
Example 46 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi-kafka-operator by strimzi.

the class KafkaCluster method getVolumeMounts.

/**
 * Builds the volume mounts for the Kafka broker container.
 *
 * Unconditional mounts: the data volume(s) derived from {@code storage} at {@code mountPath},
 * the temp dir, the cluster CA certs, the broker certs, the clients CA certs, the
 * logging/metrics config and the "ready-files" volume at {@code /var/opt/kafka}.
 *
 * Conditional mounts: the init-container volume (only with rack awareness or node-port
 * exposure), per-listener mounts (custom broker cert chain and key, OAuth trusted CA certs,
 * custom-authentication secrets) and the Keycloak authorization trusted CA certs.
 *
 * The per-listener mount paths embed {@code ListenersUtils.identifier(listener)}; the volumes
 * these mounts reference are presumably created by the matching volume-building method of this
 * class -- keep the naming in sync if either side changes.
 *
 * @return a new, mutable list of mounts in the order described above
 */
private List<VolumeMount> getVolumeMounts() {
    final List<VolumeMount> mounts = new ArrayList<>(VolumeUtils.createVolumeMounts(storage, mountPath, false));

    mounts.add(createTempDirVolumeMount());
    // TLS material: cluster CA (for trusting other cluster components), the broker's own
    // cert/key, and the clients CA (for verifying mTLS clients).
    mounts.add(VolumeUtils.createVolumeMount(CLUSTER_CA_CERTS_VOLUME, CLUSTER_CA_CERTS_VOLUME_MOUNT));
    mounts.add(VolumeUtils.createVolumeMount(BROKER_CERTS_VOLUME, BROKER_CERTS_VOLUME_MOUNT));
    mounts.add(VolumeUtils.createVolumeMount(CLIENT_CA_CERTS_VOLUME, CLIENT_CA_CERTS_VOLUME_MOUNT));
    mounts.add(VolumeUtils.createVolumeMount(logAndMetricsConfigVolumeName, logAndMetricsConfigMountPath));
    mounts.add(VolumeUtils.createVolumeMount("ready-files", "/var/opt/kafka"));

    // The init container writes into this volume only when rack awareness or node-port
    // addresses have to be discovered, so it is mounted only in those cases.
    final boolean needsInitVolume = rack != null || isExposedWithNodePort();
    if (needsInitVolume) {
        mounts.add(VolumeUtils.createVolumeMount(INIT_VOLUME_NAME, INIT_VOLUME_MOUNT));
    }

    for (final GenericKafkaListener listener : listeners) {
        addPerListenerVolumeMounts(mounts, listener);
    }

    // Keycloak authorization may need extra trusted CAs to reach the Keycloak server.
    if (authorization instanceof KafkaAuthorizationKeycloak) {
        final KafkaAuthorizationKeycloak keycloakAuthz = (KafkaAuthorizationKeycloak) authorization;
        mounts.addAll(AuthenticationUtils.configureOauthCertificateVolumeMounts("authz-keycloak",
                keycloakAuthz.getTlsTrustedCertificates(),
                OAUTH_TRUSTED_CERTS_BASE_VOLUME_MOUNT + "/authz-keycloak-certs"));
    }

    return mounts;
}

/**
 * Appends the mounts that depend on a single listener's configuration: a custom broker
 * certificate (TLS listener with {@code brokerCertChainAndKey}), OAuth trusted CA certs and
 * custom-authentication secrets. All names/paths are derived from the listener identifier.
 *
 * @param mounts   the list to append to
 * @param listener the listener whose configuration is inspected
 */
private void addPerListenerVolumeMounts(final List<VolumeMount> mounts, final GenericKafkaListener listener) {
    final String identifier = ListenersUtils.identifier(listener);

    final boolean hasCustomBrokerCert = listener.isTls()
            && listener.getConfiguration() != null
            && listener.getConfiguration().getBrokerCertChainAndKey() != null;
    if (hasCustomBrokerCert) {
        final String customCertsVolume = "custom-" + identifier + "-certs";
        mounts.add(VolumeUtils.createVolumeMount(customCertsVolume, "/opt/kafka/certificates/" + customCertsVolume));
    }

    if (isListenerWithOAuth(listener)) {
        final KafkaListenerAuthenticationOAuth oauth = (KafkaListenerAuthenticationOAuth) listener.getAuth();
        final String oauthVolumePrefix = "oauth-" + identifier;
        mounts.addAll(AuthenticationUtils.configureOauthCertificateVolumeMounts(oauthVolumePrefix,
                oauth.getTlsTrustedCertificates(),
                OAUTH_TRUSTED_CERTS_BASE_VOLUME_MOUNT + "/" + oauthVolumePrefix + "-certs"));
    }

    if (isListenerWithCustomAuth(listener)) {
        final KafkaListenerAuthenticationCustom custom = (KafkaListenerAuthenticationCustom) listener.getAuth();
        final String customAuthVolumePrefix = "custom-listener-" + identifier;
        mounts.addAll(AuthenticationUtils.configureGenericSecretVolumeMounts(customAuthVolumePrefix,
                custom.getSecrets(),
                CUSTOM_AUTHN_SECRETS_VOLUME_MOUNT + "/" + customAuthVolumePrefix));
    }
}

Example 47 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi-kafka-operator by strimzi.

the class OauthScopeIsolatedST method testClientScopeKafkaSetIncorrectly.

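/**
 * Verifies that a client cannot produce to the scope listener when the listener's OAuth
 * {@code clientScope} is cleared.
 *
 * The listener requires scope {@code test} in the JWT. Clearing {@code clientScope} means the
 * broker obtains tokens (from the clientId/secret the client passes via SASL/PLAIN) without the
 * scope claim, so the producer is expected to time out rather than deliver messages.
 *
 * This test mutates the shared {@code oauthClusterName} cluster; the original configuration
 * ({@code clientScope=test}) is restored in a {@code finally} block so that a failure in the
 * verification phase does not leave the cluster misconfigured for the following tests.
 * (If both the verification and the rollback fail, the rollback exception is the one reported.)
 *
 * @param extensionContext JUnit context used to resolve the per-test cluster and topic names
 * @throws UnexpectedException propagated from the client utilities
 */
@IsolatedTest("Modification of shared Kafka cluster")
void testClientScopeKafkaSetIncorrectly(ExtensionContext extensionContext) throws UnexpectedException {
    final String namespace = clusterOperator.getDeploymentNamespace();
    final String clusterName = mapWithClusterNames.get(extensionContext.getDisplayName());
    final String producerName = OAUTH_PRODUCER_NAME + "-" + clusterName;
    final String consumerName = OAUTH_CONSUMER_NAME + "-" + clusterName;
    final String topicName = mapWithTestTopics.get(extensionContext.getDisplayName());
    final LabelSelector kafkaSelector = KafkaResource.getLabelSelector(oauthClusterName, KafkaResources.kafkaStatefulSetName(oauthClusterName));

    final KafkaClients oauthInternalClientChecksJob = new KafkaClientsBuilder()
            .withNamespaceName(namespace)
            .withProducerName(producerName)
            .withConsumerName(consumerName)
            .withBootstrapAddress(KafkaResources.bootstrapServiceName(oauthClusterName) + ":" + scopeListenerPort)
            .withTopicName(topicName)
            .withMessageCount(MESSAGE_COUNT)
            .withAdditionalConfig(additionalOauthConfig)
            .build();

    Map<String, String> kafkaPods = PodUtils.podSnapshot(namespace, kafkaSelector);

    // Phase 1: clear clientScope on the scope listener and wait for the brokers to roll.
    setScopeListenerClientScope(null);
    kafkaPods = RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(namespace, kafkaSelector, 3, kafkaPods);

    try {
        // Phase 2: the producer must fail -- the listener still requires scope 'test' in the JWT,
        // but tokens are now obtained without the scope claim.
        resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(oauthClusterName, topicName, namespace).build());
        resourceManager.createResource(extensionContext, oauthInternalClientChecksJob.producerStrimzi());
        ClientUtils.waitForClientTimeout(producerName, namespace, MESSAGE_COUNT);
        JobUtils.deleteJobWithWait(namespace, producerName);
    } finally {
        // Phase 3: restore clientScope 'test' regardless of the outcome; the cluster is shared.
        setScopeListenerClientScope("test");
        RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(namespace, kafkaSelector, 3, kafkaPods);
    }
}

/**
 * Sets {@code clientScope} on the OAuth authentication of the listener named
 * {@code scopeListener} in the shared {@code oauthClusterName} Kafka resource.
 *
 * The listener object is mutated in place. The objects returned by {@code getListeners()} are
 * the ones the spec holds (the previous version of this code relied on the same thing), so no
 * write-back into the list is needed. The earlier {@code set(0, ...)} write-back was a latent
 * bug: whenever the scope listener was not the first listener, it replaced listener 0 with a
 * second copy of the scope listener.
 *
 * @param clientScope the scope to request when obtaining tokens, or {@code null} to clear it
 * @throws IllegalStateException if no listener named {@code scopeListener} exists, or it is not
 *                               configured with OAuth authentication
 */
private void setScopeListenerClientScope(final String clientScope) {
    KafkaResource.replaceKafkaResourceInSpecificNamespace(oauthClusterName, kafka -> {
        final GenericKafkaListener listener = kafka.getSpec().getKafka().getListeners().stream()
                .filter(l -> l.getName().equals(scopeListener))
                .findFirst()
                .orElseThrow(() -> new IllegalStateException(
                        "Listener '" + scopeListener + "' not found in Kafka '" + oauthClusterName + "'"));
        if (!(listener.getAuth() instanceof KafkaListenerAuthenticationOAuth)) {
            throw new IllegalStateException(
                    "Listener '" + scopeListener + "' is not configured with OAuth authentication");
        }
        ((KafkaListenerAuthenticationOAuth) listener.getAuth()).setClientScope(clientScope);
    }, clusterOperator.getDeploymentNamespace());
}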

Example 48 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi-kafka-operator by strimzi.

the class KafkaClusterOAuthValidationTest method testOAuthValidationWithOAuthWithIntrospectionWithNoTypeCheck.

/**
 * An OAuth listener that validates tokens via an introspection endpoint but switches off the
 * access-token type check ({@code checkAccessTokenType=false}) must be rejected by
 * {@code ListenersValidator} with an {@code InvalidResourceException}.
 *
 * The exact rule is not visible here -- presumably disabling the type check is only meaningful
 * for locally validated (JWKS) tokens. The plain-http URIs are test fixtures only.
 */
@ParallelTest
public void testOAuthValidationWithOAuthWithIntrospectionWithNoTypeCheck() {
    assertThrows(InvalidResourceException.class, () -> {
        final KafkaListenerAuthenticationOAuth introspectionNoTypeCheck = new KafkaListenerAuthenticationOAuthBuilder()
                .withValidIssuerUri("http://valid-issuer")
                .withClientId("my-kafka-id")
                .withNewClientSecret()
                    .withSecretName("my-secret-secret")
                    .withKey("my-secret-key")
                .endClientSecret()
                .withIntrospectionEndpointUri("http://introspection-endpoint")
                .withCheckAccessTokenType(false)
                .build();
        ListenersValidator.validate(Reconciliation.DUMMY_RECONCILIATION, 3, getListeners(introspectionNoTypeCheck));
    });
}

Example 49 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi-kafka-operator by strimzi.

the class KafkaClusterOAuthValidationTest method testOAuthValidationMissingValidIssuerUri.

/**
 * An OAuth listener configured with an introspection endpoint, clientId and clientSecret but
 * no {@code validIssuerUri} must be rejected by {@code ListenersValidator}.
 *
 * The issuer check is what ties accepted tokens to the intended authorization server; whether
 * the validator allows omitting it under some other setting is not visible here. The plain-http
 * URI is a test fixture only.
 */
@ParallelTest
public void testOAuthValidationMissingValidIssuerUri() {
    assertThrows(InvalidResourceException.class, () -> {
        final KafkaListenerAuthenticationOAuth withoutIssuer = new KafkaListenerAuthenticationOAuthBuilder()
                .withClientId("my-client-id")
                .withIntrospectionEndpointUri("http://introspection")
                .withNewClientSecret()
                    .withSecretName("my-secret-secret")
                    .withKey("my-secret-key")
                .endClientSecret()
                .build();
        ListenersValidator.validate(Reconciliation.DUMMY_RECONCILIATION, 3, getListeners(withoutIssuer));
    });
}

Example 50 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi-kafka-operator by strimzi.

the class KafkaClusterOAuthValidationTest method testOAuthValidationIntrospectionEndpointUriWithoutClientId.

/**
 * An OAuth listener with an introspection endpoint and a clientSecret but no {@code clientId}
 * must be rejected by {@code ListenersValidator}.
 *
 * The broker authenticates to the introspection endpoint as an OAuth client; a secret without
 * an id is not a usable credential. The plain-http URI is a test fixture only.
 */
@ParallelTest
public void testOAuthValidationIntrospectionEndpointUriWithoutClientId() {
    assertThrows(InvalidResourceException.class, () -> {
        final KafkaListenerAuthenticationOAuth secretWithoutClientId = new KafkaListenerAuthenticationOAuthBuilder()
                .withIntrospectionEndpointUri("http://introspection")
                .withNewClientSecret()
                    .withSecretName("my-secret-secret")
                    .withKey("my-secret-key")
                .endClientSecret()
                .build();
        ListenersValidator.validate(Reconciliation.DUMMY_RECONCILIATION, 3, getListeners(secretWithoutClientId));
    });
}
