
Example 41 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testPacketSizeTooBig.

/**
 * Tests that packets that are too big during Kafka SASL handshake request flow
 * or the actual SASL authentication flow result in authentication failure
 * and do not cause any failures in the server.
 */
@Test
public void testPacketSizeTooBig() throws Exception {
    // Server side: SASL_PLAINTEXT listener with PLAIN as the only mechanism.
    final SecurityProtocol saslProtocol = SecurityProtocol.SASL_PLAINTEXT;
    configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    server = createEchoServer(saslProtocol);

    // Case 1: oversized packet sent AFTER a valid handshake request.
    // The client connects as PLAINTEXT, so the test writes the bytes the
    // server-side SASL code will read instead of running a real SASL client.
    final String postHandshakeNode = "invalid1";
    createClientConnection(SecurityProtocol.PLAINTEXT, postHandshakeNode);
    sendHandshakeRequestReceiveResponse(postHandshakeNode, (short) 1);

    // 1024-byte payload whose leading int is Integer.MAX_VALUE, followed by
    // zero padding. The leading int is the "large size" being tested: it
    // declares far more data than the peer actually sends.
    final ByteBuffer oversized = ByteBuffer.allocate(1024);
    final byte[] zeroPadding = new byte[oversized.capacity() - Integer.BYTES];
    oversized.putInt(Integer.MAX_VALUE);
    oversized.put(zeroPadding);
    oversized.rewind();
    selector.send(new NetworkSend(postHandshakeNode, oversized));

    // The server is expected to drop the connection rather than act on the
    // declared size. The third argument is presumably the state the client
    // channel is expected to be in when the close is seen; confirm against
    // NetworkTestUtils.
    NetworkTestUtils.waitForChannelClose(selector, postHandshakeNode, ChannelState.READY.state());
    selector.close();

    // The server must still accept a well-behaved SASL client afterwards.
    createAndCheckClientConnection(saslProtocol, "good1");

    // Case 2: the same oversized packet sent BEFORE any handshake request,
    // i.e. as the very first bytes on a fresh connection.
    final String preHandshakeNode = "invalid2";
    createClientConnection(SecurityProtocol.PLAINTEXT, preHandshakeNode);
    oversized.clear();
    oversized.putInt(Integer.MAX_VALUE);
    oversized.put(zeroPadding);
    oversized.rewind();
    selector.send(new NetworkSend(preHandshakeNode, oversized));
    NetworkTestUtils.waitForChannelClose(selector, preHandshakeNode, ChannelState.READY.state());
    selector.close();

    // Again, the server must keep serving legitimate clients.
    // NOTE(review): both cases observe only the channel close and a later
    // successful connection; no authentication-failure metric is asserted
    // here, so the rejection itself is verified indirectly.
    createAndCheckClientConnection(saslProtocol, "good2");
}
Also used : SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) NetworkSend(org.apache.kafka.common.network.NetworkSend) ByteBuffer(java.nio.ByteBuffer) Test(org.junit.Test)

Example 42 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testApiVersionsRequestWithUnsupportedVersion.

/**
 * Tests that unsupported version of ApiVersionsRequest before SASL handshake request
 * returns error response and does not result in authentication failure. This test
 * is similar to {@link #testUnauthenticatedApiVersionsRequest(SecurityProtocol, short)}
 * where a non-SASL client is used to send requests that are processed by
 * {@link SaslServerAuthenticator} of the server prior to client authentication.
 */
@Test
public void testApiVersionsRequestWithUnsupportedVersion() throws Exception {
    final short latestHandshakeVersion = ApiKeys.SASL_HANDSHAKE.latestVersion();
    final SecurityProtocol saslProtocol = SecurityProtocol.SASL_PLAINTEXT;
    configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    server = createEchoServer(saslProtocol);

    // A PLAINTEXT (non-SASL) client is used so the test controls exactly
    // which requests reach the server before authentication.
    final String nodeId = "1";
    createClientConnection(SecurityProtocol.PLAINTEXT, nodeId);

    // Step 1: ApiVersionsRequest whose header carries version Short.MAX_VALUE,
    // which no server supports. Expect an error response, not a dropped
    // connection.
    final RequestHeader unsupportedHeader =
            new RequestHeader(ApiKeys.API_VERSIONS, Short.MAX_VALUE, "someclient", 1);
    final ApiVersionsRequest versionsRequest = new ApiVersionsRequest.Builder().build();
    selector.send(versionsRequest.toSend(nodeId, unsupportedHeader));

    final ByteBuffer rawResponse = waitForResponse();
    // Parsing the header advances the buffer to the response body; the
    // parsed header itself is not inspected.
    ResponseHeader.parse(rawResponse);
    // The body is decoded as version 0.
    final ApiVersionsResponse versionsResponse = ApiVersionsResponse.parse(rawResponse, (short) 0);
    assertEquals(Errors.UNSUPPORTED_VERSION, versionsResponse.error());

    // Step 2: the same connection must remain usable. A supported
    // ApiVersionsRequest should now succeed.
    sendVersionRequestReceiveResponse(nodeId);

    // Step 3: the earlier bad request must not have counted as an
    // authentication failure, so handshake and SASL/PLAIN authentication
    // complete on the same connection.
    sendHandshakeRequestReceiveResponse(nodeId, latestHandshakeVersion);
    final boolean beyondHandshakeV0 = latestHandshakeVersion > 0;
    authenticateUsingSaslPlainAndCheckConnection(nodeId, beyondHandshakeV0);
}
Also used : ApiVersionsResponse(org.apache.kafka.common.requests.ApiVersionsResponse) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) RequestHeader(org.apache.kafka.common.requests.RequestHeader) ApiVersionsRequest(org.apache.kafka.common.requests.ApiVersionsRequest) ByteBuffer(java.nio.ByteBuffer) Test(org.junit.Test)

Example 43 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testTokenAuthenticationOverSaslScram.

