Posted to commits@pulsar.apache.org by pe...@apache.org on 2020/12/21 11:59:28 UTC

[pulsar] 02/02: Improve error handling when broker doesn't trust client certificates (#8998)

This is an automated email from the ASF dual-hosted git repository.

penghui pushed a commit to branch branch-2.6
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit 56667b335c2043ea48afdc137724fdb732bae264
Author: Sijie Guo <si...@apache.org>
AuthorDate: Sun Dec 20 18:13:50 2020 -0800

    Improve error handling when broker doesn't trust client certificates (#8998)
    
    *Motivation*
    
    When TLS throws `SSLPeerUnverifiedException`, broker doesn't log any information and just returns `null`.
    It makes it very hard for users to debug the problem.
    
    *Changes*
    
    Improve the error handling when broker doesn't trust client certificates.
    
    See more details at https://github.com/apache/pulsar/issues/8963
    
    (cherry picked from commit a292b0ac5d123eeb9d95b9012ba5205a2e26d79f)
---
 .../apache/pulsar/broker/authentication/AuthenticationDataCommand.java | 3 +++
 .../apache/pulsar/broker/authentication/AuthenticationProviderTls.java | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataCommand.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataCommand.java
index 7299eae..efc3329 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataCommand.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataCommand.java
@@ -23,7 +23,9 @@ import java.security.cert.Certificate;
 
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
+import lombok.extern.slf4j.Slf4j;
 
+@Slf4j
 public class AuthenticationDataCommand implements AuthenticationDataSource {
     protected final String authData;
     protected final SocketAddress remoteAddress;
@@ -94,6 +96,7 @@ public class AuthenticationDataCommand implements AuthenticationDataSource {
         try {
             return sslSession.getPeerCertificates();
         } catch (SSLPeerUnverifiedException e) {
+            log.error("Failed to verify the peer's identity", e);
             return null;
         }
     }
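Review bot: The new log line at the `SSLPeerUnverifiedException` catch is emitted once per connection whose peer certificate cannot be verified, which any client without a trusted certificate can trigger, yet it carries nothing that identifies that client; the class already holds `remoteAddress` (visible in the first hunk), so the entry should include it so the event can be correlated with the connection, e.g. `log.error("Failed to verify the peer's identity for client {}", remoteAddress, e);`. Because this path is client-triggerable and logged at ERROR with a full stack trace, it is worth confirming whether the trace adds information over the exception message here, since a burst of connections without certificates will otherwise flood the broker log at the highest severity. The method whose `try` block this hunk shows starts outside the hunk, so its signature and the origin of `sslSession` are not visible in this view.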
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTls.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTls.java
index 077ade2..de04c8a 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTls.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTls.java
@@ -72,6 +72,9 @@ public class AuthenticationProviderTls implements AuthenticationProvider {
             // Example:
             // CN=Steve Kille,O=Isode Limited,C=GB
             Certificate[] certs = authData.getTlsCertificates();
+            if (null == certs) {
+                throw new AuthenticationException("Failed to get TLS certificates from client");
+            }
             String distinguishedName = ((X509Certificate) certs[0]).getSubjectX500Principal().getName();
             for (String keyValueStr : distinguishedName.split(",")) {
                 String[] keyValue = keyValueStr.split("=", 2);
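Review bot: The added guard rejects a `null` certificate array but not an empty one, so `certs[0]` on the following line still throws `ArrayIndexOutOfBoundsException` instead of the intended `AuthenticationException` when `getTlsCertificates()` returns a zero-length array; widen the check to `if (null == certs || certs.length == 0) {`. Whether an empty array can actually be returned depends on the `AuthenticationDataSource` implementation behind `authData`, which is not visible here, but the guard is cheap and keeps the failure in the authentication error path rather than an unchecked exception. The unchecked cast to `X509Certificate` on the next line is pre-existing and likewise outside what the guard covers. The enclosing method begins and ends outside the hunk.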