Local SaslAuthV0

everesio · everesio · commit 2e0561ecb1c4 · 2018-05-10T12:12:22.000+02:00
diff --git a/proxy/processor.go b/proxy/processor.go
@@ -16,7 +16,8 @@ const (
 	defaultReadTimeout        = 30 * time.Second
 	minOpenRequests           = 16
 
-	apiKeySaslHandshake = int16(17)
+	apiKeySaslHandshake  = int16(17)
+	apiKeyApiApiVersions = int16(18)
 
 	minRequestApiKey = int16(0)   // 0 - Produce
 	maxRequestApiKey = int16(100) // so far 42 is the last (reserve some for the feature)
@@ -81,8 +82,7 @@ func newProcessor(cfg ProcessorConfig, brokerAddress string) *processor {
 	if readTimeout <= 0 {
 		readTimeout = defaultReadTimeout
 	}
-	// in most use cases there will be only one entry in the nextRequestHandlerChannel channel
-	nextRequestHandlerChannel := make(chan RequestHandler, minOpenRequests)
+	nextRequestHandlerChannel := make(chan RequestHandler, 1)
 	nextResponseHandlerChannel := make(chan ResponseHandler, maxOpenRequests+1)
 
 	// initial handlers -> standard kafka message arrives always as first
@@ -112,14 +112,6 @@ func (p *processor) RequestsLoop(dst DeadlineWriter, src DeadlineReaderWriter) (
 			return true, err
 		}
 	}
-	if p.localSasl.enabled {
-		//TODO: when localSasl is enabled SASL is mandadory - we need authorized e.g. in RequestsLoopContext (mutex ?)
-		//TODO: before SASL only ApiVersions is required
-		//TODO: SASL can be done only once
-		if err = p.localSasl.receiveAndSendSASLPlainAuth(src); err != nil {
-			return true, err
-		}
-	}
 	src.SetDeadline(time.Time{})
 
 	ctx := &RequestsLoopContext{
@@ -130,6 +122,8 @@ func (p *processor) RequestsLoop(dst DeadlineWriter, src DeadlineReaderWriter) (
 		brokerAddress:              p.brokerAddress,
 		forbiddenApiKeys:           p.forbiddenApiKeys,
 		buf:                        make([]byte, p.requestBufferSize),
+		localSasl:                  p.localSasl,
+		localSaslDone:              false, // sequential processing - mutex is required
 	}
 
 	return ctx.requestsLoop(dst, src)
@@ -144,9 +138,23 @@ type RequestsLoopContext struct {
 	brokerAddress    string
 	forbiddenApiKeys map[int16]struct{}
 	buf              []byte // bufSize
+
+	localSasl     *LocalSasl
+	localSaslDone bool
+}
+
+// used by local authentication
+func (ctx *RequestsLoopContext) putNextRequestHandler(nextRequestHandler RequestHandler) error {
+
+	select {
+	case ctx.nextRequestHandlerChannel <- nextRequestHandler:
+	default:
+		return errors.New("next request handler channel is full")
+	}
+	return nil
 }
 
-func (ctx *RequestsLoopContext) nextHandlers(nextRequestHandler RequestHandler, nextResponseHandler ResponseHandler) error {
+func (ctx *RequestsLoopContext) putNextHandlers(nextRequestHandler RequestHandler, nextResponseHandler ResponseHandler) error {
 
 	select {
 	case ctx.nextRequestHandlerChannel <- nextRequestHandler:
@@ -157,8 +165,7 @@ func (ctx *RequestsLoopContext) nextHandlers(nextRequestHandler RequestHandler,
 	select {
 	case ctx.nextResponseHandlerChannel <- nextResponseHandler:
 	default:
-		// timer.Stop() will be invoked only after nextHandlers is finished
-		timer := time.NewTimer(openRequestReceiveTimeout) // reuse openRequestReceiveTimeout
+		timer := time.NewTimer(openRequestSendTimeout)
 		defer timer.Stop()
 
 		select {
@@ -170,19 +177,27 @@ func (ctx *RequestsLoopContext) nextHandlers(nextRequestHandler RequestHandler,
 	return nil
 }
 
