bom/pom.xml

-Original file line number
+Diff line change
@@ Expand Up @@
               </exclusion>
             </exclusions>
           </dependency>
+          <dependency>
+            <groupId>io.vertx</groupId>
+            <artifactId>vertx-proton</artifactId>
+            <version>4.5.22</version>
+          </dependency>
         </dependencies>
       </dependencyManagement>
@@ Expand Down @@

...e-base/src/main/java/org/eclipse/hono/service/auth/AbstractHonoAuthenticationService.java

-Original file line number
+Diff line change
@@ Expand Up @@
                 final String authzid = new String(authRequest.getBinary(AuthenticationConstants.FIELD_SASL_RESPONSE), StandardCharsets.UTF_8);
                 final String subject = authRequest.getString(AuthenticationConstants.FIELD_SUBJECT_DN);
-                log.debug("processing EXTERNAL authentication request [Subject DN: {}]", subject);
+                log.debug("processing EXTERNAL authentication request [Subject DN: {}, Authz ID: {}]", subject, authzid);
                 return verifyExternal(authzid, subject);
             } else {
@@ Expand Down @@

...se/src/main/java/org/eclipse/hono/service/auth/delegating/AuthenticationServerClient.java

-Original file line number
+Diff line change
@@ Expand Up / @@ -66,20 +66,30 @@ public AuthenticationServerClient( @@
         /**
          * Verifies a Subject DN with a remote authentication server using SASL EXTERNAL.
-         * <p>
-         * This method currently always fails the handler because there is no way (yet) in vertx-proton
-         * to perform a SASL EXTERNAL exchange including an authorization id.
          *
          * @param authzid The identity to act as.
          * @param subjectDn The Subject DN.
          * @return A future indicating the outcome of the authentication attempt. On successful authentication,
          *                                    the result contains a JWT with the authenticated user's claims.
          */
         public Future<HonoUser> verifyExternal(final String authzid, final String subjectDn) {
-            // unsupported mechanism (until we get better control over client SASL params in vertx-proton)
-            return Future.failedFuture(new ClientErrorException(
-                    HttpURLConnection.HTTP_BAD_REQUEST,
-                    "unsupported mechanism"));
+            final ProtonClientOptions options = new ProtonClientOptions();
+            options.setReconnectAttempts(3).setReconnectInterval(50);
+            options.addEnabledSaslMechanism(AuthenticationConstants.MECHANISM_EXTERNAL);
+            options.setAuthorizationId(AuthenticationConstants.getCommonName(subjectDn));
+            final var connectAttempt = factory.connect(options, null, null);
+            return connectAttempt
+                    .compose(openCon -> getToken(openCon))
+                    .recover(t -> Future.failedFuture(mapConnectionFailureToServiceInvocationException(t)))
+                    .onComplete(s -> {
+                        Optional.ofNullable(connectAttempt.result())
+                                .ifPresent(con -> {
+                                    LOG.debug("closing connection to Authentication service");
+                                    con.close();
+                                });
+                    });
         }
         /**
@@ Expand Down @@

...se/src/main/java/org/eclipse/hono/authentication/file/FileBasedAuthenticationService.java

-Original file line number
+Diff line change
@@ Expand Up @@
             JsonObject effectiveUser = user;
             String effectiveAuthorizationId = authenticationId;
-            if (authorizationId != null && !authorizationId.isEmpty() && isAuthorizedToImpersonate(user)) {
+            if (authorizationId != null && !authorizationId.isEmpty()) {
+                if (!isAuthorizedToImpersonate(user)) {
+                    return Future.failedFuture(new ClientErrorException(
+                            HttpURLConnection.HTTP_UNAUTHORIZED,
+                            UNAUTHORIZED));
+                }
                 final JsonObject impersonatedUser = users.get(authorizationId);
                 if (impersonatedUser != null) {
                     effectiveUser = impersonatedUser;
@@ Expand Down @@

