Allow the exclusion of kerberos tests

In order to exclude running the testsuite with kerberos tests (also not starting the `kerberos` container) set the env variable `OAUTH_TESTSUITE_TEST_KERBEROS=false`

Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>

Author: mstruk

testsuite/keycloak-authz-zk-tests/src/test/java/io/strimzi/testsuite/oauth/authz/kraft/KeycloakZKAuthorizationTests.java

@@ -116,6 +116,7 @@ public void doTest() throws Exception {
 
         } catch (Throwable e) {
             log.error("Keycloak ZK Authorization Test failed: ", e);
+            e.printStackTrace();
             throw e;
         }
     }

testsuite/mockoauth-tests/docker-compose-kerberos.yml

@@ -0,0 +1,156 @@
+version: '3'
+
+services:
+  mockoauth:
+    image: testsuite/mock-oauth-server
+    ports:
+      - "8090:8090"
+      - "8091:8091"
+      - "5005:5005"
+    volumes:
+      - ${PWD}/../docker/certificates:/application/config
+
+    environment:
+      #- JAVA_DEBUG=y
+      #- DEBUG_SUSPEND_FLAG=y
+      #- JAVA_DEBUG_PORT=0.0.0.0:5005
+
+      - KEYSTORE_ONE_PATH=/application/config/mockoauth.server.keystore.p12
+      - KEYSTORE_ONE_PASSWORD=changeit
+      - KEYSTORE_TWO_PATH=/application/config/mockoauth.server.keystore_2.p12
+      - KEYSTORE_TWO_PASSWORD=changeit
+      - KEYSTORE_EXPIRED_PATH=/application/config/mockoauth.server.keystore_expired.p12
+      - KEYSTORE_EXPIRED_PASSWORD=changeit
+
+  kafka:
+    image: ${KAFKA_DOCKER_IMAGE}
+    ports:
+      - "9091:9091"
+      - "9092:9092"
+      - "9093:9093"
+      - "9094:9094"
+      - "9095:9095"
+      - "9096:9096"
+      - "9097:9097"
+      - "9098:9098"
+      - "9099:9099"
+      - "9404:9404"
+
+      # Debug port
+      - "5006:5006"
+    volumes:
+      - ${PWD}/../docker/target/kafka/libs:/opt/kafka/libs/strimzi
+      - ${PWD}/../docker/kafka/config:/opt/kafka/config/strimzi
+      - ${PWD}/../docker/target/kafka/certs:/opt/kafka/config/strimzi/certs
+      - ${PWD}/../docker/kafka/scripts:/opt/kafka/strimzi
+      - ${PWD}/../docker/kerberos/krb5.conf:/etc/krb5.conf
+      - ${PWD}/../docker/kerberos/kafka_server_jaas.conf:/opt/kafka/kafka_server_jaas.conf
+      - ${PWD}/../docker/kerberos/keys:/opt/kafka/keytabs
+    command:
+      - /bin/bash
+      - -c
+        #- sleep 10000
+      - cd /opt/kafka/strimzi && ./start_no_wait.sh
+    environment:
+      #- KAFKA_DEBUG=y
+      #- DEBUG_SUSPEND_FLAG=y
+      #- JAVA_DEBUG_PORT=0.0.0.0:5006
+
+      - KAFKA_BROKER_ID=1
+      - KAFKA_ZOOKEEPER_CONNECT=zookeeper:2181
+      - KAFKA_LISTENERS=INTERBROKER://kafka:9091,JWT://kafka:9092,INTROSPECT://kafka:9093,JWTPLAIN://kafka:9094,PLAIN://kafka:9095,INTROSPECTTIMEOUT://kafka:9096,FAILINGINTROSPECT://kafka:9097,FAILINGJWT://kafka:9098,KERBEROS://kafka:9099
+      - KAFKA_LISTENER_SECURITY_PROTOCOL_MAP=INTERBROKER:PLAINTEXT,JWT:SASL_PLAINTEXT,INTROSPECT:SASL_PLAINTEXT,JWTPLAIN:SASL_PLAINTEXT,PLAIN:SASL_PLAINTEXT,INTROSPECTTIMEOUT:SASL_PLAINTEXT,FAILINGINTROSPECT:SASL_PLAINTEXT,FAILINGJWT:SASL_PLAINTEXT,KERBEROS:SASL_PLAINTEXT
