/**
 * Builds a single-module JAAS configuration entry for the given SASL mechanism.
 *
 * <p>The entry has the form {@code <loginModule> required username=<username> password=<password>;}.
 * Both credentials are embedded in clear text and unquoted; the {@link Password} wrapper only
 * protects against the value being printed accidentally, it does not protect the string itself.
 *
 * @param mechanism SASL mechanism whose login module class is resolved via {@code loginModule}
 * @param username  value of the {@code username} option
 * @param password  value of the {@code password} option
 * @return the JAAS entry wrapped in a {@link Password}
 */
public static Password jaasConfigProperty(String mechanism, String username, String password) {
    StringBuilder entry = new StringBuilder();
    entry.append(loginModule(mechanism));
    entry.append(" required username=").append(username);
    entry.append(" password=").append(password);
    entry.append(";");
    return new Password(entry.toString());
}
/**
 * Resolves the JAAS context for a listener / mechanism.
 *
 * <p>A non-null {@code dynamicJaasConfig} (the {@code sasl.jaas.config} value) takes precedence:
 * it is parsed as a {@link JaasConfig} under {@code globalContextName} and must declare exactly one
 * login module. When no dynamic config is given, resolution is delegated to {@code defaultContext}.
 *
 * @param contextType         client or server context
 * @param listenerContextName listener-specific context name, passed through to {@code defaultContext}
 * @param globalContextName   context name used both for the parsed dynamic config and as fallback
 * @param dynamicJaasConfig   inline JAAS configuration, or {@code null} to use the static configuration
 * @return the resolved context
 * @throws IllegalArgumentException if the dynamic config has zero or more than one login module
 */
static JaasContext load(JaasContext.Type contextType, String listenerContextName,
                        String globalContextName, Password dynamicJaasConfig) {
    if (dynamicJaasConfig == null) {
        return defaultContext(contextType, listenerContextName, globalContextName);
    }
    JaasConfig jaasConfig = new JaasConfig(globalContextName, dynamicJaasConfig.value());
    AppConfigurationEntry[] modules = jaasConfig.getAppConfigurationEntry(globalContextName);
    // A missing entry and an empty entry are treated alike.
    int moduleCount = modules == null ? 0 : modules.length;
    if (moduleCount == 0) {
        throw new IllegalArgumentException("JAAS config property does not contain any login modules");
    }
    if (moduleCount != 1) {
        throw new IllegalArgumentException("JAAS config property contains " + moduleCount
                + " login modules, should be 1 module");
    }
    return new JaasContext(globalContextName, contextType, jaasConfig, dynamicJaasConfig);
}
// NOTE(review): the body of this test is truncated in this listing; the assertions that
// consume the properties set up below are not visible here.
@Test
public void testValuesWithSecondaryPrefix() {
    String prefix = "listener.name.listener1.";
    // Three distinct JAAS values, keyed from most specific (listener + mechanism) to least
    // specific (global) so the lookup precedence can be told apart by the module name.
    Password saslJaasConfig1 = new Password("test.myLoginModule1 required;");
    Password saslJaasConfig2 = new Password("test.myLoginModule2 required;");
    Password saslJaasConfig3 = new Password("test.myLoginModule3 required;");
    Properties props = new Properties();
    props.put("listener.name.listener1.test-mechanism.sasl.jaas.config", saslJaasConfig1.value());
    props.put("test-mechanism.sasl.jaas.config", saslJaasConfig2.value());
    props.put("sasl.jaas.config", saslJaasConfig3.value());
    // Listener-scoped GSSAPI settings that only apply under the "gssapi." mechanism prefix.
    props.put("listener.name.listener1.gssapi.sasl.kerberos.kinit.cmd", "/usr/bin/kinit2");
    props.put("listener.name.listener1.gssapi.sasl.kerberos.service.name", "testkafka");
/**
 * Converts a map of config (key, value) pairs to a map of strings where each value
 * is converted to a string. This method should be used with care since it stores
 * actual password values to String. Values from this map should never be used in log entries.
