github.com/1aal/kubeblocks@v0.0.0-20231107070852-e1c03e598921/pkg/lorry/engines/kafka/auth.go (about)

     1  /*
     2  Copyright 2021 The Dapr Authors
     3  Licensed under the Apache License, Version 2.0 (the "License");
     4  you may not use this file except in compliance with the License.
     5  You may obtain a copy of the License at
     6      http://www.apache.org/licenses/LICENSE-2.0
     7  Unless required by applicable law or agreed to in writing, software
     8  distributed under the License is distributed on an "AS IS" BASIS,
     9  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    10  See the License for the specific language governing permissions and
    11  limitations under the License.
    12  */
    13  
    14  package kafka
    15  
    16  import (
    17  	"crypto/tls"
    18  	"crypto/x509"
    19  	"errors"
    20  	"fmt"
    21  
    22  	"github.com/Shopify/sarama"
    23  )
    24  
// updatePasswordAuthInfo enables SASL on config with the given username and
// password and selects the mechanism named by metadata.SaslMechanism:
// "SHA-256" and "SHA-512" select SCRAM with the matching XDG SCRAM client;
// any other value (including the empty string) falls back to SASL/PLAIN.
//
// With PLAIN the credentials travel unhashed inside the SASL exchange, so the
// fallback relies on the TLS settings applied elsewhere (updateTLSConfig) for
// confidentiality; callers that require SCRAM should validate the mechanism
// name before calling, because a misspelled value is not reported. In the
// PLAIN case config.Net.SASL.SCRAMClientGeneratorFunc is left untouched.
func updatePasswordAuthInfo(config *sarama.Config, metadata *kafkaMetadata, saslUsername, saslPassword string) {
	sasl := &config.Net.SASL
	sasl.Enable = true
	sasl.User = saslUsername
	sasl.Password = saslPassword

	var mechanism sarama.SASLMechanism
	var newSCRAMClient func() sarama.SCRAMClient
	switch metadata.SaslMechanism {
	case "SHA-256":
		mechanism = sarama.SASLTypeSCRAMSHA256
		newSCRAMClient = func() sarama.SCRAMClient { return &XDGSCRAMClient{HashGeneratorFcn: SHA256} }
	case "SHA-512":
		mechanism = sarama.SASLTypeSCRAMSHA512
		newSCRAMClient = func() sarama.SCRAMClient { return &XDGSCRAMClient{HashGeneratorFcn: SHA512} }
	default:
		mechanism = sarama.SASLTypePlaintext
	}

	// Only the SCRAM mechanisms install a client generator; PLAIN does not
	// clear one that may already be present.
	if newSCRAMClient != nil {
		sasl.SCRAMClientGeneratorFunc = newSCRAMClient
	}
	sasl.Mechanism = mechanism
}
    40  
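// updateMTLSAuthInfo installs the client certificate from metadata.TLSClientCert
// and metadata.TLSClientKey into config so the broker can authenticate this
// client with mTLS.
//
// It returns an error when metadata.TLSDisable is set (mTLS cannot run over a
// plaintext connection) or when the PEM pair cannot be parsed. The certificate
// is stored in config.Net.TLS.Config.Certificates; if config.Net.TLS.Config has
// not been allocated yet, a config with MinVersion TLS 1.2 is created so the
// assignment does not dereference a nil pointer. This function does not set
// config.Net.TLS.Enable; TLS is switched on separately (see updateTLSConfig).
func updateMTLSAuthInfo(config *sarama.Config, metadata *kafkaMetadata) error {
	if metadata.TLSDisable {
		return errors.New("kafka: cannot configure mTLS authentication when TLSDisable is 'true'")
	}
	cert, err := tls.X509KeyPair([]byte(metadata.TLSClientCert), []byte(metadata.TLSClientKey))
	if err != nil {
		return fmt.Errorf("unable to load client certificate and key pair. Err: %w", err)
	}
	// config.Net.TLS.Config is a *tls.Config that sarama leaves nil by default,
	// and updateTLSConfig only allocates it when a custom CA or skip-verify is
	// requested. Without this guard, mTLS against the system trust store would
	// panic on the assignment below. MinVersion mirrors updateTLSConfig.
	if config.Net.TLS.Config == nil {
		config.Net.TLS.Config = &tls.Config{MinVersion: tls.VersionTLS12}
	}
	config.Net.TLS.Config.Certificates = []tls.Certificate{cert}
	return nil
}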
    52  
// updateTLSConfig decides whether the broker connection uses TLS and builds
// config.Net.TLS.Config from metadata.
//
// TLS is switched off when metadata.TLSDisable is set or metadata.AuthType is
// noAuthType; config.Net.TLS.Config is not touched in that case. Otherwise TLS
// is enabled and:
//   - with neither TLSSkipVerify nor a TLSCaCert, Config is left as it was
//     (nil on a fresh sarama config), so the system trust store applies;
//   - otherwise a new tls.Config with MinVersion TLS 1.2 replaces whatever was
//     there, InsecureSkipVerify follows TLSSkipVerify, and a non-empty
//     TLSCaCert is parsed as PEM into RootCAs.
//
// Two consequences worth knowing: TLSSkipVerify disables chain and hostname
// verification even when a CA is supplied, and the replacement drops any
// Certificates previously stored on config.Net.TLS.Config, so this should run
// before updateMTLSAuthInfo rather than after it.
//
// It returns an error when TLSCaCert is set but yields no parsable PEM
// certificate; the new Config has already been assigned at that point.
func updateTLSConfig(config *sarama.Config, metadata *kafkaMetadata) error {
	tlsNet := &config.Net.TLS

	if metadata.TLSDisable || metadata.AuthType == noAuthType {
		tlsNet.Enable = false
		return nil
	}
	tlsNet.Enable = true

	customConfig := metadata.TLSSkipVerify || metadata.TLSCaCert != ""
	if !customConfig {
		// Nothing to customise: verification uses the system roots.
		return nil
	}

	//nolint:gosec
	tlsConf := &tls.Config{
		InsecureSkipVerify: metadata.TLSSkipVerify,
		MinVersion:         tls.VersionTLS12,
	}
	tlsNet.Config = tlsConf

	if ca := metadata.TLSCaCert; ca != "" {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM([]byte(ca)) {
			return errors.New("kafka error: unable to load ca certificate")
		}
		tlsConf.RootCAs = pool
	}

	return nil
}
    75  
// updateOidcAuthInfo configures SASL/OAUTHBEARER on config, using an OAuth
// token source built from metadata.OidcTokenEndpoint, OidcClientID,
// OidcClientSecret and OidcScopes.
//
// When metadata.TLSCaCert is set it is handed to the token source as a trusted
// CA for the token endpoint, and a failure to load it is returned as an error.
// The token source's skipCaVerify flag mirrors metadata.TLSSkipVerify; with
// that flag set the supplied CA presumably has no effect on endpoint
// verification — confirm against newOAuthTokenSource. Broker-side TLS settings
// are not changed here.
func updateOidcAuthInfo(config *sarama.Config, metadata *kafkaMetadata) error {
	src := newOAuthTokenSource(
		metadata.OidcTokenEndpoint,
		metadata.OidcClientID,
		metadata.OidcClientSecret,
		metadata.OidcScopes,
	)

	if ca := metadata.TLSCaCert; ca != "" {
		if err := src.addCa(ca); err != nil {
			return fmt.Errorf("kafka: error setting oauth client trusted CA: %w", err)
		}
	}
	src.skipCaVerify = metadata.TLSSkipVerify

	sasl := &config.Net.SASL
	sasl.Enable = true
	sasl.Mechanism = sarama.SASLTypeOAuth
	sasl.TokenProvider = &src

	return nil
}