+      - KAFKA_SASL_ENABLED_MECHANISMS=OAUTHBEARER
+      - KAFKA_INTER_BROKER_LISTENER_NAME=INTERBROKER
+
+      # Common settings for all the listeners
+      # username extraction from JWT token claim
+      - KAFKA_PRINCIPAL_BUILDER_CLASS=io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder
+      - KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR=1
+
+      # Configuration of individual listeners
+      - KAFKA_LISTENER_NAME_INTROSPECT_OAUTHBEARER_SASL_JAAS_CONFIG=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required    oauth.config.id=\"INTROSPECT\"    oauth.introspection.endpoint.uri=\"https://mockoauth:8090/introspect\"    oauth.client.id=\"unused\"    oauth.client.secret=\"unused-secret\"    oauth.valid.issuer.uri=\"https://mockoauth:8090\"    unsecuredLoginStringClaim_sub=\"admin\" ;
+      - KAFKA_LISTENER_NAME_INTROSPECT_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS=io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler
+      #- KAFKA_LISTENER_NAME_INTROSPECT_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
+
+      - KAFKA_LISTENER_NAME_JWT_OAUTHBEARER_SASL_JAAS_CONFIG=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required    oauth.config.id=\"JWT\"    oauth.fail.fast=\"false\"    oauth.jwks.endpoint.uri=\"https://mockoauth:8090/jwks\"    oauth.jwks.refresh.seconds=\"10\"    oauth.valid.issuer.uri=\"https://mockoauth:8090\"    oauth.check.access.token.type=\"false\"    unsecuredLoginStringClaim_sub=\"admin\" ;
+      - KAFKA_LISTENER_NAME_JWT_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS=io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler
+
+      - KAFKA_LISTENER_NAME_JWTPLAIN_SASL_ENABLED_MECHANISMS=OAUTHBEARER,PLAIN
+      - KAFKA_LISTENER_NAME_JWTPLAIN_OAUTHBEARER_SASL_JAAS_CONFIG=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required    oauth.config.id=\"JWTPLAIN\"    oauth.fail.fast=\"false\"    oauth.jwks.endpoint.uri=\"https://mockoauth:8090/jwks\"    oauth.valid.issuer.uri=\"https://mockoauth:8090\"    unsecuredLoginStringClaim_sub=\"admin\" ;
+      - KAFKA_LISTENER_NAME_JWTPLAIN_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS=io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler
+
+      - KAFKA_LISTENER_NAME_JWTPLAIN_PLAIN_SASL_JAAS_CONFIG=org.apache.kafka.common.security.plain.PlainLoginModule required    oauth.config.id=\"JWTPLAIN\"    oauth.token.endpoint.uri=\"https://mockoauth:8090/token\"    oauth.fail.fast=\"false\"    oauth.jwks.endpoint.uri=\"https://mockoauth:8090/jwks\"    oauth.valid.issuer.uri=\"https://mockoauth:8090\"    unsecuredLoginStringClaim_sub=\"admin\" ;
+      - KAFKA_LISTENER_NAME_JWTPLAIN_PLAIN_SASL_SERVER_CALLBACK_HANDLER_CLASS=io.strimzi.kafka.oauth.server.plain.JaasServerOauthOverPlainValidatorCallbackHandler
+
+      - KAFKA_LISTENER_NAME_PLAIN_SASL_ENABLED_MECHANISMS=PLAIN