...rc/test/java/org/eclipse/hono/authentication/file/FileBasedAuthenticationServiceTest.java

-Original file line number
+Diff line change
@@ Expand Up / @@ -21,11 +21,13 @@ @@
     import static com.google.common.truth.Truth.assertThat;
     import java.io.FileNotFoundException;
+    import java.net.HttpURLConnection;
     import java.time.Duration;
     import java.util.concurrent.TimeUnit;
     import org.eclipse.hono.auth.Authorities;
     import org.eclipse.hono.auth.HonoUser;
+    import org.eclipse.hono.client.ClientErrorException;
     import org.eclipse.hono.service.auth.AuthTokenFactory;
     import org.eclipse.hono.util.ResourceIdentifier;
     import org.junit.jupiter.api.BeforeEach;
@@ Expand Down Expand Up @@
             givenAStartedService()
                 .compose(ok -> authService.verifyPlain("userB", "hono-client@HONO", "secret"))
-                .onComplete(ctx.succeeding(res -> {
-                    assertUserAndToken(ctx, res, "hono-client@HONO", TOKEN);
+                .onComplete(ctx.failing(t -> {
+                    ctx.verify(() -> {
+                        assertThat(t).isInstanceOf(ClientErrorException.class);
+                        assertThat(((ClientErrorException) t).getErrorCode()).isEqualTo(HttpURLConnection.HTTP_UNAUTHORIZED);
+                    });
                     ctx.completeNow();
                 }));
         }
@@ Expand Down Expand Up @@
             givenAStartedService()
                 .compose(ok -> authService.verifyExternal("userB", "CN=userA"))
-                .onComplete(ctx.succeeding(res -> {
-                    assertUserAndToken(ctx, res, "userA", TOKEN);
+                .onComplete(ctx.failing(t -> {
+                    ctx.verify(() -> {
+                        assertThat(t).isInstanceOf(ClientErrorException.class);
+                        assertThat(((ClientErrorException) t).getErrorCode()).isEqualTo(HttpURLConnection.HTTP_UNAUTHORIZED);
+                    });
                     ctx.completeNow();
                 }));
         }
@@ Expand Down @@

Implement service authentication using SASL EXTERNAL mechanism #3710

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

JCapucho wants to merge 2 commits into eclipse-hono:master from JCapucho:services-external-authz

