

Merge pull request #33 from CleverCloud/biscuit2.0
Biscuit 2.0
KannarFr authored Mar 4, 2022
2 parents c3b495f + a98522d commit b4f1d42
Showing 13 changed files with 347 additions and 947 deletions.
7 changes: 0 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ This only supports Apache Pulsar v2.9+.

The listed dependencies can be necessary to add to the /lib of pulsar folder as jars:

- curve25519-elisabeth
- vavr
- protobuf
- biscuit-java
Expand All @@ -28,7 +27,6 @@ We currently are using this script to put libs on pulsar nodes:
```bash
#!/bin/bash

wget -P "pulsar/lib" "https://repo1.maven.org/maven2/cafe/cryptography/curve25519-elisabeth/0.1.0/curve25519-elisabeth-0.1.0.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/io/vavr/vavr/0.10.3/vavr-0.10.3.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.16.1/protobuf-java-3.16.1.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/com/clever-cloud/biscuit-java/<VERSION>/biscuit-java-<VERSION>.jar"
Expand All @@ -54,7 +52,6 @@ authorizationProvider=com.clevercloud.biscuitpulsar.AuthorizationProviderBiscuit

### --- Biscuit Authentication Provider --- ###
biscuitPublicRootKey=@@BISCUIT_PUBLIC_ROOT_KEY@@
biscuitSealingKey=@@BISCUIT_PUBLIC_SEALING_KEY@@
# support JWT side by side with Biscuit for AuthenticationToken
biscuitSupportJWT=true|false
# biscuit verify run limits before TimeOut
Expand All @@ -69,10 +66,6 @@ biscuitRunLimitsMaxTimeMillis=30
sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" broker.conf
sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" proxy.conf
sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" standalone.conf

sed -i -e "s/@@BISCUIT_PUBLIC_SEALING_KEY@@/$2/" broker.conf
sed -i -e "s/@@BISCUIT_PUBLIC_SEALING_KEY@@/$2/" proxy.conf
sed -i -e "s/@@BISCUIT_PUBLIC_SEALING_KEY@@/$2/" standalone.conf
```

## Usage
22 changes: 3 additions & 19 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -22,11 +22,10 @@
<nexus-staging-maven.version>1.6.7</nexus-staging-maven.version>

<!-- dependencies -->
<biscuit-java.version>1.1.4</biscuit-java.version>
<biscuit-java.version>2.0.0</biscuit-java.version>
<logback-classic.version>1.2.10</logback-classic.version>
<protobuf.version>3.16.1</protobuf.version>
<pulsar.version>2.9.1</pulsar.version>
<slf4j-api.version>1.7.32</slf4j-api.version>
<vavr.version>0.10.2</vavr.version>

<!-- test dependencies -->
Expand Down Expand Up @@ -174,33 +173,18 @@
<artifactId>vavr</artifactId>
<version>${vavr.version}</version>
</dependency>
<dependency>
<groupId>org.apache.pulsar</groupId>
<artifactId>pulsar-client</artifactId>
<version>${pulsar.version}</version>
</dependency>
<dependency>
<groupId>org.apache.pulsar</groupId>
<artifactId>pulsar-broker</artifactId>
<version>${pulsar.version}</version>
</dependency>
<dependency>
<groupId>org.apache.pulsar</groupId>
<artifactId>pulsar-common</artifactId>
<version>${pulsar.version}</version>
<exclusions>
<exclusion>
<groupId>io.grpc</groupId>
<artifactId>grpc-all</artifactId>
<groupId>org.apache.pulsar</groupId>
<artifactId>pulsar-functions-runtime</artifactId>
</exclusion>
</exclusions>
</dependency>

<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>${slf4j-api.version}</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@
import org.apache.pulsar.client.api.Authentication;
import org.apache.pulsar.client.api.AuthenticationDataProvider;
import org.apache.pulsar.client.api.EncodedAuthenticationParameterSupport;
import org.apache.pulsar.client.api.PulsarClientException;

import java.io.IOException;
import java.net.URI;
Expand All @@ -31,7 +30,7 @@ public AuthenticationBiscuit(Supplier<String> biscuitSupplier) {
}

@Override
public void close() throws IOException {
public void close() {
// noop
}

Expand All @@ -41,7 +40,7 @@ public String getAuthMethodName() {
}

@Override
public AuthenticationDataProvider getAuthData() throws PulsarClientException {
public AuthenticationDataProvider getAuthData() {
return new AuthenticationDataBiscuit(biscuitSupplier);
}

Expand Down Expand Up @@ -72,7 +71,7 @@ public void configure(Map<String, String> authParams) {
}

@Override
public void start() throws PulsarClientException {
public void start() {
// noop
}
}
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
package com.clevercloud.biscuitpulsar;

import biscuit.format.schema.Schema;
import com.clevercloud.biscuit.crypto.PublicKey;
import com.clevercloud.biscuit.error.Error;
import com.clevercloud.biscuit.token.Biscuit;
import io.vavr.control.Either;
import org.apache.commons.lang3.StringUtils;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
Expand All @@ -14,7 +14,9 @@

import javax.naming.AuthenticationException;
import java.io.IOException;
import java.util.Base64;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;

public class AuthenticationProviderBiscuit implements AuthenticationProvider {
private static final Logger log = LoggerFactory.getLogger(AuthenticationProviderBiscuit.class);
Expand All @@ -24,12 +26,10 @@ public class AuthenticationProviderBiscuit implements AuthenticationProvider {

final static String BISCUIT = "token";

final static String CONF_BISCUIT_SEALING_KEY = "biscuitSealingKey";
final static String CONF_BISCUIT_PUBLIC_ROOT_KEY = "biscuitPublicRootKey";
final static String CONF_BISCUIT_SUPPORT_JWT = "biscuitSupportJWT";

private PublicKey rootKey;
static String SEALING_KEY;
static PublicKey rootKey;

private AuthenticationProviderToken jwtAuthenticator;
private Boolean isJWTSupported;
Expand All @@ -39,8 +39,7 @@ public void close() throws IOException {
}

public void initialize(ServiceConfiguration serviceConfiguration) throws IOException {
log.info("Initialize Pulsar Biscuit Authentication plugin...");

log.info("Initializing Pulsar Biscuit Authentication plugin...");
log.info("With JWT authentication support?");
isJWTSupported = Boolean.parseBoolean((String) serviceConfiguration.getProperty(CONF_BISCUIT_SUPPORT_JWT));
if (isJWTSupported) {
Expand All @@ -55,13 +54,11 @@ public void initialize(ServiceConfiguration serviceConfiguration) throws IOExcep
log.info("Biscuit authentication configuration...");
String key = (String) serviceConfiguration.getProperty(CONF_BISCUIT_PUBLIC_ROOT_KEY);
log.debug("Got biscuit root public key: {}", key);
SEALING_KEY = (String) serviceConfiguration.getProperty(CONF_BISCUIT_SEALING_KEY);
log.debug("Got biscuit sealing key: {}", SEALING_KEY);
try {
rootKey = new PublicKey(hexStringToByteArray(key));
rootKey = new PublicKey(Schema.PublicKey.Algorithm.Ed25519, hexStringToByteArray(key));
log.info("Biscuit authentication initialized.");
} catch (Exception e) {
log.error("Could not decode Biscuit root public key: {}", e);
} catch (Exception ex) {
log.error("Could not decode Biscuit root public key", ex);
throw new IOException();
}
}
Expand Down Expand Up @@ -113,27 +110,13 @@ private static String validateBearer(final String bearer) throws AuthenticationE
}
}

private String parseBiscuit(final String biscuit) throws AuthenticationException {
log.debug("Biscuit to parse: {}", biscuit);
private String parseBiscuit(final String biscuitB64Url) throws AuthenticationException {
log.debug("Biscuit to parse: {}", biscuitB64Url);
try {
Either<Error, Biscuit> deser = Biscuit.from_b64(biscuit);

if (deser.isLeft()) {
throw new AuthenticationException("Could not deserialize biscuit");
} else {
Biscuit realBiscuit = deser.get();
log.debug("Deserialized biscuit");

if (realBiscuit.check_root_key(rootKey).isLeft()) {
throw new AuthenticationException("This biscuit was not generated with the expected root key");
}
log.debug("Root key is valid");

byte[] sealed = realBiscuit.seal(SEALING_KEY.getBytes()).get();
log.debug("Biscuit deserialized and sealed");
return "biscuit:" + Base64.getUrlEncoder().encodeToString(sealed);
}
} catch (IllegalArgumentException e) {
Biscuit.from_b64url(biscuitB64Url, rootKey);
log.debug("Deserialized biscuit");
return "biscuit:" + biscuitB64Url;
} catch (IllegalArgumentException | NoSuchAlgorithmException | SignatureException | InvalidKeyException | Error e) {
throw new AuthenticationException(e.getMessage());
}
}
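Review bot: `rootKey` on line 174 becomes a non-final, package-private `static` field, so the verification trust root is now process-global, assignable by any class in `com.clevercloud.biscuitpulsar`, and set by whichever instance's `initialize` runs last; presumably this is so the authorization provider can read it, but it should at least be `private static volatile PublicKey rootKey;` exposed through a package-private getter such as `static PublicKey rootKey() { return rootKey; }` so nothing outside `initialize` can replace the key every token is checked against. Line 202 rethrows `throw new IOException();` with neither message nor cause, so the broker's startup failure carries no detail beyond the preceding log line; `throw new IOException("Could not decode Biscuit root public key", ex);` keeps the context on the exception itself. Line 212 still writes the full bearer token to the debug log, and since that token is the client's credential it should be logged at most by length or prefix, e.g. `log.debug("Biscuit to parse ({} chars)", biscuitB64Url.length());`. Finally, `Biscuit.from_b64url(biscuitB64Url, rootKey)` on line 232 appears to be what now performs the signature check, with the parsed token discarded and the raw string returned as the role, so a one-line comment there stating that the token has been verified against `rootKey` but not yet authorized would help the next reader understand why the result is unused.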