+      - KAFKA_LISTENER_NAME_PLAIN_PLAIN_SASL_JAAS_CONFIG=org.apache.kafka.common.security.plain.PlainLoginModule required    username=\"admin\"    password=\"admin-password\"    user_admin=\"admin-password\" ;
+
+      # The 'oauth.connect.timeout.seconds' should be overridden by env var OAUTH_CONNECT_TIMEOUT_SECONDS, so it should be 10 seconds
+      - KAFKA_LISTENER_NAME_INTROSPECTTIMEOUT_OAUTHBEARER_SASL_JAAS_CONFIG=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required    oauth.config.id=\"INTROSPECTTIMEOUT\"    oauth.connect.timeout.seconds=\"5\"    oauth.introspection.endpoint.uri=\"https://mockoauth:8090/introspect\"    oauth.client.id=\"kafka\"    oauth.client.secret=\"kafka-secret\"    oauth.valid.issuer.uri=\"https://mockoauth:8090\"    unsecuredLoginStringClaim_sub=\"admin\" ;
+      - KAFKA_LISTENER_NAME_INTROSPECTTIMEOUT_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS=io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler
+
+      - KAFKA_LISTENER_NAME_FAILINGINTROSPECT_SASL_ENABLED_MECHANISMS=OAUTHBEARER,PLAIN
+      - KAFKA_LISTENER_NAME_FAILINGINTROSPECT_OAUTHBEARER_SASL_JAAS_CONFIG=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required    oauth.config.id=\"FAILINGINTROSPECT\"    oauth.introspection.endpoint.uri=\"https://mockoauth:8090/failing_introspect\"    oauth.userinfo.endpoint.uri=\"https://mockoauth:8090/failing_userinfo\"    oauth.username.claim=\"uid\"    oauth.client.id=\"kafka\"    oauth.client.secret=\"kafka-secret\"    oauth.valid.issuer.uri=\"https://mockoauth:8090\"    oauth.http.retries=\"1\"    oauth.http.retry.pause.millis=\"3000\"    unsecuredLoginStringClaim_sub=\"admin\" ;
+      - KAFKA_LISTENER_NAME_FAILINGINTROSPECT_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS=io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler
+
+      - KAFKA_LISTENER_NAME_FAILINGINTROSPECT_PLAIN_SASL_JAAS_CONFIG=org.apache.kafka.common.security.plain.PlainLoginModule required    oauth.config.id=\"FAILINGINTROSPECT\"    oauth.token.endpoint.uri=\"https://mockoauth:8090/failing_token\"    oauth.introspection.endpoint.uri=\"https://mockoauth:8090/failing_introspect\"    oauth.userinfo.endpoint.uri=\"https://mockoauth:8090/failing_userinfo\"    oauth.username.claim=\"uid\"    oauth.client.id=\"kafka\"    oauth.client.secret=\"kafka-secret\"    oauth.valid.issuer.uri=\"https://mockoauth:8090\"    oauth.http.retries=\"1\"    oauth.http.retry.pause.millis=\"3000\"    unsecuredLoginStringClaim_sub=\"admin\" ;
+      - KAFKA_LISTENER_NAME_FAILINGINTROSPECT_PLAIN_SASL_SERVER_CALLBACK_HANDLER_CLASS=io.strimzi.kafka.oauth.server.plain.JaasServerOauthOverPlainValidatorCallbackHandler
+
+      - KAFKA_LISTENER_NAME_FAILINGJWT_SASL_ENABLED_MECHANISMS=OAUTHBEARER,PLAIN
+      - KAFKA_LISTENER_NAME_FAILINGJWT_OAUTHBEARER_SASL_JAAS_CONFIG=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required    oauth.config.id=\"FAILINGJWT\"    oauth.fail.fast=\"false\"    oauth.check.access.token.type=\"false\"    oauth.jwks.endpoint.uri=\"https://mockoauth:8090/jwks\"    oauth.jwks.refresh.seconds=\"10\"    oauth.valid.issuer.uri=\"https://mockoauth:8090\"    unsecuredLoginStringClaim_sub=\"admin\" ;
