feat: support GSSAPI SASL authentication

Closes #12.

Author: kezhuw

Cargo.toml

@@ -35,6 +35,7 @@ derive-where = "1.2.7"
 tokio-rustls = "0.26.0"
 fastrand = "2.0.2"
 tracing = "0.1.40"
+rsasl = { version = "2.0.1", default-features = false, features = ["provider", "gssapi", "config_builder", "registry_static", "std"] }
 
 [dev-dependencies]
 test-log = { version = "0.2.15", features = ["log", "trace"] }

README.md

@@ -79,9 +79,6 @@ latch.create("/app/data", b"data", &zk::CreateMode::Ephemeral.with_acls(zk::Acls
 
 For more examples, see [zookeeper.rs](tests/zookeeper.rs).
 
-## TODO
-* [ ] Sasl authentication
-
 ## License
 The MIT License (MIT). See [LICENSE](LICENSE) for the full license text.
 

src/client/mod.rs

@@ -45,6 +45,7 @@ use crate::proto::{
 };
 pub use crate::proto::{EnsembleUpdate, Stat};
 use crate::record::{self, Record, StaticRecord};
+use crate::sasl::SaslOptions;
 use crate::session::StateReceiver;
 pub use crate::session::{EventType, SessionId, SessionInfo, SessionState, WatchedEvent};
 use crate::tls::TlsOptions;
@@ -1538,6 +1539,7 @@ pub(crate) struct Version(u32, u32, u32);
 #[derive(Clone, Debug)]
 pub struct Connector {
     tls: Option<TlsOptions>,
+    sasl: Option<SaslOptions>,
     authes: Vec<AuthPacket>,
     session: Option<SessionInfo>,
     readonly: bool,
@@ -1553,6 +1555,7 @@ impl Connector {
     fn new() -> Self {
         Self {
             tls: None,
+            sasl: None,
             authes: Default::default(),
             session: None,
             readonly: false,
@@ -1624,6 +1627,12 @@ impl Connector {
         self
     }
 
+    /// Specifies SASL options.
+    pub fn sasl(&mut self, options: impl Into<SaslOptions>) -> &mut Self {
+        self.sasl = Some(options.into());
+        self
+    }
+
     /// Fail session establishment eagerly with [Error::NoHosts] when all hosts has been tried.
     ///
     /// This permits fail-fast without wait up to [Self::session_timeout] in [Self::connect]. This
@@ -1657,6 +1666,7 @@ impl Connector {
             self.readonly,
             self.detached,
             tls_config,
+            self.sasl.take(),
             self.session_timeout,
             self.connection_timeout,
         );

src/lib.rs

@@ -6,6 +6,7 @@ mod endpoint;
 mod error;
 mod proto;
 mod record;
+mod sasl;
 mod session;
 mod tls;
 mod util;
@@ -14,3 +15,4 @@ pub use self::acl::{Acl, Acls, AuthId, AuthUser, Permission};
 pub use self::error::Error;
 pub use self::tls::TlsOptions;
 pub use crate::client::*;
+pub use crate::sasl::{GssapiSaslOptions, SaslOptions};

src/record.rs

@@ -422,16 +422,44 @@ impl<'a> DeserializableRecord<'a> for &'a [u8] {
     type Error = InsufficientBuf;
 
     fn deserialize(buf: &mut ReadingBuf<'a>) -> Result<&'a [u8], Self::Error> {
+        Option::<&[u8]>::deserialize(buf).map(|opt| opt.unwrap_or_default())
+    }
+}
+
+impl SerializableRecord for Option<&[u8]> {
+    fn serialize(&self, buf: &mut dyn BufMut) {
+        match self {
+            None => buf.put_i32(-1),
+            Some(bytes) => bytes.serialize(buf),
+        }
+    }
+}
+
+impl DynamicRecord for Option<&[u8]> {
+    fn serialized_len(&self) -> usize {
+        match self {
+            None => 4,
+            Some(bytes) => 4 + bytes.len(),
+        }
+    }
+}
+
+impl<'a> DeserializableRecord<'a> for Option<&'a [u8]> {
+    type Error = InsufficientBuf;
+
+    fn deserialize(buf: &mut ReadingBuf<'a>) -> Result<Option<&'a [u8]>, Self::Error> {
         let n = i32::deserialize(buf)?;
-        if n <= 0 {
-            return Ok(Default::default());
+        if n < 0 {
+            return Ok(None);
+        } else if n == 0 {
+            return Ok(Some(Default::default()));
         } else if n > buf.len() as i32 {
             return Err(InsufficientBuf);
         }
         let n = n as usize;
         let bytes = unsafe { buf.get_unchecked(..n) };
         unsafe { *buf = buf.get_unchecked(n..) };
-        Ok(bytes)
+        Ok(Some(bytes))
     }
 }
 

