Posted to commits@pulsar.apache.org by ma...@apache.org on 2023/11/02 08:33:36 UTC

(pulsar) branch master updated: [fix][broker] Avoid pass null role in MultiRolesTokenAuthorizationProvider (#21486)

This is an automated email from the ASF dual-hosted git repository.

mattisonchao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new 1cbfb515ec4 [fix][broker] Avoid pass null role in MultiRolesTokenAuthorizationProvider (#21486)
1cbfb515ec4 is described below

commit 1cbfb515ec42065b42d2a77d4faaf8c4e8a21420
Author: Qiang Zhao <ma...@apache.org>
AuthorDate: Thu Nov 2 16:33:30 2023 +0800

    [fix][broker] Avoid pass null role in MultiRolesTokenAuthorizationProvider (#21486)
    
    Co-authored-by: Jiwe Guo <te...@apache.org>
---
 .../MultiRolesTokenAuthorizationProvider.java      |  9 +++++-
 .../MultiRolesTokenAuthorizationProviderTest.java  | 35 +++++++++++++++++++++-
 2 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
index 7d17d180cf1..fdab233a510 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
@@ -183,7 +183,14 @@ public class MultiRolesTokenAuthorizationProvider extends PulsarAuthorizationPro
 
         Jwt<?, Claims> jwt = parser.parseClaimsJwt(unsignedToken);
         try {
-            return new HashSet<>(Collections.singletonList(jwt.getBody().get(roleClaim, String.class)));
+            final String jwtRole = jwt.getBody().get(roleClaim, String.class);
+            if (jwtRole == null) {
+                if (log.isDebugEnabled()) {
+                    log.debug("Do not have corresponding claim in jwt token. claim={}", roleClaim);
+                }
+                return Collections.emptySet();
+            }
+            return new HashSet<>(Collections.singletonList(jwtRole));
         } catch (RequiredTypeException requiredTypeException) {
             try {
                 List list = jwt.getBody().get(roleClaim, List.class);
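Review bot: The new missing-claim branch returns `Collections.emptySet()`, an immutable set, while the line just below it still returns a mutable `new HashSet<>(...)`, so a caller that adds to or merges the returned roles would throw `UnsupportedOperationException` only when the claim is absent; returning `new HashSet<>()` keeps the return contract uniform across both branches. The `RequiredTypeException` path that re-reads the claim as a raw `List` starts on the hunk's last line and continues outside it, so it cannot be seen here whether a list that contains null entries gets the same filtering — it presumably needs an equivalent guard so sub-providers never see a null role via that route either. The debug message reads awkwardly; something like `log.debug("JWT has no '{}' claim; treating the token as carrying no roles", roleClaim)` says the same thing more plainly. The enclosing method begins and ends outside this hunk.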
diff --git a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
index c4fc35f6401..ed9626dffe2 100644
--- a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
+++ b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
@@ -32,7 +32,6 @@ import org.apache.pulsar.broker.authentication.AuthenticationDataSubscription;
 import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils;
 import org.apache.pulsar.broker.resources.PulsarResources;
 import org.testng.annotations.Test;
-
 import javax.crypto.SecretKey;
 import java.util.Set;
 import java.util.concurrent.CompletableFuture;
@@ -144,6 +143,40 @@ public class MultiRolesTokenAuthorizationProviderTest {
         }).get());
     }
 
+    @Test
+    public void testMultiRolesAuthzWithoutClaim() throws Exception {
+        final SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
+        final String testRole = "test-role";
+        // broker will use "sub" as the claim by default.
+        final String token = Jwts.builder()
+                .claim("whatever", testRole).signWith(secretKey).compact();
+        ServiceConfiguration conf = new ServiceConfiguration();
+        final MultiRolesTokenAuthorizationProvider provider = new MultiRolesTokenAuthorizationProvider();
+        provider.initialize(conf, mock(PulsarResources.class));
+        final AuthenticationDataSource ads = new AuthenticationDataSource() {
+            @Override
+            public boolean hasDataFromHttp() {
+                return true;
+            }
+
+            @Override
+            public String getHttpHeader(String name) {
+                if (name.equals("Authorization")) {
+                    return "Bearer " + token;
+                } else {
+                    throw new IllegalArgumentException("Wrong HTTP header");
+                }
+            }
+        };
+
+        assertFalse(provider.authorize("test", ads, role -> {
+            if (role == null) {
+                throw new IllegalStateException("We should avoid pass null to sub providers");
+            }
+            return CompletableFuture.completedFuture(role.equals(testRole));
+        }).get());
+    }
+
     @Test
     public void testMultiRolesAuthzWithAnonymousUser() throws Exception {
         @Cleanup
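Review bot: The anonymous `AuthenticationDataSource` that answers only the `Authorization` header looks like boilerplate the neighbouring tests in this class presumably repeat (their bodies are outside the hunk); extracting it into a private helper such as `bearerTokenSource(String token)` would keep each test focused on the scenario it checks. The `assertFalse` only shows that `authorize` resolved to `false`; the real guarantee of this test is the `IllegalStateException` thrown on a null `role`, which surfaces through `.get()` as an `ExecutionException`, so a one-line comment above the assertion stating that the sub-provider lambda must never be reached with a null role would make the intent explicit to the next reader. Minor style point: `ServiceConfiguration conf` is the only local in the test not declared `final`.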