Use of org.apache.pulsar.common.api.AuthData in project pulsar by apache.
Class ClientCnx, method newConnectCommand.
protected ByteBuf newConnectCommand() throws Exception {
    // Every channel gets its own mutual-auth client/server pair, scoped to `remoteHostName`.
    // The client side runs the first challenge round with the initial auth data and ships the
    // resulting blob to the server inside the CONNECT command.
    authenticationDataProvider = authentication.getAuthData(remoteHostName);
    AuthData initialRound = authenticationDataProvider.authenticate(AuthData.INIT_AUTH_DATA);
    String authMethodName = authentication.getAuthMethodName();
    String clientVersion = PulsarVersion.getVersion();
    // No original-principal / original-auth fields: this is a direct client connection, not a
    // proxied one, so the last three CONNECT arguments stay null.
    return Commands.newConnect(authMethodName, initialRound, this.protocolVersion,
            clientVersion, proxyToTargetBrokerAddress, null, null, null);
}
Use of org.apache.pulsar.common.api.AuthData in project pulsar by apache.
Class ProxyClientCnx, method newConnectCommand.
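@Override
protected ByteBuf newConnectCommand() throws Exception {
    if (log.isDebugEnabled()) {
        // clientAuthData carries the forwarded client credential; log only whether it is present
        // so that enabling debug logging never writes the credential itself into the log file.
        log.debug("New Connection opened via ProxyClientCnx with params clientAuthRole = {},"
                + " clientAuthData present = {}, clientAuthMethod = {}",
                clientAuthRole, clientAuthData != null, clientAuthMethod);
    }
    // Per-channel mutual auth towards the target broker, scoped to `remoteHostName`: the proxy's own
    // credentials are obtained here and sent as the primary auth data of the CONNECT.
    authenticationDataProvider = authentication.getAuthData(remoteHostName);
    AuthData authData = authenticationDataProvider.authenticate(AuthData.INIT_AUTH_DATA);
    // The original client's role, credential and auth method are forwarded alongside so the broker
    // can attribute the connection to the original principal (and re-validate it when configured to).
    return Commands.newConnect(authentication.getAuthMethodName(), authData, this.protocolVersion,
            PulsarVersion.getVersion(), proxyToTargetBrokerAddress,
            clientAuthRole, clientAuthData, clientAuthMethod);
}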
Use of org.apache.pulsar.common.api.AuthData in project pulsar by apache.
Class ProxyConnection, method handleConnect.
@Override
protected void handleConnect(CommandConnect connect) {
    checkArgument(state == State.Init);
    this.setRemoteEndpointProtocolVersion(connect.getProtocolVersion());
    this.hasProxyToBrokerUrl = connect.hasProxyToBrokerUrl();
    this.protocolVersionToAdvertise = getProtocolVersionToAdvertise(connect);
    // The target broker URL comes from a client that has not authenticated yet; it is only recorded here.
    if (connect.hasProxyToBrokerUrl()) {
        this.proxyToBrokerUrl = connect.getProxyToBrokerUrl();
    } else {
        this.proxyToBrokerUrl = "null";
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Received CONNECT from {} proxyToBroker={}", remoteAddress, proxyToBrokerUrl);
        LOG.debug("[{}] Protocol version to advertise to broker is {}, clientProtocolVersion={}, proxyProtocolVersion={}",
                remoteAddress, protocolVersionToAdvertise, getRemoteEndpointProtocolVersion(),
                Commands.getCurrentProtocolVersion());
    }
    // Connecting through the proxy needs protocol v10 or later on the client side.
    if (getRemoteEndpointProtocolVersion() < ProtocolVersion.v10.getValue()) {
        LOG.warn("[{}] Client doesn't support connecting through proxy", remoteAddress);
        state = State.Closing;
        ctx.close();
        return;
    }
    try {
        this.clientConf = createClientConfiguration();
        if (!service.getConfiguration().isAuthenticationEnabled()) {
            // Authentication disabled: nothing to verify, finish the handshake right away.
            completeConnect(null);
            return;
        }
        AuthData connectCredentials = AuthData.of(connect.hasAuthData() ? connect.getAuthData() : EMPTY_CREDENTIALS);
        // Auth method: an explicit name wins, then the legacy enum form, otherwise "none".
        if (connect.hasAuthMethodName()) {
            authMethod = connect.getAuthMethodName();
        } else if (connect.hasAuthMethod()) {
            // Legacy clients send the enum; strip its fixed prefix and normalise to lower case.
            authMethod = connect.getAuthMethod().name().substring(10).toLowerCase();
        } else {
            authMethod = "none";
        }
        authenticationProvider = service.getAuthenticationService().getAuthenticationProvider(authMethod);
        if (authenticationProvider == null) {
            // No provider for this method (AuthenticationDisabled sets "none"): only an anonymous role lets it through.
            clientAuthRole = service.getAuthenticationService().getAnonymousUserRole()
                    .orElseThrow(() -> new AuthenticationException("No anonymous role, and no authentication provider configured"));
            completeConnect(connectCredentials);
            return;
        }
        // Hand the TLS session (if the channel is TLS-terminated) to the provider; how it is used is provider-specific.
        ChannelHandler tlsHandler = ctx.channel().pipeline().get(PulsarChannelInitializer.TLS_HANDLER);
        SSLSession tlsSession = null;
        if (tlsHandler != null) {
            tlsSession = ((SslHandler) tlsHandler).engine().getSession();
        }
        authState = authenticationProvider.newAuthState(connectCredentials, remoteAddress, tlsSession);
        authenticationData = authState.getAuthDataSource();
        doAuthentication(connectCredentials);
    } catch (Exception e) {
        // Full detail stays in the server log; the client only receives a generic failure.
        LOG.warn("[{}] Unable to authenticate: ", remoteAddress, e);
        ctx.writeAndFlush(Commands.newError(-1, ServerError.AuthenticationError, "Failed to authenticate"));
        close();
    }
}
Use of org.apache.pulsar.common.api.AuthData in project kop by streamnative.
Class PlainSaslServerTest, method testAssignPrincipal.
private void testAssignPrincipal(String username, String role, String expectedRole) throws AuthenticationException, SaslException {
    // Roles the SASL server treats as trusted proxies.
    Set<String> trustedProxyRoles = new HashSet<>();
    trustedProxyRoles.add("proxy");
    trustedProxyRoles.add("secondproxy");

    // A fixed, already-complete auth state that always reports the requested role.
    AuthenticationState fixedState = new AuthenticationState() {
        @Override
        public String getAuthRole() throws AuthenticationException {
            return role;
        }

        @Override
        public AuthData authenticate(AuthData authData) throws AuthenticationException {
            return authData;
        }

        @Override
        public AuthenticationDataSource getAuthDataSource() {
            return null;
        }

        @Override
        public boolean isComplete() {
            return true;
        }
    };

    // Resolve the "token" auth method to a provider that hands back the fixed state for any input.
    AuthenticationProvider tokenProvider = mock(AuthenticationProvider.class);
    when(tokenProvider.newAuthState(any(AuthData.class), any(), any())).thenReturn(fixedState);
    AuthenticationService authService = mock(AuthenticationService.class);
    when(authService.getAuthenticationProvider(eq("token"))).thenReturn(tokenProvider);

    // SASL PLAIN message (NUL-separated fields); the last field carries a "token:..." credential.
    String plainMessage = "XXXXX\000" + username + "\000token:xxxxx";
    PlainSaslServer server = new PlainSaslServer(authService, null, trustedProxyRoles);
    server.evaluateResponse(plainMessage.getBytes(StandardCharsets.US_ASCII));

    assertEquals(server.getAuthorizationID(), expectedRole);
}
Use of org.apache.pulsar.common.api.AuthData in project pulsar by yahoo.
Class ServerCnx, method handleConnect.
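@Override
protected void handleConnect(CommandConnect connect) {
    checkArgument(state == State.Start);
    if (log.isDebugEnabled()) {
        log.debug("Received CONNECT from {}, auth enabled: {}:" + " has original principal = {}, original principal = {}",
                remoteAddress, service.isAuthenticationEnabled(), connect.hasOriginalPrincipal(),
                connect.hasOriginalPrincipal() ? connect.getOriginalPrincipal() : null);
    }
    String clientVersion = connect.getClientVersion();
    int clientProtocolVersion = connect.getProtocolVersion();
    features = new FeatureFlags();
    if (connect.hasFeatureFlags()) {
        features.copyFrom(connect.getFeatureFlags());
    }
    if (!service.isAuthenticationEnabled()) {
        // Authentication disabled: nothing to verify, complete the handshake immediately.
        completeConnect(clientProtocolVersion, clientVersion);
        return;
    }
    try {
        byte[] authData = connect.hasAuthData() ? connect.getAuthData() : emptyArray;
        AuthData clientData = AuthData.of(authData);
        // Resolve the auth method: explicit name, then the legacy enum form, otherwise "none".
        if (connect.hasAuthMethodName()) {
            authMethod = connect.getAuthMethodName();
        } else if (connect.hasAuthMethod()) {
            // Legacy client is passing enum; strip its fixed prefix and normalise to lower case.
            authMethod = connect.getAuthMethod().name().substring(10).toLowerCase();
        } else {
            authMethod = "none";
        }
        authenticationProvider = getBrokerService().getAuthenticationService().getAuthenticationProvider(authMethod);
        // No provider for this method (AuthenticationDisabled sets "none"): fall back to the configured
        // anonymous role, or reject the connection when there is none.
        if (authenticationProvider == null) {
            authRole = getBrokerService().getAuthenticationService().getAnonymousUserRole()
                    .orElseThrow(() -> new AuthenticationException("No anonymous role, and no authentication provider configured"));
            completeConnect(clientProtocolVersion, clientVersion);
            return;
        }
        // Hand the TLS session (if the channel is TLS-terminated) to the provider; how it is used is provider-specific.
        ChannelHandler sslHandler = ctx.channel().pipeline().get(PulsarChannelInitializer.TLS_HANDLER);
        SSLSession sslSession = null;
        if (sslHandler != null) {
            sslSession = ((SslHandler) sslHandler).engine().getSession();
        }
        authState = authenticationProvider.newAuthState(clientData, remoteAddress, sslSession);
        if (log.isDebugEnabled()) {
            // getAuthRole() may throw AuthenticationException; it then reaches the catch below like any other failure.
            String role = (authState != null && authState.isComplete())
                    ? authState.getAuthRole()
                    : "authentication incomplete or null";
            log.debug("[{}] Authenticate role : {}", remoteAddress, role);
        }
        state = doAuthentication(clientData, clientProtocolVersion, clientVersion);
        // Original principal (connections forwarded through a proxy):
        //  - with authenticateOriginalAuthData enabled, the forwarded credential is verified here;
        //  - otherwise the proxy-asserted principal is taken as-is, so its trustworthiness rests on the proxy
        //    (and on whatever proxy-role checks happen elsewhere).
        if (connect.hasOriginalPrincipal() && service.getPulsar().getConfig().isAuthenticateOriginalAuthData()) {
            String originalAuthMethod;
            if (connect.hasOriginalAuthMethod()) {
                originalAuthMethod = connect.getOriginalAuthMethod();
            } else {
                originalAuthMethod = "none";
            }
            AuthenticationProvider originalAuthenticationProvider = getBrokerService().getAuthenticationService().getAuthenticationProvider(originalAuthMethod);
            if (originalAuthenticationProvider == null) {
                throw new AuthenticationException(String.format("Can't find AuthenticationProvider for original role" + " using auth method [%s] is not available", originalAuthMethod));
            }
            // The forwarded credential arrives as a string field; decode it explicitly as UTF-8 instead of with the
            // platform default charset, which would otherwise corrupt non-ASCII credentials on some hosts.
            originalAuthState = originalAuthenticationProvider.newAuthState(
                    AuthData.of(connect.getOriginalAuthData().getBytes(java.nio.charset.StandardCharsets.UTF_8)),
                    remoteAddress, sslSession);
            originalAuthData = originalAuthState.getAuthDataSource();
            // NOTE(review): the role is read straight after newAuthState; for a provider that needs more than one
            // round this may be incomplete — confirm against the providers used with authenticateOriginalAuthData.
            originalPrincipal = originalAuthState.getAuthRole();
            if (log.isDebugEnabled()) {
                log.debug("[{}] Authenticate original role : {}", remoteAddress, originalPrincipal);
            }
        } else {
            originalPrincipal = connect.hasOriginalPrincipal() ? connect.getOriginalPrincipal() : null;
            if (log.isDebugEnabled()) {
                log.debug("[{}] Authenticate original role (forwarded from proxy): {}", remoteAddress, originalPrincipal);
            }
        }
    } catch (Exception e) {
        // Boundary handler: record the failure and the detail server-side, but send the client only a generic error.
        service.getPulsarStats().recordConnectionCreateFail();
        logAuthException(remoteAddress, "connect", getPrincipal(), Optional.empty(), e);
        String msg = "Unable to authenticate";
        ctx.writeAndFlush(Commands.newError(-1, ServerError.AuthenticationError, msg));
        close();
    }
}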