Remove dead SASL offload code from initializer and state machine

This code was the experimental foundation for having the proxy handle
SASL termination and making the authorizedId available to the NetFilter
at backend connection time. It was never enabled and we have since
evolved our thinking around authentication and identity-oriented
filters. We now envision Filters being responsible for SASL termination.
Therefore we are removing the code.

Signed-off-by: Robert Young <[email protected]>

Author: robobario

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/KafkaProxy.java

@@ -200,9 +200,9 @@ public KafkaProxy startup() {
             this.filterChainFactory = new FilterChainFactory(pfr, config.filterDefinitions());
 
             var tlsServerBootstrap = buildServerBootstrap(proxyEventGroup,
-                    new KafkaProxyInitializer(filterChainFactory, pfr, true, endpointRegistry, endpointRegistry, false, Map.of(), apiVersionsService));
+                    new KafkaProxyInitializer(filterChainFactory, pfr, true, endpointRegistry, endpointRegistry, false, apiVersionsService));
             var plainServerBootstrap = buildServerBootstrap(proxyEventGroup,
-                    new KafkaProxyInitializer(filterChainFactory, pfr, false, endpointRegistry, endpointRegistry, false, Map.of(), apiVersionsService));
+                    new KafkaProxyInitializer(filterChainFactory, pfr, false, endpointRegistry, endpointRegistry, false, apiVersionsService));
 
             bindingOperationProcessor.start(plainServerBootstrap, tlsServerBootstrap);
 

…/proxy/internal/SaslDecodePredicate.java …/internal/DelegatingDecodePredicate.javakroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/SaslDecodePredicate.java renamed to kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/DelegatingDecodePredicate.java kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/SaslDecodePredicate.java renamed to kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/DelegatingDecodePredicate.java

@@ -13,32 +13,38 @@
 
 import edu.umd.cs.findbugs.annotations.Nullable;
 
-class SaslDecodePredicate implements DecodePredicate {
+/**
+ * DecodePredicate that:
+ * <ol>
+ *     <li>Always decodes ApiVersions</li>
+ *     <li>Decodes all RPCs initially, until a delegate is installed</li>
+ *     <li>After the delegate is installed, use that to determine if non-ApiVersions RPCs should be decoded</li>
+ * </ol>
+ * The problem this class is solving is:
+ * <ol>
+ *     <li>We want the proxy to avoid deserializing requests and responses "when it doesn't have to".
+ *     So when there isn't a filter which is interested in that request/response API, or API version
+ *     And when the proxy infra itself doesn't need to.</li>
+ *     <li>But it doesn't know, until it's got to the invoking the {@link io.kroxylicious.proxy.filter.NetFilter NetFilter}
+ *     impl and that having called back on the {@link io.kroxylicious.proxy.filter.NetFilter.NetFilterContext NetFilterContext},
+ *     what protocol filters are to be used.</li>
+ *     <li>But it's the {@link io.kroxylicious.proxy.internal.codec.KafkaRequestDecoder KafkaRequestDecoder}
+ *     which needs to know about decodability, and that sits in front of the {@link KafkaProxyFrontendHandler},
+ *     so there's a cyclic dependency.</li>
+ *     <li>It's easier to use this delegation pattern than it is to try to reconfigure
+ *      the predicate on the {@link io.kroxylicious.proxy.internal.codec.KafkaRequestDecoder KafkaRequestDecoder}.</li>
+ * </ol>
+ */
+class DelegatingDecodePredicate implements DecodePredicate {
 
-    private static final Logger LOGGER = LoggerFactory.getLogger(SaslDecodePredicate.class);
+    private static final Logger LOGGER = LoggerFactory.getLogger(DelegatingDecodePredicate.class);
 
-    private final boolean handleSasl;
     private @Nullable DecodePredicate delegate = null;
 
