Search in sources :

Example 1 with ScramCredentialCallback

use of org.apache.kafka.common.security.scram.ScramCredentialCallback in project kafka by apache.

the class ScramServerCallbackHandler method handle.

@Override
public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
    String username = null;
    for (Callback callback : callbacks) {
        if (callback instanceof NameCallback)
            username = ((NameCallback) callback).getDefaultName();
        else if (callback instanceof DelegationTokenCredentialCallback) {
            DelegationTokenCredentialCallback tokenCallback = (DelegationTokenCredentialCallback) callback;
            tokenCallback.scramCredential(tokenCache.credential(saslMechanism, username));
            tokenCallback.tokenOwner(tokenCache.owner(username));
            TokenInformation tokenInfo = tokenCache.token(username);
            if (tokenInfo != null)
                tokenCallback.tokenExpiryTimestamp(tokenInfo.expiryTimestamp());
        } else if (callback instanceof ScramCredentialCallback) {
            ScramCredentialCallback sc = (ScramCredentialCallback) callback;
            sc.scramCredential(credentialCache.get(username));
        } else
            throw new UnsupportedCallbackException(callback);
    }
}
Also used : ScramCredentialCallback(org.apache.kafka.common.security.scram.ScramCredentialCallback) DelegationTokenCredentialCallback(org.apache.kafka.common.security.token.delegation.internals.DelegationTokenCredentialCallback) NameCallback(javax.security.auth.callback.NameCallback) Callback(javax.security.auth.callback.Callback) NameCallback(javax.security.auth.callback.NameCallback) ScramCredentialCallback(org.apache.kafka.common.security.scram.ScramCredentialCallback) DelegationTokenCredentialCallback(org.apache.kafka.common.security.token.delegation.internals.DelegationTokenCredentialCallback) TokenInformation(org.apache.kafka.common.security.token.delegation.TokenInformation) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)

Example 2 with ScramCredentialCallback

use of org.apache.kafka.common.security.scram.ScramCredentialCallback in project kafka by apache.

the class ScramSaslServer method evaluateResponse.

