#419 - Add authentication switches to traffic-gen + docs

[cristian-porta]

Add a selectable authentication mechanism with username/password options, validate credential handling, and apply those credentials to both SMTP (including STARTTLS re-EHLO and AUTH PLAIN negotiation) and HTTP injection requests in traffic-gen

• cli: new --auth option (ValueEnum) with plain value, --auth-username and --auth-password.
• SMTP flow: stable EHLO domain, STARTTLS + re-EHLO per RFC 3207, check AUTH capability post-TLS, perform AUTH PLAIN
• New helpers in mod smtp_auth:
  • require_auth_mech_in(mechs: &str, mech: AuthMechanism); verify server advertises requested mech
  • do_smtp_auth(client, mech, mechs, creds); central dispatch for mechanism specific auth logic (currently handles PLAIN)
    Helpers are intentionally isolated to avoid impacting the HTTP path
• HTTP: uses auth_credentials()? for reqwest basic_auth
• Documented the new authentication workflow, including the requirement to pair credentials with --starttls and support for HTTP basic auth

Locally tested with both:

kumo.on('smtp_server_auth_plain', function(authz, authc, password, conn_meta)
  local password_database = {
    ['daniel'] = 'tiger',
  }
  if password == '' then
    return false
  end
  return password_database[authc] == password
end)

-- Use this to lookup and confirm a user/password credential
-- used with the http endpoint
kumo.on('http_server_validate_auth_basic', function(user, password)
  local password_database = {
    ['daniel'] = 'tiger',
  }
  if password == '' then
    return false
  end
  return password_database[user] == password
end)

via:

./target/release/traffic-gen --target http://<your.sink.server>:8000 --concurrency 1 --message-count 1 --body-size 1000 --domain example.com --domain-suffix '' --header "$(echo -e 'X-Test: a\r\n b\r\n')" --header "X-Tenant: 7006175" --auth plain --auth-username daniel --auth-password tiger --starttls --http

./target/release/traffic-gen --target <your.sink.server>:25 --concurrency 1 --message-count 1 --body-size 1000 --domain example.com --domain-suffix '' --header "$(echo -e 'X-Test: a\r\n b\r\n')" --header "X-Tenant: 7006175" --auth plain --auth-username daniel --auth-password tiger --starttls

and other combinations

[wez]

Thanks for this! I think making it a bit simpler is the way to go for now; we don't support other mechanisms yet, and I feel like if/when we do add other mechanisms, we'll want to change the code around a bit to accommodate those.

For now taking out the explicit mechanism selection helps keep things a bit lighter and easier to read.

[wez]

This is actually a server side policy and I think it is overly restrictive to encode this check here. For example, we often find that folks use traffic-gen against their existing non-kumo infrastructure when evaluating and performing comparisons, and those non-kumo deployments may have no such policy in place.

It feels more flexible to me to avoid encoding this sort of policy in this particular client

Suggested change

	if requested_auth.is_some() && !self.starttls {
	anyhow::bail!("--starttls must be specified when authenticating to SMTP targets");
	}

[cristian-porta]

So... I've simplified the SMTP auth and connection flow as you suggested ( keep it simple crx :) )

• STARTTLS handling now just upgrades when advertised, without enforcing any client-side policy following your point that this is a server-side decision
• AUTH has been reduced to PLAIN implementation, if it's advertised I use it, otherwise I continue without authentication and print a warning
• I also tightened up the error handling on authenticaion without dumping the full SMTP response
• Added a small runtime guard for username/password pairing
• Doc in testing.md updated

hope this keeps the code much cleaner and behaviorally consistent with your feedback

[wez]

I think we can simplify this a bit more; there's more code than I think is strictly necessary here!