diff --git a/libbeat/common/kafka/sasl.go b/libbeat/common/kafka/sasl.go
index ca9df078ebcd..2f0d2ea79e43 100644
--- a/libbeat/common/kafka/sasl.go
+++ b/libbeat/common/kafka/sasl.go
@@ -44,26 +44,13 @@ func (c *SaslConfig) ConfigureSarama(config *sarama.Config) {
 	case saslTypeSCRAMSHA256:
 		config.Net.SASL.Handshake = true
 		config.Net.SASL.Mechanism = sarama.SASLMechanism(sarama.SASLTypeSCRAMSHA256)
-		config.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient {
-			return &XDGSCRAMClient{HashGeneratorFcn: SHA256}
-		}
+		config.Net.SASL.SCRAMClientGeneratorFunc = scramClient(saslTypeSCRAMSHA256)
 	case saslTypeSCRAMSHA512:
 		config.Net.SASL.Handshake = true
 		config.Net.SASL.Mechanism = sarama.SASLMechanism(sarama.SASLTypeSCRAMSHA512)
-		config.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient {
-			return &XDGSCRAMClient{HashGeneratorFcn: SHA512}
-		}
+		config.Net.SASL.SCRAMClientGeneratorFunc = scramClient(saslTypeSCRAMSHA512)
 	default:
 		// This should never happen because `SaslMechanism` is checked on `Validate()`, keeping a panic to detect it earlier if it happens.
 		panic(fmt.Sprintf("not valid SASL mechanism '%v', only supported with PLAIN|SCRAM-SHA-512|SCRAM-SHA-256", c.SaslMechanism))
 	}
 }
-
-func (c *SaslConfig) Validate() error {
-	switch strings.ToUpper(c.SaslMechanism) { // try not to force users to use all upper case
-	case "", saslTypePlaintext, saslTypeSCRAMSHA256, saslTypeSCRAMSHA512:
-	default:
-		return fmt.Errorf("not valid SASL mechanism '%v', only supported with PLAIN|SCRAM-SHA-512|SCRAM-SHA-256", c.SaslMechanism)
-	}
-	return nil
-}
diff --git a/libbeat/common/kafka/sasl_fips.go b/libbeat/common/kafka/sasl_fips.go
new file mode 100644
index 000000000000..414854cb9e33
--- /dev/null
+++ b/libbeat/common/kafka/sasl_fips.go
@@ -0,0 +1,41 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build requirefips
+
+package kafka
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/elastic/sarama"
+)
+
+func (c *SaslConfig) Validate() error {
+	switch strings.ToUpper(c.SaslMechanism) { // try not to force users to use all upper case
+	case "", saslTypePlaintext:
+	default:
+		return fmt.Errorf("not valid SASL mechanism '%v', only supported with PLAIN", c.SaslMechanism)
+	}
+	return nil
+}
+
+func scramClient(mechanism string) func() sarama.SCRAMClient {
+	// This should never happen because `SaslMechanism` is checked on `Validate()`, keeping a panic to detect it earlier if it happens.
+	panic("scram sasl auth not supported in fips mode")
+}
diff --git a/libbeat/common/kafka/sasl_fips_test.go b/libbeat/common/kafka/sasl_fips_test.go
new file mode 100644
index 000000000000..a3fc1be53a39
--- /dev/null
+++ b/libbeat/common/kafka/sasl_fips_test.go
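Review bot: `Validate` is duplicated across the two build-tagged files, with the copies differing only in the accepted-mechanism list and the wording of the error, so the `requirefips` and `!requirefips` builds (this hunk and sasl_nofips.go) can drift apart silently on the next edit. Keeping a single `Validate` in sasl.go that consults a per-build `var supportedSaslMechanisms = []string{"", saslTypePlaintext}` via `slices.Contains(supportedSaslMechanisms, strings.ToUpper(c.SaslMechanism))`, and building the "only supported with" text from the same slice, would confine the FIPS difference to one declaration. In the same hunk `scramClient` ignores its `mechanism` argument; `panic(fmt.Sprintf("scram sasl auth %q not supported in fips mode", mechanism))` would tell an operator which configured mechanism tripped it. Because `ConfigureSarama` calls `scramClient` eagerly, that panic fires at configuration time rather than during the SCRAM handshake, which matches the early-detection intent stated in the comment.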
@@ -0,0 +1,36 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build requirefips
+
+package kafka
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestValidate(t *testing.T) {
+	cfg := SaslConfig{
+		SaslMechanism: saslTypeSCRAMSHA512,
+	}
+	require.Error(t, cfg.Validate())
+
+	cfg.SaslMechanism = saslTypeSCRAMSHA256
+	require.Error(t, cfg.Validate())
+}
diff --git a/libbeat/common/kafka/sasl_nofips.go b/libbeat/common/kafka/sasl_nofips.go
new file mode 100644
index 000000000000..5a3f927571f5
--- /dev/null
+++ b/libbeat/common/kafka/sasl_nofips.go
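Review bot: `TestValidate` only exercises the rejected mechanisms; the values the FIPS `Validate` is supposed to accept (`""` and `saslTypePlaintext`) and the case-insensitive path promised by the `strings.ToUpper` comment are untested, so a regression that rejects every mechanism would still pass. Adding `cfg.SaslMechanism = strings.ToLower(saslTypePlaintext)` followed by `require.NoError(t, cfg.Validate())`, plus the empty-string case, would pin both sides of the check. The mirror test in sasl_nofips_test.go has the inverse gap: it never asserts that an unsupported mechanism still returns an error, nor that a lower-case SCRAM name is accepted.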
@@ -0,0 +1,47 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !requirefips
+
+package kafka
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/elastic/sarama"
+)
+
+func (c *SaslConfig) Validate() error {
+	switch strings.ToUpper(c.SaslMechanism) { // try not to force users to use all upper case
+	case "", saslTypePlaintext, saslTypeSCRAMSHA256, saslTypeSCRAMSHA512:
+	default:
+		return fmt.Errorf("not valid SASL mechanism '%v', only supported with PLAIN|SCRAM-SHA-512|SCRAM-SHA-256", c.SaslMechanism)
+	}
+	return nil
+}
+
+func scramClient(mechanism string) func() sarama.SCRAMClient {
+	if mechanism == saslTypeSCRAMSHA512 {
+		return func() sarama.SCRAMClient {
+			return &XDGSCRAMClient{HashGeneratorFcn: SHA512}
+		}
+	}
+	return func() sarama.SCRAMClient {
+		return &XDGSCRAMClient{HashGeneratorFcn: SHA256}
+	}
+}
diff --git a/libbeat/common/kafka/sasl_nofips_test.go b/libbeat/common/kafka/sasl_nofips_test.go
new file mode 100644
index 000000000000..507054789868
--- /dev/null
+++ b/libbeat/common/kafka/sasl_nofips_test.go
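Review bot: `scramClient` returns the SHA-256 client for every mechanism that is not `saslTypeSCRAMSHA512`, so an unrecognized value silently selects an authentication mechanism instead of failing, whereas the `requirefips` variant in sasl_fips.go and the `default` case of `ConfigureSarama` both panic on an unexpected mechanism. The only callers visible in this diff pass the two constants, so this is a defensive consistency issue rather than a reachable bug today. A `switch` with one explicit case per supported mechanism and a panic in `default` keeps the "should never happen" contract in one place and makes a future caller's mistake fail loudly.
```go
func scramClient(mechanism string) func() sarama.SCRAMClient {
	switch mechanism {
	case saslTypeSCRAMSHA512:
		return func() sarama.SCRAMClient {
			return &XDGSCRAMClient{HashGeneratorFcn: SHA512}
		}
	case saslTypeSCRAMSHA256:
		return func() sarama.SCRAMClient {
			return &XDGSCRAMClient{HashGeneratorFcn: SHA256}
		}
	default:
		// Unreachable for a config that passed Validate(); panic so a bad caller is caught early.
		panic(fmt.Sprintf("not valid SCRAM mechanism '%v'", mechanism))
	}
}
```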
@@ -0,0 +1,36 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !requirefips
+
+package kafka
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestValidate(t *testing.T) {
+	cfg := SaslConfig{
+		SaslMechanism: saslTypeSCRAMSHA512,
+	}
+	require.NoError(t, cfg.Validate())
+
+	cfg.SaslMechanism = saslTypeSCRAMSHA256
+	require.NoError(t, cfg.Validate())
+}
diff --git a/libbeat/common/kafka/scram.go b/libbeat/common/kafka/scram.go
index e87ed11f756e..af85f2df9831 100644
--- a/libbeat/common/kafka/scram.go
+++ b/libbeat/common/kafka/scram.go
@@ -15,6 +15,8 @@
 // specific language governing permissions and limitations
 // under the License.
+//go:build !requirefips
+
 // https://github.com/Shopify/sarama/blob/master/examples/sasl_scram_client/scram_client.go
 package kafka