Merge remote-tracking branch 'upstream/master' into master

Author: Matthias Klein

Makefile

@@ -8,7 +8,7 @@ VERSION       ?= $(shell git describe --tags --always --dirty)
 GOPKGS         = $(shell go list ./... | grep -v /vendor/)
 BUILD_FLAGS   ?=
 LDFLAGS       ?= -X github.com/grepplabs/kafka-proxy/config.Version=$(VERSION) -w -s
-TAG           ?= "v0.2.5"
+TAG           ?= "v0.2.6"
 GOARCH        ?= amd64
 GOOS          ?= linux
 

README.md

@@ -2,6 +2,7 @@ package server
 
 import (
 	"fmt"
+
 	"github.com/grepplabs/kafka-proxy/config"
 	"github.com/grepplabs/kafka-proxy/proxy"
 	"github.com/oklog/run"
@@ -20,13 +21,14 @@ import (
 	"time"
 
 	"errors"
+	"strings"
+
 	"github.com/grepplabs/kafka-proxy/pkg/apis"
 	localauth "github.com/grepplabs/kafka-proxy/plugin/local-auth/shared"
 	tokeninfo "github.com/grepplabs/kafka-proxy/plugin/token-info/shared"
 	tokenprovider "github.com/grepplabs/kafka-proxy/plugin/token-provider/shared"
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-plugin"
-	"strings"
 
 	"github.com/grepplabs/kafka-proxy/pkg/registry"
 	// built-in plugins
@@ -105,6 +107,14 @@ func initFlags() {
 	Server.Flags().StringSliceVar(&c.Proxy.TLS.ListenerCipherSuites, "proxy-listener-cipher-suites", []string{}, "List of supported cipher suites")
 	Server.Flags().StringSliceVar(&c.Proxy.TLS.ListenerCurvePreferences, "proxy-listener-curve-preferences", []string{}, "List of curve preferences")
 
+	Server.Flags().BoolVar(&c.Proxy.TLS.ClientCert.ValidateSubject, "proxy-listener-tls-client-cert-validate-subject", false, "Whether to validate client certificate subject")
+	Server.Flags().StringVar(&c.Proxy.TLS.ClientCert.Subject.CommonName, "proxy-listener-tls-required-client-subject-common-name", "", "Required client certificate subject common name")
+	Server.Flags().StringSliceVar(&c.Proxy.TLS.ClientCert.Subject.Country, "proxy-listener-tls-required-client-subject-country", []string{}, "Required client certificate subject country")
+	Server.Flags().StringSliceVar(&c.Proxy.TLS.ClientCert.Subject.Province, "proxy-listener-tls-required-client-subject-province", []string{}, "Required client certificate subject province")
+	Server.Flags().StringSliceVar(&c.Proxy.TLS.ClientCert.Subject.Locality, "proxy-listener-tls-required-client-subject-locality", []string{}, "Required client certificate subject locality")
+	Server.Flags().StringSliceVar(&c.Proxy.TLS.ClientCert.Subject.Organization, "proxy-listener-tls-required-client-subject-organization", []string{}, "Required client certificate subject organization")
+	Server.Flags().StringSliceVar(&c.Proxy.TLS.ClientCert.Subject.OrganizationalUnit, "proxy-listener-tls-required-client-subject-organizational-unit", []string{}, "Required client certificate subject organizational unit")
+
 	// local authentication plugin
 	Server.Flags().BoolVar(&c.Auth.Local.Enable, "auth-local-enable", false, "Enable local SASL/PLAIN authentication performed by listener - SASL handshake will not be passed to kafka brokers")
 	Server.Flags().StringVar(&c.Auth.Local.Command, "auth-local-command", "", "Path to authentication plugin binary")

cmd/kafka-proxy/server.go

@@ -252,12 +252,12 @@ func main() {
 		os.Exit(1)
 	}
 	if pluginMeta.bindDN != "" {
-		logrus.Infof("user-search-base='%s',user-filter='%s'", pluginMeta.userSearchBase,pluginMeta.userFilter)
+		logrus.Infof("user-search-base='%s',user-filter='%s'", pluginMeta.userSearchBase, pluginMeta.userFilter)
 
 		if pluginMeta.userSearchBase == "" {
 			logrus.Errorf("user-search-base is required")
 		}
-		if !strings.Contains(pluginMeta.userFilter,UsernamePlaceholder) {
+		if !strings.Contains(pluginMeta.userFilter, UsernamePlaceholder) {
 			logrus.Errorf("user-filter must contain '%s' as username placeholder", UsernamePlaceholder)
 		}
 

