feat(krb): added test cases for kerberos authentication

2024-08-09 13:23:43 +08:00 · 2024-08-09 13:23:43 +08:00 · 579c28e9ab
parent f3008c74d8
commit 579c28e9ab
8 changed files with 46 additions and 27 deletions
--- a/.ci/docker-compose-file/docker-compose-kafka.yaml
+++ b/.ci/docker-compose-file/docker-compose-kafka.yaml
@ -16,24 +16,6 @@ services:
    user: "${DOCKER_USER:-root}"
    volumes:
      - /tmp/emqx-ci/emqx-shared-secret:/var/lib/secret
-  kdc:
-    hostname: kdc.emqx.net
-    image:  ghcr.io/emqx/emqx-builder/5.3-9:1.15.7-26.2.5-3-ubuntu22.04
-    container_name: kdc.emqx.net
-    expose:
-      - 88 # kdc
-      - 749 # admin server
-    # ports:
-    #   - 88:88
-    #   - 749:749
-    networks:
-      emqx_bridge:
-    volumes:
-      - /tmp/emqx-ci/emqx-shared-secret:/var/lib/secret
-      - ./kerberos/krb5.conf:/etc/kdc/krb5.conf
-      - ./kerberos/krb5.conf:/etc/krb5.conf
-      - ./kerberos/run.sh:/usr/bin/run.sh
-    command: run.sh
  kafka_1:
    image: wurstmeister/kafka:2.13-2.8.1
    # ports:
@ -76,4 +58,3 @@ services:
      - ./kerberos/krb5.conf:/etc/kdc/krb5.conf
      - ./kerberos/krb5.conf:/etc/krb5.conf
    command: kafka-entrypoint.sh
-
--- a/.ci/docker-compose-file/docker-compose-kdc.yaml
+++ b/.ci/docker-compose-file/docker-compose-kdc.yaml
@ -0,0 +1,21 @@
+version: '3.9'
+
+services:
+  kdc:
+    hostname: kdc.emqx.net
+    image:  ghcr.io/emqx/emqx-builder/5.3-9:1.15.7-26.2.5-3-ubuntu22.04
+    container_name: kdc.emqx.net
+    expose:
+      - 88 # kdc
+      - 749 # admin server
+    # ports:
+    #   - 88:88
+    #   - 749:749
+    networks:
+      emqx_bridge:
+    volumes:
+      - /tmp/emqx-ci/emqx-shared-secret:/var/lib/secret
+      - ./kerberos/krb5.conf:/etc/kdc/krb5.conf
+      - ./kerberos/krb5.conf:/etc/krb5.conf
+      - ./kerberos/run.sh:/usr/bin/run.sh
+    command: run.sh
--- a/.ci/docker-compose-file/kerberos/krb5.conf
+++ b/.ci/docker-compose-file/kerberos/krb5.conf
@ -6,6 +6,7 @@
  rdns = false
  dns_lookup_kdc   = no
  dns_lookup_realm = no
+  default_keytab_name = /var/lib/secret/erlang.keytab

 [realms]
  KDC.EMQX.NET = {
--- a/.ci/docker-compose-file/kerberos/run.sh
+++ b/.ci/docker-compose-file/kerberos/run.sh
@ -6,20 +6,31 @@ echo "Remove old keytabs"
 rm -f /var/lib/secret/kafka.keytab > /dev/null 2>&1
 rm -f /var/lib/secret/rig.keytab > /dev/null 2>&1

+rm -f /var/lib/secret/erlang.keytab > /dev/null 2>&1
+rm -f /var/lib/secret/krb_authn_cli.keytab > /dev/null 2>&1
+
 echo "Create realm"

 kdb5_util -P emqx -r KDC.EMQX.NET create -s

 echo "Add principals"

