All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.kafka.common.security.plain.internals.PlainSaslServer Maven / Gradle / Ivy

There is a newer version: 3.3.8
Show newest version
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.kafka.common.security.plain.internals;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;

import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.security.plain.PlainAuthenticateCallback;

/**
 * Simple SaslServer implementation for SASL/PLAIN. In order to make this implementation
 * fully pluggable, authentication of username/password is fully contained within the
 * server implementation.
 * 

* Valid users with passwords are specified in the Jaas configuration file. Each user * is specified with user_ as key and as value. This is consistent * with Zookeeper Digest-MD5 implementation. *

* To avoid storing clear passwords on disk or to integrate with external authentication * servers in production systems, this module can be replaced with a different implementation. * */ public class PlainSaslServer implements SaslServer { public static final String PLAIN_MECHANISM = "PLAIN"; private final CallbackHandler callbackHandler; private boolean complete; private String authorizationId; public PlainSaslServer(CallbackHandler callbackHandler) { this.callbackHandler = callbackHandler; } /** * @throws SaslAuthenticationException if username/password combination is invalid or if the requested * authorization id is not the same as username. *

* Note: This method may throw {@link SaslAuthenticationException} to provide custom error messages * to clients. But care should be taken to avoid including any information in the exception message that * should not be leaked to unauthenticated clients. It may be safer to throw {@link SaslException} in * some cases so that a standard error message is returned to clients. *

*/ @Override public byte[] evaluateResponse(byte[] responseBytes) throws SaslAuthenticationException { /* * Message format (from https://tools.ietf.org/html/rfc4616): * * message = [authzid] UTF8NUL authcid UTF8NUL passwd * authcid = 1*SAFE ; MUST accept up to 255 octets * authzid = 1*SAFE ; MUST accept up to 255 octets * passwd = 1*SAFE ; MUST accept up to 255 octets * UTF8NUL = %x00 ; UTF-8 encoded NUL character * * SAFE = UTF1 / UTF2 / UTF3 / UTF4 * ;; any UTF-8 encoded Unicode character except NUL */ String response = new String(responseBytes, StandardCharsets.UTF_8); List tokens = extractTokens(response); String authorizationIdFromClient = tokens.get(0); String username = tokens.get(1); String password = tokens.get(2); if (username.isEmpty()) { throw new SaslAuthenticationException("Authentication failed: username not specified"); } if (password.isEmpty()) { throw new SaslAuthenticationException("Authentication failed: password not specified"); } NameCallback nameCallback = new NameCallback("username", username); PlainAuthenticateCallback authenticateCallback = new PlainAuthenticateCallback(password.toCharArray()); try { callbackHandler.handle(new Callback[]{nameCallback, authenticateCallback}); } catch (Throwable e) { throw new SaslAuthenticationException("Authentication failed: credentials for user could not be verified", e); } if (!authenticateCallback.authenticated()) throw new SaslAuthenticationException("Authentication failed: Invalid username or password"); if (!authorizationIdFromClient.isEmpty() && !authorizationIdFromClient.equals(username)) throw new SaslAuthenticationException("Authentication failed: Client requested an authorization id that is different from username"); this.authorizationId = username; complete = true; return new byte[0]; } private List extractTokens(String string) { List tokens = new ArrayList<>(); int startIndex = 0; for (int i = 0; i < 4; ++i) { int endIndex = string.indexOf("\u0000", startIndex); if (endIndex == -1) { tokens.add(string.substring(startIndex)); break; } tokens.add(string.substring(startIndex, endIndex)); startIndex = endIndex + 1; } if (tokens.size() != 3) throw new SaslAuthenticationException("Invalid SASL/PLAIN response: expected 3 tokens, got " + tokens.size()); return tokens; } @Override public String getAuthorizationID() { if (!complete) throw new IllegalStateException("Authentication exchange has not completed"); return authorizationId; } @Override public String getMechanismName() { return PLAIN_MECHANISM; } @Override public Object getNegotiatedProperty(String propName) { if (!complete) throw new IllegalStateException("Authentication exchange has not completed"); return null; } @Override public boolean isComplete() { return complete; } @Override public byte[] unwrap(byte[] incoming, int offset, int len) { if (!complete) throw new IllegalStateException("Authentication exchange has not completed"); return Arrays.copyOfRange(incoming, offset, offset + len); } @Override public byte[] wrap(byte[] outgoing, int offset, int len) { if (!complete) throw new IllegalStateException("Authentication exchange has not completed"); return Arrays.copyOfRange(outgoing, offset, offset + len); } @Override public void dispose() { } public static class PlainSaslServerFactory implements SaslServerFactory { @Override public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map props, CallbackHandler cbh) throws SaslException { if (!PLAIN_MECHANISM.equals(mechanism)) throw new SaslException(String.format("Mechanism \'%s\' is not supported. Only PLAIN is supported.", mechanism)); return new PlainSaslServer(cbh); } @Override public String[] getMechanismNames(Map props) { if (props == null) return new String[]{PLAIN_MECHANISM}; String noPlainText = (String) props.get(Sasl.POLICY_NOPLAINTEXT); if ("true".equals(noPlainText)) return new String[]{}; else return new String[]{PLAIN_MECHANISM}; } } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy