This is an automated email from the ASF dual-hosted git repository.
alexey pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/master by this push:
new 24f85ce [security] handle a few unexpected authn token conditions
24f85ce is described below
commit 24f85cedcd47e585ea9c308c317da963c5ab8fa9
Author: Alexey Serbin <[email protected]>
AuthorDate: Wed Feb 23 21:22:23 2022 -0800
[security] handle a few unexpected authn token conditions
This patch addresses a few unexpected error conditions in the
server-side negotiation code when authenticating a client with
its authn token.
I didn't add any tests since there is no mock for the corresponding
client side and implementing it from scratch just to verify these
two simple cases looked like an overkill.
Change-Id: Ic05ff6a9b289877d8440b94f00b2375da938c901
Reviewed-on: http://gerrit.cloudera.org:8080/18271
Tested-by: Alexey Serbin <[email protected]>
Reviewed-by: Attila Bukor <[email protected]>
Reviewed-by: Andrew Wong <[email protected]>
---
src/kudu/rpc/server_negotiation.cc | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/src/kudu/rpc/server_negotiation.cc
b/src/kudu/rpc/server_negotiation.cc
index bcbebf6..025c36a 100644
--- a/src/kudu/rpc/server_negotiation.cc
+++ b/src/kudu/rpc/server_negotiation.cc
@@ -688,12 +688,17 @@ Status ServerNegotiation::AuthenticateByToken(faststring*
recv_buf) {
NegotiatePB pb;
RETURN_NOT_OK(RecvNegotiatePB(&pb, recv_buf));
- if (pb.step() != NegotiatePB::TOKEN_EXCHANGE) {
- Status s = Status::NotAuthorized("expected TOKEN_EXCHANGE step",
-
NegotiatePB::NegotiateStep_Name(pb.step()));
+ if (PREDICT_FALSE(pb.step() != NegotiatePB::TOKEN_EXCHANGE)) {
+ const auto s = Status::NotAuthorized("expected TOKEN_EXCHANGE step",
+
NegotiatePB::NegotiateStep_Name(pb.step()));
+ RETURN_NOT_OK(SendError(ErrorStatusPB::FATAL_UNAUTHORIZED, s));
+ return s;
}
- if (!pb.has_authn_token()) {
- Status s = Status::NotAuthorized("TOKEN_EXCHANGE message must include an
authentication token");
+ if (PREDICT_FALSE(!pb.has_authn_token())) {
+ const auto s = Status::NotAuthorized(
+ "TOKEN_EXCHANGE message must include an authentication token");
+ RETURN_NOT_OK(SendError(ErrorStatusPB::FATAL_UNAUTHORIZED, s));
+ return s;
}
// TODO(KUDU-1924): propagate the specific token verification failure back
to the client,
@@ -701,9 +706,10 @@ Status ServerNegotiation::AuthenticateByToken(faststring*
recv_buf) {
security::TokenPB token;
auto verification_result =
token_verifier_->VerifyTokenSignature(pb.authn_token(), &token);
ErrorStatusPB::RpcErrorCodePB error;
- Status s = ParseTokenVerificationResult(verification_result,
- ErrorStatusPB::FATAL_INVALID_AUTHENTICATION_TOKEN, &error);
- if (!s.ok()) {
+ if (const auto s = ParseTokenVerificationResult(
+ verification_result,
+ ErrorStatusPB::FATAL_INVALID_AUTHENTICATION_TOKEN,
+ &error); !s.ok()) {
RETURN_NOT_OK(SendError(error, s));
return s;
}
