This is an automated email from the ASF dual-hosted git repository.
alexey pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/master by this push:
new df4cd8195 jwt: Additional test
df4cd8195 is described below
commit df4cd81953e70af53aa6fee436dbc81db6f1fe96
Author: Zoltan Chovan <zcho...@cloudera.com>
AuthorDate: Thu Sep 29 13:59:26 2022 +0200
jwt: Additional test
* Added JWT scenarios to the negiotiation test
* Updated the security-itest with JWT expiration scenario
* Updated MiniOidc to set expires_at and not_before properties of the
generated JWTs
* Added methods to be able to manually create JWT and JWKS files
Change-Id: I1977c80b70fd9628ac800671f6cf16e9fa96c0f0
Reviewed-on: http://gerrit.cloudera.org:8080/19156
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <ale...@apache.org>
---
src/kudu/integration-tests/security-itest.cc | 28 +-
src/kudu/mini-cluster/external_mini_cluster.cc | 6 +-
src/kudu/rpc/CMakeLists.txt | 4 +-
src/kudu/rpc/negotiation-test.cc | 396 +++++++++++++++++++++++--
src/kudu/rpc/negotiation.cc | 11 +-
src/kudu/rpc/rpc-test-base.h | 1 +
src/kudu/rpc/server_negotiation.cc | 1 -
src/kudu/server/server_base.cc | 2 +-
src/kudu/util/CMakeLists.txt | 19 +-
src/kudu/util/jwt-util-test.cc | 12 +-
src/kudu/util/jwt_test_certs.cc | 46 +++
src/kudu/util/jwt_test_certs.h | 11 +
src/kudu/util/mini_oidc.cc | 57 ++--
src/kudu/util/mini_oidc.h | 6 +-
14 files changed, 519 insertions(+), 81 deletions(-)
diff --git a/src/kudu/integration-tests/security-itest.cc
b/src/kudu/integration-tests/security-itest.cc
index 2d520e1b6..cdc642f18 100644
--- a/src/kudu/integration-tests/security-itest.cc
+++ b/src/kudu/integration-tests/security-itest.cc
@@ -513,28 +513,34 @@ void GetFullBinaryPath(string* binary) {
}
TEST_F(SecurityITest, TestJwtMiniCluster) {
+ SKIP_IF_SLOW_NOT_ALLOWED();
+
cluster_opts_.enable_kerberos = false;
cluster_opts_.num_tablet_servers = 0;
cluster_opts_.enable_client_jwt = true;
MiniOidcOptions oidc_opts;
const auto* const kValidAccount = "valid";
const auto* const kInvalidAccount = "invalid";
+ const uint64_t kLifetimeMs = 1000;
oidc_opts.account_ids = {
{ kValidAccount, true },
{ kInvalidAccount, false },
};
-
+ oidc_opts.lifetime_ms = kLifetimeMs;
cluster_opts_.mini_oidc_options = std::move(oidc_opts);
ASSERT_OK(StartCluster());
const auto* const kSubject = "kudu-user";
- const auto configure_builder_for = [&] (const string& account_id,
KuduClientBuilder* b) {
+ const auto configure_builder_for =
+ [&] (const string& account_id, KuduClientBuilder* b, const uint64_t
delay_ms) {
client::AuthenticationCredentialsPB pb;
security::JwtRawPB jwt = security::JwtRawPB();
- *jwt.mutable_jwt_data() = MiniOidc::CreateJwt(account_id, kSubject, true);
+ *jwt.mutable_jwt_data() = cluster_->oidc()->CreateJwt(account_id,
kSubject, true);
*pb.mutable_jwt() = std::move(jwt);
string creds;
CHECK(pb.SerializeToString(&creds));
+ SleepFor(MonoDelta::FromMilliseconds(delay_ms));
+
for (auto i = 0; i < cluster_->num_masters(); ++i) {
b->add_master_server_addr(cluster_->master(i)->bound_rpc_addr().ToString());
}
@@ -545,7 +551,7 @@ TEST_F(SecurityITest, TestJwtMiniCluster) {
{
KuduClientBuilder valid_builder;
shared_ptr<KuduClient> client;
- configure_builder_for(kValidAccount, &valid_builder);
+ configure_builder_for(kValidAccount, &valid_builder, 0);
ASSERT_OK(valid_builder.Build(&client));
vector<string> tables;
ASSERT_OK(client->ListTables(&tables));
@@ -553,11 +559,19 @@ TEST_F(SecurityITest, TestJwtMiniCluster) {
{
KuduClientBuilder invalid_builder;
shared_ptr<KuduClient> client;
- configure_builder_for(kInvalidAccount, &invalid_builder);
+ configure_builder_for(kInvalidAccount, &invalid_builder, 0);
Status s = invalid_builder.Build(&client);
- ASSERT_FALSE(s.ok()) << s.ToString();
+ ASSERT_TRUE(s.IsRuntimeError());
ASSERT_STR_CONTAINS(s.ToString(), "FATAL_INVALID_JWT");
}
+ {
+ KuduClientBuilder timeout_builder;
+ shared_ptr<KuduClient> client;
+ configure_builder_for(kValidAccount, &timeout_builder, 3 * kLifetimeMs);
+ Status s = timeout_builder.Build(&client);
+ ASSERT_TRUE(s.IsRuntimeError());
+ ASSERT_STR_CONTAINS(s.ToString(), "token expired");
+ }
{
KuduClientBuilder no_jwt_builder;
shared_ptr<KuduClient> client;
