the key of the security context environment's ABAC request remote address attribute.
        See Also:
        Constant Field Values
      • ABAC_ATTRIBUTE_REMOTE_PORT

        public static final String ABAC_ATTRIBUTE_REMOTE_PORT
        The value used for the key of the security context environment's ABAC request remote port attribute.
        See Also:
        Constant Field Values
      • ABAC_ATTRIBUTE_HEADERS

        public static final String ABAC_ATTRIBUTE_HEADERS
        The value used for the key of the security context environment's ABAC request headers attribute.
        See Also:
        Constant Field Values
      • ABAC_ATTRIBUTE_METHOD

        public static final String ABAC_ATTRIBUTE_METHOD
        The value used for the key of the security context environment's ABAC request method descriptor attribute.
        See Also:
        Constant Field Values
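The following is an added example, not code from this page or from the Helidon project: a unary gRPC method that reads the SecurityContext stored under SECURITY_CONTEXT in the current io.grpc.Context and the ABAC attributes keyed by the ABAC_ATTRIBUTE_* constants above. The import paths follow the Helidon 2.x package layout and are assumed; the service name WhoAmIService and the method name "WhoAmI" are made up.

```java
// Added example; not code from the Helidon page or project. Reads the SecurityContext
// that GrpcSecurity (a ServerInterceptor) stores in io.grpc.Context under
// SECURITY_CONTEXT, plus the ABAC attributes it publishes. Package paths follow the
// Helidon 2.x layout and are assumed; the service and method names are made up.
import io.grpc.Status;
import io.grpc.stub.StreamObserver;
import io.helidon.grpc.server.GrpcService;
import io.helidon.grpc.server.ServiceDescriptor;
import io.helidon.security.SecurityContext;
import io.helidon.security.SecurityEnvironment;
import io.helidon.security.integration.grpc.GrpcSecurity;

public class WhoAmIService implements GrpcService {

    @Override
    public void update(ServiceDescriptor.Rules rules) {
        // "WhoAmI" takes a String and returns a String (assumed method shape).
        rules.unary("WhoAmI", this::whoAmI);
    }

    private void whoAmI(String request, StreamObserver<String> observer) {
        // Populated only if GrpcSecurity ran ahead of this handler; null means the
        // call reached the service without passing any security gate.
        SecurityContext sc = GrpcSecurity.SECURITY_CONTEXT.get();
        if (sc == null) {
            observer.onError(Status.INTERNAL
                    .withDescription("GrpcSecurity interceptor not registered for this method")
                    .asRuntimeException());
            return;
        }

        // Fail closed: under allowAnonymous() the interceptor lets an unauthenticated
        // caller through, so the service must decide what anonymous callers may see.
        if (!sc.isAuthenticated()) {
            observer.onError(Status.UNAUTHENTICATED
                    .withDescription("authentication required")
                    .asRuntimeException());
            return;
        }

        String user = sc.userPrincipal().map(p -> p.getName()).orElse("<unknown>");

        // The ABAC_ATTRIBUTE_* constants key the environment attributes the integration
        // fills in from the call: peer address and port, metadata headers, method descriptor.
        SecurityEnvironment env = sc.env();
        String peer = env.abacAttribute(GrpcSecurity.ABAC_ATTRIBUTE_REMOTE_ADDRESS)
                .map(Object::toString).orElse("?")
                + ":"
                + env.abacAttribute(GrpcSecurity.ABAC_ATTRIBUTE_REMOTE_PORT)
                .map(Object::toString).orElse("?");
        String method = env.abacAttribute(GrpcSecurity.ABAC_ATTRIBUTE_METHOD)
                .map(Object::toString).orElse("?");

        // Role check at the service layer, in addition to any rolesAllowed() gate
        // configured in routing; the privileged view requires both to agree.
        String view = sc.isUserInRole("admin") ? "admin" : "user";

        observer.onNext("user=" + user + " view=" + view + " peer=" + peer + " method=" + method);
        observer.onCompleted();
    }
}
```

The null check is the important line: SECURITY_CONTEXT is only set when the GrpcSecurity interceptor actually ran for the call, so a method that was registered without the interceptor must be treated as unprotected rather than as trusted.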
    • Method Detail

      • create

        public static GrpcSecurity create​(Security security)
Create a consumer of gRPC routing config to be registered (via GrpcRouting.Builder.register(GrpcService)) with gRPC server routing to process security requests. This method is to be used together with the other routing methods to protect a gRPC service or its individual methods programmatically. Example:
         .intercept(GrpcSecurity.authenticate().rolesAllowed("user"))
        Parameters:
        security - initialized security
        Returns:
        routing config consumer
      • create

        public static GrpcSecurity create​(Config config)
Create a consumer of gRPC routing config to be registered with gRPC server routing to process security requests. This method configures both security and the gRPC server integration from a config instance.
        Parameters:
        config - Config instance to load security and gRPC server integration from configuration
        Returns:
        routing config consumer
      • create

        public static GrpcSecurity create​(Security security,
                                          Config config)
Create a consumer of gRPC routing config to be registered with gRPC server routing to process security requests. This method expects an initialized Security instance and creates the gRPC server integration from a config instance.
        Parameters:
        security - Security instance to use
        config - Config instance to load security and gRPC server integration from configuration
        Returns:
        routing config consumer
      • secure

        public static GrpcSecurityHandler secure()
Secure access using authentication and authorization. Auditing is enabled by default for methods that modify content. When using RBAC (role based access control), use rolesAllowed(String...). If you use a security provider that requires additional data, use GrpcSecurityHandler.customObject(Object).

        Behavior:

        • Authentication: enabled and required
        • Authorization: enabled if provider configured
        • Audit: not modified
        Returns:
        GrpcSecurityHandler instance configured with authentication and authorization
      • authenticate

        public static GrpcSecurityHandler authenticate()
If called, the request will go through the authentication process. Authentication defaults to false (even when authorization is enabled), so it must be enabled explicitly.

        Behavior:

        • Authentication: enabled and required
        • Authorization: not modified (default: disabled)
        • Audit: not modified
        Returns:
        GrpcSecurityHandler instance
      • audit

        public static GrpcSecurityHandler audit()
Audit this request. Auditing defaults to false for GET and HEAD methods and to true otherwise. The request is audited with event type "request".

        Behavior:

        • Authentication: not modified (default: disabled)
        • Authorization: not modified (default: disabled)
        • Audit: enabled for any method this gate is registered on
        Returns:
        GrpcSecurityHandler instance
      • authenticator

        public static GrpcSecurityHandler authenticator​(String explicitAuthenticator)
Use a named authenticator (as supported by Security). If the named authenticator is not defined, the default authenticator is used.

        Behavior:

        • Authentication: enabled and required
        • Authorization: not modified (default: disabled)
        • Audit: not modified
        Parameters:
        explicitAuthenticator - name of authenticator as configured in Security
        Returns:
        GrpcSecurityHandler instance
      • authorizer

        public static GrpcSecurityHandler authorizer​(String explicitAuthorizer)
Use a named authorizer (as supported by Security). If the named authorizer is not defined, the default authorizer is used; if no authorizer is defined at all, all access is permitted. A method guarded only by this handler is therefore effectively unprotected unless an authorization provider is actually configured.

        Behavior:

        • Authentication: enabled and required
        • Authorization: enabled with explicit provider
        • Audit: not modified
        Parameters:
        explicitAuthorizer - name of authorizer as configured in Security
        Returns:
        GrpcSecurityHandler instance
      • rolesAllowed

        public static GrpcSecurityHandler rolesAllowed​(String... roles)
An array of allowed roles for this service or method. Requires a security provider that supports roles.

        Behavior:

        • Authentication: enabled and required
        • Authorization: enabled
        • Audit: not modified
        Parameters:
roles - if the subject is in any of these roles, access is allowed
        Returns:
        GrpcSecurityHandler instance
      • allowAnonymous

        public static GrpcSecurityHandler allowAnonymous()
If called, an authentication failure will not abort the request; processing continues with an anonymous subject (defaults to false).

        Behavior:

        • Authentication: enabled and optional
        • Authorization: not modified (default: disabled)
        • Audit: not modified
        Returns:
        GrpcSecurityHandler instance
      • authorize

        public static GrpcSecurityHandler authorize()
        Enable authorization for this route.

        Behavior:

        • Authentication: enabled and required
        • Authorization: enabled if provider is present
        • Audit: not modified
        Returns:
        GrpcSecurityHandler instance
      • enforce

        public static GrpcSecurityHandler enforce()
Return a default instance to create a default enforcement point (the result may be modified further).

        Behavior:

        • Authentication: not modified (default: disabled)
        • Authorization: not modified (default: disabled)
        • Audit: not modified
        Returns:
        GrpcSecurityHandler instance
      • securityDefaults

        public GrpcSecurity securityDefaults​(GrpcSecurityHandler defaultHandler)
Create a new gRPC security instance using the default handler as the base defaults for all handlers used. If handlers are loaded from config, this is the least significant value: settings from config take precedence over it.
        Parameters:
        defaultHandler - if a security handler is configured for a route, it will take its defaults from this handler
        Returns:
        new instance of gRPC security with the handler default
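The following is an added example, not code from this page or from the Helidon project, that ties together create(Security), securityDefaults(GrpcSecurityHandler) and the static handler gates (authenticate(), rolesAllowed(), allowAnonymous()) described above: a routing-wide interceptor with authentication as the baseline, a service-wide role gate, a per-method gate that tightens it, and a separate service that opts into anonymous access. The import paths follow the Helidon 2.x package layout and are assumed; GreetService, HealthService, their method names, the choice of HttpBasicAuthProvider and the config keys "http-basic-auth" and "grpc" are all made up for the example.

```java
// Added example; not code from the Helidon page or project. Wires GrpcSecurity into
// GrpcRouting. Import paths follow the Helidon 2.x layout and are assumed; the
// services, method names, provider choice and config keys are made up.
import io.grpc.stub.StreamObserver;
import io.helidon.config.Config;
import io.helidon.grpc.server.GrpcRouting;
import io.helidon.grpc.server.GrpcServer;
import io.helidon.grpc.server.GrpcServerConfiguration;
import io.helidon.grpc.server.GrpcService;
import io.helidon.grpc.server.ServiceDescriptor;
import io.helidon.security.Security;
import io.helidon.security.integration.grpc.GrpcSecurity;
import io.helidon.security.providers.httpauth.HttpBasicAuthProvider;

public class SecuredGrpcMain {

    public static void main(String[] args) {
        Config config = Config.create();

        // Any role-capable provider works; HTTP basic auth is the simplest to stand up.
        // The "http-basic-auth" config section (users and their roles) is assumed.
        Security security = Security.builder()
                .addProvider(HttpBasicAuthProvider.create(config.get("http-basic-auth")))
                .build();

        // securityDefaults(authenticate()) makes "authentication required" the baseline
        // for every handler, so a method registered without its own gate is still not
        // reachable anonymously.
        GrpcSecurity grpcSecurity = GrpcSecurity.create(security)
                .securityDefaults(GrpcSecurity.authenticate());

        GrpcRouting routing = GrpcRouting.builder()
                .intercept(grpcSecurity)                        // runs for every call
                .register(new GreetService(), rules -> rules
                        // whole service: caller must hold role "user"
                        .intercept(GrpcSecurity.rolesAllowed("user"))
                        // SetGreeting only: caller must also hold role "admin"
                        .intercept("SetGreeting", GrpcSecurity.rolesAllowed("admin")))
                .register(new HealthService(), rules -> rules
                        // liveness probe: authentication is attempted but optional per
                        // allowAnonymous(); the service body must not trust the subject.
                        .intercept(GrpcSecurity.allowAnonymous()))
                .build();

        GrpcServer.create(GrpcServerConfiguration.create(config.get("grpc")), routing)
                .start();
    }

    /** Greeting service with a read method and a privileged write method. */
    static final class GreetService implements GrpcService {
        private volatile String greeting = "Hello";

        @Override
        public void update(ServiceDescriptor.Rules rules) {
            rules.unary("Greet", this::greet)
                 .unary("SetGreeting", this::setGreeting);
        }

        private void greet(String name, StreamObserver<String> o) {
            o.onNext(greeting + " " + name + "!");
            o.onCompleted();
        }

        private void setGreeting(String newGreeting, StreamObserver<String> o) {
            greeting = newGreeting;   // reached only by callers in role "admin"
            o.onNext("greeting set");
            o.onCompleted();
        }
    }

    /** Unauthenticated liveness probe; deliberately returns nothing caller-specific. */
    static final class HealthService implements GrpcService {
        @Override
        public void update(ServiceDescriptor.Rules rules) {
            rules.unary("Ping", (String req, StreamObserver<String> o) -> {
                o.onNext("pong");
                o.onCompleted();
            });
        }
    }
}
```

Two points worth checking in a real deployment: the provider behind Security must actually supply roles, otherwise rolesAllowed() can never match; and, as the authorizer() description above notes, a handler that only enables authorization permits everything when no authorization provider is configured, so verify with an unprivileged test credential that SetGreeting is rejected before relying on the gate.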
      • interceptCall

        public <ReqT,​RespT> io.grpc.ServerCall.Listener<ReqT> interceptCall​(io.grpc.ServerCall<ReqT,​RespT> call,
                                                                                  io.grpc.Metadata headers,
                                                                                  io.grpc.ServerCallHandler<ReqT,​RespT> next)
        Specified by:
        interceptCall in interface io.grpc.ServerInterceptor