mimaison commented on code in PR #18519:
URL: https://github.com/apache/kafka/pull/18519#discussion_r1918747208
##########
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenRetrieverFactoryTest.java:
##########
@@ -55,21 +63,34 @@ public void
testConfigureRefreshingFileAccessTokenRetriever() throws Exception {
@Test
public void
testConfigureRefreshingFileAccessTokenRetrieverWithInvalidDirectory() {
// Should fail because the parent path doesn't exist.
- Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL, new
File("/tmp/this-directory-does-not-exist/foo.json").toURI().toString());
+ String file = new
File("/tmp/this-directory-does-not-exist/foo.json").toURI().toString();
+ System.setProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG, file);
+ Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL, file);
Map<String, Object> jaasConfig = Collections.emptyMap();
assertThrowsWithMessage(ConfigException.class, () ->
AccessTokenRetrieverFactory.create(configs, jaasConfig), "that doesn't exist");
}
@Test
public void
testConfigureRefreshingFileAccessTokenRetrieverWithInvalidFile() throws
Exception {
- // Should fail because the while the parent path exists, the file
itself doesn't.
+ // Should fail because the parent path exists, the file itself doesn't.
Review Comment:
If think it should be `// Should fail because while the parent path exists,
...`
##########
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ConfigurationUtils.java:
##########
@@ -228,4 +233,16 @@ public <T> T get(String name) {
return (T) configs.get(name);
}
+ // make sure the url is in the
"org.apache.kafka.sasl.oauthbearer.allowed.urls" system property
+ public void throwIfURLIsNotAllowed(String urlConfig) {
+ Set<String> allowedLoginModuleList = Arrays.stream(
+
System.getProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG, "").split(","))
Review Comment:
Maybe we should create `ALLOWED_SASL_OAUTHBEARER_URLS_DEFAULT` instead of
having `""` here. WDYT?
##########
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ConfigurationUtils.java:
##########
@@ -228,4 +233,16 @@ public <T> T get(String name) {
return (T) configs.get(name);
}
+ // make sure the url is in the
"org.apache.kafka.sasl.oauthbearer.allowed.urls" system property
+ public void throwIfURLIsNotAllowed(String urlConfig) {
+ Set<String> allowedLoginModuleList = Arrays.stream(
+
System.getProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG, "").split(","))
+ .map(String::trim)
+ .collect(Collectors.toSet());
+ String value = get(urlConfig);
+ if (!allowedLoginModuleList.contains(value)) {
+ throw new IllegalArgumentException(value + " is not allowed.
Update System property '"
Review Comment:
nit: `System` -> `system`
##########
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/VerificationKeyResolverFactoryTest.java:
##########
@@ -0,0 +1,82 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
+
+import org.apache.kafka.common.config.ConfigException;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+
+import java.io.File;
+import java.util.Collections;
+import java.util.Map;
+
+import static
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_URL;
+import static
org.apache.kafka.common.config.internals.BrokerSecurityConfigs.ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG;
+
+public class VerificationKeyResolverFactoryTest extends OAuthBearerTest {
+
+ @AfterEach
+ public void tearDown() throws Exception {
+ System.clearProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG);
+ }
+
+ @Test
+ public void testConfigureRefreshingFileVerificationKeyResolver() throws
Exception {
+ File tmpDir = createTempDir("access-token");
+ File verificationKeyFile = createTempFile(tmpDir, "access-token-",
".json", "{}");
+
+ System.setProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG,
verificationKeyFile.toURI().toString());
+ Map<String, ?> configs =
Collections.singletonMap(SASL_OAUTHBEARER_JWKS_ENDPOINT_URL,
verificationKeyFile.toURI().toString());
+ Map<String, Object> jaasConfig = Collections.emptyMap();
+
+ // verify it won't throw exception
+ try (CloseableVerificationKeyResolver verificationKeyResolver =
VerificationKeyResolverFactory.create(configs, jaasConfig)) { }
+ }
+
+ @Test
+ public void
testConfigureRefreshingFileVerificationKeyResolverWithInvalidDirectory() {
+ // Should fail because the parent path doesn't exist.
+ String file = new
File("/tmp/this-directory-does-not-exist/foo.json").toURI().toString();
+ System.setProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG, file);
+ Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_JWKS_ENDPOINT_URL, file);
+ Map<String, Object> jaasConfig = Collections.emptyMap();
+ assertThrowsWithMessage(ConfigException.class, () ->
VerificationKeyResolverFactory.create(configs, jaasConfig), "that doesn't
exist");
+ }
+
+ @Test
+ public void
testConfigureRefreshingFileVerificationKeyResolverWithInvalidFile() throws
Exception {
+ // Should fail because the parent path exists, the file itself doesn't.
