Add ExecutorAuthenticationProvider API (#1548)

* Add ExecutorAuthenticationProvider API don’t flag blocking imperative AuthenticationProvider with @Blocking instead use `ExecutorAuthenticationProvider` * cache every beanContext invocation
micronaut-projects · Jan 8, 2024 · 9d264b1 · 9d264b1
1 parent 7ad6d49
commit 9d264b1
Show file tree

Hide file tree

Showing 9 changed files with 110 additions and 163 deletions.
diff --git a/...ity/src/main/java/io/micronaut/security/authentication/AuthenticationProviderAdapter.java b/...ity/src/main/java/io/micronaut/security/authentication/AuthenticationProviderAdapter.java
@@ -15,7 +15,6 @@
  */
 package io.micronaut.security.authentication;
 
-import io.micronaut.context.BeanContext;
 import io.micronaut.core.annotation.Internal;
 import io.micronaut.core.annotation.NonNull;
 import io.micronaut.core.annotation.Nullable;
@@ -35,23 +34,22 @@
 final class AuthenticationProviderAdapter<T, I, S> implements ReactiveAuthenticationProvider<T, I, S> {
 
     @NonNull
-    private final io.micronaut.security.authentication.provider.AuthenticationProvider<T, I, S> authenticationProvider;
+    private final AuthenticationProvider<T, I, S> authenticationProvider;
 
+    @Nullable
     private final Scheduler scheduler;
 
-    public AuthenticationProviderAdapter(BeanContext beanContext,
-                                         Scheduler scheduler,
-                                         @NonNull io.micronaut.security.authentication.provider.AuthenticationProvider<T, I, S> authenticationProvider) {
-        this(authenticationProvider,
-                AuthenticationProviderUtils.isAuthenticateBlocking(beanContext, authenticationProvider) ? scheduler : null);
-    }
-
     public AuthenticationProviderAdapter(@NonNull AuthenticationProvider<T, I, S> authenticationProvider,
-                                          @Nullable Scheduler scheduler) {
+                                         @NonNull Scheduler scheduler) {
         this.authenticationProvider = authenticationProvider;
         this.scheduler = scheduler;
     }
 
+    public AuthenticationProviderAdapter(@NonNull AuthenticationProvider<T, I, S> authenticationProvider) {
+        this.authenticationProvider = authenticationProvider;
+        this.scheduler = null;
+    }
+
     @Override
     public Publisher<AuthenticationResponse> authenticate(T requestContext, AuthenticationRequest<I, S> authenticationRequest) {
         Mono<AuthenticationResponse> authenticationResponseMono = Mono.fromCallable(() -> authenticationProvider.authenticate(requestContext, authenticationRequest));

diff --git a/security/src/main/java/io/micronaut/security/authentication/AuthenticationProviderUtils.java b/security/src/main/java/io/micronaut/security/authentication/AuthenticationProviderUtils.java
diff --git a/security/src/main/java/io/micronaut/security/authentication/Authenticator.java b/security/src/main/java/io/micronaut/security/authentication/Authenticator.java
@@ -20,13 +20,14 @@
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.core.order.OrderUtil;
 import io.micronaut.core.util.CollectionUtils;
+import io.micronaut.inject.qualifiers.Qualifiers;
 import io.micronaut.scheduling.TaskExecutors;
 import io.micronaut.security.authentication.provider.AuthenticationProvider;
+import io.micronaut.security.authentication.provider.ExecutorAuthenticationProvider;
 import io.micronaut.security.authentication.provider.ReactiveAuthenticationProvider;
 import io.micronaut.security.config.AuthenticationStrategy;
 import io.micronaut.security.config.SecurityConfiguration;
 import jakarta.inject.Inject;
-import jakarta.inject.Named;
 import jakarta.inject.Singleton;
 import org.reactivestreams.Publisher;
 import org.slf4j.Logger;
@@ -38,10 +39,8 @@
 import reactor.core.scheduler.Scheduler;
 import reactor.core.scheduler.Schedulers;
 
