
Example 6 with TestSecurityConfig

use of org.apache.kafka.common.security.TestSecurityConfig in project kafka by apache.

Class SslTransportLayerTest, method testServerKeystoreDynamicUpdateWithNewSubjectAltName.

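/**
 * Verifies that a server keystore can be rotated at runtime as long as the new
 * certificate still covers every SubjectAltName the old one had, and that a
 * rotation which drops an existing SAN is rejected before it takes effect.
 * <p>
 * Flow: connect against the original keystore; reconfigure the listener with a
 * certificate whose SANs ({@code localhost}, {@code *.example.com}) are a superset
 * of the original and connect again with a client trusting that certificate; then
 * submit a keystore whose certificate only carries {@code localhost} and check
 * that validation refuses it and the listener keeps serving the already connected
 * client configuration.
 *
 * @param args SSL client/server configs and the PEM/keystore mode supplied by
 *             {@link SslTransportLayerArgumentsProvider}
 * @throws Exception on any connection or reconfiguration failure
 */
@ParameterizedTest
@ArgumentsSource(SslTransportLayerArgumentsProvider.class)
public void testServerKeystoreDynamicUpdateWithNewSubjectAltName(Args args) throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SSL;
    TestSecurityConfig config = new TestSecurityConfig(args.sslServerConfigs);
    ListenerName listenerName = ListenerName.forSecurityProtocol(securityProtocol);
    ChannelBuilder serverChannelBuilder = ChannelBuilders.serverChannelBuilder(listenerName, false, securityProtocol, config, null, null, time, new LogContext(), defaultApiVersionsSupplier());
    server = new NioEchoServer(listenerName, securityProtocol, config, "localhost", serverChannelBuilder, null, time);
    server.start();
    InetSocketAddress addr = new InetSocketAddress("localhost", server.port());

    // Baseline: a client trusting the original keystore must be able to connect.
    // The selector is a local, so close it ourselves even if the check fails.
    Selector initialSelector = createSelector(args.sslClientConfigs);
    try {
        String node1 = "1";
        initialSelector.connect(node1, addr, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(initialSelector, node1, 100, 10);
    } finally {
        initialSelector.close();
    }

    // New server certificate whose SANs are a superset of the original one: clients
    // that verify the server hostname against "localhost" keep working.
    TestSslUtils.CertificateBuilder certBuilder = new TestSslUtils.CertificateBuilder().sanDnsNames("localhost", "*.example.com");
    String truststorePath = (String) args.sslClientConfigs.get(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG);
    // May be null when the client config carries no truststore file (presumably the inline-PEM case).
    File truststoreFile = truststorePath != null ? new File(truststorePath) : null;
    TestSslUtils.SslConfigsBuilder builder = new TestSslUtils.SslConfigsBuilder(Mode.SERVER).useClientCert(false).certAlias("server").cn("server").certBuilder(certBuilder).createNewTrustStore(truststoreFile).usePem(args.useInlinePem);
    Map<String, Object> newConfigs = builder.build();

    // Only the keystore properties are pushed to the listener; validate first, as the broker would.
    ListenerReconfigurable reconfigurableBuilder = (ListenerReconfigurable) serverChannelBuilder;
    Map<String, Object> newKeystoreConfigs = keystorePropsFrom(newConfigs);
    reconfigurableBuilder.validateReconfiguration(newKeystoreConfigs);
    reconfigurableBuilder.reconfigure(newKeystoreConfigs);

    // Point the client at the truststore that contains the rotated certificate.
    for (String propName : CertStores.TRUSTSTORE_PROPS) {
        args.sslClientConfigs.put(propName, newConfigs.get(propName));
    }
    Selector selector = createSelector(args.sslClientConfigs);
    try {
        String node2 = "2";
        selector.connect(node2, addr, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(selector, node2, 100, 10);

        // A certificate that drops "*.example.com" would silently break any client
        // relying on that SAN, so the reconfiguration must fail validation.
        TestSslUtils.CertificateBuilder invalidBuilder = new TestSslUtils.CertificateBuilder().sanDnsNames("localhost");
        if (!args.useInlinePem)
            builder.useExistingTrustStore(truststoreFile);
        Map<String, Object> invalidConfig = builder.certBuilder(invalidBuilder).build();
        verifyInvalidReconfigure(reconfigurableBuilder, keystorePropsFrom(invalidConfig), "keystore without existing SubjectAltName");

        // After the rejected update the listener must still accept the client that
        // trusts the superset certificate.
        String node3 = "3";
        selector.connect(node3, addr, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(selector, node3, 100, 10);
    } finally {
        selector.close();
    }
}

/**
 * Extracts the keystore-related properties from a full SSL config map.
 *
 * @param configs SSL configs produced by {@link TestSslUtils.SslConfigsBuilder#build()}
 * @return a fresh map holding only the {@link CertStores#KEYSTORE_PROPS} entries
 */
private static Map<String, Object> keystorePropsFrom(Map<String, Object> configs) {
    Map<String, Object> keystoreConfigs = new HashMap<>();
    for (String propName : CertStores.KEYSTORE_PROPS) {
        keystoreConfigs.put(propName, configs.get(propName));
    }
    return keystoreConfigs;
}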

Example 7 with TestSecurityConfig

use of org.apache.kafka.common.security.TestSecurityConfig in project kafka by apache.

Class SslTransportLayerTest, method testInterBrokerSslConfigValidationFailure.

/**
 * Verifies that building an inter-broker SSL listener fails when the certificates in
 * its keystore are not trusted by its own truststore. With
 * {@code ssl.client.auth=required} the keystore is validated against the truststore
 * while the channel builder is constructed, and the failure surfaces as a
 * {@link KafkaException} rather than at the first handshake.
 *
 * @param args SSL client/server configs supplied by {@link SslTransportLayerArgumentsProvider}
 */
@ParameterizedTest
@ArgumentsSource(SslTransportLayerArgumentsProvider.class)
public void testInterBrokerSslConfigValidationFailure(Args args) {
    // Require client certificates so the broker's own identity has to be trusted.
    args.sslServerConfigs.put(BrokerSecurityConfigs.SSL_CLIENT_AUTH_CONFIG, "required");
    TestSecurityConfig serverConfig = new TestSecurityConfig(args.sslServerConfigs);
    ListenerName listener = ListenerName.forSecurityProtocol(SecurityProtocol.SSL);
    // The boolean argument is presumably the inter-broker flag (it is the one difference
    // from the non-inter-broker builder calls elsewhere in this class); it is what makes
    // construction itself throw here.
    assertThrows(KafkaException.class, () ->
        ChannelBuilders.serverChannelBuilder(listener, true, SecurityProtocol.SSL, serverConfig, null, null, time, new LogContext(), defaultApiVersionsSupplier()));
}

Example 8 with TestSecurityConfig

use of org.apache.kafka.common.security.TestSecurityConfig in project kafka by apache.

Class SslVersionsTransportLayerTest, method testTlsDefaults.

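/**
 * Verifies the TLS handshake outcome for a given pair of server and client protocol
 * lists. When {@code isCompatible} reports the lists as compatible, the connection must
 * come up and a 1 MiB echo round-trip is confirmed through the server's byte and
 * request/response metrics; otherwise the client channel must close with
 * {@code AUTHENTICATION_FAILED} and the server must record the failure in its
 * authentication metrics.
 * <p>
 * Debug mode for javax.net.ssl can be enabled via
 * {@code System.setProperty("javax.net.debug", "ssl:handshake");}
 *
 * @param serverProtocols TLS protocol list passed into the server-side trusting config
 * @param clientProtocols TLS protocol list passed into the client-side trusting config
 * @throws Exception on any connection, metric-wait or cleanup failure
 */
@ParameterizedTest(name = "tlsServerProtocol = {0}, tlsClientProtocol = {1}")
@MethodSource("parameters")
public void testTlsDefaults(List<String> serverProtocols, List<String> clientProtocols) throws Exception {
    // Create certificates for use by client and server. Add server cert to client truststore and vice versa.
    CertStores serverCertStores = new CertStores(true, "server", "localhost");
    CertStores clientCertStores = new CertStores(false, "client", "localhost");
    Map<String, Object> sslClientConfigs = getTrustingConfig(clientCertStores, serverCertStores, clientProtocols);
    Map<String, Object> sslServerConfigs = getTrustingConfig(serverCertStores, clientCertStores, serverProtocols);
    NioEchoServer server = NetworkTestUtils.createEchoServer(ListenerName.forSecurityProtocol(SecurityProtocol.SSL), SecurityProtocol.SSL, new TestSecurityConfig(sslServerConfigs), null, TIME);
    Selector selector = null;
    try {
        selector = createClientSelector(sslClientConfigs);
        String node = "0";
        selector.connect(node, new InetSocketAddress("localhost", server.port()), BUFFER_SIZE, BUFFER_SIZE);
        if (isCompatible(serverProtocols, clientProtocols)) {
            NetworkTestUtils.waitForChannelReady(selector, node);
            int msgSz = 1024 * 1024;
            String message = TestUtils.randomString(msgSz);
            // NOTE(review): getBytes() uses the platform charset; the byte counts below only hold
            // if randomString produces single-byte characters — confirm against TestUtils.
            selector.send(new NetworkSend(node, ByteBufferSend.sizePrefixed(ByteBuffer.wrap(message.getBytes()))));
            // NOTE(review): no deadline here; a lost echo response would hang the test rather than fail it.
            while (selector.completedReceives().isEmpty()) {
                selector.poll(100L);
            }
            // including 4-byte size prefix
            int totalBytes = msgSz + 4;
            server.waitForMetric("incoming-byte", totalBytes);
            server.waitForMetric("outgoing-byte", totalBytes);
            server.waitForMetric("request", 1);
            server.waitForMetric("response", 1);
        } else {
            // Incompatible protocol lists: the handshake must fail and be surfaced as an
            // authentication failure, not as a generic disconnect.
            NetworkTestUtils.waitForChannelClose(selector, node, ChannelState.State.AUTHENTICATION_FAILED);
            server.verifyAuthenticationMetrics(0, 1);
        }
    } finally {
        // Both the selector and the echo server are locals, so release them here even when an
        // assertion fails; otherwise a failing parameter set leaks sockets/threads into the next one.
        if (selector != null)
            selector.close();
        server.close();
    }
}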

Example 9 with TestSecurityConfig

use of org.apache.kafka.common.security.TestSecurityConfig in project kafka by apache.

Class AbstractConfigTest, method testValuesWithSecondaryPrefix.

/**
 * Verifies {@code valuesWithPrefixOverride} when the listener prefix is combined with a
 * secondary, mechanism-level prefix ({@code listener.name.listener1.<mechanism>.<key>}).
 * <p>
 * Each lookup is bracketed by {@code unused()} checks: a supplied property is reported as
 * unused until it is resolved through the returned map, after which both its prefixed and
 * its unprefixed spellings are reported as used. SASL JAAS values are compared as
 * {@link Password} instances, i.e. the map hands them back wrapped rather than as raw strings.
 */
@Test
public void testValuesWithSecondaryPrefix() {
    String prefix = "listener.name.listener1.";
    Password saslJaasConfig1 = new Password("test.myLoginModule1 required;");
    Password saslJaasConfig2 = new Password("test.myLoginModule2 required;");
    Password saslJaasConfig3 = new Password("test.myLoginModule3 required;");
    Properties props = new Properties();
    // The same JAAS key at three levels of specificity: listener+mechanism, mechanism only, global.
    props.put("listener.name.listener1.test-mechanism.sasl.jaas.config", saslJaasConfig1.value());
    props.put("test-mechanism.sasl.jaas.config", saslJaasConfig2.value());
    props.put("sasl.jaas.config", saslJaasConfig3.value());
    props.put("listener.name.listener1.gssapi.sasl.kerberos.kinit.cmd", "/usr/bin/kinit2");
    props.put("listener.name.listener1.gssapi.sasl.kerberos.service.name", "testkafka");
    props.put("listener.name.listener1.gssapi.sasl.kerberos.min.time.before.relogin", "60000");
    props.put("ssl.provider", "TEST");
    TestSecurityConfig config = new TestSecurityConfig(props);
    Map<String, Object> valuesWithPrefixOverride = config.valuesWithPrefixOverride(prefix);
    // prefix with mechanism overrides global
    assertTrue(config.unused().contains("listener.name.listener1.test-mechanism.sasl.jaas.config"));
    assertTrue(config.unused().contains("test-mechanism.sasl.jaas.config"));
    // The listener+mechanism value wins and shadows the mechanism-only one; the plain key has no
    // listener-level override in props, so it resolves to the global value.
    assertEquals(saslJaasConfig1, valuesWithPrefixOverride.get("test-mechanism.sasl.jaas.config"));
    assertEquals(saslJaasConfig3, valuesWithPrefixOverride.get("sasl.jaas.config"));
    // Resolving the two keys above marks all three supplied spellings as used.
    assertFalse(config.unused().contains("listener.name.listener1.test-mechanism.sasl.jaas.config"));
    assertFalse(config.unused().contains("test-mechanism.sasl.jaas.config"));
    assertFalse(config.unused().contains("sasl.jaas.config"));
    // prefix with mechanism overrides default
    // kinit.cmd was not supplied unprefixed, so only the explicitly supplied prefixed key shows up as unused.
    assertFalse(config.unused().contains("sasl.kerberos.kinit.cmd"));
    assertTrue(config.unused().contains("listener.name.listener1.gssapi.sasl.kerberos.kinit.cmd"));
    assertFalse(config.unused().contains("gssapi.sasl.kerberos.kinit.cmd"));
    assertFalse(config.unused().contains("sasl.kerberos.kinit.cmd"));
    assertEquals("/usr/bin/kinit2", valuesWithPrefixOverride.get("gssapi.sasl.kerberos.kinit.cmd"));
    // The listener-only spelling (no mechanism segment) was never supplied, so it is not tracked.
    assertFalse(config.unused().contains("listener.name.listener1.sasl.kerberos.kinit.cmd"));
    // prefix override for mechanism with no default
    assertFalse(config.unused().contains("sasl.kerberos.service.name"));
    assertTrue(config.unused().contains("listener.name.listener1.gssapi.sasl.kerberos.service.name"));
    assertFalse(config.unused().contains("gssapi.sasl.kerberos.service.name"));
    assertFalse(config.unused().contains("sasl.kerberos.service.name"));
    assertEquals("testkafka", valuesWithPrefixOverride.get("gssapi.sasl.kerberos.service.name"));
    assertFalse(config.unused().contains("listener.name.listener1.gssapi.sasl.kerberos.service.name"));
    // unset with no default
    // A mechanism-prefixed lookup for a key that was only supplied globally yields null and does
    // not mark the global "ssl.provider" as used.
    assertTrue(config.unused().contains("ssl.provider"));
    assertNull(valuesWithPrefixOverride.get("gssapi.ssl.provider"));
    assertTrue(config.unused().contains("ssl.provider"));
}

Example 10 with TestSecurityConfig

use of org.apache.kafka.common.security.TestSecurityConfig in project kafka by apache.

Class AbstractConfigTest, method testValuesWithPrefixOverride.

/**
 * Verifies the precedence rules of {@code valuesWithPrefixOverride} for a single prefix:
 * a prefixed value beats the global value, which in turn beats the definition default.
 * <p>
 * Each lookup is bracketed by {@code unused()} checks: a supplied property is reported as
 * unused until it is resolved through the returned map, after which both its prefixed and
 * its unprefixed spellings are reported as used. Keys that were never supplied are not
 * tracked at all, whether or not they have a default.
 */
@Test
public void testValuesWithPrefixOverride() {
    String prefix = "prefix.";
    Properties props = new Properties();
    props.put("sasl.mechanism", "PLAIN");
    props.put("prefix.sasl.mechanism", "GSSAPI");
    props.put("prefix.sasl.kerberos.kinit.cmd", "/usr/bin/kinit2");
    props.put("prefix.ssl.truststore.location", "my location");
    props.put("sasl.kerberos.service.name", "service name");
    props.put("ssl.keymanager.algorithm", "algorithm");
    TestSecurityConfig config = new TestSecurityConfig(props);
    Map<String, Object> valuesWithPrefixOverride = config.valuesWithPrefixOverride(prefix);
    // prefix overrides global
    // Both spellings were supplied; the prefixed one wins and resolving it marks both as used.
    assertTrue(config.unused().contains("prefix.sasl.mechanism"));
    assertTrue(config.unused().contains("sasl.mechanism"));
    assertEquals("GSSAPI", valuesWithPrefixOverride.get("sasl.mechanism"));
    assertFalse(config.unused().contains("sasl.mechanism"));
    assertFalse(config.unused().contains("prefix.sasl.mechanism"));
    // prefix overrides default
    // Only the prefixed key was supplied, so only it is tracked as unused beforehand.
    assertTrue(config.unused().contains("prefix.sasl.kerberos.kinit.cmd"));
    assertFalse(config.unused().contains("sasl.kerberos.kinit.cmd"));
    assertEquals("/usr/bin/kinit2", valuesWithPrefixOverride.get("sasl.kerberos.kinit.cmd"));
    assertFalse(config.unused().contains("sasl.kerberos.kinit.cmd"));
    assertFalse(config.unused().contains("prefix.sasl.kerberos.kinit.cmd"));
    // prefix override with no default
    assertTrue(config.unused().contains("prefix.ssl.truststore.location"));
    assertFalse(config.unused().contains("ssl.truststore.location"));
    assertEquals("my location", valuesWithPrefixOverride.get("ssl.truststore.location"));
    assertFalse(config.unused().contains("ssl.truststore.location"));
    assertFalse(config.unused().contains("prefix.ssl.truststore.location"));
    // global overrides default
    assertTrue(config.unused().contains("ssl.keymanager.algorithm"));
    assertEquals("algorithm", valuesWithPrefixOverride.get("ssl.keymanager.algorithm"));
    assertFalse(config.unused().contains("ssl.keymanager.algorithm"));
    // global with no default
    assertTrue(config.unused().contains("sasl.kerberos.service.name"));
    assertEquals("service name", valuesWithPrefixOverride.get("sasl.kerberos.service.name"));
    assertFalse(config.unused().contains("sasl.kerberos.service.name"));
    // unset with default
    // Never supplied: not tracked as unused, and the lookup falls through to the definition default.
    assertFalse(config.unused().contains("sasl.kerberos.min.time.before.relogin"));
    assertEquals(SaslConfigs.DEFAULT_KERBEROS_MIN_TIME_BEFORE_RELOGIN, valuesWithPrefixOverride.get("sasl.kerberos.min.time.before.relogin"));
    assertFalse(config.unused().contains("sasl.kerberos.min.time.before.relogin"));
    // unset with no default
    // Never supplied and no default either: the lookup yields null and nothing is tracked.
    assertFalse(config.unused().contains("ssl.key.password"));
    assertNull(valuesWithPrefixOverride.get("ssl.key.password"));
    assertFalse(config.unused().contains("ssl.key.password"));
}