+func (r *RequestsLoopContext) getNextRequestHandler() (RequestHandler, error) {
+	select {
+	case nextRequestHandler := <-r.nextRequestHandlerChannel:
+		return nextRequestHandler, nil
+	default:
+		return nil, errors.New("next request handler is missing")
+	}
+}
+
 type RequestHandler interface {
-	handleRequest(dst DeadlineWriter, src DeadlineReader, ctx *RequestsLoopContext) (readErr bool, err error)
+	handleRequest(dst DeadlineWriter, src DeadlineReaderWriter, ctx *RequestsLoopContext) (readErr bool, err error)
 }
 
-func (r *RequestsLoopContext) requestsLoop(dst DeadlineWriter, src DeadlineReader) (readErr bool, err error) {
+func (r *RequestsLoopContext) requestsLoop(dst DeadlineWriter, src DeadlineReaderWriter) (readErr bool, err error) {
+	var nextRequestHandler RequestHandler
 	for {
-		select {
-		case nextRequestHandler := <-r.nextRequestHandlerChannel:
-			if readErr, err = nextRequestHandler.handleRequest(dst, src, r); err != nil {
-				return readErr, err
-			}
-		default:
-			return false, errors.New("internal error: next request handler expected")
+		if nextRequestHandler, err = r.getNextRequestHandler(); err != nil {
+			return false, nil
+		}
+		if readErr, err = nextRequestHandler.handleRequest(dst, src, r); err != nil {
+			return readErr, err
 		}
 	}
 }
@@ -213,11 +228,30 @@ type ResponseHandler interface {
 }
 
 func (r *ResponsesLoopContext) responsesLoop(dst DeadlineWriter, src DeadlineReader) (readErr bool, err error) {
+	var nextResponseHandler ResponseHandler
 	for {
-		//TODO: timeout noting was received
-		nextResponseHandler := <-r.nextResponseHandlerChannel
+		if nextResponseHandler, err = r.getNextResponseHandler(); err != nil {
+			return false, err
+		}
 		if readErr, err = nextResponseHandler.handleResponse(dst, src, r); err != nil {
 			return readErr, err
 		}
 	}
 }
+
+func (r *ResponsesLoopContext) getNextResponseHandler() (ResponseHandler, error) {
+	select {
+	case handler := <-r.nextResponseHandlerChannel:
+		return handler, nil
+	default:
+		timer := time.NewTimer(openRequestReceiveTimeout)
+		defer timer.Stop()
+
+		select {
+		case handler := <-r.nextResponseHandlerChannel:
+			return handler, nil
+		case <-timer.C:
+			return nil, errors.New("next response handler is missing")
+		}
+	}
+}
diff --git a/proxy/processor_default.go b/proxy/processor_default.go
@@ -15,7 +15,7 @@ type DefaultRequestHandler struct {
 type DefaultResponseHandler struct {
 }
 
-func (handler *DefaultRequestHandler) handleRequest(dst DeadlineWriter, src DeadlineReader, ctx *RequestsLoopContext) (readErr bool, err error) {
+func (handler *DefaultRequestHandler) handleRequest(dst DeadlineWriter, src DeadlineReaderWriter, ctx *RequestsLoopContext) (readErr bool, err error) {
 	// logrus.Println("Await Kafka request")
 
 	// waiting for first bytes or EOF - reset deadlines
@@ -45,6 +45,31 @@ func (handler *DefaultRequestHandler) handleRequest(dst DeadlineWriter, src Dead
 		return true, fmt.Errorf("api key %d is forbidden", requestKeyVersion.ApiKey)
 	}
 
