Example 1 with DelegationTokenCredentialCallback
use of org.apache.kafka.common.security.token.delegation.DelegationTokenCredentialCallback in project apache-kafka-on-k8s by banzaicloud.
the class ScramSaslServer method evaluateResponse.
/**
* @throws SaslAuthenticationException if the requested authorization id is not the same as username.
* <p>
* <b>Note:</b> This method may throw {@link SaslAuthenticationException} to provide custom error messages
* to clients. But care should be taken to avoid including any information in the exception message that
* should not be leaked to unauthenticated clients. It may be safer to throw {@link SaslException} in
* most cases so that a standard error message is returned to clients.
* </p>
*/
@Override
public byte[] evaluateResponse(byte[] response) throws SaslException, SaslAuthenticationException {
try {
switch(state) {
case RECEIVE_CLIENT_FIRST_MESSAGE:
this.clientFirstMessage = new ClientFirstMessage(response);
this.scramExtensions = clientFirstMessage.extensions();
if (!SUPPORTED_EXTENSIONS.containsAll(scramExtensions.extensionNames())) {
log.debug("Unsupported extensions will be ignored, supported {}, provided {}", SUPPORTED_EXTENSIONS, scramExtensions.extensionNames());
}
String serverNonce = formatter.secureRandomString();
try {
String saslName = clientFirstMessage.saslName();
this.username = formatter.username(saslName);
NameCallback nameCallback = new NameCallback("username", username);
ScramCredentialCallback credentialCallback;
if (scramExtensions.tokenAuthenticated()) {
DelegationTokenCredentialCallback tokenCallback = new DelegationTokenCredentialCallback();
credentialCallback = tokenCallback;
callbackHandler.handle(new Callback[] { nameCallback, tokenCallback });
if (tokenCallback.tokenOwner() == null)
throw new SaslException("Token Authentication failed: Invalid tokenId : " + username);
this.authorizationId = tokenCallback.tokenOwner();
} else {
credentialCallback = new ScramCredentialCallback();
callbackHandler.handle(new Callback[] { nameCallback, credentialCallback });
this.authorizationId = username;
}
this.scramCredential = credentialCallback.scramCredential();
if (scramCredential == null)
throw new SaslException("Authentication failed: Invalid user credentials");
String authorizationIdFromClient = clientFirstMessage.authorizationId();
if (!authorizationIdFromClient.isEmpty() && !authorizationIdFromClient.equals(username))
throw new SaslAuthenticationException("Authentication failed: Client requested an authorization id that is different from username");
if (scramCredential.iterations() < mechanism.minIterations())
throw new SaslException("Iterations " + scramCredential.iterations() + " is less than the minimum " + mechanism.minIterations() + " for " + mechanism);
this.serverFirstMessage = new ServerFirstMessage(clientFirstMessage.nonce(), serverNonce, scramCredential.salt(), scramCredential.iterations());
setState(State.RECEIVE_CLIENT_FINAL_MESSAGE);
return serverFirstMessage.toBytes();
} catch (IOException | NumberFormatException | UnsupportedCallbackException e) {
throw new SaslException("Authentication failed: Credentials could not be obtained", e);
}
case RECEIVE_CLIENT_FINAL_MESSAGE:
try {
ClientFinalMessage clientFinalMessage = new ClientFinalMessage(response);
verifyClientProof(clientFinalMessage);
byte[] serverKey = scramCredential.serverKey();
byte[] serverSignature = formatter.serverSignature(serverKey, clientFirstMessage, serverFirstMessage, clientFinalMessage);
ServerFinalMessage serverFinalMessage = new ServerFinalMessage(null, serverSignature);
clearCredentials();
setState(State.COMPLETE);
return serverFinalMessage.toBytes();
} catch (InvalidKeyException e) {
throw new SaslException("Authentication failed: Invalid client final message", e);
}
default:
throw new IllegalSaslStateException("Unexpected challenge in Sasl server state " + state);
}
} catch (SaslException e) {
clearCredentials();
setState(State.FAILED);
throw e;
}
}
Also used :
ClientFirstMessage(org.apache.kafka.common.security.scram.ScramMessages.ClientFirstMessage)
IOException(java.io.IOException)
IllegalSaslStateException(org.apache.kafka.common.errors.IllegalSaslStateException)
SaslException(javax.security.sasl.SaslException)
InvalidKeyException(java.security.InvalidKeyException)
NameCallback(javax.security.auth.callback.NameCallback)
ClientFinalMessage(org.apache.kafka.common.security.scram.ScramMessages.ClientFinalMessage)
ServerFinalMessage(org.apache.kafka.common.security.scram.ScramMessages.ServerFinalMessage)
DelegationTokenCredentialCallback(org.apache.kafka.common.security.token.delegation.DelegationTokenCredentialCallback)
ServerFirstMessage(org.apache.kafka.common.security.scram.ScramMessages.ServerFirstMessage)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
SaslAuthenticationException(org.apache.kafka.common.errors.SaslAuthenticationException)
Example 2 with DelegationTokenCredentialCallback
use of org.apache.kafka.common.security.token.delegation.DelegationTokenCredentialCallback in project apache-kafka-on-k8s by banzaicloud.
the class ScramServerCallbackHandler method handle.
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
String username = null;
for (Callback callback : callbacks) {
if (callback instanceof NameCallback)
username = ((NameCallback) callback).getDefaultName();
else if (callback instanceof DelegationTokenCredentialCallback) {
DelegationTokenCredentialCallback tokenCallback = (DelegationTokenCredentialCallback) callback;
tokenCallback.scramCredential(tokenCache.credential(saslMechanism, username));
tokenCallback.tokenOwner(tokenCache.owner(username));
} else if (callback instanceof ScramCredentialCallback) {
ScramCredentialCallback sc = (ScramCredentialCallback) callback;
sc.scramCredential(credentialCache.get(username));
} else
throw new UnsupportedCallbackException(callback);
}
}
Also used :
NameCallback(javax.security.auth.callback.NameCallback)
DelegationTokenCredentialCallback(org.apache.kafka.common.security.token.delegation.DelegationTokenCredentialCallback)
Callback(javax.security.auth.callback.Callback)
NameCallback(javax.security.auth.callback.NameCallback)
DelegationTokenCredentialCallback(org.apache.kafka.common.security.token.delegation.DelegationTokenCredentialCallback)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
Aggregations
NameCallback (javax.security.auth.callback.NameCallback)2
UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)2
DelegationTokenCredentialCallback (org.apache.kafka.common.security.token.delegation.DelegationTokenCredentialCallback)2
IOException (java.io.IOException)1
InvalidKeyException (java.security.InvalidKeyException)1
Callback (javax.security.auth.callback.Callback)1
SaslException (javax.security.sasl.SaslException)1
IllegalSaslStateException (org.apache.kafka.common.errors.IllegalSaslStateException)1
SaslAuthenticationException (org.apache.kafka.common.errors.SaslAuthenticationException)1
ClientFinalMessage (org.apache.kafka.common.security.scram.ScramMessages.ClientFinalMessage)1
ClientFirstMessage (org.apache.kafka.common.security.scram.ScramMessages.ClientFirstMessage)1
ServerFinalMessage (org.apache.kafka.common.security.scram.ScramMessages.ServerFinalMessage)1
ServerFirstMessage (org.apache.kafka.common.security.scram.ScramMessages.ServerFirstMessage)1