-kadmin.local -w password -q "add_principal -randkey kafka/kafka-1.emqx.net@KDC.EMQX.NET"
+kadmin.local -w password -q "add_principal -randkey kafka/kafka-1.emqx.net@KDC.EMQX.NET" > /dev/null
 kadmin.local -w password -q "add_principal -randkey rig@KDC.EMQX.NET"  > /dev/null

+# For Kerberos Authn
+kadmin.local -w password -q "add_principal -randkey emqx/erlang.emqx.net@KDC.EMQX.NET" > /dev/null
+kadmin.local -w password -q "add_principal -randkey krb_authn_cli@KDC.EMQX.NET"  > /dev/null
+

 echo "Create keytabs"

 kadmin.local -w password -q "ktadd  -k /var/lib/secret/kafka.keytab -norandkey kafka/kafka-1.emqx.net@KDC.EMQX.NET " > /dev/null
 kadmin.local -w password -q "ktadd  -k /var/lib/secret/rig.keytab -norandkey rig@KDC.EMQX.NET " > /dev/null

+# For Kerberos Authn
+kadmin.local -w password -q "ktadd  -k /var/lib/secret/erlang.keytab -norandkey emqx/erlang.emqx.net@KDC.EMQX.NET " > /dev/null
+kadmin.local -w password -q "ktadd  -k /var/lib/secret/krb_authn_cli.keytab -norandkey krb_authn_cli@KDC.EMQX.NET " > /dev/null
+
 echo STARTING KDC
 /usr/sbin/krb5kdc -n
--- a/apps/emqx_auth_kerberos/docker-ct
+++ b/apps/emqx_auth_kerberos/docker-ct
@ -0,0 +1 @@
+kdc
--- a/apps/emqx_auth_kerberos/test/emqx_authn_kerberos_SUITE.erl
+++ b/apps/emqx_auth_kerberos/test/emqx_authn_kerberos_SUITE.erl
@ -16,15 +16,15 @@

 -define(PATH, [authentication]).

-define(INVALID_SVR_PRINCIPAL, <<"not-exists/emqx-full.test@KDC.EMQX.NET">>).
+-define(INVALID_SVR_PRINCIPAL, <<"not-exists/erlang.emqx.nett@KDC.EMQX.NET">>).

-define(SVR_HOST, "emqx.emqx.net").
-define(SVR_PRINCIPAL, <<"emqx/emqx.emqx.net@KDC.EMQX.NET">>).
-define(SVR_KEYTAB_FILE, <<"/home/firest/server.keytab">>).
+-define(SVR_HOST, "erlang.emqx.net").
+-define(SVR_PRINCIPAL, <<"emqx/erlang.emqx.net@KDC.EMQX.NET">>).
+-define(SVR_KEYTAB_FILE, <<"/var/lib/secret/erlang.keytab">>).

-define(CLI_NAME, "client").
-define(CLI_PRINCIPAL, <<"client@KDC.EMQX.NET">>).
-define(CLI_KEYTAB_FILE, <<"/home/firest/client.keytab">>).
+-define(CLI_NAME, "krb_authn_cli").
+-define(CLI_PRINCIPAL, <<"krb_authn_cli@KDC.EMQX.NET">>).
+-define(CLI_KEYTAB_FILE, <<"/var/lib/secret/krb_authn_cli.keytab">>).

 -define(HOST, "127.0.0.1").
 -define(PORT, 1883).
--- a/apps/emqx_bridge_kafka/docker-ct
+++ b/apps/emqx_bridge_kafka/docker-ct
@ -1,2 +1,3 @@
 toxiproxy
+kdc
 kafka
--- a/scripts/ct/run.sh
+++ b/scripts/ct/run.sh
@ -256,6 +256,9 @@ for dep in ${CT_DEPS}; do
 	couchbase)
 	    FILES+=( '.ci/docker-compose-file/docker-compose-couchbase.yaml' )
 	    ;;
+	kdc)
+	    FILES+=( '.ci/docker-compose-file/docker-compose-kdc.yaml' )
+	    ;;
        *)
            echo "unknown_ct_dependency $dep"
            exit 1