Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix the scope for oauthbearer OIDC #3912

Merged
merged 2 commits into from
Jul 14, 2022
Merged

fix the scope for oauthbearer OIDC #3912

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2f9dd7b
fix the scope for oauthbearer OIDC
jliunyu Jul 14, 2022
c5dd8a1
style fix
Jul 14, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
105 changes: 91 additions & 14 deletions src/rdkafka_sasl_oauthbearer_oidc.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -205,6 +205,33 @@ static const char *rd_kafka_jwt_b64_decode_payload(const char *src,
return errstr;
}

/**
* @brief Build post_fields with \p scope.
* The format of the post_fields is
* `grant_type=client_credentials&scope=scope`
* The post_fields will be returned in \p *post_fields.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe document these two as @param i think?

* The post_fields_size will be returned in \p post_fields_size.
*
*/
static void rd_kafka_oidc_build_post_fields(const char *scope,
char **post_fields,
size_t *post_fields_size) {
size_t scope_size = 0;

if (scope)
scope_size = strlen(scope);
if (scope_size == 0) {
*post_fields = rd_strdup("grant_type=client_credentials");
*post_fields_size = strlen("grant_type=client_credentials");
} else {
*post_fields_size =
strlen("grant_type=client_credentials&scope=") + scope_size;
*post_fields = rd_malloc(*post_fields_size + 1);
rd_snprintf(*post_fields, *post_fields_size + 1,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"grant_type=client_credentials&scope=%s", scope);
}
}


/**
* @brief Implementation of Oauth/OIDC token refresh callback function,
Expand Down Expand Up @@ -240,7 +267,6 @@ void rd_kafka_oidc_token_refresh_cb(rd_kafka_t *rk,
size_t post_fields_size;
size_t extension_cnt;
size_t extension_key_value_cnt = 0;
size_t scope_size = 0;

char set_token_errstr[512];
char decode_payload_errstr[512];
Expand All @@ -256,19 +282,8 @@ void rd_kafka_oidc_token_refresh_cb(rd_kafka_t *rk,
&headers);

/* Build post fields */
if (rk->rk_conf.sasl.oauthbearer.scope)
scope_size = strlen(rk->rk_conf.sasl.oauthbearer.scope);
if (scope_size == 0) {
post_fields = rd_strdup("grant_type=client_credentials");
post_fields_size = strlen("grant_type=client_credentials");
} else {
post_fields_size =
strlen("grant_type=client_credentials&scope=") + scope_size;
post_fields = rd_malloc(post_fields_size + 1);
rd_snprintf(post_fields, post_fields_size,
"grant_type=client_credentials&scope=%s",
rk->rk_conf.sasl.oauthbearer.scope);
}
rd_kafka_oidc_build_post_fields(rk->rk_conf.sasl.oauthbearer.scope,
&post_fields, &post_fields_size);

token_url = rk->rk_conf.sasl.oauthbearer.token_endpoint_url;

Expand Down Expand Up @@ -510,6 +525,66 @@ static int ut_sasl_oauthbearer_oidc_with_empty_key(void) {
RD_UT_PASS();
}

/**
* @brief Make sure the post_fields return correct with the scope.
*/
static int ut_sasl_oauthbearer_oidc_post_fields(void) {
static const char *scope = "test-scope";
static const char *expected_post_fields =
"grant_type=client_credentials&scope=test-scope";

size_t expected_post_fields_size = strlen(expected_post_fields);

size_t post_fields_size;

char *post_fields;

RD_UT_BEGIN();

rd_kafka_oidc_build_post_fields(scope, &post_fields, &post_fields_size);

RD_UT_ASSERT(expected_post_fields_size == post_fields_size,
"Expected expected_post_fields_size is %zu"
"received post_fields_size is %zu",
expected_post_fields_size, post_fields_size);
RD_UT_ASSERT(!strcmp(expected_post_fields, post_fields),
"Expected expected_post_fields is %s"
"received post_fields is %s",
expected_post_fields, post_fields);

RD_UT_PASS();
}

/**
* @brief Make sure the post_fields return correct with the empty scope.
*/
static int ut_sasl_oauthbearer_oidc_post_fields_with_empty_scope(void) {
static const char *scope = NULL;
static const char *expected_post_fields =
"grant_type=client_credentials";

size_t expected_post_fields_size = strlen(expected_post_fields);

size_t post_fields_size;

char *post_fields;

RD_UT_BEGIN();

rd_kafka_oidc_build_post_fields(scope, &post_fields, &post_fields_size);

RD_UT_ASSERT(expected_post_fields_size == post_fields_size,
"Expected expected_post_fields_size is %zu"
"received post_fields_size is %zu",
expected_post_fields_size, post_fields_size);
RD_UT_ASSERT(!strcmp(expected_post_fields, post_fields),
"Expected expected_post_fields is %s"
"received post_fields is %s",
expected_post_fields, post_fields);

RD_UT_PASS();
}


/**
* @brief make sure the jwt is able to be extracted from HTTP(S) requests
Expand All @@ -519,5 +594,7 @@ int unittest_sasl_oauthbearer_oidc(void) {
int fails = 0;
fails += ut_sasl_oauthbearer_oidc_should_succeed();
fails += ut_sasl_oauthbearer_oidc_with_empty_key();
fails += ut_sasl_oauthbearer_oidc_post_fields();
fails += ut_sasl_oauthbearer_oidc_post_fields_with_empty_scope();
return fails;
}