redesign security

Signed-off-by: tvallin <[email protected]>

Author: tvallin

openapi/src/main/java/io/helidon/openapi/OpenApiFeature.java

@@ -26,6 +26,7 @@
 import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
@@ -45,14 +46,15 @@
 import io.helidon.http.WritableHeaders;
 import io.helidon.webserver.http.HttpRules;
 import io.helidon.webserver.http.HttpService;
+import io.helidon.webserver.http.SecureHandler;
 import io.helidon.webserver.http.ServerRequest;
 import io.helidon.webserver.http.ServerResponse;
-import io.helidon.webserver.servicecommon.HelidonSecureFeatureSupport;
+import io.helidon.webserver.servicecommon.HelidonFeatureSupport;
 
 /**
  * Behavior shared between the SE and MP OpenAPI feature implementations.
  */
-public abstract class OpenApiFeature extends HelidonSecureFeatureSupport {
+public abstract class OpenApiFeature extends HelidonFeatureSupport {
 
     /**
      * Default media type used in responses in absence of incoming Accept
@@ -81,6 +83,8 @@ public abstract class OpenApiFeature extends HelidonSecureFeatureSupport {
     private final MediaType[] preferredMediaTypeOrdering;
     private final MediaType[] mediaTypesSupportedByUi;
     private final ConcurrentMap<OpenAPIMediaType, String> cachedDocuments = new ConcurrentHashMap<>();
+    private final boolean permitAll;
+    private final String[] roles;
     /**
      * Constructor for the feature.
      *
@@ -93,6 +97,8 @@ protected OpenApiFeature(System.Logger logger, Builder<?, ?> builder) {
         ui = prepareUi(builder);
         mediaTypesSupportedByUi = ui.supportedMediaTypes();
         preferredMediaTypeOrdering = preparePreferredMediaTypeOrdering(mediaTypesSupportedByUi);
+        permitAll = builder.permitAll;
+        roles = builder.roles.toArray(new String[0]);
     }
 
     /**
@@ -151,11 +157,6 @@ private static MediaType[] preparePreferredMediaTypeOrdering(MediaType[] uiTypes
         return result;
     }
 
-    private void configureRoutes(HttpRules rules) {
-        authorizeRules(rules);
-        rules.get("/", this::prepareResponse);
-    }
-
     private static ClassLoader getContextClassLoader() {
         return Thread.currentThread().getContextClassLoader();
     }
@@ -172,6 +173,9 @@ private OpenApiUi prepareUi(Builder<?, ?> builder) {
     }
 
     private void configureRoutes(HttpRules rules) {
+        if (!permitAll) {
+            rules.any(SecureHandler.authorize(roles));
+        }
         rules.get("/", this::prepareResponse);
     }
 
@@ -418,7 +422,11 @@ MediaType mediaType() {
      * @param <T> specific concrete type of {@link OpenApiFeature} the builder creates
      */
     public abstract static class Builder<B extends Builder<B, T>, T extends OpenApiFeature>
-            extends HelidonSecureFeatureSupport.Builder<B, T> {
+            extends HelidonFeatureSupport.Builder<B, T> {
+
+        private boolean permitAll = false;
+
+        private final List<String> roles = new LinkedList<>();
 
         /**
          * Config key for the OpenAPI section.
@@ -449,6 +457,12 @@ public B config(Config config) {
                     .ifPresent(this::staticFile);
             config.get(OpenApiUi.Builder.OPENAPI_UI_CONFIG_KEY)
                     .ifExists(uiBuilder::config);
+            config.get("permit-all")
+                    .asBoolean()
+                    .ifPresent(this::permitAll);
+            config.get("roles")
+                    .asList(String.class)
+                    .ifPresent(roles::addAll);
             return identity();
         }
 
@@ -496,6 +510,29 @@ public OpenApiStaticFile staticFile() {
                     : staticFile;
         }
 
+        /**
+         * If {@code permitAll} is {@code true} and security enabled, the feature
+         * endpoints will be authorized. Default value is {@code false}.
+         *
+         * @param permitAll permit all metrics endpoint
+         * @return updated builder instance
+         */
+        public B permitAll(boolean permitAll) {
+            this.permitAll = permitAll;
+            return identity();
+        }
+
+        /**
+         * Set hint for role names the user is expected to be in.
+         *
+         * @param role role name
+         * @return updated builder instance
+         */
+        public B addRoleHint(String role) {
+            roles.add(role);
+            return identity();
+        }
+
         /**
          * Returns the logger for the OpenAPI feature instance.
          *

tests/integration/security/gh2297/src/main/resources/application.yaml

@@ -34,3 +34,5 @@ security:
           roles-allowed:
             user:
               - admin
+metrics:
+  permit-all: true

webserver/observe/metrics/src/main/java/io/helidon/webserver/observe/metrics/MetricsFeature.java

