WIP: Add Sasl authentication - PLAIN

[ramrengaswamy]

Closes #125

Describe your proposed changes here.

• Added support for PLAIN SASL auth.
• Added a couple of new requests SaslHandshakeRequest and SaslAuthenticateRequest
• Added a couple of primitives Bytes (not used) and CompactBytes.
• Added a SaslConfig struct and that can be set in the ClientBuilder and used during connection establishment.
• I've read the contributing section of the project CONTRIBUTING.md.
• Signed CLA (if not already signed).

[crepererum]

This is not in line w/ API_VERSION_RANGE: you don't support version 0.

[crepererum]

Why is version 1 not supported?

Edit: reading https://kafka.apache.org/protocol#sasl_handshake again I think we can also support version 0 for the SaslAuthenticate message.

[ramrengaswamy]

I am not super familiar with the protocol.
Based on this:
If SaslHandshakeRequest version is v0, a series of SASL client and server tokens corresponding to the mechanism are sent as opaque packets without wrapping the messages with Kafka protocol headers.
I wasn't sure if this library could handle messages without Kafka protocol headers.

[crepererum]

The sentence you're quoting is about the SaslHandshakeRequest (for which I agree that we should only support version 1), not about the SaslAuthenticateRequest. The versions for these two request-response types are different. The version selection will be done by the Messenger.

[ramrengaswamy]

I realize that your comment was regarding SaslAuthenticate. The issue I ran in to here was that the type of the fields got modified through the different versions. For e.g. auth_bytes was BYTES in version 0 but become COMPACT_BYTES from version 1 onwards. Is there an example for this is handled anywhere else in the library?

[crepererum]

I see. TBH we don't have a beautiful solution of it. I would go for Bytes as a type within the struct and then do some type conversion during read/write. See this example:

rskafka/src/protocol/messages/delete_records.rs

Lines 63 to 66 in ad8de3c

	#[derive(Debug)]
	pub struct DeleteRequestTopic {
	/// The topic name.
	pub name: String_,

Here the name is an ordinary string, but is compact after a certain version. This is then handled here:

rskafka/src/protocol/messages/delete_records.rs

Lines 89 to 93 in ad8de3c

	if v >= 2 {
	CompactStringRef(&self.name.0).write(writer)?
	} else {
	self.name.write(writer)?;
	}

I think you might want to introduce CompactBytesRef for that, so you don't have to copy the payload during type conversion. This is similar how it is done for CompactString:

rskafka/src/protocol/primitives.rs

Lines 362 to 365 in ad8de3c

	/// Represents a string whose length is expressed as a variable-length integer rather than a fixed 2-byte length.
	#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Default)]
	#[cfg_attr(test, derive(proptest_derive::Arbitrary))]
	pub struct CompactString(pub String);

rskafka/src/protocol/primitives.rs

Lines 392 to 399 in ad8de3c

	impl<W> WriteType<W> for CompactString
	where
	W: Write,
	{
	fn write(&self, writer: &mut W) -> Result<(), WriteError> {
	CompactStringRef(&self.0).write(writer)
	}
	}

(note how the "write" operation is only implemented once, because CompactString can use CompactStringRef)

rskafka/src/protocol/primitives.rs

Lines 401 to 417 in ad8de3c

	/// Same as [`CompactString`] but contains referenced data.
	///
	/// This only supports writing.
	#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Hash)]
	pub struct CompactStringRef<'a>(pub &'a str);
	impl<'a, W> WriteType<W> for CompactStringRef<'a>
	where
	W: Write,
	{
	fn write(&self, writer: &mut W) -> Result<(), WriteError> {
	let len = u64::try_from(self.0.len() + 1).map_err(WriteError::Overflow)?;
	UnsignedVarint(len).write(writer)?;
	writer.write_all(self.0.as_bytes())?;
	Ok(())
	}
	}

[ramrengaswamy]

Neat! I will follow a similar pattern.

[crepererum]

Would be nice if you could copy over the docstrings for the official message description. If a field was added at a specific version, this should also be documented, e.g.

/// Some description as written in <https://kafka.apache.org/protocol>
///
/// Added in version X.
pub my_field: String_,

[crepererum]

Looks good. Please copy over the docs from https://kafka.apache.org/protocol#protocol_types and add a roundtrip test.

[crepererum]

This is not really a part of the underlying protocol but our own API. Should probably go to src/connection/transport/sasl.rs. This would also allow you to use this type in CliendBuilder::sasl_config w/o leaking protocol details. I would expect that a struct/enum instead of username+password parameters are also more future-proof (in light of all the different SASL auth methods).

[crepererum]

So if there is a SaslConfig, then we need to call this each time after sync_versions. I think you can just grep throw the code and see where is this done. Maybe you wanna make the two methods private and instead offer a setup method that does both, so we don't forget to call one or the other a certain callsides.

