auth0 jwt factory

Author: zzzming

.gitignore

@@ -21,3 +21,6 @@
 
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*
+
+# maven
+target

README.md

@@ -1,2 +1,21 @@
 # pulsar-client-plugin
 Pulsar client plugin for auth0, aws, and etc.
+
+# auth0
+
+Auth0 integration consists of the client side plugin and a broker auth plugin. The client plugin generates an auth0 jwt.
+
+``` java
+String domain = "https://<your auth0 domain>.auth0.com/oauth/token";
+String clientId = "";
+String clientSecret = "";
+String audience = "https://useast2.aws.kafkaesque.io";
+
+// Create client object
+PulsarClient client = PulsarClient.builder()
+                .serviceUrl(SERVICE_URL)
+                .authentication(
+                    AuthFactory.auth0(domain, clientId, clientSecret, audience)
+                )
+                .build();
+```

java/.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "java.configuration.updateBuildConfiguration": "automatic"
+}

java/.vscode/tasks.json

@@ -0,0 +1,25 @@
+{
+    // See https://go.microsoft.com/fwlink/?LinkId=733558
+    // for the documentation about the tasks.json format
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "verify",
+            "type": "shell",
+            "command": "mvn -B verify",
+            "group": "build"
+        },
+        {
+            "label": "compile",
+            "type": "shell",
+            "command": "mvn -B compile",
+            "group": "build"
+        },
+        {
+            "label": "test",
+            "type": "shell",
+            "command": "mvn -B test",
+            "group": "test"
+        }
+    ]
+}

java/pom.xml

@@ -0,0 +1,86 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>com.kq.pulsar.client</groupId>
+  <artifactId>SimpleClient</artifactId>
+  <packaging>jar</packaging>
+  <version>1.0-SNAPSHOT</version>
+  <name>SimpleClient</name>
+  <url>http://maven.apache.org</url>
+  <properties>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <pulsar.version>2.4.1</pulsar.version>
+  </properties>
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.8.1</version>
+        <configuration>
+          <source>1.8</source>
+          <target>1.8</target>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+  <dependencies>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>3.8.1</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.auth0</groupId>
+      <artifactId>java-jwt</artifactId>
+      <version>3.9.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.auth0</groupId>
+      <artifactId>jwks-rsa</artifactId>
+      <version>0.9.0</version>
+    </dependency>
+    <dependency>
+        <groupId>org.apache.pulsar</groupId>
+        <artifactId>pulsar-client</artifactId>
+        <version>${pulsar.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+      <version>21.0</version>
+    </dependency>
+    <!-- dependency>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-classic</artifactId>
+      <version>1.1.3</version>
+    </dependency -->
+
+    <dependency>
+      <groupId>com.konghq</groupId>
+      <artifactId>unirest-java</artifactId>
+      <version>3.4.00</version>
+    </dependency>
+
+    <dependency>
+      <groupId>javax.ws.rs</groupId>
+      <artifactId>javax.ws.rs-api</artifactId>
+      <version>2.1.1</version>
+    </dependency>
+    
+    <dependency>
+      <groupId>io.jsonwebtoken</groupId>
+      <artifactId>jjwt-impl</artifactId>
+      <version>0.10.5</version>
+    </dependency>
+
+    <dependency>
+      <groupId>io.jsonwebtoken</groupId>
+      <artifactId>jjwt-jackson</artifactId>
+      <version>0.10.5</version>
+    </dependency>
+  </dependencies>
+</project>

java/src/main/java/com/kq/pulsar/client/auth/AuthFactory.java

@@ -0,0 +1,24 @@
+package com.kq.pulsar.client.auth;
+
+import com.kq.pulsar.client.auth.AuthenticationAuth0;
+import com.kq.pulsar.client.auth.auth0.Auth0JWT;
+
+import org.apache.pulsar.client.api.Authentication;
+
+public final class AuthFactory {
+
+    private AuthFactory() {}
+
+    /**
+     * Request JWT from autho and pass the JWT to pulsar broker.
+     * @param domain
+     * @param clientId
+     * @param clientSecret
+     * @param audience
+     * @return
+     */
+    public static Authentication auth0(String domain, String clientId, String clientSecret, String audience) {
+        return new AuthenticationAuth0(Auth0JWT.create(domain, clientId, clientSecret, audience).generateAndCheck());
+
+    }
+}

