Examples with SecurityProtocol org.apache.kafka.common.security.auth.SecurityProtocol used on opensource projects

Example 76 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testSaslHandshakeRequestWithUnsupportedVersion.

/**
 * Tests that unsupported version of SASL handshake request returns error
 * response and fails authentication. This test is similar to
 * {@link #testUnauthenticatedApiVersionsRequest(SecurityProtocol, short)}
 * where a non-SASL client is used to send requests that are processed by
 * {@link SaslServerAuthenticator} of the server prior to client authentication.
 */
@Test
public void testSaslHandshakeRequestWithUnsupportedVersion() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_PLAINTEXT;
    configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    server = createEchoServer(securityProtocol);
    // Send SaslHandshakeRequest and validate that connection is closed by server.
    String node1 = "invalid1";
    createClientConnection(SecurityProtocol.PLAINTEXT, node1);
    SaslHandshakeRequest request = buildSaslHandshakeRequest("PLAIN", ApiKeys.SASL_HANDSHAKE.latestVersion());
    RequestHeader header = new RequestHeader(ApiKeys.SASL_HANDSHAKE, Short.MAX_VALUE, "someclient", 2);
    selector.send(new NetworkSend(node1, request.toSend(header)));
    // This test uses a non-SASL PLAINTEXT client in order to do manual handshake.
    // So the channel is in READY state.
    NetworkTestUtils.waitForChannelClose(selector, node1, ChannelState.READY.state());
    selector.close();
    // Test good connection still works
    createAndCheckClientConnection(securityProtocol, "good1");
}

Example 77 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testTokenReauthenticationOverSaslScram.

@Test
public void testTokenReauthenticationOverSaslScram() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
    TestJaasConfig jaasConfig = configureMechanisms("SCRAM-SHA-256", Arrays.asList("SCRAM-SHA-256"));
    // create jaas config for token auth
    Map<String, Object> options = new HashMap<>();
    String tokenId = "token1";
    String tokenHmac = "abcdefghijkl";
    // tokenId
    options.put("username", tokenId);
    // token hmac
    options.put("password", tokenHmac);
    // enable token authentication
    options.put(ScramLoginModule.TOKEN_AUTH_CONFIG, "true");
    jaasConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_CLIENT, ScramLoginModule.class.getName(), options);
    // ensure re-authentication based on token expiry rather than a default value
    saslServerConfigs.put(BrokerSecurityConfigs.CONNECTIONS_MAX_REAUTH_MS, Long.MAX_VALUE);
    /*
         * create a token cache that adjusts the token expiration dynamically so that
         * the first time the expiry is read during authentication we use it to define a
         * session expiration time that we can then sleep through; then the second time
         * the value is read (during re-authentication) it will be in the future.
         */
    Function<Integer, Long> tokenLifetime = callNum -> 10 * callNum * CONNECTIONS_MAX_REAUTH_MS_VALUE;
    DelegationTokenCache tokenCache = new DelegationTokenCache(ScramMechanism.mechanismNames()) {

        int callNum = 0;

