plain sasl server.

Author: loserwang1024

fluss-auth/fluss-auth-sasl/src/main/java/com/alibaba/fluss/security/auth/sasl/JaasContext.java

@@ -207,4 +207,19 @@ private static JaasContext defaultContext(
 
         return new JaasContext(contextName, contextType, jaasConfig, null);
     }
+
+    /**
+     * Returns the configuration option for <code>key</code> from this context.
+     * If login module name is specified, return option value only from that module.
+     */
+    public static String configEntryOption(List<AppConfigurationEntry> configurationEntries, String key, String loginModuleName) {
+        for (AppConfigurationEntry entry : configurationEntries) {
+            if (loginModuleName != null && !loginModuleName.equals(entry.getLoginModuleName()))
+                continue;
+            Object val = entry.getOptions().get(key);
+            if (val != null)
+                return (String) val;
+        }
+        return null;
+    }
 }

fluss-auth/fluss-auth-sasl/src/main/java/com/alibaba/fluss/security/auth/sasl/SaslServerAuthenticator.java

@@ -6,6 +6,7 @@
 import com.alibaba.fluss.security.acl.FlussPrincipal;
 import com.alibaba.fluss.security.auth.ServerAuthenticator;
 
+import com.alibaba.fluss.security.auth.sasl.plain.PlainServerCallbackHandler;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -64,6 +65,7 @@ public void initialize(AuthenticateContext context) {
                 JaasContext.loadServerContext(listenerName, mechanism, dynamicJaasConfig);
         try {
             LoginManager loginManager = LoginManager.acquireLoginManager(jaasContext, mechanism);
+            // todo: 抽象方法
             createSaslServer(mechanism, loginManager.subject(), address);
         } catch (Exception e) {
             throw new RuntimeException(e);
@@ -98,8 +100,13 @@ public FlussPrincipal createPrincipal() {
     private void createSaslServer(String mechanism, Subject subject, String hostName)
             throws IOException {
         this.saslMechanism = mechanism;
-        final AuthenticateCallbackHandler callbackHandler = callbackHandlers.get(mechanism);
         // todo: check一下 digest login module, 当前支持
+        AuthenticateCallbackHandler callbackHandler;
+        if(mechanism.equals("PLAIN")){
+            callbackHandler = new PlainServerCallbackHandler();
+        } else {
+            throw new IllegalArgumentException("Unsupported mechanism: " + mechanism);
+        }
 
         try {
             saslServer =

fluss-auth/fluss-auth-sasl/src/main/java/com/alibaba/fluss/security/auth/sasl/plain/PlainAuthenticateCallback.java

@@ -0,0 +1,48 @@
+package com.alibaba.fluss.security.auth.sasl.plain;
+
+import javax.security.auth.callback.Callback;
+
+/*
+ * Authentication callback for SASL/PLAIN authentication. Callback handler must
+ * set authenticated flag to true if the client provided password in the callback
+ * matches the expected password.
+ */
+// todo: 这个主要将token的username, password传递给PlainServerCallbackHandler来校验
+public class PlainAuthenticateCallback implements Callback {
+
+    private final char[] password;
+    private boolean authenticated;
+
+    /**
+     * Creates a callback with the password provided by the client
+     * @param password The password provided by the client during SASL/PLAIN authentication
+     */
+    public PlainAuthenticateCallback(char[] password) {
+        this.password = password;
+    }
+
+    /**
+     * Returns the password provided by the client during SASL/PLAIN authentication
+     */
+    public char[] password() {
+        return password;
+    }
+
+    /**
+     * Returns true if client password matches expected password, false otherwise.
+     * This state is set the server-side callback handler.
+     */
+    public boolean authenticated() {
+        return this.authenticated;
+    }
+
+    /**
+     * Sets the authenticated state. This is set by the server-side callback handler
+     * by matching the client provided password with the expected password.
+     *
+     * @param authenticated true indicates successful authentication
+     */
+    public void authenticated(boolean authenticated) {
+        this.authenticated = authenticated;
+    }
+}

…security/auth/sasl/PlainLoginModule.java …ty/auth/sasl/plain/PlainLoginModule.javafluss-auth/fluss-auth-sasl/src/main/java/com/alibaba/fluss/security/auth/sasl/PlainLoginModule.java renamed to fluss-auth/fluss-auth-sasl/src/main/java/com/alibaba/fluss/security/auth/sasl/plain/PlainLoginModule.java fluss-auth/fluss-auth-sasl/src/main/java/com/alibaba/fluss/security/auth/sasl/PlainLoginModule.java renamed to fluss-auth/fluss-auth-sasl/src/main/java/com/alibaba/fluss/security/auth/sasl/plain/PlainLoginModule.java

