/**
 * Copyright (c) 2019 - 2024 StreamNative, Inc.. All Rights Reserved.
 */
/**
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package io.streamnative.pulsar.handlers.kop.security;

import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.concurrent.Future;
import io.streamnative.pulsar.handlers.kop.KafkaProtocolHandler;
import io.streamnative.pulsar.handlers.kop.KafkaServiceConfiguration;
import java.net.SocketAddress;
import java.util.concurrent.ExecutionException;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Function;
import javax.net.ssl.SSLSession;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.protocol.ApiKeys;
import org.apache.pulsar.broker.authentication.AuthenticationProvider;
import org.apache.pulsar.broker.authentication.AuthenticationState;
import org.apache.pulsar.common.api.AuthData;

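/**
 * Authenticator for channels whose client identity comes from the TLS layer.
 *
 * <p>Note that client SSL authentication is handled in SslHandler.
 * This class is only used to pass the session information to authorizer: it performs no
 * certificate validation of its own. It hands the channel's {@link SSLSession} (or {@code null}
 * when no TLS handler is installed) to the configured {@link AuthenticationProvider} and wraps
 * the role the provider returns in a {@link KafkaPrincipal}.
 *
 * <p>NOTE(review): the resulting principal is only as trustworthy as the TLS configuration and
 * the provider. Confirm that the handler registered under
 * {@code KafkaProtocolHandler.TLS_HANDLER} requires and verifies client certificates, and that
 * the provider rejects a {@code null} session.
 */
public class SslAuthenticator implements Authenticator {

    // Empty payload: no credentials are sent in-band, the provider only gets the TLS session.
    private static final byte[] emptyArray = new byte[0];
    private final AuthenticationProvider provider;
    private final KafkaServiceConfiguration kafkaConfig;
    // Non-null once authenticate() has succeeded; cleared again by close().
    private Session session;

    /**
     * Creates an authenticator bound to one provider and one KoP configuration.
     *
     * @param provider    provider asked to build and run the authentication state
     * @param kafkaConfig configuration the Kafka tenant name is read from
     */
    public SslAuthenticator(AuthenticationProvider provider, KafkaServiceConfiguration kafkaConfig) {
        this.provider = provider;
        this.kafkaConfig = kafkaConfig;
    }

    /**
     * Builds the {@link Session} for this channel from its TLS session.
     *
     * <p>Only {@code ctx} is used. {@code requestBuf}, both latency callbacks and
     * {@code tenantAccessValidationFunction} are not referenced by this implementation.
     *
     * <p>NOTE(review): because {@code tenantAccessValidationFunction} is never invoked, no
     * tenant-access check is applied on this path; confirm that this is intended.
     *
     * @param ctx channel context; its pipeline is searched for the TLS handler
     * @throws AuthenticationException if the provider rejects the connection, the asynchronous
     *                                 authentication fails, or the waiting thread is interrupted
     */
    @Override
    public void authenticate(ChannelHandlerContext ctx, ByteBuf requestBuf,
                             BiConsumer registerRequestParseLatency,
                             BiConsumer registerRequestLatency,
                             Function tenantAccessValidationFunction) throws AuthenticationException {
        // init authState and other var
        ChannelHandler sslHandler = ctx.channel().pipeline().get(KafkaProtocolHandler.TLS_HANDLER);
        SSLSession sslSession = null;
        if (sslHandler != null) {
            // A handler of another type under this name fails loudly with ClassCastException
            // instead of silently authenticating without a TLS session.
            sslSession = ((SslHandler) sslHandler).engine().getSession();
        }
        // With no TLS handler the provider receives a null session and decides on its own.
        AuthData authData = AuthData.of(emptyArray);
        SocketAddress remoteAddress = ctx.channel().remoteAddress();
        try {
            AuthenticationState authState = provider.newAuthState(authData, remoteAddress, sslSession);
            // Blocks the calling thread until the provider has finished.
            authState.authenticateAsync(authData).get();
            this.session = new Session(
                new KafkaPrincipal(KafkaPrincipal.USER_TYPE,
                    authState.getAuthRole(),
                    kafkaConfig.getKafkaTenant(),
                    null,
                    authState.getAuthDataSource()), null);
        } catch (InterruptedException e) {
            // Restore the interrupt flag so the owning thread can still observe the interruption.
            Thread.currentThread().interrupt();
            throw new AuthenticationException(e.getMessage(), e);
        } catch (javax.naming.AuthenticationException | ExecutionException e) {
            // Same message as before, but the cause is kept so the failure can be diagnosed.
            throw new AuthenticationException(e.getMessage(), e);
        }
    }

    /**
     * Does nothing: this authenticator sends no failure response of its own.
     *
     * <p>NOTE(review): the parameter's generic type arguments look truncated in this listing
     * (stray {@code >}), and the functional parameters of {@code authenticate} are raw types;
     * restore them from the {@code Authenticator} interface.
     */
    @Override
    public void sendAuthenticationFailureResponse(Consumer> listener) {
        // No-Op for ssl authenticator
    }

    /**
     * @return the session built by the last successful {@code authenticate} call, or
     *         {@code null} before that call and after {@code close()}
     */
    @Override
    public Session session() {
        return session;
    }

    /**
     * @return {@code true} once a session has been established and not yet closed
     */
    @Override
    public boolean complete() {
        return session != null;
    }

    /** Drops the session, so {@code complete()} reports {@code false} again. */
    @Override
    public void close() {
        this.session = null;
    }
}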



