
     1  // Copyright 2020 PingCAP, Inc.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // See the License for the specific language governing permissions and
    12  // limitations under the License.
    13  
    14  package security
    15  
    16  import (
    17  	"strings"
    18  
    19  	"github.com/IBM/sarama"
    20  	"github.com/pingcap/errors"
    21  )
    22  
// SASLMechanism names the SASL mechanism used for broker authentication.
// Its values are the mechanism strings sarama expects (see the constants
// below); the zero value is UnknownMechanism.
type SASLMechanism string
    25  
// The mechanisms we currently support. Every value other than
// UnknownMechanism is taken verbatim from sarama's SASLType* constants so it
// can be handed to the client configuration unchanged.
const (
	// UnknownMechanism means the SASL mechanism is unknown; it is the zero
	// value of SASLMechanism and what SASLMechanismFromString returns on error.
	UnknownMechanism SASLMechanism = ""
	// PlainMechanism means the SASL mechanism is PLAIN.
	PlainMechanism SASLMechanism = sarama.SASLTypePlaintext
	// SCRAM256Mechanism means the SASL mechanism is SCRAM-SHA-256.
	SCRAM256Mechanism SASLMechanism = sarama.SASLTypeSCRAMSHA256
	// SCRAM512Mechanism means the SASL mechanism is SCRAM-SHA-512.
	SCRAM512Mechanism SASLMechanism = sarama.SASLTypeSCRAMSHA512
	// GSSAPIMechanism means the SASL mechanism is GSSAPI (Kerberos).
	GSSAPIMechanism SASLMechanism = sarama.SASLTypeGSSAPI
	// OAuthMechanism means the SASL mechanism is OAUTHBEARER (OAuth2).
	OAuthMechanism SASLMechanism = sarama.SASLTypeOAuth
)
    41  
// SASLMechanismFromString converts a configuration string to a SASLMechanism.
// The match is case-insensitive and accepts "plain", "scram-sha-256",
// "scram-sha-512", "gssapi" and "oauthbearer". Any other input yields
// UnknownMechanism together with an error that echoes the input verbatim.
func SASLMechanismFromString(s string) (SASLMechanism, error) {
	// Lookup table keyed by the lower-cased spelling of each mechanism name.
	known := map[string]SASLMechanism{
		"plain":         PlainMechanism,
		"scram-sha-256": SCRAM256Mechanism,
		"scram-sha-512": SCRAM512Mechanism,
		"gssapi":        GSSAPIMechanism,
		"oauthbearer":   OAuthMechanism,
	}
	mechanism, ok := known[strings.ToLower(s)]
	if !ok {
		return UnknownMechanism, errors.Errorf("unknown %s SASL mechanism", s)
	}
	return mechanism, nil
}
    59  
// SASL holds the credentials and mechanism selection used for SASL
// authentication, plus the mechanism-specific settings for GSSAPI and OAuth2.
type SASL struct {
	// SASLUser and SASLPassword are the user-name/password pair; presumably
	// consumed by the PLAIN and SCRAM mechanisms — confirm against the caller.
	// NOTE(review): SASLPassword is a secret. Unlike GSSAPI below, this struct
	// carries no serialization tags, so confirm that any logging or
	// marshalling of a SASL value redacts it.
	SASLUser      string
	SASLPassword  string
	// SASLMechanism selects the mechanism; its zero value is UnknownMechanism.
	SASLMechanism SASLMechanism
	// GSSAPI carries the Kerberos settings, relevant when SASLMechanism is
	// GSSAPIMechanism.
	GSSAPI        GSSAPI
	// OAuth2 carries the OAuth2 client settings, relevant when SASLMechanism
	// is OAuthMechanism.
	OAuth2        OAuth2
}
    68  
// OAuth2 holds the parameters needed for the SASL OAUTHBEARER mechanism.
// ClientID, ClientSecret and TokenURL are required (enforced by Validate);
// Scopes, GrantType and Audience are optional, and GrantType is given a
// default by SetDefault.
type OAuth2 struct {
	// ClientID identifies the client at the token endpoint.
	ClientID     string
	// ClientSecret authenticates the client at the token endpoint.
	// NOTE(review): this is a secret; confirm callers redact it when logging
	// or serializing the struct.
	ClientSecret string
	// TokenURL is the token endpoint. Validate only checks that it is
	// non-empty, not its scheme.
	TokenURL     string
	// Scopes, if set, are the scopes requested from the token endpoint.
	Scopes       []string
	// GrantType is the OAuth2 grant; SetDefault assigns "client_credentials".
	GrantType    string
	// Audience is the optional audience value passed along with the request.
	Audience     string
}
    78  
// Validate reports an error when any of the required OAuth2 fields
// (ClientID, ClientSecret, TokenURL) is empty, checking them in that order
// and returning the first failure. Scopes, GrantType and Audience are not
// checked here.
//
// NOTE(review): TokenURL is only checked for presence, not for its scheme.