-    SaslDecodePredicate(boolean handleSasl) {
-        this.handleSasl = handleSasl;
+    DelegatingDecodePredicate() {
     }
 
     public void setDelegate(DecodePredicate delegate) {
-        /*
-         * This delegate is ugly. The problem it is solving is:
-         *
-         * 1. We want the proxy to avoid deserializing requests and responses "when it doesn't have to"
-         * * So when there isn't a filter which is interested in that request/response API, or API version
-         * * And when the proxy infra itself doesn't need to
-         * 2. With the SASL offload support the proxy itself (when configured) is interested in the SASL APIs.
-         * 3. But it doesn't know, until it's got to the invoking the `NetFilter` impl and that having called
-         * back on the `NetFilterContext`, what protocol filters are to be used.
-         * 4. But it's the `KafkaDecodeFilter` which needs to know about decodability, and that sits in front
-         * of the `KafkaProxyFrontendHandler`, so there's a cyclic dependency.
-         * 5. It's easier to use this delegation pattern than it is to try to reconfigure
-         * the predicate on the `KafkaDecodeFilter`.
-         */
         LOGGER.debug("Setting delegate {}", delegate);
         this.delegate = delegate;
     }
@@ -56,15 +62,7 @@ public boolean shouldDecodeRequest(ApiKeys apiKey, short apiVersion) {
             // to intercept it
             return true;
         }
-        return isAuthenticationOffloaded(apiKey) || delegate.shouldDecodeRequest(apiKey, apiVersion);
-    }
-
-    private boolean isAuthenticationOffloaded(ApiKeys apiKey) {
-        return isAuthenticationOffloadEnabled() && (apiKey == ApiKeys.SASL_HANDSHAKE || apiKey == ApiKeys.SASL_AUTHENTICATE);
-    }
-
-    public boolean isAuthenticationOffloadEnabled() {
-        return handleSasl;
+        return delegate.shouldDecodeRequest(apiKey, apiVersion);
     }
 
     @Override
@@ -75,7 +73,6 @@ public boolean shouldDecodeResponse(ApiKeys apiKey, short apiVersion) {
     @Override
     public String toString() {
         return "SaslDecodePredicate(" +
-                "handleSasl=" + handleSasl +
                 ", delegate=" + delegate +
                 ')';
     }

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/KafkaProxyFrontendHandler.java

@@ -85,7 +85,7 @@ public class KafkaProxyFrontendHandler
     private final VirtualClusterModel virtualClusterModel;
     private final EndpointBinding endpointBinding;
     private final NetFilter netFilter;
-    private final SaslDecodePredicate dp;
+    private final DelegatingDecodePredicate dp;
     private final ProxyChannelStateMachine proxyChannelStateMachine;
     private final TransportSubjectBuilder subjectBuilder;
 
@@ -131,7 +131,7 @@ SSLSession sslSession() {
 
     KafkaProxyFrontendHandler(
                               NetFilter netFilter,
-                              SaslDecodePredicate dp,
+                              DelegatingDecodePredicate dp,
                               TransportSubjectBuilder subjectBuilder,
                               EndpointBinding endpointBinding,
                               ProxyChannelStateMachine proxyChannelStateMachine) {
@@ -245,7 +245,7 @@ public void channelWritabilityChanged(
     public void channelRead(
                             ChannelHandlerContext ctx,
                             Object msg) {
-        proxyChannelStateMachine.onClientRequest(dp, msg);
+        proxyChannelStateMachine.onClientRequest(msg);
     }
 
     /**

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/KafkaProxyInitializer.java

@@ -7,9 +7,7 @@
 
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Map;
 
-import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -58,7 +56,6 @@ public class KafkaProxyInitializer extends ChannelInitializer<Channel> {
     static final String LOGGING_INBOUND_ERROR_HANDLER_NAME = "loggingInboundErrorHandler";
 
     private final boolean haproxyProtocol;
-    private final Map<KafkaAuthnHandler.SaslMechanism, AuthenticateCallbackHandler> authnHandlers;
     private final boolean tls;
     private final EndpointBindingResolver bindingResolver;
     private final EndpointReconciler endpointReconciler;
@@ -73,12 +70,10 @@ public KafkaProxyInitializer(FilterChainFactory filterChainFactory,
                                  EndpointBindingResolver bindingResolver,
                                  EndpointReconciler endpointReconciler,
                                  boolean haproxyProtocol,
-                                 Map<KafkaAuthnHandler.SaslMechanism, AuthenticateCallbackHandler> authnMechanismHandlers,
                                  ApiVersionsServiceImpl apiVersionsService) {
         this.pfr = pfr;
         this.endpointReconciler = endpointReconciler;
         this.haproxyProtocol = haproxyProtocol;
-        this.authnHandlers = authnMechanismHandlers != null ? authnMechanismHandlers : Map.of();
         this.tls = tls;
         this.bindingResolver = bindingResolver;
         this.filterChainFactory = filterChainFactory;
@@ -198,7 +193,7 @@ void addHandlers(Channel ch, EndpointBinding binding) {
             pipeline.addLast("HAProxyMessageDecoder", new HAProxyMessageDecoder());
         }
 