src/sasl.rs

@@ -0,0 +1,149 @@
+use std::borrow::Cow;
+
+use rsasl::callback::{Context, Request, SessionCallback, SessionData};
+use rsasl::mechanisms::gssapi::properties::GssService;
+use rsasl::prelude::*;
+use rsasl::property::Hostname;
+
+use crate::error::Error;
+
+pub(crate) type Result<T, E = crate::error::Error> = std::result::Result<T, E>;
+
+#[derive(Clone, Debug)]
+enum SaslInnerOptions {
+    Gssapi(GssapiSaslOptions),
+}
+
+impl From<GssapiSaslOptions> for SaslOptions {
+    fn from(options: GssapiSaslOptions) -> Self {
+        Self(SaslInnerOptions::Gssapi(options))
+    }
+}
+
+/// Client side SASL options.
+#[derive(Clone, Debug)]
+pub struct SaslOptions(SaslInnerOptions);
+
+impl SaslOptions {
+    /// Constructs a default [GssapiSaslOptions] for further customization.
+    ///
+    /// Make sure localhost is granted by Kerberos KDC, unlike Java counterpart this library
+    /// provides no mean to grant ticket from KDC but simply utilizes whatever the ticket cache
+    /// have.
+    pub fn gssapi() -> GssapiSaslOptions {
+        GssapiSaslOptions::new()
+    }
+
+    pub(crate) fn new_session(&self, hostname: &str) -> Result<SaslSession> {
+        match &self.0 {
+            SaslInnerOptions::Gssapi(options) => {
+                struct GssapiOptionsProvider {
+                    username: Cow<'static, str>,
+                    hostname: Cow<'static, str>,
+                }
+                impl SessionCallback for GssapiOptionsProvider {
+                    fn callback(
+                        &self,
+                        _session_data: &SessionData,
+                        _context: &Context,
+                        request: &mut Request<'_>,
+                    ) -> Result<(), SessionError> {
+                        if request.is::<Hostname>() {
+                            request.satisfy::<Hostname>(&self.hostname)?;
+                        } else if request.is::<GssService>() {
+                            request.satisfy::<GssService>(&self.username)?;
+                        }
+                        Ok(())
+                    }
+                }
+                let provider = GssapiOptionsProvider {
+                    username: options.username.clone(),
+                    hostname: options.hostname_or(hostname),
+                };
+                let config = SASLConfig::builder().with_defaults().with_callback(provider).unwrap();
+                let client = SASLClient::new(config);
+                let session = client.start_suggested(&[Mechname::parse(b"GSSAPI").unwrap()]).unwrap();
+                SaslSession::new(session)
+            },
+        }
+    }
+}
+
+pub struct SaslSession {
+    output: Vec<u8>,
+    session: Session,
+    finished: bool,
+}
+
+impl SaslSession {
+    fn new(session: Session) -> Result<Self> {
+        let mut session = Self { session, output: Default::default(), finished: false };
+        if session.session.are_we_first() {
+            session.step(Default::default())?;
+        }
+        Ok(session)
+    }
+
+    pub fn name(&self) -> &str {
+        self.session.get_mechname().as_str()
+    }
+
+    pub fn initial(&self) -> &[u8] {
+        &self.output
+    }
+
+    pub fn step(&mut self, challenge: &[u8]) -> Result<Option<&[u8]>> {
+        if self.finished {
+            return Err(Error::UnexpectedError(format!("SASL {} session already finished", self.name())));
+        }
+        self.output.clear();
+        match self.session.step(Some(challenge), &mut self.output).map_err(|e| Error::other(format!("{e}"), e))? {
+            State::Running => Ok(Some(&self.output)),
+            State::Finished(MessageSent::Yes) => {
+                self.finished = true;
+                Ok(Some(&self.output))
+            },
+            State::Finished(MessageSent::No) => {
+                self.finished = true;
+                Ok(None)
+            },
+        }
+    }
+}
+
+/// GSSAPI SASL options.
+#[derive(Clone, Debug)]
+pub struct GssapiSaslOptions {
+    username: Cow<'static, str>,
+    hostname: Option<Cow<'static, str>>,
+}
+
+impl GssapiSaslOptions {
+    fn new() -> Self {
+        Self { username: Cow::from("zookeeper"), hostname: None }
+    }
+
+    /// Specifies the primary part of Kerberos principal.
+    ///
+    /// It is `zookeeper.sasl.client.username` in Java client, but the word "client" is misleading
+    /// as it is the username of targeting server.
+    ///
+    /// Defaults to "zookeeper".
+    pub fn with_username(self, username: impl Into<Cow<'static, str>>) -> Self {
+        Self { username: username.into(), ..self }
+    }
+
+    /// Specifies the instance part of Kerberos principal.
+    ///
+    /// Defaults to hostname or ip of targeting server in connecting string.
+    pub fn with_hostname(self, hostname: impl Into<Cow<'static, str>>) -> Self {
+        Self { hostname: Some(hostname.into()), ..self }
+    }
+
+    fn hostname_or(&self, hostname: &str) -> Cow<'static, str> {
+        match self.hostname.as_ref() {
+            None => Cow::Owned(hostname.to_string()),
+            Some(hostname) => hostname.clone(),
+        }
+    }
+}

