Example 56 with SecurityProtocol
use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.
the class SaslAuthenticatorTest method testDisallowedKafkaRequestsBeforeAuthentication.
/**
* Tests that Kafka requests that are forbidden until successful authentication result
* in authentication failure and do not cause any failures in the server.
*/
@Test
public void testDisallowedKafkaRequestsBeforeAuthentication() throws Exception {
SecurityProtocol securityProtocol = SecurityProtocol.SASL_PLAINTEXT;
configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
server = createEchoServer(securityProtocol);
// Send metadata request before Kafka SASL handshake request
String node1 = "invalid1";
createClientConnection(SecurityProtocol.PLAINTEXT, node1);
MetadataRequest metadataRequest1 = new MetadataRequest.Builder(Collections.singletonList("sometopic"), true).build();
RequestHeader metadataRequestHeader1 = new RequestHeader(ApiKeys.METADATA, metadataRequest1.version(), "someclient", 1);
selector.send(metadataRequest1.toSend(node1, metadataRequestHeader1));
NetworkTestUtils.waitForChannelClose(selector, node1, ChannelState.READY.state());
selector.close();
// Test good connection still works
createAndCheckClientConnection(securityProtocol, "good1");
// Send metadata request after Kafka SASL handshake request
String node2 = "invalid2";
createClientConnection(SecurityProtocol.PLAINTEXT, node2);
sendHandshakeRequestReceiveResponse(node2, (short) 1);
MetadataRequest metadataRequest2 = new MetadataRequest.Builder(Collections.singletonList("sometopic"), true).build();
RequestHeader metadataRequestHeader2 = new RequestHeader(ApiKeys.METADATA, metadataRequest2.version(), "someclient", 2);
selector.send(metadataRequest2.toSend(node2, metadataRequestHeader2));
NetworkTestUtils.waitForChannelClose(selector, node2, ChannelState.READY.state());
selector.close();
// Test good connection still works
createAndCheckClientConnection(securityProtocol, "good2");
}
Also used :
MetadataRequest(org.apache.kafka.common.requests.MetadataRequest)
SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol)
RequestHeader(org.apache.kafka.common.requests.RequestHeader)
Test(org.junit.Test)
Example 57 with SecurityProtocol
use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.
the class SaslAuthenticatorTest method testMechanismPluggability.
/**
* Tests that mechanisms that are not supported in Kafka can be plugged in without modifying
* Kafka code if Sasl client and server providers are available.
*/
@Test
public void testMechanismPluggability() throws Exception {
String node = "0";
SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
configureMechanisms("DIGEST-MD5", Arrays.asList("DIGEST-MD5"));
server = createEchoServer(securityProtocol);
createAndCheckClientConnection(securityProtocol, node);
}
Also used :
SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol)
Test(org.junit.Test)
Example 58 with SecurityProtocol
use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.
the class SaslAuthenticatorTest method testInvalidPasswordSaslPlain.
/**
* Tests that SASL/PLAIN clients with invalid password fail authentication.
*/
@Test
public void testInvalidPasswordSaslPlain() throws Exception {
String node = "0";
SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
TestJaasConfig jaasConfig = configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
jaasConfig.setClientOptions("PLAIN", TestJaasConfig.USERNAME, "invalidpassword");
server = createEchoServer(securityProtocol);
createAndCheckClientAuthenticationFailure(securityProtocol, node, "PLAIN", "Authentication failed: Invalid username or password");
server.verifyAuthenticationMetrics(0, 1);
}
Also used :
SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol)
Test(org.junit.Test)
Example 59 with SecurityProtocol
use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.
the class SaslAuthenticatorTest method testSaslHandshakeRequestWithUnsupportedVersion.
/**
* Tests that unsupported version of SASL handshake request returns error
* response and fails authentication. This test is similar to
* {@link #testUnauthenticatedApiVersionsRequest(SecurityProtocol, short)}
* where a non-SASL client is used to send requests that are processed by
* {@link SaslServerAuthenticator} of the server prior to client authentication.
*/
@Test
public void testSaslHandshakeRequestWithUnsupportedVersion() throws Exception {
SecurityProtocol securityProtocol = SecurityProtocol.SASL_PLAINTEXT;
configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
server = createEchoServer(securityProtocol);
// Send SaslHandshakeRequest and validate that connection is closed by server.
String node1 = "invalid1";
createClientConnection(SecurityProtocol.PLAINTEXT, node1);
SaslHandshakeRequest request = new SaslHandshakeRequest("PLAIN");
RequestHeader header = new RequestHeader(ApiKeys.SASL_HANDSHAKE, Short.MAX_VALUE, "someclient", 2);
selector.send(request.toSend(node1, header));
// This test uses a non-SASL PLAINTEXT client in order to do manual handshake.
// So the channel is in READY state.
NetworkTestUtils.waitForChannelClose(selector, node1, ChannelState.READY.state());
selector.close();
// Test good connection still works
createAndCheckClientConnection(securityProtocol, "good1");
}
Also used :
SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol)
RequestHeader(org.apache.kafka.common.requests.RequestHeader)
SaslHandshakeRequest(org.apache.kafka.common.requests.SaslHandshakeRequest)
Test(org.junit.Test)
Example 60 with SecurityProtocol
use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.
the class SaslAuthenticatorTest method testValidSaslScramSha256.
/**
* Tests good path SASL/SCRAM-SHA-256 client and server channels.
*/
@Test
public void testValidSaslScramSha256() throws Exception {
SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
configureMechanisms("SCRAM-SHA-256", Arrays.asList("SCRAM-SHA-256"));
server = createEchoServer(securityProtocol);
updateScramCredentialCache(TestJaasConfig.USERNAME, TestJaasConfig.PASSWORD);
createAndCheckClientConnection(securityProtocol, "0");
server.verifyAuthenticationMetrics(1, 0);
}
Also used :
SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol)
Test(org.junit.Test)
Aggregations
SecurityProtocol (org.apache.kafka.common.security.auth.SecurityProtocol)106
Test (org.junit.jupiter.api.Test)50
Test (org.junit.Test)29
HashMap (java.util.HashMap)22
InetSocketAddress (java.net.InetSocketAddress)14
NetworkSend (org.apache.kafka.common.network.NetworkSend)11
RequestHeader (org.apache.kafka.common.requests.RequestHeader)11
IOException (java.io.IOException)10
PlainLoginModule (org.apache.kafka.common.security.plain.PlainLoginModule)10
TestSecurityConfig (org.apache.kafka.common.security.TestSecurityConfig)9
ScramLoginModule (org.apache.kafka.common.security.scram.ScramLoginModule)9
File (java.io.File)8
ByteBuffer (java.nio.ByteBuffer)8
Properties (java.util.Properties)8
ApiVersionsRequest (org.apache.kafka.common.requests.ApiVersionsRequest)7
ApiVersionsResponse (org.apache.kafka.common.requests.ApiVersionsResponse)7
LogContext (org.apache.kafka.common.utils.LogContext)6
Random (java.util.Random)5
Password (org.apache.kafka.common.config.types.Password)5
ListenerName (org.apache.kafka.common.network.ListenerName)5