/**
 * @throws SaslAuthenticationException if the requested authorization id is not the same as username.
 * <p>
 * <b>Note:</b> This method may throw {@link SaslAuthenticationException} to provide custom error messages
 * to clients. But care should be taken to avoid including any information in the exception message that
 * should not be leaked to unauthenticated clients. It may be safer to throw {@link SaslException} in
 * most cases so that a standard error message is returned to clients.
 * </p>
 */
@Override
public byte[] evaluateResponse(byte[] response) throws SaslException, SaslAuthenticationException {
    try {
        switch(state) {
            case RECEIVE_CLIENT_FIRST_MESSAGE:
                this.clientFirstMessage = new ClientFirstMessage(response);
                this.scramExtensions = clientFirstMessage.extensions();
                if (!SUPPORTED_EXTENSIONS.containsAll(scramExtensions.map().keySet())) {
                    log.debug("Unsupported extensions will be ignored, supported {}, provided {}", SUPPORTED_EXTENSIONS, scramExtensions.map().keySet());
                }
                String serverNonce = formatter.secureRandomString();
                try {
                    String saslName = clientFirstMessage.saslName();
                    this.username = ScramFormatter.username(saslName);
                    NameCallback nameCallback = new NameCallback("username", username);
                    ScramCredentialCallback credentialCallback;
                    if (scramExtensions.tokenAuthenticated()) {
                        DelegationTokenCredentialCallback tokenCallback = new DelegationTokenCredentialCallback();
                        credentialCallback = tokenCallback;
                        callbackHandler.handle(new Callback[] { nameCallback, tokenCallback });
                        if (tokenCallback.tokenOwner() == null)
                            throw new SaslException("Token Authentication failed: Invalid tokenId : " + username);
                        this.authorizationId = tokenCallback.tokenOwner();
                        this.tokenExpiryTimestamp = tokenCallback.tokenExpiryTimestamp();
                    } else {
                        credentialCallback = new ScramCredentialCallback();
                        callbackHandler.handle(new Callback[] { nameCallback, credentialCallback });
                        this.authorizationId = username;
                        this.tokenExpiryTimestamp = null;
                    }
                    this.scramCredential = credentialCallback.scramCredential();
                    if (scramCredential == null)
                        throw new SaslException("Authentication failed: Invalid user credentials");
                    String authorizationIdFromClient = clientFirstMessage.authorizationId();
                    if (!authorizationIdFromClient.isEmpty() && !authorizationIdFromClient.equals(username))
                        throw new SaslAuthenticationException("Authentication failed: Client requested an authorization id that is different from username");
                    if (scramCredential.iterations() < mechanism.minIterations())
                        throw new SaslException("Iterations " + scramCredential.iterations() + " is less than the minimum " + mechanism.minIterations() + " for " + mechanism);
                    this.serverFirstMessage = new ServerFirstMessage(clientFirstMessage.nonce(), serverNonce, scramCredential.salt(), scramCredential.iterations());
                    setState(State.RECEIVE_CLIENT_FINAL_MESSAGE);
                    return serverFirstMessage.toBytes();
                } catch (SaslException | AuthenticationException e) {
                    throw e;
                } catch (Throwable e) {
                    throw new SaslException("Authentication failed: Credentials could not be obtained", e);
                }
            case RECEIVE_CLIENT_FINAL_MESSAGE:
                try {
                    ClientFinalMessage clientFinalMessage = new ClientFinalMessage(response);
                    verifyClientProof(clientFinalMessage);
                    byte[] serverKey = scramCredential.serverKey();
                    byte[] serverSignature = formatter.serverSignature(serverKey, clientFirstMessage, serverFirstMessage, clientFinalMessage);
                    ServerFinalMessage serverFinalMessage = new ServerFinalMessage(null, serverSignature);
                    clearCredentials();
                    setState(State.COMPLETE);
                    return serverFinalMessage.toBytes();
                } catch (InvalidKeyException e) {
                    throw new SaslException("Authentication failed: Invalid client final message", e);
                }
            default:
                throw new IllegalSaslStateException("Unexpected challenge in Sasl server state " + state);
        }
    } catch (SaslException | AuthenticationException e) {
        clearCredentials();
        setState(State.FAILED);
        throw e;
    }
}
Also used : ClientFirstMessage(org.apache.kafka.common.security.scram.internals.ScramMessages.ClientFirstMessage) SaslAuthenticationException(org.apache.kafka.common.errors.SaslAuthenticationException) AuthenticationException(org.apache.kafka.common.errors.AuthenticationException) IllegalSaslStateException(org.apache.kafka.common.errors.IllegalSaslStateException) SaslException(javax.security.sasl.SaslException) InvalidKeyException(java.security.InvalidKeyException) NameCallback(javax.security.auth.callback.NameCallback) ScramCredentialCallback(org.apache.kafka.common.security.scram.ScramCredentialCallback) ClientFinalMessage(org.apache.kafka.common.security.scram.internals.ScramMessages.ClientFinalMessage) ServerFinalMessage(org.apache.kafka.common.security.scram.internals.ScramMessages.ServerFinalMessage) DelegationTokenCredentialCallback(org.apache.kafka.common.security.token.delegation.internals.DelegationTokenCredentialCallback) ServerFirstMessage(org.apache.kafka.common.security.scram.internals.ScramMessages.ServerFirstMessage) SaslAuthenticationException(org.apache.kafka.common.errors.SaslAuthenticationException)

Aggregations

NameCallback (javax.security.auth.callback.NameCallback)2 ScramCredentialCallback (org.apache.kafka.common.security.scram.ScramCredentialCallback)2 DelegationTokenCredentialCallback (org.apache.kafka.common.security.token.delegation.internals.DelegationTokenCredentialCallback)2 InvalidKeyException (java.security.InvalidKeyException)1 Callback (javax.security.auth.callback.Callback)1 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1 SaslException (javax.security.sasl.SaslException)1 AuthenticationException (org.apache.kafka.common.errors.AuthenticationException)1 IllegalSaslStateException (org.apache.kafka.common.errors.IllegalSaslStateException)1 SaslAuthenticationException (org.apache.kafka.common.errors.SaslAuthenticationException)1 ClientFinalMessage (org.apache.kafka.common.security.scram.internals.ScramMessages.ClientFinalMessage)1 ClientFirstMessage (org.apache.kafka.common.security.scram.internals.ScramMessages.ClientFirstMessage)1 ServerFinalMessage (org.apache.kafka.common.security.scram.internals.ScramMessages.ServerFinalMessage)1 ServerFirstMessage (org.apache.kafka.common.security.scram.internals.ScramMessages.ServerFirstMessage)1 TokenInformation (org.apache.kafka.common.security.token.delegation.TokenInformation)1