
Example 16 with SaslExtensions

use of org.apache.kafka.common.security.auth.SaslExtensions in project kafka by apache.

the class OAuthBearerSaslServerTest method clientInitialResponse.

/**
 * Builds the serialized OAUTHBEARER client initial response used by these tests.
 *
 * <p>The token is fetched through {@code LOGIN_CALLBACK_HANDLER}. When
 * {@code illegalToken} is set, two extra characters are appended to the token's
 * compact serialization, so the value sent no longer matches the token that was
 * handed out (presumably to exercise the server's rejection path; confirm against callers).
 *
 * @param authorizationId authorization id placed in the response
 * @param illegalToken whether to corrupt the token value before sending it
 * @param customExtensions SASL extensions wrapped into the response
 * @return the bytes of the client initial response
 */
private byte[] clientInitialResponse(String authorizationId, boolean illegalToken, Map<String, String> customExtensions) throws OAuthBearerConfigException, IOException, UnsupportedCallbackException {
    OAuthBearerTokenCallback tokenCallback = new OAuthBearerTokenCallback();
    Callback[] callbacks = { tokenCallback };
    LOGIN_CALLBACK_HANDLER.handle(callbacks);
    String serializedToken = tokenCallback.token().value();
    // Appending characters yields a value that differs from the issued token.
    String suffix;
    if (illegalToken) {
        suffix = "AB";
    } else {
        suffix = "";
    }
    String valueToSend = serializedToken + suffix;
    SaslExtensions saslExtensions = new SaslExtensions(customExtensions);
    OAuthBearerClientInitialResponse response = new OAuthBearerClientInitialResponse(valueToSend, authorizationId, saslExtensions);
    return response.toBytes();
}
Also used : OAuthBearerTokenCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback) SaslExtensions(org.apache.kafka.common.security.auth.SaslExtensions) OAuthBearerToken(org.apache.kafka.common.security.oauthbearer.OAuthBearerToken)

Example 17 with SaslExtensions

use of org.apache.kafka.common.security.auth.SaslExtensions in project kafka by apache.

the class OAuthBearerLoginModuleTest method loginAbortLoginCommitLogout.

@Test
public void loginAbortLoginCommitLogout() throws LoginException {
    // Sequence under test: login(); abort(); login(); commit(); logout().
    // The Subject must expose no credentials until commit() has run, and none after logout().
    Subject subject = new Subject();
    Set<Object> privateCreds = subject.getPrivateCredentials();
    Set<Object> publicCreds = subject.getPublicCredentials();

    // Callback handler backed by two mocked tokens and two mocked extension sets
    OAuthBearerToken[] mockTokens = { mock(OAuthBearerToken.class), mock(OAuthBearerToken.class) };
    SaslExtensions[] mockExtensions = { mock(SaslExtensions.class), mock(SaslExtensions.class) };
    TestCallbackHandler handler = new TestCallbackHandler(mockTokens, mockExtensions);

    // Login module under test
    OAuthBearerLoginModule module = new OAuthBearerLoginModule();
    module.initialize(subject, handler, Collections.emptyMap(), Collections.emptyMap());

    // Nothing on the Subject before any login
    assertEquals(0, privateCreds.size());
    assertEquals(0, publicCreds.size());

    module.login();
    // login() alone must not publish anything
    assertEquals(0, privateCreds.size());
    assertEquals(0, publicCreds.size());

    module.abort();
    // An aborted login leaves the Subject empty
    assertEquals(0, privateCreds.size());
    assertEquals(0, publicCreds.size());

    module.login();
    // Second login(): still nothing until commit()
    assertEquals(0, privateCreds.size());
    assertEquals(0, publicCreds.size());

    module.commit();
    // commit() publishes the second token as a private credential and the
    // second extensions object as a public credential
    assertEquals(1, privateCreds.size());
    assertEquals(1, publicCreds.size());
    assertSame(mockTokens[1], privateCreds.iterator().next());
    assertSame(mockExtensions[1], publicCreds.iterator().next());

    module.logout();
    // logout() removes both credentials again
    assertEquals(0, privateCreds.size());
    assertEquals(0, publicCreds.size());

    // The module must never have called a method on the token or extension mocks
    verifyNoInteractions((Object[]) mockTokens);
    verifyNoInteractions((Object[]) mockExtensions);
}
Also used : SaslExtensions(org.apache.kafka.common.security.auth.SaslExtensions) Subject(javax.security.auth.Subject) Test(org.junit.jupiter.api.Test)

Example 18 with SaslExtensions

use of org.apache.kafka.common.security.auth.SaslExtensions in project kafka by apache.

the class OAuthBearerLoginModuleTest method login1Commit1Login2Commit2Logout1Login3Commit3Logout2.

