[security] Proxy to broker and broker to broker hostname verification (#57)

Author: michaeljmarshall

kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/coordinator/transaction/TransactionMarkerChannelInitializer.java

@@ -16,13 +16,15 @@
 import static io.streamnative.pulsar.handlers.kop.KafkaChannelInitializer.MAX_FRAME_LENGTH;
 import static io.streamnative.pulsar.handlers.kop.KafkaProtocolHandler.TLS_HANDLER;
 
+import io.netty.channel.Channel;
 import io.netty.channel.ChannelInitializer;
 import io.netty.channel.socket.SocketChannel;
 import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
 import io.netty.handler.codec.LengthFieldPrepender;
 import io.netty.handler.ssl.SslHandler;
 import io.streamnative.pulsar.handlers.kop.KafkaServiceConfiguration;
 import io.streamnative.pulsar.handlers.kop.utils.ssl.SSLUtils;
+import java.util.concurrent.CompletableFuture;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
 /**
@@ -50,13 +52,27 @@ public TransactionMarkerChannelInitializer(KafkaServiceConfiguration kafkaConfig
 
     @Override
     protected void initChannel(SocketChannel ch) throws Exception {
-        if (this.enableTls) {
-            ch.pipeline().addLast(TLS_HANDLER,
-                    new SslHandler(SSLUtils.createClientSslEngine(sslContextFactory)));
-        }
         ch.pipeline().addLast(lengthFieldPrepender);
         ch.pipeline().addLast("frameDecoder",
                 new LengthFieldBasedFrameDecoder(MAX_FRAME_LENGTH, 0, 4, 0, 4));
         ch.pipeline().addLast("txnHandler", new TransactionMarkerChannelHandler(transactionMarkerChannelManager));
     }
+
+    protected CompletableFuture<Channel> initTls(Channel ch, String host, int port) {
+        if (this.enableTls) {
+            CompletableFuture<Channel> initTlsFuture = new CompletableFuture<>();
+            ch.eventLoop().execute(() -> {
+                try {
+                    ch.pipeline().addFirst(TLS_HANDLER,
+                            new SslHandler(SSLUtils.createClientSslEngine(sslContextFactory, host, port)));
+                    initTlsFuture.complete(ch);
+                } catch (Throwable t) {
+                    initTlsFuture.completeExceptionally(t);
+                }
+            });
+            return initTlsFuture;
+        } else {
+            return CompletableFuture.completedFuture(ch);
+        }
+    }
 }

kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/coordinator/transaction/TransactionMarkerChannelManager.java

@@ -78,6 +78,8 @@ public class TransactionMarkerChannelManager {
 
     private final Bootstrap bootstrap;
 
+    private final TransactionMarkerChannelInitializer transactionMarkerChannelInitializer;
+
     private final Map<InetSocketAddress, CompletableFuture<TransactionMarkerChannelHandler>> handlerMap =
             new ConcurrentHashMap<>();
 
@@ -183,7 +185,9 @@ public TransactionMarkerChannelManager(String tenant,
         bootstrap = new Bootstrap();
         bootstrap.group(eventLoopGroup);
         bootstrap.channel(EventLoopUtil.getClientSocketChannelClass(eventLoopGroup));
-        bootstrap.handler(new TransactionMarkerChannelInitializer(kafkaConfig, enableTls, this));
+        transactionMarkerChannelInitializer =
+                new TransactionMarkerChannelInitializer(kafkaConfig, enableTls, this);
+        bootstrap.handler(transactionMarkerChannelInitializer);
     }
 
     public CompletableFuture<TransactionMarkerChannelHandler> getChannel(InetSocketAddress socketAddress) {
@@ -193,7 +197,10 @@ public CompletableFuture<TransactionMarkerChannelHandler> getChannel(InetSocketA
         ensureDrainQueuedTransactionMarkersActivity();
         return handlerMap.computeIfAbsent(socketAddress, address -> {
             CompletableFuture<TransactionMarkerChannelHandler> handlerFuture = new CompletableFuture<>();
-            ChannelFutures.toCompletableFuture(bootstrap.connect(socketAddress))
+            ChannelFutures.toCompletableFuture(bootstrap.register())
+                    .thenCompose(ch -> transactionMarkerChannelInitializer
+                            .initTls(ch, socketAddress.getHostString(), socketAddress.getPort()))
+                    .thenCompose(ch -> ChannelFutures.toCompletableFuture(ch.connect(socketAddress)))
                     .thenAccept(channel -> {
                         handlerFuture.complete(
                                 (TransactionMarkerChannelHandler) channel.pipeline().get("txnHandler"));

kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/utils/ssl/SSLUtils.java

@@ -266,9 +266,10 @@ public static SSLEngine createSslEngine(SslContextFactory.Server sslContextFacto
         return engine;
     }
 
-    public static SSLEngine createClientSslEngine(SslContextFactory.Client sslContextFactory) throws Exception {
+    public static SSLEngine createClientSslEngine(SslContextFactory.Client sslContextFactory,
+                                                  String host, int port) throws Exception {
         sslContextFactory.start();
-        SSLEngine engine  = sslContextFactory.newSSLEngine();
+        SSLEngine engine  = sslContextFactory.newSSLEngine(host, port);
         engine.setUseClientMode(true);
 
         return engine;

proxy/src/main/java/io/streamnative/pulsar/handlers/kop/ConnectionToBroker.java

@@ -117,7 +117,7 @@ private synchronized CompletableFuture<Channel> ensureConnection() {
             public void initChannel(SocketChannel ch) throws Exception {
                 if (enableTls) {
                     ch.pipeline().addLast(TLS_HANDLER,
-                            new SslHandler(SSLUtils.createClientSslEngine(sslContextFactory)));
+                            new SslHandler(SSLUtils.createClientSslEngine(sslContextFactory, brokerHost, brokerPort)));
                 }
                 ch.pipeline().addLast(new LengthFieldPrepender(4));
                 ch.pipeline().addLast("frameDecoder",

tests/src/test/java/io/streamnative/pulsar/handlers/kop/KafkaSSLChannelTest.java

@@ -85,20 +85,22 @@ public KafkaSSLChannelTest(final String entryFormat, boolean withCertHost, boole
      * @param withCertHost the keystore with certHost or not.
      */
     private void setSslConfigurations(boolean withCertHost) {
-        String path = "./src/test/resources/ssl/certificate" + (withCertHost ? "2" : "") + "/";
-        if (!withCertHost) {
+        String path = "./src/test/resources/ssl/certificate" + (withCertHost ? "" : "2") + "/";
+        if (withCertHost) {
             this.kopSslKeystoreLocation = path + "broker.keystore.jks";
             this.kopSslKeystorePassword = "broker";
             this.kopSslTruststoreLocation = path + "broker.truststore.jks";
             this.kopSslTruststorePassword = "broker";
+            this.kopClientTruststoreLocation = path + "broker.truststore.jks";
+            this.kopClientTruststorePassword = "broker";
         } else {
             this.kopSslKeystoreLocation = path + "server.keystore.jks";
             this.kopSslKeystorePassword = "server";
             this.kopSslTruststoreLocation = path + "server.truststore.jks";
             this.kopSslTruststorePassword = "server";
+            kopClientTruststorePassword = "client";
+            kopClientTruststoreLocation = path + "client.truststore.jks";
         }
-        kopClientTruststoreLocation = path + "client.truststore.jks";
-        kopClientTruststorePassword = "client";
     }
 
     @Factory
@@ -114,6 +116,10 @@ public static Object[] instances() {
     }
 
     protected void sslSetUpForBroker() throws Exception {
+
+        // require TLS verification when hostname is on certificate
+        conf.setTlsHostnameVerificationEnabled(withCertHost);
+
         conf.setKafkaTransactionCoordinatorEnabled(true);
         conf.setKopTlsEnabledWithBroker(true);
         conf.setKopSslKeystoreType("JKS");
@@ -161,7 +167,7 @@ public void testKafkaProduceSSL() throws Exception {
         String messageStrPrefix = "Message_Kop_KafkaProduceKafkaConsume_" + partitionNumber + "_";
 
