5 月之前 · fe64596e8d
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java
@@ -250,7 +250,7 @@ public class ZooKeeperSaslClient {
 
															                     l.startThreadIfNeeded();
														
 
															                 }
														
 
															             }
														
 
															-            return SecurityUtils.createSaslClient(loginRef.get().getSubject(),
														
 
															+            return SecurityUtils.createSaslClient(clientConfig, loginRef.get().getSubject(),
														
 
															                 servicePrincipal, "zookeeper", "zk-sasl-md5", LOG, "Client");
														
 
															         } catch (LoginException e) {
														
 
															             // We throw LoginExceptions...
														
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
@@ -73,7 +73,8 @@ public abstract class X509Util implements Closeable, AutoCloseable {
 
															     private static final Logger LOG = LoggerFactory.getLogger(X509Util.class);
														
 
															     private static final String REJECT_CLIENT_RENEGOTIATION_PROPERTY = "jdk.tls.rejectClientInitiatedRenegotiation";
														
 
															-    private static final String FIPS_MODE_PROPERTY = "zookeeper.fips-mode";
														
 
															+    public static final String FIPS_MODE_PROPERTY = "zookeeper.fips-mode";
														
 
															+    private static final boolean FIPS_MODE_DEFAULT = true;
														
 
															     public static final String TLS_1_1 = "TLSv1.1";
														
 
															     public static final String TLS_1_2 = "TLSv1.2";
														
 
															     public static final String TLS_1_3 = "TLSv1.3";
														
@@ -301,8 +302,8 @@ public abstract class X509Util implements Closeable, AutoCloseable {
 
															         return FIPS_MODE_PROPERTY;
														
 
															     }
														
 
															-    public boolean getFipsMode(ZKConfig config) {
														
 
															-        return config.getBoolean(FIPS_MODE_PROPERTY, true);
														
 
															+    public static boolean getFipsMode(ZKConfig config) {
														
 
															+        return config.getBoolean(FIPS_MODE_PROPERTY, FIPS_MODE_DEFAULT);
														
 
															     }
														
 
															     public boolean isServerHostnameVerificationEnabled(ZKConfig config) {
														
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
@@ -106,7 +106,7 @@ public class X509AuthenticationProvider implements AuthenticationProvider {
 
															                     x509Util.getSslTruststorePasswdProperty(),
														
 
															                     x509Util.getSslTruststorePasswdPathProperty());
														
 
															             String trustStoreTypeProp = config.getProperty(x509Util.getSslTruststoreTypeProperty());
														
 
															-            boolean fipsMode = x509Util.getFipsMode(config);
														
 
															+            boolean fipsMode = X509Util.getFipsMode(config);
														
 
															             if (trustStoreLocation.isEmpty()) {
														
 
															                 LOG.warn("Truststore not specified for client connection");
														
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java
@@ -94,6 +94,7 @@ public class SaslQuorumAuthLearner implements QuorumAuthLearner {
 
															             DataInputStream din = new DataInputStream(sock.getInputStream());
														
 
															             byte[] responseToken = new byte[0];
														
 
															             sc = SecurityUtils.createSaslClient(
														
 
															+                new ZKConfig(),
														
 
															                 learnerLogin.getSubject(),
														
 
															                 principalConfig,
														
 
															                 QuorumAuth.QUORUM_SERVER_PROTOCOL_NAME,
														
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
@@ -28,6 +28,8 @@ import javax.security.sasl.SaslClient;
 
															 import javax.security.sasl.SaslException;
														
 
															 import javax.security.sasl.SaslServer;
														
 
															 import org.apache.zookeeper.SaslClientCallbackHandler;
														
 
															+import org.apache.zookeeper.common.X509Util;
														
 
															+import org.apache.zookeeper.common.ZKConfig;
														
 
															 import org.apache.zookeeper.server.auth.KerberosName;
														
 
															 import org.ietf.jgss.GSSContext;
														
 
															 import org.ietf.jgss.GSSCredential;
														
@@ -55,6 +57,7 @@ public final class SecurityUtils {
 
															      * @throws SaslException
														
 
															      */
														
 
															     public static SaslClient createSaslClient(
														
 
															+        ZKConfig config,
														
 
															         final Subject subject,
														
 
															         final String servicePrincipal,
														
 
															         final String protocol,
														
@@ -67,6 +70,11 @@ public final class SecurityUtils {
 
															         if (subject.getPrincipals().isEmpty()) {
														
 
															             // no principals: must not be GSSAPI: use DIGEST-MD5 mechanism
														
 
															             // instead.
														
