This is an automated email from the ASF dual-hosted git repository.

manikumar pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 5afce2de685 KAFKA-15077: Code to trim token in FileTokenRetriever 
(#13835)
5afce2de685 is described below

commit 5afce2de68517498e23c6c224a686115252d2611
Author: Sushant Mahajan <smaha...@confluent.io>
AuthorDate: Sun Jun 11 11:52:25 2023 +0530

    KAFKA-15077: Code to trim token in FileTokenRetriever (#13835)
    
    The FileTokenRetriever class is used to read the access_token from a file 
on the client's system, and the token is then passed along with the JAAS config to the 
OAuthBearerSaslServer. When the token is sent using FileTokenRetriever on 
the client side, an EOL character gets appended to the token, causing 
authentication to fail with the message:
    
    
    Reviewers: Manikumar Reddy <manikumar.re...@gmail.com>
---
 .../internals/secured/FileTokenRetriever.java      |  2 ++
 .../OAuthBearerLoginCallbackHandlerTest.java       | 29 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git 
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/FileTokenRetriever.java
 
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/FileTokenRetriever.java
index 6ffd9ad611d..1b8ab46a556 100644
--- 
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/FileTokenRetriever.java
+++ 
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/FileTokenRetriever.java
@@ -41,6 +41,8 @@ public class FileTokenRetriever implements 
AccessTokenRetriever {
     @Override
     public void init() throws IOException {
         this.accessToken = 
Utils.readFileAsString(accessTokenFile.toFile().getPath());
+        // always non-null; to remove any newline chars or backend will report 
err
+        this.accessToken = this.accessToken.trim();
     }
 
     @Override
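Review bot: After the added `trim()` in `init()`, a token file that is empty or holds only whitespace leaves `accessToken` as an empty string and `init()` still returns normally. Any failure would then presumably surface later as a token-validation error rather than one pointing at the file. A fail-fast guard that names the path and never the token contents would make the misconfiguration easier to diagnose, e.g. `if (this.accessToken.isEmpty()) throw new IOException("Access token file " + accessTokenFile + " is empty");`. The new comment could also say what is stripped, e.g. `// strip leading/trailing whitespace (e.g. a trailing EOL) so the token matches what the broker validates`. The rest of the class lies outside the hunk, so how `accessToken` is consumed is not visible here.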
diff --git 
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandlerTest.java
 
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandlerTest.java
index 4899e05c114..e7b839e4cfc 100644
--- 
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandlerTest.java
+++ 
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandlerTest.java
@@ -25,13 +25,16 @@ import static 
org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
 
 import java.io.File;
 import java.io.IOException;
 import java.util.Base64;
+import java.util.Calendar;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.TimeZone;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.UnsupportedCallbackException;
 import org.apache.kafka.common.config.ConfigException;
@@ -167,6 +170,32 @@ public class OAuthBearerLoginCallbackHandlerTest extends 
OAuthBearerTest {
         }
     }
 
+    @Test
+    public void testFileTokenRetrieverHandlesNewline() throws IOException {
+        Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
+        long cur = cal.getTimeInMillis() / 1000;
+        String exp = "" + (cur + 60 * 60);  // 1 hour in future
+        String iat = "" + cur;
+
+        String expected = createAccessKey("{}", String.format("{\"exp\":%s, 
\"iat\":%s, \"sub\":\"subj\"}", exp, iat), "sign");
+        String withNewline = expected + "\n";
+
+        File tmpDir = createTempDir("access-token");
+        File accessTokenFile = createTempFile(tmpDir, "access-token-", 
".json", withNewline);
+
+        Map<String, ?> configs = getSaslConfigs();
+        OAuthBearerLoginCallbackHandler handler = createHandler(new 
FileTokenRetriever(accessTokenFile.toPath()), configs);
+        OAuthBearerTokenCallback callback = new OAuthBearerTokenCallback();
+        try {
+            handler.handle(new Callback[]{callback});
+            assertEquals(callback.token().value(), expected);
+        } catch (Exception e) {
+            fail(e);
+        } finally {
+            handler.close();
+        }
+    }
+
     @Test
     public void testNotConfigured() {
         OAuthBearerLoginCallbackHandler handler = new 
OAuthBearerLoginCallbackHandler();
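Review bot: In `testFileTokenRetrieverHandlesNewline` the `assertEquals` arguments are in (actual, expected) order, so a failure report would label the two token values backwards; `assertEquals(expected, callback.token().value());` matches the JUnit signature. The `catch (Exception e) { fail(e); }` wrapper adds nothing over declaring `throws Exception` on the test method and keeping only the `finally { handler.close(); }`. The test covers a single trailing `\n` only; since the commit message speaks of "some EOL character", a second case with `"\r\n"` would pin the behaviour for token files written on Windows as well.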
