private void handleCallbackError(Exception e) throws SaslException { String msg = String.format("%s: %s", INTERNAL_ERROR_ON_SERVER, e.getMessage()); log.debug(msg, e); throw new SaslException(msg); }
private void checkAuthStatus(Socket sock, QuorumAuth.Status qpStatus) throws SaslException { if (qpStatus == QuorumAuth.Status.SUCCESS) { LOG.info("Successfully completed the authentication using SASL. server addr: {}, status: {}", sock.getRemoteSocketAddress(), qpStatus); } else { throw new SaslException("Authentication failed against server addr: " + sock.getRemoteSocketAddress() + ", qpStatus: " + qpStatus); } }
@Override public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh) throws SaslException { if (!PLAIN_MECHANISM.equals(mechanism)) throw new SaslException(String.format("Mechanism \'%s\' is not supported. Only PLAIN is supported.", mechanism)); return new PlainSaslServer(cbh); }
public ClientFinalMessage(byte[] messageBytes) throws SaslException { String message = toMessage(messageBytes); Matcher matcher = PATTERN.matcher(message); if (!matcher.matches()) throw new SaslException("Invalid SCRAM client final message format: " + message); this.channelBinding = Base64.getDecoder().decode(matcher.group("channel")); this.nonce = matcher.group("nonce"); this.proof = Base64.getDecoder().decode(matcher.group("proof")); } public ClientFinalMessage(byte[] channelBinding, String nonce) {
private void handleServerFinalMessage(byte[] signature) throws SaslException { try { byte[] serverKey = formatter.serverKey(saltedPassword); byte[] serverSignature = formatter.serverSignature(serverKey, clientFirstMessage, serverFirstMessage, clientFinalMessage); if (!Arrays.equals(signature, serverSignature)) throw new SaslException("Invalid server signature in server final message"); } catch (InvalidKeyException e) { throw new SaslException("Sasl server signature verification failed", e); } }
public ServerFirstMessage(byte[] messageBytes) throws SaslException { String message = toMessage(messageBytes); Matcher matcher = PATTERN.matcher(message); if (!matcher.matches()) throw new SaslException("Invalid SCRAM server first message format: " + message); try { this.iterations = Integer.parseInt(matcher.group("iterations")); if (this.iterations <= 0) throw new SaslException("Invalid SCRAM server first message format: invalid iterations " + iterations); } catch (NumberFormatException e) { throw new SaslException("Invalid SCRAM server first message format: invalid iterations"); } this.nonce = matcher.group("nonce"); String salt = matcher.group("salt"); this.salt = Base64.getDecoder().decode(salt); } public ServerFirstMessage(String clientNonce, String serverNonce, byte[] salt, int iterations) {
public ClientFirstMessage(byte[] messageBytes) throws SaslException { String message = toMessage(messageBytes); Matcher matcher = PATTERN.matcher(message); if (!matcher.matches()) throw new SaslException("Invalid SCRAM client first message format: " + message); String authzid = matcher.group("authzid"); this.authorizationId = authzid != null ? authzid : ""; this.saslName = matcher.group("saslname"); this.nonce = matcher.group("nonce"); String extString = matcher.group("extensions"); this.extensions = extString.startsWith(",") ? new ScramExtensions(extString.substring(1)) : new ScramExtensions(); } public ClientFirstMessage(String saslName, String nonce, Map<String, String> extensions) {
public ServerFinalMessage(byte[] messageBytes) throws SaslException { String message = toMessage(messageBytes); Matcher matcher = PATTERN.matcher(message); if (!matcher.matches()) throw new SaslException("Invalid SCRAM server final message format: " + message); String error = null; try { error = matcher.group("error"); } catch (IllegalArgumentException e) { // ignore } if (error == null) { this.serverSignature = Base64.getDecoder().decode(matcher.group("signature")); this.error = null; } else { this.serverSignature = null; this.error = error; } } public ServerFinalMessage(String error, byte[] serverSignature) {
private void createSaslServer(String mechanism) throws IOException { this.saslMechanism = mechanism; Subject subject = subjects.get(mechanism); final AuthenticateCallbackHandler callbackHandler = callbackHandlers.get(mechanism); if (mechanism.equals(SaslConfigs.GSSAPI_MECHANISM)) { saslServer = createSaslKerberosServer(callbackHandler, configs, subject); } else { try { saslServer = Subject.doAs(subject, (PrivilegedExceptionAction<SaslServer>) () -> Sasl.createSaslServer(saslMechanism, "kafka", serverAddress().getHostName(), configs, callbackHandler)); } catch (PrivilegedActionException e) { throw new SaslException("Kafka Server failed to create a SaslServer to interact with a client during session authentication", e.getCause()); } } }
private void verifyClientProof(ClientFinalMessage clientFinalMessage) throws SaslException { try { byte[] expectedStoredKey = scramCredential.storedKey(); byte[] clientSignature = formatter.clientSignature(expectedStoredKey, clientFirstMessage, serverFirstMessage, clientFinalMessage); byte[] computedStoredKey = formatter.storedKey(clientSignature, clientFinalMessage.proof()); if (!Arrays.equals(computedStoredKey, expectedStoredKey)) throw new SaslException("Invalid client credentials"); } catch (InvalidKeyException e) { throw new SaslException("Sasl client verification failed", e); } }
