下面列出了io.jsonwebtoken.io.Encoders#org.apache.pulsar.broker.authentication.utils.AuthTokenUtils 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
public String createBrokerToken(String role, String expiryTime) {
Key signingKey;
if (jwtBrokerTokenMode.equals("SECRET")) {
signingKey = decodeBySecretKey();
} else if (jwtBrokerTokenMode.equals("PRIVATE")){
signingKey = decodeByPrivateKey();
} else {
log.info("Default disable JWT auth, please set jwt.broker.token.mode.");
return null;
}
if (signingKey == null) {
log.error("JWT Auth failed, signingKey is not empty");
return null;
}
Optional<Date> optExpiryTime = Optional.empty();
if (expiryTime != null) {
long relativeTimeMillis = TimeUnit.SECONDS
.toMillis(RelativeTimeUtil.parseRelativeTimeInSeconds(expiryTime));
optExpiryTime = Optional.of(new Date(System.currentTimeMillis() + relativeTimeMillis));
}
return AuthTokenUtils.createToken(signingKey, role, optExpiryTime);
}
@Test
public void testSerializeSecretKey() {
SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
String token = Jwts.builder()
.setSubject(SUBJECT)
.signWith(secretKey)
.compact();
@SuppressWarnings("unchecked")
Jwt<?, Claims> jwt = Jwts.parser()
.setSigningKey(AuthTokenUtils.decodeSecretKey(secretKey.getEncoded()))
.parse(token);
assertNotNull(jwt);
assertNotNull(jwt.getBody());
assertEquals(jwt.getBody().getSubject(), SUBJECT);
}
@Test
public void testSerializeKeyPair() throws Exception {
KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
String privateKey = AuthTokenUtils.encodeKeyBase64(keyPair.getPrivate());
String publicKey = AuthTokenUtils.encodeKeyBase64(keyPair.getPublic());
String token = AuthTokenUtils.createToken(AuthTokenUtils.decodePrivateKey(Decoders.BASE64.decode(privateKey), SignatureAlgorithm.RS256),
SUBJECT,
Optional.empty());
@SuppressWarnings("unchecked")
Jwt<?, Claims> jwt = Jwts.parser()
.setSigningKey(AuthTokenUtils.decodePublicKey(Decoders.BASE64.decode(publicKey), SignatureAlgorithm.RS256))
.parse(token);
assertNotNull(jwt);
assertNotNull(jwt.getBody());
assertEquals(jwt.getBody().getSubject(), SUBJECT);
}
@Test(expectedExceptions = AuthenticationException.class)
public void testAuthenticateWhenInvalidTokenIsPassed() throws AuthenticationException, IOException {
SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
Properties properties = new Properties();
properties.setProperty(AuthenticationProviderToken.CONF_TOKEN_SECRET_KEY,
AuthTokenUtils.encodeKeyBase64(secretKey));
ServiceConfiguration conf = new ServiceConfiguration();
conf.setProperties(properties);
AuthenticationProviderToken provider = new AuthenticationProviderToken();
provider.initialize(conf);
provider.authenticate(new AuthenticationDataSource() {
@Override
public String getHttpHeader(String name) {
return AuthenticationProviderToken.HTTP_HEADER_VALUE_PREFIX + "invalid_token";
}
@Override
public boolean hasDataFromHttp() {
return true;
}
});
}
private Key decodeBySecretKey() {
try {
byte[] encodedKey = AuthTokenUtils.readKeyFromUrl(jwtBrokerSecretKey);
return AuthTokenUtils.decodeSecretKey(encodedKey);
} catch (IOException e) {
log.error("Decode failed by secrete key, error: {}", e.getMessage());
return null;
}
}
private Key decodeByPrivateKey() {
try {
byte[] encodedKey = AuthTokenUtils.readKeyFromUrl(jwtBrokerPrivateKey);
SignatureAlgorithm algorithm = SignatureAlgorithm.RS256;
return AuthTokenUtils.decodePrivateKey(encodedKey, algorithm);
} catch (IOException e) {
log.error("Decode failed by private key, error: {}", e.getMessage());
return null;
}
}
@Test
public void testAuthSecretKeyFromFile() throws Exception {
SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
File secretKeyFile = File.createTempFile("pulsar-test-secret-key-", ".key");
secretKeyFile.deleteOnExit();
Files.write(Paths.get(secretKeyFile.toString()), secretKey.getEncoded());
AuthenticationProviderToken provider = new AuthenticationProviderToken();
Properties properties = new Properties();
properties.setProperty(AuthenticationProviderToken.CONF_TOKEN_SECRET_KEY, "file://" + secretKeyFile.toString());
ServiceConfiguration conf = new ServiceConfiguration();
conf.setProperties(properties);
