Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable specifying allowed offset when verifying athenz role token #3187

Merged
merged 1 commit into from
Dec 13, 2018
Merged

Enable specifying allowed offset when verifying athenz role token #3187

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 22 additions & 1 deletion ...z/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenz.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.Lists;
import com.yahoo.athenz.auth.token.RoleToken;
import com.yahoo.athenz.zpe.AuthZpeClient;
Expand All @@ -41,8 +42,10 @@ public class AuthenticationProviderAthenz implements AuthenticationProvider {
private static final String DOMAIN_NAME_LIST = "athenzDomainNames";

private static final String SYS_PROP_DOMAIN_NAME_LIST = "pulsar.athenz.domain.names";
private static final String SYS_PROP_ALLOWED_OFFSET = "pulsar.athenz.role.token_allowed_offset";

private List<String> domainNameList = null;
private int allowedOffset = 30;

@Override
public void initialize(ServiceConfiguration config) throws IOException {
Expand All @@ -57,6 +60,20 @@ public void initialize(ServiceConfiguration config) throws IOException {

domainNameList = Lists.newArrayList(domainNames.split(","));
log.info("Supported domain names for athenz: {}", domainNameList);

if (!StringUtils.isEmpty(System.getProperty(SYS_PROP_ALLOWED_OFFSET))) {
try {
allowedOffset = Integer.parseInt(System.getProperty(SYS_PROP_ALLOWED_OFFSET));
} catch (NumberFormatException e) {
throw new IOException("Invalid allowed offset for athenz role token verification specified", e);
}

if (allowedOffset < 0) {
throw new IOException("Allowed offset for athenz role token verification must not be negative");
}
}

log.info("Allowed offset for athenz role token verification: {} sec", allowedOffset);
}

@Override
Expand Down Expand Up @@ -103,7 +120,6 @@ public String authenticate(AuthenticationDataSource authData) throws Authenticat
// Synchronize for non-thread safe static calls inside athenz library
synchronized (this) {
PublicKey ztsPublicKey = AuthZpeClient.getZtsPublicKey(token.getKeyId());
int allowedOffset = 0;

if (ztsPublicKey == null) {
throw new AuthenticationException("Unable to retrieve ZTS Public Key");
Expand All @@ -123,5 +139,10 @@ public String authenticate(AuthenticationDataSource authData) throws Authenticat
public void close() throws IOException {
}

@VisibleForTesting
int getAllowedOffset() {
return this.allowedOffset;
}

private static final Logger log = LoggerFactory.getLogger(AuthenticationProviderAthenz.class);
}
33 changes: 30 additions & 3 deletions ...c/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenzTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.broker.authentication.AuthenticationProviderAthenz;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
Expand Down Expand Up @@ -70,12 +71,38 @@ public void testInitilizeFromSystemPropeties() {
ServiceConfiguration emptyConf = new ServiceConfiguration();
Properties emptyProp = new Properties();
emptyConf.setProperties(emptyProp);
AuthenticationProviderAthenz sysPropProvider = new AuthenticationProviderAthenz();
AuthenticationProviderAthenz sysPropProvider1 = new AuthenticationProviderAthenz();
try {
sysPropProvider.initialize(emptyConf);
sysPropProvider1.initialize(emptyConf);
assertEquals(sysPropProvider1.getAllowedOffset(), 30); // default allowed offset is 30 sec
} catch (Exception e) {
fail("Fail to Read pulsar.athenz.domain.names from System Properties");
}

System.setProperty("pulsar.athenz.role.token_allowed_offset", "0");
AuthenticationProviderAthenz sysPropProvider2 = new AuthenticationProviderAthenz();
try {
sysPropProvider2.initialize(config);
assertEquals(sysPropProvider2.getAllowedOffset(), 0);
} catch (Exception e) {
fail("Failed to get allowd offset from system property");
}

System.setProperty("pulsar.athenz.role.token_allowed_offset", "invalid");
AuthenticationProviderAthenz sysPropProvider3 = new AuthenticationProviderAthenz();
try {
sysPropProvider3.initialize(config);
fail("Invalid allowed offset should not be specified");
} catch (IOException e) {
}

System.setProperty("pulsar.athenz.role.token_allowed_offset", "-1");
AuthenticationProviderAthenz sysPropProvider4 = new AuthenticationProviderAthenz();
try {
sysPropProvider4.initialize(config);
fail("Negative allowed offset should not be specified");
} catch (IOException e) {
}
}

@Test
Expand Down Expand Up @@ -133,4 +160,4 @@ public void testAuthenticateSignedTokenWithDifferentDomain() throws Exception {
// OK, expected
}
}
}
}