zbendhiba commented on code in PR #23711: URL: https://github.com/apache/camel/pull/23711#discussion_r3354555016
########## components/camel-ai/camel-a2a/src/main/java/org/apache/camel/component/a2a/auth/A2AAuthHandler.java: ########## @@ -0,0 +1,145 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.component.a2a.auth; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; +import java.util.Map; + +import org.apache.camel.CamelContext; +import org.apache.camel.Exchange; +import org.apache.camel.component.a2a.A2AConfiguration; +import org.apache.camel.component.a2a.model.AgentCard; +import org.apache.camel.component.a2a.model.SecurityScheme; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * Authentication coordinator for the A2A component. Delegates to {@link A2ASecuritySchemeHandler} implementations based + * on the agent card's declared security schemes. Configuration parameters ({@code oauthProfile}, {@code bearerToken}, + * {@code apiKey}) influence scheme selection priority. + */ +public class A2AAuthHandler { + + private static final Logger LOG = LoggerFactory.getLogger(A2AAuthHandler.class); + + private final A2AConfiguration configuration; + private final Map<String, A2ASecuritySchemeHandler> handlers; + + public A2AAuthHandler(A2AConfiguration configuration, Map<String, A2ASecuritySchemeHandler> handlers) { + this.configuration = configuration; + this.handlers = handlers; + } + + /** + * Apply authentication headers to a producer exchange. Selects the appropriate scheme handler based on the resolved + * card's security schemes and configuration hints. + */ + public void applyProducerAuth(Exchange exchange, CamelContext context) { + applyProducerAuth(exchange, context, null); + } + + /** + * Apply authentication headers to a producer exchange using the given card's security schemes. + */ + public void applyProducerAuth(Exchange exchange, CamelContext context, AgentCard card) { + List<Map.Entry<String, SecurityScheme>> schemes = resolveSchemes(card); + + for (Map.Entry<String, SecurityScheme> entry : schemes) { + SecurityScheme scheme = entry.getValue(); + A2ASecuritySchemeHandler handler = handlers.get(scheme.getType()); + if (handler != null) { + handler.applyCredentials(exchange, scheme, configuration, context); + return; + } + } + + LOG.debug("No matching security scheme handler found — request will be unauthenticated"); + } + + /** + * Validate credentials from an incoming consumer request. Returns a user profile map on success, or null if + * {@code validateAuth} is disabled. Throws {@link SecurityException} if validation fails. + */ + public Map<String, Object> validateConsumerAuth(Exchange exchange, AgentCard card) { + if (!configuration.isValidateAuth()) { + return null; + } + + List<Map.Entry<String, SecurityScheme>> schemes = resolveSchemes(card); + if (schemes.isEmpty()) { + LOG.warn("validateAuth is enabled but agent card declares no security schemes — allowing request"); + return null; + } + + SecurityException lastFailure = null; + for (Map.Entry<String, SecurityScheme> entry : schemes) { + SecurityScheme scheme = entry.getValue(); + A2ASecuritySchemeHandler handler = handlers.get(scheme.getType()); + if (handler != null) { + try { + return handler.validateCredentials(exchange, scheme, configuration); + } catch (SecurityException e) { + lastFailure = e; + } + } + } + + throw lastFailure != null + ? lastFailure + : new SecurityException("No security scheme handler available for the declared schemes"); + } + + /** + * Resolves and prioritizes security schemes from the card, using config hints to determine order. If + * {@code oauthProfile} is configured, OAuth2/OIDC schemes come first. If {@code bearerToken} is configured, HTTP + * bearer schemes come first. If {@code apiKey} is configured, API key schemes come first. + */ + List<Map.Entry<String, SecurityScheme>> resolveSchemes(AgentCard card) { + if (card == null || card.getSecuritySchemes() == null || card.getSecuritySchemes().isEmpty()) { + return Collections.emptyList(); + } + + List<Map.Entry<String, SecurityScheme>> all = new ArrayList<>(card.getSecuritySchemes().entrySet()); + String preferredType = resolvePreferredSchemeType(); + if (preferredType != null) { + all.sort((a, b) -> { + boolean aMatch = preferredType.equals(a.getValue().getType()); + boolean bMatch = preferredType.equals(b.getValue().getType()); + if (aMatch == bMatch) { + return 0; + } + return aMatch ? -1 : 1; + }); + } + return all; + } + + private String resolvePreferredSchemeType() { + if (configuration.getOauthProfile() != null) { + return "oauth2"; + } + if (configuration.getBearerToken() != null) { + return "http"; Review Comment: Maybe we could some meaningful variables, declared in a section that explains this spec. WDYT ? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
