Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
Let's say today if the leader sends a message to the replica and it takes more than 10s ( the default TTL timeout ) then PKIAuthenticationPlugin will not pass the principal and RuleBasedAuthorizationPlugin will notice this and throw a 401
PKIAuthenticationPlugin.java
if ((receivedTime - decipher.timestamp) > MAX_VALIDITY) { log.error("Invalid key request timestamp: {} , received timestamp: {} , TTL: {}", decipher.timestamp, receivedTime, MAX_VALIDITY); filterChain.doFilter(request, response); return true; }
RuleBasedAuthorizationPlugin.java
if (principal == null) { log.info("request has come without principal. failed permission {} ",permission); //this resource needs a principal but the request has come without //any credential. return MatchStatus.USER_REQUIRED; }
I was trying to verify this with PKIAuthenticationIntegrationTest but I noticed that since this test uses MockAuthorizationPlugin where no principal is treated as a 200 the test won't fail.
So we should enhance MockAuthorizationPlugin to treat no principal as a 401 and add a test in PKIAuthenticationIntegrationTest to verify the behaviour