 
															+            // FIPS-mode: don't try DIGEST-MD5, just return error
														
 
															+            if (X509Util.getFipsMode(config)) {
														
 
															+                LOG.warn("{} will not use DIGEST-MD5 as SASL mechanism, because FIPS mode is enabled.", entity);
														
 
															+                return null;
														
 
															+            }
														
 
															             LOG.info("{} will use DIGEST-MD5 as SASL mechanism.", entity);
														
 
															             String[] mechs = {"DIGEST-MD5"};
														
 
															             String username = (String) (subject.getPublicCredentials().toArray()[0]);
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/SaslAuthTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/SaslAuthTest.java
@@ -39,12 +39,12 @@ import org.apache.zookeeper.ZooDefs.Ids;
 
															 import org.apache.zookeeper.client.ZooKeeperSaslClient;
														
 
															 import org.apache.zookeeper.data.ACL;
														
 
															 import org.apache.zookeeper.data.Id;
														
 
															-import org.apache.zookeeper.test.ClientBase;
														
 
															+import org.apache.zookeeper.test.SaslAuthDigestTestBase;
														
 
															 import org.junit.jupiter.api.AfterAll;
														
 
															 import org.junit.jupiter.api.BeforeAll;
														
 
															 import org.junit.jupiter.api.Test;
														
 
															-public class SaslAuthTest extends ClientBase {
														
 
															+public class SaslAuthTest extends SaslAuthDigestTestBase {
														
 
															     @BeforeAll
														
 
															     public static void init() {
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/server/embedded/ZookeeperServerClusterMutualAuthTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/server/embedded/ZookeeperServerClusterMutualAuthTest.java
@@ -26,6 +26,7 @@ import java.nio.file.Path;
 
															 import java.util.Properties;
														
 
															 import javax.security.auth.login.Configuration;
														
 
															 import org.apache.zookeeper.PortAssignment;
														
 
															+import org.apache.zookeeper.common.X509Util;
														
 
															 import org.apache.zookeeper.test.ClientBase;
														
 
															 import org.junit.jupiter.api.AfterAll;
														
 
															 import org.junit.jupiter.api.BeforeAll;
														
@@ -39,6 +40,8 @@ public class ZookeeperServerClusterMutualAuthTest {
 
															     @BeforeAll
														
 
															     public static void setUpEnvironment() {
														
 
															+        // Need to disable Fips-mode, because we use DIGEST-MD5 mech for Sasl
														
 
															+        System.setProperty(X509Util.FIPS_MODE_PROPERTY, "false");
														
 
															         System.setProperty("java.security.auth.login.config", new File("src/test/resources/embedded/test_jaas_server_auth.conf")
														
 
															                 .getAbsolutePath());
														
 
															         Configuration.getConfiguration().refresh();
														
@@ -52,6 +55,7 @@ public class ZookeeperServerClusterMutualAuthTest {
 
															         System.clearProperty("zookeeper.4lw.commands.whitelist");
														
 
															         System.clearProperty("java.security.auth.login.config");
														
 
															         Configuration.getConfiguration().refresh();
														
 
															+        System.clearProperty(X509Util.FIPS_MODE_PROPERTY);
														
 
															     }
														
 
															     @TempDir
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/DigestSecurityTestcase.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/DigestSecurityTestcase.java
@@ -0,0 +1,44 @@
 
															+/*
														
 
															+ * Licensed to the Apache Software Foundation (ASF) under one
														
 
															+ * or more contributor license agreements.  See the NOTICE file
														
 
															+ * distributed with this work for additional information
														
 
															+ * regarding copyright ownership.  The ASF licenses this file
														
 
															+ * to you under the Apache License, Version 2.0 (the
														
 
															+ * "License"); you may not use this file except in compliance
														
 
															+ * with the License.  You may obtain a copy of the License at
														
 
															+ *
														
 
															+ *     http://www.apache.org/licenses/LICENSE-2.0
														
 
															+ *
														
 
															+ * Unless required by applicable law or agreed to in writing, software
														
 
															+ * distributed under the License is distributed on an "AS IS" BASIS,
														
 
															+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
														
 
															+ * See the License for the specific language governing permissions and
														
 
															+ * limitations under the License.
														
 
															+ */
														
 
															+
														
 
															+package org.apache.zookeeper.server.quorum.auth;
														
 
															+
														
 
															+import org.apache.zookeeper.common.X509Util;
														
 
															+import org.apache.zookeeper.test.SaslAuthDigestTestBase;
														
 
															+import org.junit.jupiter.api.AfterAll;
														
 
															+import org.junit.jupiter.api.BeforeAll;
														
 
															+
														
 
															+/**
														
 
															+ * Created for test cases which use Digest Auth mech for SASL.
														
 
															+ * Primary reason is that we have to disable FIPS mode, otherwise DIGEST-MD5 cannot be used.
														
 
															+ *
														
 
															+ * @see SaslAuthDigestTestBase
														
 
															+ */
														
 
															+public class DigestSecurityTestcase extends QuorumAuthTestBase {
														
 
															+
														
 
															+  @BeforeAll
														
 
															+  public static void setUpClass() throws Exception {
														
 
															+    // Need to disable Fips-mode, because we use DIGEST-MD5 mech for Sasl
														
 
															+    System.setProperty(X509Util.FIPS_MODE_PROPERTY, "false");
														
 
															+  }
														
 
															+
														
 
															+  @AfterAll
														
 
															+  public static void tearDownClass() throws Exception {
														
 
															+    System.clearProperty(X509Util.FIPS_MODE_PROPERTY);
														
 
															+  }
														
 
															+}
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumAuthUpgradeTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumAuthUpgradeTest.java
@@ -52,7 +52,7 @@ import org.junit.jupiter.api.Timeout;
 
															  * quorum.auth.enableSasl=true, quorum.auth.learnerRequireSasl=true and quorum.auth.serverRequireSasl=true
														
 
															  * Now, all the servers are fully upgraded and running in secured mode.
														
 
															  */
														
 
															-public class QuorumAuthUpgradeTest extends QuorumAuthTestBase {
														
 
															+public class QuorumAuthUpgradeTest extends DigestSecurityTestcase {
														
 
															     static {
														
 
															         String jaasEntries = "QuorumServer {\n"
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
@@ -39,7 +39,7 @@ import org.junit.jupiter.api.AfterEach;
 
															 import org.junit.jupiter.api.Test;
														
 
															 import org.junit.jupiter.api.Timeout;
														
 
															-public class QuorumDigestAuthTest extends QuorumAuthTestBase {
														
 
															+public class QuorumDigestAuthTest extends DigestSecurityTestcase {
														
 
															     static {
														
 
															         String jaasEntries = "QuorumServer {\n"
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java
@@ -40,7 +40,7 @@ import org.apache.zookeeper.data.ACL;
 
															 import org.apache.zookeeper.data.Id;
														
 
															 import org.junit.jupiter.api.Test;
														
 
															-public class SaslAuthDesignatedClientTest extends ClientBase {
														
 
															+public class SaslAuthDesignatedClientTest extends SaslAuthDigestTestBase {
														
 
															     static {
														
 
															         System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDesignatedServerTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDesignatedServerTest.java
@@ -33,7 +33,7 @@ import org.apache.zookeeper.ZooKeeper;
 
															 import org.apache.zookeeper.server.ZooKeeperSaslServer;
														
 
															 import org.junit.jupiter.api.Test;
														
 
															-public class SaslAuthDesignatedServerTest extends ClientBase {
														
 
															+public class SaslAuthDesignatedServerTest extends SaslAuthDigestTestBase {
														
 
															     public static int AUTHENTICATION_TIMEOUT = 30000;
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDigestTestBase.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDigestTestBase.java
@@ -0,0 +1,44 @@
 
															+/*
														
 
															+ * Licensed to the Apache Software Foundation (ASF) under one
														
 
															+ * or more contributor license agreements.  See the NOTICE file
														
 
															+ * distributed with this work for additional information
														
 
															+ * regarding copyright ownership.  The ASF licenses this file
														
 
															+ * to you under the Apache License, Version 2.0 (the
														
 
															+ * "License"); you may not use this file except in compliance
														
 
															+ * with the License.  You may obtain a copy of the License at
														
 
															+ *
														
 
															+ *     http://www.apache.org/licenses/LICENSE-2.0
														
 
															+ *
														
 
															+ * Unless required by applicable law or agreed to in writing, software
														
 
															+ * distributed under the License is distributed on an "AS IS" BASIS,
														
 
															+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
														
 
															+ * See the License for the specific language governing permissions and
														
 
															+ * limitations under the License.
														
 
															+ */
														
 
															+
														
 
															+package org.apache.zookeeper.test;
														
 
															+
														
 
															+import org.apache.zookeeper.common.X509Util;
														
 
															+import org.junit.jupiter.api.AfterAll;
														
 
															+import org.junit.jupiter.api.BeforeAll;
														
 
															+
														
 
															+/**
														
 
															+ * Created as a base class for Digest Auth based SASL authentication tests.
														
 
															+ * We need to disable Fips mode, otherwise DIGEST-MD5 cannot be used.
														
