
Example 1 with OAuthBearerValidatorCallback

use of org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback in project kafka by apache.

From class OAuthBearerValidatorCallbackHandlerTest, method assertInvalidAccessTokenFails.

/**
 * Runs the validator callback handler against {@code accessToken} and checks
 * that it is rejected: {@code token()} stays unset and {@code errorStatus()}
 * is non-null and contains {@code expectedMessageSubstring}.
 *
 * @param accessToken the access token handed to the validator; expected to be rejected
 * @param expectedMessageSubstring text that must appear in the callback's error status
 * @throws Exception if creating, driving or closing the handler fails
 */
private void assertInvalidAccessTokenFails(String accessToken, String expectedMessageSubstring) throws Exception {
    Map<String, ?> saslConfigs = getSaslConfigs();
    OAuthBearerValidatorCallbackHandler validatorHandler = createHandler(saslConfigs, new AccessTokenBuilder());
    try {
        OAuthBearerValidatorCallback validatorCallback = new OAuthBearerValidatorCallback(accessToken);
        validatorHandler.handle(new Callback[] { validatorCallback });
        // A rejected token leaves token() unset; the reason is reported through errorStatus().
        assertNull(validatorCallback.token());
        String errorStatus = validatorCallback.errorStatus();
        assertNotNull(errorStatus);
        String mismatchMessage = String.format("The error message \"%s\" didn't contain the expected substring \"%s\"", errorStatus, expectedMessageSubstring);
        assertTrue(errorStatus.contains(expectedMessageSubstring), mismatchMessage);
    } finally {
        // Release the handler even when an assertion above fails.
        validatorHandler.close();
    }
}
Also used : OAuthBearerValidatorCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback)

Example 2 with OAuthBearerValidatorCallback

use of org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback in project kafka by apache.

From class OAuthBearerSaslServerTest, method throwsAuthenticationExceptionOnInvalidExtensions.

/**
 * When the callback handler accepts the token but reports every extension as
 * invalid through {@code OAuthBearerExtensionsValidatorCallback}, the server's
 * {@code evaluateResponse} must fail with a {@code SaslAuthenticationException}
 * instead of completing the exchange.
 */
@Test
public void throwsAuthenticationExceptionOnInvalidExtensions() {
    OAuthBearerUnsecuredValidatorCallbackHandler rejectingExtensionsHandler = new OAuthBearerUnsecuredValidatorCallbackHandler() {

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof OAuthBearerValidatorCallback) {
                    // Token validation itself succeeds; only the extensions are rejected below.
                    ((OAuthBearerValidatorCallback) cb).token(new OAuthBearerTokenMock());
                } else if (cb instanceof OAuthBearerExtensionsValidatorCallback) {
                    OAuthBearerExtensionsValidatorCallback extensionsCb = (OAuthBearerExtensionsValidatorCallback) cb;
                    extensionsCb.error("firstKey", "is not valid");
                    extensionsCb.error("secondKey", "is not valid either");
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    };
    saslServer = new OAuthBearerSaslServer(rejectingExtensionsHandler);
    Map<String, String> extensions = new HashMap<>();
    extensions.put("firstKey", "value");
    extensions.put("secondKey", "value");
    assertThrows(SaslAuthenticationException.class, () -> saslServer.evaluateResponse(clientInitialResponse(null, false, extensions)));
}
Also used : OAuthBearerUnsecuredValidatorCallbackHandler(org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredValidatorCallbackHandler) OAuthBearerTokenMock(org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenMock) OAuthBearerTokenCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback) OAuthBearerValidatorCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback) OAuthBearerExtensionsValidatorCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerExtensionsValidatorCallback) Callback(javax.security.auth.callback.Callback) HashMap(java.util.HashMap) OAuthBearerValidatorCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback) OAuthBearerExtensionsValidatorCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerExtensionsValidatorCallback) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) Test(org.junit.jupiter.api.Test)

Example 3 with OAuthBearerValidatorCallback

use of org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback in project kafka by apache.

From class OAuthBearerSaslServer, method process.

