This is an automated email from the ASF dual-hosted git repository.
dimas pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/polaris.git
The following commit(s) were added to refs/heads/main by this push:
new fa472299f Embrace request-scoped TokenBroker (#3024)
fa472299f is described below
commit fa472299fdf86736822b5fb60c0cfe22633603ac
Author: Christopher Lambert <[email protected]>
AuthorDate: Wed Nov 12 15:20:10 2025 +0100
Embrace request-scoped TokenBroker (#3024)
* Embrace request-scoped TokenBroker
`TokenBroker` and `CallContext` are both request-scoped, so instead of
passing the latter into every `TokenBroker` method, we can hand the call
context to the broker at construction time via the `TokenBrokerFactory`
and thus simplify the `TokenBroker` interface.
---
.../service/auth/internal/broker/JWTBroker.java | 15 +++--
.../auth/internal/broker/RSAKeyPairJWTBroker.java | 4 +-
.../broker/RSAKeyPairJWTBrokerFactory.java | 36 +++++------
.../internal/broker/SymmetricKeyJWTBroker.java | 4 +-
.../broker/SymmetricKeyJWTBrokerFactory.java | 65 +++++++++----------
.../service/auth/internal/broker/TokenBroker.java | 3 -
.../auth/internal/broker/TokenBrokerFactory.java | 9 ++-
.../internal/service/DefaultOAuth2ApiService.java | 19 +-----
.../polaris/service/config/ServiceProducers.java | 7 +-
.../broker/JWTSymmetricKeyGeneratorTest.java | 4 +-
.../internal/broker/RSAKeyPairJWTBrokerTest.java | 4 +-
.../service/DefaultOAuth2ApiServiceTest.java | 74 ++++------------------
12 files changed, 91 insertions(+), 153 deletions(-)
diff --git
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/JWTBroker.java
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/JWTBroker.java
index 71ea0d054..2779f5a58 100644
---
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/JWTBroker.java
+++
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/JWTBroker.java
@@ -49,10 +49,15 @@ public abstract class JWTBroker implements TokenBroker {
private static final String CLAIM_KEY_SCOPE = "scope";
private final PolarisMetaStoreManager metaStoreManager;
+ private final PolarisCallContext polarisCallContext;
private final int maxTokenGenerationInSeconds;
- JWTBroker(PolarisMetaStoreManager metaStoreManager, int
maxTokenGenerationInSeconds) {
+ JWTBroker(
+ PolarisMetaStoreManager metaStoreManager,
+ PolarisCallContext polarisCallContext,
+ int maxTokenGenerationInSeconds) {
this.metaStoreManager = metaStoreManager;
+ this.polarisCallContext = polarisCallContext;
this.maxTokenGenerationInSeconds = maxTokenGenerationInSeconds;
}
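Review bot: The constructor stores `polarisCallContext` without a null check, so a factory passing null would only surface as an NPE inside `findPrincipalEntity` at token-issuance time rather than at construction; `this.polarisCallContext = Objects.requireNonNull(polarisCallContext, "polarisCallContext");` (java.util.Objects, whose import is not visible in this hunk) fails fast, and the same applies to `metaStoreManager`. Since the broker now captures a request-scoped context in a field, that contract should be stated next to it, e.g. `// Holds the current request's PolarisCallContext; instances are created per request by the TokenBrokerFactory and must not be cached or shared across requests.` The class-level Javadoc that would also carry this is outside the hunk.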
@@ -86,7 +91,6 @@ public abstract class JWTBroker implements TokenBroker {
String subjectToken,
String grantType,
String scope,
- PolarisCallContext polarisCallContext,
TokenType requestedTokenType) {
if (requestedTokenType != null &&
!TokenType.ACCESS_TOKEN.equals(requestedTokenType)) {
return TokenResponse.of(OAuthError.invalid_request);
@@ -125,7 +129,6 @@ public abstract class JWTBroker implements TokenBroker {
String clientSecret,
String grantType,
String scope,
- PolarisCallContext polarisCallContext,
TokenType requestedTokenType) {
// Initial sanity checks
TokenRequestValidator validator = new TokenRequestValidator();
@@ -135,8 +138,7 @@ public abstract class JWTBroker implements TokenBroker {
return TokenResponse.of(initialValidationResponse.get());
}
- Optional<PrincipalEntity> principal =
- findPrincipalEntity(clientId, clientSecret, polarisCallContext);
+ Optional<PrincipalEntity> principal = findPrincipalEntity(clientId,
clientSecret);
if (principal.isEmpty()) {
return TokenResponse.of(OAuthError.unauthorized_client);
}
@@ -176,8 +178,7 @@ public abstract class JWTBroker implements TokenBroker {
return scope == null || scope.isBlank() ?
DefaultAuthenticator.PRINCIPAL_ROLE_ALL : scope;
}
- private Optional<PrincipalEntity> findPrincipalEntity(
- String clientId, String clientSecret, PolarisCallContext
polarisCallContext) {
+ private Optional<PrincipalEntity> findPrincipalEntity(String clientId,
String clientSecret) {
// Validate the principal is present and secrets match
PrincipalSecretsResult principalSecrets =
metaStoreManager.loadPrincipalSecrets(polarisCallContext, clientId);
diff --git
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/RSAKeyPairJWTBroker.java
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/RSAKeyPairJWTBroker.java
index a2d903f6e..f70623f02 100644
---
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/RSAKeyPairJWTBroker.java
+++
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/RSAKeyPairJWTBroker.java
@@ -21,6 +21,7 @@ package org.apache.polaris.service.auth.internal.broker;
import com.auth0.jwt.algorithms.Algorithm;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
+import org.apache.polaris.core.PolarisCallContext;
import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
/** Generates a JWT using a Public/Private RSA Key */
@@ -30,9 +31,10 @@ public class RSAKeyPairJWTBroker extends JWTBroker {
RSAKeyPairJWTBroker(
PolarisMetaStoreManager metaStoreManager,
+ PolarisCallContext polarisCallContext,
int maxTokenGenerationInSeconds,
KeyProvider keyProvider) {
- super(metaStoreManager, maxTokenGenerationInSeconds);
+ super(metaStoreManager, polarisCallContext, maxTokenGenerationInSeconds);
this.keyProvider = keyProvider;
}
diff --git
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/RSAKeyPairJWTBrokerFactory.java
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/RSAKeyPairJWTBrokerFactory.java
index 74b4f90ef..6a6c81bb0 100644
---
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/RSAKeyPairJWTBrokerFactory.java
+++
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/RSAKeyPairJWTBrokerFactory.java
@@ -25,8 +25,8 @@ import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
+import org.apache.polaris.core.PolarisCallContext;
import org.apache.polaris.core.context.RealmContext;
-import org.apache.polaris.core.persistence.MetaStoreManagerFactory;
import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
import org.apache.polaris.service.auth.AuthenticationConfiguration;
import org.apache.polaris.service.auth.AuthenticationRealmConfiguration;
@@ -36,38 +36,32 @@ import
org.apache.polaris.service.auth.AuthenticationRealmConfiguration.TokenBro
@Identifier("rsa-key-pair")
public class RSAKeyPairJWTBrokerFactory implements TokenBrokerFactory {
- private final MetaStoreManagerFactory metaStoreManagerFactory;
private final AuthenticationConfiguration authenticationConfiguration;
- private final ConcurrentMap<String, RSAKeyPairJWTBroker> tokenBrokers = new
ConcurrentHashMap<>();
+ private final ConcurrentMap<String, KeyProvider> keyProviders = new
ConcurrentHashMap<>();
@Inject
- public RSAKeyPairJWTBrokerFactory(
- MetaStoreManagerFactory metaStoreManagerFactory,
- AuthenticationConfiguration authenticationConfiguration) {
- this.metaStoreManagerFactory = metaStoreManagerFactory;
+ public RSAKeyPairJWTBrokerFactory(AuthenticationConfiguration
authenticationConfiguration) {
this.authenticationConfiguration = authenticationConfiguration;
}
@Override
- public TokenBroker apply(RealmContext realmContext) {
- return tokenBrokers.computeIfAbsent(
- realmContext.getRealmIdentifier(), k ->
createTokenBroker(realmContext));
- }
-
- private RSAKeyPairJWTBroker createTokenBroker(RealmContext realmContext) {
+ public TokenBroker create(
+ PolarisMetaStoreManager metaStoreManager, PolarisCallContext
polarisCallContext) {
+ RealmContext realmContext = polarisCallContext.getRealmContext();
AuthenticationRealmConfiguration config =
authenticationConfiguration.forRealm(realmContext);
Duration maxTokenGeneration = config.tokenBroker().maxTokenGeneration();
KeyProvider keyProvider =
- config
- .tokenBroker()
- .rsaKeyPair()
- .map(this::fileSystemKeyPair)
- .orElseGet(this::generateEphemeralKeyPair);
- PolarisMetaStoreManager metaStoreManager =
- metaStoreManagerFactory.getOrCreateMetaStoreManager(realmContext);
+ keyProviders.computeIfAbsent(
+ realmContext.getRealmIdentifier(),
+ k ->
+ config
+ .tokenBroker()
+ .rsaKeyPair()
+ .map(this::fileSystemKeyPair)
+ .orElseGet(this::generateEphemeralKeyPair));
return new RSAKeyPairJWTBroker(
- metaStoreManager, (int) maxTokenGeneration.toSeconds(), keyProvider);
+ metaStoreManager, polarisCallContext, (int)
maxTokenGeneration.toSeconds(), keyProvider);
}
private KeyProvider fileSystemKeyPair(RSAKeyPairConfiguration config) {
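Review bot: The `keyProviders` cache carries no explanation of why it must outlive the request, and that is the security-relevant part of this hunk: the broker is now built per request, so if the KeyProvider were not cached per realm the `orElseGet(this::generateEphemeralKeyPair)` path (its body is outside this hunk, so I infer from the name) would mint a fresh RSA key pair on every request and every previously issued token would fail signature verification. Suggest on the field: `// Cached per realm for the lifetime of the factory: with an ephemeral key pair, a new provider per request would invalidate every token issued so far.` Note also that `config` is resolved per request but `rsaKeyPair()` is consulted only on first use for a realm, so a later change to that setting is ignored until restart while `maxTokenGeneration` takes effect immediately; worth a one-line comment if that asymmetry is intentional.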
diff --git
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/SymmetricKeyJWTBroker.java
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/SymmetricKeyJWTBroker.java
index 0ca456f26..98315fdd0 100644
---
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/SymmetricKeyJWTBroker.java
+++
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/SymmetricKeyJWTBroker.java
@@ -20,6 +20,7 @@ package org.apache.polaris.service.auth.internal.broker;
import com.auth0.jwt.algorithms.Algorithm;
import java.util.function.Supplier;
+import org.apache.polaris.core.PolarisCallContext;
import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
/** Generates a JWT using a Symmetric Key. */
@@ -28,9 +29,10 @@ public class SymmetricKeyJWTBroker extends JWTBroker {
public SymmetricKeyJWTBroker(
PolarisMetaStoreManager metaStoreManager,
+ PolarisCallContext polarisCallContext,
int maxTokenGenerationInSeconds,
Supplier<String> secretSupplier) {
- super(metaStoreManager, maxTokenGenerationInSeconds);
+ super(metaStoreManager, polarisCallContext, maxTokenGenerationInSeconds);
this.secretSupplier = secretSupplier;
}
diff --git
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/SymmetricKeyJWTBrokerFactory.java
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/SymmetricKeyJWTBrokerFactory.java
index 302b32393..b8fb3176c 100644
---
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/SymmetricKeyJWTBrokerFactory.java
+++
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/SymmetricKeyJWTBrokerFactory.java
@@ -27,11 +27,13 @@ import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.time.Duration;
+import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.function.Supplier;
+import org.apache.polaris.core.PolarisCallContext;
import org.apache.polaris.core.context.RealmContext;
-import org.apache.polaris.core.persistence.MetaStoreManagerFactory;
+import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
import org.apache.polaris.service.auth.AuthenticationConfiguration;
import org.apache.polaris.service.auth.AuthenticationRealmConfiguration;
import
org.apache.polaris.service.auth.AuthenticationRealmConfiguration.TokenBrokerConfiguration.SymmetricKeyConfiguration;
@@ -40,51 +42,46 @@ import
org.apache.polaris.service.auth.AuthenticationRealmConfiguration.TokenBro
@Identifier("symmetric-key")
public class SymmetricKeyJWTBrokerFactory implements TokenBrokerFactory {
- private final MetaStoreManagerFactory metaStoreManagerFactory;
private final AuthenticationConfiguration authenticationConfiguration;
- private final ConcurrentMap<String, SymmetricKeyJWTBroker> tokenBrokers =
- new ConcurrentHashMap<>();
+ private final ConcurrentMap<String, Supplier<String>> secretSuppliers = new
ConcurrentHashMap<>();
@Inject
- public SymmetricKeyJWTBrokerFactory(
- MetaStoreManagerFactory metaStoreManagerFactory,
- AuthenticationConfiguration authenticationConfiguration) {
- this.metaStoreManagerFactory = metaStoreManagerFactory;
+ public SymmetricKeyJWTBrokerFactory(AuthenticationConfiguration
authenticationConfiguration) {
this.authenticationConfiguration = authenticationConfiguration;
}
@Override
- public TokenBroker apply(RealmContext realmContext) {
- return tokenBrokers.computeIfAbsent(
- realmContext.getRealmIdentifier(), k ->
createTokenBroker(realmContext));
- }
-
- private SymmetricKeyJWTBroker createTokenBroker(RealmContext realmContext) {
+ public TokenBroker create(
+ PolarisMetaStoreManager metaStoreManager, PolarisCallContext
polarisCallContext) {
+ RealmContext realmContext = polarisCallContext.getRealmContext();
AuthenticationRealmConfiguration config =
authenticationConfiguration.forRealm(realmContext);
Duration maxTokenGeneration = config.tokenBroker().maxTokenGeneration();
- SymmetricKeyConfiguration symmetricKeyConfiguration =
- config
- .tokenBroker()
- .symmetricKey()
- .orElseThrow(() -> new IllegalStateException("Symmetric key
configuration is missing"));
- String secret = symmetricKeyConfiguration.secret().orElse(null);
- Path file = symmetricKeyConfiguration.file().orElse(null);
- checkState(secret != null || file != null, "Either file or secret must be
set");
- Supplier<String> secretSupplier = secret != null ? () -> secret :
readSecretFromDisk(file);
+ Supplier<String> secretSupplier =
+ secretSuppliers.computeIfAbsent(
+ realmContext.getRealmIdentifier(),
+ k -> {
+ SymmetricKeyConfiguration symmetricKeyConfiguration =
+ config
+ .tokenBroker()
+ .symmetricKey()
+ .orElseThrow(
+ () ->
+ new IllegalStateException("Symmetric key
configuration is missing"));
+ String secret = symmetricKeyConfiguration.secret().orElse(null);
+ Path file = symmetricKeyConfiguration.file().orElse(null);
+ checkState(secret != null || file != null, "Either file or
secret must be set");
+ return () -> Objects.requireNonNullElseGet(secret, () ->
readSecretFromDisk(file));
+ });
return new SymmetricKeyJWTBroker(
- metaStoreManagerFactory.getOrCreateMetaStoreManager(realmContext),
- (int) maxTokenGeneration.toSeconds(),
- secretSupplier);
+ metaStoreManager, polarisCallContext, (int)
maxTokenGeneration.toSeconds(), secretSupplier);
}
- private static Supplier<String> readSecretFromDisk(Path file) {
- return () -> {
- try {
- return Files.readString(file);
- } catch (IOException e) {
- throw new RuntimeException("Failed to read secret from file: " + file,
e);
- }
- };
+ private static String readSecretFromDisk(Path file) {
+ try {
+ return Files.readString(file);
+ } catch (IOException e) {
+ throw new RuntimeException("Failed to read secret from file: " + file,
e);
+ }
}
}
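Review bot: `readSecretFromDisk` hands back whatever `Files.readString(file)` returns without validating it, so an empty or truncated file — e.g. one observed mid-rotation, since the cached supplier re-reads the file on every `get()` — would be passed to the broker as HMAC key material instead of being rejected; add `checkState(!secret.isBlank(), "Secret file is empty: " + file);` before returning (same helper already used above). Relatedly, `readString` keeps any trailing newline an editor adds, so a file-based key will differ from the same bytes supplied inline via `secret`; if that is not intended, strip it here, and either way document it where the `file` option is described. Because the `secret`/`file` validation runs once per realm inside `computeIfAbsent` while the file read happens on every signing and verification, a comment on `secretSuppliers` stating that hot rotation of the file is the intended behaviour would help the next reader.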
diff --git
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/TokenBroker.java
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/TokenBroker.java
index e35561b07..50597b006 100644
---
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/TokenBroker.java
+++
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/TokenBroker.java
@@ -18,7 +18,6 @@
*/
package org.apache.polaris.service.auth.internal.broker;
-import org.apache.polaris.core.PolarisCallContext;
import org.apache.polaris.service.auth.PolarisCredential;
import org.apache.polaris.service.types.TokenType;
@@ -39,7 +38,6 @@ public interface TokenBroker {
final String clientSecret,
final String grantType,
final String scope,
- PolarisCallContext polarisCallContext,
TokenType requestedTokenType);
/**
@@ -52,7 +50,6 @@ public interface TokenBroker {
String subjectToken,
final String grantType,
final String scope,
- PolarisCallContext polarisCallContext,
TokenType requestedTokenType);
/** Decodes and verifies the token, then returns the associated {@link
PolarisCredential}. */
diff --git
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/TokenBrokerFactory.java
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/TokenBrokerFactory.java
index 52d8aa1b7..9d3226701 100644
---
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/TokenBrokerFactory.java
+++
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/TokenBrokerFactory.java
@@ -18,11 +18,14 @@
*/
package org.apache.polaris.service.auth.internal.broker;
-import java.util.function.Function;
-import org.apache.polaris.core.context.RealmContext;
+import org.apache.polaris.core.PolarisCallContext;
+import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
/**
* Factory that creates a {@link TokenBroker} for generating and parsing. The
{@link TokenBroker} is
* created based on the realm context.
*/
-public interface TokenBrokerFactory extends Function<RealmContext,
TokenBroker> {}
+public interface TokenBrokerFactory {
+ TokenBroker create(
+ PolarisMetaStoreManager metaStoreManager, PolarisCallContext
polarisCallContext);
+}
diff --git
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/service/DefaultOAuth2ApiService.java
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/service/DefaultOAuth2ApiService.java
index e02f93888..8400bd327 100644
---
a/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/service/DefaultOAuth2ApiService.java
+++
b/runtime/service/src/main/java/org/apache/polaris/service/auth/internal/service/DefaultOAuth2ApiService.java
@@ -27,7 +27,6 @@ import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.SecurityContext;
import java.util.Base64;
import org.apache.iceberg.rest.responses.OAuthTokenResponse;
-import org.apache.polaris.core.context.CallContext;
import org.apache.polaris.core.context.RealmContext;
import org.apache.polaris.service.auth.internal.broker.TokenBroker;
import org.apache.polaris.service.auth.internal.broker.TokenResponse;
@@ -49,12 +48,10 @@ public class DefaultOAuth2ApiService implements
IcebergRestOAuth2ApiService {
private static final String BEARER = "bearer";
private final TokenBroker tokenBroker;
- private final CallContext callContext;
@Inject
- public DefaultOAuth2ApiService(TokenBroker tokenBroker, CallContext
callContext) {
+ public DefaultOAuth2ApiService(TokenBroker tokenBroker) {
this.tokenBroker = tokenBroker;
- this.callContext = callContext;
}
@Override
@@ -104,21 +101,11 @@ public class DefaultOAuth2ApiService implements
IcebergRestOAuth2ApiService {
if (clientSecret != null) {
tokenResponse =
tokenBroker.generateFromClientSecrets(
- clientId,
- clientSecret,
- grantType,
- scope,
- callContext.getPolarisCallContext(),
- requestedTokenType);
+ clientId, clientSecret, grantType, scope, requestedTokenType);
} else if (subjectToken != null) {
tokenResponse =
tokenBroker.generateFromToken(
- subjectTokenType,
- subjectToken,
- grantType,
- scope,
- callContext.getPolarisCallContext(),
- requestedTokenType);
+ subjectTokenType, subjectToken, grantType, scope,
requestedTokenType);
} else {
return OAuthUtils.getResponseFromError(OAuthError.invalid_request);
}
diff --git
a/runtime/service/src/main/java/org/apache/polaris/service/config/ServiceProducers.java
b/runtime/service/src/main/java/org/apache/polaris/service/config/ServiceProducers.java
index 13768f2ba..080cbc5ba 100644
---
a/runtime/service/src/main/java/org/apache/polaris/service/config/ServiceProducers.java
+++
b/runtime/service/src/main/java/org/apache/polaris/service/config/ServiceProducers.java
@@ -398,13 +398,14 @@ public class ServiceProducers {
@RequestScoped
public TokenBroker tokenBroker(
AuthenticationRealmConfiguration config,
- RealmContext realmContext,
- @Any Instance<TokenBrokerFactory> tokenBrokerFactories) {
+ @Any Instance<TokenBrokerFactory> tokenBrokerFactories,
+ PolarisMetaStoreManager polarisMetaStoreManager,
+ CallContext callContext) {
String type =
config.type() == AuthenticationType.EXTERNAL ? "none" :
config.tokenBroker().type();
TokenBrokerFactory tokenBrokerFactory =
tokenBrokerFactories.select(Identifier.Literal.of(type)).get();
- return tokenBrokerFactory.apply(realmContext);
+ return tokenBrokerFactory.create(polarisMetaStoreManager,
callContext.getPolarisCallContext());
}
// other beans
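Review bot: The realm used to select key material is now taken from `callContext.getPolarisCallContext()` inside the factories, while the principal lookup uses the separately injected `polarisMetaStoreManager`; how that bean is produced is not visible here, so it is worth confirming it resolves to the same realm as the call context, since the removed code derived both from the single `realmContext` parameter. A comment such as `// Both beans are scoped to the current request's realm; the factory uses the call context's realm to select signing keys.` would make that invariant explicit at the producer.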
diff --git
a/runtime/service/src/test/java/org/apache/polaris/service/auth/internal/broker/JWTSymmetricKeyGeneratorTest.java
b/runtime/service/src/test/java/org/apache/polaris/service/auth/internal/broker/JWTSymmetricKeyGeneratorTest.java
index 651fc1a9d..058542d35 100644
---
a/runtime/service/src/test/java/org/apache/polaris/service/auth/internal/broker/JWTSymmetricKeyGeneratorTest.java
+++
b/runtime/service/src/test/java/org/apache/polaris/service/auth/internal/broker/JWTSymmetricKeyGeneratorTest.java
@@ -52,14 +52,14 @@ public class JWTSymmetricKeyGeneratorTest {
new
PrincipalEntity.Builder().setId(principalId).setName("principal").build();
Mockito.when(metastoreManager.findPrincipalById(polarisCallContext,
principalId))
.thenReturn(Optional.of(principal));
- TokenBroker generator = new SymmetricKeyJWTBroker(metastoreManager, 666,
() -> "polaris");
+ TokenBroker generator =
+ new SymmetricKeyJWTBroker(metastoreManager, polarisCallContext, 666,
() -> "polaris");
TokenResponse token =
generator.generateFromClientSecrets(
clientId,
mainSecret,
TokenRequestValidator.CLIENT_CREDENTIALS,
"PRINCIPAL_ROLE:TEST",
- polarisCallContext,
TokenType.ACCESS_TOKEN);
assertThat(token).isNotNull();
diff --git
a/runtime/service/src/test/java/org/apache/polaris/service/auth/internal/broker/RSAKeyPairJWTBrokerTest.java
b/runtime/service/src/test/java/org/apache/polaris/service/auth/internal/broker/RSAKeyPairJWTBrokerTest.java
index 13bd7f3df..32d45c1ee 100644
---
a/runtime/service/src/test/java/org/apache/polaris/service/auth/internal/broker/RSAKeyPairJWTBrokerTest.java
+++
b/runtime/service/src/test/java/org/apache/polaris/service/auth/internal/broker/RSAKeyPairJWTBrokerTest.java
@@ -64,14 +64,14 @@ public class RSAKeyPairJWTBrokerTest {
Mockito.when(metastoreManager.findPrincipalById(polarisCallContext,
principalId))
.thenReturn(Optional.of(principal));
KeyProvider provider = new LocalRSAKeyProvider(keyPair);
- TokenBroker tokenBroker = new RSAKeyPairJWTBroker(metastoreManager, 420,
provider);
+ TokenBroker tokenBroker =
+ new RSAKeyPairJWTBroker(metastoreManager, polarisCallContext, 420,
provider);
TokenResponse token =
tokenBroker.generateFromClientSecrets(
clientId,
mainSecret,
TokenRequestValidator.CLIENT_CREDENTIALS,
scope,
- polarisCallContext,
TokenType.ACCESS_TOKEN);
assertThat(token).isNotNull();
assertThat(token.getExpiresIn()).isEqualTo(420);
diff --git
a/runtime/service/src/test/java/org/apache/polaris/service/auth/internal/service/DefaultOAuth2ApiServiceTest.java
b/runtime/service/src/test/java/org/apache/polaris/service/auth/internal/service/DefaultOAuth2ApiServiceTest.java
index 14bcc45bb..f8dff0269 100644
---
a/runtime/service/src/test/java/org/apache/polaris/service/auth/internal/service/DefaultOAuth2ApiServiceTest.java
+++
b/runtime/service/src/test/java/org/apache/polaris/service/auth/internal/service/DefaultOAuth2ApiServiceTest.java
@@ -24,15 +24,12 @@ import jakarta.ws.rs.core.Response;
import java.nio.charset.Charset;
import java.util.Base64;
import org.apache.iceberg.rest.responses.OAuthTokenResponse;
-import org.apache.polaris.core.PolarisCallContext;
-import org.apache.polaris.core.context.CallContext;
import org.apache.polaris.core.context.RealmContext;
import org.apache.polaris.service.auth.internal.broker.TokenBroker;
import org.apache.polaris.service.auth.internal.broker.TokenResponse;
import org.apache.polaris.service.types.TokenType;
import org.assertj.core.api.Assertions;
import org.assertj.core.api.InstanceOfAssertFactories;
-import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
@@ -41,14 +38,6 @@ class DefaultOAuth2ApiServiceTest {
private static final String CLIENT_CREDENTIALS = "client_credentials";
private static final String TOKEN_EXCHANGE =
"urn:ietf:params:oauth:grant-type:token-exchange";
- private CallContext callContext;
-
- @BeforeEach
- void setUp() {
- callContext = Mockito.mock(CallContext.class);
-
when(callContext.getPolarisCallContext()).thenReturn(Mockito.mock(PolarisCallContext.class));
- }
-
@Test
public void testNoSupportGrantType() {
RealmContext realmContext = () -> "realm";
@@ -56,12 +45,7 @@ class DefaultOAuth2ApiServiceTest {
when(tokenBroker.supportsGrantType(CLIENT_CREDENTIALS)).thenReturn(false);
when(tokenBroker.supportsRequestedTokenType(TokenType.ACCESS_TOKEN)).thenReturn(true);
when(tokenBroker.generateFromClientSecrets(
- "client",
- "secret",
- CLIENT_CREDENTIALS,
- "scope",
- callContext.getPolarisCallContext(),
- TokenType.ACCESS_TOKEN))
+ "client", "secret", CLIENT_CREDENTIALS, "scope",
TokenType.ACCESS_TOKEN))
.thenReturn(TokenResponse.of("token",
TokenType.ACCESS_TOKEN.getValue(), 3600));
Response response =
new InvocationBuilder()
@@ -71,7 +55,7 @@ class DefaultOAuth2ApiServiceTest {
.grantType(CLIENT_CREDENTIALS)
.requestedTokenType(TokenType.ACCESS_TOKEN)
.realmContext(realmContext)
- .invoke(new DefaultOAuth2ApiService(tokenBroker, callContext));
+ .invoke(new DefaultOAuth2ApiService(tokenBroker));
Assertions.assertThat(response.getEntity())
.isInstanceOf(OAuthTokenErrorResponse.class)
.asInstanceOf(InstanceOfAssertFactories.type(OAuthTokenErrorResponse.class))
@@ -85,12 +69,7 @@ class DefaultOAuth2ApiServiceTest {
when(tokenBroker.supportsGrantType(CLIENT_CREDENTIALS)).thenReturn(true);
when(tokenBroker.supportsRequestedTokenType(TokenType.ACCESS_TOKEN)).thenReturn(false);
when(tokenBroker.generateFromClientSecrets(
- "client",
- "secret",
- CLIENT_CREDENTIALS,
- "scope",
- callContext.getPolarisCallContext(),
- TokenType.ACCESS_TOKEN))
+ "client", "secret", CLIENT_CREDENTIALS, "scope",
TokenType.ACCESS_TOKEN))
.thenReturn(TokenResponse.of("token",
TokenType.ACCESS_TOKEN.getValue(), 3600));
Response response =
new InvocationBuilder()
@@ -100,7 +79,7 @@ class DefaultOAuth2ApiServiceTest {
.grantType(CLIENT_CREDENTIALS)
.requestedTokenType(TokenType.ACCESS_TOKEN)
.realmContext(realmContext)
- .invoke(new DefaultOAuth2ApiService(tokenBroker, callContext));
+ .invoke(new DefaultOAuth2ApiService(tokenBroker));
Assertions.assertThat(response.getEntity())
.isInstanceOf(OAuthTokenErrorResponse.class)
.asInstanceOf(InstanceOfAssertFactories.type(OAuthTokenErrorResponse.class))
@@ -114,12 +93,7 @@ class DefaultOAuth2ApiServiceTest {
when(tokenBroker.supportsGrantType(CLIENT_CREDENTIALS)).thenReturn(true);
when(tokenBroker.supportsRequestedTokenType(TokenType.ACCESS_TOKEN)).thenReturn(true);
when(tokenBroker.generateFromClientSecrets(
- null,
- "secret",
- CLIENT_CREDENTIALS,
- "scope",
- callContext.getPolarisCallContext(),
- TokenType.ACCESS_TOKEN))
+ null, "secret", CLIENT_CREDENTIALS, "scope",
TokenType.ACCESS_TOKEN))
.thenReturn(TokenResponse.of("token",
TokenType.ACCESS_TOKEN.getValue(), 3600));
Response response =
new InvocationBuilder()
@@ -128,7 +102,7 @@ class DefaultOAuth2ApiServiceTest {
.grantType(CLIENT_CREDENTIALS)
.requestedTokenType(TokenType.ACCESS_TOKEN)
.realmContext(realmContext)
- .invoke(new DefaultOAuth2ApiService(tokenBroker, callContext));
+ .invoke(new DefaultOAuth2ApiService(tokenBroker));
Assertions.assertThat(response.getEntity())
.isInstanceOf(OAuthTokenResponse.class)
.asInstanceOf(InstanceOfAssertFactories.type(OAuthTokenResponse.class))
@@ -142,12 +116,7 @@ class DefaultOAuth2ApiServiceTest {
when(tokenBroker.supportsGrantType(CLIENT_CREDENTIALS)).thenReturn(true);
when(tokenBroker.supportsRequestedTokenType(TokenType.ACCESS_TOKEN)).thenReturn(true);
when(tokenBroker.generateFromClientSecrets(
- "client",
- "secret",
- CLIENT_CREDENTIALS,
- "scope",
- callContext.getPolarisCallContext(),
- TokenType.ACCESS_TOKEN))
+ "client", "secret", CLIENT_CREDENTIALS, "scope",
TokenType.ACCESS_TOKEN))
.thenReturn(TokenResponse.of("token",
TokenType.ACCESS_TOKEN.getValue(), 3600));
Response response =
new InvocationBuilder()
@@ -157,7 +126,7 @@ class DefaultOAuth2ApiServiceTest {
.grantType(CLIENT_CREDENTIALS)
.requestedTokenType(TokenType.ACCESS_TOKEN)
.realmContext(realmContext)
- .invoke(new DefaultOAuth2ApiService(tokenBroker, callContext));
+ .invoke(new DefaultOAuth2ApiService(tokenBroker));
Assertions.assertThat(response.getEntity())
.isInstanceOf(OAuthTokenResponse.class)
.asInstanceOf(InstanceOfAssertFactories.type(OAuthTokenResponse.class))
@@ -171,12 +140,7 @@ class DefaultOAuth2ApiServiceTest {
when(tokenBroker.supportsGrantType(TOKEN_EXCHANGE)).thenReturn(true);
when(tokenBroker.supportsRequestedTokenType(TokenType.ACCESS_TOKEN)).thenReturn(true);
when(tokenBroker.generateFromClientSecrets(
- "client",
- "secret",
- TOKEN_EXCHANGE,
- "scope",
- callContext.getPolarisCallContext(),
- TokenType.ACCESS_TOKEN))
+ "client", "secret", TOKEN_EXCHANGE, "scope",
TokenType.ACCESS_TOKEN))
.thenReturn(TokenResponse.of("token",
TokenType.ACCESS_TOKEN.getValue(), 3600));
Response response =
new InvocationBuilder()
@@ -188,7 +152,7 @@ class DefaultOAuth2ApiServiceTest {
.grantType(TOKEN_EXCHANGE)
.requestedTokenType(TokenType.ACCESS_TOKEN)
.realmContext(realmContext)
- .invoke(new DefaultOAuth2ApiService(tokenBroker, callContext));
+ .invoke(new DefaultOAuth2ApiService(tokenBroker));
Assertions.assertThat(response.getEntity())
.isInstanceOf(OAuthTokenResponse.class)
.asInstanceOf(InstanceOfAssertFactories.type(OAuthTokenResponse.class))
@@ -202,12 +166,7 @@ class DefaultOAuth2ApiServiceTest {
when(tokenBroker.supportsGrantType(TOKEN_EXCHANGE)).thenReturn(true);
when(tokenBroker.supportsRequestedTokenType(TokenType.ACCESS_TOKEN)).thenReturn(true);
when(tokenBroker.generateFromClientSecrets(
- null,
- "secret",
- TOKEN_EXCHANGE,
- "scope",
- callContext.getPolarisCallContext(),
- TokenType.ACCESS_TOKEN))
+ null, "secret", TOKEN_EXCHANGE, "scope", TokenType.ACCESS_TOKEN))
.thenReturn(TokenResponse.of("token",
TokenType.ACCESS_TOKEN.getValue(), 3600));
Response response =
new InvocationBuilder()
@@ -219,7 +178,7 @@ class DefaultOAuth2ApiServiceTest {
.grantType(TOKEN_EXCHANGE)
.requestedTokenType(TokenType.ACCESS_TOKEN)
.realmContext(realmContext)
- .invoke(new DefaultOAuth2ApiService(tokenBroker, callContext));
+ .invoke(new DefaultOAuth2ApiService(tokenBroker));
Assertions.assertThat(response.getEntity())
.isInstanceOf(OAuthTokenErrorResponse.class)
.asInstanceOf(InstanceOfAssertFactories.type(OAuthTokenErrorResponse.class))
@@ -234,12 +193,7 @@ class DefaultOAuth2ApiServiceTest {
when(tokenBroker.supportsRequestedTokenType(TokenType.ACCESS_TOKEN)).thenReturn(true);
when(tokenBroker.generateFromClientSecrets(
- "",
- "secret",
- TOKEN_EXCHANGE,
- "scope",
- callContext.getPolarisCallContext(),
- TokenType.ACCESS_TOKEN))
+ "", "secret", TOKEN_EXCHANGE, "scope", TokenType.ACCESS_TOKEN))
.thenReturn(TokenResponse.of("token",
TokenType.ACCESS_TOKEN.getValue(), 3600));
Response response =
new InvocationBuilder()
@@ -253,7 +207,7 @@ class DefaultOAuth2ApiServiceTest {
.grantType(TOKEN_EXCHANGE)
.requestedTokenType(TokenType.ACCESS_TOKEN)
.realmContext(realmContext)
- .invoke(new DefaultOAuth2ApiService(tokenBroker, callContext));
+ .invoke(new DefaultOAuth2ApiService(tokenBroker));
Assertions.assertThat(response.getEntity())
.isInstanceOf(OAuthTokenResponse.class)
.asInstanceOf(InstanceOfAssertFactories.type(OAuthTokenResponse.class))