-Original file line number
+Diff line change
@@ Expand Up @@
               </exclusion>
             </exclusions>
           </dependency>
+          <dependency>
+            <groupId>io.vertx</groupId>
+            <artifactId>vertx-proton</artifactId>
+            <version>4.5.22</version>
+          </dependency>
         </dependencies>
       </dependencyManagement>
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
                 final String authzid = new String(authRequest.getBinary(AuthenticationConstants.FIELD_SASL_RESPONSE), StandardCharsets.UTF_8);
                 final String subject = authRequest.getString(AuthenticationConstants.FIELD_SUBJECT_DN);
-                log.debug("processing EXTERNAL authentication request [Subject DN: {}]", subject);
+                log.debug("processing EXTERNAL authentication request [Subject DN: {}, Authz ID: {}]", subject, authzid);
                 return verifyExternal(authzid, subject);
             } else {
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -66,20 +66,30 @@ public AuthenticationServerClient( @@
         /**
          * Verifies a Subject DN with a remote authentication server using SASL EXTERNAL.
-         * <p>
-         * This method currently always fails the handler because there is no way (yet) in vertx-proton
-         * to perform a SASL EXTERNAL exchange including an authorization id.
          *
          * @param authzid The identity to act as.
          * @param subjectDn The Subject DN.
          * @return A future indicating the outcome of the authentication attempt. On successful authentication,
          *                                    the result contains a JWT with the authenticated user's claims.
          */
         public Future<HonoUser> verifyExternal(final String authzid, final String subjectDn) {
-            // unsupported mechanism (until we get better control over client SASL params in vertx-proton)
-            return Future.failedFuture(new ClientErrorException(
-                    HttpURLConnection.HTTP_BAD_REQUEST,
-                    "unsupported mechanism"));
+            final ProtonClientOptions options = new ProtonClientOptions();
+            options.setReconnectAttempts(3).setReconnectInterval(50);
+            options.addEnabledSaslMechanism(AuthenticationConstants.MECHANISM_EXTERNAL);
+            options.setAuthorizationId(AuthenticationConstants.getCommonName(subjectDn));
+            final var connectAttempt = factory.connect(options, null, null);
+            return connectAttempt
+                    .compose(openCon -> getToken(openCon))
+                    .recover(t -> Future.failedFuture(mapConnectionFailureToServiceInvocationException(t)))
+                    .onComplete(s -> {
+                        Optional.ofNullable(connectAttempt.result())
+                                .ifPresent(con -> {
+                                    LOG.debug("closing connection to Authentication service");
+                                    con.close();
+                                });
+                    });
         }
         /**
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
             JsonObject effectiveUser = user;
             String effectiveAuthorizationId = authenticationId;
-            if (authorizationId != null && !authorizationId.isEmpty() && isAuthorizedToImpersonate(user)) {
+            if (authorizationId != null && !authorizationId.isEmpty()) {
+                if (!isAuthorizedToImpersonate(user)) {
+                    return Future.failedFuture(new ClientErrorException(
+                            HttpURLConnection.HTTP_UNAUTHORIZED,
+                            UNAUTHORIZED));
+                }
                 final JsonObject impersonatedUser = users.get(authorizationId);
                 if (impersonatedUser != null) {
                     effectiveUser = impersonatedUser;
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -21,11 +21,13 @@ @@
     import static com.google.common.truth.Truth.assertThat;
     import java.io.FileNotFoundException;
+    import java.net.HttpURLConnection;
     import java.time.Duration;
     import java.util.concurrent.TimeUnit;
     import org.eclipse.hono.auth.Authorities;
     import org.eclipse.hono.auth.HonoUser;
+    import org.eclipse.hono.client.ClientErrorException;
     import org.eclipse.hono.service.auth.AuthTokenFactory;
     import org.eclipse.hono.util.ResourceIdentifier;
     import org.junit.jupiter.api.BeforeEach;
@@ Expand Down Expand Up @@
             givenAStartedService()
                 .compose(ok -> authService.verifyPlain("userB", "hono-client@HONO", "secret"))
-                .onComplete(ctx.succeeding(res -> {
-                    assertUserAndToken(ctx, res, "hono-client@HONO", TOKEN);
+                .onComplete(ctx.failing(t -> {
+                    ctx.verify(() -> {
+                        assertThat(t).isInstanceOf(ClientErrorException.class);
+                        assertThat(((ClientErrorException) t).getErrorCode()).isEqualTo(HttpURLConnection.HTTP_UNAUTHORIZED);
+                    });
                     ctx.completeNow();
                 }));
         }
@@ Expand Down Expand Up @@
             givenAStartedService()
                 .compose(ok -> authService.verifyExternal("userB", "CN=userA"))
-                .onComplete(ctx.succeeding(res -> {
-                    assertUserAndToken(ctx, res, "userA", TOKEN);
+                .onComplete(ctx.failing(t -> {
+                    ctx.verify(() -> {
+                        assertThat(t).isInstanceOf(ClientErrorException.class);
+                        assertThat(((ClientErrorException) t).getErrorCode()).isEqualTo(HttpURLConnection.HTTP_UNAUTHORIZED);
+                    });
                     ctx.completeNow();
                 }));
         }
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implement service authentication using SASL EXTERNAL mechanism #3710

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Implement service authentication using SASL EXTERNAL mechanism #3710

Are you sure you want to change the base?

Uh oh!

Implement service authentication using SASL EXTERNAL mechanism #3710

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing