Use of org.apache.pulsar.broker.authentication.AuthenticationDataSource in project incubator-pulsar by apache.
The class AuthenticationProviderAthenzTest, method testAuthenticateUnsignedToken.
@Test
public void testAuthenticateUnsignedToken() throws Exception {
    // A token that carries no signature must be rejected regardless of its domain or roles.
    List<String> roles = new ArrayList<>();
    roles.add("test_role");
    RoleToken token = new RoleToken.Builder("Z1", "test_provider", roles).principal("test_app").build();
    AuthenticationDataSource authData = new AuthenticationDataCommand(token.getUnsignedToken(),
            new InetSocketAddress("localhost", PortManager.nextFreePort()), null);
    try {
        provider.authenticate(authData);
    } catch (AuthenticationException expected) {
        // Rejection is the expected outcome for an unsigned token.
        return;
    }
    fail("Unsigned token should not be authenticated");
}
Use of org.apache.pulsar.broker.authentication.AuthenticationDataSource in project incubator-pulsar by apache.
The class PulsarAuthorizationProvider, method canConsumeAsync.
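/**
 * Check if the specified role has permission to receive messages from the specified fully qualified topic
 * name.
 * <p>
 * When the namespace policies are present and {@code subscription_auth_mode} is {@code Prefix}, a role that is
 * not a super user must use a subscription name that starts with the role; otherwise the returned future
 * completes exceptionally with a {@link PulsarServerException}. When no policies node exists for the namespace,
 * the prefix check is skipped and only the {@code consume} action is checked.
 *
 * @param topicName
 *            the fully qualified topic name associated with the topic.
 * @param role
 *            the app id used to receive messages from the topic.
 * @param authenticationData
 *            authentication data of the client; not consulted by this check.
 * @param subscription
 *            the subscription name defined by the client
 * @return a future completed with the result of the {@code consume} authorization check, or completed
 *         exceptionally if the policies lookup, the subscription prefix check or the authorization check fails.
 */
@Override
public CompletableFuture<Boolean> canConsumeAsync(TopicName topicName, String role, AuthenticationDataSource authenticationData, String subscription) {
    CompletableFuture<Boolean> permissionFuture = new CompletableFuture<>();
    try {
        configCache.policiesCache().getAsync(POLICY_ROOT + topicName.getNamespace()).thenAccept(policies -> {
            if (!policies.isPresent()) {
                if (log.isDebugEnabled()) {
                    log.debug("Policies node couldn't be found for topic : {}", topicName);
                }
            } else if (isNotBlank(subscription) && !isSuperUser(role)) {
                switch (policies.get().subscription_auth_mode) {
                case Prefix:
                    // Subscription names are namespaced by role so one role cannot attach to another role's subscription.
                    if (!subscription.startsWith(role)) {
                        PulsarServerException ex = new PulsarServerException(String.format("Failed to create consumer - The subscription name needs to be prefixed by the authentication role, like %s-xxxx for topic: %s", role, topicName));
                        permissionFuture.completeExceptionally(ex);
                        return;
                    }
                    break;
                default:
                    break;
                }
            }
            // Propagate both outcomes of the authorization check. With only thenAccept() a failed
            // checkAuthorization() future would leave permissionFuture pending forever, because the
            // exceptionally() below only observes failures of the policies lookup and of this lambda.
            checkAuthorization(topicName, role, AuthAction.consume).whenComplete((isAuthorized, authEx) -> {
                if (authEx != null) {
                    log.warn("Client with Role - {} failed to get permissions for topic - {}. {}", role, topicName, authEx.getMessage());
                    permissionFuture.completeExceptionally(authEx);
                } else {
                    permissionFuture.complete(isAuthorized);
                }
            });
        }).exceptionally(ex -> {
            log.warn("Client with Role - {} failed to get permissions for topic - {}. {}", role, topicName, ex.getMessage());
            permissionFuture.completeExceptionally(ex);
            return null;
        });
    } catch (Exception e) {
        // Synchronous failures (e.g. building the cache key) are reported the same way as async ones.
        log.warn("Client with Role - {} failed to get permissions for topic - {}. {}", role, topicName, e.getMessage());
        permissionFuture.completeExceptionally(e);
    }
    return permissionFuture;
}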
Use of org.apache.pulsar.broker.authentication.AuthenticationDataSource in project incubator-pulsar by apache.
The class AuthenticationProviderAthenzTest, method testAuthenticateSignedTokenWithDifferentDomain.
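@Test
public void testAuthenticateSignedTokenWithDifferentDomain() throws Exception {
    // A correctly signed token whose domain ("invalid") is not the one the provider expects must be rejected.
    List<String> roles = new ArrayList<>();
    roles.add("test_role");
    RoleToken token = new RoleToken.Builder("Z1", "invalid", roles).principal("test_app").build();
    // Decode the PEM explicitly as UTF-8 instead of relying on the platform default charset.
    String privateKey = new String(Files.readAllBytes(Paths.get("./src/test/resources/zts_private.pem")),
            java.nio.charset.StandardCharsets.UTF_8);
    token.sign(privateKey);
    AuthenticationDataSource authData = new AuthenticationDataCommand(token.getSignedToken(),
            new InetSocketAddress("localhost", PortManager.nextFreePort()), null);
    try {
        provider.authenticate(authData);
    } catch (AuthenticationException expected) {
        // Rejection is the expected outcome for a token from a different domain.
        return;
    }
    fail("Token which has different domain should not be authenticated");
}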
Use of org.apache.pulsar.broker.authentication.AuthenticationDataSource in project incubator-pulsar by apache.
The class AuthenticationProviderAthenzTest, method testAuthenticateSignedToken.
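@Test
public void testAuthenticateSignedToken() throws Exception {
    // A token signed with the expected key and domain authenticates as its principal.
    List<String> roles = new ArrayList<>();
    roles.add("test_role");
    RoleToken token = new RoleToken.Builder("Z1", "test_provider", roles).principal("test_app").build();
    // Decode the PEM explicitly as UTF-8 instead of relying on the platform default charset.
    String privateKey = new String(Files.readAllBytes(Paths.get("./src/test/resources/zts_private.pem")),
            java.nio.charset.StandardCharsets.UTF_8);
    token.sign(privateKey);
    AuthenticationDataSource authData = new AuthenticationDataCommand(token.getSignedToken(),
            new InetSocketAddress("localhost", PortManager.nextFreePort()), null);
    assertEquals(provider.authenticate(authData), "test_app");
}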
Use of org.apache.pulsar.broker.authentication.AuthenticationDataSource in project incubator-pulsar by apache.
The class AbstractWebSocketHandler, method checkAuth.
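/**
 * Authenticates and authorizes the WebSocket upgrade request held in {@code request}.
 * <p>
 * When authentication is enabled the request is authenticated and the resulting role is used for the
 * authorization check; when it is disabled the authorization check (if enabled) runs against the placeholder
 * role {@code "<none>"}. Any failure sends an HTTP error on {@code response} and returns {@code false}:
 * 401 for an authentication failure, 403 when the role is not authorized, and 500 when the authorization
 * check itself throws.
 *
 * @param response the upgrade response used to report a failure to the client
 * @return {@code true} if the client may proceed with the upgrade, {@code false} otherwise
 */
protected boolean checkAuth(ServletUpgradeResponse response) {
    String authRole = "<none>";
    AuthenticationDataSource authenticationData = new AuthenticationDataHttps(request);
    if (service.isAuthenticationEnabled()) {
        try {
            authRole = service.getAuthenticationService().authenticateHttpRequest(request);
            log.info("[{}:{}] Authenticated WebSocket client {} on topic {}", request.getRemoteAddr(), request.getRemotePort(), authRole, topic);
        } catch (AuthenticationException e) {
            log.warn("[{}:{}] Failed to authenticated WebSocket client {} on topic {}: {}", request.getRemoteAddr(), request.getRemotePort(), authRole, topic, e.getMessage());
            sendErrorQuietly(response, HttpServletResponse.SC_UNAUTHORIZED, "Failed to authenticate");
            return false;
        }
    }
    if (service.isAuthorizationEnabled()) {
        boolean authorized;
        try {
            authorized = isAuthorized(authRole, authenticationData);
        } catch (Exception e) {
            log.warn("[{}:{}] Got an exception when authorizing WebSocket client {} on topic {} on: {}", request.getRemoteAddr(), request.getRemotePort(), authRole, topic, e.getMessage());
            sendErrorQuietly(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Server error");
            return false;
        }
        if (!authorized) {
            log.warn("[{}:{}] WebSocket Client [{}] is not authorized on topic {}", request.getRemoteAddr(), request.getRemotePort(), authRole, topic);
            // Sent outside the try above so an I/O failure while delivering the 403 is logged as a send
            // failure instead of being reported as an authorization error and followed by a second
            // sendError() on a response that may already be committed.
            sendErrorQuietly(response, HttpServletResponse.SC_FORBIDDEN, "Not authorized");
            return false;
        }
    }
    return true;
}

/**
 * Sends an HTTP error on the upgrade response, logging rather than propagating an {@link IOException}.
 * Callers return {@code false} regardless, so a failure to deliver the error never changes the outcome.
 *
 * @param response the upgrade response to write the error to
 * @param status the HTTP status code to send
 * @param message the reason phrase sent with the status
 */
private void sendErrorQuietly(ServletUpgradeResponse response, int status, String message) {
    try {
        response.sendError(status, message);
    } catch (IOException e1) {
        log.warn("[{}:{}] Failed to send error: {}", request.getRemoteAddr(), request.getRemotePort(), e1.getMessage(), e1);
    }
}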