+ File tmpDir = createTempDir("this-directory-does-exist");
+ File verificationKeyFile = new File(tmpDir,
"this-file-does-not-exist.json");
+ System.setProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG,
verificationKeyFile.toURI().toString());
+ Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_JWKS_ENDPOINT_URL,
verificationKeyFile.toURI().toString());
+ Map<String, Object> jaasConfig = Collections.emptyMap();
+ assertThrowsWithMessage(ConfigException.class, () ->
VerificationKeyResolverFactory.create(configs, jaasConfig), "that doesn't
exist");
+ }
+
+ @Test
+ public void testSaslOauthbearerTokenEndpointUrlIsNotAllowed() throws
Exception {
+ // Should fail because the while the parent path exists, the file
itself doesn't.
Review Comment:
`because the while the parent` -> `because while the parent`
##########
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenRetrieverFactoryTest.java:
##########
@@ -55,21 +63,34 @@ public void
testConfigureRefreshingFileAccessTokenRetriever() throws Exception {
@Test
public void
testConfigureRefreshingFileAccessTokenRetrieverWithInvalidDirectory() {
// Should fail because the parent path doesn't exist.
- Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL, new
File("/tmp/this-directory-does-not-exist/foo.json").toURI().toString());
+ String file = new
File("/tmp/this-directory-does-not-exist/foo.json").toURI().toString();
+ System.setProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG, file);
+ Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL, file);
Map<String, Object> jaasConfig = Collections.emptyMap();
assertThrowsWithMessage(ConfigException.class, () ->
AccessTokenRetrieverFactory.create(configs, jaasConfig), "that doesn't exist");
}
@Test
public void
testConfigureRefreshingFileAccessTokenRetrieverWithInvalidFile() throws
Exception {
- // Should fail because the while the parent path exists, the file
itself doesn't.
+ // Should fail because the parent path exists, the file itself doesn't.
File tmpDir = createTempDir("this-directory-does-exist");
File accessTokenFile = new File(tmpDir,
"this-file-does-not-exist.json");
+ System.setProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG,
accessTokenFile.toURI().toString());
Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL,
accessTokenFile.toURI().toString());
Map<String, Object> jaasConfig = Collections.emptyMap();
assertThrowsWithMessage(ConfigException.class, () ->
AccessTokenRetrieverFactory.create(configs, jaasConfig), "that doesn't exist");
}
+ @Test
+ public void testSaslOauthbearerTokenEndpointUrlIsNotAllowed() throws
Exception {
+ // Should fail because the while the parent path exists, the file
itself doesn't.
+ File tmpDir = createTempDir("not_allowed");
+ File accessTokenFile = new File(tmpDir, "not_allowed.json");
+ Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL,
accessTokenFile.toURI().toString());
+ assertThrowsWithMessage(IllegalArgumentException.class, () ->
AccessTokenRetrieverFactory.create(configs, Collections.emptyMap()),
+ accessTokenFile.toURI().toString() + " is not allowed. Update
System property 'org.apache.kafka.sasl.oauthbearer.allowed.urls' to allow " +
accessTokenFile.toURI().toString());
Review Comment:
Not sure if we need to check the exact full error message. Maybe just
checking that it includes `ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG` would be
enough?
##########
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenRetrieverFactoryTest.java:
##########
@@ -55,21 +63,34 @@ public void
testConfigureRefreshingFileAccessTokenRetriever() throws Exception {
@Test
public void
testConfigureRefreshingFileAccessTokenRetrieverWithInvalidDirectory() {
// Should fail because the parent path doesn't exist.
- Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL, new
File("/tmp/this-directory-does-not-exist/foo.json").toURI().toString());
+ String file = new
File("/tmp/this-directory-does-not-exist/foo.json").toURI().toString();
+ System.setProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG, file);
+ Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL, file);
Map<String, Object> jaasConfig = Collections.emptyMap();
assertThrowsWithMessage(ConfigException.class, () ->
AccessTokenRetrieverFactory.create(configs, jaasConfig), "that doesn't exist");
}
@Test
public void
testConfigureRefreshingFileAccessTokenRetrieverWithInvalidFile() throws
Exception {
- // Should fail because the while the parent path exists, the file
itself doesn't.
+ // Should fail because the parent path exists, the file itself doesn't.
File tmpDir = createTempDir("this-directory-does-exist");
File accessTokenFile = new File(tmpDir,
"this-file-does-not-exist.json");
+ System.setProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG,
accessTokenFile.toURI().toString());
Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL,
accessTokenFile.toURI().toString());
Map<String, Object> jaasConfig = Collections.emptyMap();
assertThrowsWithMessage(ConfigException.class, () ->
AccessTokenRetrieverFactory.create(configs, jaasConfig), "that doesn't exist");
}
+ @Test
+ public void testSaslOauthbearerTokenEndpointUrlIsNotAllowed() throws
Exception {
+ // Should fail because the while the parent path exists, the file
itself doesn't.