+      - KAFKA_LISTENER_NAME_FAILINGJWT_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS=io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler
+
+      - KAFKA_LISTENER_NAME_FAILINGJWT_PLAIN_SASL_JAAS_CONFIG=org.apache.kafka.common.security.plain.PlainLoginModule required    oauth.config.id=\"FAILINGJWT\"    oauth.fail.fast=\"false\"    oauth.check.access.token.type=\"false\"    oauth.jwks.endpoint.uri=\"https://mockoauth:8090/jwks\"    oauth.jwks.refresh.seconds=\"10\"    oauth.valid.issuer.uri=\"https://mockoauth:8090\"    oauth.token.endpoint.uri=\"https://mockoauth:8090/failing_token\"    oauth.http.retries=\"1\"    oauth.http.retry.pause.millis=\"3000\"    unsecuredLoginStringClaim_sub=\"admin\" ;
+      - KAFKA_LISTENER_NAME_FAILINGJWT_PLAIN_SASL_SERVER_CALLBACK_HANDLER_CLASS=io.strimzi.kafka.oauth.server.plain.JaasServerOauthOverPlainValidatorCallbackHandler
+
+
+      # Truststore config for connecting to secured authorization server
+      - OAUTH_SSL_TRUSTSTORE_LOCATION=/opt/kafka/config/strimzi/certs/ca-truststore.p12
+      - OAUTH_SSL_TRUSTSTORE_PASSWORD=changeit
+      - OAUTH_SSL_TRUSTSTORE_TYPE=pkcs12
+      - OAUTH_CONNECT_TIMEOUT_SECONDS=10
+      - OAUTH_READ_TIMEOUT_SECONDS=10
+
+
+      # OAuth metrics configuration
+
+      - OAUTH_ENABLE_METRICS=true
+      #   When enabling metrics we also have to explicitly configure JmxReporter to have metrics available in JMX
+      #   The following value will be available as env var STRIMZI_OAUTH_METRIC_REPORTERS
+      - STRIMZI_OAUTH_METRIC_REPORTERS=org.apache.kafka.common.metrics.JmxReporter
+
+      #   The following value will turn into 'strimzi.oauth.metric.reporters=...' in 'strimzi.properties' file
+      #   However, that won't work as the value may be filtered to the component that happens to initialise OAuthMetrics
+      #- KAFKA_STRIMZI_OAUTH_METRIC_REPORTERS=org.apache.kafka.common.metrics.JmxReporter
+      - KAFKA_LISTENER_NAME_KERBEROS_SASL_KERBEROS_SERVICE_NAME=kafka
+      - KAFKA_LISTENER_NAME_KERBEROS_SASL_ENABLED_MECHANISMS=GSSAPI
+      - KAFKA_OPTS=-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/opt/kafka/kafka_server_jaas.conf
+
+  zookeeper:
+    image: ${KAFKA_DOCKER_IMAGE}
+    ports:
+      - "2181:2181"
+    volumes:
+      - ${PWD}/../docker/zookeeper/scripts:/opt/kafka/strimzi
+      - ${PWD}/../docker/kafka/kerberos/keys:/keytabs
+    command:
+      - /bin/bash
+      - -c
+      - cd /opt/kafka/strimzi && ./start.sh
+    environment:
+      - LOG_DIR=/tmp/logs
+  kerberos:
+    build: ${PWD}/../docker/kerberos
+    hostname: 'kerberos'
+    environment:
+      - REALM=KERBEROS
+      - DOMAIN_REALM=kerberos
+      - KERB_MASTER_KEY=masterkey
+      - KERB_ADMIN_USER=admin
+      - KERB_ADMIN_PASS=admin
+    volumes:
+      - ${PWD}/../docker/kerberos/keys:/keytabs
+    ports:
+      - "749:749"
+      - "88:88/udp"