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
+import java.util.*;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.stream.Collectors;
@@ -70,38 +69,35 @@ public class Authenticator<T, I, S> {
     protected final Collection<io.micronaut.security.authentication.AuthenticationProvider<T, I, S>> authenticationProviders;
 
     private final List<ReactiveAuthenticationProvider<T, I, S>> reactiveAuthenticationProviders;
-
     private final BeanContext beanContext;
+
     private final List<AuthenticationProvider<T, I, S>> imperativeAuthenticationProviders;
     private final SecurityConfiguration securityConfiguration;
 
-    private final Scheduler scheduler;
+    private final Map<String, Scheduler> executeNameToScheduler = new ConcurrentHashMap<>();
 
     /**
      * @param beanContext Bean Context
      * @param reactiveAuthenticationProviders A list of available Reactive authentication providers
      * @param authenticationProviders A list of available imperative authentication providers
-     * @param executorService BLOCKING executor service
      * @param securityConfiguration The security configuration
      */
     @Inject
     public Authenticator(BeanContext beanContext,
                          List<ReactiveAuthenticationProvider<T, I, S>> reactiveAuthenticationProviders,
                          List<AuthenticationProvider<T, I, S>> authenticationProviders,
-                         @Named(TaskExecutors.BLOCKING) ExecutorService executorService,
                          SecurityConfiguration securityConfiguration) {
         this.beanContext = beanContext;
         this.reactiveAuthenticationProviders = reactiveAuthenticationProviders;
         this.securityConfiguration = securityConfiguration;
         this.imperativeAuthenticationProviders = authenticationProviders;
-        this.scheduler = Schedulers.fromExecutorService(executorService);
         this.authenticationProviders = Collections.emptyList();
     }
 
     /**
      * @param authenticationProviders A list of available authentication providers
      * @param securityConfiguration   The security configuration
-     * @deprecated Use {@link Authenticator#Authenticator(BeanContext, List, List, ExecutorService, SecurityConfiguration)} instead.
+     * @deprecated Use {@link Authenticator#Authenticator(BeanContext, List, List, SecurityConfiguration)} instead.
      */
     @Deprecated(forRemoval = true, since = "4.5.0")
     public Authenticator(Collection<io.micronaut.security.authentication.AuthenticationProvider<T, I, S>> authenticationProviders,
@@ -110,7 +106,6 @@ public Authenticator(Collection<io.micronaut.security.authentication.Authenticat
         this.authenticationProviders = authenticationProviders;
         this.reactiveAuthenticationProviders = new ArrayList<>(authenticationProviders);
         this.securityConfiguration = securityConfiguration;
-        this.scheduler = null;
         this.imperativeAuthenticationProviders = Collections.emptyList();
     }
 
@@ -137,8 +132,20 @@ public Publisher<AuthenticationResponse> authenticate(T requestContext, Authenti
         return authenticate(requestContext, authenticationRequest, everyProviderSorted());
     }
 
+    /**
+     *
+     * @return Whether any of the authentication provider is blocking
+     */
     private boolean anyImperativeAuthenticationProviderIsBlocking() {
-        return imperativeAuthenticationProviders.stream().anyMatch(provider -> AuthenticationProviderUtils.isAuthenticateBlocking(beanContext, provider));
+        return imperativeAuthenticationProviders.stream().anyMatch(this::isImperativeAuthenticationProviderIsBlocking);
+    }
+
+    /**
+     * If {@link ExecutorAuthenticationProvider#getExecutorName()} equals `blocking` or `io` returns `true`.
+     * @return Whether any of the authentication provider is blocking.
+     */
+    protected boolean isImperativeAuthenticationProviderIsBlocking(AuthenticationProvider<?, ?, ?> authenticationProvider) {
+        return authenticationProvider instanceof ExecutorAuthenticationProvider ap && (ap.getExecutorName().equals(TaskExecutors.BLOCKING) || ap.getExecutorName().equals(TaskExecutors.IO));
     }
 
