Add support for SSL authentication (certificate) (#1191)

* Add SchemaRegistry with SSL and certificate

* Fix conditional to add certificate and option for application manually provides the client certificates to the *Handler

* Renamed method from certificate to keystore to keep ubiquitous language

* Add a option to disable ssl verify for development purposes allowing to use self signed CA authorities

* Test for SSL Authentication

* keep naming convention consistent with librdkafka

* Fix bad merge

* Documentation improved

* Reverted unnecessary whitespace

Author: dinegri

src/Confluent.SchemaRegistry/CachedSchemaRegistryClient.cs

@@ -23,6 +23,7 @@
 using System.Linq;
 using System;
 using System.Threading;
+using System.Security.Cryptography.X509Certificates;
 using Confluent.Kafka;
 
 
@@ -74,6 +75,11 @@ public class CachedSchemaRegistryClient : ISchemaRegistryClient, IDisposable
         /// </summary>
         public const int DefaultMaxCachedSchemas = 1000;
 
+        /// <summary>
+        ///     The default SSL server certificate verification for Schema Registry REST API calls.
+        /// </summary>
+        public const bool DefaultEnableSslCertificateVerification = true;
+
         /// <summary>
         ///     The default key subject name strategy.
         /// </summary>
@@ -201,13 +207,22 @@ public CachedSchemaRegistryClient(IEnumerable<KeyValuePair<string, string>> conf
                     property.Key != SchemaRegistryConfig.PropertyNames.SchemaRegistryBasicAuthCredentialsSource &&
                     property.Key != SchemaRegistryConfig.PropertyNames.SchemaRegistryBasicAuthUserInfo &&
                     property.Key != SchemaRegistryConfig.PropertyNames.SchemaRegistryKeySubjectNameStrategy &&
-                    property.Key != SchemaRegistryConfig.PropertyNames.SchemaRegistryValueSubjectNameStrategy)
+                    property.Key != SchemaRegistryConfig.PropertyNames.SchemaRegistryValueSubjectNameStrategy &&
+                    property.Key != SchemaRegistryConfig.PropertyNames.SslCaLocation &&
+                    property.Key != SchemaRegistryConfig.PropertyNames.SslKeystoreLocation &&
+                    property.Key != SchemaRegistryConfig.PropertyNames.SslKeystorePassword &&
+                    property.Key != SchemaRegistryConfig.PropertyNames.EnableSslCertificateVerification)
                 {
                     throw new ArgumentException($"Unknown configuration parameter {property.Key}");
                 }
             }
 
-            this.restService = new RestService(schemaRegistryUris, timeoutMs, username, password);
+            var sslVerificationMaybe = config.FirstOrDefault(prop => prop.Key.ToLower() == SchemaRegistryConfig.PropertyNames.EnableSslCertificateVerification);
+            bool sslVerify;
+            try { sslVerify = sslVerificationMaybe.Value == null ? DefaultEnableSslCertificateVerification : bool.Parse(sslVerificationMaybe.Value); }
+            catch (FormatException) { throw new ArgumentException($"Configured value for {SchemaRegistryConfig.PropertyNames.EnableSslCertificateVerification} must be a bool."); }
+
+            this.restService = new RestService(schemaRegistryUris, timeoutMs, username, password, SetSslConfig(config), sslVerify);
         }
 
 
@@ -233,6 +248,31 @@ private bool CleanCacheIfFull()
             return false;
         }
 
+        /// <summary>
+        ///     Add certificates for SSL handshake.
+        /// </summary>
+        /// <param name="config">
+        ///     Configuration properties.
+        /// </param>
+        private List<X509Certificate2> SetSslConfig(IEnumerable<KeyValuePair<string, string>> config)
+        {
+            var certificates = new List<X509Certificate2>();
+
+            var certificateLocation = config.FirstOrDefault(prop => prop.Key.ToLower() == SchemaRegistryConfig.PropertyNames.SslKeystoreLocation).Value ?? "";
+            var certificatePassword = config.FirstOrDefault(prop => prop.Key.ToLower() == SchemaRegistryConfig.PropertyNames.SslKeystorePassword).Value ?? "";
+            if (!String.IsNullOrEmpty(certificateLocation))
+            {
+                certificates.Add(new X509Certificate2(certificateLocation, certificatePassword));
+            }
+
+            var caLocation = config.FirstOrDefault(prop => prop.Key.ToLower() == SchemaRegistryConfig.PropertyNames.SslCaLocation).Value ?? "";
+            if (!String.IsNullOrEmpty(caLocation))
+            {
+                certificates.Add(new X509Certificate2(caLocation));
+            }
+
+            return certificates;
+        }
 
