Local SaslHandshakeV1

Author: everesio

README.md

@@ -359,8 +359,8 @@ spec:
 * [X] Registry for built-in plugins
 * [X] Client cert check
 * [X] Set TLS server CipherSuites and CurvePreferences
-* [ ] Optional ApiVersionsRequest before Local SASL Authentication Sequence
-* [ ] SaslHandshakeRequest v1 - Kafka 1.1.0
+* [X] Optional ApiVersionsRequest before Local SASL Authentication Sequence
+* [X] SaslHandshakeRequest v1 - Kafka 1.0.0
 * [X] Connect to Kafka through SOCKS5 Proxy
 * [ ] Performance tests and tuning
 * [ ] Socket buffer sizing e.g. SO_RCVBUF = 32768, SO_SNDBUF = 131072

proxy/processor_default.go

@@ -53,9 +53,17 @@ func (handler *DefaultRequestHandler) handleRequest(dst DeadlineWriter, src Dead
 		} else {
 			switch requestKeyVersion.ApiKey {
 			case apiKeySaslHandshake:
-				//TODO: this is only V0 version
-				if err = ctx.localSasl.receiveAndSendSASLPlainAuth(src, keyVersionBuf); err != nil {
-					return true, err
+				switch requestKeyVersion.ApiVersion {
+				case 0:
+					if err = ctx.localSasl.receiveAndSendSASLPlainAuthV0(src, keyVersionBuf); err != nil {
+						return true, err
+					}
+				case 1:
+					if err = ctx.localSasl.receiveAndSendSASLPlainAuthV1(src, keyVersionBuf); err != nil {
+						return true, err
+					}
+				default:
+					return true, fmt.Errorf("only saslHandshake version 0 and 1 are supported, got version %d", requestKeyVersion.ApiVersion)
 				}
 				ctx.localSaslDone = true
 				src.SetDeadline(time.Time{})

proxy/protocol/packet_decoder.go

@@ -13,6 +13,7 @@ type packetDecoder interface {
 	getArrayLength() (int, error)
 	getBool() (bool, error)
 
+	getBytes() ([]byte, error)
 	getString() (string, error)
 	getNullableString() (*string, error)
 	getInt32Array() ([]int32, error)

proxy/protocol/packet_encoder.go

@@ -13,6 +13,7 @@ type packetEncoder interface {
 	putArrayLength(in int) error
 	putBool(in bool)
 
+	putBytes(in []byte) error
 	putString(in string) error
 	putNullableString(in *string) error
 	putStringArray(in []string) error

proxy/protocol/prep_encoder.go

@@ -46,6 +46,22 @@ func (pe *prepEncoder) putBool(in bool) {
 }
 
 // arrays
+func (pe *prepEncoder) putBytes(in []byte) error {
+	pe.length += 4
+	if in == nil {
+		return nil
+	}
+	return pe.putRawBytes(in)
+}
+
+func (pe *prepEncoder) putRawBytes(in []byte) error {
+	if len(in) > math.MaxInt32 {
+		return PacketEncodingError{fmt.Sprintf("byteslice too long (%d)", len(in))}
+	}
+	pe.length += len(in)
+	return nil
+}
+
 func (pe *prepEncoder) putNullableString(in *string) error {
 	if in == nil {
 		pe.length += 2

proxy/protocol/real_decoder.go

@@ -9,6 +9,7 @@ var errInvalidArrayLength = PacketDecodingError{"invalid array length"}
 var errInvalidStringLength = PacketDecodingError{"invalid string length"}
 var errVarintOverflow = PacketDecodingError{"varint overflow"}
 var errInvalidBool = PacketDecodingError{"invalid bool"}
+var errInvalidByteSliceLength = PacketDecodingError{"invalid byteslice length"}
 
 type realDecoder struct {
 	raw []byte
@@ -100,6 +101,31 @@ func (rd *realDecoder) getBool() (bool, error) {
 
 // collections
 
+func (rd *realDecoder) getBytes() ([]byte, error) {
+	tmp, err := rd.getInt32()
+	if err != nil {
+		return nil, err
+	}
+	if tmp == -1 {
+		return nil, nil
+	}
+
+	return rd.getRawBytes(int(tmp))
+}
+
+func (rd *realDecoder) getRawBytes(length int) ([]byte, error) {
+	if length < 0 {
+		return nil, errInvalidByteSliceLength
+	} else if length > rd.remaining() {
+		rd.off = len(rd.raw)
+		return nil, ErrInsufficientData
+	}
+
+	start := rd.off
+	rd.off += length
+	return rd.raw[start:rd.off], nil
+}
+
 func (rd *realDecoder) getStringLength() (int, error) {
 	length, err := rd.getInt16()
 	if err != nil {

proxy/protocol/real_encoder.go

@@ -50,6 +50,21 @@ func (re *realEncoder) putBool(in bool) {
 
 // collection
 
+func (re *realEncoder) putRawBytes(in []byte) error {
+	copy(re.raw[re.off:], in)
+	re.off += len(in)
+	return nil
+}
+
+func (re *realEncoder) putBytes(in []byte) error {
+	if in == nil {
+		re.putInt32(-1)
+		return nil
+	}
+	re.putInt32(int32(len(in)))
+	return re.putRawBytes(in)
+}
+
 func (re *realEncoder) putString(in string) error {
 	re.putInt16(int16(len(in)))
 	copy(re.raw[re.off:], in)

