This is an automated email from the ASF dual-hosted git repository.
manikumar pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/trunk by this push:
new 746ab4dc1e3 MINOR: Few cleanups
746ab4dc1e3 is described below
commit 746ab4dc1e3ebccf2fd91ab59d3185319127bfe7
Author: Manikumar Reddy <[email protected]>
AuthorDate: Sat Dec 21 00:48:58 2024 +0530
MINOR: Few cleanups
---
.../security/scram/internals/ScramSaslServer.java | 2 +-
.../scram/internals/ScramSaslServerTest.java | 22 ++++++++++++++++++++++
2 files changed, 23 insertions(+), 1 deletion(-)
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
b/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
index 8be920d9827..2be4c4e24b6 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
@@ -148,7 +148,7 @@ public class ScramSaslServer implements SaslServer {
case RECEIVE_CLIENT_FINAL_MESSAGE:
try {
ClientFinalMessage clientFinalMessage = new
ClientFinalMessage(response);
- if
(!clientFinalMessage.nonce().endsWith(serverFirstMessage.nonce())) {
+ if
(!clientFinalMessage.nonce().equals(serverFirstMessage.nonce())) {
throw new SaslException("Invalid client nonce in
the final client message.");
}
verifyClientProof(clientFinalMessage);
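Review bot: The tightened comparison on the `if` line carries no comment explaining why exact equality is required, and with a commit titled "Few cleanups" the next reader has nothing to stop them relaxing it back to a suffix match; one line above the check would do: `// RFC 5802: the client-final "r=" value must be exactly the combined nonce the server sent in server-first; a suffix match would accept a nonce with arbitrary data prepended.` Note that `serverFirstMessage.nonce()` is read from state set in an earlier step, so the check is only meaningful if that state is guaranteed non-null by the state machine — presumably it is, but that part is outside the hunk. The enclosing `switch` and its method (apparently `evaluateResponse`, judging by the test file) both start and end outside the hunk.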
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/scram/internals/ScramSaslServerTest.java
b/clients/src/test/java/org/apache/kafka/common/security/scram/internals/ScramSaslServerTest.java
index 94b95b0cfdf..e113957d404 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/scram/internals/ScramSaslServerTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/scram/internals/ScramSaslServerTest.java
@@ -123,6 +123,28 @@ public class ScramSaslServerTest {
"Failure message: " + saslException.getMessage());
}
+ @Test
+ public void validateFailedNonceExchangeWithPrependingClientNonce() throws
SaslException {
+ ScramSaslServer spySaslServer = Mockito.spy(saslServer);
+ byte[] clientFirstMsgBytes = clientFirstMessage(USER_A, USER_A);
+ ClientFirstMessage clientFirstMessage = new
ClientFirstMessage(clientFirstMsgBytes);
+
+ byte[] serverFirstMsgBytes =
spySaslServer.evaluateResponse(clientFirstMsgBytes);
+ ServerFirstMessage serverFirstMessage = new
ServerFirstMessage(serverFirstMsgBytes);
+
assertTrue(serverFirstMessage.nonce().startsWith(clientFirstMessage.nonce()),
+ "Nonce in server message should start with client first
message's nonce");
+
+ //send client final message with nonce prepended with
clientFirstMessage's nonce
+ byte[] clientFinalMessage =
clientFinalMessage(clientFirstMessage.nonce() + serverFirstMessage.nonce());
+ Mockito.doNothing()
+
.when(spySaslServer).verifyClientProof(Mockito.any(ScramMessages.ClientFinalMessage.class));
+ SaslException saslException = assertThrows(SaslException.class,
+ () -> spySaslServer.evaluateResponse(clientFinalMessage));
+ assertEquals("Invalid client nonce in the final client message.",
+ saslException.getMessage(),
+ "Failure message: " + saslException.getMessage());
+ }
+
private byte[] clientFirstMessage(String userName, String authorizationId)
{
String nonce = formatter.secureRandomString();
String authorizationField = authorizationId != null ? "a=" +
authorizationId : "";
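Review bot: The comment `//send client final message with nonce prepended with clientFirstMessage's nonce` says what the message looks like but not what regression the test guards, so a later reader cannot tell why this case matters; suggest `// Regression: the server used to accept this via a suffix (endsWith) check; it must require exact nonce equality.` The `Mockito.doNothing().when(spySaslServer).verifyClientProof(...)` stub presumably never fires now, because the nonce check in ScramSaslServer runs before `verifyClientProof` — it is still worth keeping so the test cannot accidentally pass on a proof failure, but a short comment saying so would avoid it looking like dead setup. The `"Failure message: " + saslException.getMessage()` argument to assertEquals repeats the actual value assertEquals already prints, though it mirrors the existing test above and can stay for consistency. The `clientFirstMessage` helper that begins in the trailing context continues outside the hunk.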