@@ -1,4 +1,4 @@
-package com.alibaba.fluss.security.auth.sasl;
+package com.alibaba.fluss.security.auth.sasl.plain;
 
 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
@@ -11,6 +11,11 @@ public class PlainLoginModule implements LoginModule {
     private static final String USERNAME_CONFIG = "username";
     private static final String PASSWORD_CONFIG = "password";
 
+    static {
+        // Register sasl server provider.
+        PlainSaslServerProvider.initialize();
+    }
+
     @Override
     public void initialize(
             Subject subject,

fluss-auth/fluss-auth-sasl/src/main/java/com/alibaba/fluss/security/auth/sasl/plain/PlainSaslServer.java

@@ -0,0 +1,161 @@
+package com.alibaba.fluss.security.auth.sasl.plain;
+
+import com.alibaba.fluss.exception.AuthenticationException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.sasl.Sasl;
+import javax.security.sasl.SaslException;
+import javax.security.sasl.SaslServer;
+import javax.security.sasl.SaslServerFactory;
+import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+
+public class PlainSaslServer implements SaslServer {
+
+    public static final String PLAIN_MECHANISM = "PLAIN";
+
+    private final CallbackHandler callbackHandler;
+    private boolean complete;
+    private String authorizationId;
+
+    public PlainSaslServer(CallbackHandler callbackHandler) {
+        this.callbackHandler = callbackHandler;
+    }
+
+
+    @Override
+    public byte[] evaluateResponse(byte[] responseBytes) throws AuthenticationException {
+        /*
+         * Message format (from https://tools.ietf.org/html/rfc4616):
+         *
+         * message   = [authzid] UTF8NUL authcid UTF8NUL passwd
+         * authcid   = 1*SAFE ; MUST accept up to 255 octets
+         * authzid   = 1*SAFE ; MUST accept up to 255 octets
+         * passwd    = 1*SAFE ; MUST accept up to 255 octets
+         * UTF8NUL   = %x00 ; UTF-8 encoded NUL character
+         *
+         * SAFE      = UTF1 / UTF2 / UTF3 / UTF4
+         *                ;; any UTF-8 encoded Unicode character except NUL
+         */
+
+        String response = new String(responseBytes, StandardCharsets.UTF_8);
+        List<String> tokens = extractTokens(response);
+        String authorizationIdFromClient = tokens.get(0);
+        String username = tokens.get(1);
+        String password = tokens.get(2);
+
+        if (username.isEmpty()) {
+            throw new AuthenticationException("Authentication failed: username not specified");
+        }
+        if (password.isEmpty()) {
+            throw new AuthenticationException("Authentication failed: password not specified");
+        }
+
+        NameCallback nameCallback = new NameCallback("username", username);
+        PlainAuthenticateCallback authenticateCallback = new PlainAuthenticateCallback(password.toCharArray());
+        try {
+            callbackHandler.handle(new Callback[]{nameCallback, authenticateCallback});
+        } catch (Throwable e) {
+            throw new AuthenticationException("Authentication failed: credentials for user could not be verified", e);
+        }
+        if (!authenticateCallback.authenticated())
+            throw new AuthenticationException("Authentication failed: Invalid username or password");
+        if (!authorizationIdFromClient.isEmpty() && !authorizationIdFromClient.equals(username))
+            throw new AuthenticationException("Authentication failed: Client requested an authorization id that is different from username");
+
+        this.authorizationId = username;
+
+        complete = true;
+        return new byte[0];
+    }
+
+    private List<String> extractTokens(String string) {
+        List<String> tokens = new ArrayList<>();
+        int startIndex = 0;
+        for (int i = 0; i < 4; ++i) {
+            int endIndex = string.indexOf("\u0000", startIndex);
+            if (endIndex == -1) {
+                tokens.add(string.substring(startIndex));
+                break;
+            }
+            tokens.add(string.substring(startIndex, endIndex));
+            startIndex = endIndex + 1;
+        }
+
+        if (tokens.size() != 3)
+            throw new AuthenticationException("Invalid SASL/PLAIN response: expected 3 tokens, got " +
+                    tokens.size());
+
+        return tokens;
+    }
+
+    @Override
+    public String getAuthorizationID() {
+        if (!complete)
+            throw new IllegalStateException("Authentication exchange has not completed");
+        return authorizationId;
+    }
+
+    @Override
+    public String getMechanismName() {
+        return PLAIN_MECHANISM;
+    }
+
+    @Override
+    public Object getNegotiatedProperty(String propName) {
+        if (!complete)
+            throw new IllegalStateException("Authentication exchange has not completed");
+        return null;
+    }
+
+    @Override
+    public boolean isComplete() {
+        return complete;
+    }
+
+    @Override
+    public byte[] unwrap(byte[] incoming, int offset, int len) {
+        if (!complete)
+            throw new IllegalStateException("Authentication exchange has not completed");
+        return Arrays.copyOfRange(incoming, offset, offset + len);
+    }
+
+    @Override
+    public byte[] wrap(byte[] outgoing, int offset, int len) {
+        if (!complete)
+            throw new IllegalStateException("Authentication exchange has not completed");
+        return Arrays.copyOfRange(outgoing, offset, offset + len);
+    }
+
+    @Override
+    public void dispose() {
+    }
+
+    public static class PlainSaslServerFactory implements SaslServerFactory {
+
+        @Override
+        public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh)
+                throws SaslException {
+
+            if (!PLAIN_MECHANISM.equals(mechanism))
+                throw new SaslException(String.format("Mechanism \'%s\' is not supported. Only PLAIN is supported.", mechanism));
+
+            return new PlainSaslServer(cbh);
+        }
+
+        @Override
+        public String[] getMechanismNames(Map<String, ?> props) {
+            if (props == null) return new String[]{PLAIN_MECHANISM};
+            String noPlainText = (String) props.get(Sasl.POLICY_NOPLAINTEXT);
+            if ("true".equals(noPlainText))
+                return new String[]{};
+            else
+                return new String[]{PLAIN_MECHANISM};
+        }
+    }
+}

