Examples with KafkaListenerAuthenticationOAuth io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth used on opensource projects

Search in sources :

Example 41 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi by strimzi.

the class KafkaClusterOAuthValidationTest method testOAuthValidationWithReadTimeout.

@ParallelTest
public void testOAuthValidationWithReadTimeout() {
    assertThrows(InvalidResourceException.class, () -> {
        KafkaListenerAuthenticationOAuth auth = new KafkaListenerAuthenticationOAuthBuilder().withValidIssuerUri("http://valid-issuer").withJwksEndpointUri("http://jwks-endpoint").withReadTimeoutSeconds(0).build();
        ListenersValidator.validate(Reconciliation.DUMMY_RECONCILIATION, 3, getListeners(auth));
    });
}
Also used : KafkaListenerAuthenticationOAuth(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth) KafkaListenerAuthenticationOAuthBuilder(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuthBuilder) ParallelTest(io.strimzi.test.annotations.ParallelTest)

Example 42 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi by strimzi.

the class KafkaClusterOAuthValidationTest method testOAuthValidationWithIntrospectionMinimalPlain.

@ParallelTest
public void testOAuthValidationWithIntrospectionMinimalPlain() {
    KafkaListenerAuthenticationOAuth auth = new KafkaListenerAuthenticationOAuthBuilder().withClientId("my-client-id").withValidIssuerUri("http://valid-issuer").withIntrospectionEndpointUri("http://introspection").withNewClientSecret().withSecretName("my-secret-secret").withKey("my-secret-key").endClientSecret().build();
    ListenersValidator.validate(Reconciliation.DUMMY_RECONCILIATION, 3, getListeners(auth));
}
Also used : KafkaListenerAuthenticationOAuth(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth) KafkaListenerAuthenticationOAuthBuilder(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuthBuilder) ParallelTest(io.strimzi.test.annotations.ParallelTest)

Example 43 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi by strimzi.

the class KafkaClusterOAuthValidationTest method testOAuthValidationWithJwksExpiryAndIntrospection.

@ParallelTest
public void testOAuthValidationWithJwksExpiryAndIntrospection() {
    assertThrows(InvalidResourceException.class, () -> {
        KafkaListenerAuthenticationOAuth auth = new KafkaListenerAuthenticationOAuthBuilder().withClientId("my-client-id").withValidIssuerUri("http://valid-issuer").withIntrospectionEndpointUri("http://introspection").withJwksExpirySeconds(120).withNewClientSecret().withSecretName("my-secret-secret").withKey("my-secret-key").endClientSecret().build();
        ListenersValidator.validate(Reconciliation.DUMMY_RECONCILIATION, 3, getListeners(auth));
    });
}
Also used : KafkaListenerAuthenticationOAuth(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth) KafkaListenerAuthenticationOAuthBuilder(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuthBuilder) ParallelTest(io.strimzi.test.annotations.ParallelTest)

Example 44 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi by strimzi.

the class KafkaClusterOAuthValidationTest method testOAuthValidationWithReauthAndIntrospection.

@ParallelTest
public void testOAuthValidationWithReauthAndIntrospection() {
    KafkaListenerAuthenticationOAuth auth = new KafkaListenerAuthenticationOAuthBuilder().withClientId("my-client-id").withValidIssuerUri("http://valid-issuer").withIntrospectionEndpointUri("http://introspection").withMaxSecondsWithoutReauthentication(1800).withNewClientSecret().withSecretName("my-secret-secret").withKey("my-secret-key").endClientSecret().build();
    ListenersValidator.validate(Reconciliation.DUMMY_RECONCILIATION, 3, getListeners(auth));
}
Also used : KafkaListenerAuthenticationOAuth(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth) KafkaListenerAuthenticationOAuthBuilder(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuthBuilder) ParallelTest(io.strimzi.test.annotations.ParallelTest)

Example 45 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi-kafka-operator by strimzi.

the class ListenersValidator method validateOauth.