[crepererum]

@ramrengaswamy this is a good start 👍

[ramrengaswamy]

@crepererum I didn't refactor this into a separate setup function because I wasn't sure SaslConfig should leak into the Messenger. Right now SaslConfig is known to transport, connection and ClientBuilder.

[crepererum]

Looks good to me. I've just checked: this is the only place where we call sync_versions and also the place where we set up SOCKS5 and TLS. So I think this is a good spot to call sasl_handshake 👍

[ramrengaswamy]

@crepererum ... Ready for another look.
This is my first real rust program so also let me know if some code doesn't look "rusty" :)
I will fix those.

[crepererum]

Looks solid 👍

Now how do we test this? 😁

[crepererum]

I would take SaslConfig as an argument here so we can extend the config in the future w/o overloading the ClientBuilder w/ too many methods.

[ramrengaswamy]

Had to pub use crate::connection::SaslConfig in client/mod.rs to publicly expose SaslConfig

[crepererum]

Can you add a link/reference for this binary format?

I think for PLAIN it's OK to hand-roll this, in the future however I would like to offload this to another crate because I don't wanna deal w/ all the SASL crypto stuff in rskafka.

[ramrengaswamy]

Are you okay depending on a pure rust crate such as this one? https://docs.rs/sasl/latest/sasl/
The other SASL packages are rust wrappers around C implementations.

[crepererum]

I think you don't have to mention that a field was always there ("Added in version 0."), but it's OK.

[ramrengaswamy]

Got rid of it to keep it consistent with the rest of the codebase.

[crepererum]

Suggested change

	pub fn auth_bytes(&self) -> Vec<u8> {
	pub(crate) fn auth_bytes(&self) -> Vec<u8> {

This is not a public API that falls under semantic versioning and that users should rely on. Same goes for fn mechanism.

[ramrengaswamy]

I am currently testing these changes against a simple application that I am running against a Confluent stream.
I am not sure if it is possible to run a local Kafka instance with SASL auth enabled. Will look into it.

[ramrengaswamy]

@crepererum - Seems that the local Kafka and Redpanda have sasl enabled. So I added a test_sasl that will trigger the SASL handshake and authenticate exchanges in the integration tests.

[crepererum]

I was really surprised that this "just works" in our CI tests. In short: It doesn't. You have to check the error codes within the messages (SaslHandshakeResponse::error_code and SaslAuthenticateResponse::error_code) and return an error if the codes are set.

You may wonder how I found that out that quickly: Wireshark:

[ramrengaswamy]

Ugh, can't believe I missed that! Fixing.

[ramrengaswamy]

@crepererum tl;dr - I got the sasl integration test working locally but ran into an issue getting to work on CircleCI.

The following command will run all Kafka integration tests (including sasl)
TEST_INTEGRATION=1 TEST_DELETE_RECORDS=1 KAFKA_CONNECT=localhost:9094 KAFKA_SASL_CONNECT=localhost:9097 cargo test

To get Sasl integration test to work I made the following changes:

1. Added a new SECURE listener to all the brokers and configured its security to SASL_PLAINTEXT.
2. Added a kafka_jaas.conf file to get the brokers to boot up successfully and handle simple password auth.
3. Introduced a new environment variable KAFKA_SASL_CONNECT that is used by test_sasl to connect to the SECURE listener.

I have not used CircleCI before. It seems there is no way to volume mount into a Docker container.
So we would have to use this workaround to copy kafka_jaas.conf into CircleCI and make it accessible to the brokers.

[crepererum]

@ramrengaswamy Didn't have time to look into this today, sorry. I'll be out of office for two weeks, I'll get back to this on the 16th of May.

[crepererum]

BTW: we're testing against Kafka and really redpanda. Could you have a look if you can get SASL to work with redpanda as well?

[crepererum]

@ramrengaswamy any progress on this?

[seijik42]

I tried to contribute this by fixing the test for Redpanda but seems like they don't support SASL/PLAIN at the moment. (only SASL/SCRAM)
https://docs.redpanda.com/docs/manage/security/authentication/#saslscram
Is it ok to simply skip test_sasl when envvar TEST_BROKER_IMPL=redpanda ?

My PR will be like this. #198

[toondaey]

Is there any progress on this? Or is there anything that can be done to help with this?

[crepererum]

@toondaey I think the latest attempt is #198 . If you could pick that one up (just create a new PR) and make sure that the tests also run in CircleCI, I think we could easily drive it to completion.

[toondaey]

@toondaey I think the latest attempt is #198 . If you could pick that one up (just create a new PR) and make sure that the tests also run in CircleCI, I think we could easily drive it to completion.

Sure. I'll give it a whirl.

[crepererum]

This is now supported, see #216.

[Neustradamus]

Linked to:

• State of Play scram-sasl/info#1
• @ramrengaswamy: WIP: Add Sasl authentication - PLAIN #129
• @seijik42: WIP: Add Sasl authentication - PLAIN (No Redpand test) #198
• @toondaey: feat: sasl auth impl #216