1 /*******************************************************************************
2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 * ============LICENSE_END=========================================================
20 *******************************************************************************/
21 package org.onap.dmaap.kafkaAuthorize;
23 import java.io.UnsupportedEncodingException;
24 import java.util.Arrays;
27 import javax.security.auth.callback.CallbackHandler;
28 import javax.security.sasl.Sasl;
29 import javax.security.sasl.SaslException;
30 import javax.security.sasl.SaslServer;
31 import javax.security.sasl.SaslServerFactory;
33 import org.apache.kafka.common.security.JaasContext;
34 import org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler;
36 import org.onap.dmaap.commonauth.kafka.base.authorization.AuthorizationProviderFactory;
39 * Simple SaslServer implementation for SASL/PLAIN. In order to make this
40 * implementation fully pluggable, authentication of username/password is fully
41 * contained within the server implementation.
43 * Valid users with passwords are specified in the Jaas configuration file. Each
44 * user is specified with user_<username> as key and <password> as value. This
45 * is consistent with Zookeeper Digest-MD5 implementation.
47 * To avoid storing clear passwords on disk or to integrate with external
48 * authentication servers in production systems, this module can be replaced
49 * with a different implementation.
52 public class PlainSaslServer1 implements SaslServer {
54 public static final String PLAIN_MECHANISM = "PLAIN";
56 private final JaasContext jaasContext;
58 private boolean complete;
59 private String authorizationID;
61 public PlainSaslServer1(JaasContext jaasContext) {
62 this.jaasContext = jaasContext;
66 public byte[] evaluateResponse(byte[] response) throws SaslException {
68 * Message format (from https://tools.ietf.org/html/rfc4616):
70 * message = [authzid] UTF8NUL authcid UTF8NUL passwd authcid = 1*SAFE ;
71 * MUST accept up to 255 octets authzid = 1*SAFE ; MUST accept up to 255
72 * octets passwd = 1*SAFE ; MUST accept up to 255 octets UTF8NUL = %x00
73 * ; UTF-8 encoded NUL character
75 * SAFE = UTF1 / UTF2 / UTF3 / UTF4 ;; any UTF-8 encoded Unicode
76 * character except NUL
81 tokens = new String(response, "UTF-8").split("\u0000");
82 } catch (UnsupportedEncodingException e) {
83 throw new SaslException("UTF-8 encoding not supported", e);
85 if (tokens.length != 3)
86 throw new SaslException("Invalid SASL/PLAIN response: expected 3 tokens, got " + tokens.length);
87 authorizationID = tokens[0];
88 String username = tokens[1];
89 String password = tokens[2];
91 if (username.isEmpty()) {
92 throw new SaslException("Authentication failed: username not specified");
94 if (password.isEmpty()) {
95 throw new SaslException("Authentication failed: password not specified");
97 if (authorizationID.isEmpty())
98 authorizationID = username;
100 String aafResponse = "Not Verified";
102 aafResponse = AuthorizationProviderFactory.getProviderFactory().getProvider().authenticate(username,
104 } catch (Exception e) {
107 if (null != aafResponse) {
108 throw new SaslException("Authentication failed: " + aafResponse + " User " + username);
116 public String getAuthorizationID() {
118 throw new IllegalStateException("Authentication exchange has not completed");
119 return authorizationID;
123 public String getMechanismName() {
124 return PLAIN_MECHANISM;
128 public Object getNegotiatedProperty(String propName) {
130 throw new IllegalStateException("Authentication exchange has not completed");
135 public boolean isComplete() {
140 public byte[] unwrap(byte[] incoming, int offset, int len) throws SaslException {
142 throw new IllegalStateException("Authentication exchange has not completed");
143 return Arrays.copyOfRange(incoming, offset, offset + len);
147 public byte[] wrap(byte[] outgoing, int offset, int len) throws SaslException {
149 throw new IllegalStateException("Authentication exchange has not completed");
150 return Arrays.copyOfRange(outgoing, offset, offset + len);
154 public void dispose() throws SaslException {
157 public static class PlainSaslServerFactory1 implements SaslServerFactory {
160 public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props,
161 CallbackHandler cbh) throws SaslException {
163 if (!PLAIN_MECHANISM.equals(mechanism))
164 throw new SaslException(
165 String.format("Mechanism \'%s\' is not supported. Only PLAIN is supported.", mechanism));
167 if (!(cbh instanceof SaslServerCallbackHandler))
168 throw new SaslException(
169 "CallbackHandler must be of type SaslServerCallbackHandler, but it is: " + cbh.getClass());
171 return new PlainSaslServer1(((SaslServerCallbackHandler) cbh).jaasContext());
175 public String[] getMechanismNames(Map<String, ?> props) {
177 return new String[] { PLAIN_MECHANISM };
178 String noPlainText = (String) props.get(Sasl.POLICY_NOPLAINTEXT);
179 if ("true".equals(noPlainText))
180 return new String[] {};
182 return new String[] { PLAIN_MECHANISM };