Varun Thacker created SOLR-11827:
------------------------------------
Summary: MockAuthorizationPlugin should return 401 if no principal is specified
Key: SOLR-11827
URL: https://issues.apache.org/jira/browse/SOLR-11827
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Varun Thacker
Let's say today if the leader sends a message to the replica and it takes more than 10s (the default TTL timeout), then PKIAuthenticationPlugin will not pass the principal and RuleBasedAuthorizationPlugin will notice this and throw a 401.
{code:title=PKIAuthenticationPlugin.java|borderStyle=solid}
// The signed header carries the sender's timestamp; if it is older than the
// TTL (MAX_VALIDITY) the request is passed down the filter chain without a principal.
if ((receivedTime - decipher.timestamp) > MAX_VALIDITY) {
  log.error("Invalid key request timestamp: {} , received timestamp: {} , TTL: {}", decipher.timestamp, receivedTime, MAX_VALIDITY);
  filterChain.doFilter(request, response);
  return true;
}
{code}
{code:title=RuleBasedAuthorizationPlugin.java|borderStyle=solid}
if (principal == null) {
  log.info("request has come without principal. failed permission {}", permission);
  // this resource needs a principal but the request has come without
  // any credential; USER_REQUIRED is what surfaces as the 401.
  return MatchStatus.USER_REQUIRED;
}
{code}
I was trying to verify this with PKIAuthenticationIntegrationTest but I noticed that since this test uses MockAuthorizationPlugin, where no principal is treated as a 200, the test won't fail.
So we should enhance MockAuthorizationPlugin to treat no principal as a 401 and add a test in PKIAuthenticationIntegrationTest to verify the behaviour.
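To make the gap described above concrete, here is an added, self-contained Java sketch (not Solr code; the class, method names and the constructed timestamps are hypothetical) of the two steps the report walks through: the TTL check that drops the principal when the signed timestamp is too old, and an authorization step that, like RuleBasedAuthorizationPlugin, answers 401 without a principal, beside a lenient mock that answers 200 and therefore cannot detect the expiry.

```java
import java.util.Optional;

/** Added illustration, not Solr code: names and structure are hypothetical. */
public class PkiTtlDemo {
    /** Mirrors the 10 s default TTL mentioned in the report. */
    static final long MAX_VALIDITY_MS = 10_000;

    /**
     * Models the PKIAuthenticationPlugin timestamp check: when the signed
     * timestamp is older than MAX_VALIDITY, the request continues down the
     * filter chain with no principal attached.
     */
    static Optional<String> principalAfterTtlCheck(String signedPrincipal,
                                                   long signedTimestamp,
                                                   long receivedTime) {
        if ((receivedTime - signedTimestamp) > MAX_VALIDITY_MS) {
            return Optional.empty();   // expired: principal is not passed on
        }
        return Optional.of(signedPrincipal);
    }

    /** Strict behaviour (as RuleBasedAuthorizationPlugin): no principal is a 401. */
    static int authorizeStrict(Optional<String> principal) {
        return principal.isPresent() ? 200 : 401;
    }

    /** Lenient behaviour of the current mock: a missing principal still yields 200. */
    static int authorizeLenientMock(Optional<String> principal) {
        return 200;
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        // Constructed scenario: the leader signed the request 11 s before the
        // replica received it, so the TTL check strips the principal.
        Optional<String> stale = principalAfterTtlCheck("solr", now - 11_000, now);
        System.out.println("stale, strict plugin -> " + authorizeStrict(stale));
        System.out.println("stale, lenient mock  -> " + authorizeLenientMock(stale));

        // A fresh request (2 s old) keeps its principal and passes both checks.
        Optional<String> fresh = principalAfterTtlCheck("solr", now - 2_000, now);
        System.out.println("fresh, strict plugin -> " + authorizeStrict(fresh));
    }
}
```

A mock that behaved like authorizeStrict would let an integration test assert the 401 the report expects once the TTL has elapsed.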
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)