Use of org.apache.kafka.common.security.TestSecurityConfig in project apache-kafka-on-k8s by banzaicloud: class SslTransportLayerTest, method testEndpointIdentificationDisabled.
/**
 * Verifies that a client which has disabled endpoint identification accepts a
 * server certificate whose address does not match the address it dialed.
 *
 * The server is bound to the local host's IP address while, per the original
 * description of this test, the server certificate in {@code sslServerConfigs}
 * is not issued for that IP, so a client performing host name verification
 * would reject it. Removing {@code ssl.endpoint.identification.algorithm} from
 * the client configs leaves the client-side default in force; the test relies
 * on that default not verifying the host name — confirm against the Kafka
 * version in use, as the default changed in later releases.
 *
 * Security note: with endpoint identification disabled the TLS layer only
 * checks that the server certificate chains to a trusted CA, not that it
 * names the host being dialed, so any holder of a certificate from a trusted
 * CA can impersonate the broker. This setting belongs in a test like this
 * one, not in production clients.
 *
 * @throws Exception if the server cannot be started or the connection check fails
 */
@Test
public void testEndpointIdentificationDisabled() throws Exception {
    SecurityProtocol protocol = SecurityProtocol.SSL;
    String serverHost = InetAddress.getLocalHost().getHostAddress();
    server = new NioEchoServer(ListenerName.forSecurityProtocol(protocol), protocol,
            new TestSecurityConfig(sslServerConfigs), serverHost, null, null);
    server.start();

    // Drop the endpoint identification setting so the client falls back to its default.
    sslClientConfigs.remove(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG);
    createSelector(sslClientConfigs);

    String nodeId = "0";
    InetSocketAddress serverAddress = new InetSocketAddress(serverHost, server.port());
    selector.connect(nodeId, serverAddress, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(selector, nodeId, 100, 10);
}
Use of org.apache.kafka.common.security.TestSecurityConfig in project apache-kafka-on-k8s by banzaicloud: class SslTransportLayerTest, method testServerKeystoreDynamicUpdate.
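/**
 * Tests dynamic reconfiguration of the server keystore on an SSL listener.
 *
 * Sequence verified:
 * <ol>
 *   <li>a client trusting the original server certificate connects and echoes data;</li>
 *   <li>the server keystore is replaced through {@link ListenerReconfigurable} with a new
 *       certificate for the same host name ("localhost");</li>
 *   <li>a new connection from the client that still trusts only the old certificate is
 *       closed with {@code AUTHENTICATION_FAILED};</li>
 *   <li>a client trusting the new certificate connects, and the connection opened in
 *       step 1 keeps working on the old keystore;</li>
 *   <li>a keystore whose SubjectAltName differs from the running one ("127.0.0.1"
 *       instead of "localhost") is rejected by both validateReconfiguration and
 *       reconfigure, and the server keeps serving with the last good keystore.</li>
 * </ol>
 *
 * Two operational points this test pins down: rejecting a keystore with a different
 * SubjectAltName means the listener cannot be hot-swapped onto a certificate issued
 * for another identity without a restart, and connections established before the
 * swap keep running on the old key — rotating a compromised server key therefore does
 * not by itself cut existing sessions.
 *
 * @throws Exception if the server cannot be started or any connection check fails
 */
@Test
public void testServerKeystoreDynamicUpdate() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SSL;
    TestSecurityConfig config = new TestSecurityConfig(sslServerConfigs);
    ListenerName listenerName = ListenerName.forSecurityProtocol(securityProtocol);
    ChannelBuilder serverChannelBuilder = ChannelBuilders.serverChannelBuilder(listenerName, false, securityProtocol, config, null, null);
    server = new NioEchoServer(listenerName, securityProtocol, config, "localhost", serverChannelBuilder, null);
    server.start();
    InetSocketAddress addr = new InetSocketAddress("localhost", server.port());

    // Client with the original truststore can authenticate, send and receive.
    // Check on the selector that made the connection rather than the shared `selector`
    // field, which is not the object this connection was opened on and is reassigned
    // when the second client is created below.
    String oldNode = "0";
    Selector oldClientSelector = createSelector(sslClientConfigs);
    oldClientSelector.connect(oldNode, addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(oldClientSelector, oldNode, 100, 10);

    // Replace the server keystore with a fresh certificate issued for the same host name.
    CertStores newServerCertStores = new CertStores(true, "server", "localhost");
    sslServerConfigs = newServerCertStores.getTrustingConfig(clientCertStores);
    assertTrue("SslChannelBuilder not reconfigurable", serverChannelBuilder instanceof ListenerReconfigurable);
    ListenerReconfigurable reconfigurableBuilder = (ListenerReconfigurable) serverChannelBuilder;
    assertEquals(listenerName, reconfigurableBuilder.listenerName());
    reconfigurableBuilder.validateReconfiguration(sslServerConfigs);
    reconfigurableBuilder.reconfigure(sslServerConfigs);

    // A new connection from a client that trusts only the old certificate must fail authentication.
    oldClientSelector.connect("1", addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.waitForChannelClose(oldClientSelector, "1", ChannelState.State.AUTHENTICATION_FAILED);

    // A client trusting the new certificate can authenticate, send and receive.
    sslClientConfigs = clientCertStores.getTrustingConfig(newServerCertStores);
    Selector newClientSelector = createSelector(sslClientConfigs);
    newClientSelector.connect("2", addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(newClientSelector, "2", 100, 10);

    // The connection established before the reconfiguration keeps working.
    NetworkTestUtils.checkClientConnection(oldClientSelector, oldNode, 100, 10);

    // A keystore for a different SubjectAltName must be refused at validation and at reconfigure time.
    CertStores invalidCertStores = new CertStores(true, "server", "127.0.0.1");
    Map<String, Object> invalidConfigs = invalidCertStores.getTrustingConfig(clientCertStores);
    assertKeystoreReconfigureRejected(reconfigurableBuilder, invalidConfigs, "different SubjectAltName");

    // After the rejected update, new connections still work against the previously configured keystore.
    newClientSelector.connect("3", addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(newClientSelector, "3", 100, 10);
}

/**
 * Asserts that both {@code validateReconfiguration} and {@code reconfigure} refuse the
 * given configs with a {@link KafkaException}; any other outcome fails the test.
 *
 * @param builder the reconfigurable server channel builder under test
 * @param configs the keystore configs expected to be rejected
 * @param reason  short description of why rejection is expected, used in failure messages
 */
private static void assertKeystoreReconfigureRejected(ListenerReconfigurable builder,
                                                      Map<String, Object> configs,
                                                      String reason) {
    try {
        builder.validateReconfiguration(configs);
        fail("Should have failed validation with an exception with " + reason);
    } catch (KafkaException e) {
        // expected: validation must refuse configs that change the listener's identity
    }
    try {
        builder.reconfigure(configs);
        fail("Should have failed to reconfigure with " + reason);
    } catch (KafkaException e) {
        // expected: reconfigure must refuse the same configs, not only validation
    }
}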
Use of org.apache.kafka.common.security.TestSecurityConfig in project kafka by apache: class SslTransportLayerTest, method testServerKeystoreDynamicUpdate.
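/**
 * Tests dynamic reconfiguration of the server keystore on an SSL listener, with the
 * key and trust material supplied either as files or inline PEM according to
 * {@code args.useInlinePem}.
 *
 * Sequence verified:
 * <ol>
 *   <li>a client trusting the original server certificate connects and echoes data;</li>
 *   <li>the server keystore is replaced through {@link ListenerReconfigurable} with a new
 *       certificate for the same host name ("localhost");</li>
 *   <li>a new connection from the client that still trusts only the old certificate is
 *       closed with {@code AUTHENTICATION_FAILED};</li>
 *   <li>a client trusting the new certificate connects, and the connection opened in
 *       step 1 keeps working on the old keystore;</li>
 *   <li>a keystore whose SubjectAltName differs from the running one ("127.0.0.1"
 *       instead of "localhost") and a keystore at a non-existent path are both rejected,
 *       and the server keeps serving with the last good keystore.</li>
 * </ol>
 *
 * Two operational points this test pins down: rejecting a keystore with a different
 * SubjectAltName means the listener cannot be hot-swapped onto a certificate issued
 * for another identity without a restart, and connections established before the
 * swap keep running on the old key — rotating a compromised server key therefore does
 * not by itself cut existing sessions.
 *
 * @param args per-run SSL configuration (server/client cert stores and config maps)
 * @throws Exception if the server cannot be started or any connection check fails
 */
@ParameterizedTest
@ArgumentsSource(SslTransportLayerArgumentsProvider.class)
public void testServerKeystoreDynamicUpdate(Args args) throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SSL;
    TestSecurityConfig config = new TestSecurityConfig(args.sslServerConfigs);
    ListenerName listenerName = ListenerName.forSecurityProtocol(securityProtocol);
    ChannelBuilder serverChannelBuilder = ChannelBuilders.serverChannelBuilder(listenerName, false, securityProtocol, config, null, null, time, new LogContext(), defaultApiVersionsSupplier());
    server = new NioEchoServer(listenerName, securityProtocol, config, "localhost", serverChannelBuilder, null, time);
    server.start();
    InetSocketAddress addr = new InetSocketAddress("localhost", server.port());

    // Client with the original truststore can authenticate, send and receive.
    // Check on the selector that made the connection rather than the shared `selector`
    // field, which is not the object this connection was opened on and is reassigned
    // when the second client is created below.
    String oldNode = "0";
    Selector oldClientSelector = createSelector(args.sslClientConfigs);
    oldClientSelector.connect(oldNode, addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(oldClientSelector, oldNode, 100, 10);

    // Replace only the keystore with a fresh certificate issued for the same host name.
    CertStores newServerCertStores = certBuilder(true, "server", args.useInlinePem).addHostName("localhost").build();
    Map<String, Object> newKeystoreConfigs = newServerCertStores.keyStoreProps();
    assertTrue(serverChannelBuilder instanceof ListenerReconfigurable, "SslChannelBuilder not reconfigurable");
    ListenerReconfigurable reconfigurableBuilder = (ListenerReconfigurable) serverChannelBuilder;
    assertEquals(listenerName, reconfigurableBuilder.listenerName());
    reconfigurableBuilder.validateReconfiguration(newKeystoreConfigs);
    reconfigurableBuilder.reconfigure(newKeystoreConfigs);

    // A new connection from a client that trusts only the old certificate must fail authentication.
    oldClientSelector.connect("1", addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.waitForChannelClose(oldClientSelector, "1", ChannelState.State.AUTHENTICATION_FAILED);

    // A client trusting the new certificate can authenticate, send and receive.
    args.sslClientConfigs = args.getTrustingConfig(args.clientCertStores, newServerCertStores);
    Selector newClientSelector = createSelector(args.sslClientConfigs);
    newClientSelector.connect("2", addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(newClientSelector, "2", 100, 10);

    // The connection established before the reconfiguration keeps working.
    NetworkTestUtils.checkClientConnection(oldClientSelector, oldNode, 100, 10);

    // A keystore for a different SubjectAltName must be refused.
    CertStores invalidCertStores = certBuilder(true, "server", args.useInlinePem).addHostName("127.0.0.1").build();
    Map<String, Object> invalidConfigs = args.getTrustingConfig(invalidCertStores, args.clientCertStores);
    verifyInvalidReconfigure(reconfigurableBuilder, invalidConfigs, "keystore with different SubjectAltName");

    // A keystore that cannot be loaded (non-existent path) must be refused as well.
    Map<String, Object> missingStoreConfigs = new HashMap<>();
    missingStoreConfigs.put(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, "PKCS12");
    missingStoreConfigs.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, "some.keystore.path");
    missingStoreConfigs.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, new Password("some.keystore.password"));
    missingStoreConfigs.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, new Password("some.key.password"));
    verifyInvalidReconfigure(reconfigurableBuilder, missingStoreConfigs, "keystore not found");

    // After the rejected updates, new connections still work against the previously configured keystore.
    newClientSelector.connect("3", addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(newClientSelector, "3", 100, 10);
}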
Use of org.apache.kafka.common.security.TestSecurityConfig in project kafka by apache: class SslTransportLayerTest, method testServerTruststoreDynamicUpdate.
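/**
 * Tests dynamic reconfiguration of the server truststore on an SSL listener that
 * requires client authentication ({@code ssl.client.auth=required}).
 *
 * Sequence verified:
 * <ol>
 *   <li>a client whose certificate is in the original server truststore connects and
 *       echoes data;</li>
 *   <li>the server truststore is replaced through {@link ListenerReconfigurable} with one
 *       that trusts only a newly generated client certificate;</li>
 *   <li>a new connection from the client still presenting the old client certificate is
 *       closed with {@code AUTHENTICATION_FAILED};</li>
 *   <li>a client presenting the new certificate connects, and the connection opened in
 *       step 1 keeps working;</li>
 *   <li>a truststore with an invalid store type and a truststore at a non-existent path
 *       are both rejected, and the server keeps serving with the last good stores.</li>
 * </ol>
 *
 * Operational point this test pins down: swapping the truststore revokes trust for
 * the old client certificate on new connections only — the session established before
 * the swap keeps running. Removing a compromised client CA from the truststore does
 * not by itself disconnect clients that already authenticated with it.
 *
 * @param args per-run SSL configuration (server/client cert stores and config maps)
 * @throws Exception if the server cannot be started or any connection check fails
 */
@ParameterizedTest
@ArgumentsSource(SslTransportLayerArgumentsProvider.class)
public void testServerTruststoreDynamicUpdate(Args args) throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SSL;
    // Mutual TLS: the server truststore decides which client certificates are accepted.
    args.sslServerConfigs.put(BrokerSecurityConfigs.SSL_CLIENT_AUTH_CONFIG, "required");
    TestSecurityConfig config = new TestSecurityConfig(args.sslServerConfigs);
    ListenerName listenerName = ListenerName.forSecurityProtocol(securityProtocol);
    ChannelBuilder serverChannelBuilder = ChannelBuilders.serverChannelBuilder(listenerName, false, securityProtocol, config, null, null, time, new LogContext(), defaultApiVersionsSupplier());
    server = new NioEchoServer(listenerName, securityProtocol, config, "localhost", serverChannelBuilder, null, time);
    server.start();
    InetSocketAddress addr = new InetSocketAddress("localhost", server.port());

    // Client with the original (trusted) keystore can authenticate, send and receive.
    // Check on the selector that made the connection rather than the shared `selector`
    // field, which is not the object this connection was opened on and is reassigned
    // when the second client is created below.
    String oldNode = "0";
    Selector oldClientSelector = createSelector(args.sslClientConfigs);
    oldClientSelector.connect(oldNode, addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(oldClientSelector, oldNode, 100, 10);

    // Generate a new client identity; the server will be switched to trust only this one.
    CertStores newClientCertStores = certBuilder(true, "client", args.useInlinePem).addHostName("localhost").build();
    args.sslClientConfigs = args.getTrustingConfig(newClientCertStores, args.serverCertStores);
    Map<String, Object> newTruststoreConfigs = newClientCertStores.trustStoreProps();
    assertTrue(serverChannelBuilder instanceof ListenerReconfigurable, "SslChannelBuilder not reconfigurable");
    ListenerReconfigurable reconfigurableBuilder = (ListenerReconfigurable) serverChannelBuilder;
    assertEquals(listenerName, reconfigurableBuilder.listenerName());
    reconfigurableBuilder.validateReconfiguration(newTruststoreConfigs);
    reconfigurableBuilder.reconfigure(newTruststoreConfigs);

    // A new connection from the client still presenting the old certificate must fail
    // authentication, since the server no longer trusts it.
    oldClientSelector.connect("1", addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.waitForChannelClose(oldClientSelector, "1", ChannelState.State.AUTHENTICATION_FAILED);

    // A client presenting the new certificate can authenticate, send and receive.
    Selector newClientSelector = createSelector(args.sslClientConfigs);
    newClientSelector.connect("2", addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(newClientSelector, "2", 100, 10);

    // The connection established before the reconfiguration keeps working.
    NetworkTestUtils.checkClientConnection(oldClientSelector, oldNode, 100, 10);

    // A truststore with an unknown store type must be refused.
    Map<String, Object> invalidConfigs = new HashMap<>(newTruststoreConfigs);
    invalidConfigs.put(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, "INVALID_TYPE");
    verifyInvalidReconfigure(reconfigurableBuilder, invalidConfigs, "invalid truststore type");

    // A truststore that cannot be loaded (non-existent path) must be refused as well.
    Map<String, Object> missingStoreConfigs = new HashMap<>();
    missingStoreConfigs.put(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, "PKCS12");
    missingStoreConfigs.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, "some.truststore.path");
    missingStoreConfigs.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, new Password("some.truststore.password"));
    verifyInvalidReconfigure(reconfigurableBuilder, missingStoreConfigs, "truststore not found");

    // After the rejected updates, new connections still work against the previously configured truststore.
    newClientSelector.connect("3", addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(newClientSelector, "3", 100, 10);
}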
Use of org.apache.kafka.common.security.TestSecurityConfig in project kafka by apache: class SslTransportLayerTest, method testInterBrokerSslConfigValidation.
/**
 * Verifies that a listener built with the second argument of
 * {@code serverChannelBuilder} set to {@code true} (presumably the inter-broker
 * flag — confirm against the builder's signature) starts and accepts a
 * connection when the configs require mutual authentication and HTTPS host
 * name verification, and the server's keystore and truststore are consistent
 * with each other.
 *
 * The client side is deliberately configured with the server's own key and
 * trust stores: it connects as the broker itself would when talking to a peer
 * listener, so the test exercises the broker certificate being accepted by the
 * broker's own truststore under host name verification for "localhost".
 *
 * @param args per-run SSL configuration (server/client cert stores and config maps)
 * @throws Exception if the server cannot be started or the connection check fails
 */
@ParameterizedTest
@ArgumentsSource(SslTransportLayerArgumentsProvider.class)
public void testInterBrokerSslConfigValidation(Args args) throws Exception {
    SecurityProtocol protocol = SecurityProtocol.SSL;

    // Strictest listener settings: mutual TLS plus HTTPS-style host name verification.
    args.sslServerConfigs.put(BrokerSecurityConfigs.SSL_CLIENT_AUTH_CONFIG, "required");
    args.sslServerConfigs.put(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, "HTTPS");

    // Both sides use the server's key and trust material.
    Map<String, Object> serverKeyStore = args.serverCertStores.keyStoreProps();
    Map<String, Object> serverTrustStore = args.serverCertStores.trustStoreProps();
    args.sslServerConfigs.putAll(serverKeyStore);
    args.sslServerConfigs.putAll(serverTrustStore);
    args.sslClientConfigs.putAll(serverKeyStore);
    args.sslClientConfigs.putAll(serverTrustStore);

    TestSecurityConfig config = new TestSecurityConfig(args.sslServerConfigs);
    ListenerName listener = ListenerName.forSecurityProtocol(protocol);
    ChannelBuilder serverChannelBuilder = ChannelBuilders.serverChannelBuilder(listener, true, protocol, config,
            null, null, time, new LogContext(), defaultApiVersionsSupplier());
    server = new NioEchoServer(listener, protocol, config, "localhost", serverChannelBuilder, null, time);
    server.start();

    this.selector = createSelector(args.sslClientConfigs, null, null, null);
    String nodeId = "0";
    InetSocketAddress serverAddress = new InetSocketAddress("localhost", server.port());
    selector.connect(nodeId, serverAddress, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(selector, nodeId, 100, 10);
}