ZOOKEEPER-4889: Fallback to DIGEST-MD5 auth mech should be disabled i…

…n Fips mode (apache#2213)

zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java

@@ -250,7 +250,7 @@ private SaslClient createSaslClient(
                     l.startThreadIfNeeded();
                 }
             }
-            return SecurityUtils.createSaslClient(loginRef.get().getSubject(),
+            return SecurityUtils.createSaslClient(clientConfig, loginRef.get().getSubject(),
                 servicePrincipal, "zookeeper", "zk-sasl-md5", LOG, "Client");
         } catch (LoginException e) {
             // We throw LoginExceptions...

zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java

@@ -73,7 +73,8 @@ public abstract class X509Util implements Closeable, AutoCloseable {
     private static final Logger LOG = LoggerFactory.getLogger(X509Util.class);
 
     private static final String REJECT_CLIENT_RENEGOTIATION_PROPERTY = "jdk.tls.rejectClientInitiatedRenegotiation";
-    private static final String FIPS_MODE_PROPERTY = "zookeeper.fips-mode";
+    public static final String FIPS_MODE_PROPERTY = "zookeeper.fips-mode";
+    private static final boolean FIPS_MODE_DEFAULT = true;
     public static final String TLS_1_1 = "TLSv1.1";
     public static final String TLS_1_2 = "TLSv1.2";
     public static final String TLS_1_3 = "TLSv1.3";
@@ -301,8 +302,8 @@ public String getFipsModeProperty() {
         return FIPS_MODE_PROPERTY;
     }
 
-    public boolean getFipsMode(ZKConfig config) {
-        return config.getBoolean(FIPS_MODE_PROPERTY, true);
+    public static boolean getFipsMode(ZKConfig config) {
+        return config.getBoolean(FIPS_MODE_PROPERTY, FIPS_MODE_DEFAULT);
     }
 
     public boolean isServerHostnameVerificationEnabled(ZKConfig config) {

zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java

@@ -106,7 +106,7 @@ public X509AuthenticationProvider() throws X509Exception {
                     x509Util.getSslTruststorePasswdProperty(),
                     x509Util.getSslTruststorePasswdPathProperty());
             String trustStoreTypeProp = config.getProperty(x509Util.getSslTruststoreTypeProperty());
-            boolean fipsMode = x509Util.getFipsMode(config);
+            boolean fipsMode = X509Util.getFipsMode(config);
 
             if (trustStoreLocation.isEmpty()) {
                 LOG.warn("Truststore not specified for client connection");

zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java

@@ -94,6 +94,7 @@ public void authenticate(Socket sock, String hostName) throws IOException {
             DataInputStream din = new DataInputStream(sock.getInputStream());
             byte[] responseToken = new byte[0];
             sc = SecurityUtils.createSaslClient(
+                new ZKConfig(),
                 learnerLogin.getSubject(),
                 principalConfig,
                 QuorumAuth.QUORUM_SERVER_PROTOCOL_NAME,

zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java

@@ -28,6 +28,8 @@
 import javax.security.sasl.SaslException;
 import javax.security.sasl.SaslServer;
 import org.apache.zookeeper.SaslClientCallbackHandler;
+import org.apache.zookeeper.common.X509Util;
+import org.apache.zookeeper.common.ZKConfig;
 import org.apache.zookeeper.server.auth.KerberosName;
 import org.ietf.jgss.GSSContext;
 import org.ietf.jgss.GSSCredential;
@@ -55,6 +57,7 @@ public final class SecurityUtils {
      * @throws SaslException
      */
     public static SaslClient createSaslClient(
+        ZKConfig config,
         final Subject subject,
         final String servicePrincipal,
         final String protocol,
@@ -67,6 +70,11 @@ public static SaslClient createSaslClient(
         if (subject.getPrincipals().isEmpty()) {
             // no principals: must not be GSSAPI: use DIGEST-MD5 mechanism
             // instead.
+            // FIPS-mode: don't try DIGEST-MD5, just return error
+            if (X509Util.getFipsMode(config)) {
+                LOG.warn("{} will not use DIGEST-MD5 as SASL mechanism, because FIPS mode is enabled.", entity);
+                return null;
+            }
             LOG.info("{} will use DIGEST-MD5 as SASL mechanism.", entity);
             String[] mechs = {"DIGEST-MD5"};
             String username = (String) (subject.getPublicCredentials().toArray()[0]);