@@ -566,7 +580,7 @@ TEST_F(SecurityITest, TestJwtMiniCluster) {
}
no_jwt_builder.require_authentication(true);
Status s = no_jwt_builder.Build(&client);
- ASSERT_FALSE(s.ok()) << s.ToString();
+ ASSERT_TRUE(s. IsNotAuthorized());
ASSERT_STR_CONTAINS(s.ToString(), "Not authorized");
}
}
diff --git a/src/kudu/mini-cluster/external_mini_cluster.cc
b/src/kudu/mini-cluster/external_mini_cluster.cc
index 6db49b86e..948508e35 100644
--- a/src/kudu/mini-cluster/external_mini_cluster.cc
+++ b/src/kudu/mini-cluster/external_mini_cluster.cc
@@ -84,6 +84,10 @@
#include "kudu/util/subprocess.h"
#include "kudu/util/test_util.h"
+namespace kudu {
+class JwtVerifier;
+} // namespace kudu
+
using kudu::client::internal::ConnectToClusterRpc;
#if !defined(NO_CHRONY)
using kudu::clock::MiniChronyd;
@@ -269,7 +273,7 @@ Status ExternalMiniCluster::Start() {
gflags::FlagSaver saver;
FLAGS_dns_addr_resolution_override = dns_overrides_;
- std::shared_ptr<PerAccountKeyBasedJwtVerifier> jwt_verifier = nullptr;
+ std::shared_ptr<JwtVerifier> jwt_verifier = nullptr;
if (opts_.enable_client_jwt) {
oidc_.reset(new MiniOidc(opts_.mini_oidc_options));
RETURN_NOT_OK_PREPEND(oidc_->Start(), "Failed to start OIDC endpoints");
diff --git a/src/kudu/rpc/CMakeLists.txt b/src/kudu/rpc/CMakeLists.txt
index c8d831e64..6fb27b4c3 100644
--- a/src/kudu/rpc/CMakeLists.txt
+++ b/src/kudu/rpc/CMakeLists.txt
@@ -124,7 +124,9 @@ SET_KUDU_TEST_LINK_LIBS(
mini_kdc
rpc_header_proto
rtest_krpc
- security_test_util)
+ security_test_util
+ kudu_jwt_util
+ jwt_test_certs)
ADD_KUDU_TEST(exactly_once_rpc-test PROCESSORS 10)
ADD_KUDU_TEST(mt-rpc-test RUN_SERIAL true)
ADD_KUDU_TEST(negotiation-test)
diff --git a/src/kudu/rpc/negotiation-test.cc b/src/kudu/rpc/negotiation-test.cc
index 58d4b9cbb..9a635d3e8 100644
--- a/src/kudu/rpc/negotiation-test.cc
+++ b/src/kudu/rpc/negotiation-test.cc
@@ -59,9 +59,12 @@
#include "kudu/security/token_signing_key.h"
#include "kudu/security/token_verifier.h"
#include "kudu/util/env.h"
+#include "kudu/util/jwt-util.h"
+#include "kudu/util/jwt_test_certs.h"
#include "kudu/util/monotime.h"
#include "kudu/util/net/sockaddr.h"
#include "kudu/util/net/socket.h"
+#include "kudu/util/path_util.h"
#include "kudu/util/status.h"
#include "kudu/util/subprocess.h"
#include "kudu/util/test_macros.h"
@@ -69,6 +72,10 @@
#include "kudu/util/trace.h"
#include "kudu/util/user.h"
+namespace kudu {
+class JwtVerifier;
+} // namespace kudu
+
// HACK: MIT Kerberos doesn't have any way of determining its version number,
// but the error messages in krb5-1.10 and earlier are broken due to
// a bug: http://krbdev.mit.edu/rt/Ticket/Display.html?id=6973
@@ -121,6 +128,9 @@ struct EndpointConfig {
// For the client, whether the client has the token.
// For the server, whether the server has the TSK.
bool token;
+ // For the client, whether the client has the JWT.
+ // For the server, whether the server has a JWTVerifier
+ bool jwt;
RpcEncryption encryption;
};
std::ostream& operator<<(std::ostream& o, EndpointConfig config) {
@@ -128,6 +138,7 @@ std::ostream& operator<<(std::ostream& o, EndpointConfig
config) {
o << "{pki: " << config.pki
<< ", sasl-mechs: [" << JoinMapped(config.sasl_mechs,
SaslMechanism::name_of, ", ")
<< "], token: " << bool_string(config.token)
+ << ", jwt: " << bool_string(config.jwt)
<< ", encryption: ";
switch (config.encryption) {
@@ -232,6 +243,24 @@ TEST_P(TestNegotiation, TestNegotiation) {
ASSERT_OK(token_verifier.ImportKeys(token_signer.verifier().ExportKeys()));
}
+ // Create JWT token
+ // Create jwt_verifier
+ const string jwks_file_name = "keys.jwks";
+ const string jwt_test_dir = GetTestPath("jwt");
+ const string jwt_data = kudu::CreateTestJWT(true);
+ ASSERT_OK(kudu::CreateTestJWKSFile(jwt_test_dir, jwks_file_name));
+ std::shared_ptr<JwtVerifier> jwt_verifier;
+ if (desc.server.jwt) {
+ jwt_verifier = std::make_shared<kudu::KeyBasedJwtVerifier>(
+ JoinPathSegments(jwt_test_dir, jwks_file_name), /* is_local_file */
true);
+ ASSERT_OK(jwt_verifier-> Init());
+ }
+ optional<security::JwtRawPB> jwt_token;
+ if (desc.client.jwt) {
+ jwt_token = security::JwtRawPB();
+ jwt_token->set_jwt_data(jwt_data);
+ }
+
// Create the listening socket, client socket, and server socket.