cmd/plugin-auth-ldap/main.go

@@ -2,12 +2,13 @@ package config
 
 import (
 	"fmt"
-	"github.com/grepplabs/kafka-proxy/pkg/libs/util"
-	"github.com/pkg/errors"
 	"net"
 	"net/url"
 	"strings"
 	"time"
+
+	"github.com/grepplabs/kafka-proxy/pkg/libs/util"
+	"github.com/pkg/errors"
 )
 
 const defaultClientID = "kafka-proxy"
@@ -70,6 +71,17 @@ type Config struct {
 			CAChainCertFile          string
 			ListenerCipherSuites     []string
 			ListenerCurvePreferences []string
+			ClientCert               struct {
+				ValidateSubject bool
+				Subject         struct {
+					CommonName         string
+					Country            []string
+					Province           []string
+					Locality           []string
+					Organization       []string
+					OrganizationalUnit []string
+				}
+			}
 		}
 	}
 	Auth struct {

config/config.go

@@ -250,19 +250,14 @@ func (rd *realDecoder) getInt64Array() ([]int64, error) {
 }
 
 func (rd *realDecoder) getStringArray() ([]string, error) {
-	if rd.remaining() < 4 {
-		rd.off = len(rd.raw)
-		return nil, ErrInsufficientData
-	}
-	n := int(binary.BigEndian.Uint32(rd.raw[rd.off:]))
-	rd.off += 4
+	n, err := rd.getArrayLength()
 
-	if n == 0 {
-		return nil, nil
+	if err != nil {
+		return nil, err
 	}
 
-	if n < 0 {
-		return nil, errInvalidArrayLength
+	if n == -1 {
+		return nil, nil
 	}
 
 	ret := make([]string, n)

proxy/protocol/real_decoder.go

@@ -258,6 +258,10 @@ func (r *RequestKeyVersion) ResponseHeaderVersion() int16 {
 		return 0
 	case 49: // AlterClientQuotas
 		return 0
+	case 50: // DescribeUserScramCredentials
+		return 1
+	case 51: // AlterUserScramCredentials
+		return 1
 	default:
 		// throw new UnsupportedVersionException("Unsupported API key " + apiKey);
 		return -1

proxy/protocol/request_key_version.go

@@ -3,11 +3,12 @@ package proxy
 import (
 	"crypto/tls"
 	"fmt"
+	"net"
+	"sync"
+
 	"github.com/grepplabs/kafka-proxy/config"
 	"github.com/grepplabs/kafka-proxy/pkg/libs/util"
 	"github.com/sirupsen/logrus"
-	"net"
-	"sync"
 )
 
 type ListenFunc func(cfg config.ListenerConfig) (l net.Listener, err error)

proxy/proxy.go

@@ -4,8 +4,10 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
+	"fmt"
 	"io/ioutil"
 	"net"
+	"sort"
 	"strings"
 	"time"
 
@@ -14,6 +16,22 @@ import (
 	"github.com/pkg/errors"
 )
 
+type clientCertSubjectField string
+
+const (
+	clientCertSubjectCommonName         = "CN"
+	clientCertSubjectCountry            = "C"
+	clientCertSubjectProvince           = "S"
+	clientCertSubjectLocality           = "L"
+	clientCertSubjectOrganization       = "O"
+	clientCertSubjectOrganizationalUnit = "OU"
+)
+
+type clientCertExpectedData struct {
+	fields map[clientCertSubjectField]string
+	parts  []string
+}
+
 var (
 	defaultCurvePreferences = []tls.CurveID{
 		tls.CurveP256,
@@ -120,9 +138,142 @@ func newTLSListenerConfig(conf *config.Config) (*tls.Config, error) {
 		cfg.ClientCAs = clientCAs
 		cfg.ClientAuth = tls.RequireAndVerifyClientCert
 	}
+
+	cfg.VerifyPeerCertificate = tlsClientCertVerificationFunc(conf)
+
 	return cfg, nil
 }
 