// The client secret is presumably sent to that endpoint, so confirm where
// the value is consumed that the transport is TLS.
func (o *OAuth2) Validate() error {
	// Required fields paired with the message reported when they are missing.
	required := []struct {
		value string
		msg   string
	}{
		{o.ClientID, "OAuth2 client id is empty"},
		{o.ClientSecret, "OAuth2 client secret is empty"},
		{o.TokenURL, "OAuth2 token url is empty"},
	}
	for _, field := range required {
		if field.value == "" {
			return errors.New(field.msg)
		}
	}
	return nil
}
    93  
// SetDefault fills in the default OAuth2 settings. Only GrantType has a
// default, "client_credentials", and it is assigned unconditionally.
//
// NOTE(review): because the assignment is unconditional, calling SetDefault
// after user configuration has been applied would overwrite a user-chosen
// GrantType — confirm the call order at the call site.
func (o *OAuth2) SetDefault() {
	const defaultGrantType = "client_credentials"
	o.GrantType = defaultGrantType
}
    98  
// IsEnable reports whether any OAuth2 setting has been provided: it is true
// as soon as one of ClientID, ClientSecret or TokenURL is non-empty.
// Scopes, GrantType and Audience do not affect the result, so a partially
// filled configuration counts as enabled (Validate would then reject it).
func (o *OAuth2) IsEnable() bool {
	for _, field := range []string{o.ClientID, o.ClientSecret, o.TokenURL} {
		if field != "" {
			return true
		}
	}
	return false
}
   104  
// GSSAPIAuthType defines how the GSSAPI (Kerberos) client authenticates:
// with a user password or with a keytab file. Its zero value is UnknownAuth.
type GSSAPIAuthType int
   107  
// Supported GSSAPI authentication types. The non-zero values mirror sarama's
// KRB5_* constants so they can be passed to the client configuration as-is.
const (
	// UnknownAuth means the auth type is unknown; it is the zero value and
	// what AuthTypeFromString returns on error.
	UnknownAuth GSSAPIAuthType = 0
	// UserAuth means the client authenticates with a user-name/password pair.
	UserAuth GSSAPIAuthType = sarama.KRB5_USER_AUTH
	// KeyTabAuth means the client authenticates with a keytab file.
	KeyTabAuth GSSAPIAuthType = sarama.KRB5_KEYTAB_AUTH
)
   116  
// AuthTypeFromString converts a configuration string to a GSSAPIAuthType.
// The match is case-insensitive and accepts "user" and "keytab"; any other
// input yields UnknownAuth together with an error that echoes the input.
func AuthTypeFromString(s string) (GSSAPIAuthType, error) {
	lowered := strings.ToLower(s)
	if lowered == "user" {
		return UserAuth, nil
	}
	if lowered == "keytab" {
		return KeyTabAuth, nil
	}
	return UnknownAuth, errors.Errorf("unknown %s auth type", s)
}
   128  
// GSSAPI holds the parameters needed for the SASL GSSAPI (Kerberos) mechanism.
// Unlike SASL and OAuth2, every field carries toml/json tags, so the whole
// struct — including Password — round-trips through those encoders in clear
// text; confirm that callers never emit it in logs or API responses.
type GSSAPI struct {
	// AuthType selects UserAuth (Username/Password) or KeyTabAuth (KeyTabPath).
	AuthType           GSSAPIAuthType `toml:"sasl-gssapi-auth-type" json:"sasl-gssapi-auth-type"`
	// KeyTabPath is the path to the keytab file used by KeyTabAuth; the file
	// itself is a credential and should be protected accordingly.
	KeyTabPath         string         `toml:"sasl-gssapi-keytab-path" json:"sasl-gssapi-keytab-path"`
	// KerberosConfigPath is the path to the Kerberos client configuration
	// (krb5.conf-style) file.
	KerberosConfigPath string         `toml:"sasl-gssapi-kerberos-config-path" json:"sasl-gssapi-kerberos-config-path"`
	// ServiceName is the Kerberos service name of the broker principal.
	ServiceName        string         `toml:"sasl-gssapi-service-name" json:"sasl-gssapi-service-name"`
	// Username is the Kerberos principal name used by UserAuth.
	Username           string         `toml:"sasl-gssapi-user" json:"sasl-gssapi-user"`
	// Password is the secret for Username under UserAuth. NOTE(review): it is
	// serialized by the tags above; confirm it is redacted wherever this
	// struct is marshalled.
	Password           string         `toml:"sasl-gssapi-password" json:"sasl-gssapi-password"`
	// Realm is the Kerberos realm of the principal.
	Realm              string         `toml:"sasl-gssapi-realm" json:"sasl-gssapi-realm"`
	// DisablePAFXFAST presumably maps to sarama's flag of the same name that
	// turns off the PA-FX-FAST pre-authentication option — confirm against
	// the consumer before relying on it.
	DisablePAFXFAST    bool           `toml:"sasl-gssapi-disable-pafxfast" json:"sasl-gssapi-disable-pafxfast"`
}