         /// <inheritdoc/>
         public Task<int> GetSchemaIdAsync(string subject, string avroSchema)

src/Confluent.SchemaRegistry/Rest/RestService.cs

@@ -23,13 +23,13 @@
 using System.Net.Http;
 using System.Text;
 using System.Threading.Tasks;
-
+using System.Security.Cryptography.X509Certificates;
 
 namespace Confluent.SchemaRegistry
 {
     /// <remarks>
     ///     It may be useful to expose this publicly, but this is not
-    ///     required by the Avro serializers, so we will keep this internal 
+    ///     required by the Avro serializers, so we will keep this internal
     ///     for now to minimize documentation / risk of API change etc.
     /// </remarks>
     internal class RestService : IRestService
@@ -53,7 +53,7 @@ internal class RestService : IRestService
         /// <summary>
         ///     Initializes a new instance of the RestService class.
         /// </summary>
-        public RestService(string schemaRegistryUrl, int timeoutMs, string username, string password)
+        public RestService(string schemaRegistryUrl, int timeoutMs, string username, string password, List<X509Certificate2> certificates, bool enableSslCertificateVerification)
         {
             var authorizationHeader = username != null && password != null
                 ? new System.Net.Http.Headers.AuthenticationHeaderValue("Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes($"{username}:{password}")))
@@ -64,7 +64,16 @@ public RestService(string schemaRegistryUrl, int timeoutMs, string username, str
                 .Select(SanitizeUri)// need http or https - use http if not present.
                 .Select(uri =>
                 {
-                    var client = new HttpClient { BaseAddress = new Uri(uri, UriKind.Absolute), Timeout = TimeSpan.FromMilliseconds(timeoutMs) };
+                    HttpClient client;
+                    if (certificates.Count > 0)
+                    {
+                        client = new HttpClient(CreateHandler(certificates, enableSslCertificateVerification)) { BaseAddress = new Uri(uri, UriKind.Absolute), Timeout = TimeSpan.FromMilliseconds(timeoutMs) };
+                    }
+                    else
+                    {
+                        client = new HttpClient() { BaseAddress = new Uri(uri, UriKind.Absolute), Timeout = TimeSpan.FromMilliseconds(timeoutMs) };
+                    }
+
                     if (authorizationHeader != null) { client.DefaultRequestHeaders.Authorization = authorizationHeader; }
                     return client;
                 })
@@ -77,6 +86,20 @@ private static string SanitizeUri(string uri)
             return $"{sanitized.TrimEnd('/')}/";
         }
 
+        private static HttpClientHandler CreateHandler(List<X509Certificate2> certificates, bool enableSslCertificateVerification)
+        {
+            var handler = new HttpClientHandler();
+            handler.ClientCertificateOptions = ClientCertificateOption.Manual;
+
+            if (!enableSslCertificateVerification)
+            {
+                handler.ServerCertificateCustomValidationCallback = (httpRequestMessage, cert, certChain, policyErrors) => { return true; };
+            }
+
+            certificates.ForEach(c => handler.ClientCertificates.Add(c));
+            return handler;
+        }
+
         private RegisteredSchema SanitizeRegisteredSchema(RegisteredSchema schema)
         {
             if (schema.References == null)

src/Confluent.SchemaRegistry/SchemaRegistryConfig.cs

@@ -80,6 +80,27 @@ public static class PropertyNames
             /// </summary>
             [Obsolete("Subject name strategies should now be configured using the serializer's configuration. In the future, this configuration property will be removed from SchemaRegistryConfig")]
             public const string SchemaRegistryValueSubjectNameStrategy = "schema.registry.value.subject.name.strategy";
+
+            /// <summary>
+            ///     File path to CA certificate(s) for verifying the schema registry's key. it will use system CA certs if not provided
+            /// </summary>
+            public const string SslCaLocation = "schema.registry.ssl.ca.location";
+
+            /// <summary>
+            ///     SSL keystore (PKCS#12) location.
+            /// </summary>
+            public const string SslKeystoreLocation = "schema.registry.ssl.keystore.location";
+
+            /// <summary>
+            ///     SSL keystore (PKCS#12) password.
+            /// </summary>
+            public const string SslKeystorePassword = "schema.registry.ssl.keystore.password";
+
+            /// <summary>
+            ///     In scenarios of using a private and untrusted CA or in case of impossibility to add a private CA as trusted in system CA certs,
+            ///     it is possible to disable SSL verification but it only could be done in test/dev environments.
+            /// </summary>
+            public const string EnableSslCertificateVerification = "schema.registry.enable.ssl.certificate.verification";
         }
 