Socket listening_socket;
Sockaddr server_addr = Sockaddr::Wildcard();
@@ -254,14 +283,14 @@ TEST_P(TestNegotiation, TestNegotiation) {
ClientNegotiation client_negotiation(std::move(client_socket),
&client_tls_context,
authn_token,
- std::nullopt,
+ jwt_token,
desc.client.encryption,
desc.rpc_encrypt_loopback,
"kudu");
ServerNegotiation server_negotiation(std::move(server_socket),
&server_tls_context,
&token_verifier,
- nullptr,
+ jwt_verifier.get(),
desc.server.encryption,
desc.rpc_encrypt_loopback,
"kudu");
@@ -416,12 +445,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::NONE,
{},
false,
+ false,
RpcEncryption::OPTIONAL,
},
EndpointConfig {
PkiConfig::NONE,
{},
false,
+ false,
RpcEncryption::OPTIONAL,
},
false,
@@ -440,12 +471,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::NONE,
{ SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::OPTIONAL,
},
EndpointConfig {
PkiConfig::NONE,
{},
false,
+ false,
RpcEncryption::OPTIONAL,
},
false,
@@ -464,12 +497,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::NONE,
{ SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::OPTIONAL
},
EndpointConfig {
PkiConfig::NONE,
{ SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::DISABLED,
},
false,
@@ -488,12 +523,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::NONE,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::OPTIONAL,
},
EndpointConfig {
PkiConfig::NONE,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::DISABLED,
},
false,
@@ -512,12 +549,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::NONE,
{ SaslMechanism::GSSAPI, SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::OPTIONAL,
},
EndpointConfig {
PkiConfig::NONE,
{ SaslMechanism::GSSAPI, SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::DISABLED,
},
false,
@@ -536,12 +575,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::NONE,
{ SaslMechanism::GSSAPI, SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::OPTIONAL,
},
EndpointConfig {
PkiConfig::NONE,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::DISABLED,
},
false,
@@ -560,12 +601,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::NONE,
{ SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::OPTIONAL,
},
EndpointConfig {
PkiConfig::NONE,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::DISABLED,
},
false,
@@ -585,12 +628,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::NONE,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::OPTIONAL,
},
EndpointConfig {
PkiConfig::SELF_SIGNED,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::OPTIONAL,
},
false,
@@ -611,12 +656,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::SIGNED,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::OPTIONAL,
},
EndpointConfig {
PkiConfig::SELF_SIGNED,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::OPTIONAL,
},
false,
@@ -635,12 +682,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::NONE,
{ SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::OPTIONAL,
},
EndpointConfig {
PkiConfig::SELF_SIGNED,
{ SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::OPTIONAL,
},
false,
@@ -659,12 +708,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::SIGNED,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::OPTIONAL,
},
EndpointConfig {
PkiConfig::SIGNED,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::OPTIONAL,
},
false,
@@ -683,12 +734,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::TRUSTED,
{ },
true,
+ false,
RpcEncryption::OPTIONAL,
},
EndpointConfig {
PkiConfig::SIGNED,
{ SaslMechanism::PLAIN },
true,
+ false,
RpcEncryption::OPTIONAL,
},
false,
@@ -710,12 +763,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::NONE,
{ SaslMechanism::PLAIN },
true,
+ false,
RpcEncryption::OPTIONAL,
},
EndpointConfig {
PkiConfig::SIGNED,
{ SaslMechanism::PLAIN },
true,
+ false,
RpcEncryption::OPTIONAL,
},
false,
@@ -734,12 +789,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::SIGNED,
{ SaslMechanism::PLAIN, SaslMechanism::GSSAPI },
true,
+ false,
RpcEncryption::OPTIONAL,
},
EndpointConfig {
PkiConfig::SIGNED,
{ SaslMechanism::PLAIN, SaslMechanism::GSSAPI },
true,
+ false,
RpcEncryption::OPTIONAL,
},
false,
@@ -758,12 +815,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::NONE,
{ SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::DISABLED,
},
EndpointConfig {
PkiConfig::SIGNED,
{ SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::REQUIRED,
},
false,
@@ -782,12 +841,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::NONE,
{ SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::REQUIRED,
},
EndpointConfig {
PkiConfig::SIGNED,
{ SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::DISABLED,
},
false,
@@ -806,12 +867,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::EXTERNALLY_SIGNED,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::REQUIRED,
},
EndpointConfig {
PkiConfig::EXTERNALLY_SIGNED,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::REQUIRED,
},
false,
@@ -830,12 +893,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::EXTERNALLY_SIGNED,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::OPTIONAL,