 *
 * @param configs parsed config values; {@link Password} entries are unwrapped to their real value
 * @return a new map containing only the entries whose string rendering is non-null
 */
public static Map<String, String> convertToStringMapWithPasswordValues(Map<String, ?> configs) {
    Map<String, String> result = new HashMap<>();
    for (Map.Entry<String, ?> entry : configs.entrySet()) {
        String rendered = renderRevealingPasswords(entry.getValue());
        // Entries that render to null (presumably null config values) are skipped, not stored.
        if (rendered != null) {
            result.put(entry.getKey(), rendered);
        }
    }
    return result;
}

/**
 * Renders one config value; a {@link Password} is unwrapped to its secret instead of being masked,
 * lists and classes use their typed conversion, everything else the untyped one.
 */
private static String renderRevealingPasswords(Object value) {
    if (value instanceof Password) {
        return ((Password) value).value();
    }
    Type conversionType = null;
    if (value instanceof List) {
        conversionType = Type.LIST;
    } else if (value instanceof Class) {
        conversionType = Type.CLASS;
    }
    return convertToString(value, conversionType);
}
// Two PLAIN login modules for different users, concatenated into a single sasl.jaas.config
// value (separated by a space); both secrets end up in clear text inside the Password.
String module1 = TestJaasConfig.jaasConfigProperty("PLAIN", "user1", "user1-secret").value();
String module2 = TestJaasConfig.jaasConfigProperty("PLAIN", "user2", "user2-secret").value();
saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, new Password(module1 + " " + module2));
// NOTE(review): the try block continues beyond this listing; its handler is not visible here.
try {
    createClientConnection(securityProtocol, "1");
/**
 * Builds a single-module JAAS configuration entry with arbitrary login-module options.
 *
 * <p>The result is {@code <loginModule> required k1=v1 k2=v2 ...;} with options emitted in the
 * map's iteration order. Keys and values are appended verbatim and unquoted, so any secrets among
 * the options are embedded in clear text.
 *
 * @param mechanism SASL mechanism whose login module class is resolved via {@code loginModule}
 * @param options   login-module options; values are rendered with {@code StringBuilder.append}
 * @return the JAAS entry wrapped in a {@link Password}
 */
public static Password jaasConfigProperty(String mechanism, Map<String, Object> options) {
    StringBuilder entry = new StringBuilder()
            .append(loginModule(mechanism))
            .append(" required");
    for (Map.Entry<String, Object> option : options.entrySet()) {
        entry.append(' ')
             .append(option.getKey())
             .append('=')
             .append(option.getValue());
    }
    entry.append(';');
    return new Password(entry.toString());
}
/**
 * Writes a key store to {@code filename}, protecting it with the given store password.
 *
 * @param ks       key store to persist
 * @param filename destination path (created or overwritten)
 * @param password store password used for the integrity check on later loads
 * @throws GeneralSecurityException if the store cannot be serialized
 * @throws IOException              if the file cannot be written
 */
private static void saveKeyStore(KeyStore ks, String filename, Password password)
        throws GeneralSecurityException, IOException {
    char[] storePassword = password.value().toCharArray();
    try (OutputStream out = Files.newOutputStream(Paths.get(filename))) {
        ks.store(out, storePassword);
    }
}
/**
 * Prepares inline (dynamic) JAAS entries for the PLAIN and test DIGEST login modules and installs
 * a static JAAS configuration for SCRAM-SHA-256, so tests can exercise both resolution paths.
 */
@Before
public void setUp() {
    String plainModule = PlainLoginModule.class.getName();
    String digestModule = TestDigestLoginModule.class.getName();
    // Credentials are literal test values embedded in the JAAS entry.
    dynamicPlainContext = new Password(plainModule + " required user=\"plainuser\" password=\"plain-secret\";");
    dynamicDigestContext = new Password(digestModule + " required user=\"digestuser\" password=\"digest-secret\";");
    TestJaasConfig.createConfiguration("SCRAM-SHA-256", Collections.singletonList("SCRAM-SHA-256"));
}
/**
 * Loads the key store at {@code path} as a store of {@code type}, using {@code password} when one
 * is set, and records the file's modification time in {@code fileLastModifiedMs}.