testsuite/mockoauth-tests/docker-compose.yml

@@ -43,9 +43,6 @@ services:
       - ${PWD}/../docker/kafka/config:/opt/kafka/config/strimzi
       - ${PWD}/../docker/target/kafka/certs:/opt/kafka/config/strimzi/certs
       - ${PWD}/../docker/kafka/scripts:/opt/kafka/strimzi
-      - ${PWD}/../docker/kerberos/krb5.conf:/etc/krb5.conf
-      - ${PWD}/../docker/kerberos/kafka_server_jaas.conf:/opt/kafka/kafka_server_jaas.conf
-      - ${PWD}/../docker/kerberos/keys:/opt/kafka/keytabs
     command:
       - /bin/bash
       - -c
@@ -58,8 +55,8 @@ services:
 
       - KAFKA_BROKER_ID=1
       - KAFKA_ZOOKEEPER_CONNECT=zookeeper:2181
-      - KAFKA_LISTENERS=INTERBROKER://kafka:9091,JWT://kafka:9092,INTROSPECT://kafka:9093,JWTPLAIN://kafka:9094,PLAIN://kafka:9095,INTROSPECTTIMEOUT://kafka:9096,FAILINGINTROSPECT://kafka:9097,FAILINGJWT://kafka:9098,KERBEROS://kafka:9099
-      - KAFKA_LISTENER_SECURITY_PROTOCOL_MAP=INTERBROKER:PLAINTEXT,JWT:SASL_PLAINTEXT,INTROSPECT:SASL_PLAINTEXT,JWTPLAIN:SASL_PLAINTEXT,PLAIN:SASL_PLAINTEXT,INTROSPECTTIMEOUT:SASL_PLAINTEXT,FAILINGINTROSPECT:SASL_PLAINTEXT,FAILINGJWT:SASL_PLAINTEXT,KERBEROS:SASL_PLAINTEXT
+      - KAFKA_LISTENERS=INTERBROKER://kafka:9091,JWT://kafka:9092,INTROSPECT://kafka:9093,JWTPLAIN://kafka:9094,PLAIN://kafka:9095,INTROSPECTTIMEOUT://kafka:9096,FAILINGINTROSPECT://kafka:9097,FAILINGJWT://kafka:9098
+      - KAFKA_LISTENER_SECURITY_PROTOCOL_MAP=INTERBROKER:PLAINTEXT,JWT:SASL_PLAINTEXT,INTROSPECT:SASL_PLAINTEXT,JWTPLAIN:SASL_PLAINTEXT,PLAIN:SASL_PLAINTEXT,INTROSPECTTIMEOUT:SASL_PLAINTEXT,FAILINGINTROSPECT:SASL_PLAINTEXT,FAILINGJWT:SASL_PLAINTEXT
       - KAFKA_SASL_ENABLED_MECHANISMS=OAUTHBEARER
       - KAFKA_INTER_BROKER_LISTENER_NAME=INTERBROKER
 
@@ -123,34 +120,16 @@ services:
       #   The following value will turn into 'strimzi.oauth.metric.reporters=...' in 'strimzi.properties' file
       #   However, that won't work as the value may be filtered to the component that happens to initialise OAuthMetrics
       #- KAFKA_STRIMZI_OAUTH_METRIC_REPORTERS=org.apache.kafka.common.metrics.JmxReporter
-      - KAFKA_LISTENER_NAME_KERBEROS_SASL_KERBEROS_SERVICE_NAME=kafka
-      - KAFKA_LISTENER_NAME_KERBEROS_SASL_ENABLED_MECHANISMS=GSSAPI
-      - KAFKA_OPTS=-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/opt/kafka/kafka_server_jaas.conf
 
