Posted to commits@pulsar.apache.org by gu...@apache.org on 2020/11/12 01:56:18 UTC

[pulsar-manager] branch master updated: When user management is disabled login fails (#351)

This is an automated email from the ASF dual-hosted git repository.

guangning pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar-manager.git


The following commit(s) were added to refs/heads/master by this push:
     new 609510f  When user management is disabled login fails (#351)
609510f is described below

commit 609510f0d95fd426577e1521073628e9db6e6b81
Author: Stepan <ts...@gmail.com>
AuthorDate: Thu Nov 12 04:54:16 2020 +0300

    When user management is disabled login fails (#351)
    
    **Fixes #347**
    
    ### Motivation
    
    Bug. If user management is turned off, the user has no way to log in, as the default credentials do not pass login validation.
    
    ### Modifications
    
    When check for super user is being performed and user management is disabled then use token generated for default credentials which are defined in properties file.
---
 .../manager/service/impl/RolesServiceImpl.java     | 19 +++++++++++
 .../manager/service/RolesServiceImplTest.java      | 38 +++++++++++++++++++++-
 2 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/apache/pulsar/manager/service/impl/RolesServiceImpl.java b/src/main/java/org/apache/pulsar/manager/service/impl/RolesServiceImpl.java
index cd6f61f..7c99587 100644
--- a/src/main/java/org/apache/pulsar/manager/service/impl/RolesServiceImpl.java
+++ b/src/main/java/org/apache/pulsar/manager/service/impl/RolesServiceImpl.java
@@ -31,13 +31,18 @@ import org.apache.pulsar.manager.entity.TenantsRepository;
 import org.apache.pulsar.manager.entity.UserInfoEntity;
 import org.apache.pulsar.manager.entity.UsersRepository;
 import org.apache.pulsar.manager.service.ClustersService;
+import org.apache.pulsar.manager.service.JwtService;
 import org.apache.pulsar.manager.service.RolesService;
 import org.apache.pulsar.manager.service.TenantsService;
 import org.apache.pulsar.manager.utils.ResourceType;
 import org.apache.pulsar.manager.utils.ResourceVerbs;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 
+import javax.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -47,6 +52,8 @@ import java.util.Optional;
 import java.util.Set;
 import java.util.regex.Pattern;
 
+import static java.util.Objects.requireNonNull;
+
 @Slf4j
 @Service
 public class RolesServiceImpl implements RolesService {
@@ -75,6 +82,12 @@ public class RolesServiceImpl implements RolesService {
     @Autowired
     private NamespacesRepository namespacesRepository;
 
+    @Autowired
+    private JwtService jwtService;
+
+    @Value("${user.management.enable}")
+    private boolean userManagementEnabled;
+
     private final String VERBS_SEPARATOR = ",";
 
     private static final Pattern pattern = Pattern.compile("[A-Za-z0-9_]+");
@@ -247,7 +260,13 @@ public class RolesServiceImpl implements RolesService {
         result.put("message", "Validate tenant success");
         return result;
     }
+
     public boolean isSuperUser(String token) {
+        if (!userManagementEnabled) {
+            HttpServletRequest request = requireNonNull((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
+            String serverToken = jwtService.getToken(request.getSession().getId());
+            return StringUtils.equalsIgnoreCase(serverToken, token);
+        }
         Optional<UserInfoEntity> userInfoEntityOptional = usersRepository.findByAccessToken(token);
         if (!userInfoEntityOptional.isPresent()) {
             return false;
diff --git a/src/test/java/org/apache/pulsar/manager/service/RolesServiceImplTest.java b/src/test/java/org/apache/pulsar/manager/service/RolesServiceImplTest.java
index 604ec3d..071fb37 100644
--- a/src/test/java/org/apache/pulsar/manager/service/RolesServiceImplTest.java
+++ b/src/test/java/org/apache/pulsar/manager/service/RolesServiceImplTest.java
@@ -31,17 +31,27 @@ import org.apache.pulsar.manager.utils.ResourceVerbs;
 import org.junit.Assert;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.mockito.Mockito;
 import org.powermock.core.classloader.annotations.PowerMockIgnore;
 import org.powermock.core.classloader.annotations.PrepareForTest;
 import org.powermock.modules.junit4.PowerMockRunner;
 import org.powermock.modules.junit4.PowerMockRunnerDelegate;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.util.ReflectionTestUtils;
 
 import java.util.Map;
 
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
 @RunWith(PowerMockRunner.class)
 @PowerMockRunnerDelegate(SpringRunner.class)
 @PowerMockIgnore( {"javax.*", "sun.*", "com.sun.*", "org.xml.*", "org.w3c.*"})
@@ -73,6 +83,9 @@ public class RolesServiceImplTest {
     @Autowired
     private NamespacesRepository namespacesRepository;
 
+    @MockBean
+    private JwtService jwtService;
+
     @Test
     public void validateRoleInfoEntityTest() {
         RoleInfoEntity roleInfoEntity = new RoleInfoEntity();
@@ -126,7 +139,7 @@ public class RolesServiceImplTest {
 
         roleInfoEntity.setResourceVerbs("xxxx");
         Map<String, String> stringMapVerbs = rolesService.validateRoleInfoEntity(roleInfoEntity);
-        Assert.assertTrue(stringMapVerbs.get("error").startsWith("Verb"));
+        assertTrue(stringMapVerbs.get("error").startsWith("Verb"));
 
         roleInfoEntity.setResourceType(ResourceType.TOPICS.name());
         roleInfoEntity.setResourceVerbs(ResourceVerbs.ADMIN.name());
@@ -186,4 +199,27 @@ public class RolesServiceImplTest {
                 "test-access-token", "test-tenant");
         Assert.assertEquals(currentTenantValidateSuccess.get("message"), "Validate tenant success");
     }
+
+    @Test
+    public void isSuperUser_Permits_ifUserManagementIsOff_andDefaultUserIsUsed() {
+        ReflectionTestUtils.setField(rolesService, "userManagementEnabled", false);
+        String account = "pulsar";
+        String password = "pulsar";
+        String token = jwtService.toToken(account + "-" + password);
+
+        when(jwtService.getToken(Mockito.anyString())).thenReturn(token);
+        assertTrue(rolesService.isSuperUser(token));
+        ReflectionTestUtils.setField(rolesService, "userManagementEnabled", true);
+    }
+
+    @Test
+    public void isSuperUser_Forbids_ifUserManagementIsOn_andDefaultUserIsUsed() {
+        String account = "pulsar";
+        String password = "pulsar";
+        String token = jwtService.toToken(account + "-" + password);
+
+        assertFalse(rolesService.isSuperUser(token));
+        verify(jwtService, never()).getToken(anyString());
+    }
+
 }
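Review bot: In isSuperUser_Permits_ifUserManagementIsOff_andDefaultUserIsUsed, `jwtService` is a `@MockBean` and `toToken` is never stubbed, so `token` is presumably null; the test then stubs `getToken` to return that same null and the production comparison `equalsIgnoreCase(null, null)` is true, which makes the assertion pass without exercising a real token. Use a literal, e.g. `String token = "test-default-user-token";`, stub `when(jwtService.getToken(anyString())).thenReturn(token);`, and add a negative case `assertFalse(rolesService.isSuperUser("other-token"));` so the check is shown to reject a non-matching token. The same null-token concern applies to isSuperUser_Forbids_ifUserManagementIsOn_andDefaultUserIsUsed. Separately, the reset `ReflectionTestUtils.setField(rolesService, "userManagementEnabled", true);` only runs when the assertion succeeds; move it into a `finally` block (or an `@After` method) so a failing assertion does not leave the shared Spring bean with user management disabled for the remaining tests.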