This is an automated email from the ASF dual-hosted git repository.
technoboy pushed a commit to branch branch-3.1
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-3.1 by this push:
new 47232c7fe5a [fix][broker] Avoid pass null role in
MultiRolesTokenAuthorizationProvider (#21486)
47232c7fe5a is described below
commit 47232c7fe5a636aeb3229b1c4545b5e38e7ae971
Author: Qiang Zhao <[email protected]>
AuthorDate: Thu Nov 2 16:33:30 2023 +0800
[fix][broker] Avoid pass null role in MultiRolesTokenAuthorizationProvider
(#21486)
Co-authored-by: Jiwe Guo <[email protected]>
---
.../MultiRolesTokenAuthorizationProvider.java | 9 +++++-
.../MultiRolesTokenAuthorizationProviderTest.java | 35 +++++++++++++++++++++-
2 files changed, 42 insertions(+), 2 deletions(-)
diff --git
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
index 7d17d180cf1..fdab233a510 100644
---
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
+++
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
@@ -183,7 +183,14 @@ public class MultiRolesTokenAuthorizationProvider extends
PulsarAuthorizationPro
Jwt<?, Claims> jwt = parser.parseClaimsJwt(unsignedToken);
try {
- return new
HashSet<>(Collections.singletonList(jwt.getBody().get(roleClaim,
String.class)));
+ final String jwtRole = jwt.getBody().get(roleClaim, String.class);
+ if (jwtRole == null) {
+ if (log.isDebugEnabled()) {
+ log.debug("Do not have corresponding claim in jwt token.
claim={}", roleClaim);
+ }
+ return Collections.emptySet();
+ }
+ return new HashSet<>(Collections.singletonList(jwtRole));
} catch (RequiredTypeException requiredTypeException) {
try {
List list = jwt.getBody().get(roleClaim, List.class);
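Review bot: The null guard added to the scalar branch does not extend to the List fallback that starts at `List list = jwt.getBody().get(roleClaim, List.class);` — a token whose role claim is a JSON array can still carry null (or non-String) elements, and unless the code past the hunk filters them, a null role reaches the sub-providers by that path just as it did before this fix. Building the set with an explicit filter, e.g. `for (Object r : list) { if (r instanceof String) roles.add((String) r); }`, and treating any other element type like the missing-claim case would close that gap; the raw `List` could become `List<?>` at the same time. A second, documentation-only point: the claims come from `parser.parseClaimsJwt(unsignedToken)`, i.e. the token with its signature stripped, so the role set produced here is presumably only as trustworthy as the authentication step that validated the token earlier — a comment above the parse such as `// Claims are read from the unsigned form; signature verification is assumed to have happened during authentication.` would keep a future reader from mistaking this for a verification point. Note also that a misconfigured `roleClaim` now yields an empty role set for every token and surfaces only at debug level, which is acceptable for a per-request path but worth a mention in the broker docs. The enclosing method begins before the hunk and its catch block continues past it.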
diff --git
a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
index c4fc35f6401..ed9626dffe2 100644
---
a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
+++
b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
@@ -32,7 +32,6 @@ import
org.apache.pulsar.broker.authentication.AuthenticationDataSubscription;
import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils;
import org.apache.pulsar.broker.resources.PulsarResources;
import org.testng.annotations.Test;
-
import javax.crypto.SecretKey;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
@@ -144,6 +143,40 @@ public class MultiRolesTokenAuthorizationProviderTest {
}).get());
}
+ @Test
+ public void testMultiRolesAuthzWithoutClaim() throws Exception {
+ final SecretKey secretKey =
AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
+ final String testRole = "test-role";
+ // broker will use "sub" as the claim by default.
+ final String token = Jwts.builder()
+ .claim("whatever", testRole).signWith(secretKey).compact();
+ ServiceConfiguration conf = new ServiceConfiguration();
+ final MultiRolesTokenAuthorizationProvider provider = new
MultiRolesTokenAuthorizationProvider();
+ provider.initialize(conf, mock(PulsarResources.class));
+ final AuthenticationDataSource ads = new AuthenticationDataSource() {
+ @Override
+ public boolean hasDataFromHttp() {
+ return true;
+ }
+
+ @Override
+ public String getHttpHeader(String name) {
+ if (name.equals("Authorization")) {
+ return "Bearer " + token;
+ } else {
+ throw new IllegalArgumentException("Wrong HTTP header");
+ }
+ }
+ };
+
+ assertFalse(provider.authorize("test", ads, role -> {
+ if (role == null) {
+ throw new IllegalStateException("We should avoid pass null to
sub providers");
+ }
+ return CompletableFuture.completedFuture(role.equals(testRole));
+ }).get());
+ }
+
@Test
public void testMultiRolesAuthzWithAnonymousUser() throws Exception {
@Cleanup
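Review bot: `testMultiRolesAuthzWithoutClaim` only exercises the scalar form of the claim; the provider's List fallback (the `RequiredTypeException` path) is the other route a role can take, and nothing here pins that a null element inside an array claim is dropped as well. A sibling case built with `.claim("sub", Arrays.asList(testRole, null))` and the same throwing sub-provider would cover it, assuming the fallback filters nulls — if it does not, the test would expose that directly. The anonymous `AuthenticationDataSource` returning `"Bearer " + token` looks like a pattern repeated across this test class; if so, a small private factory such as `bearerTokenSource(String token)` would shorten each test and keep the header handling in one place. The following test method starts at `@Cleanup` and continues past the hunk.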