[fix][proxy] Fix refresh client auth

Signed-off-by: Zixuan Liu <nodeces@gmail.com>

Author: nodece

pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java

@@ -44,6 +44,7 @@
 import java.util.concurrent.Semaphore;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicIntegerFieldUpdater;
+import javax.naming.AuthenticationException;
 import lombok.AccessLevel;
 import lombok.Getter;
 import org.apache.commons.lang3.exception.ExceptionUtils;
@@ -253,8 +254,25 @@ public void channelActive(ChannelHandlerContext ctx) throws Exception {
         } else {
             log.info("{} Connected through proxy to target broker at {}", ctx.channel(), proxyToTargetBrokerAddress);
         }
-        // Send CONNECT command
-        ctx.writeAndFlush(newConnectCommand())
+        completeActive();
+    }
+
+    protected void completeActive() throws Exception {
+        sendConnectCommand(null, null, null);
+    }
+
+    protected final void sendConnectCommand(String originalPrincipal, AuthData originalAuthData,
+                                            String originalAuthMethod) throws Exception {
+        // mutual authentication is to auth between `remoteHostName` and this client for this channel.
+        // each channel will have a mutual client/server pair, mutual client evaluateChallenge with init data,
+        // and return authData to server.
+        authenticationDataProvider = authentication.getAuthData(remoteHostName);
+        AuthData authData = authenticationDataProvider.authenticate(AuthData.INIT_AUTH_DATA);
+
+        ByteBuf byteBuf = Commands.newConnect(authentication.getAuthMethodName(), authData, this.protocolVersion,
+                PulsarVersion.getVersion(), proxyToTargetBrokerAddress, originalPrincipal, originalAuthData,
+                originalAuthMethod);
+        ctx.writeAndFlush(byteBuf)
                 .addListener(future -> {
                     if (future.isSuccess()) {
                         if (log.isDebugEnabled()) {
@@ -268,16 +286,6 @@ public void channelActive(ChannelHandlerContext ctx) throws Exception {
                 });
     }
 
-    protected ByteBuf newConnectCommand() throws Exception {
-        // mutual authentication is to auth between `remoteHostName` and this client for this channel.
-        // each channel will have a mutual client/server pair, mutual client evaluateChallenge with init data,
-        // and return authData to server.
-        authenticationDataProvider = authentication.getAuthData(remoteHostName);
-        AuthData authData = authenticationDataProvider.authenticate(AuthData.INIT_AUTH_DATA);
-        return Commands.newConnect(authentication.getAuthMethodName(), authData, this.protocolVersion,
-                PulsarVersion.getVersion(), proxyToTargetBrokerAddress, null, null, null);
-    }
-
     @Override
     public void channelInactive(ChannelHandlerContext ctx) throws Exception {
         super.channelInactive(ctx);
@@ -361,51 +369,54 @@ protected void handleConnected(CommandConnected connected) {
         state = State.Ready;
     }
 
-    @Override
-    protected void handleAuthChallenge(CommandAuthChallenge authChallenge) {
-        checkArgument(authChallenge.hasChallenge());
-        checkArgument(authChallenge.getChallenge().hasAuthData());
+    protected final void sendMutualAuthCommand(String authMethod, AuthData authData) {
+        if (log.isDebugEnabled()) {
+            log.debug("{} Mutual auth {}", ctx.channel(), authMethod);
+        }
 
