fix(grpc,security): Run authN and authZ handlers when root path is not "/"

Author: michalvavrik

extensions/grpc/deployment/src/main/java/io/quarkus/grpc/deployment/GrpcServerProcessor.java

@@ -21,6 +21,7 @@
 import java.util.Set;
 import java.util.function.Predicate;
 import java.util.function.Supplier;
+import java.util.stream.Collectors;
 
 import jakarta.enterprise.inject.spi.DeploymentException;
 import jakarta.transaction.Transaction;
@@ -90,9 +91,14 @@
 import io.quarkus.kubernetes.spi.KubernetesPortBuildItem;
 import io.quarkus.netty.deployment.MinNettyAllocatorMaxOrderBuildItem;
 import io.quarkus.runtime.LaunchMode;
+import io.quarkus.runtime.RuntimeValue;
 import io.quarkus.smallrye.health.deployment.spi.HealthBuildItem;
 import io.quarkus.vertx.deployment.VertxBuildItem;
+import io.quarkus.vertx.http.deployment.FilterBuildItem;
 import io.quarkus.vertx.http.deployment.VertxWebRouterBuildItem;
+import io.vertx.core.Handler;
+import io.vertx.ext.web.Router;
+import io.vertx.ext.web.RoutingContext;
 
 public class GrpcServerProcessor {
 
@@ -683,7 +689,8 @@ ServiceStartBuildItem initializeServer(GrpcServerRecorder recorder,
             List<RecorderBeanInitializedBuildItem> orderEnforcer,
             LaunchModeBuildItem launchModeBuildItem,
             VertxWebRouterBuildItem routerBuildItem,
-            VertxBuildItem vertx, Capabilities capabilities) {
+            VertxBuildItem vertx, Capabilities capabilities,
+            List<FilterBuildItem> filterBuildItems) {
 
         // Build the list of blocking methods per service implementation
         Map<String, List<String>> blocking = new HashMap<>();
@@ -702,10 +709,23 @@ ServiceStartBuildItem initializeServer(GrpcServerRecorder recorder,
         if (!bindables.isEmpty()
                 || (LaunchMode.current() == LaunchMode.DEVELOPMENT && buildTimeConfig.devMode.forceServerStart)) {
             //Uses mainrouter when the 'quarkus.http.root-path' is not '/'
-            recorder.initializeGrpcServer(vertx.getVertx(),
-                    routerBuildItem.getMainRouter() != null ? routerBuildItem.getMainRouter() : routerBuildItem.getHttpRouter(),
+            Map<Integer, Handler<RoutingContext>> securityHandlers = null;
+            final RuntimeValue<Router> routerRuntimeValue;
+            if (routerBuildItem.getMainRouter() != null) {
+                routerRuntimeValue = routerBuildItem.getMainRouter();
+                if (capabilities.isPresent(Capability.SECURITY)) {
+                    securityHandlers = filterBuildItems
+                            .stream()
+                            .filter(filter -> filter.getPriority() == FilterBuildItem.AUTHENTICATION
+                                    || filter.getPriority() == FilterBuildItem.AUTHORIZATION)
+                            .collect(Collectors.toMap(f -> f.getPriority() * -1, FilterBuildItem::getHandler));
+                }
+            } else {
+                routerRuntimeValue = routerBuildItem.getHttpRouter();
+            }
+            recorder.initializeGrpcServer(vertx.getVertx(), routerRuntimeValue,
                     config, shutdown, blocking, virtuals, launchModeBuildItem.getLaunchMode(),
-                    capabilities.isPresent(Capability.SECURITY));
+                    capabilities.isPresent(Capability.SECURITY), securityHandlers);
             return new ServiceStartBuildItem(GRPC_SERVER);
         }
         return null;

extensions/grpc/deployment/src/test/java/io/quarkus/grpc/auth/GrpcAuthCustomRootPathTest.java

@@ -0,0 +1,17 @@
+package io.quarkus.grpc.auth;
+
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+
+public class GrpcAuthCustomRootPathTest extends GrpcAuthTestBase {
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = createQuarkusUnitTest("""
+            quarkus.grpc.server.use-separate-server=false
+            quarkus.grpc.clients.securityClient.host=localhost
+            quarkus.grpc.clients.securityClient.port=8081
+            quarkus.http.root-path=/api
+            """, true);
+
+}

extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/GrpcServerRecorder.java

@@ -60,6 +60,7 @@
 import io.quarkus.runtime.ShutdownContext;
 import io.quarkus.runtime.annotations.Recorder;
 import io.quarkus.vertx.http.runtime.PortSystemProperties;
+import io.quarkus.vertx.http.runtime.security.HttpAuthenticator;
 import io.quarkus.virtual.threads.VirtualThreadsRecorder;
 import io.vertx.core.AbstractVerticle;
 import io.vertx.core.AsyncResult;
@@ -99,7 +100,7 @@ public void initializeGrpcServer(RuntimeValue<Vertx> vertxSupplier,
             ShutdownContext shutdown,
             Map<String, List<String>> blockingMethodsPerService,
             Map<String, List<String>> virtualMethodsPerService,
-            LaunchMode launchMode, boolean securityPresent) {
+            LaunchMode launchMode, boolean securityPresent, Map<Integer, Handler<RoutingContext>> securityHandlers) {
         GrpcContainer grpcContainer = Arc.container().instance(GrpcContainer.class).get();
         if (grpcContainer == null) {
             throw new IllegalStateException("gRPC not initialized, GrpcContainer not found");
@@ -137,15 +138,16 @@ public void initializeGrpcServer(RuntimeValue<Vertx> vertxSupplier,
             }
         } else {
             buildGrpcServer(vertx, configuration, routerSupplier, shutdown, blockingMethodsPerService, virtualMethodsPerService,
-                    grpcContainer, launchMode, securityPresent);
+                    grpcContainer, launchMode, securityPresent, securityHandlers);
         }
     }
 
     // TODO -- handle XDS
     private void buildGrpcServer(Vertx vertx, GrpcServerConfiguration configuration, RuntimeValue<Router> routerSupplier,
             ShutdownContext shutdown, Map<String, List<String>> blockingMethodsPerService,
             Map<String, List<String>> virtualMethodsPerService,
-            GrpcContainer grpcContainer, LaunchMode launchMode, boolean securityPresent) {
+            GrpcContainer grpcContainer, LaunchMode launchMode, boolean securityPresent,
+            Map<Integer, Handler<RoutingContext>> securityHandlers) {
 
         GrpcServerOptions options = new GrpcServerOptions();
         if (!configuration.maxInboundMessageSize.isEmpty()) {
@@ -193,8 +195,45 @@ private void buildGrpcServer(Vertx vertx, GrpcServerConfiguration configuration,
 
         initHealthStorage();
 
+        Router router = routerSupplier.getValue();
+        if (securityHandlers != null) {
+            for (Map.Entry<Integer, Handler<RoutingContext>> e : securityHandlers.entrySet()) {
+                Handler<RoutingContext> handler = e.getValue();
+                Route route = router.route().order(e.getKey()).handler(new Handler<RoutingContext>() {
+                    @Override
+                    public void handle(RoutingContext ctx) {
+                        if (!isGrpc(ctx)) {
+                            ctx.next();
+                        } else if (ctx.get(HttpAuthenticator.class.getName()) != null) {
+                            // this IF branch shouldn't be invoked with current implementation
+                            // when gRPC is attached to the main router when the root path is not '/'
+                            // because HTTP authenticator and authorizer handlers are not added by default on the main
+                            // router; adding it in case someone made changes without consider this use case
+                            // so that we prevent repeated authentication
+                            ctx.next();
+                        } else {
+                            if (!Context.isOnEventLoopThread()) {
+                                Context capturedVertxContext = Vertx.currentContext();
+                                if (capturedVertxContext != null) {
+                                    capturedVertxContext.runOnContext(new Handler<Void>() {
+                                        @Override
+                                        public void handle(Void unused) {
+                                            handler.handle(ctx);
+                                        }
+                                    });
+                                    return;
+                                }
+                            }
+                            handler.handle(ctx);
+                        }
+                    }
+                });
+                shutdown.addShutdownTask(route::remove); // remove this route at shutdown, this should reset it
+            }
+        }
+
         LOGGER.info("Starting new Quarkus gRPC server (using Vert.x transport)...");
-        Route route = routerSupplier.getValue().route().handler(ctx -> {
+        Route route = router.route().handler(ctx -> {
             if (!isGrpc(ctx)) {
                 ctx.next();
             } else {