+	if ctx.localSasl.enabled {
+		if ctx.localSaslDone {
+			if requestKeyVersion.ApiKey == apiKeySaslHandshake {
+				return false, errors.New("SASL Auth was already done")
+			}
+		} else {
+			switch requestKeyVersion.ApiKey {
+			case apiKeySaslHandshake:
+				//TODO: this is only V0 version
+				if err = ctx.localSasl.receiveAndSendSASLPlainAuth(src, keyVersionBuf); err != nil {
+					return true, err
+				}
+				ctx.localSaslDone = true
+				src.SetDeadline(time.Time{})
+
+				// defaultRequestHandler was consumed but due to local handling enqueued defaultResponseHandler will not be.
+				return false, ctx.putNextRequestHandler(defaultRequestHandler)
+			case apiKeyApiApiVersions:
+				// continue processing
+			default:
+				return false, errors.New("SASL Auth is required. Only SaslHandshake or ApiVersions requests are allowed")
+			}
+		}
+	}
+
 	// send inFlightRequest to channel before myCopyN to prevent race condition in proxyResponses
 	if err = sendRequestKeyVersion(ctx.openRequestsChannel, openRequestSendTimeout, requestKeyVersion); err != nil {
 		return true, err
@@ -69,19 +94,12 @@ func (handler *DefaultRequestHandler) handleRequest(dst DeadlineWriter, src Dead
 		return readErr, err
 	}
 	if requestKeyVersion.ApiKey == apiKeySaslHandshake {
-		if requestKeyVersion.ApiVersion == 0 {
-			if err = ctx.nextHandlers(saslAuthV0RequestHandler, saslAuthV0ResponseHandler); err != nil {
-				return false, err
-			}
-			return false, nil
-		} else {
+		if requestKeyVersion.ApiVersion != 0 {
 			return false, errors.New("only SASL V0 Handshake is supported")
 		}
+		return false, ctx.putNextHandlers(saslAuthV0RequestHandler, saslAuthV0ResponseHandler)
 	}
-	if err = ctx.nextHandlers(defaultRequestHandler, defaultResponseHandler); err != nil {
-		return false, err
-	}
-	return false, nil
+	return false, ctx.putNextHandlers(defaultRequestHandler, defaultResponseHandler)
 }
 
 func (handler *DefaultResponseHandler) handleResponse(dst DeadlineWriter, src DeadlineReader, ctx *ResponsesLoopContext) (readErr bool, err error) {
diff --git a/proxy/processor_sasl_auth_v0.go b/proxy/processor_sasl_auth_v0.go
@@ -14,11 +14,11 @@ type SaslAuthV0RequestHandler struct {
 type SaslAuthV0ResponseHandler struct {
 }
 
-func (handler *SaslAuthV0RequestHandler) handleRequest(dst DeadlineWriter, src DeadlineReader, ctx *RequestsLoopContext) (readErr bool, err error) {
+func (handler *SaslAuthV0RequestHandler) handleRequest(dst DeadlineWriter, src DeadlineReaderWriter, ctx *RequestsLoopContext) (readErr bool, err error) {
 	if readErr, err = copySaslAuthRequest(dst, src, ctx.timeout, ctx.buf); err != nil {
 		return readErr, err
 	}
-	if err = ctx.nextHandlers(defaultRequestHandler, defaultResponseHandler); err != nil {
+	if err = ctx.putNextHandlers(defaultRequestHandler, defaultResponseHandler); err != nil {
 		return false, err
 	}
 	return false, nil
diff --git a/proxy/sasl_local.go b/proxy/sasl_local.go
@@ -19,8 +19,8 @@ type LocalSasl struct {
 	localAuthenticator apis.PasswordAuthenticator
 }
 
-func (p *LocalSasl) receiveAndSendSASLPlainAuth(conn DeadlineReaderWriter) (err error) {
-	if err = p.receiveAndSendSasl(conn); err != nil {
+func (p *LocalSasl) receiveAndSendSASLPlainAuth(conn DeadlineReaderWriter, readKeyVersionBuf []byte) (err error) {
+	if err = p.receiveAndSendSasl(conn, readKeyVersionBuf); err != nil {
 		return err
 	}
 	if err = p.receiveAndSendAuth(conn); err != nil {
@@ -29,17 +29,17 @@ func (p *LocalSasl) receiveAndSendSASLPlainAuth(conn DeadlineReaderWriter) (err
 	return nil
 }
 
-func (p *LocalSasl) receiveAndSendSasl(conn DeadlineReaderWriter) (err error) {
+func (p *LocalSasl) receiveAndSendSasl(conn DeadlineReaderWriter, keyVersionBuf []byte) (err error) {
 	requestDeadline := time.Now().Add(p.timeout)
 	err = conn.SetDeadline(requestDeadline)
 	if err != nil {
 		return err
 	}
 