fluss-auth/fluss-auth-sasl/src/main/java/com/alibaba/fluss/security/auth/sasl/plain/PlainSaslServerProvider.java

@@ -0,0 +1,20 @@
+package com.alibaba.fluss.security.auth.sasl.plain;
+
+import java.security.Provider;
+import java.security.Security;
+
+public class PlainSaslServerProvider extends Provider {
+
+    private static final long serialVersionUID = 1L;
+
+    @SuppressWarnings("this-escape")
+    protected PlainSaslServerProvider() {
+        super("Simple SASL/PLAIN Server Provider", 1.0, "Simple SASL/PLAIN Server Provider for Kafka");
+        put("SaslServerFactory." + PlainSaslServer.PLAIN_MECHANISM, PlainSaslServer.PlainSaslServerFactory.class.getName());
+    }
+
+    public static void initialize() {
+        Security.addProvider(new PlainSaslServerProvider());
+    }
+}
+

fluss-auth/fluss-auth-sasl/src/main/java/com/alibaba/fluss/security/auth/sasl/plain/PlainServerCallbackHandler.java

@@ -0,0 +1,57 @@
+package com.alibaba.fluss.security.auth.sasl.plain;
+
+import com.alibaba.fluss.security.auth.sasl.AuthenticateCallbackHandler;
+import com.alibaba.fluss.security.auth.sasl.JaasContext;
+import com.alibaba.fluss.utils.ArrayUtils;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.AppConfigurationEntry;
+import java.io.IOException;
+import java.util.List;
+
+// todo: PlainServerCallbackHandler作为连接saslserver的bride, 用于比较用户传入的token和server端配置的账号密码
+public class PlainServerCallbackHandler implements AuthenticateCallbackHandler {
+    private static final String JAAS_USER_PREFIX = "user_";
+    private List<AppConfigurationEntry> jaasConfigEntries;
+
+    @Override
+    public void configure(String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries){
+        this.jaasConfigEntries = jaasConfigEntries;
+    }
+
+    @Override
+    public void close() {
+        // todo
+    }
+
+    @Override
+    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+        String username = null;
+        for (Callback callback: callbacks) {
+            if (callback instanceof NameCallback)
+                username = ((NameCallback) callback).getDefaultName();
+            else if (callback instanceof PlainAuthenticateCallback) {
+                PlainAuthenticateCallback plainCallback = (PlainAuthenticateCallback) callback;
+                boolean authenticated = authenticate(username, plainCallback.password());
+                plainCallback.authenticated(authenticated);
+            } else
+                throw new UnsupportedCallbackException(callback);
+        }
+    }
+
+    protected boolean authenticate(String username, char[] password) throws IOException {
+        if (username == null)
+            return false;
+        else {
+            String expectedPassword = JaasContext.configEntryOption(jaasConfigEntries,
+                    JAAS_USER_PREFIX + username,
+                    PlainLoginModule.class.getName());
+            return expectedPassword != null && ArrayUtils.isEqualConstantTime(password, expectedPassword.toCharArray());
+        }
+    }
+
+}
+
+

fluss-auth/fluss-auth-sasl/src/test/java/com/alibaba/fluss/security/auth/sasl/TestJaasConfig.java

@@ -16,6 +16,8 @@
 
 package com.alibaba.fluss.security.auth.sasl;
 
+import com.alibaba.fluss.security.auth.sasl.plain.PlainLoginModule;
+
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;