},
EndpointConfig {
PkiConfig::SIGNED,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::REQUIRED,
},
false,
@@ -854,12 +919,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::NONE,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::REQUIRED,
},
EndpointConfig {
PkiConfig::EXTERNALLY_SIGNED,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::REQUIRED,
},
false,
@@ -878,12 +945,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::EXTERNALLY_SIGNED,
{ SaslMechanism::GSSAPI, SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::REQUIRED,
},
EndpointConfig {
PkiConfig::EXTERNALLY_SIGNED,
{ SaslMechanism::PLAIN },
false,
+ false,
RpcEncryption::REQUIRED,
},
false,
@@ -902,12 +971,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::SIGNED,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::DISABLED,
},
EndpointConfig {
PkiConfig::EXTERNALLY_SIGNED,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::REQUIRED,
},
false,
@@ -926,12 +997,14 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
PkiConfig::SIGNED,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::REQUIRED,
},
EndpointConfig {
PkiConfig::EXTERNALLY_SIGNED,
{ SaslMechanism::GSSAPI },
false,
+ false,
RpcEncryption::REQUIRED,
},
false,
@@ -948,16 +1021,18 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
// connection from public routable IP
NegotiationDescriptor {
EndpointConfig {
- PkiConfig::NONE,
- { SaslMechanism::PLAIN },
- false,
- RpcEncryption::OPTIONAL
+ PkiConfig::NONE,
+ { SaslMechanism::PLAIN },
+ false,
+ false,
+ RpcEncryption::OPTIONAL
},
EndpointConfig {
- PkiConfig::NONE,
- { SaslMechanism::PLAIN },
- false,
- RpcEncryption::OPTIONAL
+ PkiConfig::NONE,
+ { SaslMechanism::PLAIN },
+ false,
+ false,
+ RpcEncryption::OPTIONAL
},
true,
false,
@@ -972,27 +1047,274 @@ INSTANTIATE_TEST_SUITE_P(NegotiationCombinations,
// server: GSSAPI, TLS required, externally-signed cert
// connection from public routable IP
NegotiationDescriptor {
- EndpointConfig {
- PkiConfig::EXTERNALLY_SIGNED,
- { SaslMechanism::GSSAPI },
- false,
- RpcEncryption::REQUIRED,
- },
- EndpointConfig {
- PkiConfig::EXTERNALLY_SIGNED,
- { SaslMechanism::GSSAPI },
- false,
- RpcEncryption::REQUIRED,
- },
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { SaslMechanism::GSSAPI },
+ false,
+ false,
+ RpcEncryption::REQUIRED,
+ },
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { SaslMechanism::GSSAPI },
+ false,
+ false,
+ RpcEncryption::REQUIRED,
+ },
+ true,
+ // true as no longer a loopback connection.
+ true,
+ Status::OK(),
+ Status::OK(),
+ AuthenticationType::SASL,
+ SaslMechanism::GSSAPI,
+ true,
+ },
+
+
+ // client: JWT, TLS required
+ // server: JWT, TLS required
+ // connecting with JWT only
+ NegotiationDescriptor {
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { },
+ false,
true,
- // true as no longer a loopback connection.
+ RpcEncryption::REQUIRED
+ },
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { },
+ false,
true,
- Status::OK(),
- Status::OK(),
- AuthenticationType::SASL,
- SaslMechanism::GSSAPI,
+ RpcEncryption::REQUIRED
+ },
+ true,
+ true,
+ Status::OK(),
+ Status::OK(),
+ AuthenticationType::JWT,
+ SaslMechanism::INVALID,
+ true,
+ },
+
+
+ // client: JWT, TLS required, self-signed cert
+ // server: JWT, TLS required, self-signed cert
+ NegotiationDescriptor {
+ EndpointConfig {
+ PkiConfig::SELF_SIGNED,
+ { },
+ false,
true,
- }
+ RpcEncryption::REQUIRED
+ },
+ EndpointConfig {
+ PkiConfig::SELF_SIGNED,
+ { },
+ false,
+ true,
+ RpcEncryption::REQUIRED
+ },
+ true,
+ true,
+ Status::OK(),
+ Status::OK(),
+ AuthenticationType::JWT,
+ SaslMechanism::INVALID,
+ true,
+ },
+
+
+ // client: GSSAPI, JWT, TLS required
+ // server: JWT, TLS required
+ NegotiationDescriptor {
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { SaslMechanism::GSSAPI },
+ false,
+ true,
+ RpcEncryption::REQUIRED
+ },
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { SaslMechanism::PLAIN },
+ false,
+ true,
+ RpcEncryption::REQUIRED
+ },
+ true,
+ true,
+ Status::OK(),
+ Status::OK(),
+ AuthenticationType::JWT,
+ SaslMechanism::INVALID,
+ true,
+ },
+
+
+ // client: JWT, TLS disabled
+ // server: JWT, TLS required
+ NegotiationDescriptor {
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { },
+ false,
+ true,
+ RpcEncryption::DISABLED
+ },
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { },
+ false,
+ true,
+ RpcEncryption::REQUIRED
+ },
+ true,
+ true,
+ Status::NotAuthorized(".*client does not support required TLS
encryption"),
+ Status::NotAuthorized(""),
+ AuthenticationType::JWT,
+ SaslMechanism::INVALID,
+ true,
+ },
+
+
+ // client: GSSAPI, JWT, TLS required
+ // server: JWT, TLS disabled
+ NegotiationDescriptor {
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { SaslMechanism::GSSAPI },
+ false,
+ true,
+ RpcEncryption::REQUIRED
+ },
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { SaslMechanism::PLAIN },
+ false,
+ true,
+ RpcEncryption::DISABLED
+ },
+ true,
+ true,
+ Status::NotAuthorized(".*server does not support required TLS
encryption"),
+ Status::NetworkError(""),