zookeeper-server/src/test/java/org/apache/zookeeper/SaslAuthTest.java

@@ -39,12 +39,12 @@
 import org.apache.zookeeper.client.ZooKeeperSaslClient;
 import org.apache.zookeeper.data.ACL;
 import org.apache.zookeeper.data.Id;
-import org.apache.zookeeper.test.ClientBase;
+import org.apache.zookeeper.test.SaslAuthDigestTestBase;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
-public class SaslAuthTest extends ClientBase {
+public class SaslAuthTest extends SaslAuthDigestTestBase {
 
     @BeforeAll
     public static void init() {

zookeeper-server/src/test/java/org/apache/zookeeper/server/embedded/ZookeeperServerClusterMutualAuthTest.java

@@ -26,6 +26,7 @@
 import java.util.Properties;
 import javax.security.auth.login.Configuration;
 import org.apache.zookeeper.PortAssignment;
+import org.apache.zookeeper.common.X509Util;
 import org.apache.zookeeper.test.ClientBase;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
@@ -39,6 +40,8 @@ public class ZookeeperServerClusterMutualAuthTest {
 
     @BeforeAll
     public static void setUpEnvironment() {
+        // Need to disable Fips-mode, because we use DIGEST-MD5 mech for Sasl
+        System.setProperty(X509Util.FIPS_MODE_PROPERTY, "false");
         System.setProperty("java.security.auth.login.config", new File("src/test/resources/embedded/test_jaas_server_auth.conf")
                 .getAbsolutePath());
         Configuration.getConfiguration().refresh();
@@ -52,6 +55,7 @@ public static void cleanUpEnvironment() throws InterruptedException, IOException
         System.clearProperty("zookeeper.4lw.commands.whitelist");
         System.clearProperty("java.security.auth.login.config");
         Configuration.getConfiguration().refresh();
+        System.clearProperty(X509Util.FIPS_MODE_PROPERTY);
     }
 
     @TempDir

zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/DigestSecurityTestcase.java

@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.server.quorum.auth;
+
+import org.apache.zookeeper.common.X509Util;
+import org.apache.zookeeper.test.SaslAuthDigestTestBase;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+
+/**
+ * Created for test cases which use Digest Auth mech for SASL.
+ * Primary reason is that we have to disable FIPS mode, otherwise DIGEST-MD5 cannot be used.
+ *
+ * @see SaslAuthDigestTestBase
+ */
+public class DigestSecurityTestcase extends QuorumAuthTestBase {
+
+  @BeforeAll
+  public static void setUpClass() throws Exception {
+    // Need to disable Fips-mode, because we use DIGEST-MD5 mech for Sasl
+    System.setProperty(X509Util.FIPS_MODE_PROPERTY, "false");
+  }
+
+  @AfterAll
+  public static void tearDownClass() throws Exception {
+    System.clearProperty(X509Util.FIPS_MODE_PROPERTY);
+  }
+}

zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumAuthUpgradeTest.java

@@ -52,7 +52,7 @@
  * quorum.auth.enableSasl=true, quorum.auth.learnerRequireSasl=true and quorum.auth.serverRequireSasl=true
  * Now, all the servers are fully upgraded and running in secured mode.
  */
-public class QuorumAuthUpgradeTest extends QuorumAuthTestBase {
+public class QuorumAuthUpgradeTest extends DigestSecurityTestcase {
 
     static {
         String jaasEntries = "QuorumServer {\n"

zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java

@@ -39,7 +39,7 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.Timeout;
 
-public class QuorumDigestAuthTest extends QuorumAuthTestBase {
+public class QuorumDigestAuthTest extends DigestSecurityTestcase {
 
     static {
         String jaasEntries = "QuorumServer {\n"

zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java

@@ -40,7 +40,7 @@
 import org.apache.zookeeper.data.Id;
 import org.junit.jupiter.api.Test;
 
-public class SaslAuthDesignatedClientTest extends ClientBase {
+public class SaslAuthDesignatedClientTest extends SaslAuthDigestTestBase {
 
     static {
         System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");

zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDesignatedServerTest.java

@@ -33,7 +33,7 @@
 import org.apache.zookeeper.server.ZooKeeperSaslServer;
 import org.junit.jupiter.api.Test;
 