     @NonNull
@@ -175,7 +182,16 @@ private List<ReactiveAuthenticationProvider<T, I, S>> everyProviderSorted() {
         List<ReactiveAuthenticationProvider<T, I, S>> providers = new ArrayList<>(reactiveAuthenticationProviders);
         if (beanContext != null) {
             providers.addAll(imperativeAuthenticationProviders.stream()
-                    .map(imperativeAuthenticationProvider -> new AuthenticationProviderAdapter<>(beanContext, scheduler, imperativeAuthenticationProvider)).toList());
+                    .map(imperativeAuthenticationProvider -> {
+                        if (imperativeAuthenticationProvider instanceof ExecutorAuthenticationProvider<?, ?, ?> ap) {
+                            return new AuthenticationProviderAdapter<>(imperativeAuthenticationProvider, executeNameToScheduler.computeIfAbsent(ap.getExecutorName(), s ->
+                                    beanContext.findBean(ExecutorService.class, Qualifiers.byName(ap.getExecutorName()))
+                                            .map(Schedulers::fromExecutorService)
+                                            .orElse(null)));
+                        } else {
+                            return new AuthenticationProviderAdapter<>(imperativeAuthenticationProvider);
+                        }
+                    }).toList());
         }
         OrderUtil.sort(providers);
         return providers;

diff --git a/...in/java/io/micronaut/security/authentication/provider/ExecutorAuthenticationProvider.java b/...in/java/io/micronaut/security/authentication/provider/ExecutorAuthenticationProvider.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2017-2024 original authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.micronaut.security.authentication.provider;
+
+import io.micronaut.scheduling.TaskExecutors;
+import io.micronaut.security.authentication.AuthenticationRequest;
+
+/**
+ * An {@link AuthenticationProvider} which forces you to define the executor to be used.
+ * Blocking implementations of AuthenticationProvider should use this API.
+ * @author Sergio del Amo
+ * @since 4.5.0
+ * @param <T> Request Context Type
+ * @param <I> Authentication Request Identity Type
+ * @param <S> Authentication Request Secret Type
+ */
+public interface ExecutorAuthenticationProvider<T, I, S> extends AuthenticationProvider<T, I, S>  {
+
+    /**
+     *
+     * @return The executor name where the code {@link AuthenticationProvider#authenticate(T, AuthenticationRequest)} will be executed.
+     */
+    default String getExecutorName() {
+        return TaskExecutors.BLOCKING;
+    }
+}
diff --git a/...micronaut/security/authentication/provider/HttpRequestExecutorAuthenticationProvider.java b/...micronaut/security/authentication/provider/HttpRequestExecutorAuthenticationProvider.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2017-2023 original authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.micronaut.security.authentication.provider;
+
+import io.micronaut.http.HttpRequest;
+
+/**
+ * {@link ExecutorAuthenticationProvider} for {@link HttpRequest}.
+ * @author Sergio del Amo
+ * @since 4.5.0
+ * @param <B> The HTTP Request Body type
+ */
+public interface HttpRequestExecutorAuthenticationProvider<B> extends ExecutorAuthenticationProvider<HttpRequest<B>, String, String>  {
+}
diff --git a/security/src/main/java/io/micronaut/security/converters/package-info.java b/security/src/main/java/io/micronaut/security/converters/package-info.java
@@ -16,4 +16,4 @@
 /**
  * Security {@link io.micronaut.core.convert.TypeConverter}s.
  */
-package io.micronaut.security.converters;
+package io.micronaut.security.converters;
diff --git a/...perativeAuthenticationProviderSpec.groovy → ...ication/AuthenticationProviderSpec.groovy b/...perativeAuthenticationProviderSpec.groovy → ...ication/AuthenticationProviderSpec.groovy
@@ -8,6 +8,8 @@ import io.micronaut.http.HttpRequest
 import io.micronaut.scheduling.LoomSupport
 import io.micronaut.scheduling.TaskExecutors
 import io.micronaut.security.authentication.provider.AuthenticationProvider
+import io.micronaut.security.authentication.provider.ExecutorAuthenticationProvider
+import io.micronaut.security.authentication.provider.HttpRequestExecutorAuthenticationProvider
 import io.micronaut.security.testutils.ApplicationContextSpecification
 import jakarta.inject.Named
 import jakarta.inject.Singleton
@@ -65,12 +67,11 @@ class AuthenticationProviderSpec extends ApplicationContextSpecification {
 
