
Example 1 with TestSecurityConfig

use of org.apache.kafka.common.security.TestSecurityConfig in project apache-kafka-on-k8s by banzaicloud.

the class SslTransportLayerTest method testClientEndpointNotValidated.

/**
 * Verifies that a client certificate naming a host that does not match the client is
 * still accepted by a server whose SSL engine has endpoint identification enabled.
 *
 * RFC 2818 observes that a server normally has no external knowledge of what the
 * client's identity ought to be, so beyond requiring a chain rooted in an appropriate CA
 * no further checks are possible; only a server with such external knowledge SHOULD
 * check the identity. The Java SSL engine accordingly performs no endpoint validation of
 * the client address, which is why Kafka can skip the reverse DNS lookup when it builds
 * the engine. Should a future JDK start validating the client endpoint, this test will
 * fail and signal that the server-side SSL code needs to enable validation and supply a
 * hostname.
 */
@Test
public void testClientEndpointNotValidated() throws Exception {
    final String clientNode = "0";
    // The client certificate deliberately names a host that does not exist.
    clientCertStores = new CertStores(false, "non-existent.com");
    serverCertStores = new CertStores(true, "localhost");
    sslServerConfigs = serverCertStores.getTrustingConfig(clientCertStores);
    sslClientConfigs = clientCertStores.getTrustingConfig(serverCertStores);
    // Server-side builder that turns on HTTPS endpoint identification on every engine it creates.
    SslChannelBuilder validatingServerBuilder = new TestSslChannelBuilder(Mode.SERVER) {

        @Override
        protected TestSslTransportLayer newTransportLayer(String id, SelectionKey key, SSLEngine sslEngine) throws IOException {
            SSLParameters params = sslEngine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sslEngine.setSSLParameters(params);
            return super.newTransportLayer(id, key, sslEngine);
        }
    };
    validatingServerBuilder.configure(sslServerConfigs);
    ListenerName listener = ListenerName.forSecurityProtocol(SecurityProtocol.SSL);
    server = new NioEchoServer(listener, SecurityProtocol.SSL, new TestSecurityConfig(sslServerConfigs), "localhost", validatingServerBuilder, null);
    server.start();
    createSelector(sslClientConfigs);
    InetSocketAddress serverAddr = new InetSocketAddress("localhost", server.port());
    selector.connect(clientNode, serverAddr, BUFFER_SIZE, BUFFER_SIZE);
    // The connection must succeed despite the bogus hostname in the client certificate.
    NetworkTestUtils.checkClientConnection(selector, clientNode, 100, 10);
}
Also used : SelectionKey(java.nio.channels.SelectionKey) SSLParameters(javax.net.ssl.SSLParameters) SSLEngine(javax.net.ssl.SSLEngine) InetSocketAddress(java.net.InetSocketAddress) TestSecurityConfig(org.apache.kafka.common.security.TestSecurityConfig) Test(org.junit.Test)

Example 2 with TestSecurityConfig

use of org.apache.kafka.common.security.TestSecurityConfig in project apache-kafka-on-k8s by banzaicloud.

the class SslTransportLayerTest method testPeerNotifiedOfHandshakeFailure.

/**
 * Verifies that a client whose handshake is rejected by the server observes an
 * authentication failure rather than a bare connection failure, even when the server
 * delays its writes: the rejection must only surface once the pending writes have
 * completed.
 */
@Test
public void testPeerNotifiedOfHandshakeFailure() throws Exception {
    sslServerConfigs = serverCertStores.getUntrustingConfig();
    sslServerConfigs.put(BrokerSecurityConfigs.SSL_CLIENT_AUTH_CONFIG, "required");
    final String node = "0";
    // Run once without delay, then with increasing flush delays, so the delayed path is covered too.
    for (int flushDelay = 0; flushDelay < 3; flushDelay++) {
        TestSslChannelBuilder delayingServerBuilder = new TestSslChannelBuilder(Mode.SERVER);
        delayingServerBuilder.configure(sslServerConfigs);
        delayingServerBuilder.flushDelayCount = flushDelay;
        ListenerName listener = ListenerName.forSecurityProtocol(SecurityProtocol.SSL);
        server = new NioEchoServer(listener, SecurityProtocol.SSL, new TestSecurityConfig(sslServerConfigs), "localhost", delayingServerBuilder, null);
        server.start();
        createSelector(sslClientConfigs);
        InetSocketAddress serverAddr = new InetSocketAddress("localhost", server.port());
        selector.connect(node, serverAddr, BUFFER_SIZE, BUFFER_SIZE);
        // The client side must end in AUTHENTICATION_FAILED, not a plain disconnect.
        NetworkTestUtils.waitForChannelClose(selector, node, ChannelState.State.AUTHENTICATION_FAILED);
        server.close();
        selector.close();
    }
}
Also used : InetSocketAddress(java.net.InetSocketAddress) TestSecurityConfig(org.apache.kafka.common.security.TestSecurityConfig) Test(org.junit.Test)

Example 3 with TestSecurityConfig

use of org.apache.kafka.common.security.TestSecurityConfig in project apache-kafka-on-k8s by banzaicloud.

the class AbstractConfigTest method testValuesWithPrefixAllOrNothing.

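/**
 * Verifies the all-or-nothing semantics of {@code valuesWithPrefixAllOrNothing}: when at
 * least one key carries the prefix, only the prefixed keys (with the prefix stripped) are
 * returned; when no key carries the prefix, the unprefixed values are returned instead.
 */
@Test
public void testValuesWithPrefixAllOrNothing() {
    String prefix1 = "prefix1.";
    String prefix2 = "prefix2.";
    Properties props = new Properties();
    props.put("sasl.mechanism", "PLAIN");
    props.put("prefix1.sasl.mechanism", "GSSAPI");
    props.put("prefix1.sasl.kerberos.kinit.cmd", "/usr/bin/kinit2");
    props.put("prefix1.ssl.truststore.location", "my location");
    props.put("sasl.kerberos.service.name", "service name");
    props.put("ssl.keymanager.algorithm", "algorithm");
    TestSecurityConfig config = new TestSecurityConfig(props);

    // prefix1 has matching keys: only those are returned, with the prefix stripped
    Map<String, Object> valuesWithPrefixAllOrNothing1 = config.valuesWithPrefixAllOrNothing(prefix1);
    assertEquals("GSSAPI", valuesWithPrefixAllOrNothing1.get("sasl.mechanism"));
    assertEquals("/usr/bin/kinit2", valuesWithPrefixAllOrNothing1.get("sasl.kerberos.kinit.cmd"));
    assertEquals("my location", valuesWithPrefixAllOrNothing1.get("ssl.truststore.location"));
    // Non-prefixed values are missing, and the raw prefixed key is not carried over
    assertFalse(valuesWithPrefixAllOrNothing1.containsKey("sasl.kerberos.service.name"));
    assertFalse(valuesWithPrefixAllOrNothing1.containsKey("ssl.keymanager.algorithm"));
    assertFalse(valuesWithPrefixAllOrNothing1.containsKey("prefix1.sasl.mechanism"));

    // prefix2 has no matching keys: the unprefixed values are returned, so callers see the
    // unprefixed sasl.mechanism rather than the prefix1 override
    Map<String, Object> valuesWithPrefixAllOrNothing2 = config.valuesWithPrefixAllOrNothing(prefix2);
    assertTrue(valuesWithPrefixAllOrNothing2.containsKey("sasl.kerberos.service.name"));
    assertTrue(valuesWithPrefixAllOrNothing2.containsKey("ssl.keymanager.algorithm"));
    assertEquals("PLAIN", valuesWithPrefixAllOrNothing2.get("sasl.mechanism"));
}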
Also used : TestSecurityConfig(org.apache.kafka.common.security.TestSecurityConfig) Properties(java.util.Properties) Test(org.junit.Test)

Example 4 with TestSecurityConfig

use of org.apache.kafka.common.security.TestSecurityConfig in project kafka by apache.

the class SaslChannelBuilderTest method createGssapiChannelBuilder.

/**
 * Builds a server-side GSSAPI {@link SaslChannelBuilder} whose {@code gssManager()} hook
 * returns the supplied manager, then configures it with the "kafka" Kerberos service name.
 *
 * @param jaasContexts JAAS contexts handed through to the builder unchanged
 * @param gssManager   the GSS manager the builder returns instead of its default
 * @return the configured builder
 */
private SaslChannelBuilder createGssapiChannelBuilder(Map<String, JaasContext> jaasContexts, GSSManager gssManager) {
    ListenerName gssapiListener = new ListenerName("GSSAPI");
    SaslChannelBuilder builder = new SaslChannelBuilder(Mode.SERVER, jaasContexts, SecurityProtocol.SASL_PLAINTEXT, gssapiListener, false, "GSSAPI", true, null, null, null, Time.SYSTEM, new LogContext(), defaultApiVersionsSupplier()) {

        @Override
        protected GSSManager gssManager() {
            // Inject the test-supplied manager in place of the real GSS-API one.
            return gssManager;
        }
    };
    Map<String, Object> serviceNameProps = Collections.singletonMap(SaslConfigs.SASL_KERBEROS_SERVICE_NAME, "kafka");
    builder.configure(new TestSecurityConfig(serviceNameProps).values());
    return builder;
}
Also used : TestSecurityConfig(org.apache.kafka.common.security.TestSecurityConfig) LogContext(org.apache.kafka.common.utils.LogContext)

Example 5 with TestSecurityConfig

use of org.apache.kafka.common.security.TestSecurityConfig in project kafka by apache.

the class SslTransportLayerTest method testPeerNotifiedOfHandshakeFailure.

/**
 * Verifies that a client whose handshake is rejected by the server observes an
 * authentication failure rather than a bare connection failure, even when the server
 * delays its writes: the rejection must only surface once the pending writes have
 * completed.
 */
@ParameterizedTest
@ArgumentsSource(SslTransportLayerArgumentsProvider.class)
public void testPeerNotifiedOfHandshakeFailure(Args args) throws Exception {
    args.sslServerConfigs = args.serverCertStores.getUntrustingConfig();
    args.sslServerConfigs.putAll(args.sslConfigOverrides);
    args.sslServerConfigs.put(BrokerSecurityConfigs.SSL_CLIENT_AUTH_CONFIG, "required");
    // Run once without delay, then with increasing flush delays, so the delayed path is covered too.
    for (int flushDelay = 0; flushDelay < 3; flushDelay++) {
        // One node id per iteration keeps the selector bookkeeping distinct between rounds.
        String node = String.valueOf(flushDelay);
        TestSslChannelBuilder delayingServerBuilder = new TestSslChannelBuilder(Mode.SERVER);
        delayingServerBuilder.configure(args.sslServerConfigs);
        delayingServerBuilder.flushDelayCount = flushDelay;
        ListenerName listener = ListenerName.forSecurityProtocol(SecurityProtocol.SSL);
        server = new NioEchoServer(listener, SecurityProtocol.SSL, new TestSecurityConfig(args.sslServerConfigs), "localhost", delayingServerBuilder, null, time);
        server.start();
        createSelector(args.sslClientConfigs);
        InetSocketAddress serverAddr = new InetSocketAddress("localhost", server.port());
        selector.connect(node, serverAddr, BUFFER_SIZE, BUFFER_SIZE);
        // The client side must end in AUTHENTICATION_FAILED, not a plain disconnect.
        NetworkTestUtils.waitForChannelClose(selector, node, ChannelState.State.AUTHENTICATION_FAILED);
        server.close();
        selector.close();
        delayingServerBuilder.close();
    }
}
Also used : InetSocketAddress(java.net.InetSocketAddress) TestSecurityConfig(org.apache.kafka.common.security.TestSecurityConfig) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest) ArgumentsSource(org.junit.jupiter.params.provider.ArgumentsSource)

Aggregations

TestSecurityConfig (org.apache.kafka.common.security.TestSecurityConfig)27 InetSocketAddress (java.net.InetSocketAddress)13 Properties (java.util.Properties)8 SecurityProtocol (org.apache.kafka.common.security.auth.SecurityProtocol)8 LogContext (org.apache.kafka.common.utils.LogContext)8 Test (org.junit.Test)8 ParameterizedTest (org.junit.jupiter.params.ParameterizedTest)8 Test (org.junit.jupiter.api.Test)7 ArgumentsSource (org.junit.jupiter.params.provider.ArgumentsSource)7 HashMap (java.util.HashMap)5 Password (org.apache.kafka.common.config.types.Password)5 ListenerName (org.apache.kafka.common.network.ListenerName)3 NioEchoServer (org.apache.kafka.common.network.NioEchoServer)3 SaslChannelBuilder (org.apache.kafka.common.network.SaslChannelBuilder)3 ApiVersionsResponse (org.apache.kafka.common.requests.ApiVersionsResponse)3 JaasContext (org.apache.kafka.common.security.JaasContext)3 SelectionKey (java.nio.channels.SelectionKey)2 Map (java.util.Map)2 SSLEngine (javax.net.ssl.SSLEngine)2 SSLParameters (javax.net.ssl.SSLParameters)2