  1. Solr
  2. SOLR-11827

MockAuthorizationPlugin should return 401 if no principal is specified


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels:
      None

      Description

      Let's say today the leader sends a message to the replica and it takes more than 10s (the default TTL timeout); then PKIAuthenticationPlugin will not pass the principal, and RuleBasedAuthorizationPlugin will notice this and throw a 401.

      PKIAuthenticationPlugin.java
          if ((receivedTime - decipher.timestamp) > MAX_VALIDITY) {
              log.error("Invalid key request timestamp: {} , received timestamp: {} , TTL: {}", decipher.timestamp, receivedTime, MAX_VALIDITY);
              filterChain.doFilter(request, response);
              return true;
          }
      
      RuleBasedAuthorizationPlugin.java
          if (principal == null) {
              log.info("request has come without principal. failed permission {} ",permission);
              //this resource needs a principal but the request has come without
              //any credential.
              return MatchStatus.USER_REQUIRED;
          }
      

      I was trying to verify this with PKIAuthenticationIntegrationTest, but I noticed that since this test uses MockAuthorizationPlugin, where no principal is treated as a 200, the test won't fail.

      So we should enhance MockAuthorizationPlugin to treat no principal as a 401 and add a test in PKIAuthenticationIntegrationTest to verify the behaviour.

            People

            • Assignee:
              Unassigned
              Reporter:
              varunthacker Varun Thacker
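
The test gap described in this issue, as an added sketch that is not Solr code and not part of the original report: a simplified model of the two quoted checks, showing that an expired PKI timestamp only surfaces as a 401 when the authorization step rejects a missing principal. The class and member names (`MissingPrincipalDemo`, `authenticate`, `STRICT`, `PERMISSIVE_MOCK`, `handle`), the node name and the delays are hypothetical or constructed.

```java
import java.util.Optional;

public class MissingPrincipalDemo {
    // 10s default TTL, as stated in the issue description.
    static final long MAX_VALIDITY_MS = 10_000;

    // Models the quoted PKI check: an expired timestamp does not reject the
    // request, it just lets it continue down the chain with no principal set.
    static Optional<String> authenticate(String node, long sentAt, long receivedAt) {
        if (receivedAt - sentAt > MAX_VALIDITY_MS) {
            return Optional.empty();
        }
        return Optional.of(node);
    }

    interface Authorizer {
        int authorize(Optional<String> principal);
    }

    // Models the quoted rule-based check: no principal means 401.
    static final Authorizer STRICT = p -> p.isPresent() ? 200 : 401;

    // Models the mock as the issue describes it: no principal is treated as 200.
    static final Authorizer PERMISSIVE_MOCK = p -> 200;

    // One inter-node request: authenticate, then authorize, return the status.
    static int handle(Authorizer authz, long sentAt, long receivedAt) {
        return authz.authorize(authenticate("node1", sentAt, receivedAt));
    }

    public static void main(String[] args) {
        long sentAt = 0;
        // Constructed delays on either side of the TTL boundary.
        long[] delaysMs = {2_000, 10_000, 10_001, 15_000};
        for (long d : delaysMs) {
            int strict = handle(STRICT, sentAt, sentAt + d);
            int mock = handle(PERMISSIVE_MOCK, sentAt, sentAt + d);
            // A test that asserts only on the mock's status cannot tell an
            // expired request from a valid one; the strict authorizer can.
            System.out.printf("delay=%dms strict=%d mock=%d masked=%b%n",
                    d, strict, mock, strict != mock);
        }
    }
}
```

Rows where `masked` is true are the requests an integration test would wrongly pass while it runs against an authorizer that accepts a missing principal.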