| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.kafka.common.security.plain.internals; |
| |
| import java.nio.charset.StandardCharsets; |
| import java.util.ArrayList; |
| import java.util.Arrays; |
| import java.util.List; |
| import java.util.Map; |
| |
| import javax.security.auth.callback.Callback; |
| import javax.security.auth.callback.CallbackHandler; |
| import javax.security.auth.callback.NameCallback; |
| import javax.security.sasl.Sasl; |
| import javax.security.sasl.SaslException; |
| import javax.security.sasl.SaslServer; |
| import javax.security.sasl.SaslServerFactory; |
| |
| import org.apache.kafka.common.errors.SaslAuthenticationException; |
| import org.apache.kafka.common.security.plain.PlainAuthenticateCallback; |
| |
| /** |
| * Simple SaslServer implementation for SASL/PLAIN. In order to make this implementation |
| * fully pluggable, authentication of username/password is fully contained within the |
| * server implementation. |
| * <p> |
| * Valid users with passwords are specified in the Jaas configuration file. Each user |
| * is specified with user_<username> as key and <password> as value. This is consistent |
| * with Zookeeper Digest-MD5 implementation. |
| * <p> |
| * To avoid storing clear passwords on disk or to integrate with external authentication |
| * servers in production systems, this module can be replaced with a different implementation. |
| * |
| */ |
| public class PlainSaslServer implements SaslServer { |
| |
| public static final String PLAIN_MECHANISM = "PLAIN"; |
| |
| private final CallbackHandler callbackHandler; |
| private boolean complete; |
| private String authorizationId; |
| |
| public PlainSaslServer(CallbackHandler callbackHandler) { |
| this.callbackHandler = callbackHandler; |
| } |
| |
| /** |
| * @throws SaslAuthenticationException if username/password combination is invalid or if the requested |
| * authorization id is not the same as username. |
| * <p> |
| * <b>Note:</b> This method may throw {@link SaslAuthenticationException} to provide custom error messages |
| * to clients. But care should be taken to avoid including any information in the exception message that |
| * should not be leaked to unauthenticated clients. It may be safer to throw {@link SaslException} in |
| * some cases so that a standard error message is returned to clients. |
| * </p> |
| */ |
| @Override |
| public byte[] evaluateResponse(byte[] responseBytes) throws SaslAuthenticationException { |
| /* |
| * Message format (from https://tools.ietf.org/html/rfc4616): |
| * |
| * message = [authzid] UTF8NUL authcid UTF8NUL passwd |
| * authcid = 1*SAFE ; MUST accept up to 255 octets |
| * authzid = 1*SAFE ; MUST accept up to 255 octets |
| * passwd = 1*SAFE ; MUST accept up to 255 octets |
| * UTF8NUL = %x00 ; UTF-8 encoded NUL character |
| * |
| * SAFE = UTF1 / UTF2 / UTF3 / UTF4 |
| * ;; any UTF-8 encoded Unicode character except NUL |
| */ |
| |
| String response = new String(responseBytes, StandardCharsets.UTF_8); |
| List<String> tokens = extractTokens(response); |
| String authorizationIdFromClient = tokens.get(0); |
| String username = tokens.get(1); |
| String password = tokens.get(2); |
| |
| if (username.isEmpty()) { |
| throw new SaslAuthenticationException("Authentication failed: username not specified"); |
| } |
| if (password.isEmpty()) { |
| throw new SaslAuthenticationException("Authentication failed: password not specified"); |
| } |
| |
| NameCallback nameCallback = new NameCallback("username", username); |
| PlainAuthenticateCallback authenticateCallback = new PlainAuthenticateCallback(password.toCharArray()); |
| try { |
| callbackHandler.handle(new Callback[]{nameCallback, authenticateCallback}); |
| } catch (Throwable e) { |
| throw new SaslAuthenticationException("Authentication failed: credentials for user could not be verified", e); |
| } |
| if (!authenticateCallback.authenticated()) |
| throw new SaslAuthenticationException("Authentication failed: Invalid username or password"); |
| if (!authorizationIdFromClient.isEmpty() && !authorizationIdFromClient.equals(username)) |
| throw new SaslAuthenticationException("Authentication failed: Client requested an authorization id that is different from username"); |
| |
| this.authorizationId = username; |
| |
| complete = true; |
| return new byte[0]; |
| } |
| |
| private List<String> extractTokens(String string) { |
| List<String> tokens = new ArrayList<>(); |
| int startIndex = 0; |
| for (int i = 0; i < 4; ++i) { |
| int endIndex = string.indexOf("\u0000", startIndex); |
| if (endIndex == -1) { |
| tokens.add(string.substring(startIndex)); |
| break; |
| } |
| tokens.add(string.substring(startIndex, endIndex)); |
| startIndex = endIndex + 1; |
| } |
| |
| if (tokens.size() != 3) |
| throw new SaslAuthenticationException("Invalid SASL/PLAIN response: expected 3 tokens, got " + |
| tokens.size()); |
| |
| return tokens; |
| } |
| |
| @Override |
| public String getAuthorizationID() { |
| if (!complete) |
| throw new IllegalStateException("Authentication exchange has not completed"); |
| return authorizationId; |
| } |
| |
| @Override |
| public String getMechanismName() { |
| return PLAIN_MECHANISM; |
| } |
| |
| @Override |
| public Object getNegotiatedProperty(String propName) { |
| if (!complete) |
| throw new IllegalStateException("Authentication exchange has not completed"); |
| return null; |
| } |
| |
| @Override |
| public boolean isComplete() { |
| return complete; |
| } |
| |
| @Override |
| public byte[] unwrap(byte[] incoming, int offset, int len) { |
| if (!complete) |
| throw new IllegalStateException("Authentication exchange has not completed"); |
| return Arrays.copyOfRange(incoming, offset, offset + len); |
| } |
| |
| @Override |
| public byte[] wrap(byte[] outgoing, int offset, int len) { |
| if (!complete) |
| throw new IllegalStateException("Authentication exchange has not completed"); |
| return Arrays.copyOfRange(outgoing, offset, offset + len); |
| } |
| |
| @Override |
| public void dispose() { |
| } |
| |
| public static class PlainSaslServerFactory implements SaslServerFactory { |
| |
| @Override |
| public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh) |
| throws SaslException { |
| |
| if (!PLAIN_MECHANISM.equals(mechanism)) |
| throw new SaslException(String.format("Mechanism \'%s\' is not supported. Only PLAIN is supported.", mechanism)); |
| |
| return new PlainSaslServer(cbh); |
| } |
| |
| @Override |
| public String[] getMechanismNames(Map<String, ?> props) { |
| if (props == null) return new String[]{PLAIN_MECHANISM}; |
| String noPlainText = (String) props.get(Sasl.POLICY_NOPLAINTEXT); |
| if ("true".equals(noPlainText)) |
| return new String[]{}; |
| else |
| return new String[]{PLAIN_MECHANISM}; |
| } |
| } |
| } |