proxy/protocol/sasl_authenticate.go

@@ -0,0 +1,58 @@
+package protocol
+
+type SaslAuthenticateRequestV0 struct {
+	SaslAuthBytes []byte
+}
+
+func (r *SaslAuthenticateRequestV0) encode(pe packetEncoder) error {
+	if err := pe.putBytes(r.SaslAuthBytes); err != nil {
+		return err
+	}
+	return nil
+}
+func (r *SaslAuthenticateRequestV0) decode(pd packetDecoder) (err error) {
+	if r.SaslAuthBytes, err = pd.getBytes(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (r *SaslAuthenticateRequestV0) key() int16 {
+	return 36
+}
+
+func (r *SaslAuthenticateRequestV0) version() int16 {
+	return 0
+}
+
+type SaslAuthenticateResponseV0 struct {
+	Err           KError
+	ErrMsg        *string
+	SaslAuthBytes []byte
+}
+
+func (r *SaslAuthenticateResponseV0) encode(pe packetEncoder) error {
+	pe.putInt16(int16(r.Err))
+
+	if err := pe.putNullableString(r.ErrMsg); err != nil {
+		return err
+	}
+	return pe.putBytes(r.SaslAuthBytes)
+}
+
+func (r *SaslAuthenticateResponseV0) decode(pd packetDecoder) error {
+	kerr, err := pd.getInt16()
+	if err != nil {
+		return err
+	}
+	r.Err = KError(kerr)
+
+	if r.ErrMsg, err = pd.getNullableString(); err != nil {
+		return err
+	}
+	if r.SaslAuthBytes, err = pd.getBytes(); err != nil {
+		return err
+	}
+	return nil
+}

proxy/protocol/sasl_handshake.go

@@ -1,42 +1,52 @@
 package protocol
 
-type SaslHandshakeRequestV0 struct {
+import "github.com/pkg/errors"
+
+type SaslHandshakeRequestV0orV1 struct {
+	Version   int16 // not encoded / decoded
 	Mechanism string
 }
 
-func (r *SaslHandshakeRequestV0) encode(pe packetEncoder) error {
+func (r *SaslHandshakeRequestV0orV1) encode(pe packetEncoder) error {
+	if r.Version != 0 && r.Version != 1 {
+		return errors.New("SaslHandshakeRequestV0orV1 expects version 0 or 1")
+	}
+
 	if err := pe.putString(r.Mechanism); err != nil {
 		return err
 	}
 	return nil
 }
-func (r *SaslHandshakeRequestV0) decode(pd packetDecoder) (err error) {
+func (r *SaslHandshakeRequestV0orV1) decode(pd packetDecoder) (err error) {
+	if r.Version != 0 && r.Version != 1 {
+		return errors.New("SaslHandshakeRequestV0orV1 expects version 0 or 1")
+	}
 	if r.Mechanism, err = pd.getString(); err != nil {
 		return err
 	}
 
 	return nil
 }
 
-func (r *SaslHandshakeRequestV0) key() int16 {
+func (r *SaslHandshakeRequestV0orV1) key() int16 {
 	return 17
 }
 
-func (r *SaslHandshakeRequestV0) version() int16 {
-	return 0
+func (r *SaslHandshakeRequestV0orV1) version() int16 {
+	return r.Version
 }
 
-type SaslHandshakeResponseV0 struct {
+type SaslHandshakeResponseV0orV1 struct {
 	Err               KError
 	EnabledMechanisms []string
 }
 
-func (r *SaslHandshakeResponseV0) encode(pe packetEncoder) error {
+func (r *SaslHandshakeResponseV0orV1) encode(pe packetEncoder) error {
 	pe.putInt16(int16(r.Err))
 	return pe.putStringArray(r.EnabledMechanisms)
 }
 
-func (r *SaslHandshakeResponseV0) decode(pd packetDecoder) error {
+func (r *SaslHandshakeResponseV0orV1) decode(pd packetDecoder) error {
 	kerr, err := pd.getInt16()
 	if err != nil {
 		return err

proxy/sasl.go

@@ -81,7 +81,7 @@ func (b *SASLPlainAuth) sendAndReceiveSASLPlainHandshake(conn DeadlineReaderWrit
 
 	req := &protocol.Request{
 		ClientID: b.clientID,
-		Body:     &protocol.SaslHandshakeRequestV0{Mechanism: SASLPlain},
+		Body:     &protocol.SaslHandshakeRequestV0orV1{Version: 0, Mechanism: SASLPlain},
 	}
 	reqBuf, err := protocol.Encode(req)
 	if err != nil {
@@ -117,7 +117,7 @@ func (b *SASLPlainAuth) sendAndReceiveSASLPlainHandshake(conn DeadlineReaderWrit
 	if err != nil {
 		return errors.Wrap(err, "Failed to read SASL handshake payload")
 	}
-	res := &protocol.SaslHandshakeResponseV0{}
+	res := &protocol.SaslHandshakeResponseV0orV1{}
 	err = protocol.Decode(payload, res)
 	if err != nil {
 		return errors.Wrap(err, "Failed to parse SASL handshake")