         /// <summary>
@@ -127,6 +148,53 @@ public int? RequestTimeoutMs
             set { SetObject(SchemaRegistryConfig.PropertyNames.SchemaRegistryRequestTimeoutMs, value.ToString()); }
         }
 
+        /// <summary>
+        ///     File or directory path to CA certificate(s) for verifying the schema registry's key.
+        ///
+        ///     default: ''
+        ///     importance: low
+        /// </summary>
+        public string SslCaLocation
+        {
+            get { return Get(SchemaRegistryConfig.PropertyNames.SslCaLocation); }
+            set { SetObject(SchemaRegistryConfig.PropertyNames.SslCaLocation, value.ToString()); }
+        }
+
+        /// <summary>
+        ///     Path to client's keystore (PKCS#12) used for authentication.
+        ///
+        ///     default: ''
+        ///     importance: low
+        /// </summary>
+        public string SslKeystoreLocation
+        {
+            get { return Get(SchemaRegistryConfig.PropertyNames.SslKeystoreLocation); }
+            set { SetObject(SchemaRegistryConfig.PropertyNames.SslKeystoreLocation, value.ToString()); }
+        }
+
+        /// <summary>
+        ///     Client's keystore (PKCS#12) password.
+        ///
+        ///     default: ''
+        ///     importance: low
+        /// </summary>
+        public string SslKeystorePassword
+        {
+            get { return Get(SchemaRegistryConfig.PropertyNames.SslKeystorePassword); }
+            set { SetObject(SchemaRegistryConfig.PropertyNames.SslKeystorePassword, value.ToString()); }
+        }
+
+        /// <summary>
+        ///     Enable/Disable SSL server certificate verification. Only use in contained test/dev environments.
+        ///
+        ///     default: ''
+        ///     importance: low
+        /// </summary>
+        public bool? EnableSslCertificateVerification
+        {
+            get { return GetBool(SchemaRegistryConfig.PropertyNames.EnableSslCertificateVerification); }
+            set { SetObject(SchemaRegistryConfig.PropertyNames.EnableSslCertificateVerification, value); }
+        }
 
         /// <summary>
         ///     Specifies the maximum number of schemas CachedSchemaRegistryClient

test/Confluent.SchemaRegistry.IntegrationTests/Confluent.SchemaRegistry.IntegrationTests.csproj

@@ -12,6 +12,9 @@
     <None Update="schema.registry.parameters.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
+    <None Update="secrets\**">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
   </ItemGroup>
 
   <ItemGroup>

test/Confluent.SchemaRegistry.IntegrationTests/Tests/Config.cs

@@ -4,7 +4,12 @@ public class Config
     {
         public string Server { get; set; }
         public string ServerWithAuth { get; set; }
+        public string ServerWithSsl { get; set; }
         public string Username { get; set; }
         public string Password { get; set; }
+        public string KeystoreLocation { get; set; }
+        public string KeystorePassword { get; set; }
+        public string CaLocation { get; set; }
+        public string EnableSslCertificateVerification { get; set; }
     }
 }

test/Confluent.SchemaRegistry.IntegrationTests/Tests/SslAuth.cs

@@ -0,0 +1,78 @@
+// Copyright 20 Confluent Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Refer to LICENSE for more information.
+
+using System;
+using System.Collections.Generic;
+using System.Net.Http;
+using Xunit;
+using Confluent.Kafka;
+
+
+namespace Confluent.SchemaRegistry.IntegrationTests
+{
+    public static partial class Tests
+    {
+        [Theory, MemberData(nameof(SchemaRegistryParameters))]
+        public static void SslAuth(Config config)
+        {
+            var testSchema1 =
+                "{\"type\":\"record\",\"name\":\"User\",\"namespace\":\"Confluent.Kafka.Examples.AvroSpecific" +
+                "\",\"fields\":[{\"name\":\"name\",\"type\":\"string\"},{\"name\":\"favorite_number\",\"type\":[\"i" +
+                "nt\",\"null\"]},{\"name\":\"favorite_color\",\"type\":[\"string\",\"null\"]}]}";
+
+            // 1. valid configuration cases
+
+            // 1.1. using SSL valid certificate.
+            var conf = new SchemaRegistryConfig
+            {
+                Url = config.ServerWithSsl,
+                SslKeystoreLocation = config.KeystoreLocation,
+                SslKeystorePassword = config.KeystorePassword,
+                SslCaLocation = config.CaLocation,
+                EnableSslCertificateVerification = bool.Parse(config.EnableSslCertificateVerification),
+            };
+
+            // some sanity checking of strongly typed config property name mappings.
+            Assert.Equal(config.ServerWithSsl, conf.Get("schema.registry.url"));
+
+            using (var sr = new CachedSchemaRegistryClient(conf))
+            {
+                var topicName = Guid.NewGuid().ToString();
+                var subject = SubjectNameStrategy.Topic.ToDelegate()(new SerializationContext(MessageComponentType.Value, topicName), null);
+                var id = sr.RegisterSchemaAsync(subject, testSchema1).Result;
+                var schema = sr.GetLatestSchemaAsync(subject).Result;
+                Assert.Equal(schema.Id, id);
+            }
+
+            // try to connect with invalid SSL config. shouldn't work.
+            Assert.Throws<HttpRequestException>(() =>
+            {
+                var sr = new CachedSchemaRegistryClient(new SchemaRegistryConfig { Url = config.ServerWithSsl });
+                var topicName = Guid.NewGuid().ToString();
+                var subject = SubjectNameStrategy.Topic.ConstructValueSubjectName(topicName, null);
+                try
+                {
+                    var id = sr.RegisterSchemaAsync(subject, testSchema1).Result;
+                }
+                catch (Exception e)
+                {
+                    throw e.InnerException;
+                }
+            });
+
+        }
+    }
+}

