Add Confluent Kafka examples using SASL/SCRAM auth

Author: eddumelendez

modules/kafka/src/test/java/org/testcontainers/AbstractKafka.java

@@ -19,6 +19,7 @@
 import java.time.Duration;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Map;
 import java.util.Properties;
 import java.util.UUID;
 import java.util.concurrent.TimeUnit;
@@ -28,7 +29,7 @@
 
 public class AbstractKafka {
 
-    private final ImmutableMap<String, String> properties = ImmutableMap.of(
+    private static final ImmutableMap<String, String> PLAIN_PROPERTIES = ImmutableMap.of(
         AdminClientConfig.SECURITY_PROTOCOL_CONFIG,
         "SASL_PLAINTEXT",
         SaslConfigs.SASL_MECHANISM,
@@ -37,16 +38,39 @@ public class AbstractKafka {
         "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"admin\" password=\"admin\";"
     );
 
+    private static final ImmutableMap<String, String> SCRAM_PROPERTIES = ImmutableMap.of(
+        AdminClientConfig.SECURITY_PROTOCOL_CONFIG,
+        "SASL_PLAINTEXT",
+        SaslConfigs.SASL_MECHANISM,
+        "SCRAM-SHA-256",
+        SaslConfigs.SASL_JAAS_CONFIG,
+        "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"admin\" password=\"admin\";"
+    );
+
     protected void testKafkaFunctionality(String bootstrapServers) throws Exception {
         testKafkaFunctionality(bootstrapServers, false, 1, 1);
     }
 
-    protected void testSecureKafkaFunctionality(String bootstrapServers) throws Exception {
-        testKafkaFunctionality(bootstrapServers, true, 1, 1);
+    protected void testSecurePlainKafkaFunctionality(String bootstrapServers) throws Exception {
+        testKafkaFunctionality(bootstrapServers, true, PLAIN_PROPERTIES, 1, 1);
+    }
+
+    protected void testSecureScramKafkaFunctionality(String bootstrapServers) throws Exception {
+        testKafkaFunctionality(bootstrapServers, true, SCRAM_PROPERTIES, 1, 1);
     }
 
     protected void testKafkaFunctionality(String bootstrapServers, boolean authenticated, int partitions, int rf)
         throws Exception {
+        testKafkaFunctionality(bootstrapServers, authenticated, Collections.emptyMap(), partitions, rf);
+    }
+
+    protected void testKafkaFunctionality(
+        String bootstrapServers,
+        boolean authenticated,
+        Map<String, String> authProperties,
+        int partitions,
+        int rf
+    ) throws Exception {
         ImmutableMap<String, String> adminClientDefaultProperties = ImmutableMap.of(
             AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG,
             bootstrapServers
@@ -75,9 +99,9 @@ protected void testKafkaFunctionality(String bootstrapServers, boolean authentic
         producerProperties.putAll(producerDefaultProperties);
 
         if (authenticated) {
-            adminClientProperties.putAll(this.properties);
-            consumerProperties.putAll(this.properties);
-            producerProperties.putAll(this.properties);
+            adminClientProperties.putAll(authProperties);
+            consumerProperties.putAll(authProperties);
+            producerProperties.putAll(authProperties);
         }
         try (
             AdminClient adminClient = AdminClient.create(adminClientProperties);
@@ -116,4 +140,14 @@ protected void testKafkaFunctionality(String bootstrapServers, boolean authentic
             consumer.unsubscribe();
         }
     }
+
+    protected static String getJaasConfig() {
+        String jaasConfig =
+            "org.apache.kafka.common.security.plain.PlainLoginModule required " +
+            "username=\"admin\" " +
+            "password=\"admin\" " +
+            "user_admin=\"admin\" " +
+            "user_test=\"secret\";";
+        return jaasConfig;
+    }
 }

modules/kafka/src/test/java/org/testcontainers/containers/KafkaContainerTest.java

@@ -14,6 +14,7 @@
 import org.testcontainers.Testcontainers;
 import org.testcontainers.images.builder.Transferable;
 import org.testcontainers.utility.DockerImageName;
+import org.testcontainers.utility.MountableFile;
 
 import java.util.Collection;
 import java.util.Collections;
@@ -229,7 +230,38 @@ public void shouldConfigureAuthenticationWithSaslUsingJaas() {
         ) {
             kafka.start();
 
-            testSecureKafkaFunctionality(kafka.getBootstrapServers());
+            testSecurePlainKafkaFunctionality(kafka.getBootstrapServers());
+        }
+    }
+
+    @SneakyThrows
+    @Test
+    public void shouldConfigureAuthenticationWithSaslScramUsingJaas() {
+        try (
+            KafkaContainer kafka = new KafkaContainer(DockerImageName.parse("confluentinc/cp-kafka:7.7.0")) {
+                protected String commandKraft() {
+                    String command = "sed -i '/KAFKA_ZOOKEEPER_CONNECT/d' /etc/confluent/docker/configure\n";
+                    command +=
+                        "echo 'kafka-storage format --ignore-formatted -t \"" +
+                        "$CLUSTER_ID" +
+                        "\" --add-scram SCRAM-SHA-256=[name=admin,password=admin] -c /etc/kafka/kafka.properties' >> /etc/confluent/docker/configure\n";
+                    return command;
+                }
+            }
+                .withKraft()
+                .withEnv("KAFKA_LISTENER_SECURITY_PROTOCOL_MAP", "PLAINTEXT:SASL_PLAINTEXT,BROKER:SASL_PLAINTEXT")
+                .withEnv("KAFKA_LISTENER_NAME_PLAINTEXT_SASL_ENABLED_MECHANISMS", "SCRAM-SHA-256")
+                .withEnv("KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL", "SCRAM-SHA-256")
+                .withEnv("KAFKA_SASL_ENABLED_MECHANISMS", "SCRAM-SHA-256")
+                .withEnv("KAFKA_OPTS", "-Djava.security.auth.login.config=/etc/kafka/secrets/kafka_server_jaas.conf")
+                .withCopyFileToContainer(
+                    MountableFile.forClasspathResource("kafka_server_jaas.conf"),
+                    "/etc/kafka/secrets/kafka_server_jaas.conf"
+                )
+        ) {
+            kafka.start();
+
+            testSecureScramKafkaFunctionality(kafka.getBootstrapServers());
         }
     }
 
