Re: [PR] MINOR: clean up for sasl endpoints for v3.9 [kafka]

via GitHub Mon, 20 Jan 2025 03:35:12 -0800


mimaison commented on code in PR #18576:
URL: https://github.com/apache/kafka/pull/18576#discussion_r1922255811



##########
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenRetrieverFactoryTest.java:
##########
@@ -55,21 +62,33 @@ public void 
testConfigureRefreshingFileAccessTokenRetriever() throws Exception {
     @Test
     public void 
testConfigureRefreshingFileAccessTokenRetrieverWithInvalidDirectory() {
         // Should fail because the parent path doesn't exist.
-        Map<String, ?> configs = 
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL, new 
File("/tmp/this-directory-does-not-exist/foo.json").toURI().toString());
+        String file = new 
File("/tmp/this-directory-does-not-exist/foo.json").toURI().toString();
+        Map<String, ?> configs = 
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL, file);
         Map<String, Object> jaasConfig = Collections.emptyMap();
         assertThrowsWithMessage(ConfigException.class, () -> 
AccessTokenRetrieverFactory.create(configs, jaasConfig), "that doesn't exist");
     }
 
     @Test
     public void 
testConfigureRefreshingFileAccessTokenRetrieverWithInvalidFile() throws 
Exception {
-        // Should fail because the while the parent path exists, the file 
itself doesn't.
+        // Should fail because while the parent path exists, the file itself 
doesn't.
         File tmpDir = createTempDir("this-directory-does-exist");
         File accessTokenFile = new File(tmpDir, 
"this-file-does-not-exist.json");
         Map<String, ?> configs = 
getSaslConfigs(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL, 
accessTokenFile.toURI().toString());
         Map<String, Object> jaasConfig = Collections.emptyMap();
         assertThrowsWithMessage(ConfigException.class, () -> 
AccessTokenRetrieverFactory.create(configs, jaasConfig), "that doesn't exist");
     }
 
+    @Test
+    public void testSaslOauthbearerTokenEndpointUrlIsNotAllowed() throws 
Exception {
+        // Should fail because while the parent path exists, the file itself 
doesn't.

Review Comment:
   The comment is not right, this fails because the URL is not allowed?



##########
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ConfigurationUtils.java:
##########
@@ -228,4 +233,21 @@ public <T> T get(String name) {
         return (T) configs.get(name);
     }
 
+    // make sure the url is in the 
"org.apache.kafka.sasl.oauthbearer.allowed.urls" system property
+    public void throwIfURLIsNotAllowed(String urlConfig) {
+        String allowedLoginModuleProp = 
System.getProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG);

Review Comment:
   Should we call this `allowedUrlsProp`?



##########
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/VerificationKeyResolverFactoryTest.java:
##########
@@ -0,0 +1,80 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
+
+import org.apache.kafka.common.config.ConfigException;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+
+import java.io.File;
+import java.util.Collections;
+import java.util.Map;
+
+import static 
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_URL;
+import static 
org.apache.kafka.common.config.internals.BrokerSecurityConfigs.ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG;
+
+public class VerificationKeyResolverFactoryTest extends OAuthBearerTest {
+
+    @AfterEach
+    public void tearDown() throws Exception {
+        System.clearProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG);
+    }
+
+    @Test
+    public void testConfigureRefreshingFileVerificationKeyResolver() throws 
Exception {
+        File tmpDir = createTempDir("access-token");
+        File verificationKeyFile = createTempFile(tmpDir, "access-token-", 
".json", "{}");
+
+        Map<String, ?> configs = 
Collections.singletonMap(SASL_OAUTHBEARER_JWKS_ENDPOINT_URL, 
verificationKeyFile.toURI().toString());
+        Map<String, Object> jaasConfig = Collections.emptyMap();
+
+        // verify it won't throw exception
+        try (CloseableVerificationKeyResolver verificationKeyResolver = 
VerificationKeyResolverFactory.create(configs, jaasConfig)) { }
+    }
+
+    @Test
+    public void 
testConfigureRefreshingFileVerificationKeyResolverWithInvalidDirectory() {
+        // Should fail because the parent path doesn't exist.
+        String file = new 
File("/tmp/this-directory-does-not-exist/foo.json").toURI().toString();
+        Map<String, ?> configs = 
getSaslConfigs(SASL_OAUTHBEARER_JWKS_ENDPOINT_URL, file);
+        Map<String, Object> jaasConfig = Collections.emptyMap();
+        assertThrowsWithMessage(ConfigException.class, () -> 
VerificationKeyResolverFactory.create(configs, jaasConfig), "that doesn't 
exist");
+    }
+
+    @Test
+    public void 
testConfigureRefreshingFileVerificationKeyResolverWithInvalidFile() throws 
Exception {
+        // Should fail because while the parent path exists, the file itself 
doesn't.
+        File tmpDir = createTempDir("this-directory-does-exist");
+        File verificationKeyFile = new File(tmpDir, 
"this-file-does-not-exist.json");
+        Map<String, ?> configs = 
getSaslConfigs(SASL_OAUTHBEARER_JWKS_ENDPOINT_URL, 
verificationKeyFile.toURI().toString());
+        Map<String, Object> jaasConfig = Collections.emptyMap();
+        assertThrowsWithMessage(ConfigException.class, () -> 
VerificationKeyResolverFactory.create(configs, jaasConfig), "that doesn't 
exist");
+    }
+
+    @Test
+    public void testSaslOauthbearerTokenEndpointUrlIsNotAllowed() throws 
Exception {
+        // Should fail because while the parent path exists, the file itself 
doesn't.

Review Comment:
   Ditto



##########
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ConfigurationUtils.java:
##########
@@ -228,4 +233,21 @@ public <T> T get(String name) {
         return (T) configs.get(name);
     }
 
+    // make sure the url is in the 
"org.apache.kafka.sasl.oauthbearer.allowed.urls" system property
+    public void throwIfURLIsNotAllowed(String urlConfig) {
+        String allowedLoginModuleProp = 
System.getProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG);
+        if (allowedLoginModuleProp == null) {
+            // by default, we accept all URLs
+            return;
+        }
+        Set<String> allowedLoginModuleList = 
Arrays.stream(allowedLoginModuleProp.split(","))

Review Comment:
   Again the name is not right, can we call this `allowedUrls`?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] MINOR: clean up for sasl endpoints for v3.9 [kafka]

Reply via email to