Google Git
Sign in
apache / pulsar / refs/tags/v2.6.3-candidate-1 / . / pulsar-proxy / src / test / java / org / apache / pulsar / proxy / server / ProxyRolesEnforcementTest.java
blob: 57018eae212dc2d38c7917c7ddd09bf5550ecc4c [file] [log] [blame]
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.pulsar.proxy.server;
import static org.mockito.Mockito.spy;
import com.google.common.collect.Sets;
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Optional;
import java.util.Set;
import javax.naming.AuthenticationException;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.broker.authentication.AuthenticationProvider;
import org.apache.pulsar.broker.authentication.AuthenticationService;
import org.apache.pulsar.client.admin.PulsarAdmin;
import org.apache.pulsar.client.api.Authentication;
import org.apache.pulsar.client.api.AuthenticationDataProvider;
import org.apache.pulsar.client.api.ProducerConsumerBase;
import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.common.configuration.PulsarConfigurationLoader;
import org.apache.pulsar.common.policies.data.AuthAction;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
public class ProxyRolesEnforcementTest extends ProducerConsumerBase {
private static final Logger log = LoggerFactory.getLogger(ProxyRolesEnforcementTest.class);
public static class BasicAuthenticationData implements AuthenticationDataProvider {
private String authParam;
public BasicAuthenticationData(String authParam) {
this.authParam = authParam;
}
public boolean hasDataFromCommand() {
return true;
}
public String getCommandData() {
return authParam;
}
public boolean hasDataForHttp() {
return true;
}
@Override
public Set<Entry<String, String>> getHttpHeaders() {
Map<String, String> headers = new HashMap<>();
headers.put("BasicAuthentication", authParam);
return headers.entrySet();
}
}
public static class BasicAuthentication implements Authentication {
private String authParam;
@Override
public void close() throws IOException {
// noop
}
@Override
public String getAuthMethodName() {
return "BasicAuthentication";
}
@Override
public AuthenticationDataProvider getAuthData() throws PulsarClientException {
try {
return new BasicAuthenticationData(authParam);
} catch (Exception e) {
throw new PulsarClientException(e);
}
}
@Override
public void configure(Map<String, String> authParams) {
this.authParam = authParams.get("authParam");
}
@Override
public void start() throws PulsarClientException {
// noop
}
}
public static class BasicAuthenticationProvider implements AuthenticationProvider {
@Override
public void close() throws IOException {
}
@Override
public void initialize(ServiceConfiguration config) throws IOException {
}
@Override
public String getAuthMethodName() {
return "BasicAuthentication";
}
@Override
public String authenticate(AuthenticationDataSource authData) throws AuthenticationException {
if (authData.hasDataFromCommand()) {
return authData.getCommandData();
} else if (authData.hasDataFromHttp()) {
return authData.getHttpHeader("BasicAuthentication");
}
return null;
}
}
@BeforeMethod
@Override
protected void setup() throws Exception {
conf.setAuthenticationEnabled(true);
conf.setAuthorizationEnabled(true);
conf.setBrokerClientAuthenticationPlugin(BasicAuthentication.class.getName());
conf.setBrokerClientAuthenticationParameters("authParam:broker");
Set<String> superUserRoles = new HashSet<String>();
superUserRoles.add("admin");
conf.setSuperUserRoles(superUserRoles);
Set<String> providers = new HashSet<String>();
providers.add(BasicAuthenticationProvider.class.getName());
conf.setAuthenticationProviders(providers);
conf.setClusterName("test");
Set<String> proxyRoles = new HashSet<String>();
proxyRoles.add("proxy");
conf.setProxyRoles(proxyRoles);
super.init();
createAdminClient();
producerBaseSetup();
}
@Override
@AfterMethod
protected void cleanup() throws Exception {
super.internalCleanup();
}
@Test
public void testIncorrectRoles() throws Exception {
log.info("-- Starting {} test --", methodName);
// Step 1: Create Admin Client
createAdminClient();
// create a client which connects to proxy and pass authData
String namespaceName = "my-property/my-ns";
String topicName = "persistent://my-property/my-ns/my-topic1";
String subscriptionName = "my-subscriber-name";
String clientAuthParams = "authParam:client";
String proxyAuthParams = "authParam:proxy";
admin.namespaces().grantPermissionOnNamespace(namespaceName, "proxy",
Sets.newHashSet(AuthAction.consume, AuthAction.produce));
admin.namespaces().grantPermissionOnNamespace(namespaceName, "client",
Sets.newHashSet(AuthAction.consume, AuthAction.produce));
// Step 2: Try to use proxy Client as a normal Client - expect exception
PulsarClient proxyClient = createPulsarClient(pulsar.getBrokerServiceUrl(), proxyAuthParams);
boolean exceptionOccurred = false;
try {
proxyClient.newConsumer().topic(topicName).subscriptionName(subscriptionName).subscribe();
} catch (Exception ex) {
exceptionOccurred = true;
}
Assert.assertTrue(exceptionOccurred);
// Step 3: Run Pulsar Proxy and pass proxy params as client params - expect exception
ProxyConfiguration proxyConfig = new ProxyConfiguration();
proxyConfig.setAuthenticationEnabled(true);
proxyConfig.setServicePort(Optional.of(0));
proxyConfig.setWebServicePort(Optional.of(0));
proxyConfig.setBrokerServiceURL(pulsar.getBrokerServiceUrl());
proxyConfig.setBrokerClientAuthenticationPlugin(BasicAuthentication.class.getName());
proxyConfig.setBrokerClientAuthenticationParameters(proxyAuthParams);
Set<String> providers = new HashSet<>();
providers.add(BasicAuthenticationProvider.class.getName());
proxyConfig.setAuthenticationProviders(providers);
ProxyService proxyService = new ProxyService(proxyConfig,
new AuthenticationService(
PulsarConfigurationLoader.convertFrom(proxyConfig)));
proxyService.start();
proxyClient = createPulsarClient(proxyService.getServiceUrl(), proxyAuthParams);
exceptionOccurred = false;
try {
proxyClient.newConsumer().topic(topicName).subscriptionName(subscriptionName).subscribe();
} catch (Exception ex) {
exceptionOccurred = true;
}
Assert.assertTrue(exceptionOccurred);
// Step 4: Pass correct client params
proxyClient = createPulsarClient(proxyService.getServiceUrl(), clientAuthParams);
proxyClient.newConsumer().topic(topicName).subscriptionName(subscriptionName).subscribe();
proxyClient.close();
proxyService.close();
}
private void createAdminClient() throws PulsarClientException {
String adminAuthParams = "authParam:admin";
admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrl.toString())
.authentication(BasicAuthentication.class.getName(), adminAuthParams).build());
}
private PulsarClient createPulsarClient(String proxyServiceUrl, String authParams) throws PulsarClientException {
return PulsarClient.builder().serviceUrl(proxyServiceUrl).authentication(BasicAuthentication.class.getName(),
authParams).build();
}
}