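/*
Copyright 2021 The Dapr Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package kafka

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"

	"github.com/Shopify/sarama"
)

// updatePasswordAuthInfo enables SASL on config with the given credentials and
// picks the mechanism from metadata.SaslMechanism: "SHA-256" and "SHA-512"
// install a SCRAM client with the matching hash; every other value (including
// an empty one) falls back to SASL/PLAIN. The fallback is silent, so a
// misspelled mechanism name is not reported to the caller.
func updatePasswordAuthInfo(config *sarama.Config, metadata *kafkaMetadata, saslUsername, saslPassword string) {
	config.Net.SASL.Enable = true
	config.Net.SASL.User = saslUsername
	config.Net.SASL.Password = saslPassword
	switch metadata.SaslMechanism {
	case "SHA-256":
		config.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient { return &XDGSCRAMClient{HashGeneratorFcn: SHA256} }
		config.Net.SASL.Mechanism = sarama.SASLTypeSCRAMSHA256
	case "SHA-512":
		config.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient { return &XDGSCRAMClient{HashGeneratorFcn: SHA512} }
		config.Net.SASL.Mechanism = sarama.SASLTypeSCRAMSHA512
	default:
		// Unrecognized or unset mechanism: no SCRAM client is installed and
		// PLAIN is used. Validate metadata.SaslMechanism before calling if
		// a strict mechanism policy is required.
		config.Net.SASL.Mechanism = sarama.SASLTypePlaintext
	}
}

// updateMTLSAuthInfo loads the client certificate/key pair from metadata and
// attaches it to config.Net.TLS.Config so the broker can authenticate the
// client. It returns an error when TLS is disabled in metadata or the PEM
// pair cannot be parsed.
//
// updateTLSConfig only allocates Net.TLS.Config when a CA cert or skip-verify
// is set; for an mTLS setup that relies on the system trust store the pointer
// is still nil here, so a default *tls.Config (same MinVersion as
// updateTLSConfig uses) is created instead of dereferencing nil.
func updateMTLSAuthInfo(config *sarama.Config, metadata *kafkaMetadata) error {
	if metadata.TLSDisable {
		return errors.New("kafka: cannot configure mTLS authentication when TLSDisable is 'true'")
	}
	cert, err := tls.X509KeyPair([]byte(metadata.TLSClientCert), []byte(metadata.TLSClientKey))
	if err != nil {
		return fmt.Errorf("unable to load client certificate and key pair. Err: %w", err)
	}
	if config.Net.TLS.Config == nil {
		config.Net.TLS.Config = &tls.Config{MinVersion: tls.VersionTLS12}
	}
	config.Net.TLS.Config.Certificates = []tls.Certificate{cert}
	return nil
}

// updateTLSConfig enables or disables TLS on config from metadata.
//
// TLS is turned off when TLSDisable is set or AuthType is noAuthType.
// Otherwise TLS is enabled; a custom *tls.Config (MinVersion 1.2) is built
// only when TLSSkipVerify is set or a CA certificate is supplied, and the CA
// PEM, when present, becomes the sole root of trust. When neither is given,
// Net.TLS.Config stays nil and sarama's default TLS settings apply.
//
// TLSSkipVerify maps directly to InsecureSkipVerify, which disables server
// certificate validation entirely; the gosec suppression below covers that
// deliberate, metadata-driven choice.
func updateTLSConfig(config *sarama.Config, metadata *kafkaMetadata) error {
	if metadata.TLSDisable || metadata.AuthType == noAuthType {
		config.Net.TLS.Enable = false
		return nil
	}
	config.Net.TLS.Enable = true

	// Nothing to customize: keep the library defaults (nil Config).
	if !metadata.TLSSkipVerify && metadata.TLSCaCert == "" {
		return nil
	}

	//nolint:gosec
	tlsCfg := &tls.Config{InsecureSkipVerify: metadata.TLSSkipVerify, MinVersion: tls.VersionTLS12}
	if metadata.TLSCaCert != "" {
		roots := x509.NewCertPool()
		if !roots.AppendCertsFromPEM([]byte(metadata.TLSCaCert)) {
			return errors.New("kafka error: unable to load ca certificate")
		}
		tlsCfg.RootCAs = roots
	}
	config.Net.TLS.Config = tlsCfg

	return nil
}

// updateOidcAuthInfo configures SASL/OAUTHBEARER on config with a token source
// built from the OIDC fields in metadata. A supplied TLSCaCert is added to the
// token source's trust store; TLSSkipVerify is propagated to the token source
// as well (the field name suggests it disables CA verification for the token
// endpoint — confirm against oauthTokenSource). Returns an error if the CA
// cannot be added.
func updateOidcAuthInfo(config *sarama.Config, metadata *kafkaMetadata) error {
	tokenProvider := newOAuthTokenSource(metadata.OidcTokenEndpoint, metadata.OidcClientID, metadata.OidcClientSecret, metadata.OidcScopes)

	if metadata.TLSCaCert != "" {
		if err := tokenProvider.addCa(metadata.TLSCaCert); err != nil {
			return fmt.Errorf("kafka: error setting oauth client trusted CA: %w", err)
		}
	}

	tokenProvider.skipCaVerify = metadata.TLSSkipVerify

	config.Net.SASL.Enable = true
	config.Net.SASL.Mechanism = sarama.SASLTypeOAuth
	config.Net.SASL.TokenProvider = &tokenProvider

	return nil
}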