         @Cleanup
-        SslProducer kProducer = new SslProducer(topicName, getKafkaBrokerPortTls(),
+        SslProducer kProducer = new SslProducer(topicName, getKafkaBrokerPortTls(), withCertHost,
                 kopClientTruststoreLocation, kopClientTruststorePassword);
 
         for (int i = 0; i < totalMsgs; i++) {
@@ -196,7 +202,8 @@ public static class SslProducer implements Closeable {
         private final KafkaProducer<Integer, String> producer;
         private final String topic;
 
-        public SslProducer(String topic, int port, String truststoreLocation, String truststorePassword) {
+        public SslProducer(String topic, int port, boolean withCertHost, String truststoreLocation,
+                           String truststorePassword) {
             Properties props = new Properties();
             props.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost" + ":" + port);
             props.put(ProducerConfig.CLIENT_ID_CONFIG, "DemoKafkaOnPulsarProducerSSL");
@@ -209,7 +216,7 @@ public SslProducer(String topic, int port, String truststoreLocation, String tru
             props.put("ssl.truststore.password", truststorePassword);
 
             // default is https, here need to set empty.
-            props.put("ssl.endpoint.identification.algorithm", "");
+            props.put("ssl.endpoint.identification.algorithm", withCertHost ? "HTTPS" : "");
 
             producer = new KafkaProducer<>(props);
             this.topic = topic;
@@ -241,7 +248,7 @@ public void basicProduceAndConsumeWithTxTest() throws Exception {
         producerProps.put("ssl.truststore.password", kopClientTruststorePassword);
 
         // default is https, here need to set empty.
-        producerProps.put("ssl.endpoint.identification.algorithm", "");
+        producerProps.put("ssl.endpoint.identification.algorithm", withCertHost ? "HTTPS" : "");
 
         @Cleanup
         KafkaProducer<Integer, String> producer = new KafkaProducer<>(producerProps);
@@ -294,7 +301,7 @@ public void basicProduceAndConsumeWithTxTest() throws Exception {
         consumerProps.put("ssl.truststore.password", kopClientTruststorePassword);
 
         // default is https, here need to set empty.
-        consumerProps.put("ssl.endpoint.identification.algorithm", "");
+        consumerProps.put("ssl.endpoint.identification.algorithm", withCertHost ? "HTTPS" : "");
 
         final int totalMessageCount = totalTxnCount * messageCountPerTxn;
 

tests/src/test/java/io/streamnative/pulsar/handlers/kop/KafkaSSLChannelWithClientAuthTest.java

@@ -159,9 +159,6 @@ public SslProducer(String topic, int port) {
             props.put("ssl.keystore.location", "./src/test/resources/ssl/certificate/client.keystore.jks");
             props.put("ssl.keystore.password", "client");
 
-            // default is https, here need to set empty.
-            props.put("ssl.endpoint.identification.algorithm", "");
-
             producer = new KafkaProducer<>(props);
             this.topic = topic;
         }

tests/src/test/java/io/streamnative/pulsar/handlers/kop/KopProtocolHandlerTestBase.java

@@ -122,6 +122,8 @@ public abstract class KopProtocolHandlerTestBase {
     @Getter
     protected int kafkaProxyPort = PortManager.nextFreePort();
     @Getter
+    protected int kafkaProxyPortTls = PortManager.nextFreePort();
+    @Getter
     protected int kafkaBrokerPortTls = PortManager.nextFreePort();
     @Getter
     protected int kafkaSchemaRegistryPort = PortManager.nextFreePort();
@@ -886,7 +888,7 @@ protected void startProxy() throws Exception {
         ProxyConfiguration proxyConfiguration = ConfigurationUtils.create(config, ProxyConfiguration.class);
 
         proxyConfiguration.getProperties().put("kafkaListeners",
-                PLAINTEXT_PREFIX + "localhost:" + kafkaProxyPort + ",");
+                PLAINTEXT_PREFIX + "localhost:" + kafkaProxyPort + "," + SSL_PREFIX + "localhost:" + kafkaProxyPortTls);
         proxyConfiguration.setBrokerWebServiceURL("http://localhost:" + getBrokerWebservicePort());
 
