
Example 81 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testScramUsernameWithSpecialCharacters.

/**
 * Tests SASL/SCRAM with username containing characters that need
 * to be encoded.
 */
@Test
public void testScramUsernameWithSpecialCharacters() throws Exception {
    // The username deliberately contains a space, '=' and ','. In SCRAM messages ',' separates
    // attributes and '=' separates an attribute name from its value, so a username carrying
    // these characters has to be escaped before it is sent. A successful login below shows
    // the name survives the round trip instead of being cut short or read as extra attributes.
    final String user = "special user= test,scram";
    final String secret = user + "-password";
    final SecurityProtocol protocol = SecurityProtocol.SASL_SSL;

    // SCRAM-SHA-256 is passed both as the single mechanism and as the only list entry
    // (presumably client mechanism and server-enabled list; confirm against configureMechanisms).
    TestJaasConfig jaas = configureMechanisms("SCRAM-SHA-256", Arrays.asList("SCRAM-SHA-256"));

    // Point the client login context at ScramLoginModule with the special-character credentials.
    Map<String, Object> loginOptions = new HashMap<>();
    loginOptions.put("username", user);
    loginOptions.put("password", secret);
    jaas.createOrUpdateEntry(
            TestJaasConfig.LOGIN_CONTEXT_CLIENT, ScramLoginModule.class.getName(), loginOptions);

    server = createEchoServer(protocol);
    // Same username/password handed to the credential cache helper, so the expected outcome
    // is a successful authentication rather than a rejection.
    updateScramCredentialCache(user, secret);
    createAndCheckClientConnection(protocol, "0");
}
Also used : HashMap(java.util.HashMap) ScramLoginModule(org.apache.kafka.common.security.scram.ScramLoginModule) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) Test(org.junit.jupiter.api.Test)

Example 82 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testMissingPasswordSaslPlain.

/**
 * Tests that SASL/PLAIN clients with missing password in JAAS configuration fail authentication.
 */
@Test
public void testMissingPasswordSaslPlain() throws Exception {
    // PLAIN is configured, but the client options carry a username and a null password.
    TestJaasConfig jaas = configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    jaas.setClientOptions("PLAIN", "myuser", null);

    final SecurityProtocol protocol = SecurityProtocol.SASL_SSL;
    server = createEchoServer(protocol);
    createSelector(protocol, saslClientConfigs);

    final String nodeId = "0";
    InetSocketAddress serverAddress = new InetSocketAddress("localhost", server.port());
    try {
        selector.connect(nodeId, serverAddress, BUFFER_SIZE, BUFFER_SIZE);
        // Reaching this line means a channel was set up with no password at all.
        fail("SASL/PLAIN channel created without password");
    } catch (IOException expected) {
        // Expected: connect() must not hand back a usable channel for this configuration.
        // NOTE(review): any IOException satisfies this catch, including a connection problem
        // unrelated to the missing password. Checking the exception's cause or message would
        // tie the pass condition to the credential check itself.
    }
}
Also used : InetSocketAddress(java.net.InetSocketAddress) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) IOException(java.io.IOException) Test(org.junit.jupiter.api.Test)

Example 83 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testDisabledMechanism.

/**
 * Tests that mechanisms with default implementation in Kafka may be disabled in
 * the Kafka server by removing from the enabled mechanism list.
 */
@Test
public void testDisabledMechanism() throws Exception {
    final SecurityProtocol protocol = SecurityProtocol.SASL_SSL;
    final String nodeId = "0";

    // "PLAIN" is requested while the list holds only "DIGEST-MD5", i.e. PLAIN has been left
    // out of the enabled list (presumably the first argument is the client mechanism and the
    // list is what the server enables; confirm against configureMechanisms).
    configureMechanisms("PLAIN", Arrays.asList("DIGEST-MD5"));
    server = createEchoServer(protocol);

    // The connection attempt is expected to be refused.
    createAndCheckClientConnectionFailure(protocol, nodeId);

    // Presumably (successful, failed) counts: one failed authentication, none successful,
    // and no re-authentication attempts of either kind.
    server.verifyAuthenticationMetrics(0, 1);
    server.verifyReauthenticationMetrics(0, 0);
}
Also used : SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) Test(org.junit.jupiter.api.Test)

Example 84 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testCannotReauthenticateWithDifferentPrincipal.