test/Confluent.SchemaRegistry.IntegrationTests/Tests/Tests.cs

@@ -47,8 +47,13 @@ public static IEnumerable<object[]> SchemaRegistryParameters()
                 var config = new Config();
                 config.Server = json["server"].ToString();
                 config.ServerWithAuth = json["server_with_auth"].ToString();
+                config.ServerWithSsl = json["server_with_ssl"].ToString();
                 config.Username = json["username"].ToString();
                 config.Password = json["password"].ToString();
+                config.KeystoreLocation = json["keystore_location"].ToString();
+                config.KeystorePassword = json["keystore_password"].ToString();
+                config.CaLocation = json["ca_location"].ToString();
+                config.EnableSslCertificateVerification = json["enable_ssl_certificate_verification"].ToString();
                 schemaRegistryParameters = new List<object[]> { new object[] { config } };
             }
             return schemaRegistryParameters;

test/Confluent.SchemaRegistry.IntegrationTests/docker-compose.yaml

@@ -8,6 +8,10 @@ services:
     image: confluentinc/cp-zookeeper
     environment:
       ZOOKEEPER_CLIENT_PORT: 2181
+  zookeeper_3:
+    image: confluentinc/cp-zookeeper
+    environment:
+      ZOOKEEPER_CLIENT_PORT: 2181
   kafka:
     image: confluentinc/cp-kafka
     depends_on:
@@ -28,6 +32,16 @@ services:
       KAFKA_INTER_BROKER_LISTENER_NAME: PLAINTEXT
       KAFKA_ZOOKEEPER_CONNECT: zookeeper_2:2181
       KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
+  kafka_3:
+    image: confluentinc/cp-kafka
+    depends_on:
+      - zookeeper_3
+    environment:
+      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT, PLAINTEXT_HOST:PLAINTEXT
+      KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka_3:9092, PLAINTEXT_HOST://localhost:29092
+      KAFKA_INTER_BROKER_LISTENER_NAME: PLAINTEXT
+      KAFKA_ZOOKEEPER_CONNECT: zookeeper_3:2181
+      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
   schema-registry:
     image: confluentinc/cp-schema-registry
     depends_on:
@@ -58,3 +72,24 @@ services:
       SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: PLAINTEXT://kafka_2:9092
       SCHEMA_REGISTRY_LISTENERS: http://0.0.0.0:8081
       SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL: zookeeper_2:2181
+  schema-registry_3:
+    image: confluentinc/cp-schema-registry
+    depends_on:
+      - zookeeper_3
+      - kafka_3
+    ports:
+      - 8083:8083
+    environment:
+      SCHEMA_REGISTRY_HOST_NAME: schema-registry
+      SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: PLAINTEXT://kafka_3:9092
+      SCHEMA_REGISTRY_LISTENERS: https://0.0.0.0:8083
+      SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL: zookeeper_3:2181
+      SCHEMA_REGISTRY_SSL_KEYSTORE_LOCATION: /etc/schema-registry/secrets/schema-registry.keystore.jks
+      SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD: cnf123
+      SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION: /etc/schema-registry/secrets/schema-registry.truststore.jks
+      SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD: cnf123
+      SCHEMA_REGISTRY_SSL_KEY_PASSWORD: cnf123
+      SCHEMA_REGISTRY_SCHEMA_REGISTRY_INTER_INSTANCE_PROTOCOL: https
+      SCHEMA_REGISTRY_SSL_CLIENT_AUTH: 'true'
+    volumes:
+      - ./secrets:/etc/schema-registry/secrets