Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[improve][authentication] Support for get token from HTTP params #16650

Merged
merged 1 commit into from
Jul 26, 2022
Merged

[improve][authentication] Support for get token from HTTP params #16650

merged 1 commit into from
Jul 26, 2022

Conversation

nodece
Copy link
Member

@nodece nodece commented Jul 18, 2022

Signed-off-by: Zixuan Liu nodeces@gmail.com

Fixes #16626

Motivation

A scenario that running the standalone Pulsar with WebSocket service, then using the token request param in a WebSocket URL gives an unauthorized response, it seems is not working as intended in the documentation, but it works using a separate WebSocket service.

The root cause is that we did not check whether the token is in the HTTP parameters.

Modifications

  • Add HttpServletRequestWrapper to support for get token from HTTP params
  • Add a test for this changes

Documentation

  • doc-not-needed

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Jul 18, 2022
@nodece nodece added cherry-picked/branch-2.7 Archived: 2.7 is end of life cherry-picked/branch-2.8 Archived: 2.8 is end of life cherry-picked/branch-2.9 Archived: 2.9 is end of life cherry-picked/branch-2.10 area/authn and removed doc-not-needed Your PR changes do not impact docs cherry-picked/branch-2.7 Archived: 2.7 is end of life labels Jul 18, 2022
@nodece nodece mentioned this pull request Jul 18, 2022
Closed
@nodece nodece removed cherry-picked/branch-2.8 Archived: 2.8 is end of life cherry-picked/branch-2.9 Archived: 2.9 is end of life cherry-picked/branch-2.10 labels Jul 18, 2022
acortes-okode
acortes-okode reviewed Jul 18, 2022
View reviewed changes
Copy link

@acortes-okode acortes-okode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, it's first time for me submitting a review so I'm not sure if I'm doing it correctly. I have written only one consideration about checking "Bearer " prefix and I tried to test the code by building it locally but it gave me compilation errors on 'pulsar-common' (I'm unable to make it work sorry)

...ommon/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java Outdated Show resolved Hide resolved
@Technoboy- Technoboy- added this to the 2.11.0 milestone Jul 18, 2022
@Technoboy- Technoboy- added area/broker doc-not-needed Your PR changes do not impact docs labels Jul 18, 2022
@nodece
[improve][authentication] Support for get token from HTTP params
10ad71a 
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
@nodece
Copy link
Member Author

nodece commented Jul 18, 2022

Hi, it's first time for me submitting a review so I'm not sure if I'm doing it correctly. I have written only one consideration about checking "Bearer " prefix and I tried to test the code by building it locally but it gave me compilation errors on 'pulsar-common' (I'm unable to make it work sorry)

You can use mvn clean install -Pcore-modules,-main -DskipTests -Dspotbugs.skip command to build this project.

@acortes-okode
Copy link

You can use mvn clean install -Pcore-modules,-main -DskipTests -Dspotbugs.skip command to build this project.

Thanks @nodece, I was able to pass the compilation problem on 'pulsar-common' but now I have others in 'managed-ledget', I think is something regarding lombok maybe since it says it cannot find some 'get' symbols. I'll try to figure out if I can later.

Anyways, I was trying to build it to test something I had in mind but maybe you could know it firsthand. The thing is, I'm not sure if AuthenticationProviderToken#newHttpAuthState is called for every HTTP request (correct me if I'm wrong) but, if it is, then I think one could manage to authenticate to other requests rather than the WebSocket one by using the token request query param (also not sure if this is intended). E.g.

curl "http://localhost:8080/admin/v2/brokers/configuration?token=ASDFGH...."

Thanks in advance!

@nodece
Copy link
Member Author

nodece commented Jul 19, 2022

You can use mvn clean install -Pcore-modules,-main -DskipTests -Dspotbugs.skip command to build this project.

Thanks @nodece, I was able to pass the compilation problem on 'pulsar-common' but now I have others in 'managed-ledget', I think is something regarding lombok maybe since it says it cannot find some 'get' symbols. I'll try to figure out if I can later.

Build Pulsar requires JDK 17.

Anyways, I was trying to build it to test something I had in mind but maybe you could know it firsthand. The thing is, I'm not sure if AuthenticationProviderToken#newHttpAuthState is called for every HTTP request (correct me if I'm wrong) but, if it is, then I think one could manage to authenticate to other requests rather than the WebSocket one by using the token request query param (also not sure if this is intended). E.g.

curl "http://localhost:8080/admin/v2/brokers/configuration?token=ASDFGH...."

Good idea, I verified that it worked.

@acortes-okode
Copy link

Anyways, I was trying to build it to test something I had in mind but maybe you could know it firsthand. The thing is, I'm not sure if AuthenticationProviderToken#newHttpAuthState is called for every HTTP request (correct me if I'm wrong) but, if it is, then I think one could manage to authenticate to other requests rather than the WebSocket one by using the token request query param (also not sure if this is intended). E.g.

curl "http://localhost:8080/admin/v2/brokers/configuration?token=ASDFGH...."

