
Example 6 with Password

use of org.apache.kafka.common.config.types.Password in project kafka by apache.

the class SaslAuthenticatorTest method testDynamicJaasConfiguration.

/**
 * Verifies that the per-client {@code sasl.jaas.config} property overrides the static,
 * JVM-wide JAAS configuration when a SASL client authenticates.
 *
 * <p>The static configuration is deliberately given a wrong password for {@code user1},
 * so any successful connection in this test can only come from the dynamic override.
 *
 * @throws Exception if the echo server or a client connection cannot be set up
 */
@Test
public void testDynamicJaasConfiguration() throws Exception {
    final String mechanism = "PLAIN";
    final SecurityProtocol saslSsl = SecurityProtocol.SASL_SSL;
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, mechanism);
    saslServerConfigs.put(SaslConfigs.SASL_ENABLED_MECHANISMS, Arrays.asList(mechanism));

    // Server-side login module options: the two accounts the server will accept.
    // These are fixed test fixtures, not real credentials.
    Map<String, Object> brokerUsers = new HashMap<>();
    brokerUsers.put("user_user1", "user1-secret");
    brokerUsers.put("user_user2", "user2-secret");

    TestJaasConfig jvmWideJaas = new TestJaasConfig();
    jvmWideJaas.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_SERVER, PlainLoginModule.class.getName(), brokerUsers);
    // Wrong on purpose: a client that falls back to the static config must be rejected.
    jvmWideJaas.setPlainClientOptions("user1", "invalidpassword");
    // Replaces the process-wide JAAS Configuration, so it stays installed after this method
    // returns. NOTE(review): presumably reset in the test's setup/teardown -- confirm.
    Configuration.setConfiguration(jvmWideJaas);
    server = createEchoServer(saslSsl);

    // 1. No override: the static (invalid) password is used and authentication fails.
    createAndCheckClientConnectionFailure(saslSsl, "1");

    // 2. Override with the correct password for user1: the connection succeeds.
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty(mechanism, "user1", "user1-secret"));
    createAndCheckClientConnection(saslSsl, "2");

    // 3. Override pairing user1 with user2's password: a secret that is valid for a
    //    different account must still be rejected.
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty(mechanism, "user1", "user2-secret"));
    createAndCheckClientConnectionFailure(saslSsl, "3");

    // 4. Override for user2: succeeds although the static configuration never names user2 as a client.
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty(mechanism, "user2", "user2-secret"));
    createAndCheckClientConnection(saslSsl, "4");

    // 5. Two login modules concatenated into one property value must be refused at client
    //    creation, even though each module on its own carries valid credentials.
    String firstModule = TestJaasConfig.jaasConfigProperty(mechanism, "user1", "user1-secret").value();
    String secondModule = TestJaasConfig.jaasConfigProperty(mechanism, "user2", "user2-secret").value();
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, new Password(firstModule + " " + secondModule));
    boolean rejected = false;
    try {
        createClientConnection(saslSsl, "1");
    } catch (IllegalArgumentException expected) {
        // Expected: the configuration is rejected before any connection is made.
        rejected = true;
    }
    if (!rejected) {
        fail("Connection created with multiple login modules in sasl.jaas.config");
    }
}
Also used : HashMap(java.util.HashMap) SecurityProtocol(org.apache.kafka.common.protocol.SecurityProtocol) PlainLoginModule(org.apache.kafka.common.security.plain.PlainLoginModule) Password(org.apache.kafka.common.config.types.Password) Test(org.junit.Test)

Example 7 with Password

use of org.apache.kafka.common.config.types.Password in project kafka by apache.

the class SslTransportLayerTest method testInvalidKeyPassword.

/**
 * Verifies that a client connection to an SSL server does not stay open when the
 * server is configured with an invalid key password.
 *
 * @throws Exception if the server, selector or connection attempt cannot be set up
 */
@Test
public void testInvalidKeyPassword() throws Exception {
    // Only the server's key password is replaced; the client configuration is left as is.
    sslServerConfigs.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, new Password("invalid"));
    server = createEchoServer(SecurityProtocol.SSL);
    createSelector(sslClientConfigs);

    final String nodeId = "0";
    InetSocketAddress serverAddress = new InetSocketAddress("localhost", server.port());
    selector.connect(nodeId, serverAddress, BUFFER_SIZE, BUFFER_SIZE);
    // The only check is that the channel ends up closed; the reason for the close is not
    // inspected here.
    NetworkTestUtils.waitForChannelClose(selector, nodeId);
}
Also used : InetSocketAddress(java.net.InetSocketAddress) Password(org.apache.kafka.common.config.types.Password) Test(org.junit.Test)

Example 8 with Password

use of org.apache.kafka.common.config.types.Password in project kafka by apache.

the class SslFactory method createSSLContext.

/**
 * Builds and initialises an {@link SSLContext} from this factory's protocol, optional
 * provider, optional key store, optional trust store and secure-random setting.
 *
 * @return the initialised context
 * @throws GeneralSecurityException if a JSSE factory, algorithm or key cannot be set up
 * @throws IOException declared for the key store / trust store {@code load()} calls
 */
private SSLContext createSSLContext() throws GeneralSecurityException, IOException {
    SSLContext context = (provider == null)
            ? SSLContext.getInstance(protocol)
            : SSLContext.getInstance(protocol, provider);

    // Stays null when no key store is configured; SSLContext.init then uses the
    // provider's default key managers rather than ones built here.
    KeyManager[] keyManagers = null;
    if (keystore != null) {
        String keyAlgorithm = this.kmfAlgorithm;
        if (keyAlgorithm == null) {
            keyAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
        }
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(keyAlgorithm);
        KeyStore loadedKeystore = keystore.load();

        // An explicit key password wins; otherwise the key store's own password is
        // reused for the private key.
        Password effectiveKeyPassword = this.keyPassword;
        if (effectiveKeyPassword == null) {
            effectiveKeyPassword = keystore.password;
        }
        // value() exposes the secret as a String and toCharArray() makes a further copy;
        // neither is cleared in this method.
        // NOTE(review): wiping the char[] after init() would need confirmation that the
        // KeyManagerFactory provider does not retain the array.
        keyManagerFactory.init(loadedKeystore, effectiveKeyPassword.value().toCharArray());
        keyManagers = keyManagerFactory.getKeyManagers();
    }

    String trustAlgorithm = this.tmfAlgorithm;
    if (trustAlgorithm == null) {
        trustAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
    }
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(trustAlgorithm);

    KeyStore loadedTruststore = null;
    if (truststore != null) {
        loadedTruststore = truststore.load();
    }
    // With no configured trust store a null KeyStore is passed, which makes the
    // TrustManagerFactory fall back to the JVM's default trust anchors. Peers are then
    // validated against that default CA set rather than a deployment-specific one.
    trustManagerFactory.init(loadedTruststore);

    context.init(keyManagers, trustManagerFactory.getTrustManagers(), this.secureRandomImplementation);
    return context;
}
Also used : TrustManagerFactory(javax.net.ssl.TrustManagerFactory) SSLContext(javax.net.ssl.SSLContext) KeyManager(javax.net.ssl.KeyManager) KeyStore(java.security.KeyStore) KeyManagerFactory(javax.net.ssl.KeyManagerFactory) Password(org.apache.kafka.common.config.types.Password)
