This is an automated email from the ASF dual-hosted git repository. manikumar pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/trunk by this push: new 5afce2de685 KAFKA-15077: Code to trim token in FileTokenRetriever (#13835) 5afce2de685 is described below commit 5afce2de68517498e23c6c224a686115252d2611 Author: Sushant Mahajan <smaha...@confluent.io> AuthorDate: Sun Jun 11 11:52:25 2023 +0530 KAFKA-15077: Code to trim token in FileTokenRetriever (#13835) The FileTokenRetriever class is used to read the access_token from a file on the clients system and then it is passed along with the jaas config to the OAuthBearerSaslServer. In case the token was sent using FileTokenRetriever on the client side, some EOL character is getting appended to the token, causing authentication to fail with the message: Reviewers: Manikumar Reddy <manikumar.re...@gmail.com> --- .../internals/secured/FileTokenRetriever.java | 2 ++ .../OAuthBearerLoginCallbackHandlerTest.java | 29 ++++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/FileTokenRetriever.java b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/FileTokenRetriever.java index 6ffd9ad611d..1b8ab46a556 100644 --- a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/FileTokenRetriever.java +++ b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/FileTokenRetriever.java @@ -41,6 +41,8 @@ public class FileTokenRetriever implements AccessTokenRetriever { @Override public void init() throws IOException { this.accessToken = Utils.readFileAsString(accessTokenFile.toFile().getPath()); + // always non-null; to remove any newline chars or backend will report err + this.accessToken = this.accessToken.trim(); } @Override 
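Review bot: After the added `trim()` in `init()`, an empty or whitespace-only token file leaves `accessToken` as an empty string and `init()` still returns normally, so the misconfiguration only surfaces later, presumably when the token is validated or rejected by the broker (that path is outside this hunk). Failing here would be easier to diagnose, for example `if (this.accessToken.isEmpty()) throw new IOException("Access token file " + accessTokenFile + " contains no token");`, with the message limited to the file path and never the token contents. `String.trim()` strips only leading and trailing characters at or below U+0020, so a byte-order mark at the start of the file or a line break inside a wrapped token would still reach the server unchanged. The comment could state the intent more directly, e.g. `// strip surrounding whitespace/EOL: a trailing newline in the file makes the server reject the token`.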
diff --git a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandlerTest.java b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandlerTest.java index 4899e05c114..e7b839e4cfc 100644 --- a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandlerTest.java +++ b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandlerTest.java @@ -25,13 +25,16 @@ import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNull; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.junit.jupiter.api.Assertions.fail; import java.io.File; import java.io.IOException; import java.util.Base64; +import java.util.Calendar; import java.util.Collections; import java.util.HashMap; import java.util.Map; +import java.util.TimeZone; import javax.security.auth.callback.Callback; import javax.security.auth.callback.UnsupportedCallbackException; import org.apache.kafka.common.config.ConfigException; 
@@ -167,6 +170,32 @@ public class OAuthBearerLoginCallbackHandlerTest extends OAuthBearerTest { } } + @Test + public void testFileTokenRetrieverHandlesNewline() throws IOException { + Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("UTC")); + long cur = cal.getTimeInMillis() / 1000; + String exp = "" + (cur + 60 * 60); // 1 hour in future + String iat = "" + cur; + + String expected = createAccessKey("{}", String.format("{\"exp\":%s, \"iat\":%s, \"sub\":\"subj\"}", exp, iat), "sign"); + String withNewline = expected + "\n"; + + File tmpDir = createTempDir("access-token"); + File accessTokenFile = createTempFile(tmpDir, "access-token-", ".json", withNewline); + + Map<String, ?> configs = getSaslConfigs(); + OAuthBearerLoginCallbackHandler handler = createHandler(new FileTokenRetriever(accessTokenFile.toPath()), configs); + OAuthBearerTokenCallback callback = new OAuthBearerTokenCallback(); + try { + handler.handle(new Callback[]{callback}); + assertEquals(callback.token().value(), expected); + } catch (Exception e) { + fail(e); + } finally { + handler.close(); + } + } + @Test public void testNotConfigured() { OAuthBearerLoginCallbackHandler handler = new OAuthBearerLoginCallbackHandler();
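Review bot: `testFileTokenRetrieverHandlesNewline` exercises only a single trailing `\n`, so the CRLF ending that a token file edited on Windows would carry, and leading whitespace, are not pinned even though the `trim()` fix is meant to cover them; a second case built from `expected + "\r\n"` would close that gap. The assertion passes its arguments in the reverse of JUnit 5's (expected, actual) order, which makes a failure report misleading: `assertEquals(expected, callback.token().value());`. The `catch (Exception e) { fail(e); }` wrapper adds nothing over declaring `throws Exception` on the method and keeping the `finally { handler.close(); }`. The timestamp can be `long cur = System.currentTimeMillis() / 1000;`, which would make the `Calendar` and `TimeZone` imports added in the preceding hunk unnecessary.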