filebeat: add testcase for SASL PLAIN and SCRAM-SHA-256 in kafka input

mauri870 · mauri870 · commit ebe1f6c58429 · 2025-12-10T12:59:36.000-03:00
diff --git a/filebeat/input/kafka/kafka_integration_test.go b/filebeat/input/kafka/kafka_integration_test.go
@@ -337,89 +337,113 @@ func TestInputWithJsonPayloadAndMultipleEvents(t *testing.T) {
 
 func TestSASLAuthentication(t *testing.T) {
 	testutils.SkipIfFIPSOnly(t, "SASL disabled when in fips140=only mode.")
-	testTopic := createTestTopicName()
-	groupID := "filebeat"
-
-	// Send test messages to the topic for the input to read.
-	messages := []testMessage{
-		{message: "testing"},
-		{message: "sasl and stuff"},
-	}
-	for _, m := range messages {
-		writeToKafkaTopic(t, testTopic, m.message, m.headers)
-	}
 
-	// Setup the input config
-	config := conf.MustNewConfigFrom(mapstr.M{
-		"hosts":          []string{getTestSASLKafkaHost()},
-		"protocol":       "https",
-		"sasl.mechanism": "SCRAM-SHA-512",
-		// Disable hostname verification since we are likely writing to localhost.
-		"ssl.verification_mode": "certificate",
-		"ssl.certificate_authorities": []string{
-			"../../../testing/environments/docker/kafka/certs/ca-cert",
+	testCases := []struct {
+		name      string
+		mechanism string
+		message   string
+	}{
+		{
+			name:      "SCRAM-SHA-256",
+			mechanism: sarama.SASLTypeSCRAMSHA256,
 		},
-		"username": "beats",
-		"password": "KafkaTest",
-
-		"topics":     []string{testTopic},
-		"group_id":   groupID,
-		"wait_close": 0,
-	})
+		{
+			name:      "SCRAM-SHA-512",
+			mechanism: sarama.SASLTypeSCRAMSHA512,
+		},
+		{
+			name:      "PLAIN",
+			mechanism: sarama.SASLTypePlaintext,
+		},
+	}
 
-	client := beattest.NewChanClient(100)
-	defer client.Close()
-	events := client.Channel
-	input, cancel := run(t, config, client)
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			testTopic := createTestTopicName()
+			groupID := "filebeat"
 
-	timeout := time.After(30 * time.Second)
-	for range messages {
-		select {
-		case event := <-events:
-			v, err := event.Fields.GetValue("message")
-			if err != nil {
-				t.Fatal(err)
+			// Send test messages to the topic for the input to read.
+			messages := []testMessage{
+				{message: "testing"},
+				{message: "testing" + tc.mechanism},
 			}
-			text, ok := v.(string)
-			if !ok {
-				t.Fatal("could not get message text from event")
+			for _, m := range messages {
+				writeToKafkaTopic(t, testTopic, m.message, m.headers)
 			}
-			msg := findMessage(t, text, messages)
-			assert.Equal(t, text, msg.message)
 
-			checkMatchingHeaders(t, event, msg.headers)
-
-			// emulating the pipeline (kafkaInput.Run)
-			meta, ok := event.Private.(eventMeta)
-			if !ok {
-				t.Fatal("could not get eventMeta and ack the message")
+			// Setup the input config
+			config := conf.MustNewConfigFrom(mapstr.M{
+				"hosts":          []string{getTestSASLKafkaHost()},
+				"protocol":       "https",
+				"sasl.mechanism": tc.mechanism,
+				// Disable hostname verification since we are likely writing to localhost.
+				"ssl.verification_mode": "certificate",
+				"ssl.certificate_authorities": []string{
+					"../../../testing/environments/docker/kafka/certs/ca-cert",
+				},
+				"username": "beats",
+				"password": "KafkaTest",
+
+				"topics":     []string{testTopic},
+				"group_id":   groupID,
+				"wait_close": 0,
+			})
+
+			client := beattest.NewChanClient(100)
+			defer client.Close()
+			events := client.Channel
+			input, cancel := run(t, config, client)
+
+			timeout := time.After(30 * time.Second)
+			for range messages {
+				select {
+				case event := <-events:
+					v, err := event.Fields.GetValue("message")
+					if err != nil {
+						t.Fatal(err)
+					}
+					text, ok := v.(string)
+					if !ok {
+						t.Fatal("could not get message text from event")
+					}
+					msg := findMessage(t, text, messages)
+					assert.Equal(t, text, msg.message)
+
+					checkMatchingHeaders(t, event, msg.headers)
+
+					// emulating the pipeline (kafkaInput.Run)
+					meta, ok := event.Private.(eventMeta)
+					if !ok {
+						t.Fatal("could not get eventMeta and ack the message")
+					}
+					meta.ackHandler()
+				case <-timeout:
+					t.Fatal("timeout waiting for incoming events")
+				}
 			}
-			meta.ackHandler()
-		case <-timeout:
-			t.Fatal("timeout waiting for incoming events")
-		}
-	}
 