@Override public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh) throws SaslException { if (!ScramMechanism.isScram(mechanism)) { throw new SaslException(String.format("Requested mechanism '%s' is not supported. Supported mechanisms are '%s'.", mechanism, ScramMechanism.mechanismNames())); } try { return new ScramSaslServer(ScramMechanism.forMechanismName(mechanism), props, cbh); } catch (NoSuchAlgorithmException e) { throw new SaslException("Hash algorithm not supported for mechanism " + mechanism, e); } }
@Override public SaslClient createSaslClient(String[] mechanisms, String authorizationId, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh) throws SaslException { ScramMechanism mechanism = null; for (String mech : mechanisms) { mechanism = ScramMechanism.forMechanismName(mech); if (mechanism != null) break; } if (mechanism == null) throw new SaslException(String.format("Requested mechanisms '%s' not supported. Supported mechanisms are '%s'.", Arrays.asList(mechanisms), ScramMechanism.mechanismNames())); try { return new ScramSaslClient(mechanism, cbh); } catch (NoSuchAlgorithmException e) { throw new SaslException("Hash algorithm not supported for mechanism " + mechanism, e); } }
private SaslExtensions retrieveCustomExtensions() throws SaslException { SaslExtensionsCallback extensionsCallback = new SaslExtensionsCallback(); try { callbackHandler().handle(new Callback[] {extensionsCallback}); } catch (UnsupportedCallbackException e) { log.debug("Extensions callback is not supported by client callback handler {}, no extensions will be added", callbackHandler()); } catch (Exception e) { throw new SaslException("SASL extensions could not be obtained", e); } return extensionsCallback.extensions(); }
private void sendSaslPacket(byte[] saslToken, ClientCnxn cnxn) throws SaslException{ if (LOG.isDebugEnabled()) { LOG.debug("ClientCnxn:sendSaslPacket:length="+saslToken.length); } GetSASLRequest request = new GetSASLRequest(); request.setToken(saslToken); SetSASLResponse response = new SetSASLResponse(); ServerSaslResponseCallback cb = new ServerSaslResponseCallback(); try { cnxn.sendPacket(request,response,cb, ZooDefs.OpCode.sasl); } catch (IOException e) { throw new SaslException("Failed to send SASL packet to server.", e); } }
public static TTransport getTokenTransport(String tokenStr, String host, TTransport underlyingTransport, Map<String, String> saslProps) throws SaslException { HadoopThriftAuthBridge.Client authBridge = HadoopThriftAuthBridge.getBridge().createClientWithConf("kerberos"); try { return authBridge.createClientTransport(null, host, "DIGEST", tokenStr, underlyingTransport, saslProps); } catch (IOException e) { throw new SaslException("Failed to open client transport", e); } }
public void initialize(ClientCnxn cnxn) throws SaslException { if (saslClient == null) { saslState = SaslState.FAILED; throw new SaslException("saslClient failed to initialize properly: it's null."); } if (saslState == SaslState.INITIAL) { if (saslClient.hasInitialResponse()) { sendSaslPacket(cnxn); } else { byte[] emptyToken = new byte[0]; sendSaslPacket(emptyToken, cnxn); } saslState = SaslState.INTERMEDIATE; } }
@Override public void dispose() throws IOException { if (!server.isComplete()) { onError(new SaslException("Server closed before SASL negotiation finished.")); } server.dispose(); }
@Override public void dispose() throws IOException { if (!client.isComplete()) { onError(new SaslException("Client closed before SASL negotiation finished.")); } client.dispose(); }
private ClientFinalMessage handleServerFirstMessage(char[] password) throws SaslException { try { byte[] passwordBytes = formatter.normalize(new String(password)); this.saltedPassword = formatter.hi(passwordBytes, serverFirstMessage.salt(), serverFirstMessage.iterations()); ClientFinalMessage clientFinalMessage = new ClientFinalMessage("n,,".getBytes(StandardCharsets.UTF_8), serverFirstMessage.nonce()); byte[] clientProof = formatter.clientProof(saltedPassword, clientFirstMessage, serverFirstMessage, clientFinalMessage); clientFinalMessage.proof(clientProof); return clientFinalMessage; } catch (InvalidKeyException e) { throw new SaslException("Client final message could not be created", e); } }
private void sendSaslPacket(ClientCnxn cnxn) throws SaslException { if (LOG.isDebugEnabled()) { LOG.debug("ClientCnxn:sendSaslPacket:length="+saslToken.length); } GetSASLRequest request = new GetSASLRequest(); request.setToken(createSaslToken()); SetSASLResponse response = new SetSASLResponse(); ServerSaslResponseCallback cb = new ServerSaslResponseCallback(); try { cnxn.sendPacket(request,response,cb, ZooDefs.OpCode.sasl); } catch (IOException e) { throw new SaslException("Failed to send SASL packet to server due " + "to IOException:", e); } }