/**
 * Re-authentication must fail if principal changes
 */
@Test
public void testCannotReauthenticateWithDifferentPrincipal() throws Exception {
    final SecurityProtocol protocol = SecurityProtocol.SASL_SSL;
    final String nodeId = "0";
    final String mechanism = OAuthBearerLoginModule.OAUTHBEARER_MECHANISM;

    // AlternateLoginCallbackHandler is installed as the client login callback handler;
    // presumably it is what makes the refreshed token carry a different principal
    // (its implementation is not shown here).
    saslClientConfigs.put(SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS,
            AlternateLoginCallbackHandler.class.getName());
    configureMechanisms(mechanism, Arrays.asList(mechanism));
    server = createEchoServer(protocol);

    // The first authentication has to succeed so that the later failure can only be
    // attributed to the re-authentication step.
    createClientConnection(protocol, nodeId);
    checkClientConnection(nodeId);

    // Baseline before re-authenticating: one successful authentication, no re-authentications.
    server.verifyAuthenticationMetrics(1, 0);
    server.verifyReauthenticationMetrics(0, 0);

    // Wait for the background refresh thread to swap the original token for a new one, then
    // use the connection again. The server must reject the identity change: an established
    // session is expected to stay bound to the principal it first authenticated as.
    // NOTE(review): the fixed one-second sleep assumes the refresh has happened by then.
    delay(1000L);
    assertThrows(AssertionFailedError.class, () -> checkClientConnection(nodeId));

    // Exactly one failed re-authentication is expected, and no successful one.
    server.verifyReauthenticationMetrics(0, 1);
}
Also used : SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) Test(org.junit.jupiter.api.Test)

Example 85 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testCannotReauthenticateWithDifferentMechanism.

/**
 * Re-authentication must fail if mechanism changes
 */
@Test
public void testCannotReauthenticateWithDifferentMechanism() throws Exception {
    final SecurityProtocol protocol = SecurityProtocol.SASL_SSL;
    final String nodeId = "0";

    // DIGEST-MD5 is the requested mechanism and the list holds both DIGEST-MD5 and PLAIN, so
    // a switch between the two is not blocked merely because one of them is disabled.
    configureMechanisms("DIGEST-MD5", Arrays.asList("DIGEST-MD5", "PLAIN"));
    configureDigestMd5ServerCallback(protocol);
    server = createEchoServer(protocol);

    // Build the client channel by hand with AlternateSaslChannelBuilder (presumably a test
    // builder that changes mechanism on re-authentication; its code is not shown here).
    String initialMechanism = (String) saslClientConfigs.get(SaslConfigs.SASL_MECHANISM);
    Map<String, ?> clientConfigs = new TestSecurityConfig(saslClientConfigs).values();
    Map<String, JaasContext> jaasContexts =
            Collections.singletonMap(initialMechanism, JaasContext.loadClientContext(clientConfigs));
    this.channelBuilder = new AlternateSaslChannelBuilder(Mode.CLIENT, jaasContexts, protocol,
            null, false, initialMechanism, true, credentialCache, null, time);
    this.channelBuilder.configure(clientConfigs);

    // The first authentication has to succeed.
    this.selector = NetworkTestUtils.createSelector(channelBuilder, time);
    InetSocketAddress serverAddress = new InetSocketAddress("localhost", server.port());
    selector.connect(nodeId, serverAddress, BUFFER_SIZE, BUFFER_SIZE);
    checkClientConnection(nodeId);

    // Baseline before re-authenticating: one successful authentication, no re-authentications.
    server.verifyAuthenticationMetrics(1, 0);
    server.verifyReauthenticationMetrics(0, 0);

    // Sleep 10% past the configured re-authentication interval so that the next write
    // triggers a re-authentication, which must fail because the mechanism differs from the
    // one the session was established with.
    delay((long) (CONNECTIONS_MAX_REAUTH_MS_VALUE * 1.1));
    assertThrows(AssertionFailedError.class, () -> checkClientConnection(nodeId));

    // The original authentication count is unchanged; one failed re-authentication is recorded.
    server.verifyAuthenticationMetrics(1, 0);
    server.verifyReauthenticationMetrics(0, 1);
}
Also used : InetSocketAddress(java.net.InetSocketAddress) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) TestSecurityConfig(org.apache.kafka.common.security.TestSecurityConfig) Test(org.junit.jupiter.api.Test)
