This is an automated email from the ASF dual-hosted git repository.
zixuan pushed a commit to branch branch-2.11
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-2.11 by this push:
new 58aa8da2d52 [fix][authentication] Store the original authentication
data (#19519)
58aa8da2d52 is described below
commit 58aa8da2d52808aa49a8bb890428c8d695f86a4c
Author: Zixuan Liu <[email protected]>
AuthorDate: Thu Mar 2 17:52:43 2023 +0800
[fix][authentication] Store the original authentication data (#19519)
Signed-off-by: Zixuan Liu <[email protected]>
(cherry picked from commit 2d90089dfa2a6af99cfe257bd1f2b3d24166303a)
Signed-off-by: Zixuan Liu <[email protected]>
---
.../apache/pulsar/broker/service/ServerCnx.java | 25 +++++----
.../auth/MockAlwaysExpiredAuthenticationState.java | 60 ++--------------------
.../auth/MockMutableAuthenticationProvider.java | 32 ++++++++++++
...te.java => MockMutableAuthenticationState.java} | 27 ++++------
.../pulsar/broker/service/ServerCnxTest.java | 49 ++++++++++++++++++
5 files changed, 109 insertions(+), 84 deletions(-)
diff --git
a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
index 31e42df24f3..b71a7150f7d 100644
---
a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
+++
b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
@@ -679,20 +679,12 @@ public class ServerCnx extends PulsarHandler implements
TransportCnx {
// 2. an authentication refresh, in which case we need to refresh
authenticationData
String newAuthRole = authState.getAuthRole();
+ AuthenticationDataSource newAuthDataSource =
authState.getAuthDataSource();
- // Refresh the auth data.
- this.authenticationData = authState.getAuthDataSource();
- if (log.isDebugEnabled()) {
- log.debug("[{}] Auth data refreshed for role={}",
remoteAddress, this.authRole);
- }
-
+ // Set the auth data and auth role
if (!useOriginalAuthState) {
this.authRole = newAuthRole;
- }
-
- if (log.isDebugEnabled()) {
- log.debug("[{}] Client successfully authenticated with {} role
{} and originalPrincipal {}",
- remoteAddress, authMethod, this.authRole,
originalPrincipal);
+ this.authenticationData = newAuthDataSource;
}
if (state != State.Connected) {
@@ -712,7 +704,18 @@ public class ServerCnx extends PulsarHandler implements
TransportCnx {
maybeScheduleAuthenticationCredentialsRefresh();
}
completeConnect(clientProtocolVersion, clientVersion,
enableSubscriptionPatternEvaluation);
+ if (log.isDebugEnabled()) {
+ log.debug("[{}] Client successfully authenticated with {}
role {} and originalPrincipal {}",
+ remoteAddress, authMethod, this.authRole,
originalPrincipal);
+ }
} else {
+ // Refresh the auth data
+ if (!useOriginalAuthState) {
+ this.authenticationData = newAuthDataSource;
+ } else {
+ this.originalAuthData = newAuthDataSource;
+ }
+
// If the connection was already ready, it means we're doing a
refresh
if (!StringUtils.isEmpty(authRole)) {
if (!authRole.equals(newAuthRole)) {
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockAlwaysExpiredAuthenticationState.java
b/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockAlwaysExpiredAuthenticationState.java
index b1c4a4d1f75..ad03ddb925a 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockAlwaysExpiredAuthenticationState.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockAlwaysExpiredAuthenticationState.java
@@ -18,67 +18,15 @@
*/
package org.apache.pulsar.broker.auth;
-import org.apache.pulsar.broker.authentication.AuthenticationDataCommand;
-import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
-import org.apache.pulsar.broker.authentication.AuthenticationState;
-import org.apache.pulsar.common.api.AuthData;
-
-import javax.naming.AuthenticationException;
-import java.util.concurrent.CompletableFuture;
-
-import static java.nio.charset.StandardCharsets.UTF_8;
+import org.apache.pulsar.broker.authentication.AuthenticationProvider;
/**
* Class to use when verifying the behavior around expired authentication data
because it will always return
* true when isExpired is called.
