Fixing cross domain component for dedicated server connection. (#81)

* Fixing cross domain component for dedicated server connection.

Co-authored-by: Rahul Rane <[email protected]>

zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/znode/groupacl/X509ZNodeGroupAclProvider.java

@@ -19,8 +19,10 @@
 package org.apache.zookeeper.server.auth.znode.groupacl;
 
 import java.util.Collections;
+import java.util.stream.Collectors;
 import java.util.HashSet;
 import java.util.Set;
+import java.util.List;
 import javax.net.ssl.X509KeyManager;
 import javax.net.ssl.X509TrustManager;
 import javax.security.auth.x500.X500Principal;
@@ -216,9 +218,19 @@ private void assignAuthInfo(ServerCnxn cnxn, String clientId, Set<String> domain
     String superUser = X509AuthenticationConfig.getInstance().getZnodeGroupAclSuperUserId();
 
     Set<Id> newAuthIds = new HashSet<>();
+
+    // Find interesecting super user domains/cross domains from provided domains list
+    List<String> commonSuperUserDomains =
+        superUserDomainNames.stream().filter(domains::contains).collect(Collectors.toList());
+
     // Check if user belongs to super user group
     if (clientId.equals(superUser)) {
       newAuthIds.add(new Id(X509AuthenticationUtil.SUPERUSER_AUTH_SCHEME, clientId));
+    } else if (!commonSuperUserDomains.isEmpty()) {
+      // For cross domain components, add (super:domainName) in authInfo
+      // "super" scheme gives access to all znodes without checking znode ACL vs authorized domain name
+      commonSuperUserDomains.stream().forEach(d ->
+          newAuthIds.add(new Id(X509AuthenticationUtil.SUPERUSER_AUTH_SCHEME, d)));
     } else if (X509AuthenticationConfig.getInstance().isZnodeGroupAclDedicatedServerEnabled()) {
       // If connection filtering feature is turned on, use connection filtering instead of normal authorization
       String serverNamespace = X509AuthenticationConfig.getInstance().getZnodeGroupAclServerDedicatedDomain();
@@ -235,16 +247,8 @@ private void assignAuthInfo(ServerCnxn cnxn, String clientId, Set<String> domain
         cnxn.close(ServerCnxn.DisconnectReason.SSL_AUTH_FAILURE);
       }
     } else {
-      domains.forEach(d -> {
-        // For cross domain components, add (super:domainName) in authInfo
-        // "super" scheme gives access to all znodes without checking znode ACL vs authorized domain name
-        if (superUserDomainNames.contains(d)) {
-          newAuthIds.add(new Id(X509AuthenticationUtil.SUPERUSER_AUTH_SCHEME, d));
-        } else {
-          // For other cases, add (x509:domainName) in authInfo
-          newAuthIds.add(new Id(getScheme(), d));
-        }
-      });
+      // For other cases, add (x509:domainName) in authInfo
+      domains.stream().forEach(d -> newAuthIds.add(new Id(getScheme(), d)));
     }
 
     // Update the existing connection AuthInfo accordingly.

zookeeper-server/src/test/java/org/apache/zookeeper/server/auth/znode/groupacl/X509ZNodeGroupAclProviderTest.java

@@ -60,7 +60,7 @@ public class X509ZNodeGroupAclProviderTest extends ZKTestCase {
   private TestNIOServerCnxnFactory serverCnxnFactory;
   private ZooKeeper admin;
   private static final String AUTH_PROVIDER_PROPERTY_NAME = "zookeeper.authProvider.x509";
-  private static final String CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH = "/_CLIENT_URI_DOMAIN_MAPPING";
+  private static final String CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH = "/zookeeper/uri-domain-map";
   private static final String[] MAPPING_PATHS = {CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH,
       CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH + "/CrossDomain",
       CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH + "/CrossDomain/CrossDomainUser",
@@ -264,6 +264,17 @@ public void testConnectionFiltering() {
     Assert.assertEquals("super", authInfo.get(0).getScheme());
     Assert.assertEquals("SuperUser", authInfo.get(0).getId());
     System.clearProperty(X509AuthenticationConfig.DEDICATED_DOMAIN);
+
+    // Cross domain components
+    provider = createProvider(crossDomainCert);
+    cnxn = new MockServerCnxn();
+    cnxn.clientChain = new X509Certificate[]{crossDomainCert};
+    Assert.assertEquals(KeeperException.Code.OK, provider
+        .handleAuthentication(new ServerAuthenticationProvider.ServerObjs(zks, cnxn), new byte[0]));
+    authInfo = cnxn.getAuthInfo();
+    Assert.assertEquals(1, authInfo.size());
+    Assert.assertEquals("super", authInfo.get(0).getScheme());
+    Assert.assertEquals("CrossDomain", authInfo.get(0).getId());
   }
 
   private X509ZNodeGroupAclProvider createProvider(X509Certificate trustedCert) {

zookeeper-server/src/test/java/org/apache/zookeeper/server/auth/znode/groupacl/ZkClientUriDomainMappingHelperTest.java

@@ -49,7 +49,7 @@ public class ZkClientUriDomainMappingHelperTest extends ZKTestCase {
   private static final Logger LOG =
       LoggerFactory.getLogger(ZkClientUriDomainMappingHelperTest.class);
   private static final String HOSTPORT = "127.0.0.1:" + PortAssignment.unique();
-  private static final String CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH = "/_CLIENT_URI_DOMAIN_MAPPING";
+  private static final String CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH = "/zookeeper/uri-domain-map";
   private static final int CONNECTION_TIMEOUT = 300000;
   private static final String[] MAPPING_PATHS = {
       CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH,
@@ -108,16 +108,6 @@ public void cleanUp() throws InterruptedException, IOException, KeeperException
         ClientBase.waitForServerDown(HOSTPORT, CONNECTION_TIMEOUT));
   }
 
-  /**
-   * Mapping root path hasn't been created - should create the node automatically
-   */
-  @Test
-  public void testA_ZkClientUriDomainMappingHelper() {
-    new ZkClientUriDomainMappingHelper(zookeeperServer);
-    Assert.assertNotNull(
-        zookeeperServer.getZKDatabase().getNode(CLIENT_URI_DOMAIN_MAPPING_ROOT_PATH));
-  }
-
   /**
    * Create a dummy mapping and verify that the helper correctly updates changes to the mapping
    * stored in ZNodes.