        @Override
        public TokenInformation token(String tokenId) {
            TokenInformation baseTokenInfo = super.token(tokenId);
            long thisLifetimeMs = System.currentTimeMillis() + tokenLifetime.apply(++callNum).longValue();
            TokenInformation retvalTokenInfo = new TokenInformation(baseTokenInfo.tokenId(), baseTokenInfo.owner(), baseTokenInfo.renewers(), baseTokenInfo.issueTimestamp(), thisLifetimeMs, thisLifetimeMs);
            return retvalTokenInfo;
        }
    };
    server = createEchoServer(ListenerName.forSecurityProtocol(securityProtocol), securityProtocol, tokenCache);
    KafkaPrincipal owner = SecurityUtils.parseKafkaPrincipal("User:Owner");
    KafkaPrincipal renewer = SecurityUtils.parseKafkaPrincipal("User:Renewer1");
    TokenInformation tokenInfo = new TokenInformation(tokenId, owner, Collections.singleton(renewer), System.currentTimeMillis(), System.currentTimeMillis(), System.currentTimeMillis());
    server.tokenCache().addToken(tokenId, tokenInfo);
    updateTokenCredentialCache(tokenId, tokenHmac);
    // initial authentication must succeed
    createClientConnection(securityProtocol, "0");
    checkClientConnection("0");
    // ensure metrics are as expected before trying to re-authenticate
    server.verifyAuthenticationMetrics(1, 0);
    server.verifyReauthenticationMetrics(0, 0);
    /*
         * Now re-authenticate and ensure it succeeds. We have to sleep long enough so
         * that the current delegation token will be expired when the next write occurs;
         * this will trigger a re-authentication. Then the second time the delegation
         * token is read and transmitted to the server it will again have an expiration
         * date in the future.
         */
    delay(tokenLifetime.apply(1));
    checkClientConnection("0");
    server.verifyReauthenticationMetrics(1, 0);
}

Example 78 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testInvalidPasswordSaslScram.

/**
 * Tests that SASL/SCRAM clients fail authentication if password is invalid.
 */
@Test
public void testInvalidPasswordSaslScram() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
    TestJaasConfig jaasConfig = configureMechanisms("SCRAM-SHA-256", Arrays.asList("SCRAM-SHA-256"));
    Map<String, Object> options = new HashMap<>();
    options.put("username", TestJaasConfig.USERNAME);
    options.put("password", "invalidpassword");
    jaasConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_CLIENT, ScramLoginModule.class.getName(), options);
    String node = "0";
    server = createEchoServer(securityProtocol);
    updateScramCredentialCache(TestJaasConfig.USERNAME, TestJaasConfig.PASSWORD);
    createAndCheckClientAuthenticationFailure(securityProtocol, node, "SCRAM-SHA-256", null);
    server.verifyAuthenticationMetrics(0, 1);
    server.verifyReauthenticationMetrics(0, 0);
}

Example 79 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testValidSaslOauthBearerMechanismWithoutServerTokens.

/**
 * Tests OAUTHBEARER client channels without tokens for the server.
 */
@Test
public void testValidSaslOauthBearerMechanismWithoutServerTokens() throws Exception {
    String node = "0";
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "OAUTHBEARER");
    saslServerConfigs.put(BrokerSecurityConfigs.SASL_ENABLED_MECHANISMS_CONFIG, Arrays.asList("OAUTHBEARER"));
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("OAUTHBEARER", Collections.singletonMap("unsecuredLoginStringClaim_sub", TestJaasConfig.USERNAME)));
    saslServerConfigs.put("listener.name.sasl_ssl.oauthbearer." + SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("OAUTHBEARER", Collections.emptyMap()));
    // Server without a token should start up successfully and authenticate clients.
    server = createEchoServer(securityProtocol);
    createAndCheckClientConnection(securityProtocol, node);
    // Client without a token should fail to connect
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("OAUTHBEARER", Collections.emptyMap()));
    createAndCheckClientConnectionFailure(securityProtocol, node);
    // Server with extensions, but without a token should fail to start up since it could indicate a configuration error
    saslServerConfigs.put("listener.name.sasl_ssl.oauthbearer." + SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("OAUTHBEARER", Collections.singletonMap("unsecuredLoginExtension_test", "something")));
    try {
        createEchoServer(securityProtocol);
        fail("Server created with invalid login config containing extensions without a token");
    } catch (Throwable e) {
        assertTrue(e.getCause() instanceof LoginException, "Unexpected exception " + Utils.stackTrace(e));
    }
}

Example 80 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testValidSaslPlainOverSsl.

/**
 * Tests good path SASL/PLAIN client and server channels using SSL transport layer.
 * Also tests successful re-authentication.
 */
@Test
public void testValidSaslPlainOverSsl() throws Exception {
    String node = "0";
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
    configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    server = createEchoServer(securityProtocol);
    checkAuthenticationAndReauthentication(securityProtocol, node);
}