You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by pe...@apache.org on 2022/08/13 02:35:55 UTC
[pulsar] branch branch-2.10 updated: [improve][authentication] Support for get token from HTTP params (#16986)
This is an automated email from the ASF dual-hosted git repository.
penghui pushed a commit to branch branch-2.10
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-2.10 by this push:
new 743e821dc6a [improve][authentication] Support for get token from HTTP params (#16986)
743e821dc6a is described below
commit 743e821dc6a7fbaed56fba661c2814f8dd826968
Author: Zixuan Liu <no...@gmail.com>
AuthorDate: Sat Aug 13 10:35:50 2022 +0800
[improve][authentication] Support for get token from HTTP params (#16986)
---
.../authentication/AuthenticationDataHttps.java | 2 +-
.../AuthenticationProviderToken.java | 22 +++++++
.../AuthenticationProviderTokenTest.java | 68 +++++++++++++++++++---
3 files changed, 82 insertions(+), 10 deletions(-)
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataHttps.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataHttps.java
index ec4dc292c13..0c262f5c620 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataHttps.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataHttps.java
@@ -26,7 +26,7 @@ public class AuthenticationDataHttps extends AuthenticationDataHttp {
protected final X509Certificate[] certificates;
public AuthenticationDataHttps(HttpServletRequest request) {
- super(request);
+ super(new AuthenticationProviderToken.HttpServletRequestWrapper(request));
certificates = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
}
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java
index 451c63fb807..3943764f943 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java
@@ -38,6 +38,7 @@ import java.util.Date;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.net.ssl.SSLSession;
+import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.metrics.AuthenticationMetrics;
@@ -363,4 +364,25 @@ public class AuthenticationProviderToken implements AuthenticationProvider {
return expiration < System.currentTimeMillis();
}
}
+ public static final class HttpServletRequestWrapper extends javax.servlet.http.HttpServletRequestWrapper {
+ private final HttpServletRequest request;
+
+ public HttpServletRequestWrapper(HttpServletRequest request) {
+ super(request);
+ this.request = request;
+ }
+
+ @Override
+ public String getHeader(String name) {
+ // The browser javascript WebSocket client couldn't add the auth param to the request header, use the
+ // query param `token` to transport the auth token for the browser javascript WebSocket client.
+ if (name.equals(HTTP_HEADER_NAME) && request.getHeader(HTTP_HEADER_NAME) == null) {
+ String token = request.getParameter(TOKEN);
+ if (token != null) {
+ return !token.startsWith(HTTP_HEADER_VALUE_PREFIX) ? HTTP_HEADER_VALUE_PREFIX + token : token;
+ }
+ }
+ return super.getHeader(name);
+ }
+ }
}
diff --git a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTokenTest.java b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTokenTest.java
index 4d1de003875..6e7e267086e 100644
--- a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTokenTest.java
+++ b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTokenTest.java
@@ -19,12 +19,13 @@
package org.apache.pulsar.broker.authentication;
import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.mock;
import static org.testng.Assert.assertEquals;
import static org.testng.Assert.assertFalse;
import static org.testng.Assert.assertNotNull;
import static org.testng.Assert.assertTrue;
import static org.testng.Assert.fail;
-
import com.google.common.collect.Lists;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwt;
@@ -33,26 +34,24 @@ import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
-import java.security.Key;
-import java.util.Arrays;
-import java.util.List;
-import lombok.Cleanup;
-
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
+import java.security.Key;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.sql.Date;
+import java.util.Arrays;
import java.util.HashMap;
+import java.util.List;
import java.util.Optional;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
-
import javax.crypto.SecretKey;
import javax.naming.AuthenticationException;
-
+import javax.servlet.http.HttpServletRequest;
+import lombok.Cleanup;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils;
import org.apache.pulsar.common.api.AuthData;
@@ -815,7 +814,7 @@ public class AuthenticationProviderTokenTest {
ServiceConfiguration conf = new ServiceConfiguration();
conf.setProperties(properties);
- ServiceConfiguration mockConf = Mockito.mock(ServiceConfiguration.class);
+ ServiceConfiguration mockConf = mock(ServiceConfiguration.class);
String prefix = "test";
Mockito.when(mockConf.getProperty(anyString()))
@@ -842,6 +841,57 @@ public class AuthenticationProviderTokenTest {
.getProperty(prefix + AuthenticationProviderToken.CONF_TOKEN_AUDIENCE);
}
+ @Test
+ public void testTokenFromHttpParams() throws Exception {
+ SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
+
+ @Cleanup
+ AuthenticationProviderToken provider = new AuthenticationProviderToken();
+
+ Properties properties = new Properties();
+ properties.setProperty(AuthenticationProviderToken.CONF_TOKEN_SECRET_KEY,
+ AuthTokenUtils.encodeKeyBase64(secretKey));
+
+ ServiceConfiguration conf = new ServiceConfiguration();
+ conf.setProperties(properties);
+ provider.initialize(conf);
+
+ String token = AuthTokenUtils.createToken(secretKey, SUBJECT, Optional.empty());
+ HttpServletRequest servletRequest = mock(HttpServletRequest.class);
+ doReturn(token).when(servletRequest).getParameter("token");
+ doReturn(null).when(servletRequest).getHeader("Authorization");
+ doReturn("127.0.0.1").when(servletRequest).getRemoteAddr();
+ doReturn(0).when(servletRequest).getRemotePort();
+
+ AuthenticationDataHttps authenticationDataHttps = new AuthenticationDataHttps(servletRequest);
+ provider.authenticate(authenticationDataHttps);
+ }
+
+ @Test
+ public void testTokenFromHttpHeaders() throws Exception {
+ SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
+
+ @Cleanup
+ AuthenticationProviderToken provider = new AuthenticationProviderToken();
+
+ Properties properties = new Properties();
+ properties.setProperty(AuthenticationProviderToken.CONF_TOKEN_SECRET_KEY,
+ AuthTokenUtils.encodeKeyBase64(secretKey));
+
+ ServiceConfiguration conf = new ServiceConfiguration();
+ conf.setProperties(properties);
+ provider.initialize(conf);
+
+ String token = AuthTokenUtils.createToken(secretKey, SUBJECT, Optional.empty());
+ HttpServletRequest servletRequest = mock(HttpServletRequest.class);
+ doReturn("Bearer " + token).when(servletRequest).getHeader("Authorization");
+ doReturn("127.0.0.1").when(servletRequest).getRemoteAddr();
+ doReturn(0).when(servletRequest).getRemotePort();
+
+ AuthenticationDataHttps authenticationDataHttps = new AuthenticationDataHttps(servletRequest);
+ provider.authenticate(authenticationDataHttps);
+ }
+
private static String createTokenWithAudience(Key signingKey, String audienceClaim, List<String> audience) {
JwtBuilder builder = Jwts.builder()
.setSubject(SUBJECT)