From 3b3a9ad5cb5d0d869ca755052ccacd984d980aa1 Mon Sep 17 00:00:00 2001 From: Dana Powers Date: Wed, 18 Jun 2025 15:41:05 -0700 Subject: [PATCH 1/2] Fix construction of final GSSAPI authentication message --- kafka/sasl/gssapi.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kafka/sasl/gssapi.py b/kafka/sasl/gssapi.py index 6a4896585..c8e4f7cac 100644 --- a/kafka/sasl/gssapi.py +++ b/kafka/sasl/gssapi.py @@ -1,5 +1,7 @@ from __future__ import absolute_import +import struct + # needed for SASL_GSSAPI authentication: try: import gssapi @@ -68,8 +70,8 @@ def receive(self, auth_bytes): client_flags = self.SASL_QOP_AUTH server_flags = msg[0] message_parts = [ - bytes(client_flags & server_flags), - msg[:1], + struct.Struct('>b').pack(client_flags & server_flags), + msg[1:], self.auth_id.encode('utf-8'), ] # add authorization identity to the response, and GSS-wrap From e1ff73df3481f3f4fcb016fd9b74b57b34279a17 Mon Sep 17 00:00:00 2001 From: Dana Powers Date: Wed, 18 Jun 2025 15:53:46 -0700 Subject: [PATCH 2/2] fixup gssapi unit test --- test/sasl/test_gssapi.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/sasl/test_gssapi.py b/test/sasl/test_gssapi.py index 893414e37..aa1d86b9e 100644 --- a/test/sasl/test_gssapi.py +++ b/test/sasl/test_gssapi.py @@ -32,7 +32,7 @@ def mocked_message_wrapper(msg, *args): while not gssapi.is_done(): send_token = gssapi.auth_bytes() receive_token = send_token # not realistic, but enough for testing - if send_token == b'\x00cbar@foo': # final wrapped message + if send_token == b'\x01ompletebar@foo': # final wrapped message receive_token = b'' # final message gets an empty response gssapi.receive(receive_token) if client_ctx.step.call_count == 3: