[3.x] Unauthenticated status code fix (helidon-io#6482)

Unauthenticated status code fix

Signed-off-by: David Kral <david.k.kral@oracle.com>

Author: Verdent

security/integration/grpc/src/main/java/io/helidon/security/integration/grpc/GrpcSecurityHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2022 Oracle and/or its affiliates.
+ * Copyright (c) 2019, 2023 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -368,11 +368,13 @@ private <ReqT, RespT> ServerCall.Listener<ReqT> processSecurity(SecurityContext
                                                .customObjects(customObjects.orElse(new ClassToInstanceStore<>()))
                                                .build());
 
-        CompletionStage<Boolean> stage = processAuthentication(call, headers, securityContext, tracing.atnTracing())
+        CallWrapper<ReqT, RespT> callWrapper = new CallWrapper<>(call);
+
+        CompletionStage<Boolean> stage = processAuthentication(callWrapper, headers, securityContext, tracing.atnTracing())
                 .thenCompose(atnResult -> {
                     if (atnResult.proceed) {
                         // authentication was OK or disabled, we should continue
-                        return processAuthorization(securityContext, tracing.atzTracing());
+                        return processAuthorization(securityContext, tracing.atzTracing(), callWrapper);
                     } else {
                         // authentication told us to stop processing
                         return CompletableFuture.completedFuture(AtxResult.STOP);
@@ -392,15 +394,13 @@ private <ReqT, RespT> ServerCall.Listener<ReqT> processSecurity(SecurityContext
                 });
 
         ServerCall.Listener<ReqT> listener;
-        CallWrapper<ReqT, RespT> callWrapper = new CallWrapper<>(call);
 
         try {
             boolean proceed = stage.toCompletableFuture().get();
 
             if (proceed) {
                 listener = next.startCall(callWrapper, headers);
             } else {
-                callWrapper.close(Status.PERMISSION_DENIED, new Metadata());
                 listener = new EmptyListener<>();
             }
         } catch (Throwable throwable) {
@@ -463,18 +463,18 @@ private CompletionStage<AtxResult> processAuthentication(ServerCall<?, ?> call,
                 //everything is fine, we can continue with processing
                 break;
             case FAILURE_FINISH:
-                if (atnFinishFailure(future)) {
+                if (atnFinishFailure(future, call)) {
                     atnSpanFinish(atnTracing, response);
                     return;
                 }
                 break;
             case SUCCESS_FINISH:
-                atnFinish(future);
+                atnFinish(future, call);
                 atnSpanFinish(atnTracing, response);
                 return;
             case ABSTAIN:
             case FAILURE:
-                if (atnAbstainFailure(future)) {
+                if (atnAbstainFailure(future, call)) {
                     atnSpanFinish(atnTracing, response);
                     return;
                 }
@@ -505,28 +505,31 @@ private void atnSpanFinish(AtnTracing atnTracing, AuthenticationResponse respons
         atnTracing.finish();
     }
 
-    private boolean atnAbstainFailure(CompletableFuture<AtxResult> future) {
+    private boolean atnAbstainFailure(CompletableFuture<AtxResult> future, ServerCall<?, ?> call) {
         if (authenticationOptional.orElse(false)) {
             LOGGER.finest("Authentication failed, but was optional, so assuming anonymous");
             return false;
         }
 
+        call.close(Status.UNAUTHENTICATED, new Metadata());
         future.complete(AtxResult.STOP);
         return true;
     }
 
-    private boolean atnFinishFailure(CompletableFuture<AtxResult> future) {
+    private boolean atnFinishFailure(CompletableFuture<AtxResult> future, ServerCall<?, ?> call) {
 
         if (authenticationOptional.orElse(false)) {
             LOGGER.finest("Authentication failed, but was optional, so assuming anonymous");
             return false;
         } else {
+            call.close(Status.UNAUTHENTICATED, new Metadata());
             future.complete(AtxResult.STOP);
             return true;
         }
     }
 
-    private void atnFinish(CompletableFuture<AtxResult> future) {
+    private void atnFinish(CompletableFuture<AtxResult> future, ServerCall<?, ?> call) {
+        call.close(Status.OK, new Metadata());
         future.complete(AtxResult.STOP);
     }
 