-        var dp = new SaslDecodePredicate(!authnHandlers.isEmpty());
+        var dp = new DelegatingDecodePredicate();
         // The decoder, this only cares about the filters
         // because it needs to know whether to decode requests
 
@@ -214,12 +209,7 @@ void addHandlers(Channel ch, EndpointBinding binding) {
             pipeline.addLast("frameLogger", new LoggingHandler("io.kroxylicious.proxy.internal.DownstreamFrameLogger", LogLevel.INFO));
         }
 
-        if (!authnHandlers.isEmpty()) {
-            LOGGER.debug("Adding authn handler for handlers {}", authnHandlers);
-            pipeline.addLast(new KafkaAuthnHandler(ch, authnHandlers));
-        }
-
-        final NetFilter netFilter = new InitalizerNetFilter(dp,
+        final NetFilter netFilter = new InitalizerNetFilter(
                 ch,
                 binding,
                 pfr,
@@ -263,7 +253,6 @@ private static void addLoggingErrorHandler(ChannelPipeline pipeline) {
     @VisibleForTesting
     static class InitalizerNetFilter implements NetFilter {
 
-        private final SaslDecodePredicate decodePredicate;
         private final Channel ch;
         private final EndpointGateway gateway;
         private final EndpointBinding binding;
@@ -274,16 +263,14 @@ static class InitalizerNetFilter implements NetFilter {
         private final ApiVersionsIntersectFilter apiVersionsIntersectFilter;
         private final ApiVersionsDowngradeFilter apiVersionsDowngradeFilter;
 
-        InitalizerNetFilter(SaslDecodePredicate decodePredicate,
-                            Channel ch,
+        InitalizerNetFilter(Channel ch,
                             EndpointBinding binding,
                             PluginFactoryRegistry pfr,
                             FilterChainFactory filterChainFactory,
                             List<NamedFilterDefinition> filterDefinitions,
                             EndpointReconciler endpointReconciler,
                             ApiVersionsIntersectFilter apiVersionsIntersectFilter,
                             ApiVersionsDowngradeFilter apiVersionsDowngradeFilter) {
-            this.decodePredicate = decodePredicate;
             this.ch = ch;
             this.gateway = binding.endpointGateway();
             this.binding = binding;
@@ -297,8 +284,7 @@ static class InitalizerNetFilter implements NetFilter {
 
         @Override
         public void selectServer(NetFilter.NetFilterContext context) {
-            List<FilterAndInvoker> apiVersionFilters = decodePredicate.isAuthenticationOffloadEnabled() ? List.of()
-                    : FilterAndInvoker.build("ApiVersionsIntersect (internal)", apiVersionsIntersectFilter);
+            List<FilterAndInvoker> apiVersionFilters = FilterAndInvoker.build("ApiVersionsIntersect (internal)", apiVersionsIntersectFilter);
 
             NettyFilterContext filterContext = new NettyFilterContext(ch.eventLoop(), pfr);
             List<FilterAndInvoker> filterChain = filterChainFactory.createFilters(filterContext, filterDefinitions);

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/ProxyChannelStateMachine.java

@@ -358,17 +358,15 @@ void clientReadComplete() {
 
     /**
      * The proxy has received something from the client. The current state of the session determines what happens to it.
-     * @param dp the decode predicate to be used if the session is still being negotiated
      * @param msg the RPC received from the downstream client
      */
     void onClientRequest(
-                         SaslDecodePredicate dp,
                          Object msg) {
         Objects.requireNonNull(frontendHandler);
         if (state() instanceof Forwarding) { // post-backend connection
             messageFromClient(msg);
         }
-        else if (!onClientRequestBeforeForwarding(dp, msg)) {
+        else if (!onClientRequestBeforeForwarding(msg)) {
             illegalState("Unexpected message received: " + (msg == null ? "null" : "message class=" + msg.getClass()));
         }
     }
@@ -515,20 +513,19 @@ private void toForwarding(Forwarding forwarding) {
 
