Example 16 with Password

Use of org.apache.kafka.common.config.types.Password in the kafka project by apache.

From the class ConfigDefTest, method testSslPasswords.

@Test
public void testSslPasswords() {
    ConfigDef def = new ConfigDef();
    SslConfigs.addClientSslSupport(def);
    Properties props = new Properties();
    props.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, "key_password");
    props.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "keystore_password");
    props.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "truststore_password");
    Map<String, Object> vals = def.parse(props);
    // Password-typed config entries are parsed into Password objects: equals() compares the
    // underlying secret, while toString() returns the fixed Password.HIDDEN placeholder, so
    // logging or printing the parsed config never exposes the clear-text value.
    assertEquals(new Password("key_password"), vals.get(SslConfigs.SSL_KEY_PASSWORD_CONFIG));
    assertEquals(Password.HIDDEN, vals.get(SslConfigs.SSL_KEY_PASSWORD_CONFIG).toString());
    assertEquals(new Password("keystore_password"), vals.get(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG));
    assertEquals(Password.HIDDEN, vals.get(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG).toString());
    assertEquals(new Password("truststore_password"), vals.get(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
    assertEquals(Password.HIDDEN, vals.get(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG).toString());
}

Example 17 with Password

Use of org.apache.kafka.common.config.types.Password in the kafka project by apache.

From the class SaslAuthenticatorTest, method testClientDynamicJaasConfiguration.

/**
 * Tests dynamic JAAS configuration property for SASL clients. Invalid client credentials
 * are set in the static JVM-wide configuration instance to ensure that the dynamic
 * property override is used during authentication.
 */
@Test
public void testClientDynamicJaasConfiguration() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
    saslServerConfigs.put(BrokerSecurityConfigs.SASL_ENABLED_MECHANISMS_CONFIG, Arrays.asList("PLAIN"));
    Map<String, Object> serverOptions = new HashMap<>();
    serverOptions.put("user_user1", "user1-secret");
    serverOptions.put("user_user2", "user2-secret");
    TestJaasConfig staticJaasConfig = new TestJaasConfig();
    staticJaasConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_SERVER, PlainLoginModule.class.getName(), serverOptions);
    staticJaasConfig.setClientOptions("PLAIN", "user1", "invalidpassword");
    Configuration.setConfiguration(staticJaasConfig);
    server = createEchoServer(securityProtocol);
    // Check that client using static Jaas config does not connect since password is invalid
    createAndCheckClientConnectionFailure(securityProtocol, "1");
    // Check that 'user1' can connect with a Jaas config property override
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "user1", "user1-secret"));
    createAndCheckClientConnection(securityProtocol, "2");
    // Check that invalid password specified as Jaas config property results in connection failure
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "user1", "user2-secret"));
    createAndCheckClientConnectionFailure(securityProtocol, "3");
    // Check that another user 'user2' can also connect with a Jaas config override without any changes to static configuration
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "user2", "user2-secret"));
    createAndCheckClientConnection(securityProtocol, "4");
    // Check that clients specifying multiple login modules fail even if the credentials are valid
    String module1 = TestJaasConfig.jaasConfigProperty("PLAIN", "user1", "user1-secret").value();
    String module2 = TestJaasConfig.jaasConfigProperty("PLAIN", "user2", "user2-secret").value();
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, new Password(module1 + " " + module2));
    try {
        createClientConnection(securityProtocol, "1");
        fail("Connection created with multiple login modules in sasl.jaas.config");
    } catch (IllegalArgumentException e) {
        // Expected
    }
}

Example 18 with Password

Use of org.apache.kafka.common.config.types.Password in the kafka project by apache.

From the class LoginManager, method acquireLoginManager.

/**
 * Returns an instance of `LoginManager` and increases its reference count.
 *
 * `release()` should be invoked when the `LoginManager` is no longer needed. This method will try to reuse an
 * existing `LoginManager` for the provided context type. If `jaasContext` was loaded from a dynamic config,
 * login managers are reused for the same dynamic config value. For `jaasContext` loaded from static JAAS
 * configuration, login managers are reused for static contexts with the same login context name.
 *
 * This is a bit ugly and it would be nicer if we could pass the `LoginManager` to `ChannelBuilders.create` and
 * shut it down when the broker or clients are closed. It's straightforward to do the former, but it's more
 * complicated to do the latter without making the consumer API more complex.
 *
 * @param jaasContext Static or dynamic JAAS context. `jaasContext.dynamicJaasConfig()` is non-null for dynamic context.
 *                    For static contexts, this may contain multiple login modules if the context type is SERVER.
 *                    For CLIENT static contexts and dynamic contexts of CLIENT and SERVER, 'jaasContext` contains
 *                    only one login module.
 * @param saslMechanism SASL mechanism for which login manager is being acquired. For dynamic contexts, the single
 *                      login module in `jaasContext` corresponds to this SASL mechanism. Hence `Login` class is
 *                      chosen based on this mechanism.
 * @param defaultLoginClass Default login class to use if an override is not specified in `configs`
 * @param configs Config options used to configure `Login` if a new login manager is created.
 */
public static LoginManager acquireLoginManager(JaasContext jaasContext, String saslMechanism, Class<? extends Login> defaultLoginClass, Map<String, ?> configs) throws LoginException {
    Class<? extends Login> loginClass = configuredClassOrDefault(configs, jaasContext, saslMechanism, SaslConfigs.SASL_LOGIN_CLASS, defaultLoginClass);
    Class<? extends AuthenticateCallbackHandler> defaultLoginCallbackHandlerClass = OAuthBearerLoginModule.OAUTHBEARER_MECHANISM.equals(saslMechanism) ? OAuthBearerUnsecuredLoginCallbackHandler.class : AbstractLogin.DefaultLoginCallbackHandler.class;
    Class<? extends AuthenticateCallbackHandler> loginCallbackClass = configuredClassOrDefault(configs, jaasContext, saslMechanism, SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS, defaultLoginCallbackHandlerClass);
    synchronized (LoginManager.class) {
        LoginManager loginManager;
        Password jaasConfigValue = jaasContext.dynamicJaasConfig();
        if (jaasConfigValue != null) {
            LoginMetadata<Password> loginMetadata = new LoginMetadata<>(jaasConfigValue, loginClass, loginCallbackClass);
            loginManager = DYNAMIC_INSTANCES.get(loginMetadata);
            if (loginManager == null) {
                loginManager = new LoginManager(jaasContext, saslMechanism, configs, loginMetadata);
                DYNAMIC_INSTANCES.put(loginMetadata, loginManager);
            }
        } else {
            LoginMetadata<String> loginMetadata = new LoginMetadata<>(jaasContext.name(), loginClass, loginCallbackClass);
            loginManager = STATIC_INSTANCES.get(loginMetadata);
            if (loginManager == null) {
                loginManager = new LoginManager(jaasContext, saslMechanism, configs, loginMetadata);
                STATIC_INSTANCES.put(loginMetadata, loginManager);
            }
        }
        SecurityUtils.addConfiguredSecurityProviders(configs);
        return loginManager.acquire();
    }
}

