
Example 1 with OAuthBearerTokenCallback

Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback in the apache/kafka project.

From class OAuthBearerLoginCallbackHandlerTest, method testHandleTokenCallback.

@Test
public void testHandleTokenCallback() throws Exception {
    // Mint a signed token up front so every field the handler reports can be
    // checked against the values the builder was given.
    AccessTokenBuilder tokenBuilder = new AccessTokenBuilder()
        .jwk(createRsaJwk())
        .alg(AlgorithmIdentifiers.RSA_USING_SHA256);
    String expectedToken = tokenBuilder.build();
    Map<String, ?> saslConfigs = getSaslConfigs();
    OAuthBearerLoginCallbackHandler handler = createHandler(() -> expectedToken, saslConfigs);
    OAuthBearerTokenCallback tokenCallback = new OAuthBearerTokenCallback();
    try {
        handler.handle(new Callback[] { tokenCallback });
        OAuthBearerToken issued = tokenCallback.token();
        assertNotNull(issued);
        assertEquals(expectedToken, issued.value());
        assertEquals(tokenBuilder.subject(), issued.principalName());
        // The builder speaks in seconds; OAuthBearerToken exposes milliseconds.
        assertEquals(tokenBuilder.expirationSeconds() * 1000, issued.lifetimeMs());
        assertEquals(tokenBuilder.issuedAtSeconds() * 1000, issued.startTimeMs());
    } finally {
        handler.close();
    }
}
Also used : OAuthBearerTokenCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback) OAuthBearerToken(org.apache.kafka.common.security.oauthbearer.OAuthBearerToken) Test(org.junit.jupiter.api.Test)

Example 2 with OAuthBearerTokenCallback

Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback in the apache/kafka project.

From class OAuthBearerLoginCallbackHandlerTest, method testInvalidAccessToken.

/**
 * Feeds {@code accessToken} through the login callback handler and checks that it is
 * rejected: no token is set on the callback and the error description mentions
 * {@code expectedMessageSubstring}.
 */
private void testInvalidAccessToken(String accessToken, String expectedMessageSubstring) throws Exception {
    OAuthBearerLoginCallbackHandler handler = createHandler(() -> accessToken, getSaslConfigs());
    try {
        OAuthBearerTokenCallback tokenCallback = new OAuthBearerTokenCallback();
        handler.handle(new Callback[] { tokenCallback });
        // A rejected token must surface as an error description on the callback, never as a token.
        assertNull(tokenCallback.token());
        String errorDescription = tokenCallback.errorDescription();
        assertNotNull(errorDescription);
        String mismatch = String.format("The error message \"%s\" didn't contain the expected substring \"%s\"", errorDescription, expectedMessageSubstring);
        assertTrue(errorDescription.contains(expectedMessageSubstring), mismatch);
    } finally {
        handler.close();
    }
}
Also used : OAuthBearerTokenCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback)

Example 3 with OAuthBearerTokenCallback

Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback in the apache/kafka project.

From class OAuthBearerUnsecuredLoginCallbackHandlerTest, method validOptionsWithExplicitOptionValues.

@SuppressWarnings("unchecked")
@Test
public void validOptionsWithExplicitOptionValues() throws IOException, UnsupportedCallbackException {
    final String scope1 = "scope1";
    final String scope2 = "scope2";
    final String customScopeClaimName = "putScopeInHere";
    final String principalClaimName = "principal";
    final String principal = "user";
    final long lifetimeSeconds = 10000;
    // First pass leaves the scope claim name option unset (the handler then uses "scope"),
    // second pass names it explicitly; every assertion must hold in both configurations.
    for (String configuredScopeClaimName : Arrays.asList(null, customScopeClaimName)) {
        String expectedScopeClaimName = configuredScopeClaimName == null ? "scope" : customScopeClaimName;

        Map<String, String> options = new HashMap<>();
        options.put("unsecuredLoginStringClaim_" + principalClaimName, principal);
        options.put("unsecuredLoginListClaim_" + "list", ",1,2,");
        options.put("unsecuredLoginListClaim_" + "emptyList1", "");
        options.put("unsecuredLoginListClaim_" + "emptyList2", ",");
        options.put("unsecuredLoginNumberClaim_" + "number", "1");
        options.put("unsecuredLoginLifetimeSeconds", String.valueOf(lifetimeSeconds));
        options.put("unsecuredLoginPrincipalClaimName", principalClaimName);
        if (configuredScopeClaimName != null) {
            options.put("unsecuredLoginScopeClaimName", configuredScopeClaimName);
        }
        // The scope claim is a '|'-delimited list claim stored under the scope claim name.
        options.put("unsecuredLoginListClaim_" + expectedScopeClaimName, "|" + scope1 + "|" + scope2);

        MockTime mockTime = new MockTime();
        OAuthBearerUnsecuredLoginCallbackHandler callbackHandler = createCallbackHandler(options, mockTime);
        OAuthBearerTokenCallback callback = new OAuthBearerTokenCallback();
        callbackHandler.handle(new Callback[] { callback });
        OAuthBearerUnsecuredJws jws = (OAuthBearerUnsecuredJws) callback.token();
        assertNotNull(jws, "create token failed");
        confirmCorrectValues(jws, principal, mockTime.milliseconds(), lifetimeSeconds * 1000);

        Map<String, Object> claims = jws.claims();
        HashSet<String> expectedClaimNames = new HashSet<>(Arrays.asList(
            expectedScopeClaimName, principalClaimName, "iat", "exp", "number", "list", "emptyList1", "emptyList2"));
        assertEquals(expectedClaimNames, claims.keySet());
        HashSet<String> expectedScopes = new HashSet<>(Arrays.asList(scope1, scope2));
        assertEquals(expectedScopes, new HashSet<>((List<String>) claims.get(expectedScopeClaimName)));
        assertEquals(expectedScopes, jws.scope());
        assertEquals(1.0, jws.claim("number", Number.class));
        assertEquals(Arrays.asList("1", "2", ""), jws.claim("list", List.class));
        assertEquals(Collections.emptyList(), jws.claim("emptyList1", List.class));
        assertEquals(Collections.emptyList(), jws.claim("emptyList2", List.class));
    }
}
Also used : HashMap(java.util.HashMap) OAuthBearerTokenCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback) List(java.util.List) MockTime(org.apache.kafka.common.utils.MockTime) Test(org.junit.jupiter.api.Test)

Example 4 with OAuthBearerTokenCallback

Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback in the apache/kafka project.

From class OAuthBearerSaslClient, method evaluateChallenge.

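/**
 * Produces the client side of the OAUTHBEARER exchange for the current {@code state}.
 * <p>
 * In {@code SEND_CLIENT_FIRST_MESSAGE} the login callback handler is asked for a token,
 * which is sent together with any custom extensions. In {@code RECEIVE_SERVER_FIRST_MESSAGE}
 * an empty challenge means the server accepted the token; a non-empty challenge is the
 * server's JSON error, answered with a single control-A byte (the RFC 7628 acknowledgement)
 * so the server can send its final failure message. Any failure moves the client to
 * {@code FAILED}.
 *
 * @param challenge bytes received from the server; empty or {@code null} on the first call
 * @return bytes to send to the server, or {@code null} once the exchange is complete
 * @throws SaslException if the challenge does not fit the current state, the callback handler
 *         fails, or the handler declines to produce a token
 */
@Override
public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
    try {
        OAuthBearerTokenCallback callback = new OAuthBearerTokenCallback();
        switch (state) {
            case SEND_CLIENT_FIRST_MESSAGE:
                if (challenge != null && challenge.length != 0)
                    throw new SaslException("Expected empty challenge");
                callbackHandler().handle(new Callback[] { callback });
                // A handler may decline by leaving the token unset and filling in an error
                // description; report that instead of dereferencing a null token below.
                requireToken(callback);
                SaslExtensions extensions = retrieveCustomExtensions();
                setState(State.RECEIVE_SERVER_FIRST_MESSAGE);
                return new OAuthBearerClientInitialResponse(callback.token().value(), extensions).toBytes();
            case RECEIVE_SERVER_FIRST_MESSAGE:
                if (challenge != null && challenge.length != 0) {
                    String jsonErrorResponse = new String(challenge, StandardCharsets.UTF_8);
                    if (log.isDebugEnabled())
                        log.debug("Sending %%x01 response to server after receiving an error: {}", jsonErrorResponse);
                    setState(State.RECEIVE_SERVER_MESSAGE_AFTER_FAILURE);
                    return new byte[] { BYTE_CONTROL_A };
                }
                callbackHandler().handle(new Callback[] { callback });
                // The token is only needed here for the log line; the server has already
                // accepted, so a missing token must not fail the exchange at this point.
                if (log.isDebugEnabled() && callback.token() != null)
                    log.debug("Successfully authenticated as {}", callback.token().principalName());
                setState(State.COMPLETE);
                return null;
            default:
                throw new IllegalSaslStateException("Unexpected challenge in Sasl client state " + state);
        }
    } catch (SaslException e) {
        setState(State.FAILED);
        throw e;
    } catch (IOException | UnsupportedCallbackException e) {
        setState(State.FAILED);
        throw new SaslException(e.getMessage(), e);
    }
}

/**
 * Fails the exchange when the login callback handler returned without setting a token.
 *
 * @param callback the callback that was handed to the login callback handler
 * @throws SaslException carrying the handler's error description when it provided one
 */
private static void requireToken(OAuthBearerTokenCallback callback) throws SaslException {
    if (callback.token() != null)
        return;
    String message = "Login callback handler did not provide a token";
    String errorDescription = callback.errorDescription();
    if (errorDescription != null && !errorDescription.isEmpty())
        message += ": " + errorDescription;
    throw new SaslException(message);
}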
Also used : OAuthBearerTokenCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback) SaslExtensions(org.apache.kafka.common.security.auth.SaslExtensions) IllegalSaslStateException(org.apache.kafka.common.errors.IllegalSaslStateException) IOException(java.io.IOException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) SaslException(javax.security.sasl.SaslException)

Example 5 with OAuthBearerTokenCallback

Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback in the apache/kafka project.

From class OAuthBearerSaslServerTest, method clientInitialResponse.

/**
 * Builds the bytes a client would send as its initial OAUTHBEARER response, using the token
 * produced by {@code LOGIN_CALLBACK_HANDLER}. When {@code illegalToken} is set the token's
 * compact serialization is altered with a trailing suffix so it no longer matches what the
 * handler produced.
 */
private byte[] clientInitialResponse(String authorizationId, boolean illegalToken, Map<String, String> customExtensions) throws OAuthBearerConfigException, IOException, UnsupportedCallbackException {
    OAuthBearerTokenCallback tokenCallback = new OAuthBearerTokenCallback();
    LOGIN_CALLBACK_HANDLER.handle(new Callback[] { tokenCallback });
    OAuthBearerToken issued = tokenCallback.token();
    String suffix = illegalToken ? "AB" : "";
    String tokenValue = issued.value() + suffix;
    SaslExtensions extensions = new SaslExtensions(customExtensions);
    return new OAuthBearerClientInitialResponse(tokenValue, authorizationId, extensions).toBytes();
}
Also used : OAuthBearerTokenCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback) SaslExtensions(org.apache.kafka.common.security.auth.SaslExtensions) OAuthBearerToken(org.apache.kafka.common.security.oauthbearer.OAuthBearerToken)

Aggregations

OAuthBearerTokenCallback (org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback)7 Test (org.junit.jupiter.api.Test)4 IOException (java.io.IOException)2 HashMap (java.util.HashMap)2 SaslExtensions (org.apache.kafka.common.security.auth.SaslExtensions)2 OAuthBearerToken (org.apache.kafka.common.security.oauthbearer.OAuthBearerToken)2 MockTime (org.apache.kafka.common.utils.MockTime)2 List (java.util.List)1 Callback (javax.security.auth.callback.Callback)1 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1 SaslException (javax.security.sasl.SaslException)1 IllegalSaslStateException (org.apache.kafka.common.errors.IllegalSaslStateException)1 SaslExtensionsCallback (org.apache.kafka.common.security.auth.SaslExtensionsCallback)1