java/src/main/java/com/kq/pulsar/client/auth/AuthenticationAuth0.java

@@ -0,0 +1,83 @@
+package com.kq.pulsar.client.auth;
+
+import com.google.common.base.Charsets;
+
+import java.io.IOException;
+import java.net.URI;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.Map;
+import java.util.function.Supplier;
+
+import org.apache.pulsar.client.api.Authentication;
+import org.apache.pulsar.client.api.AuthenticationDataProvider;
+import org.apache.pulsar.client.api.EncodedAuthenticationParameterSupport;
+import org.apache.pulsar.client.api.PulsarClientException;
+
+/**
+ * JWT based authentication provider.
+ */
+public class AuthenticationAuth0 implements Authentication, EncodedAuthenticationParameterSupport {
+
+    /**
+     *
+     */
+    private static final long serialVersionUID = 1L;
+    private Supplier<String> tokenSupplier;
+
+    public AuthenticationAuth0(String token) {
+        this(() -> token);
+    }
+
+    public AuthenticationAuth0(Supplier<String> tokenSupplier) {
+        this.tokenSupplier = tokenSupplier;
+    }
+
+    @Override
+    public void close() throws IOException {
+        // noop
+    }
+
+    @Override
+    public String getAuthMethodName() {
+        return "token";
+    }
+
+    @Override
+    public AuthenticationDataProvider getAuthData() throws PulsarClientException {
+        // return new AuthenticationDataToken(tokenSupplier);
+        return new AuthenticationDataAuth0(tokenSupplier);
+    }
+
+    @Override
+    public void configure(String encodedAuthParamString) {
+        // Interpret the whole param string as the token. If the string contains the notation `token:xxxxx` then strip
+        // the prefix
+        if (encodedAuthParamString.startsWith("token:")) {
+            this.tokenSupplier = () -> encodedAuthParamString.substring("token:".length());
+        } else if (encodedAuthParamString.startsWith("file:")) {
+            // Read token from a file
+            URI filePath = URI.create(encodedAuthParamString);
+            this.tokenSupplier = () -> {
+                try {
+                    return new String(Files.readAllBytes(Paths.get(filePath)), Charsets.UTF_8).trim();
+                } catch (IOException e) {
+                    throw new RuntimeException("Failed to read token from file", e);
+                }
+            };
+        } else {
+            this.tokenSupplier = () -> encodedAuthParamString;
+        }
+    }
+
+    @Override
+    public void configure(Map<String, String> authParams) {
+        // noop
+    }
+
+    @Override
+    public void start() throws PulsarClientException {
+        // noop
+    }
+
+}

java/src/main/java/com/kq/pulsar/client/auth/AuthenticationDataAuth0.java

@@ -0,0 +1,93 @@
+package com.kq.pulsar.client.auth;
+
+import java.util.Map;
+
+import java.util.Set;
+import java.util.function.Supplier;
+
+import javax.naming.AuthenticationException;
+
+import org.apache.pulsar.common.api.AuthData;
+
+import org.apache.pulsar.client.api.AuthenticationDataProvider;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+/**
+ * This plugin requires auth0 token.
+ */
+public class AuthenticationDataAuth0 implements AuthenticationDataProvider {
+
+    /**
+     *
+     */
+    private static final long serialVersionUID = 1L;
+
+    private final Supplier<String> auth0Token;
+
+    public AuthenticationDataAuth0(Supplier<String> token) {
+        auth0Token = token;
+	}
+
+    /*
+     * HTTP
+     */
+
+    /**
+     * Check if data for HTTP are available.
+     *
+     * @return true if this authentication data contain data for HTTP
+     */
+    public boolean hasDataForHttp() {
+        return true;
+    }
+
+    /**
+     *
+     * @return a authentication scheme, or {@code null} if the request will not be authenticated.
+     */
+    public String getHttpAuthType() {
+        return null;
+    }
+
+    /**
+     *
+     * @return an enumeration of all the header names
+     */
+    public Set<Map.Entry<String, String>> getHttpHeaders() throws Exception {
+        return null;
+    }
+
+    /*
+     * Command
+     */
+
+    /**
+     * Check if data from Pulsar protocol are available.
+     *
+     * @return true if this authentication data contain data from Pulsar protocol
+     */
+    public boolean hasDataFromCommand() {
+        return auth0Token.get() != null;
+    }
+
+    /**
+     *
+     * @return authentication data which will be stored in a command
+     */
+    public String getCommandData() {
+        return auth0Token.get();
+    }
+
+    /**
+     * For mutual authentication, This method use passed in `data` to evaluate and challenge,
+     * then returns null if authentication has completed;
+     * returns authenticated data back to server side, if authentication has not completed.
+     *
+     * <p>Mainly used for mutual authentication like sasl.
+     */
+    public AuthData authenticate(AuthData data) throws AuthenticationException {
+        byte[] bytes = (hasDataFromCommand() ? this.getCommandData() : "").getBytes(UTF_8);
+        return AuthData.of(bytes);
+    }
+    
+}