provider.initialize(conf);
String token = AuthTokenUtils.createToken(secretKey, SUBJECT, Optional.empty());
// Pulsar protocol auth
String subject = provider.authenticate(new AuthenticationDataSource() {
@Override
public boolean hasDataFromCommand() {
return true;
}
@Override
public String getCommandData() {
return token;
}
});
assertEquals(subject, SUBJECT);
provider.close();
}
@Test
public void testAuthSecretKeyFromValidFile() throws Exception {
SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
File secretKeyFile = File.createTempFile("pulsar-test-secret-key-valid", ".key");
secretKeyFile.deleteOnExit();
Files.write(Paths.get(secretKeyFile.toString()), secretKey.getEncoded());
AuthenticationProviderToken provider = new AuthenticationProviderToken();
Properties properties = new Properties();
properties.setProperty(AuthenticationProviderToken.CONF_TOKEN_SECRET_KEY, secretKeyFile.toString());
ServiceConfiguration conf = new ServiceConfiguration();
conf.setProperties(properties);
provider.initialize(conf);
String token = AuthTokenUtils.createToken(secretKey, SUBJECT, Optional.empty());
// Pulsar protocol auth
String subject = provider.authenticate(new AuthenticationDataSource() {
@Override
public boolean hasDataFromCommand() {
return true;
}
@Override
public String getCommandData() {
return token;
}
});
assertEquals(subject, SUBJECT);
provider.close();
}
@Test
public void testAuthSecretKeyFromDataBase64() throws Exception {
SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
AuthenticationProviderToken provider = new AuthenticationProviderToken();
Properties properties = new Properties();
properties.setProperty(AuthenticationProviderToken.CONF_TOKEN_SECRET_KEY,
"data:;base64," + AuthTokenUtils.encodeKeyBase64(secretKey));
ServiceConfiguration conf = new ServiceConfiguration();
conf.setProperties(properties);
provider.initialize(conf);
String token = AuthTokenUtils.createToken(secretKey, SUBJECT, Optional.empty());
// Pulsar protocol auth
String subject = provider.authenticate(new AuthenticationDataSource() {
@Override
public boolean hasDataFromCommand() {
return true;
}
@Override
public String getCommandData() {
return token;
}
});
assertEquals(subject, SUBJECT);
provider.close();
}
@Test
public void testAuthSecretKeyPair() throws Exception {
KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
String privateKeyStr = AuthTokenUtils.encodeKeyBase64(keyPair.getPrivate());
String publicKeyStr = AuthTokenUtils.encodeKeyBase64(keyPair.getPublic());
AuthenticationProviderToken provider = new AuthenticationProviderToken();
Properties properties = new Properties();
// Use public key for validation
properties.setProperty(AuthenticationProviderToken.CONF_TOKEN_PUBLIC_KEY, publicKeyStr);
ServiceConfiguration conf = new ServiceConfiguration();
conf.setProperties(properties);
provider.initialize(conf);
// Use private key to generate token
PrivateKey privateKey = AuthTokenUtils.decodePrivateKey(Decoders.BASE64.decode(privateKeyStr), SignatureAlgorithm.RS256);
String token = AuthTokenUtils.createToken(privateKey, SUBJECT, Optional.empty());
// Pulsar protocol auth
String subject = provider.authenticate(new AuthenticationDataSource() {
@Override
public boolean hasDataFromCommand() {
return true;
}
@Override
public String getCommandData() {
return token;
}
});
assertEquals(subject, SUBJECT);
provider.close();
}
@Test
public void testAuthSecretKeyPairWithECDSA() throws Exception {
KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.ES256);
String privateKeyStr = AuthTokenUtils.encodeKeyBase64(keyPair.getPrivate());
String publicKeyStr = AuthTokenUtils.encodeKeyBase64(keyPair.getPublic());
AuthenticationProviderToken provider = new AuthenticationProviderToken();
Properties properties = new Properties();
// Use public key for validation
properties.setProperty(AuthenticationProviderToken.CONF_TOKEN_PUBLIC_KEY, publicKeyStr);
// Set that we are using EC keys
properties.setProperty(AuthenticationProviderToken.CONF_TOKEN_PUBLIC_ALG, SignatureAlgorithm.ES256.getValue());
ServiceConfiguration conf = new ServiceConfiguration();
conf.setProperties(properties);