+ AuthenticationType::JWT,
+ SaslMechanism::INVALID,
+ true,
+ },
+
+
+ // client: JWT, TLS required
+ // server: JWT, TLS optional
+ NegotiationDescriptor {
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { },
+ false,
+ true,
+ RpcEncryption::REQUIRED
+ },
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { },
+ false,
+ true,
+ RpcEncryption::OPTIONAL
+ },
+ true,
+ true,
+ Status::OK(),
+ Status::OK(),
+ AuthenticationType::JWT,
+ SaslMechanism::INVALID,
+ true,
+ },
+
+
+ // client: GSSAPI, JWT, TLS optional
+ // server: JWT, TLS required
+ NegotiationDescriptor {
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { SaslMechanism::GSSAPI },
+ false,
+ true,
+ RpcEncryption::OPTIONAL
+ },
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { SaslMechanism::PLAIN },
+ false,
+ true,
+ RpcEncryption::REQUIRED
+ },
+ true,
+ true,
+ Status::OK(),
+ Status::OK(),
+ AuthenticationType::JWT,
+ SaslMechanism::INVALID,
+ true,
+ },
+
+
+ // client: GSSAPI, TLS required
+ // server: GSSAPI, JWT, TLS required
+ NegotiationDescriptor {
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { SaslMechanism::GSSAPI },
+ false,
+ false,
+ RpcEncryption::REQUIRED
+ },
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { SaslMechanism::GSSAPI },
+ false,
+ true,
+ RpcEncryption::OPTIONAL
+ },
+ true,
+ true,
+ Status::OK(),
+ Status::OK(),
+ AuthenticationType::SASL,
+ SaslMechanism::GSSAPI,
+ true,
+ },
+
+
+ // client: GSSAPI, JWT, TLS required
+ // server: GSSAPI, TLS required
+ NegotiationDescriptor {
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { SaslMechanism::GSSAPI },
+ false,
+ true,
+ RpcEncryption::REQUIRED
+ },
+ EndpointConfig {
+ PkiConfig::EXTERNALLY_SIGNED,
+ { SaslMechanism::GSSAPI },
+ false,
+ false,
+ RpcEncryption::REQUIRED
+ },
+ true,
+ true,
+ Status::OK(),
+ Status::OK(),
+ AuthenticationType::SASL,
+ SaslMechanism::GSSAPI,
+ true,
+ }
+
));
// A "Callable" that takes a socket for use with starting a thread.
@@ -1220,8 +1542,15 @@ static void RunTimeoutExpectingServer(unique_ptr<Socket>
socket) {
TlsContext tls_context;
CHECK_OK(tls_context.Init());
TokenVerifier token_verifier;
+ string jwks_file_name = "keys.jwks";
+ string jwt_test_dir = JoinPathSegments(kudu::GetTestDataDirectory(), "jwt");
+ string jwt_data = kudu::CreateTestJWT(true);
+ ASSERT_OK(kudu::CreateTestJWKSFile(jwt_test_dir, jwks_file_name));
+ kudu::KeyBasedJwtVerifier jwt_verifier(
+ JoinPathSegments(jwt_test_dir, jwks_file_name), true);
+ CHECK_OK(jwt_verifier.Init());
ServerNegotiation server_negotiation(std::move(socket), &tls_context,
- &token_verifier, nullptr,
RpcEncryption::OPTIONAL,
+ &token_verifier, &jwt_verifier,
RpcEncryption::OPTIONAL,
/* encrypt_loopback */ false, "kudu");
CHECK_OK(server_negotiation.EnablePlain());
Status s = server_negotiation.Negotiate();
@@ -1254,8 +1583,15 @@ static void
RunTimeoutNegotiationServer(unique_ptr<Socket> socket) {
TlsContext tls_context;
CHECK_OK(tls_context.Init());
TokenVerifier token_verifier;
+ string jwks_file_name = "keys.jwks";
+ string jwt_test_dir = JoinPathSegments(kudu::GetTestDataDirectory(), "jwt");
+ string jwt_data = kudu::CreateTestJWT(true);
+ ASSERT_OK(kudu::CreateTestJWKSFile(jwt_test_dir, jwks_file_name));
+ kudu::KeyBasedJwtVerifier jwt_verifier(
+ JoinPathSegments(jwt_test_dir, jwks_file_name), true);
+ CHECK_OK(jwt_verifier.Init());
ServerNegotiation server_negotiation(std::move(socket), &tls_context,
- &token_verifier, nullptr,
RpcEncryption::OPTIONAL,
+ &token_verifier, &jwt_verifier,
RpcEncryption::OPTIONAL,
/* encrypt_loopback */ false, "kudu");
CHECK_OK(server_negotiation.EnablePlain());
MonoTime deadline = MonoTime::Now() - MonoDelta::FromMilliseconds(100L);
diff --git a/src/kudu/rpc/negotiation.cc b/src/kudu/rpc/negotiation.cc
index 07430c8d9..dd7f7005b 100644
--- a/src/kudu/rpc/negotiation.cc
+++ b/src/kudu/rpc/negotiation.cc
@@ -175,6 +175,7 @@ static Status DoClientNegotiation(Connection* conn,
// Prefer secondary credentials (such as authn token) if permitted by policy.
const auto authn_token = (conn->credentials_policy() ==
CredentialsPolicy::PRIMARY_CREDENTIALS)
? std::nullopt : messenger->authn_token();
+ const auto jwt = messenger->jwt();
ClientNegotiation client_negotiation(conn->release_socket(),
&messenger->tls_context(),
authn_token,
@@ -203,9 +204,10 @@ static Status DoClientNegotiation(Connection* conn,
if (authentication == RpcAuthentication::REQUIRED &&
!authn_token &&
- !messenger->tls_context().has_signed_cert()) {
+ !messenger->tls_context().has_signed_cert() &&
+ !jwt) {
return Status::InvalidArgument(
- "Kerberos, token, or PKI certificate credentials must be provided
in order to "
+ "Kerberos, token, JWT, or PKI certificate credentials must be
provided in order to "
"require authentication for a client");
}
}
@@ -234,6 +236,11 @@ static Status DoClientNegotiation(Connection* conn,
DCHECK(!(!authn_token &&
client_negotiation.negotiated_authn() ==
AuthenticationType::TOKEN));
+ // Sanity check: if no JWT token was supplied as user credentials,
+ // the negotiated authentication type cannot be AuthenticationType::JWT.
+ DCHECK(!(!jwt &&
+ client_negotiation.negotiated_authn() == AuthenticationType::JWT));
+
return Status::OK();
}
diff --git a/src/kudu/rpc/rpc-test-base.h b/src/kudu/rpc/rpc-test-base.h
index 0aa46ceb2..745ece846 100644
--- a/src/kudu/rpc/rpc-test-base.h
+++ b/src/kudu/rpc/rpc-test-base.h
@@ -42,6 +42,7 @@
#include "kudu/util/crc.h"
#include "kudu/util/env.h"
#include "kudu/util/faststring.h"
+#include "kudu/util/jwt.h"
#include "kudu/util/mem_tracker.h"
#include "kudu/util/monotime.h"
#include "kudu/util/net/sockaddr.h"
diff --git a/src/kudu/rpc/server_negotiation.cc
b/src/kudu/rpc/server_negotiation.cc
index f0eb9fef5..91c636595 100644
--- a/src/kudu/rpc/server_negotiation.cc
+++ b/src/kudu/rpc/server_negotiation.cc
@@ -206,7 +206,6 @@ Status ServerNegotiation::Negotiate() {
// Wait until starting negotiation to check that the socket, tls_context, and
// token_verifier are not null, since they do not need to be set for
- // PreflightCheckGSSAPI.
DCHECK(socket_);
DCHECK(tls_context_);
DCHECK(token_verifier_);
diff --git a/src/kudu/server/server_base.cc b/src/kudu/server/server_base.cc
index a20cbfb7e..51045eee0 100644
--- a/src/kudu/server/server_base.cc
+++ b/src/kudu/server/server_base.cc
@@ -797,7 +797,7 @@ Status ServerBase::Init() {
// Create the Messenger.
rpc::MessengerBuilder builder(name_);
- std::shared_ptr<JwtVerifier> jwt_verifier;
+ shared_ptr<JwtVerifier> jwt_verifier = nullptr;
if (FLAGS_enable_jwt_token_auth) {
if (!FLAGS_jwks_url.empty()) {
jwt_verifier =
std::make_shared<PerAccountKeyBasedJwtVerifier>(FLAGS_jwks_url);
diff --git a/src/kudu/util/CMakeLists.txt b/src/kudu/util/CMakeLists.txt
index 51ba95ef1..77e01fe95 100644
--- a/src/kudu/util/CMakeLists.txt
+++ b/src/kudu/util/CMakeLists.txt
@@ -356,19 +356,24 @@ target_link_libraries(kudu_curl_util
#######################################
# mini_oidc
#######################################
-set (MINI_OIDC_SRCS mini_oidc.cc jwt_test_certs.cc)
-add_library(mini_oidc ${MINI_OIDC_SRCS})
+add_library(mini_oidc mini_oidc.cc)
target_link_libraries(mini_oidc
server_process
gutil
kudu_test_util
- kudu_util)
+ kudu_util
+ jwt_test_certs)
+
+#######################################
+# jwt_test_certs
+#######################################
+add_library(jwt_test_certs jwt_test_certs.cc)
+target_link_libraries(jwt_test_certs)
#######################################
# kudu_jwt_util
#######################################
-add_library(kudu_jwt_util
- jwt-util.cc)
+add_library(kudu_jwt_util jwt-util.cc)
target_link_libraries(kudu_jwt_util
gutil
security
@@ -640,9 +645,9 @@ endif()
ADD_KUDU_TEST(jwt-util-test)
if(NOT NO_TESTS)
target_link_libraries(jwt-util-test
- kudu_jwt_util
mini_oidc
- server_process)
+ server_process
+ jwt_test_certs)
endif()
#######################################
diff --git a/src/kudu/util/jwt-util-test.cc b/src/kudu/util/jwt-util-test.cc
index bb7cc2dbe..ddc210f18 100644
--- a/src/kudu/util/jwt-util-test.cc
+++ b/src/kudu/util/jwt-util-test.cc
@@ -952,18 +952,18 @@ TEST(JwtUtilTest, VerifyOIDCDiscoveryEndpoint) {
// Create and verify a token on the happy path.
const string kSubject = "kudu";
auto valid_user_token =
- MiniOidc::CreateJwt(kValidAccount, kSubject, /*is_valid*/true);
+ oidc.CreateJwt(kValidAccount, kSubject, /*is_valid*/true);
string subject;
ASSERT_OK(jwt_verifier.VerifyToken(valid_user_token, &subject));
ASSERT_EQ(kSubject, subject);
// Verify some expected failure scenarios.
