MINOR: Few cleanups to JaasContext/Utils classes
Reviewers: Rajini Sivaram <rajinisivaram@googlemail.com>
omkreddy committed Jan 25, 2023
1 parent 68d70cd commit ae22ec1
Showing 3 changed files with 72 additions and 1 deletion.
Expand Up @@ -30,6 +30,11 @@
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import static org.apache.kafka.common.security.JaasUtils.DISALLOWED_LOGIN_MODULES_CONFIG;
import static org.apache.kafka.common.security.JaasUtils.DISALLOWED_LOGIN_MODULES_DEFAULT;

public class JaasContext {

Expand Down Expand Up @@ -91,11 +96,25 @@ static JaasContext load(JaasContext.Type contextType, String listenerContextName
throw new IllegalArgumentException("JAAS config property does not contain any login modules");
else if (contextModules.length != 1)
throw new IllegalArgumentException("JAAS config property contains " + contextModules.length + " login modules, should be 1 module");

throwIfLoginModuleIsNotAllowed(contextModules[0]);
return new JaasContext(globalContextName, contextType, jaasConfig, dynamicJaasConfig);
} else
return defaultContext(contextType, listenerContextName, globalContextName);
}

private static void throwIfLoginModuleIsNotAllowed(AppConfigurationEntry appConfigurationEntry) {
Set<String> disallowedLoginModuleList = Arrays.stream(
System.getProperty(DISALLOWED_LOGIN_MODULES_CONFIG, DISALLOWED_LOGIN_MODULES_DEFAULT).split(","))
.map(String::trim)
.collect(Collectors.toSet());
String loginModuleName = appConfigurationEntry.getLoginModuleName().trim();
if (disallowedLoginModuleList.contains(loginModuleName)) {
throw new IllegalArgumentException(loginModuleName + " is not allowed. Update System property '"
+ DISALLOWED_LOGIN_MODULES_CONFIG + "' to allow " + loginModuleName);
}
}

private static JaasContext defaultContext(JaasContext.Type contextType, String listenerContextName,
String globalContextName) {
String jaasConfigFile = System.getProperty(JaasUtils.JAVA_LOGIN_CONFIG_PARAM);
Expand Down Expand Up @@ -131,6 +150,9 @@ private static JaasContext defaultContext(JaasContext.Type contextType, String l
throw new IllegalArgumentException(errorMessage);
}

for (AppConfigurationEntry appConfigurationEntry : configEntries) {
throwIfLoginModuleIsNotAllowed(appConfigurationEntry);
}
return new JaasContext(contextName, contextType, jaasConfig, null);
}

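Review bot: In `throwIfLoginModuleIsNotAllowed`, `System.getProperty(DISALLOWED_LOGIN_MODULES_CONFIG, DISALLOWED_LOGIN_MODULES_DEFAULT)` uses the default only when the property is absent, so an operator who sets the property to block an additional module silently drops `JndiLoginModule` from the deny-list instead of extending it; that replace-not-extend semantics should be stated on the method, and the `IllegalArgumentException` message ("Update System property ... to allow") currently reads as a hint to relax the check rather than as a security rejection. Matching is also by exact fully-qualified class name after `trim()`, so a subclass or wrapper of a listed module is not covered. Suggested Javadoc above the method: `/** Rejects a login module whose class name appears in the comma-separated system property {@value JaasUtils#DISALLOWED_LOGIN_MODULES_CONFIG}; setting the property replaces (does not extend) the default list, and matching is by exact class name only. */` — the property is re-read on every call, which presumably is intended so a running JVM can be reconfigured, and is worth a one-line comment. The enclosing `load` method starts outside the hunk, and the second hunk of this file shows only the tail of `defaultContext`.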
Expand Up @@ -25,7 +25,8 @@
public final class JaasUtils {
private static final Logger LOG = LoggerFactory.getLogger(JaasUtils.class);
public static final String JAVA_LOGIN_CONFIG_PARAM = "java.security.auth.login.config";

public static final String DISALLOWED_LOGIN_MODULES_CONFIG = "org.apache.kafka.disallowed.login.modules";
public static final String DISALLOWED_LOGIN_MODULES_DEFAULT = "com.sun.security.auth.module.JndiLoginModule";
public static final String SERVICE_NAME = "serviceName";

public static final String ZK_SASL_CLIENT = "zookeeper.sasl.client";
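Review bot: The two new public constants `DISALLOWED_LOGIN_MODULES_CONFIG` and `DISALLOWED_LOGIN_MODULES_DEFAULT` are the only operator-facing documentation of this deny-list but carry no Javadoc. Suggest `/** System property: comma-separated JAAS login module class names rejected when a context is loaded. */` above the first and `/** Default deny-list; setting the property (even to an empty string) replaces it. */` above the second — the empty-string behaviour is exercised by the accompanying test.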
Expand Up @@ -30,6 +30,7 @@
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

import static org.apache.kafka.common.security.JaasUtils.DISALLOWED_LOGIN_MODULES_CONFIG;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
Expand Down Expand Up @@ -61,6 +62,7 @@ public void setUp() throws IOException {
@AfterEach
public void tearDown() throws Exception {
Files.delete(jaasConfigFile.toPath());
System.clearProperty(DISALLOWED_LOGIN_MODULES_CONFIG);
}

@Test
Expand Down Expand Up @@ -180,6 +182,52 @@ public void testInvalidControlFlag() throws Exception {
checkInvalidConfiguration("test.testInvalidControlFlag { option1=3;");
}

@Test
public void testDisallowedLoginModulesSystemProperty() throws Exception {
//test JndiLoginModule is not allowed by default
String jaasConfigProp1 = "com.sun.security.auth.module.JndiLoginModule required;";
assertThrows(IllegalArgumentException.class, () -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp1));

//test ListenerName Override
writeConfiguration(Arrays.asList(
"KafkaServer { test.LoginModuleDefault required; };",
"plaintext.KafkaServer { com.sun.security.auth.module.JndiLoginModule requisite; };"
));
assertThrows(IllegalArgumentException.class, () -> JaasContext.loadServerContext(new ListenerName("plaintext"),
"SOME-MECHANISM", Collections.emptyMap()));

//test org.apache.kafka.disallowed.login.modules system property with multiple modules
System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, " com.ibm.security.auth.module.LdapLoginModule , com.ibm.security.auth.module.Krb5LoginModule ");

String jaasConfigProp2 = "com.ibm.security.auth.module.LdapLoginModule required;";
assertThrows(IllegalArgumentException.class, () -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2));

//test ListenerName Override
writeConfiguration(Arrays.asList(
"KafkaServer { test.LoginModuleDefault required; };",
"plaintext.KafkaServer { com.ibm.security.auth.module.Krb5LoginModule requisite; };"
));
assertThrows(IllegalArgumentException.class, () -> JaasContext.loadServerContext(new ListenerName("plaintext"),
"SOME-MECHANISM", Collections.emptyMap()));


//Remove default value for org.apache.kafka.disallowed.login.modules
System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, "");

checkConfiguration("com.sun.security.auth.module.JndiLoginModule", LoginModuleControlFlag.REQUIRED, new HashMap<>());

//test ListenerName Override
writeConfiguration(Arrays.asList(
"KafkaServer { com.ibm.security.auth.module.LdapLoginModule required; };",
"plaintext.KafkaServer { com.sun.security.auth.module.JndiLoginModule requisite; };"
));
JaasContext context = JaasContext.loadServerContext(new ListenerName("plaintext"),
"SOME-MECHANISM", Collections.emptyMap());
assertEquals(1, context.configurationEntries().size());
checkEntry(context.configurationEntries().get(0), "com.sun.security.auth.module.JndiLoginModule",
LoginModuleControlFlag.REQUISITE, Collections.emptyMap());
}

@Test
public void testNumericOptionWithQuotes() throws Exception {
Map<String, Object> options = new HashMap<>();
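Review bot: `testDisallowedLoginModulesSystemProperty` never pins what happens to the default entry once the property is overridden with the two IBM module names, so the replace-rather-than-extend semantics of the override are untested; add `checkConfiguration("com.sun.security.auth.module.JndiLoginModule", LoginModuleControlFlag.REQUIRED, new HashMap<>());` immediately after the `jaasConfigProp2` assertion (or the opposite `assertThrows` if extension is the intended contract) so a later change to the parsing cannot silently flip it. The test also mutates a JVM-wide system property; `tearDown` clears it, but that presumably rules out running this class concurrently with other `JaasContext` tests in the same JVM, which deserves a comment on the method. None of the `assertThrows` calls inspect the exception, so one assertion that the message names the rejected module would also be cheap.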