+        ByteBuf request = Commands.newAuthResponse(authMethod,
+                authData,
+                this.protocolVersion,
+                PulsarVersion.getVersion());
+
+        ctx.writeAndFlush(request).addListener(writeFuture -> {
+            if (!writeFuture.isSuccess()) {
+                log.warn("{} Failed to send request for mutual auth to broker: {}", ctx.channel(),
+                        writeFuture.cause().getMessage());
+                close(writeFuture.cause());
+            }
+        });
+    }
+
+    protected void prepareMutualAuth(CommandAuthChallenge authChallenge) throws AuthenticationException {
         if (Arrays.equals(AuthData.REFRESH_AUTH_DATA_BYTES, authChallenge.getChallenge().getAuthData())) {
             try {
                 authenticationDataProvider = authentication.getAuthData(remoteHostName);
             } catch (PulsarClientException e) {
                 log.error("{} Error when refreshing authentication data provider: {}", ctx.channel(), e);
-                connectionFuture.completeExceptionally(e);
+                close(e);
                 return;
             }
         }
-
         // mutual authn. If auth not complete, continue auth; if auth complete, complete connectionFuture.
-        try {
-            AuthData authData = authenticationDataProvider
-                .authenticate(AuthData.of(authChallenge.getChallenge().getAuthData()));
-
-            checkState(!authData.isComplete());
-
-            ByteBuf request = Commands.newAuthResponse(authentication.getAuthMethodName(),
-                authData,
-                this.protocolVersion,
-                PulsarVersion.getVersion());
-
-            if (log.isDebugEnabled()) {
-                log.debug("{} Mutual auth {}", ctx.channel(), authentication.getAuthMethodName());
-            }
-
-            ctx.writeAndFlush(request).addListener(writeFuture -> {
-                if (!writeFuture.isSuccess()) {
-                    log.warn("{} Failed to send request for mutual auth to broker: {}", ctx.channel(),
-                        writeFuture.cause().getMessage());
-                    connectionFuture.completeExceptionally(writeFuture.cause());
-                }
-            });
+        AuthData authData =
+                authenticationDataProvider.authenticate(AuthData.of(authChallenge.getChallenge().getAuthData()));
+        checkState(!authData.isComplete());
+        sendMutualAuthCommand(authentication.getAuthMethodName(), authData);
+    }
 
+    @Override
+    protected void handleAuthChallenge(CommandAuthChallenge authChallenge) {
+        checkArgument(authChallenge.hasChallenge());
+        checkArgument(authChallenge.getChallenge().hasAuthData());
+        try {
+            prepareMutualAuth(authChallenge);
             if (state == State.SentConnectFrame) {
                 state = State.Connecting;
             }
         } catch (Exception e) {
             log.error("{} Error mutual verify: {}", ctx.channel(), e);
-            connectionFuture.completeExceptionally(e);
+            close(e);
             return;
         }
     }
@@ -1243,6 +1254,13 @@ public void close() {
        }
     }
 
+    public void close(Throwable e) {
+       if (ctx != null) {
+           ctx.close();
+           connectionFuture.completeExceptionally(e);
+       }
+    }
+
     private void checkRequestTimeout() {
         while (!requestTimeoutQueue.isEmpty()) {
             RequestTime request = requestTimeoutQueue.peek();

pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyClientCnx.java

@@ -18,46 +18,66 @@
  */
 package org.apache.pulsar.proxy.server;
 
-import io.netty.buffer.ByteBuf;
 import io.netty.channel.EventLoopGroup;
-import org.apache.pulsar.PulsarVersion;
+import java.util.Arrays;
+import java.util.concurrent.CompletableFuture;
+import java.util.function.Function;
+import javax.naming.AuthenticationException;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.pulsar.client.impl.ClientCnx;
 import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
 import org.apache.pulsar.common.api.AuthData;
-import org.apache.pulsar.common.protocol.Commands;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.pulsar.common.api.proto.CommandAuthChallenge;
 
+@Slf4j
 public class ProxyClientCnx extends ClientCnx {
-
-    String clientAuthRole;
-    AuthData clientAuthData;
-    String clientAuthMethod;
-    int protocolVersion;
+    private final boolean forwardClientAuth;
+    private final String clientAuthMethod;
+    private final String clientAuthRole;
+    private final Function<Boolean, CompletableFuture<AuthData>> clientAuthDataSupplier;
 
     public ProxyClientCnx(ClientConfigurationData conf, EventLoopGroup eventLoopGroup, String clientAuthRole,
-                          AuthData clientAuthData, String clientAuthMethod, int protocolVersion) {
-        super(conf, eventLoopGroup);
+                          Function<Boolean, CompletableFuture<AuthData>> clientAuthDataSupplier,
+                          String clientAuthMethod,
+                          int protocolVersion, boolean forwardClientAuth) {
+        super(conf, eventLoopGroup, protocolVersion);
         this.clientAuthRole = clientAuthRole;
-        this.clientAuthData = clientAuthData;
+        this.clientAuthDataSupplier = clientAuthDataSupplier;
         this.clientAuthMethod = clientAuthMethod;
-        this.protocolVersion = protocolVersion;
+        this.forwardClientAuth = forwardClientAuth;
     }
 