@@ -313,14 +345,4 @@ public void enableSaslAndWithAuthenticationError() {
                 });
         }
     }
-
-    private static String getJaasConfig() {
-        String jaasConfig =
-            "org.apache.kafka.common.security.plain.PlainLoginModule required " +
-            "username=\"admin\" " +
-            "password=\"admin\" " +
-            "user_admin=\"admin\" " +
-            "user_test=\"secret\";";
-        return jaasConfig;
-    }
 }

modules/kafka/src/test/java/org/testcontainers/kafka/ConfluentKafkaContainerTest.java

@@ -1,10 +1,13 @@
 package org.testcontainers.kafka;
 
+import com.github.dockerjava.api.command.InspectContainerResponse;
+import lombok.SneakyThrows;
 import org.junit.Test;
 import org.testcontainers.AbstractKafka;
 import org.testcontainers.KCatContainer;
 import org.testcontainers.containers.Network;
 import org.testcontainers.containers.SocatContainer;
+import org.testcontainers.utility.MountableFile;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -62,4 +65,60 @@ public void testUsageWithListenerFromProxy() throws Exception {
             testKafkaFunctionality(bootstrapServers);
         }
     }
+
+    @SneakyThrows
+    @Test
+    public void shouldConfigureAuthenticationWithSaslUsingJaas() {
+        try (
+            ConfluentKafkaContainer kafka = new ConfluentKafkaContainer("confluentinc/cp-kafka:7.7.0")
+                .withEnv(
+                    "KAFKA_LISTENER_SECURITY_PROTOCOL_MAP",
+                    "PLAINTEXT:SASL_PLAINTEXT,BROKER:SASL_PLAINTEXT,CONTROLLER:PLAINTEXT"
+                )
+                .withEnv("KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL", "PLAIN")
+                .withEnv("KAFKA_LISTENER_NAME_PLAINTEXT_SASL_ENABLED_MECHANISMS", "PLAIN")
+                .withEnv("KAFKA_LISTENER_NAME_BROKER_SASL_ENABLED_MECHANISMS", "PLAIN")
+                .withEnv("KAFKA_LISTENER_NAME_BROKER_PLAIN_SASL_JAAS_CONFIG", getJaasConfig())
+                .withEnv("KAFKA_LISTENER_NAME_PLAINTEXT_PLAIN_SASL_JAAS_CONFIG", getJaasConfig())
+        ) {
+            kafka.start();
+
+            testSecurePlainKafkaFunctionality(kafka.getBootstrapServers());
+        }
+    }
+
+    @SneakyThrows
+    @Test
+    public void shouldConfigureAuthenticationWithSaslScramUsingJaas() {
+        try (
+            ConfluentKafkaContainer kafka = new ConfluentKafkaContainer("confluentinc/cp-kafka:7.7.0") {
+                @SneakyThrows
+                @Override
+                protected void containerIsStarting(InspectContainerResponse containerInfo) {
+                    String command =
+                        "echo 'kafka-storage format --ignore-formatted -t \"" +
+                        "$CLUSTER_ID" +
+                        "\" --add-scram SCRAM-SHA-256=[name=admin,password=admin] -c /etc/kafka/kafka.properties' >> /etc/confluent/docker/configure";
+                    execInContainer("bash", "-c", command);
+                    super.containerIsStarting(containerInfo);
+                }
+            }
+                .withEnv(
+                    "KAFKA_LISTENER_SECURITY_PROTOCOL_MAP",
+                    "PLAINTEXT:SASL_PLAINTEXT,BROKER:SASL_PLAINTEXT,CONTROLLER:PLAINTEXT"
+                )
+                .withEnv("KAFKA_LISTENER_NAME_PLAINTEXT_SASL_ENABLED_MECHANISMS", "SCRAM-SHA-256")
+                .withEnv("KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL", "SCRAM-SHA-256")
+                .withEnv("KAFKA_SASL_ENABLED_MECHANISMS", "SCRAM-SHA-256")
+                .withEnv("KAFKA_OPTS", "-Djava.security.auth.login.config=/etc/kafka/secrets/kafka_server_jaas.conf")
+                .withCopyFileToContainer(
+                    MountableFile.forClasspathResource("kafka_server_jaas.conf"),
+                    "/etc/kafka/secrets/kafka_server_jaas.conf"
+                )
+        ) {
+            kafka.start();
+
+            testSecureScramKafkaFunctionality(kafka.getBootstrapServers());
+        }
+    }
 }

modules/kafka/src/test/resources/kafka_server_jaas.conf

@@ -0,0 +1,5 @@
+KafkaServer {
+  org.apache.kafka.common.security.scram.ScramLoginModule required
+  username="admin"
+  password="admin";
+};