@Test
public void login1Commit1Login2Commit2Logout1Login3Commit3Logout2() throws LoginException {
    /*
     * Invoke login()/commit() on loginModule1; invoke login()/commit() on
     * loginModule2; invoke logout() on loginModule1; invoke login()/commit() on
     * loginModule3; invoke logout() on loginModule2.
     *
     * All three modules share one Subject and one callback handler. The test checks
     * that each logout() removes only the credentials committed by that module, and
     * that nothing is published on the Subject before commit().
     */
    Subject subject = new Subject();
    Set<Object> privateCredentials = subject.getPrivateCredentials();
    Set<Object> publicCredentials = subject.getPublicCredentials();
    // Create callback handler backed by three mocked tokens and three mocked extension sets
    OAuthBearerToken[] tokens = new OAuthBearerToken[] { mock(OAuthBearerToken.class), mock(OAuthBearerToken.class), mock(OAuthBearerToken.class) };
    SaslExtensions[] extensions = new SaslExtensions[] { mock(SaslExtensions.class), mock(SaslExtensions.class), mock(SaslExtensions.class) };
    TestCallbackHandler testTokenCallbackHandler = new TestCallbackHandler(tokens, extensions);
    // Create login modules, all initialized against the same Subject and handler
    OAuthBearerLoginModule loginModule1 = new OAuthBearerLoginModule();
    loginModule1.initialize(subject, testTokenCallbackHandler, Collections.emptyMap(), Collections.emptyMap());
    OAuthBearerLoginModule loginModule2 = new OAuthBearerLoginModule();
    loginModule2.initialize(subject, testTokenCallbackHandler, Collections.emptyMap(), Collections.emptyMap());
    OAuthBearerLoginModule loginModule3 = new OAuthBearerLoginModule();
    loginModule3.initialize(subject, testTokenCallbackHandler, Collections.emptyMap(), Collections.emptyMap());
    // Should start with nothing
    assertEquals(0, privateCredentials.size());
    assertEquals(0, publicCredentials.size());
    loginModule1.login();
    // Should still have nothing until commit() is called
    assertEquals(0, privateCredentials.size());
    assertEquals(0, publicCredentials.size());
    loginModule1.commit();
    // Now we should have the first token (private credential) and extensions (public credential)
    assertEquals(1, privateCredentials.size());
    assertEquals(1, publicCredentials.size());
    assertSame(tokens[0], privateCredentials.iterator().next());
    assertSame(extensions[0], publicCredentials.iterator().next());
    // Now login on loginModule2 to get the second token
    // NOTE(review): the comment previously here said loginModule2 does not support the extensions
    // callback and will raise UnsupportedCallbackException, but all three modules are initialized
    // with the same handler and the assertions below expect extensions[1] to be committed.
    // The old wording looks stale; confirm against TestCallbackHandler.
    loginModule2.login();
    // Should still have just the first token and extensions
    assertEquals(1, privateCredentials.size());
    assertEquals(1, publicCredentials.size());
    assertSame(tokens[0], privateCredentials.iterator().next());
    assertSame(extensions[0], publicCredentials.iterator().next());
    loginModule2.commit();
    // Should have the first and second tokens at this point
    assertEquals(2, privateCredentials.size());
    assertEquals(2, publicCredentials.size());
    Iterator<Object> iterator = privateCredentials.iterator();
    Iterator<Object> publicIterator = publicCredentials.iterator();
    // NOTE(review): these checks only establish that the third token/extensions are absent;
    // they do not positively assert that entries 0 and 1 are the two credentials present.
    assertNotSame(tokens[2], iterator.next());
    assertNotSame(tokens[2], iterator.next());
    assertNotSame(extensions[2], publicIterator.next());
    assertNotSame(extensions[2], publicIterator.next());
    // finally logout() on loginModule1
    loginModule1.logout();
    // Now we should have just the second token and extension
    assertEquals(1, privateCredentials.size());
    assertEquals(1, publicCredentials.size());
    assertSame(tokens[1], privateCredentials.iterator().next());
    assertSame(extensions[1], publicCredentials.iterator().next());
    // Now login on loginModule3 to get the third token
    loginModule3.login();
    // Should still have just the second token and extensions
    assertEquals(1, privateCredentials.size());
    assertEquals(1, publicCredentials.size());
    assertSame(tokens[1], privateCredentials.iterator().next());
    assertSame(extensions[1], publicCredentials.iterator().next());
    loginModule3.commit();
    // Should have the second and third tokens at this point
    assertEquals(2, privateCredentials.size());
    assertEquals(2, publicCredentials.size());
    iterator = privateCredentials.iterator();
    publicIterator = publicCredentials.iterator();
    // As above: only the absence of the first token/extensions is checked here
    assertNotSame(tokens[0], iterator.next());
    assertNotSame(tokens[0], iterator.next());
    assertNotSame(extensions[0], publicIterator.next());
    assertNotSame(extensions[0], publicIterator.next());
    // finally logout() on loginModule2
    loginModule2.logout();
    // Now we should have just the third token and extensions
    assertEquals(1, privateCredentials.size());
    assertEquals(1, publicCredentials.size());
    assertSame(tokens[2], privateCredentials.iterator().next());
    assertSame(extensions[2], publicCredentials.iterator().next());
    // No method may have been invoked on any token or extensions mock during the whole sequence
    verifyNoInteractions((Object[]) tokens);
    verifyNoInteractions((Object[]) extensions);
}
Also used : SaslExtensions(org.apache.kafka.common.security.auth.SaslExtensions) Subject(javax.security.auth.Subject) Test(org.junit.jupiter.api.Test)