/**
 * Validates provided OAuth configuration. Throws InvalidResourceException when OAuth configuration contains forbidden combinations.
 *
 * @param errors    List where any found errors will be added
 * @param listener  The listener where OAuth authentication should be validated
 */
@SuppressWarnings({ "checkstyle:BooleanExpressionComplexity", "checkstyle:NPathComplexity", "checkstyle:CyclomaticComplexity" })
private static void validateOauth(Set<String> errors, GenericKafkaListener listener) {
    if (isListenerWithOAuth(listener)) {
        KafkaListenerAuthenticationOAuth oAuth = (KafkaListenerAuthenticationOAuth) listener.getAuth();
        String listenerName = listener.getName();
        if (!oAuth.isEnablePlain() && !oAuth.isEnableOauthBearer()) {
            errors.add("listener " + listenerName + ": At least one of 'enablePlain', 'enableOauthBearer' has to be set to 'true'");
        }
        boolean hasJwksRefreshSecondsValidInput = oAuth.getJwksRefreshSeconds() != null && oAuth.getJwksRefreshSeconds() > 0;
        boolean hasJwksExpirySecondsValidInput = oAuth.getJwksExpirySeconds() != null && oAuth.getJwksExpirySeconds() > 0;
        boolean hasJwksMinRefreshPauseSecondsValidInput = oAuth.getJwksMinRefreshPauseSeconds() != null && oAuth.getJwksMinRefreshPauseSeconds() >= 0;
        if (oAuth.getIntrospectionEndpointUri() == null && oAuth.getJwksEndpointUri() == null) {
            errors.add("listener " + listenerName + ": Introspection endpoint URI or JWKS endpoint URI has to be specified");
        }
        if (oAuth.getValidIssuerUri() == null && oAuth.isCheckIssuer()) {
            errors.add("listener " + listenerName + ": Valid Issuer URI has to be specified or 'checkIssuer' set to 'false'");
        }
        if (oAuth.getConnectTimeoutSeconds() != null && oAuth.getConnectTimeoutSeconds() <= 0) {
            errors.add("listener " + listenerName + ": 'connectTimeoutSeconds' needs to be a positive integer (set to: " + oAuth.getConnectTimeoutSeconds() + ")");
        }
        if (oAuth.getReadTimeoutSeconds() != null && oAuth.getReadTimeoutSeconds() <= 0) {
            errors.add("listener " + listenerName + ": 'readTimeoutSeconds' needs to be a positive integer (set to: " + oAuth.getReadTimeoutSeconds() + ")");
        }
        if (oAuth.isCheckAudience() && oAuth.getClientId() == null) {
            errors.add("listener " + listenerName + ": 'clientId' has to be configured when 'checkAudience' is 'true'");
        }
        String customCheckQuery = oAuth.getCustomClaimCheck();
        if (customCheckQuery != null) {
            try {
                JsonPathFilterQuery.parse(customCheckQuery);
            } catch (Exception e) {
                errors.add("listener " + listenerName + ": 'customClaimCheck' value not a valid JsonPath filter query - " + e.getMessage());
            }
        }
        if (oAuth.getIntrospectionEndpointUri() != null && (oAuth.getClientId() == null || oAuth.getClientSecret() == null)) {
            errors.add("listener " + listenerName + ": Introspection Endpoint URI needs to be configured together with 'clientId' and 'clientSecret'");
        }
        if (oAuth.getUserInfoEndpointUri() != null && oAuth.getIntrospectionEndpointUri() == null) {
            errors.add("listener " + listenerName + ": User Info Endpoint URI can only be used if Introspection Endpoint URI is also configured");
        }
        if (oAuth.getJwksEndpointUri() == null && (hasJwksRefreshSecondsValidInput || hasJwksExpirySecondsValidInput || hasJwksMinRefreshPauseSecondsValidInput)) {
            errors.add("listener " + listenerName + ": 'jwksRefreshSeconds', 'jwksExpirySeconds' and 'jwksMinRefreshPauseSeconds' can only be used together with 'jwksEndpointUri'");
        }
        if (oAuth.getJwksRefreshSeconds() != null && !hasJwksRefreshSecondsValidInput) {
            errors.add("listener " + listenerName + ": 'jwksRefreshSeconds' needs to be a positive integer (set to: " + oAuth.getJwksRefreshSeconds() + ")");
        }
        if (oAuth.getJwksExpirySeconds() != null && !hasJwksExpirySecondsValidInput) {
            errors.add("listener " + listenerName + ": 'jwksExpirySeconds' needs to be a positive integer (set to: " + oAuth.getJwksExpirySeconds() + ")");
        }
        if (oAuth.getJwksMinRefreshPauseSeconds() != null && !hasJwksMinRefreshPauseSecondsValidInput) {
            errors.add("listener " + listenerName + ": 'jwksMinRefreshPauseSeconds' needs to be a positive integer or zero (set to: " + oAuth.getJwksMinRefreshPauseSeconds() + ")");
        }
        if ((hasJwksExpirySecondsValidInput && hasJwksRefreshSecondsValidInput && oAuth.getJwksExpirySeconds() < oAuth.getJwksRefreshSeconds() + 60) || (!hasJwksExpirySecondsValidInput && hasJwksRefreshSecondsValidInput && KafkaListenerAuthenticationOAuth.DEFAULT_JWKS_EXPIRY_SECONDS < oAuth.getJwksRefreshSeconds() + 60) || (hasJwksExpirySecondsValidInput && !hasJwksRefreshSecondsValidInput && oAuth.getJwksExpirySeconds() < KafkaListenerAuthenticationOAuth.DEFAULT_JWKS_REFRESH_SECONDS + 60)) {
            errors.add("listener " + listenerName + ": The refresh interval has to be at least 60 seconds shorter then the expiry interval specified in `jwksExpirySeconds`");
        }
        if (!oAuth.isAccessTokenIsJwt()) {
            if (oAuth.getJwksEndpointUri() != null) {
                errors.add("listener " + listenerName + ": 'accessTokenIsJwt' can not be 'false' when 'jwksEndpointUri' is set");
            }
            if (!oAuth.isCheckAccessTokenType()) {
                errors.add("listener " + listenerName + ": 'checkAccessTokenType' can not be set to 'false' when 'accessTokenIsJwt' is 'false'");
            }
        }
        if (!oAuth.isCheckAccessTokenType() && oAuth.getIntrospectionEndpointUri() != null) {
            errors.add("listener " + listenerName + ": 'checkAccessTokenType' can not be set to 'false' when 'introspectionEndpointUri' is set");
        }
        if (oAuth.getValidTokenType() != null && oAuth.getIntrospectionEndpointUri() == null) {
            errors.add("listener " + listenerName + ": 'validTokenType' can only be used when 'introspectionEndpointUri' is set");
        }
        String groupsQuery = oAuth.getGroupsClaim();
        if (groupsQuery != null) {
            try {
                JsonPathQuery.parse(groupsQuery);
            } catch (Exception e) {
                errors.add("listener " + listenerName + ": 'groupsClaim' value not a valid JsonPath query - " + e.getMessage());
            }
        }
    }
}
Also used : KafkaListenerAuthenticationOAuth(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth)

