PIP-30: interface and mutual change authentication

pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataSource.java

@@ -18,8 +18,10 @@
  */
 package org.apache.pulsar.broker.authentication;
 
+import java.io.IOException;
 import java.net.SocketAddress;
 import java.security.cert.Certificate;
+import org.apache.pulsar.common.api.AuthData;
 
 /**
  * Interface for accessing data which are used in variety of authentication schemes on server side
@@ -31,15 +33,15 @@ public interface AuthenticationDataSource {
 
     /**
      * Check if data from TLS are available.
-     * 
+     *
      * @return true if this authentication data contain data from TLS
      */
     default boolean hasDataFromTls() {
         return false;
     }
 
     /**
-     * 
+     *
      * @return a client certificate chain, or null if the data are not available
      */
     default Certificate[] getTlsCertificates() {
@@ -52,23 +54,23 @@ default Certificate[] getTlsCertificates() {
 
     /**
      * Check if data from HTTP are available.
-     * 
+     *
      * @return true if this authentication data contain data from HTTP
      */
     default boolean hasDataFromHttp() {
         return false;
     }
 
     /**
-     * 
+     *
      * @return a authentication scheme, or <code>null<c/ode> if the request is not be authenticated
      */
     default String getHttpAuthType() {
         return null;
     }
 
     /**
-     * 
+     *
      * @return a <code>String</code> containing the value of the specified header, or <code>null</code> if the header
      *         does not exist.
      */
@@ -82,36 +84,44 @@ default String getHttpHeader(String name) {
 
     /**
      * Check if data from Pulsar protocol are available.
-     * 
+     *
      * @return true if this authentication data contain data from Pulsar protocol
      */
     default boolean hasDataFromCommand() {
         return false;
     }
 
     /**
-     * 
+     *
      * @return authentication data which is stored in a command
      */
     default String getCommandData() {
         return null;
     }
 
+    /**
+     * Evaluate and challenge the data that passed in, and return processed data back.
+     * It is used for mutual authentication like SASL.
+     */
+    default AuthData authenticate(AuthData data) throws IOException {
+        throw new UnsupportedOperationException();
+    }
+
     /*
      * Peer
      */
 
     /**
      * Check if data from peer are available.
-     * 
+     *
      * @return true if this authentication data contain data from peer
      */
     default boolean hasDataFromPeer() {
         return false;
     }
 
     /**
-     * 
+     *
      * @return a <code>String</code> containing the IP address of the client
      */
     default SocketAddress getPeerAddress() {

pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProvider.java

@@ -21,9 +21,12 @@
 import java.io.Closeable;
 import java.io.IOException;
 
+import java.net.SocketAddress;
 import javax.naming.AuthenticationException;
 
+import javax.net.ssl.SSLSession;
 import org.apache.pulsar.broker.ServiceConfiguration;
+import org.apache.pulsar.common.api.AuthData;
 
 /**
  * Provider of authentication mechanism
@@ -46,14 +49,28 @@ public interface AuthenticationProvider extends Closeable {
     String getAuthMethodName();
 
     /**
-     * Validate the authentication for the given credentials with the specified authentication data
-     * 
+     * Validate the authentication for the given credentials with the specified authentication data.
+     * This method is useful in one stage authn, if you're not doing one stage or if you're providing
+     * your own state implementation for one stage authn, it should throw an exception.
+     *
      * @param authData
      *            provider specific authentication data
      * @return the "role" string for the authenticated connection, if the authentication was successful
      * @throws AuthenticationException
      *             if the credentials are not valid
      */
-    String authenticate(AuthenticationDataSource authData) throws AuthenticationException;
+    default String authenticate(AuthenticationDataSource authData) throws AuthenticationException {
+        throw new AuthenticationException("Not supported");
+    }
+
+    /**
+     * Create an authentication data State use passed in AuthenticationDataSource.
+     */
+    default AuthenticationState newAuthState(AuthData authData,
+                                             SocketAddress remoteAddress,
+                                             SSLSession sslSession)
+        throws AuthenticationException{
+        return new OneStageAuthenticationState(authData, remoteAddress, sslSession, this);
+    }
 
 }

pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationService.java

@@ -22,6 +22,7 @@
 import java.io.IOException;
 import java.util.Map;
 
+import java.util.Optional;
 import javax.naming.AuthenticationException;
 import javax.servlet.http.HttpServletRequest;
 
@@ -105,6 +106,18 @@ public String authenticateHttpRequest(HttpServletRequest request) throws Authent
         }
     }
 
+    public AuthenticationProvider getAuthenticationProvider(String authMethodName) {
+        return providers.get(authMethodName);
+    }
+
+    // called when authn enabled, but no authentication provided
+    public Optional<String> getAnonymousUserRole() {
+        if (StringUtils.isNotBlank(anonymousUserRole)) {
+            return Optional.of(anonymousUserRole);
+        }
+        return Optional.empty();
+    }
+
     @Override
     public void close() throws IOException {
         for (AuthenticationProvider provider : providers.values()) {

pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationState.java

@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.pulsar.broker.authentication;
+
+import javax.naming.AuthenticationException;
+import org.apache.pulsar.common.api.AuthData;
+
+/**
+ * Interface for authentication state.
+ *
+ * It tell broker whether the authentication is completed or not,
+ * if completed, what is the AuthRole is.
+ */
+public interface AuthenticationState {
+    /**
+     * After the authentication between client and broker completed,
+     * get authentication role represent for the client.
+     * It should throw exception if auth not complete.
+     */
+    String getAuthRole() throws AuthenticationException;
+
+    /**
+     * Challenge passed in auth data and get response data.
+     */
+    AuthData authenticate(AuthData authData) throws AuthenticationException;
+
+    /**
+     * Return AuthenticationDataSource.
+     */
+    AuthenticationDataSource getAuthDataSource();
+
+    /**
+     * Whether the authentication is completed or not
+     */
+    boolean isComplete();
+}

pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/OneStageAuthenticationState.java

@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.pulsar.broker.authentication;
+
+import java.net.SocketAddress;
+import javax.naming.AuthenticationException;
+import javax.net.ssl.SSLSession;
+import org.apache.pulsar.common.api.AuthData;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+/**
+ * Interface for authentication state.
+ *
+ * It tell broker whether the authentication is completed or not,
+ * if completed, what is the AuthRole is.
+ */
+public class OneStageAuthenticationState implements AuthenticationState {
+
+    private final AuthenticationDataSource authenticationDataSource;
+    private final String authRole;
+
+    public OneStageAuthenticationState(AuthData authData,
+                                       SocketAddress remoteAddress,
+                                       SSLSession sslSession,
+                                       AuthenticationProvider provider) throws AuthenticationException {
+        this.authenticationDataSource = new AuthenticationDataCommand(
+            new String(authData.getBytes(), UTF_8), remoteAddress, sslSession);;
+        this.authRole = provider.authenticate(authenticationDataSource);
+    }
+
+    @Override
+    public String getAuthRole() {
+        return authRole;
+    }
+
+    @Override
+    public AuthenticationDataSource getAuthDataSource() {
+        return authenticationDataSource;
+    }
+
+    @Override
+    public AuthData authenticate(AuthData authData) {
+        return null;
+    }
+
+    @Override
+    public boolean isComplete() {
+        return true;
+    }
+}