This article collects typical usage examples of the org.apache.kafka.common.protocol.SecurityProtocol.SSL property in Java. If you are wondering how SecurityProtocol.SSL is used in practice, the selected examples below may help. You can also look further into usage examples of the enclosing class, org.apache.kafka.common.protocol.SecurityProtocol.
A total of 10 code examples of the SecurityProtocol.SSL property are shown below, sorted by popularity by default.
Example 1: testEndpointIdentificationDisabled
/**
 * Tests that server certificate with invalid IP address is accepted by
 * a client that has disabled endpoint validation
 */
@Test
public void testEndpointIdentificationDisabled() throws Exception {
    String node = "0";
    String serverHost = InetAddress.getLocalHost().getHostAddress();
    SecurityProtocol securityProtocol = SecurityProtocol.SSL;
    server = new NioEchoServer(ListenerName.forSecurityProtocol(securityProtocol), securityProtocol,
            new TestSecurityConfig(sslServerConfigs), serverHost, null);
    server.start();
    sslClientConfigs.remove(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG);
    createSelector(sslClientConfigs);
    InetSocketAddress addr = new InetSocketAddress(serverHost, server.port());
    selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(selector, node, 100, 10);
}
Example 2: buildBrokerConfigs
/**
 * returns the list of broker configs for all brokers created by this test
 * (as determined by clusterSize())
 * @return list of broker configs, one config map per broker to be created
 */
protected List<Map<Object, Object>> buildBrokerConfigs() {
    List<Map<Object, Object>> configs = new ArrayList<>();
    for (int i = 0; i < clusterSize(); i++) {
        EmbeddedBrokerBuilder builder = new EmbeddedBrokerBuilder();
        builder.zkConnect(zookeeper());
        builder.nodeId(i);
        builder.enable(securityProtocol());
        if (securityProtocol() == SecurityProtocol.SSL) {
            if (trustStoreFile() != null) {
                builder.trustStore(trustStoreFile());
            }
        } else {
            if (trustStoreFile() != null) {
                throw new AssertionError("security protocol not set yet trust store file provided");
            }
        }
        Map<Object, Object> config = builder.buildConfig();
        config.putAll(overridingProps());
        configs.add(config);
    }
    return configs;
}
Example 3: testUnauthenticatedApiVersionsRequest
/**
 * Tests that Kafka ApiVersionsRequests are handled by the SASL server authenticator
 * prior to SASL handshake flow and that subsequent authentication succeeds
 * when transport layer is PLAINTEXT/SSL. This test uses a non-SASL client that simulates
 * SASL authentication after ApiVersionsRequest.
 * <p>
 * Test sequence (using <tt>securityProtocol=PLAINTEXT</tt> as an example):
 * <ol>
 *   <li>Starts a SASL_PLAINTEXT test server that simply echoes back client requests after authentication.</li>
 *   <li>A (non-SASL) PLAINTEXT test client connects to the SASL server port. Client is now unauthenticated.</li>
 *   <li>The unauthenticated non-SASL client sends an ApiVersionsRequest and validates the response.
 *       A valid response indicates that {@link SaslServerAuthenticator} of the test server responded to
 *       the ApiVersionsRequest even though the client is not yet authenticated.</li>
 *   <li>The unauthenticated non-SASL client sends a SaslHandshakeRequest and validates the response. A valid response
 *       indicates that {@link SaslServerAuthenticator} of the test server responded to the SaslHandshakeRequest
 *       after processing ApiVersionsRequest.</li>
 *   <li>The unauthenticated non-SASL client sends the SASL/PLAIN packet containing username/password to authenticate
 *       itself. The client is now authenticated by the server. At this point this test client is at the
 *       same state as a regular SASL_PLAINTEXT client that is <tt>ready</tt>.</li>
 *   <li>The authenticated client sends random data to the server and checks that the data is echoed
 *       back by the test server (ie, not Kafka request-response) to ensure that the client now
 *       behaves exactly as a regular SASL_PLAINTEXT client that has completed authentication.</li>
 * </ol>
 */
private void testUnauthenticatedApiVersionsRequest(SecurityProtocol securityProtocol) throws Exception {
    configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    server = createEchoServer(securityProtocol);
    // Create non-SASL connection to manually authenticate after ApiVersionsRequest
    String node = "1";
    SecurityProtocol clientProtocol;
    switch (securityProtocol) {
        case SASL_PLAINTEXT:
            clientProtocol = SecurityProtocol.PLAINTEXT;
            break;
        case SASL_SSL:
            clientProtocol = SecurityProtocol.SSL;
            break;
        default:
            throw new IllegalArgumentException("Server protocol " + securityProtocol + " is not SASL");
    }
    createClientConnection(clientProtocol, node);
    NetworkTestUtils.waitForChannelReady(selector, node);
    // Send ApiVersionsRequest and check response
    ApiVersionsResponse versionsResponse = sendVersionRequestReceiveResponse(node);
    assertEquals(ApiKeys.SASL_HANDSHAKE.oldestVersion(), versionsResponse.apiVersion(ApiKeys.SASL_HANDSHAKE.id).minVersion);
    assertEquals(ApiKeys.SASL_HANDSHAKE.latestVersion(), versionsResponse.apiVersion(ApiKeys.SASL_HANDSHAKE.id).maxVersion);
    // Send SaslHandshakeRequest and check response
    SaslHandshakeResponse handshakeResponse = sendHandshakeRequestReceiveResponse(node);
    assertEquals(Collections.singletonList("PLAIN"), handshakeResponse.enabledMechanisms());
    // Complete manual authentication and check send/receive succeed
    authenticateUsingSaslPlainAndCheckConnection(node);
}
Example 4: testClientEndpointNotValidated
/**
 * According to RFC 2818:
 * <blockquote>Typically, the server has no external knowledge of what the client's
 * identity ought to be and so checks (other than that the client has a
 * certificate chain rooted in an appropriate CA) are not possible. If a
 * server has such knowledge (typically from some source external to
 * HTTP or TLS) it SHOULD check the identity as described above.</blockquote>
 *
 * However, Java SSL engine does not perform any endpoint validation for client IP address.
 * Hence it is safe to avoid reverse DNS lookup while creating the SSL engine. This test checks
 * that client validation does not fail even if the client certificate has an invalid hostname.
 * This test is to ensure that if client endpoint validation is added to Java in future, we can detect
 * and update Kafka SSL code to enable validation on the server-side and provide hostname if required.
 */
@Test
public void testClientEndpointNotValidated() throws Exception {
    String node = "0";
    // Create client certificate with an invalid hostname
    clientCertStores = new CertStores(false, "non-existent.com");
    serverCertStores = new CertStores(true, "localhost");
    sslServerConfigs = serverCertStores.getTrustingConfig(clientCertStores);
    sslClientConfigs = clientCertStores.getTrustingConfig(serverCertStores);
    // Create a server with endpoint validation enabled on the server SSL engine
    SslChannelBuilder serverChannelBuilder = new SslChannelBuilder(Mode.SERVER) {
        @Override
        protected SslTransportLayer buildTransportLayer(SslFactory sslFactory, String id, SelectionKey key, String host) throws IOException {
            SocketChannel socketChannel = (SocketChannel) key.channel();
            SSLEngine sslEngine = sslFactory.createSslEngine(host, socketChannel.socket().getPort());
            SSLParameters sslParams = sslEngine.getSSLParameters();
            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
            sslEngine.setSSLParameters(sslParams);
            TestSslTransportLayer transportLayer = new TestSslTransportLayer(id, key, sslEngine, BUFFER_SIZE, BUFFER_SIZE, BUFFER_SIZE);
            transportLayer.startHandshake();
            return transportLayer;
        }
    };
    serverChannelBuilder.configure(sslServerConfigs);
    server = new NioEchoServer(ListenerName.forSecurityProtocol(SecurityProtocol.SSL), SecurityProtocol.SSL,
            new TestSecurityConfig(sslServerConfigs), "localhost", serverChannelBuilder);
    server.start();
    createSelector(sslClientConfigs);
    InetSocketAddress addr = new InetSocketAddress("localhost", server.port());
    selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(selector, node, 100, 10);
}
Example 5: setUp
@Before
public void setUp() throws Exception {
    File trustStoreFile = File.createTempFile("truststore", ".jks");
    Map<String, Object> sslServerConfigs = TestSslUtils.createSslConfig(false, true, Mode.SERVER, trustStoreFile, "server");
    sslServerConfigs.put(SslConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SslConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
    this.server = new EchoServer(SecurityProtocol.SSL, sslServerConfigs);
    this.server.start();
    this.time = new MockTime();
    sslClientConfigs = TestSslUtils.createSslConfig(false, false, Mode.CLIENT, trustStoreFile, "client");
    this.channelBuilder = new SslChannelBuilder(Mode.CLIENT);
    this.channelBuilder.configure(sslClientConfigs);
    this.metrics = new Metrics();
    this.selector = new Selector(5000, metrics, time, "MetricGroup", channelBuilder);
}
Example 6: createUpdateMetadataRequest
private UpdateMetadataRequest createUpdateMetadataRequest(int version, String rack) {
    Map<TopicPartition, PartitionState> partitionStates = new HashMap<>();
    List<Integer> isr = asList(1, 2);
    List<Integer> replicas = asList(1, 2, 3, 4);
    partitionStates.put(new TopicPartition("topic5", 105),
            new PartitionState(0, 2, 1, new ArrayList<>(isr), 2, replicas));
    partitionStates.put(new TopicPartition("topic5", 1),
            new PartitionState(1, 1, 1, new ArrayList<>(isr), 2, replicas));
    partitionStates.put(new TopicPartition("topic20", 1),
            new PartitionState(1, 0, 1, new ArrayList<>(isr), 2, replicas));
    SecurityProtocol plaintext = SecurityProtocol.PLAINTEXT;
    List<UpdateMetadataRequest.EndPoint> endPoints1 = new ArrayList<>();
    endPoints1.add(new UpdateMetadataRequest.EndPoint("host1", 1223, plaintext,
            ListenerName.forSecurityProtocol(plaintext)));
    List<UpdateMetadataRequest.EndPoint> endPoints2 = new ArrayList<>();
    endPoints2.add(new UpdateMetadataRequest.EndPoint("host1", 1244, plaintext,
            ListenerName.forSecurityProtocol(plaintext)));
    if (version > 0) {
        SecurityProtocol ssl = SecurityProtocol.SSL;
        endPoints2.add(new UpdateMetadataRequest.EndPoint("host2", 1234, ssl,
                ListenerName.forSecurityProtocol(ssl)));
        endPoints2.add(new UpdateMetadataRequest.EndPoint("host2", 1334, ssl,
                new ListenerName("CLIENT")));
    }
    Set<UpdateMetadataRequest.Broker> liveBrokers = Utils.mkSet(
            new UpdateMetadataRequest.Broker(0, endPoints1, rack),
            new UpdateMetadataRequest.Broker(1, endPoints2, rack)
    );
    return new UpdateMetadataRequest.Builder((short) version, 1, 10, partitionStates,
            liveBrokers).build();
}
Example 7: testUnauthenticatedApiVersionsRequest
/**
 * Tests that Kafka ApiVersionsRequests are handled by the SASL server authenticator
 * prior to SASL handshake flow and that subsequent authentication succeeds
 * when transport layer is PLAINTEXT/SSL. This test uses a non-SASL client that simulates
 * SASL authentication after ApiVersionsRequest.
 * <p>
 * Test sequence (using <tt>securityProtocol=PLAINTEXT</tt> as an example):
 * <ol>
 *   <li>Starts a SASL_PLAINTEXT test server that simply echoes back client requests after authentication.</li>
 *   <li>A (non-SASL) PLAINTEXT test client connects to the SASL server port. Client is now unauthenticated.</li>
 *   <li>The unauthenticated non-SASL client sends an ApiVersionsRequest and validates the response.
 *       A valid response indicates that {@link SaslServerAuthenticator} of the test server responded to
 *       the ApiVersionsRequest even though the client is not yet authenticated.</li>
 *   <li>The unauthenticated non-SASL client sends a SaslHandshakeRequest and validates the response. A valid response
 *       indicates that {@link SaslServerAuthenticator} of the test server responded to the SaslHandshakeRequest
 *       after processing ApiVersionsRequest.</li>
 *   <li>The unauthenticated non-SASL client sends the SASL/PLAIN packet containing username/password to authenticate
 *       itself. The client is now authenticated by the server. At this point this test client is at the
 *       same state as a regular SASL_PLAINTEXT client that is <tt>ready</tt>.</li>
 *   <li>The authenticated client sends random data to the server and checks that the data is echoed
 *       back by the test server (ie, not Kafka request-response) to ensure that the client now
 *       behaves exactly as a regular SASL_PLAINTEXT client that has completed authentication.</li>
 * </ol>
 */
private void testUnauthenticatedApiVersionsRequest(SecurityProtocol securityProtocol) throws Exception {
    configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    server = NetworkTestUtils.createEchoServer(securityProtocol, saslServerConfigs);
    // Create non-SASL connection to manually authenticate after ApiVersionsRequest
    String node = "1";
    SecurityProtocol clientProtocol;
    switch (securityProtocol) {
        case SASL_PLAINTEXT:
            clientProtocol = SecurityProtocol.PLAINTEXT;
            break;
        case SASL_SSL:
            clientProtocol = SecurityProtocol.SSL;
            break;
        default:
            throw new IllegalArgumentException("Server protocol " + securityProtocol + " is not SASL");
    }
    createClientConnection(clientProtocol, node);
    NetworkTestUtils.waitForChannelReady(selector, node);
    // Send ApiVersionsRequest and check response
    ApiVersionsResponse versionsResponse = sendVersionRequestReceiveResponse(node);
    assertEquals(Protocol.MIN_VERSIONS[ApiKeys.SASL_HANDSHAKE.id], versionsResponse.apiVersion(ApiKeys.SASL_HANDSHAKE.id).minVersion);
    assertEquals(Protocol.CURR_VERSION[ApiKeys.SASL_HANDSHAKE.id], versionsResponse.apiVersion(ApiKeys.SASL_HANDSHAKE.id).maxVersion);
    // Send SaslHandshakeRequest and check response
    SaslHandshakeResponse handshakeResponse = sendHandshakeRequestReceiveResponse(node);
    assertEquals(Collections.singletonList("PLAIN"), handshakeResponse.enabledMechanisms());
    // Complete manual authentication and check send/receive succeed
    authenticateUsingSaslPlainAndCheckConnection(node);
}
Example 8: testEndpointIdentificationDisabled
/**
 * Tests that server certificate with invalid IP address is accepted by
 * a client that has disabled endpoint validation
 */
@Test
public void testEndpointIdentificationDisabled() throws Exception {
    String node = "0";
    String serverHost = InetAddress.getLocalHost().getHostAddress();
    server = new NioEchoServer(SecurityProtocol.SSL, sslServerConfigs, serverHost);
    server.start();
    sslClientConfigs.remove(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG);
    createSelector(sslClientConfigs);
    InetSocketAddress addr = new InetSocketAddress(serverHost, server.port());
    selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(selector, node, 100, 10);
}
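The two testEndpointIdentificationDisabled examples connect successfully only because the client removes `ssl.endpoint.identification.algorithm`, so the broker certificate's host name is never checked. The following is an added example, not code from Kafka or from any project quoted on this page, that audits a client configuration for that condition. The class, the `audit` and `config` methods and the `defaultIsHttps` parameter are hypothetical names; the parameter stands in for the client library's default when the key is absent (`https` since Kafka 2.0, unset before that).

```java
import java.util.Locale;
import java.util.Properties;

/** Added illustration: flags Kafka client configs that skip broker host name verification. */
public class EndpointIdentificationAudit {
    enum Finding { NOT_TLS, HOSTNAME_VERIFIED, HOSTNAME_NOT_VERIFIED }

    // Kafka client config keys, written as literals so no Kafka jar is needed.
    static final String SECURITY_PROTOCOL = "security.protocol";
    static final String ENDPOINT_ID_ALGORITHM = "ssl.endpoint.identification.algorithm";

    // defaultIsHttps is an assumption supplied by the caller: true when the client
    // library falls back to "https" if the algorithm key is missing.
    static Finding audit(Properties props, boolean defaultIsHttps) {
        String protocol = props.getProperty(SECURITY_PROTOCOL, "PLAINTEXT")
                .trim().toUpperCase(Locale.ROOT);
        if (!protocol.equals("SSL") && !protocol.equals("SASL_SSL")) {
            return Finding.NOT_TLS;
        }
        String algorithm = props.getProperty(ENDPOINT_ID_ALGORITHM);
        if (algorithm == null) {
            // Key removed, as in the tests above: the library default decides.
            return defaultIsHttps ? Finding.HOSTNAME_VERIFIED : Finding.HOSTNAME_NOT_VERIFIED;
        }
        // An explicit empty value disables verification whatever the default is;
        // a non-empty value is handed to the SSL engine as the algorithm name.
        return algorithm.trim().isEmpty() ? Finding.HOSTNAME_NOT_VERIFIED : Finding.HOSTNAME_VERIFIED;
    }

    // Hypothetical helper: builds a constructed sample configuration.
    static Properties config(String protocol, String algorithm) {
        Properties p = new Properties();
        p.setProperty(SECURITY_PROTOCOL, protocol);
        if (algorithm != null) p.setProperty(ENDPOINT_ID_ALGORITHM, algorithm);
        return p;
    }

    public static void main(String[] args) {
        System.out.println("key removed, no default:    " + audit(config("SSL", null), false));
        System.out.println("key removed, https default: " + audit(config("SSL", null), true));
        System.out.println("explicit empty value:       " + audit(config("SASL_SSL", ""), true));
        System.out.println("explicit https:             " + audit(config("SSL", "https"), false));
        System.out.println("plaintext listener:         " + audit(config("PLAINTEXT", null), true));
    }
}
```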
Example 9: setSecurityConfigs
protected void setSecurityConfigs(Properties clientProps, String certAlias) {
    SecurityProtocol protocol = securityProtocol();
    if (protocol == SecurityProtocol.SSL) {
        File trustStoreFile = trustStoreFile();
        if (trustStoreFile == null) {
            throw new AssertionError("ssl set but no trust store provided");
        }
        clientProps.setProperty(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, protocol.name);
        try {
            clientProps.putAll(TestSslUtils.createSslConfig(true, true, Mode.CLIENT, trustStoreFile, certAlias));
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }
}
Developer: linkedin, Project: li-apache-kafka-clients, Lines of code: 15, Source: AbstractKafkaClientsIntegrationTestHarness.java
Example 10: securityProtocol
@Override
public SecurityProtocol securityProtocol() {
    return SecurityProtocol.SSL;
}