 
															+ *
														
 
															+ * @see org.apache.zookeeper.server.quorum.auth.DigestSecurityTestcase
														
 
															+ */
														
 
															+public class SaslAuthDigestTestBase extends ClientBase {
														
 
															+
														
 
															+  @BeforeAll
														
 
															+  public static void beforeClass() throws Exception {
														
 
															+    // Need to disable Fips-mode, because we use DIGEST-MD5 mech for Sasl
														
 
															+    System.setProperty(X509Util.FIPS_MODE_PROPERTY, "false");
														
 
															+  }
														
 
															+
														
 
															+  @AfterAll
														
 
															+  public static void afterClass() throws Exception {
														
 
															+    System.clearProperty(X509Util.FIPS_MODE_PROPERTY);
														
 
															+  }
														
 
															+
														
 
															+}
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthFailDesignatedClientTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthFailDesignatedClientTest.java
@@ -30,7 +30,7 @@ import org.apache.zookeeper.ZooDefs.Ids;
 
															 import org.apache.zookeeper.client.ZKClientConfig;
														
 
															 import org.junit.jupiter.api.Test;
														
 
															-public class SaslAuthFailDesignatedClientTest extends ClientBase {
														
 
															+public class SaslAuthFailDesignatedClientTest extends SaslAuthDigestTestBase {
														
 
															     static {
														
 
															         System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthFailTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthFailTest.java
@@ -30,7 +30,7 @@ import org.apache.zookeeper.ZooDefs.Ids;
 
															 import org.apache.zookeeper.ZooKeeper;
														
 
															 import org.junit.jupiter.api.Test;
														
 
															-public class SaslAuthFailTest extends ClientBase {
														
 
															+public class SaslAuthFailTest extends SaslAuthDigestTestBase {
														
 
															     static {
														
 
															         System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthMissingClientConfigTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthMissingClientConfigTest.java
@@ -29,7 +29,7 @@ import org.apache.zookeeper.ZooKeeper;
 
															 import org.apache.zookeeper.client.ZKClientConfig;
														
 
															 import org.junit.jupiter.api.Test;
														
 
															-public class SaslAuthMissingClientConfigTest extends ClientBase {
														
 
															+public class SaslAuthMissingClientConfigTest extends SaslAuthDigestTestBase {
														
 
															     static {
														
 
															         System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailNoSASLTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailNoSASLTest.java
@@ -28,7 +28,7 @@ import org.junit.jupiter.api.AfterAll;
 
															 import org.junit.jupiter.api.BeforeAll;
														
 
															 import org.junit.jupiter.api.Test;
														
 
															-public class SaslAuthRequiredFailNoSASLTest extends ClientBase {
														
 
															+public class SaslAuthRequiredFailNoSASLTest extends SaslAuthDigestTestBase {
														
 
															     @BeforeAll
														
 
															     public static void setup() {
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailWrongSASLTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailWrongSASLTest.java
@@ -28,7 +28,7 @@ import org.junit.jupiter.api.AfterAll;
 
															 import org.junit.jupiter.api.BeforeAll;
														
 
															 import org.junit.jupiter.api.Test;
														
 
															-public class SaslAuthRequiredFailWrongSASLTest extends ClientBase {
														
 
															+public class SaslAuthRequiredFailWrongSASLTest extends SaslAuthDigestTestBase {
														
 
															     @BeforeAll
														
 
															     public static void setUpBeforeClass() {
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredMultiClientTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredMultiClientTest.java
@@ -29,7 +29,7 @@ import org.junit.jupiter.api.AfterAll;
 
															 import org.junit.jupiter.api.BeforeAll;
														
 
															 import org.junit.jupiter.api.Test;
														
 
															-public class SaslAuthRequiredMultiClientTest extends ClientBase {
														
 
															+public class SaslAuthRequiredMultiClientTest extends SaslAuthDigestTestBase {
														
 
															     @BeforeAll
														
 
															     public static void setUpBeforeClass() {
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredTest.java
@@ -27,7 +27,7 @@ import org.junit.jupiter.api.AfterAll;
 
															 import org.junit.jupiter.api.BeforeAll;
														
 
															 import org.junit.jupiter.api.Test;
														
 
															-public class SaslAuthRequiredTest extends ClientBase {
														
 
															+public class SaslAuthRequiredTest extends SaslAuthDigestTestBase {
														
 
															     @BeforeAll
														
 
															     public static void setUpBeforeClass() {
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslDigestAuthOverSSLTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslDigestAuthOverSSLTest.java
@@ -41,7 +41,7 @@ import org.junit.jupiter.api.BeforeEach;
 
															 import org.junit.jupiter.api.Test;
														
 
															-public class SaslDigestAuthOverSSLTest extends ClientBase {
														
 
															+public class SaslDigestAuthOverSSLTest extends SaslAuthDigestTestBase {
														
 
															     private ClientX509Util clientX509Util;
														
 
															     private File saslConfFile;
														
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslSuperUserTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslSuperUserTest.java
@@ -39,7 +39,7 @@ import org.junit.jupiter.api.AfterAll;
 
															 import org.junit.jupiter.api.BeforeAll;
														
 
															 import org.junit.jupiter.api.Test;
														
 
															-public class SaslSuperUserTest extends ClientBase {
														
 
															+public class SaslSuperUserTest extends SaslAuthDigestTestBase {
														
 
															     private static Id otherSaslUser = new Id("sasl", "joe");
														
 
															     private static Id otherDigestUser;