-	keyVersionBuf := make([]byte, 8) // Size => int32 + ApiKey => int16 + ApiVersion => int16
-	if _, err = io.ReadFull(conn, keyVersionBuf); err != nil {
-		return err
+	if len(keyVersionBuf) != 8 {
+		return errors.New("length of keyVersionBuf should be 8")
 	}
+	// keyVersionBuf has already been read from connection
 	requestKeyVersion := &protocol.RequestKeyVersion{}
 	if err = protocol.Decode(keyVersionBuf, requestKeyVersion); err != nil {
 		return err

Original file line number	Diff line number	Diff line change
`@@ -14,11 +14,11 @@ type SaslAuthV0RequestHandler struct {`
`14`	`14`	`type SaslAuthV0ResponseHandler struct {`
`15`	`15`	`}`
`16`	`16`
`17`		`-func (handler SaslAuthV0RequestHandler) handleRequest(dst DeadlineWriter, src DeadlineReader, ctx RequestsLoopContext) (readErr bool, err error) {`
	`17`	`+func (handler SaslAuthV0RequestHandler) handleRequest(dst DeadlineWriter, src DeadlineReaderWriter, ctx RequestsLoopContext) (readErr bool, err error) {`
`18`	`18`	`if readErr, err = copySaslAuthRequest(dst, src, ctx.timeout, ctx.buf); err != nil {`
`19`	`19`	`return readErr, err`
`20`	`20`	`}`
`21`		`- if err = ctx.nextHandlers(defaultRequestHandler, defaultResponseHandler); err != nil {`
	`21`	`+ if err = ctx.putNextHandlers(defaultRequestHandler, defaultResponseHandler); err != nil {`
`22`	`22`	`return false, err`
`23`	`23`	`}`
`24`	`24`	`return false, nil`
Original file line number	Diff line number	Diff line change
`@@ -19,8 +19,8 @@ type LocalSasl struct {`
`19`	`19`	`localAuthenticator apis.PasswordAuthenticator`
`20`	`20`	`}`
`21`	`21`
`22`		`-func (p *LocalSasl) receiveAndSendSASLPlainAuth(conn DeadlineReaderWriter) (err error) {`
`23`		`- if err = p.receiveAndSendSasl(conn); err != nil {`
	`22`	`+func (p *LocalSasl) receiveAndSendSASLPlainAuth(conn DeadlineReaderWriter, readKeyVersionBuf []byte) (err error) {`
	`23`	`+ if err = p.receiveAndSendSasl(conn, readKeyVersionBuf); err != nil {`
`24`	`24`	`return err`
`25`	`25`	`}`
`26`	`26`	`if err = p.receiveAndSendAuth(conn); err != nil {`
`@@ -29,17 +29,17 @@ func (p *LocalSasl) receiveAndSendSASLPlainAuth(conn DeadlineReaderWriter) (err`
`29`	`29`	`return nil`
`30`	`30`	`}`
`31`	`31`
`32`		`-func (p *LocalSasl) receiveAndSendSasl(conn DeadlineReaderWriter) (err error) {`
	`32`	`+func (p *LocalSasl) receiveAndSendSasl(conn DeadlineReaderWriter, keyVersionBuf []byte) (err error) {`
`33`	`33`	`requestDeadline := time.Now().Add(p.timeout)`
`34`	`34`	`err = conn.SetDeadline(requestDeadline)`
`35`	`35`	`if err != nil {`
`36`	`36`	`return err`
`37`	`37`	`}`
`38`	`38`
`39`		`- keyVersionBuf := make([]byte, 8) // Size => int32 + ApiKey => int16 + ApiVersion => int16`
`40`		`- if _, err = io.ReadFull(conn, keyVersionBuf); err != nil {`
`41`		`- return err`
	`39`	`+ if len(keyVersionBuf) != 8 {`
	`40`	`+ return errors.New("length of keyVersionBuf should be 8")`
`42`	`41`	`}`
	`42`	`+ // keyVersionBuf has already been read from connection`
`43`	`43`	`requestKeyVersion := &protocol.RequestKeyVersion{}`
`44`	`44`	`if err = protocol.Decode(keyVersionBuf, requestKeyVersion); err != nil {`
`45`	`45`	`return err`