/**
 * Tests token authentication over SASL/SCRAM-SHA-256 on a SASL_SSL listener.
 * The client presents the token id as username and the token HMAC as password.
 * The connection is expected to fail while the token is missing from the
 * server's token cache, to fail again once the token information is cached but
 * no matching credential exists, and to succeed only after the credential
 * cache has been updated for that token.
 */
@Test
public void testTokenAuthenticationOverSaslScram() throws Exception {
    final SecurityProtocol saslProtocol = SecurityProtocol.SASL_SSL;
    final TestJaasConfig jaasConfig = configureMechanisms("SCRAM-SHA-256", Arrays.asList("SCRAM-SHA-256"));

    // Client-side JAAS entry for token authentication. Both values are fixed
    // test literals, not a real token or HMAC.
    final String tokenId = "token1";
    final String tokenHmac = "abcdefghijkl";
    final Map<String, Object> clientLoginOptions = new HashMap<>();
    clientLoginOptions.put("username", tokenId);      // token id travels as the username
    clientLoginOptions.put("password", tokenHmac);    // token HMAC travels as the password
    clientLoginOptions.put(ScramLoginModule.TOKEN_AUTH_CONFIG, "true"); // switch the login module to token mode
    jaasConfig.createOrUpdateEntry(
            TestJaasConfig.LOGIN_CONTEXT_CLIENT, ScramLoginModule.class.getName(), clientLoginOptions);

    server = createEchoServer(saslProtocol);

    // Phase 1: the server's token cache does not know the token -> must fail.
    createAndCheckClientConnectionFailure(saslProtocol, "0");

    // Phase 2: token information is cached, but there is still no credential
    // for it -> must still fail.
    final KafkaPrincipal tokenOwner = SecurityUtils.parseKafkaPrincipal("User:Owner");
    final KafkaPrincipal tokenRenewer = SecurityUtils.parseKafkaPrincipal("User:Renewer1");
    // NOTE(review): the three trailing timestamp arguments are all "now";
    // presumably issue/max/expiry times; confirm against TokenInformation.
    final TokenInformation cachedTokenInfo = new TokenInformation(
            tokenId,
            tokenOwner,
            Collections.singleton(tokenRenewer),
            System.currentTimeMillis(),
            System.currentTimeMillis(),
            System.currentTimeMillis());
    server.tokenCache().addToken(tokenId, cachedTokenInfo);
    createAndCheckClientConnectionFailure(saslProtocol, "0");

    // Phase 3: token information and matching credential both present -> succeeds.
    updateTokenCredentialCache(tokenId, tokenHmac);
    createAndCheckClientConnection(saslProtocol, "0");
}
Also used : HashMap(java.util.HashMap) ScramLoginModule(org.apache.kafka.common.security.scram.ScramLoginModule) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) KafkaPrincipal(org.apache.kafka.common.security.auth.KafkaPrincipal) TokenInformation(org.apache.kafka.common.security.token.delegation.TokenInformation) Test(org.junit.Test)

Example 44 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testValidSaslPlainOverPlaintext.

/**
 * Tests good path SASL/PLAIN client and server channels using PLAINTEXT transport layer.
 */
@Test
public void testValidSaslPlainOverPlaintext() throws Exception {
    // SASL/PLAIN on an unencrypted transport: the PLAIN mechanism sends the
    // username and password as-is, so with SASL_PLAINTEXT they cross the
    // network in clear text. Acceptable for this happy-path test; production
    // listeners using PLAIN normally pair it with SASL_SSL.
    final SecurityProtocol saslProtocol = SecurityProtocol.SASL_PLAINTEXT;
    final String nodeId = "0";

    configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    server = createEchoServer(saslProtocol);

    // Connect, authenticate and verify the connection works.
    createAndCheckClientConnection(saslProtocol, nodeId);

    // Presumably (successful, failed) authentication counts: one success and
    // no failures. Confirm the argument order against the server helper.
    server.verifyAuthenticationMetrics(1, 0);
}
Also used : SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) Test(org.junit.Test)

Example 45 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testInvalidUsernameSaslPlain.

/**
 * Tests that SASL/PLAIN clients with invalid username fail authentication.
 */
@Test
public void testInvalidUsernameSaslPlain() throws Exception {
    final SecurityProtocol saslProtocol = SecurityProtocol.SASL_SSL;
    final String nodeId = "0";

    // Client logs in as "invaliduser" with TestJaasConfig.PASSWORD, so only
    // the username is meant to be wrong (assuming that constant is the
    // password the server side accepts; confirm in TestJaasConfig).
    final TestJaasConfig jaasConfig = configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    jaasConfig.setClientOptions("PLAIN", "invaliduser", TestJaasConfig.PASSWORD);

    server = createEchoServer(saslProtocol);

    // The expected error text does not say whether the username or the
    // password was rejected, so a failed login does not reveal which
    // usernames exist.
    createAndCheckClientAuthenticationFailure(
            saslProtocol, nodeId, "PLAIN", "Authentication failed: Invalid username or password");

    // Presumably (successful, failed) authentication counts: no successes and
    // one failure. Confirm the argument order against the server helper.
    server.verifyAuthenticationMetrics(0, 1);
}
Also used : SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) Test(org.junit.Test)