     @Override
-    protected ByteBuf newConnectCommand() throws Exception {
-        if (log.isDebugEnabled()) {
-            log.debug("New Connection opened via ProxyClientCnx with params clientAuthRole = {},"
-                            + " clientAuthData = {}, clientAuthMethod = {}",
-                    clientAuthRole, clientAuthData, clientAuthMethod);
+    protected void completeActive() throws Exception {
+        if (!forwardClientAuth) {
+            super.completeActive();
+            return;
         }
 
-        authenticationDataProvider = authentication.getAuthData(remoteHostName);
-        AuthData authData = authenticationDataProvider.authenticate(AuthData.INIT_AUTH_DATA);
-        return Commands.newConnect(authentication.getAuthMethodName(), authData, this.protocolVersion,
-            PulsarVersion.getVersion(), proxyToTargetBrokerAddress, clientAuthRole, clientAuthData,
-            clientAuthMethod);
+        clientAuthDataSupplier.apply(false).thenAccept(clientAuthData -> {
+            try {
+                sendConnectCommand(clientAuthRole, clientAuthData, clientAuthMethod);
+            } catch (Exception e) {
+                log.error("{} Error during handshake", ctx.channel(), e);
+                close(e);
+            }
+        });
     }
 
-    private static final Logger log = LoggerFactory.getLogger(ProxyClientCnx.class);
+    @Override
+    protected void prepareMutualAuth(CommandAuthChallenge authChallenge) throws AuthenticationException {
+        boolean isRefresh = Arrays.equals(AuthData.REFRESH_AUTH_DATA_BYTES, authChallenge.getChallenge().getAuthData());
+        if (!forwardClientAuth || !isRefresh) {
+            super.prepareMutualAuth(authChallenge);
+            return;
+        }
+
+        clientAuthDataSupplier.apply(true).thenAccept(originalClientAuthData -> {
+            sendMutualAuthCommand(clientAuthMethod, originalClientAuthData);
+        }).exceptionally(e -> {
+            log.error("{} Error mutual verify", ctx.channel(), e);
+            close(e);
+            return null;
+        });
+    }
 }

pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java

@@ -37,6 +37,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.RejectedExecutionException;
 import java.util.concurrent.ThreadLocalRandom;
 import java.util.concurrent.TimeUnit;
@@ -45,6 +46,7 @@
 import javax.naming.AuthenticationException;
 import javax.net.ssl.SSLSession;
 import lombok.Getter;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.pulsar.broker.PulsarServerException;
 import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
 import org.apache.pulsar.broker.authentication.AuthenticationProvider;
@@ -78,6 +80,7 @@
  * Handles incoming discovery request from client and sends appropriate response back to client.
  *
  */
+@Slf4j
 public class ProxyConnection extends PulsarHandler {
     private static final Logger LOG = LoggerFactory.getLogger(ProxyConnection.class);
     // ConnectionPool is used by the proxy to issue lookup requests
@@ -97,6 +100,7 @@ public class ProxyConnection extends PulsarHandler {
     String clientAuthRole;
     AuthData clientAuthData;
     String clientAuthMethod;
+    private CompletableFuture<AuthData> refreshAuthFuture;
 