Good idea, I verified that it worked.

Hi @nodece, thanks for checking that!

Sorry since I think that I didn't expose correctly my concerns about that. They are regarding security, I think there is no other option than putting token information in the query param when there is a WebSocket request due to browser API limitations. But I think then that the token query param check should only be applied on WebSocket connection URIs (/ws/ and /ws/v2/) and not the rest.

Do not know if this could be addressed easily, maybe checking in the AuthorizationProviderToken for ws paths? I see references to this paths on pulsar-websocket classes:

But not in a "general" one, so maybe just check for /ws/** and /ws/v2/** in the same AuthorizationProviderToken is valid.

And I'm sure security here depends a lot on how Apache Pulsar is managed and if the users use that query param for other requests rather than the WebSocket ones but maybe it could be a security risk in some situations. I'm referencing an OWASP post about this.

Thank you again and sorry for not exposing clearly all my thoughts before!

@nodece
Copy link
Member Author

nodece commented Jul 20, 2022

@acortes-okode Thanks for your explanation about security!

But I think then that the token query param check should only be applied on WebSocket connection URIs (/ws/ and /ws/v2/) and not the rest.

You are right, we should add a filter to check the WebSocket connection URL.

And I'm sure security here depends a lot on how Apache Pulsar is managed and if the users use that query param for other requests rather than the WebSocket ones but maybe it could be a security risk in some situations. I'm referencing an OWASP post about this.

Hi @michaeljmarshall @lhotari, I think you will be interested in this, could you share your thoughts?

@codelipenghui codelipenghui modified the milestones: 2.11.0, 2.12.0 Jul 26, 2022
@Technoboy- Technoboy- merged commit 822f897 into apache:master Jul 26, 2022
@BewareMyPower
Copy link
Contributor

I found many code changes of this PR relies on #14044. @nodece Could you help verify whether could this PR cherry-picked into branch-2.8?

nodece added a commit to nodece/pulsar that referenced this pull request Jul 29, 2022
@nodece
[improve][authentication] Support for get token from HTTP params (apa…
1a5c6ae 
…che#16650)

(cherry picked from commit 822f897)
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
@nodece nodece mentioned this pull request Jul 29, 2022
Merged
4 tasks
@nodece
Copy link
Member Author

nodece commented Jul 29, 2022
edited
Loading

I found many code changes of this PR relies on #14044. @nodece Could you help verify whether could this PR cherry-picked into branch-2.8?

@BewareMyPower I submitted #16871 for branch-2.8.

BewareMyPower pushed a commit that referenced this pull request Jul 31, 2022
@nodece
[improve][authentication] Support for get token from HTTP params (#16650
91810ae 
) (#16871)

(cherry picked from commit 822f897)
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
@BewareMyPower
Copy link
Contributor

Move the release/2.8.4 label to #16871

@Jason918
Copy link
Contributor

Jason918 commented Aug 1, 2022

Move release/2.7.5 label to #16892

@codelipenghui
Copy link
Contributor

codelipenghui commented Aug 8, 2022
edited
Loading

@nodece I think we don't need to cherry-pick this one to release branches? PR #14044 only happened on the master branch and will release in 2.11.0

@nodece
Copy link
Member Author

nodece commented Aug 8, 2022

@nodece I think we don't need to cherry-pick this one to release branches? PR #14044 only happened on the master branch and will release in 2.11.0

#14044 improves the HTTP authentication that adds a new methods to passing the HTTP data, but this issue is still presents in the old version, so we need to cherry-pick to release branches.

@nodece nodece mentioned this pull request Aug 8, 2022
Merged
4 tasks
@nodece
Copy link
Member Author

nodece commented Aug 8, 2022

Move release/2.10.2 to #16986.

@nodece nodece mentioned this pull request Aug 8, 2022
Merged
4 tasks
@nodece
Copy link
Member Author

nodece commented Aug 8, 2022

Move release/2.9.4 label to #16987.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@acortes-okode acortes-okode acortes-okode left review comments

@Technoboy- Technoboy- Technoboy- approved these changes

@mattisonchao mattisonchao mattisonchao approved these changes

@michaeljmarshall michaeljmarshall Awaiting requested review from michaeljmarshall

@RobertIndie RobertIndie Awaiting requested review from RobertIndie

@codelipenghui codelipenghui Awaiting requested review from codelipenghui

@BewareMyPower BewareMyPower Awaiting requested review from BewareMyPower

@gaoran10 gaoran10 Awaiting requested review from gaoran10

Assignees

@nodece nodece

Labels
area/authn area/broker doc-not-needed Your PR changes do not impact docs
Projects
None yet
Milestone
2.11.0
7 participants
@nodece @acortes-okode @BewareMyPower @Jason918 @codelipenghui @Technoboy- @mattisonchao