     @Requires(property = "spec.name", value = "AuthenticationProviderSpec")
     @Singleton
-    static class SimpleAuthenticationProvider<T, I, S> implements AuthenticationProvider<T, I, S> {
+    static class SimpleAuthenticationProvider<T> implements HttpRequestExecutorAuthenticationProvider<T> {
         private String executedThreadName
 
         @Override
-        @Blocking
-        AuthenticationResponse authenticate(@Nullable T requestContext, AuthenticationRequest<I, S> authenticationRequest) {
+        AuthenticationResponse authenticate(@Nullable HttpRequest<T> requestContext, AuthenticationRequest<String, String> authenticationRequest) {
             executedThreadName = Thread.currentThread().getName()
             if (authenticationRequest.getIdentity().toString() == 'lebowski' && authenticationRequest.getSecret().toString() == 'thedudeabides') {
                 return AuthenticationResponse.success('lebowski')

diff --git a/...ovy/io/micronaut/security/authentication/ImperativeAuthenticationProviderUtilsTest.groovy b/...ovy/io/micronaut/security/authentication/ImperativeAuthenticationProviderUtilsTest.groovy
diff --git a/src/main/docs/guide/authenticationProviders/imperativeAuthenticationProviders.adoc b/src/main/docs/guide/authenticationProviders/imperativeAuthenticationProviders.adoc
@@ -2,5 +2,4 @@ The api:security.authentication.provider.ReactiveAuthenticationProvider[] interf
 
 snippet::io.micronaut.security.docs.blockingauthenticationprovider.CustomAuthenticationProvider[tags="clazz"]
 
-IMPORTANT: If your implementation is blocking (e.g., you fetch the user credentials from a database in a blocking way to check against the supplied authentication request), annotate the `authenticate` method with `@Blocking`. If the `authenticate` method is annotated with `@Blocking`, it will be executed in a managed thread using the `TaskExecutors.BLOCKING` executor to avoid blocking the main reactive flow.
-
+IMPORTANT: If your implementation is blocking (e.g., you fetch the user credentials from a database in a blocking way to check against the supplied authentication request), implement the api:security.authentication.provider.ExecutorAuthenticationProvider[] or api:security.authentication.provider.HttpRequestExecutorAuthenticationProvider[] interface. Those APIs specify the executor name, by default `TaskExecutors.BLOCKING`, where the code gets executed to avoid blocking the main reactive flow.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,5 +2,4 @@ The api:security.authentication.provider.ReactiveAuthenticationProvider[] interf

		snippet::io.micronaut.security.docs.blockingauthenticationprovider.CustomAuthenticationProvider[tags="clazz"]

		IMPORTANT: If your implementation is blocking (e.g., you fetch the user credentials from a database in a blocking way to check against the supplied authentication request), annotate the `authenticate` method with `@Blocking`. If the `authenticate` method is annotated with `@Blocking`, it will be executed in a managed thread using the `TaskExecutors.BLOCKING` executor to avoid blocking the main reactive flow.

		IMPORTANT: If your implementation is blocking (e.g., you fetch the user credentials from a database in a blocking way to check against the supplied authentication request), implement the api:security.authentication.provider.ExecutorAuthenticationProvider[] or api:security.authentication.provider.HttpRequestExecutorAuthenticationProvider[] interface. Those APIs specify the executor name, by default `TaskExecutors.BLOCKING`, where the code gets executed to avoid blocking the main reactive flow.