Diffstat (limited to 'src/main/java/org')
-rw-r--r-- | src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/AuthorizationProvider.java | 9 | ||||
-rw-r--r-- | src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/AuthorizationProviderFactory.java | 10 | ||||
-rw-r--r-- | src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/Cadi3AAFProvider.java | 45 | ||||
-rw-r--r-- | src/main/java/org/onap/dmaap/kafkaauthorize/KafkaCustomAuthorizer.java (renamed from src/main/java/org/onap/dmaap/kafkaAuthorize/KafkaCustomAuthorizer.java) | 68 | ||||
-rw-r--r-- | src/main/java/org/onap/dmaap/kafkaauthorize/PlainLoginModule1.java (renamed from src/main/java/org/onap/dmaap/kafkaAuthorize/PlainLoginModule1.java) | 16 | ||||
-rw-r--r-- | src/main/java/org/onap/dmaap/kafkaauthorize/PlainSaslServer1.java (renamed from src/main/java/org/onap/dmaap/kafkaAuthorize/PlainSaslServer1.java) | 28 | ||||
-rw-r--r-- | src/main/java/org/onap/dmaap/kafkaauthorize/PlainSaslServerProvider1.java (renamed from src/main/java/org/onap/dmaap/kafkaAuthorize/PlainSaslServerProvider1.java) | 5 |
7 files changed, 86 insertions, 95 deletions
diff --git a/src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/AuthorizationProvider.java b/src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/AuthorizationProvider.java
index da96929..551cf81 100644
--- a/src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/AuthorizationProvider.java
+++ b/src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/AuthorizationProvider.java
@@ -3,6 +3,7 @@
 * org.onap.dmaap
 * ================================================================================
 * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * Modification copyright (C) 2021 Nordix Foundation.
 * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -20,11 +21,13 @@
 *******************************************************************************/
 package org.onap.dmaap.commonauth.kafka.base.authorization;
+import java.io.IOException;
+
 public interface AuthorizationProvider {
- public boolean hasPermission(String userId, String permission, String instance, String action);
+ boolean hasPermission(String userId, String permission, String instance, String action);
- public String getId();
+ String getId();
- public String authenticate(String userId, String password) throws Exception;
+ String authenticate(String userId, String password) throws IOException;
 }
diff --git a/src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/AuthorizationProviderFactory.java b/src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/AuthorizationProviderFactory.java
index 6b872af..bdced2d 100644
--- a/src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/AuthorizationProviderFactory.java
+++ b/src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/AuthorizationProviderFactory.java
@@ -3,6 +3,7 @@
 * org.onap.dmaap
 * ================================================================================
 * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * Modification copyright (C) 2021 Nordix Foundation.
 * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -23,9 +24,12 @@ package org.onap.dmaap.commonauth.kafka.base.authorization;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.ServiceLoader;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
-public class AuthorizationProviderFactory<K, V> {
- private static final Map<String, AuthorizationProvider> AUTHORIZATION_PROVIDER_MAP = new HashMap<String, AuthorizationProvider>();
+public class AuthorizationProviderFactory {
+ private static final Logger logger = LoggerFactory.getLogger(AuthorizationProviderFactory.class);
+ private static final Map<String, AuthorizationProvider> AUTHORIZATION_PROVIDER_MAP = new HashMap<>();
 private static final AuthorizationProviderFactory AUTHORIZATION_PROVIDER_FACTORY = new AuthorizationProviderFactory();
 private AuthorizationProviderFactory() {
@@ -36,7 +40,7 @@ public class AuthorizationProviderFactory<K, V> {
 }
 } catch (Exception ee) {
- System.out.println(ee);
+ logger.error(ee.getMessage(), ee);
 System.exit(0);
 }
 }
diff --git a/src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/Cadi3AAFProvider.java b/src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/Cadi3AAFProvider.java
index b5193cc..92e27b7 100644
--- a/src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/Cadi3AAFProvider.java
+++ b/src/main/java/org/onap/dmaap/commonauth/kafka/base/authorization/Cadi3AAFProvider.java
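Review bot: `System.exit(0)` right after the new `logger.error(ee.getMessage(), ee)` reports a successful exit to whatever supervises the broker while actually aborting the JVM, so a provider-loading failure that this commit now logs still looks like a clean shutdown to the process manager. A non-zero status, `System.exit(1);`, at least makes the failure visible; better still, let the exception propagate out of the constructor so broker start-up fails with the cause attached instead of the process being killed from inside a catch block. The constructor this catch belongs to starts before the hunk.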
@@ -3,6 +3,7 @@ * org.onap.dmaap * ================================================================================ * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * Modification copyright (C) 2021 Nordix Foundation. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -24,14 +25,8 @@ import java.io.FileInputStream; import java.io.IOException; import java.util.Map; import java.util.Properties; - import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.Configuration; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.PropAccess; import org.onap.aaf.cadi.aaf.AAFPermission; import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn; @@ -39,6 +34,8 @@ import org.onap.aaf.cadi.aaf.v2_0.AAFCon; import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp; import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLur; import org.onap.aaf.cadi.principal.UnAuthPrincipal; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; public class Cadi3AAFProvider implements AuthorizationProvider { 
@@ -51,16 +48,17 @@ public class Cadi3AAFProvider implements AuthorizationProvider {
 private static AAFAuthn<?> aafAuthn;
 private static AbsAAFLur<AAFPermission> aafLur;
 private static boolean enableCadi = false;
+ private static final String ENABLE_CADI = "enableCadi";
 private static final Logger logger = LoggerFactory.getLogger(Cadi3AAFProvider.class);
 static {
- if (System.getProperty("enableCadi") != null) {
- if (System.getProperty("enableCadi").equals("true")) {
+ if (System.getProperty(ENABLE_CADI) != null) {
+ if (System.getProperty(ENABLE_CADI).equals("true")) {
 enableCadi = true;
 }
 } else{
- if (System.getenv("enableCadi") != null && System.getenv("enableCadi").equals("true")) {
+ if (System.getenv(ENABLE_CADI) != null && System.getenv(ENABLE_CADI).equals("true")) {
 enableCadi = true;
 }
 }
@@ -78,8 +76,7 @@ public class Cadi3AAFProvider implements AuthorizationProvider {
 apiKey = "apiKey";
 } else {
- for (int i = 0; i < entries.length; i++) {
- AppConfigurationEntry entry = entries[i];
+ for (AppConfigurationEntry entry : entries) {
 Map<String, ?> optionsMap = entry.getOptions();
 kafkaUsername = (String) optionsMap.get("username");
 apiKey = (String) optionsMap.get("password");
@@ -87,7 +84,7 @@ public class Cadi3AAFProvider implements AuthorizationProvider {
 }
 }
 } catch (Exception e) {
- logger.error("CRITICAL ERROR: JAAS configuration incorrectly set: " + e.getMessage());
+ logger.error("CRITICAL ERROR: JAAS configuration incorrectly set: {}", e.getMessage());
 }
 }
@@ -100,13 +97,6 @@ public class Cadi3AAFProvider implements AuthorizationProvider {
 return enableCadi;
 }
- public static AAFAuthn<?> getAafAuthn() throws CadiException {
- if (aafAuthn == null) {
- throw new CadiException("Cadi is uninitialized in Cadi3AAFProvider.getAafAuthn()");
- }
- return aafAuthn;
- }
-
 public Cadi3AAFProvider() {
 setup();
 }
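Review bot: The static initializer leaves `enableCadi` false unless a JVM property or environment variable named `enableCadi` is exactly "true", and authenticate() later in this file returns null (success) for every credential when it is false, so a typo in the deployment config silently switches authentication off. The two nested checks collapse to the same semantics with `enableCadi = "true".equals(System.getProperty(ENABLE_CADI, System.getenv(ENABLE_CADI)));` (the property, when set, still wins over the environment). The field also deserves a warning comment, e.g. `// false disables CADI/AAF entirely: authenticate() then accepts any credentials`, so operators know what the default means.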
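Review bot: `logger.error("CRITICAL ERROR: JAAS configuration incorrectly set: {}", e.getMessage())` still discards the stack trace, and because the catch is on `Exception` a misconfigured or unreadable JAAS file is reported with a one-line message while the provider continues with whatever `kafkaUsername`/`apiKey` happened to be set to. Pass the throwable as the last argument so SLF4J prints it: `logger.error("CRITICAL ERROR: JAAS configuration incorrectly set: {}", e.getMessage(), e);`. The enclosing try starts before the hunk.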
@@ -115,7 +105,7 @@ public class Cadi3AAFProvider implements AuthorizationProvider {
 if (access == null) {
 Properties props = new Properties();
- FileInputStream fis = null;
+ FileInputStream fis;
 try {
 if (System.getProperty("CADI_PROPERTIES") != null) {
 fis = new FileInputStream(System.getProperty("CADI_PROPERTIES"));
@@ -158,8 +148,7 @@ public class Cadi3AAFProvider implements AuthorizationProvider {
 public boolean hasPermission(String userId, String permission, String instance, String action) {
 boolean hasPermission = false;
 try {
- logger.info("^ Event at hasPermission to validate userid " + userId + " with " + permission + " " + instance
- + " " + action);
+ logger.info("^ Event at hasPermission to validate userid {} with {} {} {}", userId, permission, instance, action);
 // AAF Style permissions are in the form
 // Resource Name, Resource Type, Action
 if (userId.equals("admin")) {
@@ -169,7 +158,7 @@ public class Cadi3AAFProvider implements AuthorizationProvider {
 AAFPermission perm = new AAFPermission(null, permission, instance, action);
 if (aafLur != null) {
 hasPermission = aafLur.fish(new UnAuthPrincipal(userId), perm);
- logger.trace("Permission: " + perm.getKey() + " for user :" + userId + " found: " + hasPermission);
+ logger.trace("Permission: {} for user : {} found: {}" , perm.getKey(), userId, hasPermission);
 } else {
 logger.error("AAF client not initialized. Not able to find permissions.");
 }
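Review bot: `FileInputStream fis` is opened on the path taken from the `CADI_PROPERTIES` system property and nothing in the hunk closes it; if setup() does not close it after the properties are loaded (that code is outside the hunk), a descriptor leaks on every provider construction and on every exception path. Opening it in a try-with-resources, `try (FileInputStream in = new FileInputStream(System.getProperty("CADI_PROPERTIES"))) { props.load(in); }`, closes it unconditionally. setup() starts and ends outside the hunk.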
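Review bot: `if (userId.equals("admin"))` in hasPermission is a hard-coded principal name that appears to short-circuit the AAF lookup (the branch body is past the hunk), so any client able to authenticate as `admin` gets every permission regardless of AAF, and the call throws NullPointerException for a null principal name, which authorize() in KafkaCustomAuthorizer passes through unchanged. If the shortcut must stay, make it null-safe and say what it is: `if ("admin".equals(userId)) { // local super-user: bypasses the AAF permission lookup`, and consider sourcing the name from configuration instead of a literal. hasPermission's body continues past the hunk.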
@@ -183,16 +172,16 @@ public class Cadi3AAFProvider implements AuthorizationProvider {
 return "CADI_AAF_PROVIDER";
 }
- public String authenticate(String userId, String password) throws Exception {
+ public String authenticate(String userId, String password) throws IOException {
- logger.info("^Event received with username " + userId);
+ logger.info("^Event received with username {}", userId);
 if (!enableCadi) {
 return null;
 } else {
 if (userId.equals(kafkaUsername)) {
 if (password.equals(apiKey)) {
- logger.info("by passes the authentication for the admin " + kafkaUsername);
+ logger.info("by passes the authentication for the admin {}", kafkaUsername);
 return null;
 } else {
 String errorMessage = "Authentication failed for user " + kafkaUsername;
@@ -203,10 +192,10 @@ public class Cadi3AAFProvider implements AuthorizationProvider {
 }
 String aafResponse = aafAuthn.validate(userId, password);
- logger.info("aafResponse=" + aafResponse + " for " + userId);
+ logger.info("aafResponse = {} for {}", aafResponse, userId);
 if (aafResponse != null) {
- logger.error("Authentication failed for user ." + userId);
+ logger.error("Authentication failed for user {}", userId);
 }
 return aafResponse;
 }
diff --git a/src/main/java/org/onap/dmaap/kafkaAuthorize/KafkaCustomAuthorizer.java b/src/main/java/org/onap/dmaap/kafkaauthorize/KafkaCustomAuthorizer.java
index 950cd9f..09f704a 100644
--- a/src/main/java/org/onap/dmaap/kafkaAuthorize/KafkaCustomAuthorizer.java
+++ b/src/main/java/org/onap/dmaap/kafkaauthorize/KafkaCustomAuthorizer.java
@@ -3,6 +3,7 @@
 * org.onap.dmaap
 * ================================================================================
 * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * Modification copyright (C) 2021 Nordix Foundation.
 * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
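Review bot: `if (password.equals(apiKey))` compares the broker's admin secret with an early-exit String equality, which leaks how far the candidate matched through response time; use `MessageDigest.isEqual(password.getBytes(StandardCharsets.UTF_8), apiKey.getBytes(StandardCharsets.UTF_8))` so the comparison is constant-time. The JAAS-loading code earlier in this file falls back to the literal `apiKey = "apiKey"` on one branch, so when no JAAS entry is present this bypass appears to accept a fixed, well-known password; that fallback should refuse the bypass rather than supply a default. `userId.equals(kafkaUsername)` also throws NullPointerException for a null user id, which PlainSaslServer1 turns into a generic authentication failure — reversing it to `kafkaUsername.equals(userId)` makes the deny explicit instead of accidental. authenticate() continues into the next hunk.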
@@ -18,7 +19,7 @@
 *
 *
 *******************************************************************************/
-package org.onap.dmaap.kafkaAuthorize;
+package org.onap.dmaap.kafkaauthorize;
 import java.util.EnumSet;
 import java.util.Map;
@@ -45,12 +46,13 @@ import scala.collection.immutable.Set;
 */
 public class KafkaCustomAuthorizer implements Authorizer {
- private String[] adminPermission = new String[3];
- public static final EnumSet<AclOperation> TOPIC_DESCRIBE_OPERATIONS = EnumSet.of(AclOperation.DESCRIBE_CONFIGS);
- public static final EnumSet<AclOperation> TOPIC_READ_WRITE_DESCRIBE_OPERATIONS = EnumSet.of(AclOperation.WRITE,
+ private final String[] adminPermission = new String[3];
+ protected static final EnumSet<AclOperation> TOPIC_DESCRIBE_OPERATIONS = EnumSet.of(AclOperation.DESCRIBE_CONFIGS);
+ protected static final EnumSet<AclOperation> TOPIC_READ_WRITE_DESCRIBE_OPERATIONS = EnumSet.of(AclOperation.WRITE,
 AclOperation.READ, AclOperation.DESCRIBE_CONFIGS);
- public static final EnumSet<AclOperation> TOPIC_ADMIN_OPERATIONS = EnumSet.of(AclOperation.ALTER,
+ protected static final EnumSet<AclOperation> TOPIC_ADMIN_OPERATIONS = EnumSet.of(AclOperation.ALTER,
 AclOperation.ALTER_CONFIGS, AclOperation.CREATE);
+ static final String TOPIC = "Topic";
 private static final Logger logger = LoggerFactory.getLogger(KafkaCustomAuthorizer.class);
@@ -85,10 +87,10 @@ public class KafkaCustomAuthorizer implements Authorizer {
 }
 } else if (aclOperation.equals(AclOperation.DELETE)) {
- permission = new String(System.getProperty("msgRtr.topicfactory.aaf") + namspace + "|destroy").split("\\|");
+ permission = (System.getProperty("msgRtr.topicfactory.aaf") + namspace + "|destroy").split("\\|");
 } else if (TOPIC_ADMIN_OPERATIONS.contains(aclOperation)) {
- permission = new String(System.getProperty("msgRtr.topicfactory.aaf") + namspace + "|create").split("\\|");
+ permission = (System.getProperty("msgRtr.topicfactory.aaf") + namspace + "|create").split("\\|");
 }
 return permission;
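Review bot: `(System.getProperty("msgRtr.topicfactory.aaf") + namspace + "|destroy").split("\\|")` concatenates a possibly unset system property, so a broker started without `msgRtr.topicfactory.aaf` silently asks the provider for a permission named `null<namespace>` and every topic create/delete is denied with nothing in the logs explaining why. Resolve the property once into a field, `Objects.requireNonNull(System.getProperty("msgRtr.topicfactory.aaf"), "msgRtr.topicfactory.aaf must be set")`, so the misconfiguration fails at start-up rather than at authorization time; the `namspace` spelling is also worth fixing while the lines are touched. The enclosing method (presumably getTopicPermission) starts before the hunk.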
@@ -113,7 +115,7 @@ public class KafkaCustomAuthorizer implements Authorizer {
 case ALTER_CONFIGS:
 case CREATE:
 case DELETE:
- if (resource.equals("Topic")) {
+ if (resource.equals(TOPIC)) {
 permission = getTopicPermission(topicName, aclOperation);
 } else if (resource.equals("Cluster")) {
 permission = getAdminPermission();
@@ -122,7 +124,7 @@ public class KafkaCustomAuthorizer implements Authorizer {
 case DESCRIBE_CONFIGS:
 case READ:
 case WRITE:
- if (resource.equals("Topic")) {
+ if (resource.equals(TOPIC)) {
 permission = getTopicPermission(topicName, aclOperation);
 }
 break;
@@ -135,7 +137,6 @@ public class KafkaCustomAuthorizer implements Authorizer {
 break;
 }
-
 return permission;
 }
@@ -149,11 +150,11 @@ public class KafkaCustomAuthorizer implements Authorizer {
 String fullName = arg0.principal().getName();
 fullName = fullName != null ? fullName.trim() : fullName;
 String topicName = null;
- String[] permission = new String[3];
+ String[] permission;
 String resource = arg2.resourceType().name();
- if (resource.equals("Topic")) {
+ if (resource.equals(TOPIC)) {
 topicName = arg2.name();
 }
@@ -167,31 +168,32 @@ public class KafkaCustomAuthorizer implements Authorizer {
 permission = getPermission(arg1.toJava(), resource, topicName);
- if (permission[0] == null) {
- return true;
- } else {
-
- try {
-
- if (null != topicName) {
- boolean hasResp = AuthorizationProviderFactory.getProviderFactory().getProvider()
- .hasPermission(fullName, permission[0], permission[1], permission[2]);
- if (hasResp) {
- logger.info("Successful Authorization for " + fullName + " on " + topicName + " for "
- + permission[0] + "|" + permission[1] + "|" + permission[2]);
- }
- if (!hasResp) {
- logger.info(fullName + " is not allowed in " + permission[0] + "|" + permission[1] + "|"
- + permission[2]);
- return false;
- }
+ if (permission[0] != null) {
+ return !checkPermissions(fullName, topicName, permission);
+ }
+ return true;
+ }
+
+ private boolean checkPermissions(String fullName, String topicName, String[] permission) {
+ try {
+
+ if (null != topicName) {
+ boolean hasResp = AuthorizationProviderFactory.getProviderFactory().getProvider()
+ .hasPermission(fullName, permission[0], permission[1], permission[2]);
+ if (hasResp) {
+ logger.info("Successful Authorization for {} on {} for {} | {} | {}", fullName, topicName,
+ permission[0], permission[1], permission[2]);
+ }
+ if (!hasResp) {
+ logger.info("{} is not allowed in {} | {} | {}", fullName, permission[0], permission[1],
+ permission[2]);
+ return true;
 }
- } catch (final Exception e) {
- return false;
 }
+ } catch (final Exception e) {
 return true;
- }
+ return false;
 }
 @Override
diff --git a/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainLoginModule1.java b/src/main/java/org/onap/dmaap/kafkaauthorize/PlainLoginModule1.java
index dd21682..f230418 100644
--- a/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainLoginModule1.java
+++ b/src/main/java/org/onap/dmaap/kafkaauthorize/PlainLoginModule1.java
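Review bot: `checkPermissions` returns false — which `return !checkPermissions(...)` in authorize() turns into "allowed" — whenever `topicName` is null, so a non-Topic resource such as Cluster, for which getPermission() earlier in this file sets `permission = getAdminPermission()` while authorize() leaves `topicName` null, is authorized without the provider ever being asked; the refactor preserves that fail-open path and additionally swallows the provider exception without logging it. Unless cluster operations are meant to be unchecked, the helper should return the provider's answer directly, deny on exception, log the failure, and carry a name that does not invert the meaning of its result. authorize() starts before the hunk.
```java
        if (permission[0] != null) {
            return isPermitted(fullName, topicName, permission);
        }
        return true;
    }

    /** Asks the provider whether fullName holds the permission; any provider failure denies. */
    private boolean isPermitted(String fullName, String topicName, String[] permission) {
        try {
            boolean hasResp = AuthorizationProviderFactory.getProviderFactory().getProvider()
                    .hasPermission(fullName, permission[0], permission[1], permission[2]);
            if (hasResp) {
                logger.info("Successful Authorization for {} on {} for {} | {} | {}", fullName, topicName,
                        permission[0], permission[1], permission[2]);
            } else {
                logger.info("{} is not allowed in {} | {} | {}", fullName, permission[0], permission[1],
                        permission[2]);
            }
            return hasResp;
        } catch (final Exception e) {
            logger.error("Authorization lookup failed for {} on {}", fullName, topicName, e);
            return false;
        }
    }
```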
@@ -3,6 +3,7 @@
 * org.onap.dmaap
 * ================================================================================
 * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * Modification copyright (C) 2021 Nordix Foundation.
 * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -18,13 +19,11 @@
 *
 *
 *******************************************************************************/
-package org.onap.dmaap.kafkaAuthorize;
+package org.onap.dmaap.kafkaauthorize;
 import java.util.Map;
-
 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
 public class PlainLoginModule1 implements LoginModule {
@@ -37,8 +36,7 @@ public class PlainLoginModule1 implements LoginModule {
 }
 @Override
- public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
- Map<String, ?> options) {
+ public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
 String username = (String) options.get(USERNAME_CONFIG);
 if (username != null) subject.getPublicCredentials().add(username);
@@ -49,22 +47,22 @@ public class PlainLoginModule1 implements LoginModule {
 }
 @Override
- public boolean login() throws LoginException {
+ public boolean login() {
 return true;
 }
 @Override
- public boolean logout() throws LoginException {
+ public boolean logout() {
 return true;
 }
 @Override
- public boolean commit() throws LoginException {
+ public boolean commit() {
 return true;
 }
 @Override
- public boolean abort() throws LoginException {
+ public boolean abort() {
 return false;
 }
 }
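Review bot: `login()`, `commit()` and `logout()` now unconditionally return true and initialize() only copies the JAAS `username` option into the subject's public credentials (the rest of initialize() is outside the hunk), so this LoginModule performs no authentication at all, and nothing in the file records that this is deliberate because PlainSaslServer1 does the credential check through AuthorizationProviderFactory. A class-level Javadoc should say so, e.g. `/** JAAS LoginModule that only exposes the configured credentials to the broker; it validates nothing — credential checks happen in PlainSaslServer1. */`, so nobody later wires this module somewhere that expects a failing login to be rejected.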
diff --git a/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainSaslServer1.java b/src/main/java/org/onap/dmaap/kafkaauthorize/PlainSaslServer1.java
index 6213b9b..ae15bbc 100644
--- a/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainSaslServer1.java
+++ b/src/main/java/org/onap/dmaap/kafkaauthorize/PlainSaslServer1.java
@@ -3,6 +3,7 @@
 * org.onap.dmaap
 * ================================================================================
 * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * Modification copyright (C) 2021 Nordix Foundation.
 * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -18,28 +19,19 @@
 *
 *
 *******************************************************************************/
-package org.onap.dmaap.kafkaAuthorize;
+package org.onap.dmaap.kafkaauthorize;
-import java.io.UnsupportedEncodingException;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
-
-import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.NameCallback;
 import javax.security.sasl.Sasl;
 import javax.security.sasl.SaslException;
 import javax.security.sasl.SaslServer;
 import javax.security.sasl.SaslServerFactory;
-
 import org.apache.kafka.common.errors.SaslAuthenticationException;
-import org.apache.kafka.common.security.JaasContext;
-import org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler;
-import org.apache.kafka.common.security.plain.PlainAuthenticateCallback;
-import org.apache.kafka.common.security.plain.internals.PlainSaslServer;
 import org.onap.dmaap.commonauth.kafka.base.authorization.AuthorizationProviderFactory;
 /**
@@ -62,6 +54,7 @@ public class PlainSaslServer1 implements SaslServer {
 private boolean complete;
 private String authorizationId;
+ private static final String AUTH_EXC_NOT_COMPLETE = "Authentication exchange has not completed";
 /**
@@ -105,13 +98,13 @@ public class PlainSaslServer1 implements SaslServer {
 try {
 aafResponse = AuthorizationProviderFactory.getProviderFactory().getProvider().authenticate(username, password);
- } catch (Exception e) {
+ } catch (Exception ignored) {
+ throw new SaslAuthenticationException("Authentication failed: " + aafResponse + " User " + username);
 }
 if (null != aafResponse) {
 throw new SaslAuthenticationException("Authentication failed: " + aafResponse + " User " + username);
 }
-
 if (!authorizationIdFromClient.isEmpty() && !authorizationIdFromClient.equals(username)) throw new SaslAuthenticationException("Authentication failed: Client requested an authorization id that is different from username");
@@ -144,7 +137,7 @@ public class PlainSaslServer1 implements SaslServer {
 @Override
 public String getAuthorizationID() {
 if (!complete)
- throw new IllegalStateException("Authentication exchange has not completed");
+ throw new IllegalStateException(AUTH_EXC_NOT_COMPLETE);
 return authorizationId;
 }
@@ -156,7 +149,7 @@ public class PlainSaslServer1 implements SaslServer {
 @Override
 public Object getNegotiatedProperty(String propName) {
 if (!complete)
- throw new IllegalStateException("Authentication exchange has not completed");
+ throw new IllegalStateException(AUTH_EXC_NOT_COMPLETE);
 return null;
 }
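Review bot: `catch (Exception ignored)` now rethrows, but the message `"Authentication failed: " + aafResponse + " User " + username` is built from an `aafResponse` that was never assigned because authenticate() threw, and the original exception is dropped, so an AAF outage or a misconfigured provider is indistinguishable in the broker logs from a wrong password. Keep the client-facing text generic (Kafka may hand the SaslAuthenticationException message back to the client) and carry the cause: `} catch (Exception e) { throw new SaslAuthenticationException("Authentication failed for user " + username, e); }`; if the class has a logger (not visible in the hunk), log `e` at error level first. The enclosing method starts before the hunk.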
@@ -168,19 +161,20 @@ public class PlainSaslServer1 implements SaslServer {
 @Override
 public byte[] unwrap(byte[] incoming, int offset, int len) {
 if (!complete)
- throw new IllegalStateException("Authentication exchange has not completed");
+ throw new IllegalStateException(AUTH_EXC_NOT_COMPLETE);
 return Arrays.copyOfRange(incoming, offset, offset + len);
 }
 @Override
 public byte[] wrap(byte[] outgoing, int offset, int len) {
 if (!complete)
- throw new IllegalStateException("Authentication exchange has not completed");
+ throw new IllegalStateException(AUTH_EXC_NOT_COMPLETE);
 return Arrays.copyOfRange(outgoing, offset, offset + len);
 }
 @Override
 public void dispose() {
+ // TODO Auto-generate method stub
 }
 public static class PlainSaslServerFactory1 implements SaslServerFactory {
@@ -190,7 +184,7 @@ public class PlainSaslServer1 implements SaslServer {
 throws SaslException {
 if (!PLAIN_MECHANISM.equals(mechanism))
- throw new SaslException(String.format("Mechanism \'%s\' is not supported. Only PLAIN is supported.", mechanism));
+ throw new SaslException(String.format("Mechanism '%s' is not supported. Only PLAIN is supported.", mechanism));
 return new PlainSaslServer1();
 }
diff --git a/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainSaslServerProvider1.java b/src/main/java/org/onap/dmaap/kafkaauthorize/PlainSaslServerProvider1.java
index 441a023..b9fbf7a 100644
--- a/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainSaslServerProvider1.java
+++ b/src/main/java/org/onap/dmaap/kafkaauthorize/PlainSaslServerProvider1.java
@@ -3,6 +3,7 @@
 * org.onap.dmaap
 * ================================================================================
 * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * Modification copyright (C) 2021 Nordix Foundation.
 * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
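Review bot: `// TODO Auto-generate method stub` added to dispose() is an IDE artifact rather than documentation and leaves a reader unsure whether the server holds state that should be released. The hunk itself shows why it is empty — wrap()/unwrap() are plain `Arrays.copyOfRange` copies and getNegotiatedProperty() returns null, so no security layer is negotiated — and the comment should say that instead: `// Nothing to release: no security layer is negotiated (wrap/unwrap are plain copies).`. Whether the password captured during the exchange ought to be cleared here depends on fields outside the hunk.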
@@ -18,12 +19,12 @@ * * *******************************************************************************/ -package org.onap.dmaap.kafkaAuthorize; +package org.onap.dmaap.kafkaauthorize; import java.security.Provider; import java.security.Security; -import org.onap.dmaap.kafkaAuthorize.PlainSaslServer1.PlainSaslServerFactory1; +import org.onap.dmaap.kafkaauthorize.PlainSaslServer1.PlainSaslServerFactory1; public class PlainSaslServerProvider1 extends Provider { |