+func tlsClientCertVerificationFunc(conf *config.Config) func([][]byte, [][]*x509.Certificate) error {
+	expectedData := getClientCertExpectedData(conf)
+	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+		if conf.Proxy.TLS.ClientCert.ValidateSubject {
+
+			if len(expectedData.fields) == 0 {
+				return nil // nothing to validate
+			}
+
+			for _, chain := range verifiedChains {
+				for _, cert := range chain {
+
+					certificateAcceptable := true
+
+					for k, v := range expectedData.fields {
+						switch k {
+						case clientCertSubjectCommonName:
+							if v != cert.Subject.CommonName {
+								certificateAcceptable = false
+								break
+							}
+						case clientCertSubjectCountry:
+							currentValues := cert.Subject.Country
+							sort.Strings(currentValues)
+							if fmt.Sprintf("%v", currentValues) != v {
+								certificateAcceptable = false
+								break
+							}
+						case clientCertSubjectProvince:
+							currentValues := cert.Subject.Province
+							sort.Strings(currentValues)
+							if fmt.Sprintf("%v", currentValues) != v {
+								certificateAcceptable = false
+								break
+							}
+						case clientCertSubjectLocality:
+							currentValues := cert.Subject.Locality
+							sort.Strings(currentValues)
+							if fmt.Sprintf("%v", currentValues) != v {
+								certificateAcceptable = false
+								break
+							}
+						case clientCertSubjectOrganization:
+							currentValues := cert.Subject.Organization
+							sort.Strings(currentValues)
+							if fmt.Sprintf("%v", currentValues) != v {
+								certificateAcceptable = false
+								break
+							}
+						case clientCertSubjectOrganizationalUnit:
+							currentValues := cert.Subject.OrganizationalUnit
+							sort.Strings(currentValues)
+							if fmt.Sprintf("%v", currentValues) != v {
+								certificateAcceptable = false
+								break
+							}
+						}
+					}
+
+					if certificateAcceptable {
+						return nil
+					}
+
+				}
+			}
+
+			return fmt.Errorf("tls: no client certificate presented required subject '%s'", strings.Join(expectedData.parts, "/"))
+
+		}
+		return nil
+	}
+}
+
+func getClientCertExpectedData(conf *config.Config) *clientCertExpectedData {
+
+	expectedFields := map[clientCertSubjectField]string{}
+	expectedParts := []string{"s:"} // these are calculated here because the order is relevant to us
+	values := []string{}
+
+	if conf.Proxy.TLS.ClientCert.Subject.CommonName != "" {
+		expectedFields[clientCertSubjectCommonName] = conf.Proxy.TLS.ClientCert.Subject.CommonName
+		expectedParts = append(expectedParts, fmt.Sprintf("%s=%s", clientCertSubjectCommonName, expectedFields[clientCertSubjectCommonName]))
+	}
+	values = removeEmptyStrings(conf.Proxy.TLS.ClientCert.Subject.Country)
+	if len(values) > 0 {
+		sort.Strings(values)
+		expectedFields[clientCertSubjectCountry] = fmt.Sprintf("%v", values)
+		expectedParts = append(expectedParts, fmt.Sprintf("%s=%s", clientCertSubjectCountry, expectedFields[clientCertSubjectCountry]))
+	}
+	values = removeEmptyStrings(conf.Proxy.TLS.ClientCert.Subject.Province)
+	if len(values) > 0 {
+		sort.Strings(values)
+		expectedFields[clientCertSubjectProvince] = fmt.Sprintf("%v", values)
+		expectedParts = append(expectedParts, fmt.Sprintf("%s=%s", clientCertSubjectProvince, expectedFields[clientCertSubjectProvince]))
+	}
+	values = removeEmptyStrings(conf.Proxy.TLS.ClientCert.Subject.Locality)
+	if len(values) > 0 {
+		sort.Strings(values)
+		expectedFields[clientCertSubjectLocality] = fmt.Sprintf("%v", values)
+		expectedParts = append(expectedParts, fmt.Sprintf("%s=%s", clientCertSubjectLocality, expectedFields[clientCertSubjectLocality]))
+	}
+	values = removeEmptyStrings(conf.Proxy.TLS.ClientCert.Subject.Organization)
+	if len(values) > 0 {
+		sort.Strings(values)
+		expectedFields[clientCertSubjectOrganization] = fmt.Sprintf("%v", values)
+		expectedParts = append(expectedParts, fmt.Sprintf("%s=%s", clientCertSubjectOrganization, expectedFields[clientCertSubjectOrganization]))
+	}
+	values = removeEmptyStrings(conf.Proxy.TLS.ClientCert.Subject.OrganizationalUnit)
+	if len(values) > 0 {
+		sort.Strings(values)
+		expectedFields[clientCertSubjectOrganizationalUnit] = fmt.Sprintf("%v", values)
+		expectedParts = append(expectedParts, fmt.Sprintf("%s=%s", clientCertSubjectOrganizationalUnit, expectedFields[clientCertSubjectOrganizationalUnit]))
+	}
+	return &clientCertExpectedData{
+		parts:  expectedParts,
+		fields: expectedFields,
+	}
+}
+
+func removeEmptyStrings(input []string) []string {
+	output := []string{}
+	for _, value := range input {
+		if value == "" {
+			continue
+		}
+		output = append(output, value)
+	}
+	return output
+}
+
 func getCipherSuites(enabledCipherSuites []string) ([]uint16, error) {
 	suites := make([]uint16, 0)
 	for _, suite := range enabledCipherSuites {