mockkerberos.go 4.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123
  1. package sarama
  2. import (
  3. "encoding/binary"
  4. "encoding/hex"
  5. "gopkg.in/jcmturner/gokrb5.v7/credentials"
  6. "gopkg.in/jcmturner/gokrb5.v7/gssapi"
  7. "gopkg.in/jcmturner/gokrb5.v7/iana/keyusage"
  8. "gopkg.in/jcmturner/gokrb5.v7/messages"
  9. "gopkg.in/jcmturner/gokrb5.v7/types"
  10. )
  11. type KafkaGSSAPIHandler struct {
  12. client *MockKerberosClient
  13. badResponse bool
  14. badKeyChecksum bool
  15. }
  16. func (h *KafkaGSSAPIHandler) MockKafkaGSSAPI(buffer []byte) []byte {
  17. // Default payload used for verify
  18. err := h.client.Login() // Mock client construct keys when login
  19. if err != nil {
  20. return nil
  21. }
  22. if h.badResponse { // Returns trash
  23. return []byte{0x00, 0x00, 0x00, 0x01, 0xAD}
  24. }
  25. var pack = gssapi.WrapToken{
  26. Flags: KRB5_USER_AUTH,
  27. EC: 12,
  28. RRC: 0,
  29. SndSeqNum: 3398292281,
  30. Payload: []byte{0x11, 0x00}, // 1100
  31. }
  32. // Compute checksum
  33. if h.badKeyChecksum {
  34. pack.CheckSum = []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}
  35. } else {
  36. err = pack.SetCheckSum(h.client.ASRep.DecryptedEncPart.Key, keyusage.GSSAPI_ACCEPTOR_SEAL)
  37. if err != nil {
  38. return nil
  39. }
  40. }
  41. packBytes, err := pack.Marshal()
  42. if err != nil {
  43. return nil
  44. }
  45. lenBytes := len(packBytes)
  46. response := make([]byte, lenBytes+4)
  47. copy(response[4:], packBytes)
  48. binary.BigEndian.PutUint32(response, uint32(lenBytes))
  49. return response
  50. }
  51. type MockKerberosClient struct {
  52. asReqBytes string
  53. asRepBytes string
  54. ASRep messages.ASRep
  55. credentials *credentials.Credentials
  56. mockError error
  57. errorStage string
  58. }
  59. func (c *MockKerberosClient) Login() error {
  60. if c.errorStage == "login" && c.mockError != nil {
  61. return c.mockError
  62. }
  63. c.asRepBytes = "6b8202e9308202e5a003020105a10302010ba22b30293027a103020113a220041e301c301aa003020112a1131b114" +
  64. "558414d504c452e434f4d636c69656e74a30d1b0b4558414d504c452e434f4da4133011a003020101a10a30081b06636c69656e7" +
  65. "4a5820156618201523082014ea003020105a10d1b0b4558414d504c452e434f4da220301ea003020102a11730151b066b7262746" +
  66. "7741b0b4558414d504c452e434f4da382011430820110a003020112a103020101a28201020481ffdb9891175d106818e61008c51" +
  67. "d0b3462bca92f3bf9d4cfa82de4c4d7aff9994ec87c573e3a3d54dcb2bb79618c76f2bf4a3d006f90d5bdbd049bc18f48be39203" +
  68. "549ca02acaf63f292b12404f9b74c34b83687119d8f56552ccc0c50ebee2a53bb114c1b4619bb1d5d31f0f49b4d40a08a9b4c046" +
  69. "2e1398d0b648be1c0e50c552ad16e1d8d8e74263dd0bf0ec591e4797dfd40a9a1be4ae830d03a306e053fd7586fef84ffc5e4a83" +
  70. "7c3122bf3e6a40fe87e84019f6283634461b955712b44a5f7386c278bff94ec2c2dc0403247e29c2450e853471ceababf9b8911f" +
  71. "997f2e3010b046d2c49eb438afb0f4c210821e80d4ffa4c9521eb895dcd68610b3feaa682012c30820128a003020112a282011f0" +
  72. "482011bce73cbce3f1dd17661c412005f0f2257c756fe8e98ff97e6ec24b7bab66e5fd3a3827aeeae4757af0c6e892948122d8b2" +
  73. "03c8df48df0ef5d142d0e416d688f11daa0fcd63d96bdd431d02b8e951c664eeff286a2be62383d274a04016d5f0e141da58cb86" +
  74. "331de64063062f4f885e8e9ce5b181ca2fdc67897c5995e0ae1ae0c171a64493ff7bd91bc6d89cd4fce1e2b3ea0a10e34b0d5eda" +
  75. "aa38ee727b50c5632ed1d2f2b457908e616178d0d80b72af209fb8ac9dbaa1768fa45931392b36b6d8c12400f8ded2efaa0654d0" +
  76. "da1db966e8b5aab4706c800f95d559664646041fdb38b411c62fc0fbe0d25083a28562b0e1c8df16e62e9d5626b0addee489835f" +
  77. "eedb0f26c05baa596b69b17f47920aa64b29dc77cfcc97ba47885"
  78. apRepBytes, err := hex.DecodeString(c.asRepBytes)
  79. if err != nil {
  80. return err
  81. }
  82. err = c.ASRep.Unmarshal(apRepBytes)
  83. if err != nil {
  84. return err
  85. }
  86. c.credentials = credentials.New("client", "EXAMPLE.COM").WithPassword("qwerty")
  87. _, err = c.ASRep.DecryptEncPart(c.credentials)
  88. if err != nil {
  89. return err
  90. }
  91. return nil
  92. }
  93. func (c *MockKerberosClient) GetServiceTicket(spn string) (messages.Ticket, types.EncryptionKey, error) {
  94. if c.errorStage == "service_ticket" && c.mockError != nil {
  95. return messages.Ticket{}, types.EncryptionKey{}, c.mockError
  96. }
  97. return c.ASRep.Ticket, c.ASRep.DecryptedEncPart.Key, nil
  98. }
  99. func (c *MockKerberosClient) Domain() string {
  100. return "EXAMPLE.COM"
  101. }
  102. func (c *MockKerberosClient) CName() types.PrincipalName {
  103. var p = types.PrincipalName{
  104. NameType: KRB5_USER_AUTH,
  105. NameString: []string{
  106. "kafka",
  107. "kafka",
  108. },
  109. }
  110. return p
  111. }
  112. func (c *MockKerberosClient) Destroy() {
  113. // Do nothing.
  114. }