Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KAFKA-18064: SASL mechanisms that do support neihter integrity nor co… #17901

Open
wants to merge 2 commits into
base: trunk
Choose a base branch
from
Open

KAFKA-18064: SASL mechanisms that do support neihter integrity nor co… #17901

wants to merge 2 commits into from

Conversation

stoty
Copy link

@stoty stoty commented Nov 21, 2024

…nfidentality should throw exception on wrap/unwrap

The current implementation does not implement wrap/unwrap correctly.
This may cause security issues, if the code using the mechanisms does
not check for QOP correctly.

No testing done, if this breaks something, then calling code must be fixed.

Committer Checklist (excluded from commit message)

  • Verify design and implementation
  • Verify test coverage and CI build status
  • Verify documentation (including upgrade notes)

@github-actions github-actions bot added clients small Small PRs labels Nov 21, 2024
gaurav-narula
gaurav-narula reviewed Nov 21, 2024
View reviewed changes
Copy link
Collaborator

@gaurav-narula gaurav-narula left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR! Left some comments

.../main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient.java Outdated
if (!isComplete())
throw new IllegalStateException("Authentication exchange has not completed");
return Arrays.copyOfRange(incoming, offset, offset + len);
throw new IllegalStateException("Mechanism does not support integrity nor confidentality");
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we perhaps alter the message within IllegalStateException depending on whether the authentication is completed or not and add the name of the mechanism as well? Similar to how the JDK implementation does it for PlainClient

Copy link
Author

@stoty stoty Nov 22, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, re-written to match the JDK behaviour and be more consistent with the existing code.

.../main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient.java Outdated
if (!isComplete())
throw new IllegalStateException("Authentication exchange has not completed");
return Arrays.copyOfRange(outgoing, offset, offset + len);
throw new IllegalStateException("Mechanism does not support integrity nor confidentality");
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you missed the change in OAuthBearerSaslServer

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, fixed.

gaurav-narula
gaurav-narula approved these changes Nov 22, 2024
View reviewed changes
Copy link
Collaborator

@gaurav-narula gaurav-narula left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gaurav-narula gaurav-narula gaurav-narula approved these changes

@rajinisivaram rajinisivaram Awaiting requested review from rajinisivaram

Assignees
No one assigned
Labels
clients small Small PRs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@stoty @gaurav-narula