aratno commented on code in PR #2969:
URL: https://github.com/apache/cassandra/pull/2969#discussion_r1444983375
##########
src/java/org/apache/cassandra/transport/messages/StartupMessage.java:
##########
@@ -118,8 +121,29 @@ else if (compression.equals("lz4"))
clientState.setDriverVersion(options.get(DRIVER_VERSION));
}
- if (DatabaseDescriptor.getAuthenticator().requireAuthentication())
+ IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
+ if (authenticator.requireAuthentication()) {
+ // If the authenticator supports early certificate authentication,
attempt to authenticate with certificates.
+ if (authenticator.supportsEarlyCertificateAuthentication()) {
+ IAuthenticator.SaslNegotiator negotiator = ((ServerConnection)
connection).getSaslNegotiator(state);
+ // If the negotiator determines that certificate
authentication is required, attempt to authenticate on it.
+ if (negotiator.requiresCertificateAuthentication()) {
+ // Attempt to authenticate the user.
+ return AuthUtil.handleLogin(connection, state,
EMPTY_CLIENT_RESPONSE, (negotiationComplete, challenge) ->
+ {
+ if (negotiationComplete) {
+ // Authentication was successful, proceed.
+ return new ReadyMessage();
+ } else {
+ // It's expected that any negotiator that requires
a challenge will likely not support early
+ // certificate authentication, in this case we can
just go through the traditional auth flow.
+ return new
AuthenticateMessage(DatabaseDescriptor.getAuthenticator().getClass().getName());
Review Comment:
Just occurred to me - if we're in the "fallback" part of a
client-cert-fallback-to-credentials authenticator, shouldn't the client not
need to know that it's a custom authenticator, and just receive an AUTHENTICATE
with PasswordAuthenticator? Otherwise, we'd have to make sure all clients are
aware of a new authenticator.
Doesn't seem like a new issue with this code, just wondering how we handle
this.
##########
test/unit/org/apache/cassandra/transport/EarlyCertificateAuthenticationTest.java:
##########
@@ -0,0 +1,195 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.transport;
+
+import java.io.IOException;
+import java.util.Map;
+import java.util.concurrent.TimeoutException;
+import java.util.function.Consumer;
+
+import com.google.common.collect.ImmutableMap;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import org.apache.cassandra.auth.AuthCacheService;
+import org.apache.cassandra.auth.IAuthenticator;
+import org.apache.cassandra.auth.MutualTlsAuthenticator;
+import org.apache.cassandra.auth.SpiffeCertificateValidator;
+import org.apache.cassandra.config.EncryptionOptions;
+import org.apache.cassandra.config.ParameterizedClass;
+import org.apache.cassandra.cql3.CQLTester;
+import org.apache.cassandra.cql3.QueryProcessor;
+import org.apache.cassandra.exceptions.AuthenticationException;
+import org.apache.cassandra.transport.messages.ErrorMessage;
+import org.apache.cassandra.transport.messages.ReadyMessage;
+import org.apache.cassandra.transport.messages.StartupMessage;
+
+import static org.apache.cassandra.auth.AuthTestUtils.addIdentityToRole;
+import static
org.apache.cassandra.auth.AuthTestUtils.truncateIdentityRolesTable;
+import static
org.apache.cassandra.transport.messages.StartupMessage.CQL_VERSION;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+import static org.psjava.util.AssertStatus.assertTrue;
+
+/**
+ * Verifies the behavior of Cassandra given an authenticator returning
+ * {@link IAuthenticator#supportsEarlyCertificateAuthentication()} as
<code>true</code>.
+ */
+public class EarlyCertificateAuthenticationTest extends CQLTester
+{
+
+ // configures server with client encryption enabled.
+ static final Consumer<Server.Builder> serverConfigurator = server ->
server.withTlsEncryptionPolicy(EncryptionOptions.TlsEncryptionPolicy.ENCRYPTED);
+
+ static final Map<String, String> authenticatorParams =
ImmutableMap.of("validator_class_name",
SpiffeCertificateValidator.class.getSimpleName());
+
+ // identity present in the client cert being used.
+ static final String spiffeIdentity =
"spiffe://test.cassandra.apache.org/unitTest/mtls";
+
+ @BeforeClass
+ public static void setup()
+ {
+ setupWithAuthenticator(new
MutualTlsAuthenticator(authenticatorParams));
+ }
+
+ static void setupWithAuthenticator(IAuthenticator authenticator)
+ {
+ requireNativeProtocolClientEncryption();
+ requireNetwork(serverConfigurator, cluster -> {
+ });
+ requireAuthentication(authenticator);
+ }
+
+ @Before
+ public void initNetwork() throws IOException, TimeoutException
+ {
+ truncateIdentityRolesTable();
+ AuthCacheService.instance.invalidateCaches();
+ AuthCacheService.instance.warmCaches();
+ reinitializeNetwork(serverConfigurator, cluster -> {
+ });
+ }
+
+ private EncryptionOptions clientEncryptionOptions(boolean
presentClientCertificate)
+ {
+ // To regenerate:
+ // 1. generate keystore
+ // keytool -genkeypair -keystore
test/conf/cassandra_ssl_test_spiffe.keystore -validity 100000 -keyalg RSA
-dname "CN=Apache Cassandra, OU=ssl_test, O=Unknown, L=Unknown, ST=Unknown,
C=Unknown" -keypass cassandra -storepass cassandra -alias spiffecert -ext
SAN=URI:spiffe://test.cassandra.apache.org/unitTest/mtls -storetype jks
+ // 2. export cert
+ // keytool -export -alias spiffecert -file spiffecert.cer -keystore
test/conf/cassandra_ssl_test_spiffe.keystore
+ // 3. import cert into truststore
+ // keytool -import -v -trustcacerts -alias spiffecert -file
spiffecert.cer -keystore test/conf/cassandra_ssl_test.truststore
Review Comment:
Thanks for including this!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