Example 19 with Password

Use of org.apache.kafka.common.config.types.Password in the kafka project by apache.

From the class TestSslUtils, method createSslConfig.

public static Map<String, Object> createSslConfig(boolean useClientCert, boolean trustStore, Mode mode, File trustStoreFile, String certAlias, String host) throws IOException, GeneralSecurityException {
    Map<String, X509Certificate> certs = new HashMap<>();
    File keyStoreFile = null;
    // Keystore password depends on the side being configured; the truststore password is shared.
    Password password = mode == Mode.SERVER ? new Password("ServerPassword") : new Password("ClientPassword");
    Password trustStorePassword = new Password("TrustStorePassword");
    if (mode == Mode.CLIENT && useClientCert) {
        // Client keystore: self-signed cert for the client key, only when client auth is requested.
        keyStoreFile = File.createTempFile("clientKS", ".jks");
        KeyPair cKP = generateKeyPair("RSA");
        X509Certificate cCert = generateCertificate("CN=" + host + ", O=A client", cKP, 30, "SHA1withRSA");
        createKeyStore(keyStoreFile.getPath(), password, "client", cKP.getPrivate(), cCert);
        certs.put(certAlias, cCert);
        keyStoreFile.deleteOnExit();
    } else if (mode == Mode.SERVER) {
        // Server keystore: the same value is used as both the keystore and the key password.
        keyStoreFile = File.createTempFile("serverKS", ".jks");
        KeyPair sKP = generateKeyPair("RSA");
        X509Certificate sCert = generateCertificate("CN=" + host + ", O=A server", sKP, 30, "SHA1withRSA");
        createKeyStore(keyStoreFile.getPath(), password, password, "server", sKP.getPrivate(), sCert);
        certs.put(certAlias, sCert);
        keyStoreFile.deleteOnExit();
    }
    if (trustStore) {
        // The generated certificate(s) are added to the truststore so the peer can verify them.
        createTrustStore(trustStoreFile.getPath(), trustStorePassword, certs);
        trustStoreFile.deleteOnExit();
    }
    return createSslConfig(mode, keyStoreFile, password, password, trustStoreFile, trustStorePassword);
}

Example 20 with Password

Use of org.apache.kafka.common.config.types.Password in the kafka project by apache.

From the class SaslAuthenticatorTest, method testDynamicJaasConfiguration.

/**
 * Tests dynamic JAAS configuration property for SASL clients. Invalid client credentials
 * are set in the static JVM-wide configuration instance to ensure that the dynamic
 * property override is used during authentication.
 */
@Test
public void testDynamicJaasConfiguration() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
    saslServerConfigs.put(SaslConfigs.SASL_ENABLED_MECHANISMS, Arrays.asList("PLAIN"));
    Map<String, Object> serverOptions = new HashMap<>();
    serverOptions.put("user_user1", "user1-secret");
    serverOptions.put("user_user2", "user2-secret");
    TestJaasConfig staticJaasConfig = new TestJaasConfig();
    staticJaasConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_SERVER, PlainLoginModule.class.getName(), serverOptions);
    staticJaasConfig.setPlainClientOptions("user1", "invalidpassword");
    Configuration.setConfiguration(staticJaasConfig);
    server = createEchoServer(securityProtocol);
    // Check that client using static Jaas config does not connect since password is invalid
    createAndCheckClientConnectionFailure(securityProtocol, "1");
    // Check that 'user1' can connect with a Jaas config property override
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "user1", "user1-secret"));
    createAndCheckClientConnection(securityProtocol, "2");
    // Check that invalid password specified as Jaas config property results in connection failure
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "user1", "user2-secret"));
    createAndCheckClientConnectionFailure(securityProtocol, "3");
    // Check that another user 'user2' can also connect with a Jaas config override without any changes to static configuration
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "user2", "user2-secret"));
    createAndCheckClientConnection(securityProtocol, "4");
    // Check that clients specifying multiple login modules fail even if the credentials are valid
    String module1 = TestJaasConfig.jaasConfigProperty("PLAIN", "user1", "user1-secret").value();
    String module2 = TestJaasConfig.jaasConfigProperty("PLAIN", "user2", "user2-secret").value();
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, new Password(module1 + " " + module2));
    try {
        createClientConnection(securityProtocol, "1");
        fail("Connection created with multiple login modules in sasl.jaas.config");
    } catch (IllegalArgumentException e) {
        // Expected
    }
}