Review Comment:
`because the while the parent` -> `because while the parent`
##########
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/VerificationKeyResolverFactoryTest.java:
##########
@@ -0,0 +1,82 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
+
+import org.apache.kafka.common.config.ConfigException;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+
+import java.io.File;
+import java.util.Collections;
+import java.util.Map;
+
+import static
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_URL;
+import static
org.apache.kafka.common.config.internals.BrokerSecurityConfigs.ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG;
+
+public class VerificationKeyResolverFactoryTest extends OAuthBearerTest {
+
+ @AfterEach
+ public void tearDown() throws Exception {
+ System.clearProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG);
+ }
+
+ @Test
+ public void testConfigureRefreshingFileVerificationKeyResolver() throws
Exception {
+ File tmpDir = createTempDir("access-token");
+ File verificationKeyFile = createTempFile(tmpDir, "access-token-",
".json", "{}");
+
+ System.setProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG,
verificationKeyFile.toURI().toString());
+ Map<String, ?> configs =
Collections.singletonMap(SASL_OAUTHBEARER_JWKS_ENDPOINT_URL,
verificationKeyFile.toURI().toString());
+ Map<String, Object> jaasConfig = Collections.emptyMap();
+
+ // verify it won't throw exception
+ try (CloseableVerificationKeyResolver verificationKeyResolver =
VerificationKeyResolverFactory.create(configs, jaasConfig)) { }
+ }
+
+ @Test
+ public void
testConfigureRefreshingFileVerificationKeyResolverWithInvalidDirectory() {
+ // Should fail because the parent path doesn't exist.
+ String file = new
File("/tmp/this-directory-does-not-exist/foo.json").toURI().toString();
+ System.setProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG, file);
+ Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_JWKS_ENDPOINT_URL, file);
+ Map<String, Object> jaasConfig = Collections.emptyMap();
+ assertThrowsWithMessage(ConfigException.class, () ->
VerificationKeyResolverFactory.create(configs, jaasConfig), "that doesn't
exist");
+ }
+
+ @Test
+ public void
testConfigureRefreshingFileVerificationKeyResolverWithInvalidFile() throws
Exception {
+ // Should fail because the parent path exists, the file itself doesn't.
Review Comment:
`because the parent` -> `because while the parent`
##########
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenRetrieverFactoryTest.java:
##########
@@ -55,21 +63,34 @@ public void
testConfigureRefreshingFileAccessTokenRetriever() throws Exception {
@Test
public void
testConfigureRefreshingFileAccessTokenRetrieverWithInvalidDirectory() {
// Should fail because the parent path doesn't exist.
- Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL, new
File("/tmp/this-directory-does-not-exist/foo.json").toURI().toString());
+ String file = new
File("/tmp/this-directory-does-not-exist/foo.json").toURI().toString();
+ System.setProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG, file);
+ Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL, file);
Map<String, Object> jaasConfig = Collections.emptyMap();
assertThrowsWithMessage(ConfigException.class, () ->
AccessTokenRetrieverFactory.create(configs, jaasConfig), "that doesn't exist");
}
@Test
public void
testConfigureRefreshingFileAccessTokenRetrieverWithInvalidFile() throws
Exception {
- // Should fail because the while the parent path exists, the file
itself doesn't.
+ // Should fail because the parent path exists, the file itself doesn't.
File tmpDir = createTempDir("this-directory-does-exist");
File accessTokenFile = new File(tmpDir,
"this-file-does-not-exist.json");
+ System.setProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG,
accessTokenFile.toURI().toString());
Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL,
accessTokenFile.toURI().toString());
Map<String, Object> jaasConfig = Collections.emptyMap();
assertThrowsWithMessage(ConfigException.class, () ->
AccessTokenRetrieverFactory.create(configs, jaasConfig), "that doesn't exist");
}
+ @Test
+ public void testSaslOauthbearerTokenEndpointUrlIsNotAllowed() throws
Exception {
+ // Should fail because the while the parent path exists, the file
itself doesn't.
+ File tmpDir = createTempDir("not_allowed");
+ File accessTokenFile = new File(tmpDir, "not_allowed.json");
+ Map<String, ?> configs =
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL,
accessTokenFile.toURI().toString());
+ assertThrowsWithMessage(IllegalArgumentException.class, () ->
AccessTokenRetrieverFactory.create(configs, Collections.emptyMap()),
+ accessTokenFile.toURI().toString() + " is not allowed. Update
System property 'org.apache.kafka.sasl.oauthbearer.allowed.urls' to allow " +
accessTokenFile.toURI().toString());
Review Comment:
If so, same in `ConfigurationUtilsTest`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
