Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix][test] ProxyWithoutServiceDiscoveryTest should enable authz #20348

Merged
merged 1 commit into from
May 18, 2023
Merged

[fix][test] ProxyWithoutServiceDiscoveryTest should enable authz #20348

merged 1 commit into from
May 18, 2023

Conversation

michaeljmarshall
Copy link
Member

@michaeljmarshall michaeljmarshall commented May 18, 2023
edited
Loading

Motivation

The ProxyWithoutServiceDiscoveryTest is documented to verify e2e tls + Authentication + Authorization (client -> proxy -> broker). However, the TLS is insecure and authorization is disabled. This PR cleans up that test.

Modifications

  • Enable authorization in the broker config.
  • Replace the certs with ones provided by the parent class.
  • Add proxyRoles so authorization will pass.
  • Update the superUserRoles because the different certs have different CNs.
  • Enable secure TLS

Verifying this change

The test passes locally and the logs look right.

Documentation

  • doc-not-needed

@michaeljmarshall michaeljmarshall added this to the 3.1.0 milestone May 18, 2023
@michaeljmarshall michaeljmarshall requested a review from lhotari May 18, 2023 05:27
@michaeljmarshall michaeljmarshall self-assigned this May 18, 2023
tisonkun
tisonkun reviewed May 18, 2023
View reviewed changes
pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithoutServiceDiscoveryTest.java
@@ -198,10 +196,10 @@ public void testDiscoveryService() throws Exception {
}

protected final PulsarClient createPulsarClient(Authentication auth, String lookupUrl) throws Exception {
admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrlTls.toString()).tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
.allowTlsInsecureConnection(true).authentication(auth).build());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why remove allowTlsInsecureConnection(true)?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test is documented as verifying end to end TLS, but this setting disables verification of the TLS certificate, which defeats the purpose of testing TLS.

@codecov-commenter
Copy link

codecov-commenter commented May 18, 2023
edited
Loading

Codecov Report

Merging #20348 (7077502) into master (1a66b64) will increase coverage by 38.34%.
The diff coverage is 68.75%.

Impacted file tree graph

@@              Coverage Diff              @@
##             master   #20348       +/-   ##
=============================================
+ Coverage     34.55%   72.90%   +38.34%     
- Complexity    12631    31828    +19197     
=============================================
  Files          1614     1864      +250     
  Lines        126234   138281    +12047     
  Branches      13779    15172     +1393     
=============================================
+ Hits          43622   100812    +57190     
+ Misses        76999    29455    -47544     
- Partials       5613     8014     +2401
Flag Coverage Δ
inttests 24.22% <15.62%> (+0.10%) ⬆️
systests 24.92% <15.62%> (?)
unittests 72.18% <68.75%> (+38.88%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
...hentication/oidc/AuthenticationProviderOpenID.java 75.86% <ø> (+75.86%) ⬆️
...org/apache/pulsar/broker/ServiceConfiguration.java 99.37% <ø> (+1.45%) ⬆️
...apache/pulsar/broker/namespace/OwnershipCache.java 85.26% <ø> (+12.63%) ⬆️
...ache/pulsar/broker/namespace/NamespaceService.java 69.93% <20.00%> (+26.29%) ⬆️
...pache/pulsar/broker/admin/impl/NamespacesBase.java 71.76% <66.66%> (+45.65%) ⬆️
...e/pulsar/broker/authentication/oidc/JwksCache.java 66.66% <93.75%> (+66.66%) ⬆️
...ker/service/persistent/PersistentSubscription.java 75.91% <100.00%> (+25.83%) ⬆️

... and 1503 files with indirect coverage changes

lhotari
lhotari approved these changes May 18, 2023
View reviewed changes
Copy link
Member

@lhotari lhotari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@lhotari lhotari merged commit 2ebb379 into apache:master May 18, 2023
@michaeljmarshall michaeljmarshall deleted the fix-proxy-service-disco-test branch May 18, 2023 18:14
@michaeljmarshall michaeljmarshall mentioned this pull request May 19, 2023
Merged
1 task
lhotari pushed a commit that referenced this pull request Jan 26, 2024
@michaeljmarshall @lhotari
[fix][test] ProxyWithoutServiceDiscoveryTest should enable authz (#20348
d510b1d 
)

(cherry picked from commit 2ebb379)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tisonkun tisonkun tisonkun left review comments

@lhotari lhotari lhotari approved these changes

Assignees

@michaeljmarshall michaeljmarshall

Labels
area/proxy area/test cherry-picked/branch-3.0 cherry-picked/branch-3.1 doc-not-needed Your PR changes do not impact docs ready-to-test release/3.0.3 release/3.1.3
Projects
None yet
Milestone
3.1.0
Development

Successfully merging this pull request may close these issues.
4 participants
@michaeljmarshall @codecov-commenter @lhotari @tisonkun