[improve][broker] ServerCnx: go to Failed state when auth fails (apac…
…he#19312) PIP: apache#12105 When authentication fails in the `ServerCnx`, the state is left in `Start` if the primary `authData` fails authentication and in `Connecting` or `Connected` if the `originalAuthData` authentication fails. To prevent any kind of unexpected behavior, we should go to `Failed` state. Note that the tests verify the current behavior where a failed `originalAuthData` results first in a `Connected` command from the broker and then an `Error` command. I documented that I think this is sub optimal here apache#19311. * Update `ServerCnx` state to `Failed` when there is an authentication exception during `handleConnect` and during `handleAuthResponse`. * Update `handleAuthResponse` reply to `"Unable to authenticate"` instead of the `AuthenticationState` exception. A new test is added. The added test covers the change made in apache#19295 where we updated `ServerCnx` so that we call `AuthState#authenticate` instead of relying on the implementation detail that the initialization calls `authenticate`. That PR should have added a test. This is not a breaking change. - [x] `doc-not-needed` PR in forked repository: #18 (cherry picked from commit 8049690) (cherry picked from commit 3ef3bf1) (cherry picked from commit 467cd32)
1 parent
85f0a85
commit 94de805
Showing
5 changed files
with
206 additions
and
2 deletions.
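--- a/...ker/src/test/java/org/apache/pulsar/broker/auth/MockMultiStageAuthenticationProvider.java
+++ b/...ker/src/test/java/org/apache/pulsar/broker/auth/MockMultiStageAuthenticationProvider.java
@@ -0,0 +1,45 @@
+/**
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+package org.apache.pulsar.broker.auth;
+
+import javax.naming.AuthenticationException;
+import javax.net.ssl.SSLSession;
+import java.net.SocketAddress;
+import org.apache.pulsar.broker.authentication.AuthenticationState;
+import org.apache.pulsar.common.api.AuthData;
+
+/**
+* Class that provides the same authentication semantics as the {@link MockAuthenticationProvider} except
+* that this one initializes the {@link MockMultiStageAuthenticationState} class to support testing
+* multistage authentication.
+*/
+public class MockMultiStageAuthenticationProvider extends MockAuthenticationProvider {
+
+@Override
+public String getAuthMethodName() {
+return "multi-stage";
+}
+
+@Override
+public AuthenticationState newAuthState(AuthData authData,
+SocketAddress remoteAddress,
+SSLSession sslSession) throws AuthenticationException {
+return new MockMultiStageAuthenticationState(this);
+}
+}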
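Review bot: `newAuthState` ignores `authData`, `remoteAddress` and `sslSession` and returns a state that has not authenticated anything yet, and nothing in the method says this is intended. Going by the commit description, the caller is expected to invoke `AuthenticationState#authenticate` itself, so a one-line comment above the `return` would make that contract explicit: `// Does not authenticate authData here; the caller must call authenticate() on the returned state.` Without it a reader could assume the initial credentials were already checked when the state is constructed.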
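--- a/...broker/src/test/java/org/apache/pulsar/broker/auth/MockMultiStageAuthenticationState.java
+++ b/...broker/src/test/java/org/apache/pulsar/broker/auth/MockMultiStageAuthenticationState.java
@@ -0,0 +1,76 @@
+/**
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+package org.apache.pulsar.broker.auth;
+
+import org.apache.pulsar.broker.authentication.AuthenticationDataCommand;
+import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
+import org.apache.pulsar.broker.authentication.AuthenticationState;
+import org.apache.pulsar.common.api.AuthData;
+
+import javax.naming.AuthenticationException;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+/**
+* Performs multistage authentication by extending the paradigm created in {@link MockAuthenticationProvider}.
+*/
+public class MockMultiStageAuthenticationState implements AuthenticationState {
+
+private final MockMultiStageAuthenticationProvider provider;
+private String authRole = null;
+
+MockMultiStageAuthenticationState(MockMultiStageAuthenticationProvider provider) {
+this.provider = provider;
+}
+
+@Override
+public String getAuthRole() throws AuthenticationException {
+if (authRole == null) {
+throw new AuthenticationException("Must authenticate first");
+}
+return null;
+}
+
+@Override
+public AuthData authenticate(AuthData authData) throws AuthenticationException {
+String data = new String(authData.getBytes(), UTF_8);
+String[] parts = data.split("\\.");
+if (parts.length == 2) {
+if ("challenge".equals(parts[0])) {
+return AuthData.of("challenged".getBytes());
+} else {
+AuthenticationDataCommand command = new AuthenticationDataCommand(data);
+authRole = provider.authenticate(command);
+// Auth successful, no more auth required
+return null;
+}
+}
+throw new AuthenticationException("Failed to authenticate");
+}
+
+@Override
+public AuthenticationDataSource getAuthDataSource() {
+return null;
+}
+
+@Override
+public boolean isComplete() {
+return authRole != null;
+}
+}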
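Review bot: `getAuthRole()` ends with `return null;` after the null check, so it never returns the role that `authenticate` stored in `authRole`; the last line should be `return authRole;`. As written, any test that reads the role from this state after a successful multi-stage exchange gets null, which could hide a regression in how the broker assigns the authenticated principal. Separately, `"challenged".getBytes()` encodes with the platform default charset while the incoming data is decoded with `UTF_8`; `"challenged".getBytes(UTF_8)` would keep both directions consistent.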