const unordered_map<string, string> invalid_jwts {
- { MiniOidc::CreateJwt(kInvalidAccount, kSubject, false), "invalid issuer
with invalid "
+ { oidc.CreateJwt(kInvalidAccount, kSubject, false), "invalid issuer with
invalid "
"subject" },
- { MiniOidc::CreateJwt(kInvalidAccount, kSubject, true), "invalid issuer
with valid subject" },
- { MiniOidc::CreateJwt(kValidAccount, kSubject, false), "valid issuer with
invalid key id" },
- { MiniOidc::CreateJwt(kMissingAccount, kSubject, true), "missing account"
},
+ { oidc.CreateJwt(kInvalidAccount, kSubject, true), "invalid issuer with
valid subject" },
+ { oidc.CreateJwt(kValidAccount, kSubject, false), "valid issuer with
invalid key id" },
+ { oidc.CreateJwt(kMissingAccount, kSubject, true), "missing account" },
};
for (const auto& [jwt, msg] : invalid_jwts) {
@@ -985,7 +985,7 @@ TEST(JwtUtilTest,
VerifyJWKSDiscoveryEndpointMultipleClients) {
{
const string kSubject = "kudu";
auto valid_user_token =
- MiniOidc::CreateJwt(kValidAccount, kSubject, /*is_valid*/true);
+ oidc.CreateJwt(kValidAccount, kSubject, /*is_valid*/true);
string subject;
ASSERT_OK(jwt_verifier.VerifyToken(valid_user_token, &subject));
ASSERT_EQ(kSubject, subject);
diff --git a/src/kudu/util/jwt_test_certs.cc b/src/kudu/util/jwt_test_certs.cc
index 3f1311d0d..b79a1a150 100644
--- a/src/kudu/util/jwt_test_certs.cc
+++ b/src/kudu/util/jwt_test_certs.cc
@@ -16,6 +16,22 @@
// under the License.
#include "kudu/util/jwt_test_certs.h"
+#include <string>
+
+#include <jwt-cpp/jwt.h>
+#include <jwt-cpp/traits/kazuho-picojson/defaults.h>
+#include <jwt-cpp/traits/kazuho-picojson/traits.h>
+
+#include "kudu/gutil/strings/substitute.h"
+#include "kudu/util/env.h"
+#include "kudu/util/path_util.h"
+#include "kudu/util/slice.h"
+#include "kudu/util/status.h"
+
+using strings::Substitute;
+
+namespace kudu {
+
const char* kRsaPrivKeyPem = R"(-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4ZtdaIrd1BPIJ
tfnF0TjIK5inQAXZ3XlCrUlJdP+XHwIRxdv1FsN12XyMYO/6ymLmo9ryoQeIrsXB
@@ -329,3 +345,33 @@ const char* kJwksEcFileFormat = R"(
]
})";
+std::string CreateTestJWT(bool is_valid) {
+ return jwt::create()
+ .set_issuer(Substitute("auth0/$0", "test_account_id"))
+ .set_type("JWT")
+ .set_algorithm("RS256")
+ .set_key_id(is_valid ? kKid1 : kKid2)
+ .set_subject("test_subject")
+ .sign(jwt::algorithm::rs256(kRsaPubKeyPem, kRsaPrivKeyPem, "", ""));
+}
+
+Status CreateTestJWKSFile(const std::string& dir, const std::string&
file_name) {
+ //"keys": [
+ // { "kty": "RSA", "kid": "$0", "alg": "$1", "n": "$2", "e": "$3" },
+ // { "kty": "RSA", "kid": "$4", "alg": "$5", "n": "$6", "e": "$7" }
+ // ]
+ const std::string jwks_content = Substitute(kJwksRsaFileFormat,
+ /* kid */ kKid1,
+ /* alg */ "RS256",
+ /* n */ kRsaPubKeyJwkN,
+ /* e */ kRsaPubKeyJwkE,
+ /* kid */ kKid2,
+ /* alg */ "RS512",
+ /* n */ kRsa512PubKeyJwkN,
+ /* e */ kRsa512PubKeyJwkE);
+ RETURN_NOT_OK(Env::Default()->CreateDir(dir));
+
+ return WriteStringToFile(Env::Default(), jwks_content,
+ JoinPathSegments(dir, file_name));
+}
+} // namespace kudu
diff --git a/src/kudu/util/jwt_test_certs.h b/src/kudu/util/jwt_test_certs.h
index 1c59855f4..67c2a7413 100644
--- a/src/kudu/util/jwt_test_certs.h
+++ b/src/kudu/util/jwt_test_certs.h
@@ -16,6 +16,12 @@
// under the License.
#pragma once
+#include <string>
+
+#include "kudu/util/status.h"
+
+namespace kudu {
+
extern const char* kRsaPrivKeyPem;
extern const char* kRsaPubKeyPem;
// The public keys in JWK format were converted from PEM formatted crypto keys
with
@@ -66,3 +72,8 @@ extern const char* kKid2;
extern const char* kJwksHsFileFormat;
extern const char* kJwksRsaFileFormat;
extern const char* kJwksEcFileFormat;
+
+std::string CreateTestJWT(bool is_valid);
+Status CreateTestJWKSFile(const std::string& dir, const std::string&
file_name);
+
+} // namespace kudu
diff --git a/src/kudu/util/mini_oidc.cc b/src/kudu/util/mini_oidc.cc
index d3e077722..1672f33a5 100644
--- a/src/kudu/util/mini_oidc.cc
+++ b/src/kudu/util/mini_oidc.cc
@@ -16,6 +16,7 @@
// under the License.