provider.initialize(conf);
// Use private key to generate token
PrivateKey privateKey = AuthTokenUtils.decodePrivateKey(Decoders.BASE64.decode(privateKeyStr), SignatureAlgorithm.ES256);
String token = AuthTokenUtils.createToken(privateKey, SUBJECT, Optional.empty());
// Pulsar protocol auth
String subject = provider.authenticate(new AuthenticationDataSource() {
@Override
public boolean hasDataFromCommand() {
return true;
}
@Override
public String getCommandData() {
return token;
}
});
assertEquals(subject, SUBJECT);
provider.close();
}
@Test
public void testExpiringToken() throws Exception {
SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
@Cleanup
AuthenticationProviderToken provider = new AuthenticationProviderToken();
Properties properties = new Properties();
properties.setProperty(AuthenticationProviderToken.CONF_TOKEN_SECRET_KEY,
AuthTokenUtils.encodeKeyBase64(secretKey));
ServiceConfiguration conf = new ServiceConfiguration();
conf.setProperties(properties);
provider.initialize(conf);
// Create a token that will expire in 3 seconds
String expiringToken = AuthTokenUtils.createToken(secretKey, SUBJECT,
Optional.of(new Date(System.currentTimeMillis() + TimeUnit.SECONDS.toMillis(3))));
AuthenticationState authState = provider.newAuthState(AuthData.of(expiringToken.getBytes()), null, null);
assertTrue(authState.isComplete());
assertFalse(authState.isExpired());
Thread.sleep(TimeUnit.SECONDS.toMillis(6));
assertTrue(authState.isExpired());
assertTrue(authState.isComplete());
AuthData brokerData = authState.refreshAuthentication();
assertNull(brokerData);
}
private static void testTokenAudienceWithDifferentConfig(Properties properties,
String audienceClaim, List<String> audiences) throws Exception {
@Cleanup
AuthenticationProviderToken provider = new AuthenticationProviderToken();
SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
File secretKeyFile = File.createTempFile("pulsar-test-secret-key-valid", ".key");
secretKeyFile.deleteOnExit();
Files.write(Paths.get(secretKeyFile.toString()), secretKey.getEncoded());
properties.setProperty(AuthenticationProviderToken.CONF_TOKEN_SECRET_KEY, secretKeyFile.toString());
ServiceConfiguration conf = new ServiceConfiguration();
conf.setProperties(properties);
provider.initialize(conf);
String token = createTokenWithAudience(secretKey, audienceClaim, audiences);
// Pulsar protocol auth
String subject = provider.authenticate(new AuthenticationDataSource() {
@Override
public boolean hasDataFromCommand() {
return true;
}
@Override
public String getCommandData() {
return token;
}
});
assertEquals(subject, SUBJECT);
provider.close();
}
public void run() throws IOException {
SecretKey secretKey = AuthTokenUtils.createSecretKey(algorithm);
byte[] encoded = secretKey.getEncoded();
if (base64) {
encoded = Encoders.BASE64.encode(encoded).getBytes();
}
if (outputFile != null) {
Files.write(Paths.get(outputFile), encoded);
} else {
System.out.write(encoded);
}
}
@BeforeClass
@Override
protected void setup() throws Exception {
SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
AuthenticationProviderToken provider = new AuthenticationProviderToken();
Properties properties = new Properties();
properties.setProperty("tokenSecretKey", AuthTokenUtils.encodeKeyBase64(secretKey));
ServiceConfiguration authConf = new ServiceConfiguration();
authConf.setProperties(properties);
provider.initialize(authConf);
adminToken = AuthTokenUtils.createToken(secretKey, ADMIN_USER, Optional.empty());
super.resetConfig();
((KafkaServiceConfiguration) conf).setKafkaTenant(TENANT);
((KafkaServiceConfiguration) conf).setKafkaNamespace(NAMESPACE);
((KafkaServiceConfiguration) conf).setKafkaMetadataTenant("internal");
((KafkaServiceConfiguration) conf).setKafkaMetadataNamespace("__kafka");
((KafkaServiceConfiguration) conf).setEnableGroupCoordinator(true);
conf.setClusterName(CLUSTER_NAME);
conf.setAuthorizationEnabled(true);
conf.setAuthenticationEnabled(true);
conf.setAuthorizationAllowWildcardsMatching(true);
conf.setSuperUserRoles(Sets.newHashSet(ADMIN_USER));
conf.setAuthenticationProviders(
Sets.newHashSet("org.apache.pulsar.broker.authentication."