Example 19 with SaslExtensions

use of org.apache.kafka.common.security.auth.SaslExtensions in project kafka by apache.

the class OAuthBearerLoginModuleTest method commitDoesNotThrowOnUnsupportedExtensionsCallback.

/**
 * 2.1.0 added customizable SASL extensions and a new callback type.
 * Ensure that old, custom-written callback handlers that do not handle the new callback still work.
 */
@Test
public void commitDoesNotThrowOnUnsupportedExtensionsCallback() throws LoginException {
    Subject subject = new Subject();

    // Handler with three mocked tokens; its extensions array holds only the flag value
    // RAISE_UNSUPPORTED_CB_EXCEPTION_FLAG
    OAuthBearerToken[] mockTokens = { mock(OAuthBearerToken.class), mock(OAuthBearerToken.class), mock(OAuthBearerToken.class) };
    SaslExtensions[] flaggedExtensions = { RAISE_UNSUPPORTED_CB_EXCEPTION_FLAG };
    TestCallbackHandler handler = new TestCallbackHandler(mockTokens, flaggedExtensions);

    // Login module under test
    OAuthBearerLoginModule module = new OAuthBearerLoginModule();
    module.initialize(subject, handler, Collections.emptyMap(), Collections.emptyMap());
    module.login();

    // commit() must not throw and must still publish a SaslExtensions public credential
    module.commit();

    // The published extensions are expected to be present but empty
    SaslExtensions committed = subject.getPublicCredentials(SaslExtensions.class).iterator().next();
    assertNotNull(committed);
    assertTrue(committed.map().isEmpty());

    // The module must never have called a method on the token mocks
    verifyNoInteractions((Object[]) mockTokens);
}
Also used : SaslExtensions(org.apache.kafka.common.security.auth.SaslExtensions) Subject(javax.security.auth.Subject) Test(org.junit.jupiter.api.Test)

Example 20 with SaslExtensions

use of org.apache.kafka.common.security.auth.SaslExtensions in project kafka by apache.

the class SaslExtensionsTest method testReturnedMapIsImmutable.

@Test
public void testReturnedMapIsImmutable() {
    // The map exposed by map() must reject writes, so a caller holding the
    // SaslExtensions cannot alter its contents after construction.
    SaslExtensions saslExtensions = new SaslExtensions(this.map);
    assertThrows(UnsupportedOperationException.class, () -> {
        saslExtensions.map().put("hello", "test");
    });
}
Also used : SaslExtensions(org.apache.kafka.common.security.auth.SaslExtensions) Test(org.junit.jupiter.api.Test)

Aggregations

SaslExtensions (org.apache.kafka.common.security.auth.SaslExtensions)20 Test (org.junit.jupiter.api.Test)13 HashMap (java.util.HashMap)7 Subject (javax.security.auth.Subject)6 Map (java.util.Map)3 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)3 SaslException (javax.security.sasl.SaslException)3 IOException (java.io.IOException)2 ConfigException (org.apache.kafka.common.config.ConfigException)2 OAuthBearerToken (org.apache.kafka.common.security.oauthbearer.OAuthBearerToken)2 OAuthBearerTokenCallback (org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback)2 Callback (javax.security.auth.callback.Callback)1 NameCallback (javax.security.auth.callback.NameCallback)1 PasswordCallback (javax.security.auth.callback.PasswordCallback)1 AuthorizeCallback (javax.security.sasl.AuthorizeCallback)1 RealmCallback (javax.security.sasl.RealmCallback)1 IllegalSaslStateException (org.apache.kafka.common.errors.IllegalSaslStateException)1 SaslAuthenticationException (org.apache.kafka.common.errors.SaslAuthenticationException)1 SaslExtensionsCallback (org.apache.kafka.common.security.auth.SaslExtensionsCallback)1 OAuthBearerValidatorCallback (org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback)1