feat: support encrypted password file during SASL authentication for ZooKeeper C client #2293
Conversation
empiredan
added
the
type/config-change
…ZooKeeper C client
empiredan
force-pushed
the
encrypted-zk-sasl-passwd
branch
from
d654b02 to
7605304
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for encrypted password files during SASL authentication for the ZooKeeper C client. The implementation adds a new configuration option sasl_password_encryption_scheme that supports "base64" encoding scheme, while maintaining backward compatibility with plaintext passwords.
Key changes include:
- Added password decryption functionality with base64 support using OpenSSL
- Refactored ZooKeeper session initialization to handle both encrypted and plaintext passwords
- Added comprehensive test coverage for SASL authentication scenarios
- Updated build and CI configuration to include new tests
Reviewed Changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| src/zookeeper/zookeeper_session.h | Updated class interface with modern C++ practices and added copy/move protection |
| src/zookeeper/zookeeper_session.cpp | Added password decryption logic and refactored SASL initialization |
| src/zookeeper/test/zookeeper_session_test_base.h | New test base class for ZooKeeper session testing |
| src/zookeeper/test/zookeeper_session_test_base.cpp | Implementation of test base class with common test operations |
| src/zookeeper/test/zookeeper_session_test.h | Template-based test fixture for parameterized testing |
| src/zookeeper/test/zookeeper_session_no_auth_test.cpp | Test implementation for non-authenticated scenarios |
| src/zookeeper/test/sasl_auth/zookeeper_session_sasl_auth_test.cpp | SASL authentication tests including encrypted password scenarios |
| src/zookeeper/test/sasl_auth/run.sh | Test execution script for SASL auth tests |
| src/zookeeper/test/sasl_auth/main.cpp | Test application entry point |
| src/zookeeper/test/sasl_auth/config-test.ini | Configuration file for SASL auth tests |
| src/zookeeper/test/sasl_auth/CMakeLists.txt | Build configuration for SASL auth tests |
| src/zookeeper/test/config-test.ini | Minor whitespace cleanup in existing test config |
| src/zookeeper/test/CMakeLists.txt | Added subdirectory for SASL auth tests |
| run.sh | Added support for running SASL auth tests with ZooKeeper SASL configuration |
| admin_tools/start_zk.sh | Enhanced ZooKeeper startup script to support SASL authentication |
| .github/workflows/lint_and_test_cpp.yaml | Added new test to CI pipeline |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
src/zookeeper/zookeeper_session.cpp
Outdated
| zhandle_t *create_zookeeper_handle(watcher_fn watcher, void *context) | ||
| { | ||
| zoo_set_debug_level(enum_from_string(FLAGS_zoo_log_level, static_cast<ZooLogLevel>(0))); |
There was a problem hiding this comment.
The function enum_from_string may fail if FLAGS_zoo_log_level contains an invalid value, but there's no error handling. Consider adding validation or using a default fallback value explicitly.
Copilot uses AI. Check for mistakes.
src/zookeeper/zookeeper_session.cpp
Outdated
| sasl_errstring(err, nullptr, nullptr)); | ||
|
|
||
| CHECK(!dsn::utils::is_empty(FLAGS_sasl_password_file), | ||
| "sasl_password_file must be specified once SASL auth is enabled"); |
There was a problem hiding this comment.
The error message uses 'once' which is ambiguous. Consider changing to 'when SASL auth is enabled' for clarity.
| "sasl_password_file must be specified once SASL auth is enabled"); | |
| "sasl_password_file must be specified when SASL auth is enabled"); |
Copilot uses AI. Check for mistakes.
| ASSERT_NE(nullptr, f); | ||
| ASSERT_EQ(password.size(), fwrite(password.c_str(), 1, password.size(), f)); | ||
| ASSERT_EQ(0, fclose(f)); | ||
| f = nullptr; |
There was a problem hiding this comment.
Setting f = nullptr after fclose() is unnecessary since the variable goes out of scope immediately. The assignment can be removed.
| f = nullptr; |
Copilot uses AI. Check for mistakes.
| - restore_test | ||
| - security_test | ||
| - throttle_test | ||
| - zookeeper_sasl_auth_test |
There was a problem hiding this comment.
There are trailing spaces after 'zookeeper_sasl_auth_test' on lines 183 and 271. Remove the trailing whitespace for consistency.
| - zookeeper_sasl_auth_test | |
| - zookeeper_sasl_auth_test |
Copilot uses AI. Check for mistakes.
| # it has been optimized. | ||
| # - throttle_test | ||
| # - throttle_test | ||
| - zookeeper_sasl_auth_test |
There was a problem hiding this comment.
There are trailing spaces after 'zookeeper_sasl_auth_test' on lines 183 and 271. Remove the trailing whitespace for consistency.
| - zookeeper_sasl_auth_test | |
| - zookeeper_sasl_auth_test |
Copilot uses AI. Check for mistakes.
| # - restore_test | ||
| # - security_test | ||
| # - throttle_test | ||
| # - zookeeper_sasl_auth_test |
There was a problem hiding this comment.
There are trailing spaces after 'zookeeper_sasl_auth_test' on lines 183 and 271. Remove the trailing whitespace for consistency.
| # - zookeeper_sasl_auth_test | |
| # - zookeeper_sasl_auth_test |
Copilot uses AI. Check for mistakes.
#2292
Following configurations are newly added: