Example 6 with InvalidTokenException

Use of io.pravega.auth.InvalidTokenException in project pravega by pravega.

In class TokenVerifierImpl, method verifyToken.

@Override
public JsonWebToken verifyToken(@NonNull String resource, String token,
                                @NonNull AuthHandler.Permissions expectedLevel)
        throws TokenExpiredException, InvalidTokenException, InvalidClaimException, TokenException {
    if (Strings.isNullOrEmpty(token)) {
        throw new InvalidTokenException("Token is null or empty");
    }
    // All key value pairs inside the payload are returned, including standard fields such as sub (for subject),
    // aud (for audience), iat, exp, as well as custom fields of the form "<resource> -> <permission>" set by
    // Pravega.
    JsonWebToken jwt = JwtParser.parse(token, tokenSigningKey);
    Map<String, Object> permissionsByResource = jwt.getPermissionsByResource();
    // Accept the first claim whose key matches the resource and whose granted permission is at
    // least the expected level (enum compareTo follows declaration order).
    Optional<Map.Entry<String, Object>> matchingClaim = permissionsByResource.entrySet().stream()
            .filter(entry -> resourceMatchesClaimKey(entry.getKey(), resource)
                    && expectedLevel.compareTo(AuthHandler.Permissions.valueOf(entry.getValue().toString())) <= 0)
            .findFirst();
    if (!matchingClaim.isPresent()) {
        log.debug(String.format("No matching claim found for resource [%s] and permission [%s] in token.", resource, expectedLevel));
        throw new InvalidClaimException(String.format("No matching claim found for resource: [%s] and permission: [%s] in the delegation token.", resource, expectedLevel));
    }
    return jwt;
}
Also used : InvalidClaimException(io.pravega.auth.InvalidClaimException) TokenExpiredException(io.pravega.auth.TokenExpiredException) NonNull(lombok.NonNull) AuthHandler(io.pravega.auth.AuthHandler) Exceptions(io.pravega.common.Exceptions) JsonWebToken(io.pravega.shared.security.token.JsonWebToken) Strings(com.google.common.base.Strings) Slf4j(lombok.extern.slf4j.Slf4j) JwtParser(io.pravega.shared.security.token.JwtParser) InvalidTokenException(io.pravega.auth.InvalidTokenException) Map(java.util.Map) TokenException(io.pravega.auth.TokenException) Optional(java.util.Optional) VisibleForTesting(com.google.common.annotations.VisibleForTesting) Pattern(java.util.regex.Pattern)

Example 7 with InvalidTokenException

Use of io.pravega.auth.InvalidTokenException in project pravega by pravega.

In class JwtParser, method parse.

public static JsonWebToken parse(String token, byte[] signingKey) {
    Claims claims = parseClaims(token, signingKey);
    if (claims == null) {
        throw new InvalidTokenException("Token has no claims.");
    }
    // Copy every claim except those listed in CLAIMS_TO_FILTER into the permissions map.
    final Map<String, Object> permissionsByResource = new HashMap<>();
    claims.entrySet().forEach(entry -> {
        if (!CLAIMS_TO_FILTER.contains(entry.getKey())) {
            permissionsByResource.put(entry.getKey(), entry.getValue());
        }
    });
    return new JsonWebToken(claims.getSubject(), claims.getAudience(), signingKey,
            claims.getExpiration(), permissionsByResource);
}
Also used : InvalidTokenException(io.pravega.auth.InvalidTokenException) Claims(io.jsonwebtoken.Claims) HashMap(java.util.HashMap)

Example 8 with InvalidTokenException

Use of io.pravega.auth.InvalidTokenException in project pravega by pravega.

In class AdminRequestProcessorAuthFailedTest, method setUp.

@Before
public void setUp() throws Exception {
    StreamSegmentStore store = mock(StreamSegmentStore.class);
    connection = mock(ServerConnection.class);
    processor = new AdminRequestProcessorImpl(store, mock(TableStore.class), new TrackedConnection(connection),
            SegmentStatsRecorder.noOp(), TableSegmentStatsRecorder.noOp(),
            (resource, token, expectedLevel) -> {
                throw new InvalidTokenException("Token verification failed.");
            }, false);
}
Also used : TOKEN_CHECK_FAILED(io.pravega.shared.protocol.netty.WireCommands.AuthTokenCheckFailed.ErrorCode.TOKEN_CHECK_FAILED) TableStore(io.pravega.segmentstore.contracts.tables.TableStore) Test(org.junit.Test) WireCommands(io.pravega.shared.protocol.netty.WireCommands) TableSegmentStatsRecorder(io.pravega.segmentstore.server.host.stat.TableSegmentStatsRecorder) Mockito.verify(org.mockito.Mockito.verify) InvalidTokenException(io.pravega.auth.InvalidTokenException) After(org.junit.After) SegmentStatsRecorder(io.pravega.segmentstore.server.host.stat.SegmentStatsRecorder) AdminRequestProcessor(io.pravega.shared.protocol.netty.AdminRequestProcessor) StreamSegmentStore(io.pravega.segmentstore.contracts.StreamSegmentStore) Before(org.junit.Before) Mockito.mock(org.mockito.Mockito.mock)

Example 9 with InvalidTokenException

Use of io.pravega.auth.InvalidTokenException in project pravega by pravega.

In class AppendProcessorAuthFailedTest, method setUp.

@Before
public void setUp() throws Exception {
    StreamSegmentStore store = mock(StreamSegmentStore.class);
    connection = mock(ServerConnection.class);
    processor = AppendProcessor.defaultBuilder()
            .store(store)
            .connection(new TrackedConnection(connection))
            .tokenVerifier((resource, token, expectedLevel) -> {
                throw new InvalidTokenException("Token verification failed.");
            })
            .build();
}
Also used : StreamSegmentStore(io.pravega.segmentstore.contracts.StreamSegmentStore) InvalidTokenException(io.pravega.auth.InvalidTokenException) Before(org.junit.Before)
