Posted to commits@pulsar.apache.org by ma...@apache.org on 2023/11/02 08:33:36 UTC
(pulsar) branch master updated: [fix][broker] Avoid pass null role in MultiRolesTokenAuthorizationProvider (#21486)
This is an automated email from the ASF dual-hosted git repository.
mattisonchao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 1cbfb515ec4 [fix][broker] Avoid pass null role in MultiRolesTokenAuthorizationProvider (#21486)
1cbfb515ec4 is described below
commit 1cbfb515ec42065b42d2a77d4faaf8c4e8a21420
Author: Qiang Zhao <ma...@apache.org>
AuthorDate: Thu Nov 2 16:33:30 2023 +0800
[fix][broker] Avoid pass null role in MultiRolesTokenAuthorizationProvider (#21486)
Co-authored-by: Jiwe Guo <te...@apache.org>
---
.../MultiRolesTokenAuthorizationProvider.java | 9 +++++-
.../MultiRolesTokenAuthorizationProviderTest.java | 35 +++++++++++++++++++++-
2 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
index 7d17d180cf1..fdab233a510 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
@@ -183,7 +183,14 @@ public class MultiRolesTokenAuthorizationProvider extends PulsarAuthorizationPro
Jwt<?, Claims> jwt = parser.parseClaimsJwt(unsignedToken);
try {
- return new HashSet<>(Collections.singletonList(jwt.getBody().get(roleClaim, String.class)));
+ final String jwtRole = jwt.getBody().get(roleClaim, String.class);
+ if (jwtRole == null) {
+ if (log.isDebugEnabled()) {
+ log.debug("Do not have corresponding claim in jwt token. claim={}", roleClaim);
+ }
+ return Collections.emptySet();
+ }
+ return new HashSet<>(Collections.singletonList(jwtRole));
} catch (RequiredTypeException requiredTypeException) {
try {
List list = jwt.getBody().get(roleClaim, List.class);
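Review bot: The new null branch returns `Collections.emptySet()`, which is immutable, while the non-null path on the next line returns a mutable `new HashSet<>(...)`; a caller that adds to or merges the returned roles would hit UnsupportedOperationException only in the missing-claim case. If callers only iterate the set this is harmless, but `return new HashSet<>();` keeps the return contract uniform across branches, and the List branch below (whose remainder is outside the hunk) presumably also yields a mutable set. A one-line comment such as `// No role claim present: return an empty set so authorize() fails closed instead of passing null downstream` would also make the intent of the early return explicit. The enclosing method continues past the end of the hunk.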
diff --git a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
index c4fc35f6401..ed9626dffe2 100644
--- a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
+++ b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
@@ -32,7 +32,6 @@ import org.apache.pulsar.broker.authentication.AuthenticationDataSubscription;
import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils;
import org.apache.pulsar.broker.resources.PulsarResources;
import org.testng.annotations.Test;
-
import javax.crypto.SecretKey;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
@@ -144,6 +143,40 @@ public class MultiRolesTokenAuthorizationProviderTest {
}).get());
}
+ @Test
+ public void testMultiRolesAuthzWithoutClaim() throws Exception {
+ final SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
+ final String testRole = "test-role";
+ // broker will use "sub" as the claim by default.
+ final String token = Jwts.builder()
+ .claim("whatever", testRole).signWith(secretKey).compact();
+ ServiceConfiguration conf = new ServiceConfiguration();
+ final MultiRolesTokenAuthorizationProvider provider = new MultiRolesTokenAuthorizationProvider();
+ provider.initialize(conf, mock(PulsarResources.class));
+ final AuthenticationDataSource ads = new AuthenticationDataSource() {
+ @Override
+ public boolean hasDataFromHttp() {
+ return true;
+ }
+
+ @Override
+ public String getHttpHeader(String name) {
+ if (name.equals("Authorization")) {
+ return "Bearer " + token;
+ } else {
+ throw new IllegalArgumentException("Wrong HTTP header");
+ }
+ }
+ };
+
+ assertFalse(provider.authorize("test", ads, role -> {
+ if (role == null) {
+ throw new IllegalStateException("We should avoid pass null to sub providers");
+ }
+ return CompletableFuture.completedFuture(role.equals(testRole));
+ }).get());
+ }
+
@Test
public void testMultiRolesAuthzWithAnonymousUser() throws Exception {
@Cleanup