#include "kudu/util/mini_oidc.h"
+#include <chrono>
#include <functional>
#include <ostream>
#include <string>
@@ -74,12 +75,12 @@ void OidcDiscoveryHandler(const Webserver::WebRequest& req,
resp->status_code = HttpStatusCode::BadRequest;
return;
}
- resp->output << Substitute(kDiscoveryFormat, *account_id,
- Substitute("$0/$1", jwks_server_url,
*account_id));
+ resp->output << Substitute(
+ kDiscoveryFormat, *account_id, Substitute("$0/$1", jwks_server_url,
*account_id));
resp->status_code = HttpStatusCode::Ok;
}
-} // anonymous namespace
+} // anonymous namespace
MiniOidc::MiniOidc(MiniOidcOptions options) : options_(std::move(options)) {
if (options_.lifetime_ms == 0) {
@@ -102,17 +103,23 @@ Status MiniOidc::Start() {
jwks_server_.reset(new Webserver(jwks_opts));
for (const auto& [account_id, valid] : options_.account_ids) {
- jwks_server_->RegisterPrerenderedPathHandler(Substitute("/jwks/$0",
account_id), account_id,
- [account_id = account_id, valid = valid] (const Webserver::WebRequest&
/*req*/,
-
Webserver::PrerenderedWebResponse* resp) {
+ jwks_server_->RegisterPrerenderedPathHandler(
+ Substitute("/jwks/$0", account_id),
+ account_id,
+ [account_id = account_id, valid = valid](const Webserver::WebRequest&
/*req*/,
+
Webserver::PrerenderedWebResponse* resp) {
// NOTE: 'kKid1' points at a valid key, while 'kKid2' points at an
// invalid key.
- resp->output << Substitute(kJwksRsaFileFormat, kKid1, "RS256",
- valid ? kRsaPubKeyJwkN : kRsaInvalidPubKeyJwkN,
- kRsaPubKeyJwkE, kKid2, "RS256", kRsaInvalidPubKeyJwkN,
kRsaPubKeyJwkE),
- resp->status_code = HttpStatusCode::Ok;
+ resp->output << Substitute(kJwksRsaFileFormat, kKid1,
+ "RS256",
+ valid ? kRsaPubKeyJwkN :
kRsaInvalidPubKeyJwkN,
+ kRsaPubKeyJwkE, kKid2,
+ "RS256",
+ kRsaInvalidPubKeyJwkN, kRsaPubKeyJwkE),
+ resp->status_code = HttpStatusCode::Ok;
},
- /*is_styled*/false, /*is_on_nav_bar*/false);
+ /*is_styled*/ false,
+ /*is_on_nav_bar*/ false);
}
RETURN_NOT_OK(jwks_server_->Start());
vector<Sockaddr> bound_addrs;
@@ -126,13 +133,15 @@ Status MiniOidc::Start() {
oidc_opts.port = 0;
oidc_server_.reset(new Webserver(oidc_opts));
oidc_server_->RegisterPrerenderedPathHandler(
- "/.well-known/openid-configuration", "openid-configuration",
+ "/.well-known/openid-configuration",
+ "openid-configuration",
// Pass the 'accountId' query arguments to return a response that
// points to the JWKS endpoint for the account.
- [jwks_url] (const Webserver::WebRequest& req,
Webserver::PrerenderedWebResponse* resp) {
+ [jwks_url](const Webserver::WebRequest& req,
Webserver::PrerenderedWebResponse* resp) {
OidcDiscoveryHandler(req, resp, jwks_url);
},
- /*is_styled*/false, /*is_on_nav_bar*/false);
+ /*is_styled*/ false,
+ /*is_on_nav_bar*/ false);
RETURN_NOT_OK(oidc_server_->Start());
bound_addrs.clear();
RETURN_NOT_OK(oidc_server_->GetBoundAddresses(&bound_addrs));
@@ -151,13 +160,17 @@ void MiniOidc::Stop() {
}
string MiniOidc::CreateJwt(const string& account_id, const string& subject,
bool is_valid) {
- return jwt::create()
- .set_issuer(Substitute("auth0/$0", account_id))
- .set_type("JWT")
- .set_algorithm("RS256")
- .set_key_id(is_valid ? kKid1 : kKid2)
- .set_subject(subject)
- .sign(jwt::algorithm::rs256(kRsaPubKeyPem, kRsaPrivKeyPem, "", ""));
+ auto lifetime = std::chrono::milliseconds(options_.lifetime_ms);
+
+ return jwt::create()
+ .set_issuer(Substitute("auth0/$0", account_id))
+ .set_type("JWT")
+ .set_algorithm("RS256")
+ .set_key_id(is_valid ? kKid1 : kKid2)
+ .set_subject(subject)
+ .set_not_before(std::chrono::system_clock::now())
+ .set_expires_at(std::chrono::system_clock::now() + lifetime)
+ .sign(jwt::algorithm::rs256(kRsaPubKeyPem, kRsaPrivKeyPem, "", ""));
}
-} // namespace kudu
+} // namespace kudu
diff --git a/src/kudu/util/mini_oidc.h b/src/kudu/util/mini_oidc.h
index 82f09ba35..74dfbfefd 100644
--- a/src/kudu/util/mini_oidc.h
+++ b/src/kudu/util/mini_oidc.h
@@ -74,9 +74,9 @@ class MiniOidc {
// Creates a JWT with the given `account_id` and `subject`. If `is_valid` is
set to false, the
// created token will be invalid.
- static std::string CreateJwt(const std::string& account_id,
- const std::string& subject,
- bool is_valid);
+ std::string CreateJwt(const std::string& account_id,
+ const std::string& subject,
+ bool is_valid);
const std::string& url() const {
return oidc_url_;
}