*/
-public class MockAlwaysExpiredAuthenticationState implements
AuthenticationState {
- final MockAlwaysExpiredAuthenticationProvider provider;
- AuthenticationDataSource authenticationDataSource;
- volatile String authRole;
-
-
MockAlwaysExpiredAuthenticationState(MockAlwaysExpiredAuthenticationProvider
provider) {
- this.provider = provider;
- }
-
-
- @Override
- public String getAuthRole() throws AuthenticationException {
- if (authRole == null) {
- throw new AuthenticationException("Must authenticate first.");
- }
- return authRole;
- }
-
- @Override
- public AuthData authenticate(AuthData authData) throws
AuthenticationException {
- authenticationDataSource = new AuthenticationDataCommand(new
String(authData.getBytes(), UTF_8));
- authRole = provider.authenticate(authenticationDataSource);
- return null;
- }
-
- /**
- * This authentication is always single stage, so it returns immediately
- */
- @Override
- public CompletableFuture<AuthData> authenticateAsync(AuthData authData) {
- authenticationDataSource = new AuthenticationDataCommand(new
String(authData.getBytes(), UTF_8));
- return provider
- .authenticateAsync(authenticationDataSource)
- .thenApply(role -> {
- authRole = role;
- return null;
- });
- }
-
- @Override
- public AuthenticationDataSource getAuthDataSource() {
- return authenticationDataSource;
- }
-
- @Override
- public boolean isComplete() {
- return authRole != null;
+public class MockAlwaysExpiredAuthenticationState extends
MockMutableAuthenticationState {
+ MockAlwaysExpiredAuthenticationState(AuthenticationProvider provider) {
+ super(provider);
}
@Override
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockMutableAuthenticationProvider.java
b/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockMutableAuthenticationProvider.java
new file mode 100644
index 00000000000..01d56f891e2
--- /dev/null
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockMutableAuthenticationProvider.java
@@ -0,0 +1,32 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.broker.auth;
+
+import org.apache.pulsar.broker.authentication.AuthenticationState;
+import org.apache.pulsar.common.api.AuthData;
+import javax.net.ssl.SSLSession;
+import java.net.SocketAddress;
+
+public class MockMutableAuthenticationProvider extends
MockAuthenticationProvider {
+ public AuthenticationState newAuthState(AuthData authData,
+ SocketAddress remoteAddress,
+ SSLSession sslSession) {
+ return new MockMutableAuthenticationState(this);
+ }
+}
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockAlwaysExpiredAuthenticationState.java
b/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockMutableAuthenticationState.java
similarity index 80%
copy from
pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockAlwaysExpiredAuthenticationState.java
copy to
pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockMutableAuthenticationState.java
index b1c4a4d1f75..c04913a1fd8 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockAlwaysExpiredAuthenticationState.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockMutableAuthenticationState.java
@@ -18,30 +18,25 @@
*/
package org.apache.pulsar.broker.auth;
+import static java.nio.charset.StandardCharsets.UTF_8;
+import javax.naming.AuthenticationException;
+import java.util.concurrent.CompletableFuture;
import org.apache.pulsar.broker.authentication.AuthenticationDataCommand;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
+import org.apache.pulsar.broker.authentication.AuthenticationProvider;
import org.apache.pulsar.broker.authentication.AuthenticationState;
import org.apache.pulsar.common.api.AuthData;
-import javax.naming.AuthenticationException;
-import java.util.concurrent.CompletableFuture;
-
-import static java.nio.charset.StandardCharsets.UTF_8;
-
-/**
- * Class to use when verifying the behavior around expired authentication data
because it will always return
- * true when isExpired is called.
- */
-public class MockAlwaysExpiredAuthenticationState implements
AuthenticationState {
- final MockAlwaysExpiredAuthenticationProvider provider;
+// MockMutableAuthenticationState always update the authentication data source
and auth role.