@@ -39,16 +39,16 @@
 import io.helidon.webserver.http.HttpRouting;
 import io.helidon.webserver.http.HttpRules;
 import io.helidon.webserver.http.HttpService;
+import io.helidon.webserver.http.SecureHandler;
 import io.helidon.webserver.http.ServerRequest;
 import io.helidon.webserver.http.ServerResponse;
-import io.helidon.webserver.servicecommon.HelidonSecureFeatureSupport;
 
 import static io.helidon.http.HeaderNames.ALLOW;
 import static io.helidon.http.Status.METHOD_NOT_ALLOWED_405;
 import static io.helidon.http.Status.NOT_FOUND_404;
 import static io.helidon.http.Status.OK_200;
 
-public class MetricsFeature extends HelidonSecureFeatureSupport {
+class MetricsFeature {
 
     /**
      * Prefix for key performance indicator metrics names.
@@ -195,7 +195,9 @@ private void getOrOptionsMatching(MediaType mediaType,
     }
 
     private void setUpEndpoints(HttpRules rules) {
-        authorizeRules(rules);
+        if (!metricsConfig.permitAll()) {
+            rules.any(SecureHandler.authorize(metricsConfig.roles().toArray(new String[0])));
+        }
         // routing to root of metrics
         // As of Helidon 4, this is the only path we should need because scope-based or metric-name-based
         // selection should use query parameters instead of paths.
@@ -269,98 +271,6 @@ private void setUpDisabledEndpoints(HttpRules rules) {
                 .options("/", DISABLED_ENDPOINT_HANDLER);
     }
 
-    /**
-     * Separate metrics service class with an afterStop method that is properly invoked.
-     */
-    @Configured(root = true, prefix = "metrics")
-    public static class Builder extends HelidonSecureFeatureSupport.Builder<Builder, MetricsFeature> {
-        private LazyValue<MeterRegistry> meterRegistry;
-        private MetricsConfig.Builder metricsSettingsBuilder = MetricsConfig.builder();
-
-        private Builder() {
-            super("metrics");
-        }
-
-        /**
-         * Creates a new builder.
-         *
-         * @param serviceName service name to register the feature with
-         */
-        protected Builder(String serviceName) {
-            super(serviceName);
-        }
-
-        @Override
-        public void routing(HttpRules rules) {
-            if (metricsConfig.enabled()) {
-                setUpEndpoints(rules);
-            } else {
-                setUpDisabledEndpoints(rules);
-            }
-            return new MetricsFeature(this);
-        }
-
-        /**
-         * Override default configuration.
-         *
-         * @param config configuration instance
-         * @return updated builder instance
-         * @see io.helidon.metrics.api.KeyPerformanceIndicatorMetricsConfig.Builder Details about key
-         *         performance metrics configuration
-         */
-        public Builder config(Config config) {
-            super.config(config);
-            metricsSettingsBuilder.config(config);
-            return this;
-        }
-
-        /**
-         * Assigns {@code MetricsSettings} which will be used in creating the {@code MetricsSupport} instance at build-time.
-         *
-         * @param metricsSettingsBuilder the metrics settings to assign for use in building the {@code MetricsSupport} instance
-         * @return updated builder
-         */
-        @ConfiguredOption(mergeWithParent = true,
-                          type = MetricsConfig.class)
-        public Builder metricsConfig(MetricsConfig.Builder metricsSettingsBuilder) {
-            this.metricsSettingsBuilder = metricsSettingsBuilder;
-            return this;
-        }
-
-        /**
-         * If you want to have multiple meter registries with different
-         * endpoints, you may create them using
-         * {@snippet :
-         *      MeterRegistry meterRegistry = MetricsFactory.getInstance()
-         *              .createMeterRegistry(metricsConfig);
-         *      MetricsFeature.builder()
-         *              .meterRegistry(meterRegistry) // further settings on the feature builder, etc.
-         * }
-         * where {@code metricsConfig} in each case has different
-         * {@link #webContext(String)} settings}.
-         * <p>
-         * If this method is not called,
-         * {@link MetricsFeature} would use the shared
-         * instance as provided by
-         * {@link io.helidon.metrics.api.MetricsFactory#globalRegistry()}.
-         *
-         * @param meterRegistry meterRegistry to use in this metric support
-         * @return updated builder instance
-         */
-        public Builder meterRegistry(MeterRegistry meterRegistry) {
-            this.meterRegistry = LazyValue.create(() -> meterRegistry);
-            return this;
-        }
-
-        MeterRegistry meterRegistry() {
-            return meterRegistry.get();
-        }
-
-        MetricsConfig metricsConfig() {
-            return metricsSettingsBuilder.build();
-        }
-    }
-
     /**
      * Separate metrics service class with an afterStop method that is properly invoked.
      */