     /**
      * handle a message received from the client prior to connecting to the upstream node
-     * @param dp DecodePredicate to cope with SASL offload
      * @param msg Message received from the downstream client.
      * @return <code>false</code> for unsupported message types
      */
-    private boolean onClientRequestBeforeForwarding(SaslDecodePredicate dp, Object msg) {
+    private boolean onClientRequestBeforeForwarding(Object msg) {
         Objects.requireNonNull(frontendHandler).bufferMsg(msg);
         if (state() instanceof ProxyChannelState.ClientActive clientActive) {
-            return onClientRequestInClientActiveState(dp, msg, clientActive);
+            return onClientRequestInClientActiveState(msg, clientActive);
         }
         else if (state() instanceof ProxyChannelState.HaProxy haProxy) {
-            return onClientRequestInHaProxyState(dp, msg, haProxy);
+            return onClientRequestInHaProxyState(msg, haProxy);
         }
         else if (state() instanceof ProxyChannelState.ApiVersions apiVersions) {
-            return onClientRequestInApiVersionsState(dp, msg, apiVersions);
+            return onClientRequestInApiVersionsState(msg, apiVersions);
         }
         else if (state() instanceof ProxyChannelState.SelectingServer) {
             return msg instanceof RequestFrame;
@@ -540,35 +537,27 @@ else if (state() instanceof ProxyChannelState.SelectingServer) {
 
     @SuppressWarnings({ "java:S1172", "java:S1135" })
     // We keep dp as we should need it and it gives consistency with the other onClientRequestIn methods (sue me)
-    private boolean onClientRequestInApiVersionsState(SaslDecodePredicate dp, Object msg, ProxyChannelState.ApiVersions apiVersions) {
+    private boolean onClientRequestInApiVersionsState(Object msg, ProxyChannelState.ApiVersions apiVersions) {
         if (msg instanceof RequestFrame) {
-            // TODO if dp.isAuthenticationOffloadEnabled() then we need to forward to that handler
-            // TODO we only do the connection once we know the authenticated identity
             toSelectingServer(apiVersions.toSelectingServer());
             return true;
         }
         return false;
     }
 
-    private boolean onClientRequestInHaProxyState(SaslDecodePredicate dp, Object msg, ProxyChannelState.HaProxy haProxy) {
-        return transitionClientRequest(dp, msg, haProxy::toApiVersions, haProxy::toSelectingServer);
+    private boolean onClientRequestInHaProxyState(Object msg, ProxyChannelState.HaProxy haProxy) {
+        return transitionClientRequest(msg, haProxy::toApiVersions, haProxy::toSelectingServer);
     }
 
     private boolean transitionClientRequest(
-                                            SaslDecodePredicate dp,
                                             Object msg,
                                             Function<DecodedRequestFrame<ApiVersionsRequestData>, ProxyChannelState.ApiVersions> apiVersionsFactory,
                                             Function<DecodedRequestFrame<ApiVersionsRequestData>, ProxyChannelState.SelectingServer> selectingServerFactory) {
         if (isMessageApiVersionsRequest(msg)) {
             // We know it's an API Versions request even if the compiler doesn't
             @SuppressWarnings("unchecked")
             DecodedRequestFrame<ApiVersionsRequestData> apiVersionsFrame = (DecodedRequestFrame<ApiVersionsRequestData>) msg;
-            if (dp.isAuthenticationOffloadEnabled()) {
-                toApiVersions(apiVersionsFactory.apply(apiVersionsFrame), apiVersionsFrame);
-            }
-            else {
-                toSelectingServer(selectingServerFactory.apply(apiVersionsFrame));
-            }
+            toSelectingServer(selectingServerFactory.apply(apiVersionsFrame));
             return true;
         }
         else if (msg instanceof RequestFrame) {
@@ -578,13 +567,13 @@ else if (msg instanceof RequestFrame) {
         return false;
     }
 
-    private boolean onClientRequestInClientActiveState(SaslDecodePredicate dp, Object msg, ProxyChannelState.ClientActive clientActive) {
+    private boolean onClientRequestInClientActiveState(Object msg, ProxyChannelState.ClientActive clientActive) {
         if (msg instanceof HAProxyMessage haProxyMessage) {
             toHaProxy(clientActive.toHaProxy(haProxyMessage));
             return true;
         }
         else {
-            return transitionClientRequest(dp, msg, clientActive::toApiVersions, clientActive::toSelectingServer);
+            return transitionClientRequest(msg, clientActive::toApiVersions, clientActive::toSelectingServer);
         }
     }