MINOR: Few cleanups

omkreddy · omkreddy · commit 746ab4dc1e3e · 2025-01-08T16:01:40.000+05:30
diff --git a/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java b/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
@@ -148,7 +148,7 @@ public byte[] evaluateResponse(byte[] response) throws SaslException, SaslAuthen
                 case RECEIVE_CLIENT_FINAL_MESSAGE:
                     try {
                         ClientFinalMessage clientFinalMessage = new ClientFinalMessage(response);
-                        if (!clientFinalMessage.nonce().endsWith(serverFirstMessage.nonce())) {
+                        if (!clientFinalMessage.nonce().equals(serverFirstMessage.nonce())) {
                             throw new SaslException("Invalid client nonce in the final client message.");
                         }
                         verifyClientProof(clientFinalMessage);
diff --git a/clients/src/test/java/org/apache/kafka/common/security/scram/internals/ScramSaslServerTest.java b/clients/src/test/java/org/apache/kafka/common/security/scram/internals/ScramSaslServerTest.java
@@ -123,6 +123,28 @@ public void validateFailedNonceExchange() throws SaslException {
             "Failure message: " + saslException.getMessage());
     }
 
+    @Test
+    public void validateFailedNonceExchangeWithPrependingClientNonce() throws SaslException {
+        ScramSaslServer spySaslServer = Mockito.spy(saslServer);
+        byte[] clientFirstMsgBytes = clientFirstMessage(USER_A, USER_A);
+        ClientFirstMessage clientFirstMessage = new ClientFirstMessage(clientFirstMsgBytes);
+
+        byte[] serverFirstMsgBytes = spySaslServer.evaluateResponse(clientFirstMsgBytes);
+        ServerFirstMessage serverFirstMessage = new ServerFirstMessage(serverFirstMsgBytes);
+        assertTrue(serverFirstMessage.nonce().startsWith(clientFirstMessage.nonce()),
+                "Nonce in server message should start with client first message's nonce");
+
+        //send client final message with nonce prepended with clientFirstMessage's nonce
+        byte[] clientFinalMessage = clientFinalMessage(clientFirstMessage.nonce() + serverFirstMessage.nonce());
+        Mockito.doNothing()
+                .when(spySaslServer).verifyClientProof(Mockito.any(ScramMessages.ClientFinalMessage.class));
+        SaslException saslException = assertThrows(SaslException.class,
+                () -> spySaslServer.evaluateResponse(clientFinalMessage));
+        assertEquals("Invalid client nonce in the final client message.",
+                saslException.getMessage(),
+                "Failure message: " + saslException.getMessage());
+    }
+
     private byte[] clientFirstMessage(String userName, String authorizationId) {
         String nonce = formatter.secureRandomString();
         String authorizationField = authorizationId != null ? "a=" + authorizationId : "";

Original file line number	Diff line number	Diff line change
`@@ -148,7 +148,7 @@ public byte[] evaluateResponse(byte[] response) throws SaslException, SaslAuthen`
`148`	`148`	`case RECEIVE_CLIENT_FINAL_MESSAGE:`
`149`	`149`	`try {`
`150`	`150`	`ClientFinalMessage clientFinalMessage = new ClientFinalMessage(response);`
`151`		`- if (!clientFinalMessage.nonce().endsWith(serverFirstMessage.nonce())) {`
	`151`	`+ if (!clientFinalMessage.nonce().equals(serverFirstMessage.nonce())) {`
`152`	`152`	`throw new SaslException("Invalid client nonce in the final client message.");`
`153`	`153`	`}`
`154`	`154`	`verifyClientProof(clientFinalMessage);`