-public class SaslAuthDesignatedServerTest extends ClientBase {
+public class SaslAuthDesignatedServerTest extends SaslAuthDigestTestBase {
 
     public static int AUTHENTICATION_TIMEOUT = 30000;
 

zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDigestTestBase.java

@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.test;
+
+import org.apache.zookeeper.common.X509Util;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+
+/**
+ * Created as a base class for Digest Auth based SASL authentication tests.
+ * We need to disable Fips mode, otherwise DIGEST-MD5 cannot be used.
+ *
+ * @see org.apache.zookeeper.server.quorum.auth.DigestSecurityTestcase
+ */
+public class SaslAuthDigestTestBase extends ClientBase {
+
+  @BeforeAll
+  public static void beforeClass() throws Exception {
+    // Need to disable Fips-mode, because we use DIGEST-MD5 mech for Sasl
+    System.setProperty(X509Util.FIPS_MODE_PROPERTY, "false");
+  }
+
+  @AfterAll
+  public static void afterClass() throws Exception {
+    System.clearProperty(X509Util.FIPS_MODE_PROPERTY);
+  }
+
+}

zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthFailDesignatedClientTest.java

@@ -30,7 +30,7 @@
 import org.apache.zookeeper.client.ZKClientConfig;
 import org.junit.jupiter.api.Test;
 
-public class SaslAuthFailDesignatedClientTest extends ClientBase {
+public class SaslAuthFailDesignatedClientTest extends SaslAuthDigestTestBase {
 
     static {
         System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");

zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthFailTest.java

@@ -30,7 +30,7 @@
 import org.apache.zookeeper.ZooKeeper;
 import org.junit.jupiter.api.Test;
 
-public class SaslAuthFailTest extends ClientBase {
+public class SaslAuthFailTest extends SaslAuthDigestTestBase {
 
     static {
         System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");

zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthMissingClientConfigTest.java

@@ -29,7 +29,7 @@
 import org.apache.zookeeper.client.ZKClientConfig;
 import org.junit.jupiter.api.Test;
 
-public class SaslAuthMissingClientConfigTest extends ClientBase {
+public class SaslAuthMissingClientConfigTest extends SaslAuthDigestTestBase {
 
     static {
         System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");

zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailNoSASLTest.java

@@ -28,7 +28,7 @@
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
-public class SaslAuthRequiredFailNoSASLTest extends ClientBase {
+public class SaslAuthRequiredFailNoSASLTest extends SaslAuthDigestTestBase {
 
     @BeforeAll
     public static void setup() {

zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailWrongSASLTest.java

@@ -28,7 +28,7 @@
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
-public class SaslAuthRequiredFailWrongSASLTest extends ClientBase {
+public class SaslAuthRequiredFailWrongSASLTest extends SaslAuthDigestTestBase {
 
     @BeforeAll
     public static void setUpBeforeClass() {

zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredMultiClientTest.java

@@ -29,7 +29,7 @@
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
-public class SaslAuthRequiredMultiClientTest extends ClientBase {
+public class SaslAuthRequiredMultiClientTest extends SaslAuthDigestTestBase {
 
     @BeforeAll
     public static void setUpBeforeClass() {

zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredTest.java

@@ -27,7 +27,7 @@
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
-public class SaslAuthRequiredTest extends ClientBase {
+public class SaslAuthRequiredTest extends SaslAuthDigestTestBase {
 
     @BeforeAll
     public static void setUpBeforeClass() {

zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslDigestAuthOverSSLTest.java

@@ -41,7 +41,7 @@
 import org.junit.jupiter.api.Test;
 
 
-public class SaslDigestAuthOverSSLTest extends ClientBase {
+public class SaslDigestAuthOverSSLTest extends SaslAuthDigestTestBase {
 
     private ClientX509Util clientX509Util;
     private File saslConfFile;

zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslSuperUserTest.java

@@ -39,7 +39,7 @@
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
-public class SaslSuperUserTest extends ClientBase {
+public class SaslSuperUserTest extends SaslAuthDigestTestBase {
 
     private static Id otherSaslUser = new Id("sasl", "joe");
     private static Id otherDigestUser;