-	// sarama commits every second, we need to make sure
-	// all message acks are committed before the rest of the checks
-	<-time.After(2 * time.Second)
-
-	// Close the done channel and make sure the beat shuts down in a reasonable
-	// amount of time.
-	cancel()
-	didClose := make(chan struct{})
-	go func() {
-		input.Wait()
-		close(didClose)
-	}()
+			// sarama commits every second, we need to make sure
+			// all message acks are committed before the rest of the checks
+			<-time.After(2 * time.Second)
+
+			// Close the done channel and make sure the beat shuts down in a reasonable
+			// amount of time.
+			cancel()
+			didClose := make(chan struct{})
+			go func() {
+				input.Wait()
+				close(didClose)
+			}()
+
+			select {
+			case <-time.After(30 * time.Second):
+				t.Fatal("timeout waiting for beat to shut down")
+			case <-didClose:
+			}
 
-	select {
-	case <-time.After(30 * time.Second):
-		t.Fatal("timeout waiting for beat to shut down")
-	case <-didClose:
+			assertOffset(t, groupID, testTopic, int64(len(messages)))
+		})
 	}
-
-	assertOffset(t, groupID, testTopic, int64(len(messages)))
 }
 
 func TestTest(t *testing.T) {
diff --git a/testing/environments/docker/kafka/run.sh b/testing/environments/docker/kafka/run.sh
@@ -27,8 +27,10 @@ ${KAFKA_HOME}/bin/kafka-server-start.sh ${KAFKA_HOME}/config/server.properties \
     --override listeners=INSIDE://0.0.0.0:9092,OUTSIDE://0.0.0.0:9094,SASL_SSL://0.0.0.0:9093 \
     --override advertised.listeners=INSIDE://${KAFKA_ADVERTISED_HOST}:9092,OUTSIDE://localhost:9094,SASL_SSL://localhost:9093 \
     --override inter.broker.listener.name=INSIDE \
-    --override sasl.enabled.mechanisms=SCRAM-SHA-512 \
+    --override sasl.enabled.mechanisms=SCRAM-SHA-512,SCRAM-SHA-256,PLAIN \
     --override listener.name.sasl_ssl.scram-sha-512.sasl.jaas.config="org.apache.kafka.common.security.scram.ScramLoginModule required;" \
+    --override listener.name.sasl_ssl.scram-sha-256.sasl.jaas.config="org.apache.kafka.common.security.scram.ScramLoginModule required;" \
+    --override listener.name.sasl_ssl.plain.sasl.jaas.config="org.apache.kafka.common.security.plain.PlainLoginModule required user_beats=\"KafkaTest\";" \
     --override logs.dir=${KAFKA_LOGS_DIR} \
     --override log4j.logger.kafka=DEBUG,kafkaAppender \
     --override log.flush.interval.ms=200 \
@@ -42,12 +44,18 @@ wait_for_port 9092
 
 echo "Kafka load status code $?"
 
-# create a user beats with password KafkaTest, for use in client SASL authentication
+# create users beats with password KafkaTest, for use in client SASL authentication
 /kafka/bin/kafka-configs.sh \
 	--bootstrap-server localhost:9092 \
 	--alter --add-config 'SCRAM-SHA-512=[password=KafkaTest]' \
 	--entity-type users \
 	--entity-name beats
 
+/kafka/bin/kafka-configs.sh \
+	--bootstrap-server localhost:9092 \
+	--alter --add-config 'SCRAM-SHA-256=[password=KafkaTest]' \
+	--entity-type users \
+	--entity-name beats
+
 # Make sure the container keeps running
 tail -f /dev/null
