Skip to content

Commit

Permalink
Support handling single role and non-jwt-token in MultiRolesTokenAuth…
Browse files Browse the repository at this point in the history 
…orizationProvider (apache#14857)

### Motivation

Currently, `MultiRolesTokenAuthorizationProvider` doesn't support handling the single string type role. It will return the empty role in that case. This PR adds support for handling the string-type role. This PR also adds support for handling the non-jwt-token.

### Modifications

* Add support for handling the string-type role
* Add support for handling the non-jwt-token

### Verifying this change

This change is already covered by existing tests, such as *testMultiRolesAuthzWithSingleRole*.
  • Loading branch information
@RobertIndie
RobertIndie authored May 8, 2022
1 parent a0dcab6 commit 8bf6785
Show file tree
Hide file tree
Showing 2 changed files with 107 additions and 2 deletions.
8 changes: 6 additions & 2 deletions ...ain/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ public class MultiRolesTokenAuthorizationProvider extends PulsarAuthorizationPro
// The token's claim that corresponds to the "role" string
static final String CONF_TOKEN_AUTH_CLAIM = "tokenAuthClaim";

private JwtParser parser;
private final JwtParser parser;
private String roleClaim;

public MultiRolesTokenAuthorizationProvider() {
Expand Down Expand Up @@ -107,11 +107,15 @@ private List<String> getRoles(AuthenticationDataSource authData) {
}

String[] splitToken = token.split("\\.");
if (splitToken.length < 2) {
log.warn("Unable to extract additional roles from JWT token");
return Collections.emptyList();
}
String unsignedToken = splitToken[0] + "." + splitToken[1] + ".";

Jwt<?, Claims> jwt = parser.parseClaimsJwt(unsignedToken);
try {
Collections.singletonList(jwt.getBody().get(roleClaim, String.class));
return Collections.singletonList(jwt.getBody().get(roleClaim, String.class));
} catch (RequiredTypeException requiredTypeException) {
try {
List list = jwt.getBody().get(roleClaim, List.class);
Expand Down
101 changes: 101 additions & 0 deletions ...java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,14 @@
*/
package org.apache.pulsar.broker.authorization;

import static org.mockito.Mockito.mock;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.util.Properties;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils;
import org.apache.pulsar.broker.resources.PulsarResources;
import org.junit.Assert;
import org.testng.annotations.Test;

Expand Down Expand Up @@ -96,4 +100,101 @@ public String getHttpHeader(String name) {

Assert.assertFalse(provider.authorize(ads, role -> CompletableFuture.completedFuture(false)).get());
}

@Test
public void testMultiRolesAuthzWithSingleRole() throws Exception {
SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
String testRole = "test-role";
String token = Jwts.builder().claim("sub", testRole).signWith(secretKey).compact();

MultiRolesTokenAuthorizationProvider provider = new MultiRolesTokenAuthorizationProvider();

AuthenticationDataSource ads = new AuthenticationDataSource() {
@Override
public boolean hasDataFromHttp() {
return true;
}

@Override
public String getHttpHeader(String name) {
if (name.equals("Authorization")) {
return "Bearer " + token;
} else {
throw new IllegalArgumentException("Wrong HTTP header");
}
}
};

Assert.assertTrue(provider.authorize(ads, role -> {
if (role.equals(testRole)) {
return CompletableFuture.completedFuture(true);
}
return CompletableFuture.completedFuture(false);
}).get());
}

@Test
public void testMultiRolesNotFailNonJWT() throws Exception {
String token = "a-non-jwt-token";

MultiRolesTokenAuthorizationProvider provider = new MultiRolesTokenAuthorizationProvider();

AuthenticationDataSource ads = new AuthenticationDataSource() {
@Override
public boolean hasDataFromHttp() {
return true;
}

@Override
public String getHttpHeader(String name) {
if (name.equals("Authorization")) {
return "Bearer " + token;
} else {
throw new IllegalArgumentException("Wrong HTTP header");
}
}
};

Assert.assertFalse(provider.authorize(ads, role -> CompletableFuture.completedFuture(false)).get());
}

@Test
public void testMultiRolesAuthzWithCustomRolesClaims() throws Exception {
SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
String testRole = "test-role";
String customRolesClaims = "role";
String token = Jwts.builder().claim(customRolesClaims, new String[]{testRole}).signWith(secretKey).compact();

Properties properties = new Properties();
properties.setProperty("tokenSettingPrefix", "prefix_");
properties.setProperty("prefix_tokenAuthClaim", customRolesClaims);
ServiceConfiguration conf = new ServiceConfiguration();
conf.setProperties(properties);

MultiRolesTokenAuthorizationProvider provider = new MultiRolesTokenAuthorizationProvider();
provider.initialize(conf, mock(PulsarResources.class));

AuthenticationDataSource ads = new AuthenticationDataSource() {
@Override
public boolean hasDataFromHttp() {
return true;
}

@Override
public String getHttpHeader(String name) {
if (name.equals("Authorization")) {
return "Bearer " + token;
} else {
throw new IllegalArgumentException("Wrong HTTP header");
}
}
};

Assert.assertTrue(provider.authorize(ads, role -> {
if (role.equals(testRole)) {
return CompletableFuture.completedFuture(true);
}
return CompletableFuture.completedFuture(false);
}).get());
}
}

0 comments on commit 8bf6785

Please sign in to comment.