[PDI-14988] - Add option to disable interactive GSSAPI authentication

- changed gssapi auth to be enabled depending on -D parameter
- added/fixed unit tests

engine/src/org/pentaho/di/job/entries/sftp/SFTPClient.java

@@ -59,6 +59,14 @@ public class SFTPClient {
   public static final String SOCKS5_DEFAULT_PORT = "1080";
   public static final int SSH_DEFAULT_PORT = 22;
 
+  // -D parameter telling whether we should use GSSAPI authentication or not
+  static final String ENV_PARAM_USERAUTH_GSSAPI = "userauth.gssapi.enabled";
+
+  private static final String PREFERRED_AUTH_CONFIG_NAME = "PreferredAuthentications";
+  private static final String PREFERRED_AUTH_DEFAULT = "publickey,keyboard-interactive,password";
+  // adding GSSAPI to be the last one
+  private static final String PREFERRED_AUTH_WITH_GSSAPI = PREFERRED_AUTH_DEFAULT + ",gssapi-with-mic";
+
   private InetAddress serverIP;
   private int serverPort;
   private String userName;
@@ -145,7 +153,7 @@ public SFTPClient( InetAddress serverIP, int serverPort, String userName, String
           passphrasebytes ); // byte[] passPhrase
       }
       s = jsch.getSession( userName, serverIP.getHostAddress(), serverPort );
-      s.setConfig( "PreferredAuthentications", "publickey,keyboard-interactive,password,gssapi-with-mic" );
+      s.setConfig( PREFERRED_AUTH_CONFIG_NAME, getPreferredAuthentications() );
     } catch ( IOException e ) {
       throw new KettleJobException( e );
     } catch ( KettleFileException e ) {
@@ -433,4 +441,12 @@ public String getCompression() {
   JSch createJSch() {
     return new JSch();
   }
+
+  /**
+   * Whether we should use GSSAPI when authenticating or not.
+   */
+  private String getPreferredAuthentications() {
+    String param = Const.getEnvironmentVariable( ENV_PARAM_USERAUTH_GSSAPI, null );
+    return Boolean.valueOf( param ) ? PREFERRED_AUTH_WITH_GSSAPI : PREFERRED_AUTH_DEFAULT;
+  }
 }

engine/test-src/org/pentaho/di/job/entries/sftp/SFTPClientTest.java

@@ -23,7 +23,10 @@
 package org.pentaho.di.job.entries.sftp;
 
 import com.jcraft.jsch.JSch;
+import com.jcraft.jsch.JSchException;
 import com.jcraft.jsch.Session;
+import org.junit.After;
+import org.junit.Before;
 import org.junit.Test;
 
 import java.net.InetAddress;
@@ -34,22 +37,60 @@
 
 public class SFTPClientTest {
 
+  private int serverPort;
+  private String userName;
+  private Session session;
+  private InetAddress server;
+  private JSch jSch;
+
+  @Before
+  public void setUp() throws JSchException {
+    System.clearProperty( SFTPClient.ENV_PARAM_USERAUTH_GSSAPI );
+
+    String serverIp = "serverIp";
+    serverPort = 1;
+    userName = "userName";
+    session = mock( Session.class );
+    server = mock( InetAddress.class );
+    when( server.getHostAddress() ).thenReturn( serverIp );
+    jSch = mock( JSch.class );
+    when( jSch.getSession( userName, serverIp, serverPort ) ).thenReturn( session );
+  }
+
+  @After
+  public void tearDown() {
+    System.clearProperty( SFTPClient.ENV_PARAM_USERAUTH_GSSAPI );
+  }
+
   /**
-   * Given SFTP connection configuration.
+   * Given SFTP connection configuration, and -Duserauth.gssapi.enabled param was NOT passed on application start.
    * <br/>
-   * When SFTP Client is instantiated, then default preferred authentications list should be reordered,
-   * particularly, GSS API Authentication should be the last one.
+   * When SFTP Client is instantiated, then preferred authentications list should not contain
+   * GSS API Authentication.
    */
   @Test
-  public void shouldReorderDefaultPreferredAuthenticationsList() throws Exception {
-    String serverIp = "serverIp";
-    int serverPort = 1;
-    String userName = "userName";
-    Session session = mock( Session.class );
-    InetAddress server = mock( InetAddress.class );
-    final JSch jSch = mock( JSch.class );
-    when( server.getHostAddress() ).thenReturn( serverIp );
-    when( jSch.getSession( userName, serverIp, serverPort ) ).thenReturn( session );
+  public void shouldExcludeGssapiFromPreferredAuthenticationsByDefault() throws Exception {
+    new SFTPClient( server, serverPort, userName ) {
+      @Override
+      JSch createJSch() {
+        return jSch;
+      }
+    };
+
+    verify( session )
+      .setConfig( "PreferredAuthentications", "publickey,keyboard-interactive,password" );
+  }
+
+  /**
+   * Given SFTP connection configuration, and -Duserauth.gssapi.enabled param
+   * was passed on application start with correct value.
+   * <br/>
+   * When SFTP Client is instantiated, then preferred authentications list should contain
+   * GSS API Authentication as the last one.
+   */
+  @Test
+  public void shouldIncludeGssapiToPreferredAuthenticationsIfSpecified() throws Exception {
+    System.setProperty( SFTPClient.ENV_PARAM_USERAUTH_GSSAPI, "true" );
 
     new SFTPClient( server, serverPort, userName ) {
       @Override
@@ -61,4 +102,26 @@ JSch createJSch() {
     verify( session )
       .setConfig( "PreferredAuthentications", "publickey,keyboard-interactive,password,gssapi-with-mic" );
   }
+
+  /**
+   * Given SFTP connection configuration, and -Duserauth.gssapi.enabled param
+   * was passed on application start with incorrect value.
+   * <br/>
+   * When SFTP Client is instantiated, then preferred authentications list should not contain
+   * GSS API Authentication.
+   */
+  @Test
+  public void shouldIncludeGssapiToPreferredAuthenticationsIfOnlySpecifiedCorrectly() throws Exception {
+    System.setProperty( SFTPClient.ENV_PARAM_USERAUTH_GSSAPI, "yes" );
+
+    new SFTPClient( server, serverPort, userName ) {
+      @Override
+      JSch createJSch() {
+        return jSch;
+      }
+    };
+
+    verify( session )
+      .setConfig( "PreferredAuthentications", "publickey,keyboard-interactive,password" );
+  }
 }