src/session/depot.rs

@@ -22,6 +22,9 @@ pub struct Depot {
     writing_operations: VecDeque<Operation>,
     written_operations: HashMap<i32, SessionOperation>,
 
+    sasl: bool,
+    pending_operations: VecDeque<SessionOperation>,
+
     watching_paths: HashMap<(&'static str, WatchMode), usize>,
     unwatching_paths: HashMap<(&'static str, WatchMode), SessionOperation>,
 }
@@ -31,10 +34,12 @@ impl Depot {
         let writing_capacity = 128usize;
         Depot {
             xid: Default::default(),
+            sasl: false,
             pending_authes: Vec::with_capacity(5),
             writing_slices: Vec::with_capacity(writing_capacity),
             writing_operations: VecDeque::with_capacity(writing_capacity),
             written_operations: HashMap::with_capacity(128),
+            pending_operations: Default::default(),
             watching_paths: HashMap::with_capacity(32),
             unwatching_paths: HashMap::with_capacity(32),
         }
@@ -43,23 +48,30 @@ impl Depot {
     pub fn for_connecting() -> Depot {
         Depot {
             xid: Default::default(),
+            sasl: false,
             pending_authes: Default::default(),
             writing_slices: Vec::with_capacity(10),
             writing_operations: VecDeque::with_capacity(10),
             written_operations: HashMap::with_capacity(10),
+            pending_operations: VecDeque::with_capacity(10),
             watching_paths: HashMap::new(),
             unwatching_paths: HashMap::new(),
         }
     }
 
     /// Clear all buffered operations from previous run.
     pub fn clear(&mut self) {
+        self.xid = Default::default();
+        self.sasl = false;
         self.pending_authes.clear();
         self.writing_slices.clear();
         self.watching_paths.clear();
         self.unwatching_paths.clear();
         self.writing_operations.clear();
         self.written_operations.clear();
+        self.pending_operations.clear();
+        self.watching_paths.clear();
+        self.unwatching_paths.clear();
     }
 
     /// Error out ongoing operations except authes.
@@ -97,7 +109,7 @@ impl Depot {
 
     /// Check whether there is any ongoing operations.
     pub fn is_empty(&self) -> bool {
-        self.writing_operations.is_empty() && self.written_operations.is_empty()
+        self.writing_operations.is_empty() && self.written_operations.is_empty() && self.pending_operations.is_empty()
     }
 
     pub fn pop_request(&mut self, xid: i32) -> Result<SessionOperation, Error> {
@@ -107,11 +119,21 @@ impl Depot {
         }
     }
 
-    fn push_request(&mut self, mut operation: SessionOperation) {
-        operation.request.set_xid(self.xid.next());
+    fn write_session(&mut self, mut operation: SessionOperation) {
+        if operation.request.get_xid() == 0 {
+            operation.request.set_xid(self.xid.next());
+        }
         self.push_operation(Operation::Session(operation));
     }
 
+    fn push_request(&mut self, operation: SessionOperation) {
+        if self.sasl {
+            self.pending_operations.push_back(operation);
+            return;
+        }
+        self.write_session(operation);
+    }
+
     pub fn pop_ping(&mut self) -> Result<(), Error> {
         self.pop_request(PredefinedXid::Ping.into()).map(|_| ())
     }
@@ -122,6 +144,19 @@ impl Depot {
         self.writing_slices.push(IoSlice::new(buf));
     }
 
+    pub fn push_sasl(&mut self, token: &[u8]) {
+        let operation = SessionOperation::new(OpCode::Sasl, &Some(token));
+        self.write_session(operation);
+        self.sasl = true;
+    }
+
+    pub fn complete_sasl(&mut self) {
+        self.sasl = false;
+        while let Some(operation) = self.pending_operations.pop_front() {
+            self.write_session(operation);
+        }
+    }
+
     pub fn has_pending_writes(&self) -> bool {
         !self.writing_slices.is_empty()
     }