         // Map Pulsar port to KOP port

tests/src/test/java/io/streamnative/pulsar/handlers/kop/docker/PulsarContainer.java

@@ -140,18 +140,21 @@ public void start() throws Exception {
 
         // for KOP broker to broker communications via TLS
         pulsarContainer.withEnv("PULSAR_PREFIX_kopSslTruststoreLocation", "/pulsar/conf/ca.jks");
-        pulsarContainer.withEnv("PULSAR_PREFIX_kopSslTruststorePassword", "");
+        pulsarContainer.withEnv("PULSAR_PREFIX_kopSslTruststorePassword", "pulsar");
 
         pulsarContainer.withEnv("PULSAR_PREFIX_brokerServiceURLTLS", "pulsar+ssl://pulsar:6651");
         pulsarContainer.withEnv("PULSAR_PREFIX_brokerWebServiceURLTLS", "https://pulsar:8443");
         pulsarContainer.withEnv("PULSAR_PREFIX_brokerServicePortTls", "6651");
         pulsarContainer.withEnv("PULSAR_PREFIX_webServicePortTls", "8443");
 
-        pulsarContainer.withEnv("PULSAR_PREFIX_tlsAllowInsecureConnection", "true");
-        pulsarContainer.withEnv("PULSAR_PREFIX_tlsHostnameVerificationEnabled", "false");
+        pulsarContainer.withEnv("PULSAR_PREFIX_tlsAllowInsecureConnection", "false");
+        pulsarContainer.withEnv("PULSAR_PREFIX_tlsHostnameVerificationEnabled", "true");
 
         pulsarContainer.withEnv("PULSAR_PREFIX_kopTlsEnabledWithBroker", "true");
         pulsarContainer.withEnv("PULSAR_PREFIX_tlsEnabledWithBroker", "true");
+        pulsarContainer.withEnv("PULSAR_PREFIX_brokerClientTlsEnabledWithKeyStore", "true");
+        pulsarContainer.withEnv("PULSAR_PREFIX_brokerClientTlsTrustStore", "/pulsar/conf/ca.jks");
+        pulsarContainer.withEnv("PULSAR_PREFIX_brokerClientTlsTrustStorePassword", "pulsar");
         pulsarContainer.withEnv("PULSAR_PREFIX_brokerServiceURLTLS", "pulsar+ssl://pulsar:6651");
         pulsarContainer.withEnv("PULSAR_PREFIX_brokerWebServiceURLTLS", "https://pulsar:8443");
     }
@@ -246,10 +249,13 @@ public void start() throws Exception {
             // Proxy to broker communication
             proxyContainer.withEnv("PULSAR_PREFIX_kopTlsEnabledWithBroker", "true");
             proxyContainer.withEnv("PULSAR_PREFIX_tlsEnabledWithBroker", "true");
+            proxyContainer.withEnv("PULSAR_PREFIX_brokerClientTlsEnabledWithKeyStore", "true");
+            proxyContainer.withEnv("PULSAR_PREFIX_brokerClientTlsTrustStore", "/pulsar/conf/ca.jks");
+            proxyContainer.withEnv("PULSAR_PREFIX_brokerClientTlsTrustStorePassword", "pulsar");
             proxyContainer.withEnv("PULSAR_PREFIX_kopSslTruststoreLocation", "/pulsar/conf/ca.jks");
             proxyContainer.withEnv("PULSAR_PREFIX_kopSslTruststorePassword", "pulsar");
-            proxyContainer.withEnv("PULSAR_PREFIX_tlsAllowInsecureConnection", "true");
-            proxyContainer.withEnv("PULSAR_PREFIX_tlsHostnameVerificationEnabled", "false");
+            proxyContainer.withEnv("PULSAR_PREFIX_tlsAllowInsecureConnection", "false");
+            proxyContainer.withEnv("PULSAR_PREFIX_tlsHostnameVerificationEnabled", "true");
         }
 
         proxyContainer.start();