+public class MockMutableAuthenticationState implements AuthenticationState {
+ final AuthenticationProvider provider;
AuthenticationDataSource authenticationDataSource;
volatile String authRole;
-
MockAlwaysExpiredAuthenticationState(MockAlwaysExpiredAuthenticationProvider
provider) {
+ MockMutableAuthenticationState(AuthenticationProvider provider) {
this.provider = provider;
}
-
@Override
public String getAuthRole() throws AuthenticationException {
if (authRole == null) {
@@ -52,8 +47,6 @@ public class MockAlwaysExpiredAuthenticationState implements
AuthenticationState
@Override
public AuthData authenticate(AuthData authData) throws
AuthenticationException {
- authenticationDataSource = new AuthenticationDataCommand(new
String(authData.getBytes(), UTF_8));
- authRole = provider.authenticate(authenticationDataSource);
return null;
}
@@ -78,11 +71,11 @@ public class MockAlwaysExpiredAuthenticationState
implements AuthenticationState
@Override
public boolean isComplete() {
- return authRole != null;
+ return true;
}
@Override
public boolean isExpired() {
- return true;
+ return false;
}
}
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/broker/service/ServerCnxTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/broker/service/ServerCnxTest.java
index cccc6eb59ed..437a55103bf 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/broker/service/ServerCnxTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/broker/service/ServerCnxTest.java
@@ -82,6 +82,7 @@ import org.apache.bookkeeper.mledger.impl.PositionImpl;
import org.apache.pulsar.broker.PulsarService;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.auth.MockAlwaysExpiredAuthenticationProvider;
+import org.apache.pulsar.broker.auth.MockMutableAuthenticationProvider;
import org.apache.pulsar.broker.authentication.AuthenticationDataSubscription;
import org.apache.pulsar.broker.TransactionMetadataStoreService;
import org.apache.pulsar.broker.auth.MockAuthenticationProvider;
@@ -1076,6 +1077,54 @@ public class ServerCnxTest {
}));
}
+ @Test
+ public void testRefreshOriginalPrincipalWithAuthDataForwardedFromProxy()
throws Exception {
+ AuthenticationService authenticationService =
mock(AuthenticationService.class);
+ AuthenticationProvider authenticationProvider = new
MockMutableAuthenticationProvider();
+ String authMethodName = authenticationProvider.getAuthMethodName();
+
when(brokerService.getAuthenticationService()).thenReturn(authenticationService);
+
when(authenticationService.getAuthenticationProvider(authMethodName)).thenReturn(authenticationProvider);
+ svcConfig.setAuthenticationEnabled(true);
+ svcConfig.setAuthenticateOriginalAuthData(true);
+ svcConfig.setProxyRoles(Collections.singleton("pass.proxy"));
+
+ resetChannel();
+ assertTrue(channel.isActive());
+ assertEquals(serverCnx.getState(), State.Start);
+
+ String proxyRole = "pass.proxy";
+ String clientRole = "pass.client";
+ ByteBuf connect = Commands.newConnect(authMethodName, proxyRole,
"test", "localhost",
+ clientRole, clientRole, authMethodName);
+ channel.writeInbound(connect);
+ Object connectResponse = getResponse();
+ assertTrue(connectResponse instanceof CommandConnected);
+ assertEquals(serverCnx.getOriginalAuthData().getCommandData(),
clientRole);
+ assertEquals(serverCnx.getOriginalAuthState().getAuthRole(),
clientRole);
+ assertEquals(serverCnx.getOriginalPrincipal(), clientRole);
+ assertEquals(serverCnx.getAuthData().getCommandData(), proxyRole);
+ assertEquals(serverCnx.getAuthRole(), proxyRole);
+ assertEquals(serverCnx.getAuthState().getAuthRole(), proxyRole);
+
+ // Request refreshing the original auth.
+ // Expected:
+ // 1. Original role and original data equals to
"pass.RefreshOriginAuthData".
+ // 2. The broker disconnects the client, because the new role doesn't
equal the old role.
+ String newClientRole = "pass.RefreshOriginAuthData";
+ ByteBuf refreshAuth = Commands.newAuthResponse(authMethodName,
+ AuthData.of(newClientRole.getBytes(StandardCharsets.UTF_8)),
0, "test");
+ channel.writeInbound(refreshAuth);
+
+ assertEquals(serverCnx.getOriginalAuthData().getCommandData(),
newClientRole);
+ assertEquals(serverCnx.getOriginalAuthState().getAuthRole(),
newClientRole);
+ assertEquals(serverCnx.getAuthData().getCommandData(), proxyRole);
+ assertEquals(serverCnx.getAuthRole(), proxyRole);
+ assertEquals(serverCnx.getAuthState().getAuthRole(), proxyRole);
+
+ assertFalse(channel.isOpen());
+ assertFalse(channel.isActive());
+ }
+
@Test(timeOut = 30000)
public void testProducerCommand() throws Exception {
resetChannel();