 *
 * @return the loaded keystore
 * @throws KafkaException if the file could not be read or if the keystore could not be loaded
 *                        using the specified configs (e.g. if the password or keystore type is invalid)
 */
KeyStore load() {
    try (InputStream in = Files.newInputStream(Paths.get(path))) {
        KeyStore ks = KeyStore.getInstance(type);
        // If a password is not set access to the truststore is still available, but integrity
        // checking is disabled (KeyStore.load accepts a null password).
        char[] storePassword = null;
        if (password != null) {
            storePassword = password.value().toCharArray();
        }
        ks.load(in, storePassword);
        fileLastModifiedMs = lastModifiedMs(path);
        Date modifiedAt = fileLastModifiedMs == null ? null : new Date(fileLastModifiedMs);
        log.debug("Loaded key store with path {} modification time {}", path, modifiedAt);
        return ks;
    } catch (GeneralSecurityException | IOException e) {
        // Message carries path and type only; the password is never included.
        throw new KafkaException("Failed to load SSL keystore " + path + " of type " + type, e);
    }
}
/**
 * Resolves the single login-module entry for {@code contextType}, using {@code jaasConfigProp} as
 * the inline JAAS config when non-null and the static configuration otherwise.
 *
 * @param contextType    client or server context; its name doubles as the global context name
 * @param jaasConfigProp inline JAAS entry, or {@code null} to fall back to the static config
 * @return the only configured entry (the test fails if there is not exactly one)
 */
private AppConfigurationEntry configurationEntry(JaasContext.Type contextType, String jaasConfigProp) {
    Password dynamicConfig = null;
    if (jaasConfigProp != null) {
        dynamicConfig = new Password(jaasConfigProp);
    }
    JaasContext context = JaasContext.load(contextType, null, contextType.name(), dynamicConfig);
    List<AppConfigurationEntry> entries = context.configurationEntries();
    assertEquals(1, entries.size());
    return entries.get(0);
}
/**
 * Creates a keystore holding a single key entry and writes it to {@code filename}. The same
 * password protects both the key entry and the store.
 *
 * @param filename   path to write the keystore to
 * @param password   password used for the key entry and as the store password
 * @param alias      alias of the key entry
 * @param privateKey private key to store
 * @param cert       certificate forming the one-element chain for the key
 * @throws GeneralSecurityException for any error with the security APIs
 * @throws IOException              if there is an I/O error saving the file
 */
public static void createKeyStore(String filename, Password password, String alias, Key privateKey, Certificate cert)
        throws GeneralSecurityException, IOException {
    Certificate[] chain = {cert};
    char[] keyPassword = password.value().toCharArray();
    KeyStore store = createEmptyKeyStore();
    store.setKeyEntry(alias, privateKey, keyPassword, chain);
    saveKeyStore(store, filename, password);
}
/**
 * Parsing the three SSL password configs yields {@link Password} values whose {@code toString()}
 * is the {@code HIDDEN} placeholder rather than the secret.
 */
@Test
public void testSslPasswords() {
    ConfigDef def = new ConfigDef();
    SslConfigs.addClientSslSupport(def);
    Properties props = new Properties();
    props.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, "key_password");
    props.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "keystore_password");
    props.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "truststore_password");
    Map<String, Object> vals = def.parse(props);
    assertParsedPassword(vals, SslConfigs.SSL_KEY_PASSWORD_CONFIG, "key_password");
    assertParsedPassword(vals, SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "keystore_password");
    assertParsedPassword(vals, SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "truststore_password");
}

/** Asserts that {@code key} parsed to a {@link Password} equal to {@code expected} and that it prints masked. */
private static void assertParsedPassword(Map<String, Object> vals, String key, String expected) {
    assertEquals(new Password(expected), vals.get(key));
    assertEquals(Password.HIDDEN, vals.get(key).toString());
}
/**
 * Creates a keystore with a single key and saves it to a file.