@@ -539,7 +542,8 @@ private void configureSecurityRequest(SecurityRequestBuilder<? extends SecurityR
 
     private CompletionStage<AtxResult> processAuthorization(
             SecurityContext context,
-            AtzTracing atzTracing) {
+            AtzTracing atzTracing,
+            ServerCall<?, ?> call) {
         CompletableFuture<AtxResult> future = new CompletableFuture<>();
 
         if (!authorize.orElse(false)) {
@@ -555,12 +559,14 @@ private CompletionStage<AtxResult> processAuthorization(
             // first validate roles - RBAC is supported out of the box by security, no need to invoke provider
             if (explicitAuthorizer.isPresent()) {
                 if (rolesSet.stream().noneMatch(role -> context.isUserInRole(role, explicitAuthorizer.get()))) {
+                    call.close(Status.PERMISSION_DENIED, new Metadata());
                     future.complete(AtxResult.STOP);
                     atzTracing.finish();
                     return future;
                 }
             } else {
                 if (rolesSet.stream().noneMatch(context::isUserInRole)) {
+                    call.close(Status.PERMISSION_DENIED, new Metadata());
                     future.complete(AtxResult.STOP);
                     atzTracing.finish();
                     return future;
@@ -580,14 +586,20 @@ private CompletionStage<AtxResult> processAuthorization(
             case SUCCESS:
                 //everything is fine, we can continue with processing
                 break;
-            case FAILURE_FINISH:
             case SUCCESS_FINISH:
                 atzTracing.finish();
+                call.close(Status.OK, new Metadata());
+                future.complete(AtxResult.STOP);
+                return;
+            case FAILURE_FINISH:
+                atzTracing.finish();
+                call.close(Status.PERMISSION_DENIED, new Metadata());
                 future.complete(AtxResult.STOP);
                 return;
             case ABSTAIN:
             case FAILURE:
                 atzTracing.finish();
+                call.close(Status.PERMISSION_DENIED, new Metadata());
                 future.complete(AtxResult.STOP);
                 return;
             default:

security/integration/grpc/src/test/java/io/helidon/security/integration/grpc/OutboundSecurityIT.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2021 Oracle and/or its affiliates.
+ * Copyright (c) 2019, 2023 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

security/integration/grpc/src/test/java/io/helidon/security/integration/grpc/SecurityFromConfigIT.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2020 Oracle and/or its affiliates.
+ * Copyright (c) 2019, 2023 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -119,7 +119,7 @@ public void shouldBeSecuredWithGlobalSettingsDenyAccess() {
         StatusRuntimeException thrown = assertThrows(StatusRuntimeException.class, () ->
                 noCredsEchoStub.lower(toMessage("FOO")));
 
-        assertThat(thrown.getStatus().getCode(), is(Status.PERMISSION_DENIED.getCode()));
+        assertThat(thrown.getStatus().getCode(), is(Status.UNAUTHENTICATED.getCode()));
     }
 
     /**

security/integration/grpc/src/test/java/io/helidon/security/integration/grpc/ServiceAndMethodLevelSecurityIT.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2020 Oracle and/or its affiliates.
+ * Copyright (c) 2019, 2023 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -126,7 +126,7 @@ public void shouldBeSecuredWithGlobalSettingsDenyAccess() {
         StatusRuntimeException thrown = assertThrows(StatusRuntimeException.class, () ->
                 noCredsEchoStub.lower(toMessage("FOO")));
 
-        assertThat(thrown.getStatus().getCode(), is(Status.PERMISSION_DENIED.getCode()));
+        assertThat(thrown.getStatus().getCode(), is(Status.UNAUTHENTICATED.getCode()));
     }
 
     @Test

security/integration/grpc/src/test/resources/application.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2019, 2021 Oracle and/or its affiliates.
+# Copyright (c) 2019, 2023 Oracle and/or its affiliates.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -32,3 +32,5 @@ http-basic-auth:
     - login: "Bob"
       password: "password"
       roles: ["user"]
+  outbound:
+    - name: "propagate-everything"