[fix][broker]Check that the super user role is in the MultiRolesToken…

…AuthorizationProvider plugin (#20939) Fixed #20938
apache · Aug 11, 2023 · e41883e · e41883e
1 parent 9862884
commit e41883e
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 5 deletions.
diff --git a/...ain/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java b/...ain/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
@@ -89,15 +89,18 @@ public void initialize(ServiceConfiguration conf, PulsarResources pulsarResource
     @Override
     public CompletableFuture<Boolean> isSuperUser(String role, AuthenticationDataSource authenticationData,
                                                   ServiceConfiguration serviceConfiguration) {
-        Set<String> roles = getRoles(authenticationData);
-        if (roles.isEmpty()) {
-            return CompletableFuture.completedFuture(false);
-        }
+        // if superUser role contains in config, return true.
         Set<String> superUserRoles = serviceConfiguration.getSuperUserRoles();
         if (superUserRoles.isEmpty()) {
             return CompletableFuture.completedFuture(false);
         }
-
+        if (role != null && superUserRoles.contains(role)) {
+            return CompletableFuture.completedFuture(true);
+        }
+        Set<String> roles = getRoles(authenticationData);
+        if (roles.isEmpty()) {
+            return CompletableFuture.completedFuture(false);
+        }
         return CompletableFuture.completedFuture(roles.stream().anyMatch(superUserRoles::contains));
     }
 

diff --git a/...java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java b/...java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.java
@@ -31,6 +31,7 @@
 import org.testng.annotations.Test;
 
 import javax.crypto.SecretKey;
+import java.util.Set;
 import java.util.concurrent.CompletableFuture;
 
 public class MultiRolesTokenAuthorizationProviderTest {
@@ -198,4 +199,35 @@ public String getHttpHeader(String name) {
             return CompletableFuture.completedFuture(false);
         }).get());
     }
+
+    @Test
+    public void testMultiRolesAuthzWithSuperUser() throws Exception {
+        SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
+        String testAdminRole = "admin";
+        String token = Jwts.builder().claim("sub", testAdminRole).signWith(secretKey).compact();
+
+        ServiceConfiguration conf = new ServiceConfiguration();
+        conf.setSuperUserRoles(Set.of(testAdminRole));
+
+        MultiRolesTokenAuthorizationProvider provider = new MultiRolesTokenAuthorizationProvider();
+        provider.initialize(conf, mock(PulsarResources.class));
+
+        AuthenticationDataSource ads = new AuthenticationDataSource() {
+            @Override
+            public boolean hasDataFromHttp() {
+                return true;
+            }
+
+            @Override
+            public String getHttpHeader(String name) {
+                if (name.equals("Authorization")) {
+                    return "Bearer " + token;
+                } else {
+                    throw new IllegalArgumentException("Wrong HTTP header");
+                }
+            }
+        };
+
+        assertTrue(provider.isSuperUser(testAdminRole, ads, conf).get());
+    }
 }