 *
 * @param filename    path of the file to write the keystore to
 * @param password    store password protecting the keystore file
 * @param keyPassword password protecting the private key entry (may differ from the store password)
 * @param alias       alias under which the key entry is stored
 * @param privateKey  private key to store
 * @param cert        certificate used as the one-element chain for the key
 * @throws GeneralSecurityException for any error with the security APIs
 * @throws IOException              if there is an I/O error saving the file
 */
public static void createKeyStore(String filename, Password password, Password keyPassword, String alias,
                                  Key privateKey, Certificate cert)
        throws GeneralSecurityException, IOException {
    KeyStore store = createEmptyKeyStore();
    Certificate[] chain = new Certificate[]{cert};
    store.setKeyEntry(alias, privateKey, keyPassword.value().toCharArray(), chain);
    saveKeyStore(store, filename, password);
}
/**
 * Generates test key material for one side of an SSL connection and returns the matching config map.
 *
 * <p>A key store file is created for {@code Mode.SERVER} unconditionally and for {@code Mode.CLIENT}
 * only when {@code useClientCert} is set; otherwise no key store is produced and {@code null} is
 * passed on to the config builder. The generated certificate is registered under {@code certAlias}
 * and, when {@code trustStore} is true, written to {@code trustStoreFile}. Store and key passwords
 * are fixed test literals and the same password is used for both. Files created here are marked for
 * deletion on JVM exit.
 *
 * @param useClientCert  whether a client key store with its own certificate is created
 * @param trustStore     whether {@code trustStoreFile} is written with the generated certificate
 * @param mode           client or server side
 * @param trustStoreFile trust store location, only written when {@code trustStore} is true
 * @param certAlias      alias for the generated certificate in the trust store
 * @param cn             common name placed in the certificate subject
 * @param certBuilder    produces the certificate for a generated key pair
 * @return SSL config for {@code mode}
 * @throws IOException              on temp-file creation or store write errors
 * @throws GeneralSecurityException on key or certificate generation errors
 */
public static Map<String, Object> createSslConfig(boolean useClientCert, boolean trustStore, Mode mode,
                                                  File trustStoreFile, String certAlias, String cn,
                                                  CertificateBuilder certBuilder)
        throws IOException, GeneralSecurityException {
    Password password = new Password(mode == Mode.SERVER ? "ServerPassword" : "ClientPassword");
    Password trustStorePassword = new Password("TrustStorePassword");
    Map<String, X509Certificate> certs = new HashMap<>();
    File keyStoreFile = null;

    boolean clientWithCert = mode == Mode.CLIENT && useClientCert;
    if (clientWithCert) {
        keyStoreFile = File.createTempFile("clientKS", ".jks");
        KeyPair clientKeyPair = generateKeyPair("RSA");
        X509Certificate clientCert = certBuilder.generate("CN=" + cn + ", O=A client", clientKeyPair);
        createKeyStore(keyStoreFile.getPath(), password, "client", clientKeyPair.getPrivate(), clientCert);
        certs.put(certAlias, clientCert);
        keyStoreFile.deleteOnExit();
    } else if (mode == Mode.SERVER) {
        keyStoreFile = File.createTempFile("serverKS", ".jks");
        KeyPair serverKeyPair = generateKeyPair("RSA");
        X509Certificate serverCert = certBuilder.generate("CN=" + cn + ", O=A server", serverKeyPair);
        // Store password doubles as key password for the server entry.
        createKeyStore(keyStoreFile.getPath(), password, password, "server", serverKeyPair.getPrivate(), serverCert);
        certs.put(certAlias, serverCert);
        keyStoreFile.deleteOnExit();
    }

    if (trustStore) {
        createTrustStore(trustStoreFile.getPath(), trustStorePassword, certs);
        trustStoreFile.deleteOnExit();
    }
    return createSslConfig(mode, keyStoreFile, password, password, trustStoreFile, trustStorePassword);
}
/**
 * Adds the given certificates as trusted entries to the JKS trust store at {@code filename}.
