nodece opened a new pull request, #25179: URL: https://github.com/apache/pulsar/pull/25179
Fixes https://github.com/apache/pulsar/issues/25071 ### Motivation This pull request enhances the authentication credential refresh logic in the Pulsar Proxy and adds comprehensive tests to ensure correct behavior when client credentials expire, especially when authorization credentials are not forwarded to the broker. The changes improve reliability and correctness in handling authentication expiration and provide a robust test for the new logic. ### Modifications **Proxy authentication refresh and expiration logic:** * Refactored the authentication credential refresh logic in `ProxyConnection.java` by introducing the `startAuthRefreshTaskIfNotStarted()` helper, ensuring the refresh task is only scheduled when needed and in the correct states. The refresh logic now checks if the connection is in an authenticated state and properly handles cases where credentials expire and authorization credentials are not forwarded (`forwardAuthorizationCredentials=false`). [[1]](diffhunk://#diff-bbca5aac9dede7618187e91b91ffd0c6c8ffb836cd79ff2d104439e8cf5fc0daL152-R157) [[2]](diffhunk://#diff-bbca5aac9dede7618187e91b91ffd0c6c8ffb836cd79ff2d104439e8cf5fc0daL415-R420) [[3]](diffhunk://#diff-bbca5aac9dede7618187e91b91ffd0c6c8ffb836cd79ff2d104439e8cf5fc0daR436-R439) [[4]](diffhunk://#diff-bbca5aac9dede7618187e91b91ffd0c6c8ffb836cd79ff2d104439e8cf5fc0daR521-R558) **Test suite improvements:** * Added a new test `testClientDisconnectWhenCredentialsExpireWithoutForwardAuth` in `ProxyAuthenticationTest.java` to verify that the client is disconnected when credentials expire and the proxy is not forwarding authorization credentials. The test uses Awaitility to assert proper disconnection behavior. * Updated and expanded the mock authentication provider and state in the test suite to simulate credential expiration and support the new authentication flow, including parsing and checking expiration within the mock state. [[1]](diffhunk://#diff-e8bd8b62a59dff014e3084ab83180fcdcc8a81f637a3373c51ca49b634be22eaR134-R198) [[2]](diffhunk://#diff-e8bd8b62a59dff014e3084ab83180fcdcc8a81f637a3373c51ca49b634be22eaL138-R222) **Minor test utility and import updates:** * Added necessary imports and updated HTTP header handling in the test authentication data provider for improved correctness and clarity. [[1]](diffhunk://#diff-e8bd8b62a59dff014e3084ab83180fcdcc8a81f637a3373c51ca49b634be22eaR21-R46) [[2]](diffhunk://#diff-e8bd8b62a59dff014e3084ab83180fcdcc8a81f637a3373c51ca49b634be22eaR55-R59) [[3]](diffhunk://#diff-e8bd8b62a59dff014e3084ab83180fcdcc8a81f637a3373c51ca49b634be22eaR94) ### Documentation <!-- DO NOT REMOVE THIS SECTION. CHECK THE PROPER BOX ONLY. --> - [ ] `doc` <!-- Your PR contains doc changes. --> - [x] `doc-required` <!-- Your PR changes impact docs and you will update later --> - [ ] `doc-not-needed` <!-- Your PR changes do not impact docs --> - [ ] `doc-complete` <!-- Docs have been already added --> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
