fix: Internal Server Error for /healthcheck endpoint in RBAC-enabled

[spena]

Description

Fixes #6479

Context:
There are endpoints in KsqlServerEndpoints that do not require a security context initialized. Some of these endpoints do not require authentication, so a security context should not be initialized because there is no Principal authenticated.

The current Vert.x code in KsqlServerEndpoints attempted to initialize the security context on endpoints where the user was not authenticated. This caused an error when calling these endpoints even with valid credentials. The fix was just to prevent initializing the security contexts, which is unnecessary.

Testing done

Added unit tests.
Verified manually with Confluent RBAC library.

• User:ksql has valid credentials and has authorization to the server.
• User:user1 has valid credentials but not authorization to the server.

1. Endpoints that required authentication only

curl   http://localhost:8088/info | jq .
{
  "@type": "generic_error",
  "error_code": 40100,
  "message": "Failed authentication"
}

curl -u user1:user1  http://localhost:8088/info | jq .
{
  "KsqlServerInfo": {
    "version": "6.1.0-0",
    "kafkaClusterId": "Bj_7MIRSQ36T97mtEimh-A",
    "ksqlServiceId": "default_",
    "serverStatus": "RUNNING"
  }
}

2. Endpoints that do not require authentication

 curl http://localhost:8088/v1/metadata/id 2>/dev/null | jq .
{
  "scope": {
    "path": [],
    "clusters": {
      "kafka-cluster": "Bj_7MIRSQ36T97mtEimh-A",
      "ksql-cluster": "default_"
    }
  },
  "id": ""
}

3. Endpoints that require authentication and authorization

$ curl http://localhost:8088/info 2>/dev/null | jq .
{
  "@type": "generic_error",
  "error_code": 40100,
  "message": "Failed authentication"
}

$ curl -u user1:user1 http://localhost:8088/status 2>/dev/null | jq .
{
  "@type": "generic_error",
  "error_code": 40300,
  "message": "You are forbidden from using this cluster."
}

$ curl -u ksql:ksql http://localhost:8088/status 2>/dev/null | jq .
{
  "commandStatuses": {
    "stream/`KSQL_PROCESSING_LOG`/create": "SUCCESS"
  }
}

Reviewer checklist

• Ensure docs are updated if necessary. (eg. if a user visible feature is being added or changed).
• Ensure relevant issues are linked (description should include text like "Fixes #")

[vcrfxia]

Hey @spena , I don't think this is the right way to address this bug. This PR fixes the issue for the default unauthenticated paths, but it doesn't solve the problem more generally. For example, if a user chooses to make the /ksql endpoint unauthenticated (not sure why anyone would do that but bear with me 😆), then they would again hit the bug in the Github issue. I'd need to dig into the code more in order to figure out the proper way to fix this. It might involve changes around ApiSecurityContext. Ping me tomorrow if you want to brainstorm together offline?

[vcrfxia]

Why can't this still be private?

[spena]

Left from another approach I was taking. Fixed.

[vcrfxia]

Can we move this into AuthenticationPluginHandler if we're going to rename it? It looks out of place here.

[spena]

done

[vcrfxia]

nit: can we rename this to sendPostRequest() in light of the new method above?

[spena]

done

[vcrfxia]

nit: can we rename this to sendPostRequestWithCreds() in light of the new method above?

[spena]

Done

[spena]

@vcrfxia You're right. I was expecting that whenever an endpoint required a service context, then the authentication would require a user to create one. It's just lucky that we don't have an endpoint that requires a service context with no authentication.

I fixed the issue, and now I create a default service context when there is a missing user. I left a comment in the code about why there's no problem about it.

I added tests to the DefaultKsqlServiceContextProvider, I copied the tests we had for this class (https://github.com/confluentinc/ksql/blob/5.5.x/ksqldb-rest-app/src/test/java/io/confluent/ksql/rest/server/context/KsqlSecurityContextBinderFactoryTest.java), and added just one when the user missing.

I also noticed that the AuthTest just tests Authentication and Authorization. It does not test the path when building the user context. So I removed the unnecessary code, and rely now On the DefaultKsqlServiceContextProviderTest to return the right service context without failing.

I verified the endpoints work manually again.

[vcrfxia]

Thanks @spena -- LGTM with a suggested update to clarify the missing user case.