1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
|
/******************************************************************************
* ============LICENSE_START=======================================================
* org.onap.dmaap
* ================================================================================
* Copyright © 2017 AT&T Intellectual Property. All rights reserved.
* Modification copyright (C) 2021 Nordix Foundation.
* ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* ============LICENSE_END=========================================================
*
*
*******************************************************************************/
package org.onap.dmaap.kafkaauthorize;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.onap.dmaap.commonauth.kafka.base.authorization.AuthorizationProviderFactory;
/**
* Simple SaslServer implementation for SASL/PLAIN. In order to make this
* implementation fully pluggable, authentication of username/password is fully
* contained within the server implementation.
* <p>
* Valid users with passwords are specified in the Jaas configuration file. Each
* user is specified with user_<username> as key and <password> as value. This
* is consistent with Zookeeper Digest-MD5 implementation.
* <p>
* To avoid storing clear passwords on disk or to integrate with external
* authentication servers in production systems, this module can be replaced
* with a different implementation.
*
*/
public class PlainSaslServer1 implements SaslServer {
public static final String PLAIN_MECHANISM = "PLAIN";
private boolean complete;
private String authorizationId;
private static final String AUTH_EXC_NOT_COMPLETE = "Authentication exchange has not completed";
/**
* @throws SaslAuthenticationException if username/password combination is invalid or if the requested
* authorization id is not the same as username.
* <p>
* <b>Note:</b> This method may throw {@link SaslAuthenticationException} to provide custom error messages
* to clients. But care should be taken to avoid including any information in the exception message that
* should not be leaked to unauthenticated clients. It may be safer to throw {@link SaslException} in
* some cases so that a standard error message is returned to clients.
* </p>
*/
@Override
public byte[] evaluateResponse(byte[] responseBytes) throws SaslAuthenticationException {
/*
* Message format (from https://tools.ietf.org/html/rfc4616):
*
* message = [authzid] UTF8NUL authcid UTF8NUL passwd
* authcid = 1*SAFE ; MUST accept up to 255 octets
* authzid = 1*SAFE ; MUST accept up to 255 octets
* passwd = 1*SAFE ; MUST accept up to 255 octets
* UTF8NUL = %x00 ; UTF-8 encoded NUL character
*
* SAFE = UTF1 / UTF2 / UTF3 / UTF4
* ;; any UTF-8 encoded Unicode character except NUL
*/
String response = new String(responseBytes, StandardCharsets.UTF_8);
List<String> tokens = extractTokens(response);
String authorizationIdFromClient = tokens.get(0);
String username = tokens.get(1);
String password = tokens.get(2);
if (username.isEmpty()) {
throw new SaslAuthenticationException("Authentication failed: username not specified");
}
if (password.isEmpty()) {
throw new SaslAuthenticationException("Authentication failed: password not specified");
}
String aafResponse = "Not Verified";
try {
aafResponse = AuthorizationProviderFactory.getProviderFactory().getProvider().authenticate(username,
password);
} catch (Exception ignored) {
throw new SaslAuthenticationException("Authentication failed: " + aafResponse + " User " + username);
}
if (null != aafResponse) {
throw new SaslAuthenticationException("Authentication failed: " + aafResponse + " User " + username);
}
if (!authorizationIdFromClient.isEmpty() && !authorizationIdFromClient.equals(username))
throw new SaslAuthenticationException("Authentication failed: Client requested an authorization id that is different from username");
this.authorizationId = username;
complete = true;
return new byte[0];
}
private List<String> extractTokens(String string) {
List<String> tokens = new ArrayList<>();
int startIndex = 0;
for (int i = 0; i < 4; ++i) {
int endIndex = string.indexOf("\u0000", startIndex);
if (endIndex == -1) {
tokens.add(string.substring(startIndex));
break;
}
tokens.add(string.substring(startIndex, endIndex));
startIndex = endIndex + 1;
}
if (tokens.size() != 3)
throw new SaslAuthenticationException("Invalid SASL/PLAIN response: expected 3 tokens, got " +
tokens.size());
return tokens;
}
@Override
public String getAuthorizationID() {
if (!complete)
throw new IllegalStateException(AUTH_EXC_NOT_COMPLETE);
return authorizationId;
}
@Override
public String getMechanismName() {
return PLAIN_MECHANISM;
}
@Override
public Object getNegotiatedProperty(String propName) {
if (!complete)
throw new IllegalStateException(AUTH_EXC_NOT_COMPLETE);
return null;
}
@Override
public boolean isComplete() {
return complete;
}
@Override
public byte[] unwrap(byte[] incoming, int offset, int len) {
if (!complete)
throw new IllegalStateException(AUTH_EXC_NOT_COMPLETE);
return Arrays.copyOfRange(incoming, offset, offset + len);
}
@Override
public byte[] wrap(byte[] outgoing, int offset, int len) {
if (!complete)
throw new IllegalStateException(AUTH_EXC_NOT_COMPLETE);
return Arrays.copyOfRange(outgoing, offset, offset + len);
}
@Override
public void dispose() {
// TODO Auto-generate method stub
}
public static class PlainSaslServerFactory1 implements SaslServerFactory {
@Override
public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh)
throws SaslException {
if (!PLAIN_MECHANISM.equals(mechanism))
throw new SaslException(String.format("Mechanism '%s' is not supported. Only PLAIN is supported.", mechanism));
return new PlainSaslServer1();
}
@Override
public String[] getMechanismNames(Map<String, ?> props) {
if (props == null) return new String[]{PLAIN_MECHANISM};
String noPlainText = (String) props.get(Sasl.POLICY_NOPLAINTEXT);
if ("true".equals(noPlainText))
return new String[]{};
else
return new String[]{PLAIN_MECHANISM};
}
}
}
|
