
Commit 05c1e32

Make ZTS proxy configurable in athenz auth plugin (#1360)
1 parent 0e1c1d6 commit 05c1e32


2 files changed

+96
-9
lines changed


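--- a/pulsar/auth/athenz.go
+++ b/pulsar/auth/athenz.go
@@ -50,6 +50,7 @@ type athenzAuthProvider struct {
 principalHeader string
 roleHeader string
 ztsURL string
+ztsProxyURL string
 tokenBuilder zms.TokenBuilder
 roleToken zts.RoleToken
 zmsNewTokenBuilder func(domain, name string, privateKeyPEM []byte, keyVersion string) (zms.TokenBuilder, error)
@@ -78,6 +79,7 @@ func NewAuthenticationAthenzWithParams(params map[string]string) (Provider, erro
 params["principalHeader"],
 params["roleHeader"],
 params["ztsUrl"],
+params["ztsProxyUrl"],
 ), nil
 }
 
@@ -91,7 +93,8 @@ func NewAuthenticationAthenz(
 caCert string,
 principalHeader string,
 roleHeader string,
-ztsURL string) Provider {
+ztsURL string,
+ztsProxyURL string) Provider {
 fixedKeyID := defaultKeyID
 if keyID != "" {
 fixedKeyID = keyID
@@ -121,6 +124,7 @@ func NewAuthenticationAthenz(
 principalHeader: principalHeader,
 roleHeader: fixedRoleHeader,
 ztsURL: strings.TrimSuffix(ztsURL, "/"),
+ztsProxyURL: ztsProxyURL,
 zmsNewTokenBuilder: zms.NewTokenBuilder,
 ztsNewRoleToken: ztsNewRoleToken,
 ztsNewRoleTokenFromCert: ztsNewRoleTokenFromCert,
@@ -135,6 +139,7 @@ func (p *athenzAuthProvider) Init() error {
 var roleToken zts.RoleToken
 opts := zts.RoleTokenOptions{
 BaseZTSURL: p.ztsURL + "/zts/v1",
+ProxyURL: p.ztsProxyURL,
 MinExpire: minExpire,
 MaxExpire: maxExpire,
 PrefetchInterval: prefetchInterval,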
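Review bot: The proxy address reaches `ProxyURL: p.ztsProxyURL` in the Init hunk exactly as it arrived from `params["ztsProxyUrl"]`, with no parsing, while `ztsURL` on the line above it is at least trimmed in NewAuthenticationAthenz; a malformed value would only surface later as a failed role-token fetch with nothing pointing at the proxy setting. Since Init already returns an error, parsing the value there and rejecting one without a scheme or host makes the misconfiguration fail at startup, and because every ZTS token request is routed through this address the parameter belongs in the doc comment on NewAuthenticationAthenzWithParams as an optional `ztsProxyUrl` that forms part of the trust boundary. Note that adding a positional parameter to NewAuthenticationAthenz breaks existing direct callers, whereas the map-based constructor stays compatible; a compatibility wrapper or a mention in the commit message would help. Init starts before this hunk, and the check below needs net/url (and fmt, if not already present) in the file's import block.

```go
	// Reject a proxy setting that cannot be parsed up front so that a bad
	// ztsProxyUrl does not show up later as an opaque role-token fetch failure.
	if p.ztsProxyURL != "" {
		u, err := url.Parse(p.ztsProxyURL)
		if err != nil {
			return fmt.Errorf("parsing ztsProxyUrl %q: %w", p.ztsProxyURL, err)
		}
		if u.Scheme == "" || u.Host == "" {
			return fmt.Errorf("ztsProxyUrl %q must include a scheme and host", p.ztsProxyURL)
		}
	}
	var roleToken zts.RoleToken
	// … unchanged: RoleTokenOptions and role-token construction …
```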

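--- a/pulsar/auth/athenz_test.go
+++ b/pulsar/auth/athenz_test.go
@@ -118,7 +118,11 @@ func MockZtsNewRoleToken(tok zms.Token, domain string, opts zts.RoleTokenOptions
 }
 
 mockRoleToken := new(MockRoleToken)
-mockRoleToken.On("RoleTokenValue").Return("mockRoleToken", nil)
+if opts.ProxyURL == "" {
+mockRoleToken.On("RoleTokenValue").Return("mockRoleToken", nil)
+} else {
+mockRoleToken.On("RoleTokenValue").Return("mockRoleToken-"+opts.ProxyURL, nil)
+}
 mockRoleToken.On("StartPrefetcher").Return(nil)
 mockRoleToken.On("StopPrefetcher").Return(nil)
 return mockRoleToken
@@ -136,7 +140,11 @@ func MockZtsNewRoleTokenFromCert(certFile, keyFile, domain string, opts zts.Role
 }
 
 mockRoleToken := new(MockRoleToken)
-mockRoleToken.On("RoleTokenValue").Return("mockRoleTokenFromCert", nil)
+if opts.ProxyURL == "" {
+mockRoleToken.On("RoleTokenValue").Return("mockRoleTokenFromCert", nil)
+} else {
+mockRoleToken.On("RoleTokenValue").Return("mockRoleTokenFromCert-"+opts.ProxyURL, nil)
+}
 mockRoleToken.On("StartPrefetcher").Return(nil)
 mockRoleToken.On("StopPrefetcher").Return(nil)
 return mockRoleToken
@@ -154,7 +162,8 @@ func TestAthenzAuth(t *testing.T) {
 "", // caCert
 "", // principalHeader
 "", // roleHeader
-"http://localhost:9999") // ztsURL
+"http://localhost:9999", // ztsURL
+"") // ztsProxyURL
 
 // inject mock function
 athenz := provider.(*athenzAuthProvider)
@@ -174,6 +183,39 @@ func TestAthenzAuth(t *testing.T) {
 assert.False(t, athenz.roleToken.(*MockRoleToken).isPrefetcherStarted)
 }
 
+func TestAthenzAuthWithProxy(t *testing.T) {
+privateKey := "file://" + clientKeyPath
+provider := NewAuthenticationAthenz(
+"pulsar.test.provider", // providerDomain
+"pulsar.test.tenant", // tenantDomain
+"service", // tenantService
+privateKey, // privateKey
+"", // keyID
+"", // x509CertChain
+"", // caCert
+"", // principalHeader
+"", // roleHeader
+"http://localhost:9999", // ztsURL
+"http://localhost:8080") // ztsProxyURL
+
+// inject mock function
+athenz := provider.(*athenzAuthProvider)
+athenz.zmsNewTokenBuilder = MockZmsNewTokenBuilder
+athenz.ztsNewRoleToken = MockZtsNewRoleToken
+
+err := athenz.Init()
+assert.NoError(t, err)
+assert.True(t, athenz.roleToken.(*MockRoleToken).isPrefetcherStarted)
+
+data, err := athenz.GetData()
+assert.Equal(t, []byte("mockRoleToken-http://localhost:8080"), data)
+assert.NoError(t, err)
+
+err = athenz.Close()
+assert.NoError(t, err)
+assert.False(t, athenz.roleToken.(*MockRoleToken).isPrefetcherStarted)
+}
+
 func TestCopperArgos(t *testing.T) {
 privateKey := "file://" + clientKeyPath
 x509CertChain := "file://" + clientCertPath
@@ -189,7 +231,8 @@ func TestCopperArgos(t *testing.T) {
 caCert, // caCert
 "", // principalHeader
 "", // roleHeader
-"http://localhost:9999") // ztsURL
+"http://localhost:9999", // ztsURL
+"") // ztsProxyURL
 
 // inject mock function
 athenz := provider.(*athenzAuthProvider)
@@ -208,6 +251,41 @@ func TestCopperArgos(t *testing.T) {
 assert.False(t, athenz.roleToken.(*MockRoleToken).isPrefetcherStarted)
 }
 
+func TestCopperArgosWithProxy(t *testing.T) {
+privateKey := "file://" + clientKeyPath
+x509CertChain := "file://" + clientCertPath
+caCert := "file://" + caCertPath
+
+provider := NewAuthenticationAthenz(
+"pulsar.test.provider", // providerDomain
+"", // tenantDomain
+"", // tenantService
+privateKey, // privateKey
+"", // keyID
+x509CertChain, // x509CertChain
+caCert, // caCert
+"", // principalHeader
+"", // roleHeader
+"http://localhost:9999", // ztsURL
+"http://localhost:8080") // ztsProxyURL
+
+// inject mock function
+athenz := provider.(*athenzAuthProvider)
+athenz.ztsNewRoleTokenFromCert = MockZtsNewRoleTokenFromCert
+
+err := athenz.Init()
+assert.NoError(t, err)
+assert.True(t, athenz.roleToken.(*MockRoleToken).isPrefetcherStarted)
+
+data, err := athenz.GetData()
+assert.Equal(t, []byte("mockRoleTokenFromCert-http://localhost:8080"), data)
+assert.NoError(t, err)
+
+err = athenz.Close()
+assert.NoError(t, err)
+assert.False(t, athenz.roleToken.(*MockRoleToken).isPrefetcherStarted)
+}
+
 func TestIllegalParams(t *testing.T) {
 privateKey := "file://" + clientKeyPath
 x509CertChain := "file://" + clientCertPath
@@ -222,7 +300,8 @@ func TestIllegalParams(t *testing.T) {
 "", // caCert
 "", // principalHeader
 "", // roleHeader
-"http://localhost:9999") // ztsURL
+"http://localhost:9999", // ztsURL
+"") // ztsProxyURL
 athenz := provider.(*athenzAuthProvider)
 
 err := athenz.Init()
@@ -239,7 +318,8 @@ func TestIllegalParams(t *testing.T) {
 "", // caCert
 "", // principalHeader
 "", // roleHeader
-"http://localhost:9999") // ztsURL
+"http://localhost:9999", // ztsURL
+"") // ztsProxyURL
 athenz = provider.(*athenzAuthProvider)
 
 err = athenz.Init()
@@ -256,7 +336,8 @@ func TestIllegalParams(t *testing.T) {
 "", // caCert
 "", // principalHeader
 "", // roleHeader
-"http://localhost:9999") // ztsURL
+"http://localhost:9999", // ztsURL
+"") // ztsProxyURL
 athenz = provider.(*athenzAuthProvider)
 
 err = athenz.Init()
@@ -273,7 +354,8 @@ func TestIllegalParams(t *testing.T) {
 "", // caCert
 "", // principalHeader
 "", // roleHeader
-"http://localhost:9999") // ztsURL
+"http://localhost:9999", // ztsURL
+"") // ztsProxyURL
 athenz = provider.(*athenzAuthProvider)
 
 err = athenz.Init()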
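Review bot: TestAthenzAuthWithProxy in the `@@ -174,6 +183,39 @@` hunk repeats the body of TestAthenzAuth line for line, differing only in the `ztsProxyURL` argument and the expected `[]byte("mockRoleToken-http://localhost:8080")`, and TestCopperArgosWithProxy does the same against TestCopperArgos; a table-driven loop over `cases := []struct{ proxy, want string }{{"", "mockRoleToken"}, {"http://localhost:8080", "mockRoleToken-http://localhost:8080"}}` with `t.Run` per case would keep the proxy and non-proxy variants from drifting apart as further constructor parameters are added. The only proxy value exercised anywhere is a well-formed one; because Init forwards `p.ztsProxyURL` into `zts.RoleTokenOptions` without inspection, nothing pins what a malformed proxy URL does, which is worth a case in TestIllegalParams once that behaviour is decided. The mock's `opts.ProxyURL == ""` branch is an adequate way to observe the option reaching the client, though a short comment such as `// encode the proxy into the token so tests can see it was forwarded` would explain the otherwise odd token suffix.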