 *
 * <p>An existing store is loaded first so entries accumulate; a zero-length file (which makes
 * {@code KeyStore.load} throw {@link EOFException}) is treated as an empty store. A file that does
 * not exist at all is not special-cased here and surfaces as an {@link IOException}.
 *
 * @param filename trust store path to read and then overwrite
 * @param password store password used for both loading and saving
 * @param certs    certificates to add, keyed by alias
 * @throws GeneralSecurityException for any error with the security APIs
 * @throws IOException              if the file cannot be read or written
 */
public static <T extends Certificate> void createTrustStore(String filename, Password password, Map<String, T> certs)
        throws GeneralSecurityException, IOException {
    KeyStore store = KeyStore.getInstance("JKS");
    char[] storePassword = password.value().toCharArray();
    try (InputStream in = Files.newInputStream(Paths.get(filename))) {
        store.load(in, storePassword);
    } catch (EOFException emptyFile) {
        // Nothing to load yet; start from a fresh store.
        store = createEmptyKeyStore();
    }
    for (Map.Entry<String, T> trusted : certs.entrySet()) {
        String alias = trusted.getKey();
        store.setCertificateEntry(alias, trusted.getValue());
    }
    saveKeyStore(store, filename, password);
}
/**
 * Parsing a raw string through {@code RESOLVED_PASSWORD} yields a {@link Password} wrapper equal to
 * one built from the same string (equality is on the wrapped value).
 */
@Test
public void shouldResolvePasswordToPassword() {
    assertThat(RESOLVED_PASSWORD.parseValue("Sensitive"), is(new Password("Sensitive")));
}
KeyStore ks = keystore.load();
// The key password falls back to the store password when no separate key password is configured.
// NOTE(review): keystore.password is assumed non-null here (NPE otherwise) — confirm against the
// config validation that precedes this.
Password keyPassword = keystore.keyPassword != null ? keystore.keyPassword : keystore.password;
kmf.init(ks, keyPassword.value().toCharArray());
keyManagers = kmf.getKeyManagers();
/**
 * {@code convertToString} with {@code Type.PASSWORD} masks a {@link Password} as {@code HIDDEN},
 * passes a plain {@link String} through unchanged, and maps {@code null} to {@code null}.
 */
@Test
public void testConvertValueToStringPassword() {
    Password secret = new Password("foobar");
    assertEquals(Password.HIDDEN, ConfigDef.convertToString(secret, Type.PASSWORD));
    // A bare String is not masked even when declared as PASSWORD: only the Password wrapper hides.
    assertEquals("foobar", ConfigDef.convertToString("foobar", Type.PASSWORD));
    assertNull(ConfigDef.convertToString(null, Type.PASSWORD));
}
/**
 * Tests that client connections cannot be created to a server
 * if key password is invalid: the channel must close with
 * {@code AUTHENTICATION_FAILED} and the server must record one failed authentication.
 */
@Test
public void testInvalidKeyPassword() throws Exception {
    sslServerConfigs.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, new Password("invalid"));
    server = createEchoServer(SecurityProtocol.SSL);
    createSelector(sslClientConfigs);

    String node = "0";
    InetSocketAddress serverAddress = new InetSocketAddress("localhost", server.port());
    selector.connect(node, serverAddress, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.waitForChannelClose(selector, node, ChannelState.State.AUTHENTICATION_FAILED);
    // Zero successful, one failed authentication.
    server.verifyAuthenticationMetrics(0, 1);
}
assertEquals(false, vals.get("h"));
assertEquals(true, vals.get("i"));
// A PASSWORD config parses to a Password equal to one built from the raw string, while its
// toString() is the HIDDEN placeholder, so the secret does not leak via printing.
assertEquals(new Password("password"), vals.get("j"));
assertEquals(Password.HIDDEN, vals.get("j").toString());