Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback in the project kafka by apache.
From the class OAuthBearerLoginCallbackHandlerTest, method testHandleTokenCallback.
@Test
public void testHandleTokenCallback() throws Exception {
    // Mint a signed token with the test builder and check that the handler passes
    // its value and the claims it derives (subject, exp, iat) through to the callback.
    Map<String, ?> saslConfigs = getSaslConfigs();
    AccessTokenBuilder tokenBuilder = new AccessTokenBuilder()
        .jwk(createRsaJwk())
        .alg(AlgorithmIdentifiers.RSA_USING_SHA256);
    String expectedToken = tokenBuilder.build();
    AccessTokenRetriever retriever = () -> expectedToken;
    OAuthBearerLoginCallbackHandler handler = createHandler(retriever, saslConfigs);
    try {
        OAuthBearerTokenCallback tokenCallback = new OAuthBearerTokenCallback();
        handler.handle(new Callback[] { tokenCallback });
        OAuthBearerToken actualToken = tokenCallback.token();
        assertNotNull(actualToken);
        assertEquals(expectedToken, actualToken.value());
        assertEquals(tokenBuilder.subject(), actualToken.principalName());
        // The builder works in seconds; the token API reports milliseconds.
        assertEquals(tokenBuilder.expirationSeconds() * 1000, actualToken.lifetimeMs());
        assertEquals(tokenBuilder.issuedAtSeconds() * 1000, actualToken.startTimeMs());
    } finally {
        handler.close();
    }
}
Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback in the project kafka by apache.
From the class OAuthBearerLoginCallbackHandlerTest, method testInvalidAccessToken.
/**
 * Feeds an invalid access token through the login callback handler and checks that
 * no token is set on the callback and that the error description mentions the
 * expected substring.
 *
 * @param accessToken the (invalid) token the retriever will hand to the handler
 * @param expectedMessageSubstring text the callback's error description must contain
 */
private void testInvalidAccessToken(String accessToken, String expectedMessageSubstring) throws Exception {
    Map<String, ?> saslConfigs = getSaslConfigs();
    OAuthBearerLoginCallbackHandler handler = createHandler(() -> accessToken, saslConfigs);
    try {
        OAuthBearerTokenCallback tokenCallback = new OAuthBearerTokenCallback();
        handler.handle(new Callback[] { tokenCallback });
        // An invalid token must never be surfaced; the handler reports the failure instead.
        assertNull(tokenCallback.token());
        String errorDescription = tokenCallback.errorDescription();
        assertNotNull(errorDescription);
        String failureMessage = String.format("The error message \"%s\" didn't contain the expected substring \"%s\"", errorDescription, expectedMessageSubstring);
        assertTrue(errorDescription.contains(expectedMessageSubstring), failureMessage);
    } finally {
        handler.close();
    }
}
Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback in the project kafka by apache.
From the class OAuthBearerUnsecuredLoginCallbackHandlerTest, method validOptionsWithExplicitOptionValues.
@SuppressWarnings("unchecked")
@Test
public void validOptionsWithExplicitOptionValues() throws IOException, UnsupportedCallbackException {
    // The scenario runs twice: once relying on the default scope claim name ("scope")
    // and once with an explicitly configured scope claim name.
    final String scope1 = "scope1";
    final String scope2 = "scope2";
    final String explicitScopeClaimName = "putScopeInHere";
    final String principalClaimName = "principal";
    final String principal = "user";
    final long lifetimeSeconds = 10000;
    for (String configuredScopeClaimName : new String[] { null, explicitScopeClaimName }) {
        boolean useDefaultScopeClaim = configuredScopeClaimName == null;
        String effectiveScopeClaimName = useDefaultScopeClaim ? "scope" : explicitScopeClaimName;

        Map<String, String> options = new HashMap<>();
        options.put("unsecuredLoginStringClaim_" + principalClaimName, principal);
        options.put("unsecuredLoginListClaim_" + "list", ",1,2,");
        options.put("unsecuredLoginListClaim_" + "emptyList1", "");
        options.put("unsecuredLoginListClaim_" + "emptyList2", ",");
        options.put("unsecuredLoginNumberClaim_" + "number", "1");
        options.put("unsecuredLoginLifetimeSeconds", String.valueOf(lifetimeSeconds));
        options.put("unsecuredLoginPrincipalClaimName", principalClaimName);
        if (!useDefaultScopeClaim) {
            options.put("unsecuredLoginScopeClaimName", configuredScopeClaimName);
        }
        // The first character of a list claim value is its delimiter ('|' here).
        options.put("unsecuredLoginListClaim_" + effectiveScopeClaimName, String.format("|%s|%s", scope1, scope2));

        MockTime time = new MockTime();
        OAuthBearerUnsecuredLoginCallbackHandler handler = createCallbackHandler(options, time);
        OAuthBearerTokenCallback tokenCallback = new OAuthBearerTokenCallback();
        handler.handle(new Callback[] { tokenCallback });
        OAuthBearerUnsecuredJws jws = (OAuthBearerUnsecuredJws) tokenCallback.token();
        assertNotNull(jws, "create token failed");
        confirmCorrectValues(jws, principal, time.milliseconds(), lifetimeSeconds * 1000);

        Map<String, Object> claims = jws.claims();
        HashSet<String> expectedClaimNames = new HashSet<>(Arrays.asList(
            effectiveScopeClaimName, principalClaimName, "iat", "exp", "number", "list", "emptyList1", "emptyList2"));
        assertEquals(expectedClaimNames, claims.keySet());
        HashSet<String> expectedScopes = new HashSet<>(Arrays.asList(scope1, scope2));
        assertEquals(expectedScopes, new HashSet<>((List<String>) claims.get(effectiveScopeClaimName)));
        assertEquals(expectedScopes, jws.scope());
        assertEquals(1.0, jws.claim("number", Number.class));
        assertEquals(Arrays.asList("1", "2", ""), jws.claim("list", List.class));
        assertEquals(Collections.emptyList(), jws.claim("emptyList1", List.class));
        assertEquals(Collections.emptyList(), jws.claim("emptyList2", List.class));
    }
}
Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback in the project kafka by apache.
From the class OAuthBearerSaslClient, method evaluateChallenge.
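/**
 * Produces the client's next SASL/OAUTHBEARER message for the given server challenge.
 * <p>
 * In {@code SEND_CLIENT_FIRST_MESSAGE} the challenge must be empty; the token is obtained
 * from the login callback handler and sent as the client-first message together with any
 * custom extensions. In {@code RECEIVE_SERVER_FIRST_MESSAGE} a non-empty challenge is the
 * server's JSON error response, answered with a single 0x01 byte; an empty challenge means
 * authentication succeeded.
 * <p>
 * Any failure moves the client to {@code State.FAILED} before the exception propagates.
 *
 * @param challenge the bytes received from the server, possibly {@code null} or empty
 * @return the bytes to send to the server, or {@code null} once authentication is complete
 * @throws SaslException if the challenge is unexpected for the current state, if the
 *         callback handler did not provide a token, or if the callback handler fails
 */
@Override
public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
    try {
        OAuthBearerTokenCallback callback = new OAuthBearerTokenCallback();
        switch (state) {
            case SEND_CLIENT_FIRST_MESSAGE:
                if (challenge != null && challenge.length != 0)
                    throw new SaslException("Expected empty challenge");
                callbackHandler().handle(new Callback[] { callback });
                // A handler that could not obtain a token leaves token() null and sets an
                // error description; fail cleanly instead of dereferencing a null token.
                requireToken(callback);
                SaslExtensions extensions = retrieveCustomExtensions();
                setState(State.RECEIVE_SERVER_FIRST_MESSAGE);
                return new OAuthBearerClientInitialResponse(callback.token().value(), extensions).toBytes();
            case RECEIVE_SERVER_FIRST_MESSAGE:
                if (challenge != null && challenge.length != 0) {
                    String jsonErrorResponse = new String(challenge, StandardCharsets.UTF_8);
                    if (log.isDebugEnabled())
                        log.debug("Sending %%x01 response to server after receiving an error: {}", jsonErrorResponse);
                    setState(State.RECEIVE_SERVER_MESSAGE_AFTER_FAILURE);
                    return new byte[] { BYTE_CONTROL_A };
                }
                callbackHandler().handle(new Callback[] { callback });
                requireToken(callback);
                if (log.isDebugEnabled())
                    log.debug("Successfully authenticated as {}", callback.token().principalName());
                setState(State.COMPLETE);
                return null;
            default:
                throw new IllegalSaslStateException("Unexpected challenge in Sasl client state " + state);
        }
    } catch (SaslException e) {
        setState(State.FAILED);
        throw e;
    } catch (IOException | UnsupportedCallbackException e) {
        setState(State.FAILED);
        throw new SaslException(e.getMessage(), e);
    }
}

/**
 * Ensures the callback handler populated the callback with a token.
 *
 * @param callback the callback that was just handled
 * @throws SaslException if no token was set; the handler's error description, when
 *         present, is included in the message (it is an error string, not the token)
 */
private static void requireToken(OAuthBearerTokenCallback callback) throws SaslException {
    if (callback.token() != null)
        return;
    String description = callback.errorDescription();
    String message = "No OAuth bearer token was provided by the login callback handler";
    if (description != null)
        message = message + ": " + description;
    throw new SaslException(message);
}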
Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback in the project kafka by apache.
From the class OAuthBearerSaslServerTest, method clientInitialResponse.
/**
 * Builds the bytes of a client-first message for the server under test.
 *
 * @param authorizationId the authzid to place in the message
 * @param illegalToken when {@code true}, the token's compact serialization is corrupted by
 *        appending "AB" so the server should reject it
 * @param customExtensions SASL extensions to include in the message
 * @return the encoded client initial response
 */
private byte[] clientInitialResponse(String authorizationId, boolean illegalToken, Map<String, String> customExtensions) throws OAuthBearerConfigException, IOException, UnsupportedCallbackException {
    OAuthBearerTokenCallback tokenCallback = new OAuthBearerTokenCallback();
    LOGIN_CALLBACK_HANDLER.handle(new Callback[] { tokenCallback });
    String jwsCompact = tokenCallback.token().value();
    String corruption = illegalToken ? "AB" : "";
    SaslExtensions extensions = new SaslExtensions(customExtensions);
    return new OAuthBearerClientInitialResponse(jwsCompact + corruption, authorizationId, extensions).toBytes();
}