You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2018/12/13 15:26:21 UTC

[GitHub] sijie closed pull request #3187: Enable specifying allowed offset when verifying athenz role token

sijie closed pull request #3187: Enable specifying allowed offset when verifying athenz role token
URL: https://github.com/apache/pulsar/pull/3187
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/pulsar-broker-auth-athenz/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenz.java b/pulsar-broker-auth-athenz/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenz.java
index c2cf45da15..955a96d3a0 100644
--- a/pulsar-broker-auth-athenz/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenz.java
+++ b/pulsar-broker-auth-athenz/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenz.java
@@ -31,6 +31,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.Lists;
 import com.yahoo.athenz.auth.token.RoleToken;
 import com.yahoo.athenz.zpe.AuthZpeClient;
@@ -41,8 +42,10 @@
     private static final String DOMAIN_NAME_LIST = "athenzDomainNames";
 
     private static final String SYS_PROP_DOMAIN_NAME_LIST = "pulsar.athenz.domain.names";
+    private static final String SYS_PROP_ALLOWED_OFFSET = "pulsar.athenz.role.token_allowed_offset";
 
     private List<String> domainNameList = null;
+    private int allowedOffset = 30;
 
     @Override
     public void initialize(ServiceConfiguration config) throws IOException {
@@ -57,6 +60,20 @@ public void initialize(ServiceConfiguration config) throws IOException {
 
         domainNameList = Lists.newArrayList(domainNames.split(","));
         log.info("Supported domain names for athenz: {}", domainNameList);
+
+        if (!StringUtils.isEmpty(System.getProperty(SYS_PROP_ALLOWED_OFFSET))) {
+            try {
+                allowedOffset = Integer.parseInt(System.getProperty(SYS_PROP_ALLOWED_OFFSET));
+            } catch (NumberFormatException e) {
+                throw new IOException("Invalid allowed offset for athenz role token verification specified", e);
+            }
+
+            if (allowedOffset < 0) {
+                throw new IOException("Allowed offset for athenz role token verification must not be negative");
+            }
+        }
+
+        log.info("Allowed offset for athenz role token verification: {} sec", allowedOffset);
     }
 
     @Override
@@ -103,7 +120,6 @@ public String authenticate(AuthenticationDataSource authData) throws Authenticat
         // Synchronize for non-thread safe static calls inside athenz library
         synchronized (this) {
             PublicKey ztsPublicKey = AuthZpeClient.getZtsPublicKey(token.getKeyId());
-            int allowedOffset = 0;
 
             if (ztsPublicKey == null) {
                 throw new AuthenticationException("Unable to retrieve ZTS Public Key");
@@ -123,5 +139,10 @@ public String authenticate(AuthenticationDataSource authData) throws Authenticat
     public void close() throws IOException {
     }
 
+    @VisibleForTesting
+    int getAllowedOffset() {
+        return this.allowedOffset;
+    }
+
     private static final Logger log = LoggerFactory.getLogger(AuthenticationProviderAthenz.class);
 }
diff --git a/pulsar-broker-auth-athenz/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenzTest.java b/pulsar-broker-auth-athenz/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenzTest.java
index 1946a014e7..b56021bb69 100644
--- a/pulsar-broker-auth-athenz/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenzTest.java
+++ b/pulsar-broker-auth-athenz/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenzTest.java
@@ -29,6 +29,7 @@
 import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
 import org.apache.pulsar.broker.authentication.AuthenticationProviderAthenz;
 
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
@@ -70,12 +71,38 @@ public void testInitilizeFromSystemPropeties() {
         ServiceConfiguration emptyConf = new ServiceConfiguration();
         Properties emptyProp = new Properties();
         emptyConf.setProperties(emptyProp);
-        AuthenticationProviderAthenz sysPropProvider = new AuthenticationProviderAthenz();
+        AuthenticationProviderAthenz sysPropProvider1 = new AuthenticationProviderAthenz();
         try {
-            sysPropProvider.initialize(emptyConf);
+            sysPropProvider1.initialize(emptyConf);
+            assertEquals(sysPropProvider1.getAllowedOffset(), 30); // default allowed offset is 30 sec
         } catch (Exception e) {
             fail("Fail to Read pulsar.athenz.domain.names from System Properties");
         }
+
+        System.setProperty("pulsar.athenz.role.token_allowed_offset", "0");
+        AuthenticationProviderAthenz sysPropProvider2 = new AuthenticationProviderAthenz();
+        try {
+            sysPropProvider2.initialize(config);
+            assertEquals(sysPropProvider2.getAllowedOffset(), 0);
+        } catch (Exception e) {
+            fail("Failed to get allowd offset from system property");
+        }
+
+        System.setProperty("pulsar.athenz.role.token_allowed_offset", "invalid");
+        AuthenticationProviderAthenz sysPropProvider3 = new AuthenticationProviderAthenz();
+        try {
+            sysPropProvider3.initialize(config);
+            fail("Invalid allowed offset should not be specified");
+        } catch (IOException e) {
+        }
+
+        System.setProperty("pulsar.athenz.role.token_allowed_offset", "-1");
+        AuthenticationProviderAthenz sysPropProvider4 = new AuthenticationProviderAthenz();
+        try {
+            sysPropProvider4.initialize(config);
+            fail("Negative allowed offset should not be specified");
+        } catch (IOException e) {
+        }
     }
 
     @Test
@@ -133,4 +160,4 @@ public void testAuthenticateSignedTokenWithDifferentDomain() throws Exception {
             // OK, expected
         }
     }
-}
\ No newline at end of file
+}


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services