+ "AuthenticationProviderToken"));
conf.setBrokerClientAuthenticationPlugin(AuthenticationToken.class.getName());
conf.setBrokerClientAuthenticationParameters("token:" + adminToken);
conf.setProperties(properties);
super.internalSetup();
admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrl.toString())
.authentication(AuthenticationToken.class.getName(), "token:" + adminToken).build());
admin.tenants().createTenant(TENANT,
new TenantInfo(Sets.newHashSet(ADMIN_USER), Sets.newHashSet(CLUSTER_NAME)));
admin.namespaces().createNamespace(TENANT + "/" + NAMESPACE);
admin.namespaces()
.setNamespaceReplicationClusters(TENANT + "/" + NAMESPACE, Sets.newHashSet(CLUSTER_NAME));
admin.topics().createPartitionedTopic(PULSAR_TOPIC_NAME, 1);
admin.namespaces().grantPermissionOnNamespace(TENANT + "/" + NAMESPACE, ADMIN_USER,
Sets.newHashSet(AuthAction.consume, AuthAction.produce));
}
@BeforeClass
@Override
protected void setup() throws Exception {
SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
AuthenticationProviderToken provider = new AuthenticationProviderToken();
Properties properties = new Properties();
properties.setProperty("tokenSecretKey", AuthTokenUtils.encodeKeyBase64(secretKey));
ServiceConfiguration authConf = new ServiceConfiguration();
authConf.setProperties(properties);
provider.initialize(authConf);
userToken = AuthTokenUtils.createToken(secretKey, SIMPLE_USER, Optional.empty());
adminToken = AuthTokenUtils.createToken(secretKey, ADMIN_USER, Optional.empty());
anotherToken = AuthTokenUtils.createToken(secretKey, ANOTHER_USER, Optional.empty());
super.resetConfig();
((KafkaServiceConfiguration) conf).setEnableGroupCoordinator(true);
((KafkaServiceConfiguration) conf).setSaslAllowedMechanisms(Sets.newHashSet("PLAIN"));
((KafkaServiceConfiguration) conf).setKafkaMetadataTenant("internal");
((KafkaServiceConfiguration) conf).setKafkaMetadataNamespace("__kafka");
conf.setClusterName(CLUSTER_NAME);
conf.setAuthorizationEnabled(true);
conf.setAuthenticationEnabled(true);
conf.setAuthorizationAllowWildcardsMatching(true);
conf.setSuperUserRoles(Sets.newHashSet(ADMIN_USER));
conf.setAuthenticationProviders(
Sets.newHashSet("org.apache.pulsar.broker.authentication."
+ "AuthenticationProviderToken"));
conf.setBrokerClientAuthenticationPlugin(AuthenticationToken.class.getName());
conf.setBrokerClientAuthenticationParameters("token:" + adminToken);
conf.setProperties(properties);
super.internalSetup();
admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrl.toString())
.authentication(AuthenticationToken.class.getName(), "token:" + adminToken).build());
admin.tenants().createTenant(TENANT,
new TenantInfo(Sets.newHashSet(ADMIN_USER), Sets.newHashSet(CLUSTER_NAME)));
admin.namespaces().createNamespace(TENANT + "/" + NAMESPACE);
admin.topics().createPartitionedTopic(PULSAR_TOPIC_NAME, 1);
admin
.namespaces().grantPermissionOnNamespace(TENANT + "/" + NAMESPACE, SIMPLE_USER,
Sets.newHashSet(AuthAction.consume, AuthAction.produce));
}
@Test
public void testAuthSecretKeyPairWithCustomClaim() throws Exception {
String authRoleClaim = "customClaim";
String authRole = "my-test-role";
KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
String privateKeyStr = AuthTokenUtils.encodeKeyBase64(keyPair.getPrivate());
String publicKeyStr = AuthTokenUtils.encodeKeyBase64(keyPair.getPublic());
AuthenticationProviderToken provider = new AuthenticationProviderToken();
Properties properties = new Properties();
// Use public key for validation
properties.setProperty(AuthenticationProviderToken.CONF_TOKEN_PUBLIC_KEY, publicKeyStr);
// Set custom claim field
properties.setProperty(AuthenticationProviderToken.CONF_TOKEN_AUTH_CLAIM, authRoleClaim);
ServiceConfiguration conf = new ServiceConfiguration();
conf.setProperties(properties);
provider.initialize(conf);
// Use private key to generate token
PrivateKey privateKey = AuthTokenUtils.decodePrivateKey(Decoders.BASE64.decode(privateKeyStr), SignatureAlgorithm.RS256);
String token = Jwts.builder()
.setClaims(new HashMap<String, Object>() {{
put(authRoleClaim, authRole);
}})
.signWith(privateKey)
.compact();
// Pulsar protocol auth
String role = provider.authenticate(new AuthenticationDataSource() {
@Override
public boolean hasDataFromCommand() {
return true;
}
@Override
public String getCommandData() {
return token;
}
});
assertEquals(role, authRole);
provider.close();
}