/**
 * Validates the client's bearer token through the configured callback handler
 * and, on success, records the negotiated token and extensions and marks the
 * exchange complete.
 *
 * <p>On validation failure the callback's error fields are rendered via
 * {@code jsonErrorResponse} and returned to the client; the raw token value is
 * never logged, only that error response (at debug level), and {@code complete}
 * stays false.
 *
 * @param tokenValue the token presented by the client
 * @param authorizationId the authorization identity requested by the client;
 *     an empty string means none was requested
 * @param extensions SASL extensions sent by the client
 * @return an empty array on success, or the UTF-8 encoded error response
 * @throws SaslException propagated from {@code handleCallbackError}
 * @throws SaslAuthenticationException if a non-empty authorization id does not
 *     equal the token's principal name
 */
private byte[] process(String tokenValue, String authorizationId, SaslExtensions extensions) throws SaslException {
    OAuthBearerValidatorCallback validatorCallback = new OAuthBearerValidatorCallback(tokenValue);
    try {
        callbackHandler.handle(new Callback[] { validatorCallback });
    } catch (IOException | UnsupportedCallbackException e) {
        handleCallbackError(e);
    }
    OAuthBearerToken token = validatorCallback.token();
    if (token == null) {
        // The handler reports rejection through the callback's error fields, not an exception.
        errorMessage = jsonErrorResponse(validatorCallback.errorStatus(), validatorCallback.errorScope(), validatorCallback.errorOpenIDConfiguration());
        log.debug(errorMessage);
        return errorMessage.getBytes(StandardCharsets.UTF_8);
    }
    // SASL allows an explicit authorization id, but it may only name the
    // token's own principal; anything else is an authentication failure.
    boolean authorizationIdAcceptable = authorizationId.isEmpty() || authorizationId.equals(token.principalName());
    if (!authorizationIdAcceptable) {
        throw new SaslAuthenticationException(String.format("Authentication failed: Client requested an authorization id (%s) that is different from the token's principal name (%s)", authorizationId, token.principalName()));
    }
    // processExtensions may itself reject the exchange, so it runs before any state is committed.
    Map<String, String> validExtensions = processExtensions(token, extensions);
    tokenForNegotiatedProperty = token;
    this.extensions = new SaslExtensions(validExtensions);
    complete = true;
    log.debug("Successfully authenticate User={}", token.principalName());
    return new byte[0];
}
Also used : SaslExtensions(org.apache.kafka.common.security.auth.SaslExtensions) OAuthBearerToken(org.apache.kafka.common.security.oauthbearer.OAuthBearerToken) OAuthBearerValidatorCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback) IOException(java.io.IOException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) SaslAuthenticationException(org.apache.kafka.common.errors.SaslAuthenticationException)

Example 4 with OAuthBearerValidatorCallback

use of org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback in project kafka by apache.

From class OAuthBearerUnsecuredValidatorCallbackHandlerTest, method confirmFailsValidation.

/**
 * Asserts that the token built from {@code headerJson} and {@code claimsJson}
 * is rejected by the unsecured validator: the result is a callback with no
 * token and no OpenID configuration, whose error status is
 * {@code invalid_token} (with no scope) when {@code optionalFailureScope} is
 * null, or {@code insufficient_scope} with that scope otherwise.
 *
 * @param headerJson JOSE header JSON of the token under test
 * @param claimsJson claims JSON of the token under test
 * @param moduleOptionsMap options used to create the callback handler
 * @param optionalFailureScope expected error scope, or null for a plain invalid-token failure
 * @throws OAuthBearerConfigException declared for callers; see validationResult
 * @throws OAuthBearerIllegalTokenException declared for callers; see validationResult
 */
private static void confirmFailsValidation(String headerJson, String claimsJson, Map<String, String> moduleOptionsMap, String optionalFailureScope) throws OAuthBearerConfigException, OAuthBearerIllegalTokenException {
    Object result = validationResult(headerJson, claimsJson, moduleOptionsMap);
    // validationResult returns the thrown exception instead of the callback when handling fails.
    assertTrue(result instanceof OAuthBearerValidatorCallback);
    OAuthBearerValidatorCallback rejected = (OAuthBearerValidatorCallback) result;
    assertNull(rejected.token());
    assertNull(rejected.errorOpenIDConfiguration());
    boolean scopeFailure = optionalFailureScope != null;
    String expectedStatus = scopeFailure ? "insufficient_scope" : "invalid_token";
    assertEquals(expectedStatus, rejected.errorStatus());
    if (scopeFailure) {
        assertEquals(optionalFailureScope, rejected.errorScope());
    } else {
        assertNull(rejected.errorScope());
    }
}
Also used : OAuthBearerValidatorCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback)

Example 5 with OAuthBearerValidatorCallback

use of org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback in project kafka by apache.

From class OAuthBearerUnsecuredValidatorCallbackHandlerTest, method validationResult.

/**
 * Builds a three-segment token string from the two JSON parts, base64url
 * encoded without padding and with an empty third (signature) segment, hands
 * it to a freshly created callback handler and returns the resulting callback.
 * If the handler throws, the exception is returned instead so callers can
 * assert on either outcome.
 *
 * @param headerJson JOSE header JSON to encode as the first segment
 * @param claimsJson claims JSON to encode as the second segment
 * @param moduleOptionsMap options passed to {@code createCallbackHandler}
 * @return the handled {@code OAuthBearerValidatorCallback}, or the {@code Exception} thrown while handling it
 */
private static Object validationResult(String headerJson, String claimsJson, Map<String, String> moduleOptionsMap) {
    Encoder base64Url = Base64.getUrlEncoder().withoutPadding();
    try {
        String encodedHeader = base64Url.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8));
        String encodedClaims = base64Url.encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8));
        // The trailing '.' leaves the signature segment empty: the token under test is unsigned.
        String tokenValue = String.format("%s.%s.", encodedHeader, encodedClaims);
        OAuthBearerValidatorCallback validatorCallback = new OAuthBearerValidatorCallback(tokenValue);
        createCallbackHandler(moduleOptionsMap).handle(new Callback[] { validatorCallback });
        return validatorCallback;
    } catch (Exception e) {
        // Deliberately returned rather than rethrown: the exception is the test's observable result.
        return e;
    }
}
Also used : Encoder(java.util.Base64.Encoder) OAuthBearerValidatorCallback(org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) IOException(java.io.IOException)