   zookeeper:
     image: ${KAFKA_DOCKER_IMAGE}
     ports:
       - "2181:2181"
     volumes:
       - ${PWD}/../docker/zookeeper/scripts:/opt/kafka/strimzi
-      - ${PWD}/../docker/kafka/kerberos/keys:/keytabs
     command:
       - /bin/bash
       - -c
       - cd /opt/kafka/strimzi && ./start.sh
     environment:
       - LOG_DIR=/tmp/logs
-  kerberos:
-    build: ${PWD}/../docker/kerberos
-    hostname: 'kerberos'
-    environment:
-      - REALM=KERBEROS
-      - DOMAIN_REALM=kerberos
-      - KERB_MASTER_KEY=masterkey
-      - KERB_ADMIN_USER=admin
-      - KERB_ADMIN_PASS=admin
-    volumes:
-      - ${PWD}/../docker/kerberos/keys:/keytabs
-    ports:
-      - "749:749"
-      - "88:88/udp"

testsuite/mockoauth-tests/src/test/java/io/strimzi/testsuite/oauth/MockOAuthTests.java

@@ -4,6 +4,7 @@
  */
 package io.strimzi.testsuite.oauth;
 
+import io.strimzi.kafka.oauth.common.Config;
 import io.strimzi.testsuite.oauth.common.TestContainersLogCollector;
 import io.strimzi.testsuite.oauth.common.TestContainersWatcher;
 import io.strimzi.testsuite.oauth.mockoauth.AuthorizationEndpointsTest;
@@ -38,16 +39,28 @@
  */
 public class MockOAuthTests {
 
+    static boolean includeKerberosTests = new Config(System.getProperties()).getValueAsBoolean("oauth.testsuite.test.kerberos", true);
+
     @ClassRule
     public static TestContainersWatcher environment =
-            new TestContainersWatcher(new File("docker-compose.yml"))
-                    .withServices("mockoauth", "kerberos", "kafka", "zookeeper")
-                    .waitingFor("mockoauth", Wait.forLogMessage(".*Succeeded in deploying verticle.*", 1)
-                            .withStartupTimeout(Duration.ofSeconds(180)))
+            initWatcher();
+
+    private static TestContainersWatcher initWatcher() {
+        TestContainersWatcher watcher = new TestContainersWatcher(new File(includeKerberosTests ? "docker-compose-kerberos.yml" : "docker-compose.yml"));
+        if (includeKerberosTests) {
+            watcher.withServices("mockoauth", "kerberos", "kafka", "zookeeper")
                     .waitingFor("kerberos", Wait.forLogMessage(".*commencing operation.*", 1)
-                            .withStartupTimeout(Duration.ofSeconds(45)))
-                    .waitingFor("kafka", Wait.forLogMessage(".*started \\(kafka.server.KafkaServer\\).*", 1)
-                            .withStartupTimeout(Duration.ofSeconds(180)));
+                            .withStartupTimeout(Duration.ofSeconds(45)));
+        } else {
+            watcher.withServices("mockoauth", "kafka", "zookeeper");
+        }
+        watcher.waitingFor("mockoauth", Wait.forLogMessage(".*Succeeded in deploying verticle.*", 1)
+                        .withStartupTimeout(Duration.ofSeconds(180)))
+                .waitingFor("kafka", Wait.forLogMessage(".*started \\(kafka.server.KafkaServer\\).*", 1)
+                        .withStartupTimeout(Duration.ofSeconds(180)));
+
+        return watcher;
+    }
 
     @Rule
     public TestRule logCollector = new TestContainersLogCollector(environment);
@@ -98,8 +111,10 @@ public void runTests() throws Exception {
             logStart("ClientAssertionAuthTest :: Client Assertion Tests");
             new ClientAssertionAuthTest().doTest();
 
-            logStart("KerberosTests :: Test authentication with Kerberos");
-            new KerberosListenerTest().doTests();
+            if (includeKerberosTests) {
+                logStart("KerberosTests :: Test authentication with Kerberos");
+                new KerberosListenerTest().doTests();
+            }
 
         } catch (Throwable e) {
             log.error("Exception has occurred: ", e);