
Example 11 with SaslExtensions

use of org.apache.kafka.common.security.auth.SaslExtensions in project kafka by apache.

From the class OAuthBearerSaslClient, method evaluateChallenge.

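/**
 * Advances the OAUTHBEARER client-side SASL exchange by one step.
 *
 * <p>In {@code SEND_CLIENT_FIRST_MESSAGE} the challenge must be empty; the bearer token is
 * obtained from the callback handler and sent together with any custom extensions. In
 * {@code RECEIVE_SERVER_FIRST_MESSAGE} a non-empty challenge is the server's error response
 * and is answered with a single 0x01 byte; an empty challenge completes the exchange.
 * Any other state rejects the challenge. A SASL failure on either path moves the client to
 * {@code State.FAILED}.
 *
 * @param challenge the bytes received from the server; may be {@code null} or empty
 * @return the bytes to send to the server, or {@code null} once the exchange is complete
 * @throws SaslException if the challenge is unexpected, the callback handler fails, or the
 *                       handler does not supply a token
 * @throws IllegalSaslStateException if invoked in a state that accepts no challenge
 */
@Override
public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
    try {
        OAuthBearerTokenCallback callback = new OAuthBearerTokenCallback();
        switch (state) {
            case SEND_CLIENT_FIRST_MESSAGE:
                if (challenge != null && challenge.length != 0)
                    throw new SaslException("Expected empty challenge");
                callbackHandler().handle(new Callback[] { callback });
                // A handler may return without setting a token. Previously that surfaced as a
                // NullPointerException, which the catch blocks below do not see, so the client
                // was never moved to State.FAILED. Report it as a SASL failure instead.
                if (callback.token() == null)
                    throw new SaslException("Callback handler did not supply an OAuth bearer token");
                SaslExtensions extensions = retrieveCustomExtensions();
                // Build the response before advancing the state so that any failure while
                // building it is recorded as FAILED rather than leaving the client in
                // RECEIVE_SERVER_FIRST_MESSAGE with nothing sent.
                byte[] clientFirstMessage = new OAuthBearerClientInitialResponse(callback.token().value(), extensions).toBytes();
                setState(State.RECEIVE_SERVER_FIRST_MESSAGE);
                return clientFirstMessage;
            case RECEIVE_SERVER_FIRST_MESSAGE:
                if (challenge != null && challenge.length != 0) {
                    // A non-empty challenge in this state is the server's JSON error response.
                    String jsonErrorResponse = new String(challenge, StandardCharsets.UTF_8);
                    if (log.isDebugEnabled())
                        log.debug("Sending %%x01 response to server after receiving an error: {}", jsonErrorResponse);
                    setState(State.RECEIVE_SERVER_MESSAGE_AFTER_FAILURE);
                    return new byte[] { BYTE_CONTROL_A };
                }
                // The handler is consulted again only to name the authenticated principal in the log.
                callbackHandler().handle(new Callback[] { callback });
                if (log.isDebugEnabled() && callback.token() != null)
                    log.debug("Successfully authenticated as {}", callback.token().principalName());
                setState(State.COMPLETE);
                return null;
            default:
                throw new IllegalSaslStateException("Unexpected challenge in Sasl client state " + state);
        }
    } catch (SaslException e) {
        setState(State.FAILED);
        throw e;
    } catch (IOException | UnsupportedCallbackException e) {
        setState(State.FAILED);
        // Wrap with the cause preserved so the handler's failure remains diagnosable.
        throw new SaslException(e.getMessage(), e);
    }
}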

Example 12 with SaslExtensions

use of org.apache.kafka.common.security.auth.SaslExtensions in project kafka by apache.

From the class SaslClientCallbackHandler, method handle.

/**
 * Answers the callbacks raised by the SASL client mechanism using the credentials of the
 * {@link Subject} attached to the current access-control context.
 *
 * <p>Name, password, realm, authorization and extension callbacks are each filled in by a
 * dedicated helper; any other callback type is rejected.
 *
 * @param callbacks the callbacks supplied by the SASL client
 * @throws UnsupportedCallbackException if a callback type is not recognised, or a password is
 *                                      requested but the subject carries none
 */
@Override
public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
    Subject currentSubject = Subject.getSubject(AccessController.getContext());
    for (Callback cb : callbacks) {
        if (cb instanceof NameCallback) {
            fillName((NameCallback) cb, currentSubject);
        } else if (cb instanceof PasswordCallback) {
            fillPassword((PasswordCallback) cb, currentSubject);
        } else if (cb instanceof RealmCallback) {
            fillRealm((RealmCallback) cb);
        } else if (cb instanceof AuthorizeCallback) {
            fillAuthorization((AuthorizeCallback) cb);
        } else if (cb instanceof ScramExtensionsCallback) {
            fillScramExtensions((ScramExtensionsCallback) cb, currentSubject);
        } else if (cb instanceof SaslExtensionsCallback) {
            fillSaslExtensions((SaslExtensionsCallback) cb, currentSubject);
        } else {
            throw new UnsupportedCallbackException(cb, "Unrecognized SASL ClientCallback");
        }
    }
}

/** Uses the subject's first public String credential as the name, else the callback's default. */
private static void fillName(NameCallback nameCallback, Subject subject) {
    boolean hasPublicName = subject != null && !subject.getPublicCredentials(String.class).isEmpty();
    String name = hasPublicName
        ? subject.getPublicCredentials(String.class).iterator().next()
        : nameCallback.getDefaultName();
    nameCallback.setName(name);
}

/**
 * Supplies the subject's first private String credential as the password.
 *
 * @throws UnsupportedCallbackException if no such credential is available; passwords are never
 *                                      requested interactively
 */
private static void fillPassword(PasswordCallback passwordCallback, Subject subject) throws UnsupportedCallbackException {
    if (subject == null || subject.getPrivateCredentials(String.class).isEmpty()) {
        throw new UnsupportedCallbackException(passwordCallback,
            "Could not login: the client is being asked for a password, but the Kafka"
                + " client code does not currently support obtaining a password from the user.");
    }
    String secret = subject.getPrivateCredentials(String.class).iterator().next();
    passwordCallback.setPassword(secret.toCharArray());
}

/** Accepts whatever realm the mechanism proposes. */
private static void fillRealm(RealmCallback realmCallback) {
    realmCallback.setText(realmCallback.getDefaultText());
}

/** Authorizes only when the authentication and authorization identities are the same string. */
private static void fillAuthorization(AuthorizeCallback authorizeCallback) {
    String authenticationId = authorizeCallback.getAuthenticationID();
    String authorizationId = authorizeCallback.getAuthorizationID();
    authorizeCallback.setAuthorized(authenticationId.equals(authorizationId));
    if (authorizeCallback.isAuthorized())
        authorizeCallback.setAuthorizedID(authorizationId);
}

/**
 * Passes the subject's first public Map credential to the callback, but only for SCRAM
 * mechanisms. Other mechanisms leave the callback untouched.
 */
private void fillScramExtensions(ScramExtensionsCallback extensionsCallback, Subject subject) {
    boolean applicable = ScramMechanism.isScram(mechanism)
        && subject != null
        && !subject.getPublicCredentials(Map.class).isEmpty();
    if (!applicable)
        return;
    // The subject API only offers a raw Map; the credential is trusted to be String -> String.
    @SuppressWarnings("unchecked")
    Map<String, String> scramExtensions = (Map<String, String>) subject.getPublicCredentials(Map.class).iterator().next();
    extensionsCallback.extensions(scramExtensions);
}

/**
 * Passes the subject's first public SaslExtensions credential to the callback for every
 * mechanism except GSSAPI. Absent credentials leave the callback untouched.
 */
private void fillSaslExtensions(SaslExtensionsCallback extensionsCallback, Subject subject) {
    boolean applicable = !SaslConfigs.GSSAPI_MECHANISM.equals(mechanism)
        && subject != null
        && !subject.getPublicCredentials(SaslExtensions.class).isEmpty();
    if (!applicable)
        return;
    SaslExtensions saslExtensions = subject.getPublicCredentials(SaslExtensions.class).iterator().next();
    extensionsCallback.extensions(saslExtensions);
}

Example 13 with SaslExtensions

use of org.apache.kafka.common.security.auth.SaslExtensions in project kafka by apache.

From the class OAuthBearerUnsecuredLoginCallbackHandler, method handleExtensionsCallback.

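/**
 *  Add and validate all the configured extensions.
 *  Token keys, apart from passing regex validation, must not be equal to the reserved key {@link OAuthBearerClientInitialResponse#AUTH_KEY}
 *
 *  @param callback the callback that receives the validated extensions
 *  @throws ConfigException if the configured extensions fail validation; the underlying
 *                          {@link SaslException} is attached as the cause
 */
private void handleExtensionsCallback(SaslExtensionsCallback callback) {
    Map<String, String> extensions = new HashMap<>();
    for (Map.Entry<String, String> configEntry : this.moduleOptions.entrySet()) {
        String key = configEntry.getKey();
        // Only options carrying the extension prefix are extensions; the prefix is stripped
        // so the remainder is the extension name sent to the server.
        if (!key.startsWith(EXTENSION_PREFIX))
            continue;
        extensions.put(key.substring(EXTENSION_PREFIX.length()), configEntry.getValue());
    }
    SaslExtensions saslExtensions = new SaslExtensions(extensions);
    try {
        OAuthBearerClientInitialResponse.validateExtensions(saslExtensions);
    } catch (SaslException e) {
        // Keep the validation failure reachable as the cause rather than only its message.
        ConfigException configException = new ConfigException(e.getMessage());
        configException.initCause(e);
        throw configException;
    }
    callback.extensions(saslExtensions);
}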

Example 14 with SaslExtensions

use of org.apache.kafka.common.security.auth.SaslExtensions in project kafka by apache.

From the class OAuthBearerLoginCallbackHandler, method handleExtensionsCallback.

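/**
 * Collects the extension options from the module configuration, validates them and hands
 * them to the callback.
 *
 * <p>Every module option whose key starts with {@code EXTENSION_PREFIX} becomes an extension
 * named by the remainder of the key; the value is converted with {@link String#valueOf(Object)},
 * which returns a String value unchanged and renders other values (including {@code null})
 * as text.
 *
 * @param callback the callback that receives the validated extensions
 * @throws ConfigException if the configured extensions fail validation; the underlying
 *                         {@link SaslException} is attached as the cause
 */
private void handleExtensionsCallback(SaslExtensionsCallback callback) {
    checkInitialized();
    Map<String, String> extensions = new HashMap<>();
    for (Map.Entry<String, Object> configEntry : this.moduleOptions.entrySet()) {
        String key = configEntry.getKey();
        if (!key.startsWith(EXTENSION_PREFIX))
            continue;
        // String.valueOf(Object) already returns a String argument as-is, so no separate
        // instanceof branch is needed.
        String value = String.valueOf(configEntry.getValue());
        extensions.put(key.substring(EXTENSION_PREFIX.length()), value);
    }
    SaslExtensions saslExtensions = new SaslExtensions(extensions);
    try {
        OAuthBearerClientInitialResponse.validateExtensions(saslExtensions);
    } catch (SaslException e) {
        // Keep the validation failure reachable as the cause rather than only its message.
        ConfigException configException = new ConfigException(e.getMessage());
        configException.initCause(e);
        throw configException;
    }
    callback.extensions(saslExtensions);
}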

Example 15 with SaslExtensions

use of org.apache.kafka.common.security.auth.SaslExtensions in project kafka by apache.

From the test class OAuthBearerExtensionsValidatorCallbackTest, method testCannotValidateExtensionWhichWasNotGiven.

/**
 * Marking an extension as valid must be rejected when that extension was never supplied to
 * the callback.
 */
@Test
public void testCannotValidateExtensionWhichWasNotGiven() {
    Map<String, String> supplied = new HashMap<>();
    supplied.put("hello", "bye");
    SaslExtensions extensions = new SaslExtensions(supplied);
    OAuthBearerExtensionsValidatorCallback callback = new OAuthBearerExtensionsValidatorCallback(TOKEN, extensions);
    // "???" is not among the supplied extensions, so it cannot be validated
    assertThrows(IllegalArgumentException.class, () -> callback.valid("???"));
}
