This is an automated email from the ASF dual-hosted git repository.
technoboy pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-3.0 by this push:
new d869b9e865d [fix][broker]Check that the super user role is in the
MultiRolesTokenAuthorizationProvider plugin (#20939)
d869b9e865d is described below
commit d869b9e865d5258342126a441989930686804f59
Author: Guangning E <[email protected]>
AuthorDate: Fri Aug 11 23:21:32 2023 +0800
[fix][broker]Check that the super user role is in the
MultiRolesTokenAuthorizationProvider plugin (#20939)
Fixed https://github.com/apache/pulsar/issues/20938
---
.../MultiRolesTokenAuthorizationProvider.java | 13 +++++----
.../MultiRolesTokenAuthorizationProviderTest.java | 32 ++++++++++++++++++++++
2 files changed, 40 insertions(+), 5 deletions(-)
diff --git
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
index fa613245cfa..db5f4f18e8c 100644
---
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
+++
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
@@ -89,15 +89,18 @@ public class MultiRolesTokenAuthorizationProvider extends
PulsarAuthorizationPro
@Override
public CompletableFuture<Boolean> isSuperUser(String role,
AuthenticationDataSource authenticationData,
ServiceConfiguration
serviceConfiguration) {
- Set<String> roles = getRoles(authenticationData);
- if (roles.isEmpty()) {
- return CompletableFuture.completedFuture(false);
- }
+ // if superUser role contains in config, return true.
Set<String> superUserRoles = serviceConfiguration.getSuperUserRoles();
if (superUserRoles.isEmpty()) {
return CompletableFuture.completedFuture(false);
}
-
+ if (role != null && superUserRoles.contains(role)) {
+ return CompletableFuture.completedFuture(true);
+ }
+ Set<String> roles = getRoles(authenticationData);
+ if (roles.isEmpty()) {
+ return CompletableFuture.completedFuture(false);
+ }
return
CompletableFuture.completedFuture(roles.stream().anyMatch(superUserRoles::contains));
}
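Review bot: The short-circuit added at `if (role != null && superUserRoles.contains(role))` grants super-user status from the `role` argument alone, without consulting the token carried in `authenticationData`, so the method now depends on every caller passing only the role that authentication produced; that contract belongs in the method's Javadoc, since the rest of this class derives roles via getRoles(authenticationData). The new comment `// if superUser role contains in config, return true.` also does not describe the statement it precedes, which returns false when no super-user roles are configured. Replace it with `// The authenticated role may itself be a configured super-user role (e.g. a token identified only by its sub claim, as in the new test); check it before falling back to the roles getRoles() extracts from authenticationData.`, placed above the `role` check rather than above the config lookup.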
diff --git
a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
index 7e329d14307..f0a857bdd69 100644
---
a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
+++
b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
@@ -31,6 +31,7 @@ import org.apache.pulsar.broker.resources.PulsarResources;
import org.testng.annotations.Test;
import javax.crypto.SecretKey;
+import java.util.Set;
import java.util.concurrent.CompletableFuture;
public class MultiRolesTokenAuthorizationProviderTest {
@@ -198,4 +199,35 @@ public class MultiRolesTokenAuthorizationProviderTest {
return CompletableFuture.completedFuture(false);
}).get());
}
+
+ @Test
+ public void testMultiRolesAuthzWithSuperUser() throws Exception {
+ SecretKey secretKey =
AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
+ String testAdminRole = "admin";
+ String token = Jwts.builder().claim("sub",
testAdminRole).signWith(secretKey).compact();
+
+ ServiceConfiguration conf = new ServiceConfiguration();
+ conf.setSuperUserRoles(Set.of(testAdminRole));
+
+ MultiRolesTokenAuthorizationProvider provider = new
MultiRolesTokenAuthorizationProvider();
+ provider.initialize(conf, mock(PulsarResources.class));
+
+ AuthenticationDataSource ads = new AuthenticationDataSource() {
+ @Override
+ public boolean hasDataFromHttp() {
+ return true;
+ }
+
+ @Override
+ public String getHttpHeader(String name) {
+ if (name.equals("Authorization")) {
+ return "Bearer " + token;
+ } else {
+ throw new IllegalArgumentException("Wrong HTTP header");
+ }
+ }
+ };
+
+ assertTrue(provider.isSuperUser(testAdminRole, ads, conf).get());
+ }
}
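Review bot: testMultiRolesAuthzWithSuperUser pins only the positive path of the new check in isSuperUser — the `role` passed is the configured super user — so a regression that made the short-circuit return true for any non-null role would still pass. A second assertion with a role outside superUserRoles, e.g. `assertFalse(provider.isSuperUser("user", ads, conf).get());` (with `assertFalse` statically imported alongside `assertTrue`), would cover the fall-through, assuming getRoles does not derive a super-user role from this token's sub claim; if it does, build the token for that assertion without a super-user identity. The enclosing test class starts before the hunk.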