
Example 1 with AuthenticationDataCommand

use of org.apache.pulsar.broker.authentication.AuthenticationDataCommand in project incubator-pulsar by apache.

the class AuthenticationProviderAthenzTest method testAuthenticateUnsignedToken.

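/**
 * Verifies that the provider refuses a role token that carries no signature.
 *
 * <p>The token is built locally and handed over through {@code getUnsignedToken()}, so
 * {@code provider.authenticate} must throw {@link AuthenticationException} rather than
 * return a role. Reaching {@code fail(...)} means an unsigned token was accepted.
 *
 * @throws Exception if building the token or the authentication data fails unexpectedly
 */
@Test
public void testAuthenticateUnsignedToken() throws Exception {
    // Plain ArrayList instead of double-brace initialization: the latter creates an
    // anonymous ArrayList subclass that keeps a reference to the enclosing test instance.
    List<String> roles = new ArrayList<String>();
    roles.add("test_role");
    RoleToken token = new RoleToken.Builder("Z1", "test_provider", roles).principal("test_app").build();
    // The third constructor argument is null here -- presumably the TLS session; verify
    // against the AuthenticationDataCommand constructor.
    AuthenticationDataSource authData = new AuthenticationDataCommand(token.getUnsignedToken(), new InetSocketAddress("localhost", PortManager.nextFreePort()), null);
    try {
        provider.authenticate(authData);
        fail("Unsigned token should not be authenticated");
    } catch (AuthenticationException e) {
        // Expected: the provider rejected the token because it is unsigned.
    }
}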
Also used : AuthenticationDataCommand(org.apache.pulsar.broker.authentication.AuthenticationDataCommand) AuthenticationException(javax.naming.AuthenticationException) InetSocketAddress(java.net.InetSocketAddress) ArrayList(java.util.ArrayList) AuthenticationDataSource(org.apache.pulsar.broker.authentication.AuthenticationDataSource) RoleToken(com.yahoo.athenz.auth.token.RoleToken) Test(org.testng.annotations.Test)

Example 2 with AuthenticationDataCommand

use of org.apache.pulsar.broker.authentication.AuthenticationDataCommand in project incubator-pulsar by apache.

the class ServerCnxTest method testConnectCommandWithAuthenticationPositive.

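/**
 * Checks that a CONNECT command moves the connection from {@code State.Start} to
 * {@code State.Connected} when authentication is enabled and the authentication service
 * accepts the client.
 *
 * <p>The authentication service is a mock stubbed to return {@code "appid1"}, so no credential
 * is validated here; the test covers only the connection state handling and the
 * {@code CommandConnected} response.
 *
 * @throws Exception if the channel setup or the inbound write fails unexpectedly
 */
@Test(timeOut = 30000)
public void testConnectCommandWithAuthenticationPositive() throws Exception {
    AuthenticationService authenticationService = mock(AuthenticationService.class);
    doReturn(authenticationService).when(brokerService).getAuthenticationService();
    // Use one matcher per parameter, each in its own argument position. Calling anyString()
    // inside a constructor only registers a matcher as a side effect and leaves Mockito to
    // pair matchers with parameters by call order, which is fragile.
    doReturn("appid1").when(authenticationService).authenticate(Mockito.any(AuthenticationDataCommand.class), Mockito.anyString());
    doReturn(true).when(brokerService).isAuthenticationEnabled();
    resetChannel();
    assertTrue(channel.isActive());
    assertEquals(serverCnx.getState(), State.Start);
    // test server response to CONNECT
    ByteBuf clientCommand = Commands.newConnect("none", "", null);
    channel.writeInbound(clientCommand);
    assertEquals(serverCnx.getState(), State.Connected);
    assertTrue(getResponse() instanceof CommandConnected);
    channel.finish();
}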
Also used : AuthenticationDataCommand(org.apache.pulsar.broker.authentication.AuthenticationDataCommand) CommandConnected(org.apache.pulsar.common.api.proto.PulsarApi.CommandConnected) ByteBuf(io.netty.buffer.ByteBuf) AuthenticationService(org.apache.pulsar.broker.authentication.AuthenticationService) Test(org.testng.annotations.Test)

Example 3 with AuthenticationDataCommand

use of org.apache.pulsar.broker.authentication.AuthenticationDataCommand in project incubator-pulsar by apache.

the class AuthorizationProducerConsumerTest method testAuthData.

/**
 * Checks that authentication data supplied by the caller reaches the configured
 * authorization provider unchanged.
 *
 * <p>The test installs {@code TestAuthorizationProviderWithGrantPermission}, grants a
 * permission with the JSON string {@code "auth-json"}, and then asserts through the
 * provider's static fields that the grant data and the command data given to
 * {@code canProduce} and {@code canConsume} are exactly what the provider received.
 *
 * @throws Exception if setup or any authorization call fails unexpectedly
 */
@Test
public void testAuthData() throws Exception {
    log.info("-- Starting {} test --", methodName);
    conf.setAuthorizationProvider(TestAuthorizationProviderWithGrantPermission.class.getName());
    setup();

    final AuthorizationService authz = new AuthorizationService(conf, null);
    final TopicName topic = TopicName.get("persistent://prop/cluster/ns/t1");
    final String grantedRole = "test-role";

    // Grant first, waiting on the returned future, then confirm the provider saw the JSON.
    authz.grantPermissionAsync(topic, null, grantedRole, "auth-json").get();
    Assert.assertEquals(TestAuthorizationProviderWithGrantPermission.authDataJson, "auth-json");

    // Produce check: the provider must have been handed the "prod-auth" command data.
    final boolean produceAllowed = authz.canProduce(topic, grantedRole, new AuthenticationDataCommand("prod-auth"));
    Assert.assertTrue(produceAllowed);
    Assert.assertEquals(TestAuthorizationProviderWithGrantPermission.authenticationData.getCommandData(), "prod-auth");

    // Consume check: same verification with the "cons-auth" command data and a subscription.
    final boolean consumeAllowed = authz.canConsume(topic, grantedRole, new AuthenticationDataCommand("cons-auth"), "sub1");
    Assert.assertTrue(consumeAllowed);
    Assert.assertEquals(TestAuthorizationProviderWithGrantPermission.authenticationData.getCommandData(), "cons-auth");

    log.info("-- Exiting {} test --", methodName);
}
Also used : AuthenticationDataCommand(org.apache.pulsar.broker.authentication.AuthenticationDataCommand) AuthorizationService(org.apache.pulsar.broker.authorization.AuthorizationService) TopicName(org.apache.pulsar.common.naming.TopicName) Test(org.testng.annotations.Test)

Example 4 with AuthenticationDataCommand

use of org.apache.pulsar.broker.authentication.AuthenticationDataCommand in project incubator-pulsar by apache.

the class ServerConnection method handleConnect.

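/**
 * Handles a CONNECT request and acknowledges it with a Connected command.
 *
 * <p>The connection must be in {@code State.Start}; this is enforced with
 * {@code checkArgument}. When authentication is enabled in the service configuration, the
 * client's auth data is wrapped together with the remote address and, if a TLS handler is
 * installed in the pipeline, the TLS session, and handed to the authentication service.
 * On failure the client receives a generic authentication error, the connection is closed
 * and the state is left unchanged. When authentication is disabled, the client is
 * acknowledged without any credential check.
 *
 * @param connect the CONNECT command received from the client
 */
@Override
protected void handleConnect(CommandConnect connect) {
    checkArgument(state == State.Start);
    if (LOG.isDebugEnabled()) {
        LOG.debug("Received CONNECT from {}", remoteAddress);
    }
    if (service.getConfiguration().isAuthenticationEnabled()) {
        try {
            String authMethod = "none";
            if (connect.hasAuthMethodName()) {
                authMethod = connect.getAuthMethodName();
            } else if (connect.hasAuthMethod()) {
                // Legacy client is passing enum. substring(10) drops the first ten characters
                // of the constant name -- presumably a fixed "AuthMethod" prefix; verify
                // against the enum definition. Locale.ROOT keeps the derived method name
                // independent of the JVM's default locale.
                authMethod = connect.getAuthMethod().name().substring(10).toLowerCase(java.util.Locale.ROOT);
            }
            // authData may hold the client's credential; it is passed on for verification
            // and deliberately never written to the log.
            String authData = connect.getAuthData().toStringUtf8();
            ChannelHandler sslHandler = ctx.channel().pipeline().get(TLS_HANDLER);
            SSLSession sslSession = null;
            if (sslHandler != null) {
                sslSession = ((SslHandler) sslHandler).engine().getSession();
            }
            this.authenticationData = new AuthenticationDataCommand(authData, remoteAddress, sslSession);
            authRole = service.getAuthenticationService().authenticate(this.authenticationData, authMethod);
            LOG.info("[{}] Client successfully authenticated with {} role {}", remoteAddress, authMethod, authRole);
        } catch (AuthenticationException e) {
            // The failure detail stays in the server log; the client only gets a generic message.
            String msg = "Unable to authenticate";
            LOG.warn("[{}] {}: {}", remoteAddress, msg, e.getMessage());
            ctx.writeAndFlush(Commands.newError(-1, ServerError.AuthenticationError, msg));
            close();
            return;
        }
    }
    // Reached when authentication succeeded or is disabled.
    ctx.writeAndFlush(Commands.newConnected(connect.getProtocolVersion()));
    state = State.Connected;
    remoteEndpointProtocolVersion = connect.getProtocolVersion();
}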
Also used : AuthenticationDataCommand(org.apache.pulsar.broker.authentication.AuthenticationDataCommand) AuthenticationException(javax.naming.AuthenticationException) SSLSession(javax.net.ssl.SSLSession) ChannelHandler(io.netty.channel.ChannelHandler) SslHandler(io.netty.handler.ssl.SslHandler)

Example 5 with AuthenticationDataCommand

use of org.apache.pulsar.broker.authentication.AuthenticationDataCommand in project incubator-pulsar by apache.

the class ProxyConnection method verifyAuthenticationIfNeeded.

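/**
 * Authenticates the client that sent the CONNECT command, if authentication is enabled.
 *
 * <p>The client's auth data is wrapped together with the remote address and, if a handler
 * named {@code "tls"} is present in the pipeline, the TLS session, and handed to the
 * authentication service. On success the resulting role is stored in {@code clientAuthRole}.
 *
 * @param connect the CONNECT command received from the client
 * @return {@code true} if authentication is disabled or the client authenticated
 *         successfully; {@code false} if the authentication service rejected the client
 */
private boolean verifyAuthenticationIfNeeded(CommandConnect connect) {
    if (!service.getConfiguration().isAuthenticationEnabled()) {
        return true;
    }
    try {
        String authMethod = "none";
        if (connect.hasAuthMethodName()) {
            authMethod = connect.getAuthMethodName();
        } else if (connect.hasAuthMethod()) {
            // Legacy client is passing enum. substring(10) drops the first ten characters of
            // the constant name -- presumably a fixed "AuthMethod" prefix; verify against the
            // enum definition. Locale.ROOT keeps the derived method name independent of the
            // JVM's default locale.
            authMethod = connect.getAuthMethod().name().substring(10).toLowerCase(java.util.Locale.ROOT);
        }
        // authData may hold the client's credential; it is never written to the log.
        String authData = connect.getAuthData().toStringUtf8();
        if (service.getConfiguration().forwardAuthorizationCredentials()) {
            // NOTE(review): these fields are set before authenticate() has accepted the
            // credential and are not cleared on failure -- confirm that every caller drops
            // the connection when this method returns false.
            clientAuthData = authData;
            clientAuthMethod = authMethod;
        }
        ChannelHandler sslHandler = ctx.channel().pipeline().get("tls");
        SSLSession sslSession = null;
        if (sslHandler != null) {
            sslSession = ((SslHandler) sslHandler).engine().getSession();
        }
        authenticationData = new AuthenticationDataCommand(authData, remoteAddress, sslSession);
        clientAuthRole = service.getAuthenticationService().authenticate(authenticationData, authMethod);
        LOG.info("[{}] Client successfully authenticated with {} role {}", remoteAddress, authMethod, clientAuthRole);
        return true;
    } catch (AuthenticationException e) {
        // Only the exception message is logged; the caller decides what the client is told.
        LOG.warn("[{}] Unable to authenticate: {}", remoteAddress, e.getMessage());
        return false;
    }
}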
Also used : AuthenticationDataCommand(org.apache.pulsar.broker.authentication.AuthenticationDataCommand) AuthenticationException(javax.naming.AuthenticationException) SSLSession(javax.net.ssl.SSLSession) ChannelHandler(io.netty.channel.ChannelHandler) SslHandler(io.netty.handler.ssl.SslHandler)

Aggregations

AuthenticationDataCommand (org.apache.pulsar.broker.authentication.AuthenticationDataCommand)9 AuthenticationException (javax.naming.AuthenticationException)6 Test (org.testng.annotations.Test)6 RoleToken (com.yahoo.athenz.auth.token.RoleToken)3 ChannelHandler (io.netty.channel.ChannelHandler)3 SslHandler (io.netty.handler.ssl.SslHandler)3 InetSocketAddress (java.net.InetSocketAddress)3 ArrayList (java.util.ArrayList)3 SSLSession (javax.net.ssl.SSLSession)3 AuthenticationDataSource (org.apache.pulsar.broker.authentication.AuthenticationDataSource)3 ByteBuf (io.netty.buffer.ByteBuf)2 AuthenticationService (org.apache.pulsar.broker.authentication.AuthenticationService)2 AuthorizationService (org.apache.pulsar.broker.authorization.AuthorizationService)1 CommandConnected (org.apache.pulsar.common.api.proto.PulsarApi.CommandConnected)1 CommandError (org.apache.pulsar.common.api.proto.PulsarApi.CommandError)1 TopicName (org.apache.pulsar.common.naming.TopicName)1