Aggregations

KafkaListenerAuthenticationOAuth (io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth)60 KafkaListenerAuthenticationOAuthBuilder (io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuthBuilder)44 ParallelTest (io.strimzi.test.annotations.ParallelTest)44 GenericKafkaListener (io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener)14 ArrayList (java.util.ArrayList)12 KafkaAuthorizationKeycloak (io.strimzi.api.kafka.model.KafkaAuthorizationKeycloak)8 KafkaListenerAuthenticationCustom (io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationCustom)8 CertAndKeySecretSource (io.strimzi.api.kafka.model.CertAndKeySecretSource)6 Volume (io.fabric8.kubernetes.api.model.Volume)4 VolumeMount (io.fabric8.kubernetes.api.model.VolumeMount)4 KafkaResources (io.strimzi.api.kafka.model.KafkaResources)4 HashMap (java.util.HashMap)4 List (java.util.List)4 Collectors (java.util.stream.Collectors)4 CoreMatchers.containsString (org.hamcrest.CoreMatchers.containsString)3 EnvVar (io.fabric8.kubernetes.api.model.EnvVar)2 LabelSelector (io.fabric8.kubernetes.api.model.LabelSelector)2 ContainerEnvVar (io.strimzi.api.kafka.model.ContainerEnvVar)2 CruiseControlSpec (io.strimzi.api.kafka.model.CruiseControlSpec)2 KafkaAuthorization (io.strimzi.api.kafka.model.KafkaAuthorization)2
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial