Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback in the Apache Kafka project:
class OAuthBearerValidatorCallbackHandlerTest, method assertInvalidAccessTokenFails.
/**
 * Asserts that the validator handler rejects {@code accessToken}: after handling, the callback
 * must carry no token and its error status must contain {@code expectedMessageSubstring}.
 *
 * <p>The handler is created from the SASL configs of this test and is closed in a {@code finally}
 * block, so it is released even when one of the assertions fails.
 *
 * @param accessToken the (malformed or otherwise invalid) token value to validate
 * @param expectedMessageSubstring text that must appear in the callback's error status
 * @throws Exception if creating the handler or handling the callback throws
 */
private void assertInvalidAccessTokenFails(String accessToken, String expectedMessageSubstring) throws Exception {
    Map<String, ?> saslConfigs = getSaslConfigs();
    OAuthBearerValidatorCallbackHandler validatorHandler = createHandler(saslConfigs, new AccessTokenBuilder());
    try {
        OAuthBearerValidatorCallback validatorCallback = new OAuthBearerValidatorCallback(accessToken);
        validatorHandler.handle(new Callback[] { validatorCallback });
        // A rejected token must never be exposed on the callback ...
        assertNull(validatorCallback.token());
        // ... and the handler must say why it was rejected.
        String errorStatus = validatorCallback.errorStatus();
        assertNotNull(errorStatus);
        String mismatchMessage = String.format("The error message \"%s\" didn't contain the expected substring \"%s\"", errorStatus, expectedMessageSubstring);
        assertTrue(errorStatus.contains(expectedMessageSubstring), mismatchMessage);
    } finally {
        validatorHandler.close();
    }
}
Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback in the Apache Kafka project:
class OAuthBearerSaslServerTest, method throwsAuthenticationExceptionOnInvalidExtensions.
/**
 * When the callback handler accepts the token but reports errors through
 * {@code OAuthBearerExtensionsValidatorCallback}, the SASL server must reject the client's
 * initial response with a {@link SaslAuthenticationException}: a valid token alone is not
 * enough if the extensions it was sent with are invalid.
 */
@Test
public void throwsAuthenticationExceptionOnInvalidExtensions() {
    // Handler that accepts every token unconditionally but flags both extension keys as invalid.
    OAuthBearerUnsecuredValidatorCallbackHandler rejectingExtensionsHandler = new OAuthBearerUnsecuredValidatorCallbackHandler() {
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof OAuthBearerValidatorCallback) {
                    ((OAuthBearerValidatorCallback) cb).token(new OAuthBearerTokenMock());
                } else if (cb instanceof OAuthBearerExtensionsValidatorCallback) {
                    OAuthBearerExtensionsValidatorCallback extCallback = (OAuthBearerExtensionsValidatorCallback) cb;
                    extCallback.error("firstKey", "is not valid");
                    extCallback.error("secondKey", "is not valid either");
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    };
    saslServer = new OAuthBearerSaslServer(rejectingExtensionsHandler);

    Map<String, String> extensions = new HashMap<>();
    extensions.put("firstKey", "value");
    extensions.put("secondKey", "value");
    assertThrows(SaslAuthenticationException.class,
        () -> saslServer.evaluateResponse(clientInitialResponse(null, false, extensions)));
}
Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback in the Apache Kafka project:
class OAuthBearerSaslServer, method process.
/**
 * Validates the client's bearer token and requested authorization id and, on success, marks the
 * exchange complete.
 *
 * <p>The raw token is handed to the configured callback handler. If the handler leaves the
 * callback without a token, the JSON error response built from the callback's error status,
 * scope and OpenID configuration is stored in {@code errorMessage} and returned to the client.
 * Otherwise the SASL authorization id, when the client supplied one, must equal the token's
 * principal name: a client must not be able to authenticate with one identity and act as
 * another. Extensions are validated last; only then is the token recorded as the negotiated
 * property and {@code complete} set.
 *
 * @param tokenValue the raw bearer token taken from the client initial response
 * @param authorizationId the SASL authorization id the client asked for; an empty string means
 *                        none was requested (assumed non-null — the caller is not visible here)
 * @param extensions the SASL extensions sent by the client
 * @return an empty array on success, or the UTF-8 bytes of the JSON error response when the
 *         token was rejected
 * @throws SaslException from {@code handleCallbackError} when the handler itself fails, or as a
 *         {@link SaslAuthenticationException} when the authorization id does not match the
 *         token's principal (extension validation is expected to throw the same on invalid
 *         extensions, per the server tests)
 */
private byte[] process(String tokenValue, String authorizationId, SaslExtensions extensions) throws SaslException {
    OAuthBearerValidatorCallback validatorCallback = new OAuthBearerValidatorCallback(tokenValue);
    try {
        callbackHandler.handle(new Callback[] { validatorCallback });
    } catch (IOException | UnsupportedCallbackException e) {
        handleCallbackError(e);
    }
    OAuthBearerToken validatedToken = validatorCallback.token();
    if (validatedToken == null) {
        // Token rejected: report the handler's error fields to the client and remember the
        // failure in errorMessage. The token value itself is deliberately not included.
        errorMessage = jsonErrorResponse(validatorCallback.errorStatus(), validatorCallback.errorScope(), validatorCallback.errorOpenIDConfiguration());
        log.debug(errorMessage);
        return errorMessage.getBytes(StandardCharsets.UTF_8);
    }
    String principalName = validatedToken.principalName();
    // An authorization id is optional (SASL), but when present it must name the token's own
    // principal; accepting anything else would let a valid token impersonate another identity.
    boolean authzIdRequested = !authorizationId.isEmpty();
    if (authzIdRequested && !authorizationId.equals(principalName)) {
        throw new SaslAuthenticationException(String.format("Authentication failed: Client requested an authorization id (%s) that is different from the token's principal name (%s)", authorizationId, principalName));
    }
    // Nothing below runs if extension validation throws, so no negotiated state leaks out.
    Map<String, String> validExtensions = processExtensions(validatedToken, extensions);
    tokenForNegotiatedProperty = validatedToken;
    this.extensions = new SaslExtensions(validExtensions);
    complete = true;
    log.debug("Successfully authenticate User={}", principalName);
    return new byte[0];
}
Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback in the Apache Kafka project:
class OAuthBearerUnsecuredValidatorCallbackHandlerTest, method confirmFailsValidation.
/**
 * Validates a token built from {@code headerJson}/{@code claimsJson} and asserts that validation
 * fails in the expected way: no token is set, no OpenID configuration is reported, and the error
 * status and scope match the requested failure kind.
 *
 * @param headerJson JSON for the JWT header segment
 * @param claimsJson JSON for the JWT claims segment
 * @param moduleOptionsMap JAAS module options used to create the handler
 * @param optionalFailureScope when non-null, the failure must be an {@code insufficient_scope}
 *                             error whose scope equals this value; when null, it must be an
 *                             {@code invalid_token} error with no scope
 */
private static void confirmFailsValidation(String headerJson, String claimsJson, Map<String, String> moduleOptionsMap, String optionalFailureScope) throws OAuthBearerConfigException, OAuthBearerIllegalTokenException {
    Object result = validationResult(headerJson, claimsJson, moduleOptionsMap);
    // validationResult hands back the exception object if handling threw; that is not the
    // failure mode being confirmed here, so it must be a callback.
    assertTrue(result instanceof OAuthBearerValidatorCallback);
    OAuthBearerValidatorCallback validatorCallback = (OAuthBearerValidatorCallback) result;
    assertNull(validatorCallback.token());
    assertNull(validatorCallback.errorOpenIDConfiguration());
    boolean expectScopeFailure = optionalFailureScope != null;
    String expectedStatus = expectScopeFailure ? "insufficient_scope" : "invalid_token";
    assertEquals(expectedStatus, validatorCallback.errorStatus());
    if (expectScopeFailure) {
        assertEquals(optionalFailureScope, validatorCallback.errorScope());
    } else {
        assertNull(validatorCallback.errorScope());
    }
}
Use of org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback in the Apache Kafka project:
class OAuthBearerUnsecuredValidatorCallbackHandlerTest, method validationResult.
/**
 * Builds an unsigned compact JWT ({@code header.claims.} with an empty signature segment) from
 * the given JSON, creates a handler from {@code moduleOptionsMap} and lets it handle the token.
 *
 * @param headerJson JSON for the JWT header segment
 * @param claimsJson JSON for the JWT claims segment
 * @param moduleOptionsMap JAAS module options used to create the handler
 * @return the handled {@link OAuthBearerValidatorCallback} on normal completion, or the
 *         exception thrown while building the token, creating the handler or handling the
 *         callback; callers decide which outcome they expect
 */
private static Object validationResult(String headerJson, String claimsJson, Map<String, String> moduleOptionsMap) {
    Encoder base64Url = Base64.getUrlEncoder().withoutPadding();
    try {
        String encodedHeader = base64Url.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8));
        String encodedClaims = base64Url.encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8));
        // The trailing '.' leaves the signature segment empty, i.e. the token is unsigned.
        String compactJwt = encodedHeader + "." + encodedClaims + ".";
        OAuthBearerValidatorCallback validatorCallback = new OAuthBearerValidatorCallback(compactJwt);
        createCallbackHandler(moduleOptionsMap).handle(new Callback[] { validatorCallback });
        return validatorCallback;
    } catch (Exception thrown) {
        // Deliberately broad: the exception is returned as the result for the caller to inspect.
        return thrown;
    }
}