-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: respect authentication.skip.paths properly #9224
Changes from 2 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
/* | ||
* Copyright 2020 Confluent Inc. | ||
* | ||
* Licensed under the Confluent Community License (the "License"; you may not use | ||
* this file except in compliance with the License. You may obtain a copy of the | ||
* License at | ||
* | ||
* http://www.confluent.io/confluent-community-license | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
* WARRANTIES OF ANY KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations under the License. | ||
*/ | ||
|
||
package io.confluent.ksql.api.auth; | ||
|
||
import static org.hamcrest.MatcherAssert.assertThat; | ||
import static org.hamcrest.Matchers.is; | ||
|
||
import com.google.common.collect.ImmutableList; | ||
import java.util.List; | ||
import java.util.regex.Pattern; | ||
import org.junit.Test; | ||
|
||
public class AuthenticationPluginHandlerTest { | ||
|
||
@Test | ||
public void shouldBuildRegexThatRespectsSkipPaths() { | ||
// Given: | ||
final List<String> configs = ImmutableList.of("/heartbeat", "/lag"); | ||
|
||
// When: | ||
final Pattern skips = AuthenticationPluginHandler.getAuthorizationSkipPaths(configs); | ||
|
||
// Then: | ||
assertThat(skips.matcher("/heartbeat").matches(), is(true)); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why not also verify for There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
that doesn't add any coverage, I'm ensuring that what is added in the config is able to skip
Sure I'll add a negative test There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
I cannot follow. Why does verifying for There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. adding There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The additional verification would check that the code works for all entries in the config. The code could not consider the other entry. Unit test should not only test the current code but they should also ensure that future refactorings of the code do not change the intended behavior. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I suppose I can see your point :) I'll add it in. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||
} | ||
|
||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
/* | ||
* Copyright 2020 Confluent Inc. | ||
* | ||
* Licensed under the Confluent Community License (the "License"; you may not use | ||
* this file except in compliance with the License. You may obtain a copy of the | ||
* License at | ||
* | ||
* http://www.confluent.io/confluent-community-license | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
* WARRANTIES OF ANY KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations under the License. | ||
*/ | ||
|
||
package io.confluent.ksql.api.auth; | ||
|
||
import com.google.common.collect.ImmutableList; | ||
import com.google.common.collect.ImmutableMap; | ||
import io.confluent.ksql.api.server.Server; | ||
import io.confluent.ksql.rest.server.KsqlRestConfig; | ||
import io.confluent.ksql.security.KsqlAuthorizationProvider; | ||
import io.vertx.core.WorkerExecutor; | ||
import io.vertx.ext.web.RoutingContext; | ||
import org.junit.Test; | ||
import org.junit.runner.RunWith; | ||
import org.mockito.Mock; | ||
import org.mockito.Mockito; | ||
import org.mockito.junit.MockitoJUnitRunner; | ||
|
||
@RunWith(MockitoJUnitRunner.class) | ||
public class KsqlAuthorizationProviderHandlerTest { | ||
|
||
@Mock | ||
private Server server; | ||
@Mock | ||
private KsqlAuthorizationProvider authProvider; | ||
@Mock | ||
private WorkerExecutor workerExecutor; | ||
@Mock | ||
private RoutingContext routingContext; | ||
|
||
@Test | ||
public void shouldRespectServerAuthSkipPathsConfig() { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could you also add a case where authentication is not skipped? |
||
// Given: | ||
Mockito.when(server.getWorkerExecutor()).thenReturn(workerExecutor); | ||
Mockito.when(server.getConfig()).thenReturn(new KsqlRestConfig( | ||
ImmutableMap.of( | ||
KsqlRestConfig.AUTHENTICATION_SKIP_PATHS_CONFIG, | ||
ImmutableList.of("/heartbeat") | ||
) | ||
)); | ||
Mockito.when(routingContext.normalisedPath()).thenReturn("/heartbeat"); | ||
KsqlAuthorizationProviderHandler handler = new KsqlAuthorizationProviderHandler(server, authProvider); | ||
|
||
// When: | ||
handler.handle(routingContext); | ||
|
||
// Then (make sure the authorization "work" is skipped): | ||
Mockito.verify(routingContext).next(); | ||
Mockito.verifyZeroInteractions(workerExecutor); | ||
} | ||
|
||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh wow, so AUTHENTICATION_SKIP_PATHS_CONFIG was not taken into account at all before.