     private String authMethod = "none";
     AuthenticationProvider authenticationProvider;
@@ -316,12 +320,12 @@ private synchronized void completeConnect(AuthData clientData) throws PulsarClie
                 this.clientAuthData = clientData;
                 this.clientAuthMethod = authMethod;
             }
-            clientCnxSupplier =
-                    () -> new ProxyClientCnx(clientConf, service.getWorkerGroup(), clientAuthRole, clientAuthData,
-                            clientAuthMethod, protocolVersionToAdvertise);
+            clientCnxSupplier = () -> new ProxyClientCnx(clientConf, service.getWorkerGroup(), clientAuthRole,
+                    this::getOrRefreshOriginalClientAuthData,
+                    clientAuthMethod, protocolVersionToAdvertise,
+                    service.getConfiguration().isForwardAuthorizationCredentials());
         } else {
-            clientCnxSupplier =
-                    () -> new ClientCnx(clientConf, service.getWorkerGroup(), protocolVersionToAdvertise);
+            clientCnxSupplier = () -> new ClientCnx(clientConf, service.getWorkerGroup(), protocolVersionToAdvertise);
         }
 
         if (this.connectionPool == null) {
@@ -428,11 +432,17 @@ private void doAuthentication(AuthData clientData) throws Exception {
         // authentication has completed, will send newConnected command.
         if (authState.isComplete()) {
             clientAuthRole = authState.getAuthRole();
+            clientAuthData = clientData;
             if (LOG.isDebugEnabled()) {
                 LOG.debug("[{}] Client successfully authenticated with {} role {}",
-                    remoteAddress, authMethod, clientAuthRole);
+                        remoteAddress, authMethod, clientAuthRole);
+            }
+            if (refreshAuthFuture != null) {
+                refreshAuthFuture.complete(clientData);
+                refreshAuthFuture = null;
+            } else {
+                completeConnect(clientData);
             }
-            completeConnect(clientData);
             return;
         }
 
@@ -523,7 +533,9 @@ remoteAddress, protocolVersionToAdvertise, getRemoteEndpointProtocolVersion(),
 
     @Override
     protected void handleAuthResponse(CommandAuthResponse authResponse) {
-        checkArgument(state == State.Connecting);
+        if (refreshAuthFuture == null) {
+            checkArgument(state == State.Connecting);
+        }
         checkArgument(authResponse.hasResponse());
         checkArgument(authResponse.getResponse().hasAuthData() && authResponse.getResponse().hasAuthMethodName());
 
@@ -543,6 +555,45 @@ protected void handleAuthResponse(CommandAuthResponse authResponse) {
         }
     }
 
+    private CompletableFuture<AuthData> getOrRefreshOriginalClientAuthData(boolean isRefresh) {
+        if (!isRefresh) {
+            return CompletableFuture.completedFuture(clientAuthData);
+        }
+
+        if (refreshAuthFuture != null && !refreshAuthFuture.isDone()) {
+            log.error("{} Mutual auth timeout", ctx.channel());
+            ctx.close();
+            return CompletableFuture.failedFuture(new AuthenticationException("Mutual auth timeout"));
+        }
+
+        refreshAuthFuture = new CompletableFuture<>();
+        try {
+            AuthData refreshAuthData = authState.refreshAuthentication();
+            ctx.writeAndFlush(Commands.newAuthChallenge(clientAuthMethod, refreshAuthData, protocolVersionToAdvertise))
+                    .addListener(writeFuture -> {
+                        if (writeFuture.isSuccess()) {
+                            if (LOG.isDebugEnabled()) {
+                                LOG.debug("{} Sent auth challenge to client to refresh credentials with method: {}",
+                                        ctx.channel(), clientAuthMethod);
+                            }
+                        } else {
+                            LOG.error("{} Failed to send request for mutual auth to client", ctx.channel(),
+                                    writeFuture.cause());
+                            refreshAuthFuture.completeExceptionally(writeFuture.cause());
+                            ctx.close();
+                        }
+                    });
+        } catch (AuthenticationException e) {
+            log.error("{} Failed to refresh authentication", ctx.channel(), e);
+            ctx.writeAndFlush(
+                            Commands.newError(-1, ServerError.AuthenticationError, "Failed to refresh authentication"))
+                    .addListener(ChannelFutureListener.CLOSE);
+            refreshAuthFuture.completeExceptionally(e);
+        }
+
+        return refreshAuthFuture;
+    }
+
     @Override
     protected void handlePartitionMetadataRequest(CommandPartitionedTopicMetadata partitionMetadata) {
         checkArgument(state == State.ProxyLookupRequests);