Implement share consumer support for OAUTHBEARER with background callback handling and enhance related tests

Author: Ankith-Confluent

.semaphore/run-sasl-tests.yml

@@ -43,20 +43,20 @@ blocks:
               value: "False"
           commands:
             - if [[ "$TEST_TYPE" != *"plaintext"* ]]; then exit 0; fi
-            - if [[ "$TEST_SASL" == "OAUTHBEARER" ]]; then (cd tests && python3 sasl_test.py --kraft --suite "OAuth/OIDC" ${TEST_KAFKA_GIT_REF:-4.2.0}) && echo "OIDC tests (0126) PASSED" || { echo "OIDC tests (0126) FAILED"; exit 1; }; fi
             - 'export TEST_TRIVUP_PARAMETERS=''--conf ["connections.max.reauth.ms=10000"]'''
             - 'if [[ "$TEST_SASL" == "OAUTHBEARER" ]]; then export TEST_TRIVUP_PARAMETERS=''--oidc --conf ["connections.max.reauth.ms=10000"]''; fi'
             - ./tests/run-all-tests.sh
+            - if [[ "$TEST_SASL" == "OAUTHBEARER" ]]; then (cd tests && echo "TESTS=0126 make 2>&1; exit" | python3 interactive_broker_version.py --kraft --sasl OAUTHBEARER --oauthbearer-method OIDC ${TEST_KAFKA_GIT_REF:-4.2.0}) && echo "OIDC tests (0126) PASSED" || { echo "OIDC tests (0126) FAILED"; exit 1; }; fi
         - name: "SASL SSL cluster (x86_64)"
           env_vars:
             - name: TEST_SSL
               value: "True"
           commands:
             - if [[ "$TEST_TYPE" != *"ssl"* ]]; then exit 0; fi
-            - if [[ "$TEST_SASL" == "OAUTHBEARER" ]]; then (cd tests && python3 sasl_test.py --kraft --suite "OAuth/OIDC" ${TEST_KAFKA_GIT_REF:-4.2.0}) && echo "OIDC tests (0126) PASSED" || { echo "OIDC tests (0126) FAILED"; exit 1; }; fi
             - 'export TEST_TRIVUP_PARAMETERS=''--conf ["connections.max.reauth.ms=10000"]'''
             - 'if [[ "$TEST_SASL" == "OAUTHBEARER" ]]; then export TEST_TRIVUP_PARAMETERS=''--oidc --conf ["connections.max.reauth.ms=10000"]''; fi'
             - ./tests/run-all-tests.sh
+            - if [[ "$TEST_SASL" == "OAUTHBEARER" ]]; then (cd tests && echo "TESTS=0126 make 2>&1; exit" | python3 interactive_broker_version.py --kraft --sasl OAUTHBEARER --oauthbearer-method OIDC ${TEST_KAFKA_GIT_REF:-4.2.0}) && echo "OIDC tests (0126) PASSED" || { echo "OIDC tests (0126) FAILED"; exit 1; }; fi
   - name: "Run SASL tests (aarch64)"
     dependencies: []
     task:
@@ -73,17 +73,17 @@ blocks:
               value: "False"
           commands:
             - if [[ "$TEST_TYPE" != *"plaintext"* ]]; then exit 0; fi
-            - if [[ "$TEST_SASL" == "OAUTHBEARER" ]]; then (cd tests && python3 sasl_test.py --kraft --suite "OAuth/OIDC" ${TEST_KAFKA_GIT_REF:-4.2.0}) && echo "OIDC tests (0126) PASSED" || { echo "OIDC tests (0126) FAILED"; exit 1; }; fi
             - 'export TEST_TRIVUP_PARAMETERS=''--conf ["connections.max.reauth.ms=10000"]'''
             - 'if [[ "$TEST_SASL" == "OAUTHBEARER" ]]; then export TEST_TRIVUP_PARAMETERS=''--oidc --conf ["connections.max.reauth.ms=10000"]''; fi'
             - ./tests/run-all-tests.sh
+            - if [[ "$TEST_SASL" == "OAUTHBEARER" ]]; then (cd tests && echo "TESTS=0126 make 2>&1; exit" | python3 interactive_broker_version.py --kraft --sasl OAUTHBEARER --oauthbearer-method OIDC ${TEST_KAFKA_GIT_REF:-4.2.0}) && echo "OIDC tests (0126) PASSED" || { echo "OIDC tests (0126) FAILED"; exit 1; }; fi
         - name: "SASL SSL cluster (aarch64)"
           env_vars:
             - name: TEST_SSL
               value: "True"
           commands:
             - if [[ "$TEST_TYPE" != *"ssl"* ]]; then exit 0; fi
-            - if [[ "$TEST_SASL" == "OAUTHBEARER" ]]; then (cd tests && python3 sasl_test.py --kraft --suite "OAuth/OIDC" ${TEST_KAFKA_GIT_REF:-4.2.0}) && echo "OIDC tests (0126) PASSED" || { echo "OIDC tests (0126) FAILED"; exit 1; }; fi
             - 'export TEST_TRIVUP_PARAMETERS=''--conf ["connections.max.reauth.ms=10000"]'''
             - 'if [[ "$TEST_SASL" == "OAUTHBEARER" ]]; then export TEST_TRIVUP_PARAMETERS=''--oidc --conf ["connections.max.reauth.ms=10000"]''; fi'
             - ./tests/run-all-tests.sh
+            - if [[ "$TEST_SASL" == "OAUTHBEARER" ]]; then (cd tests && echo "TESTS=0126 make 2>&1; exit" | python3 interactive_broker_version.py --kraft --sasl OAUTHBEARER --oauthbearer-method OIDC ${TEST_KAFKA_GIT_REF:-4.2.0}) && echo "OIDC tests (0126) PASSED" || { echo "OIDC tests (0126) FAILED"; exit 1; }; fi

src/rdkafka.h

@@ -3699,6 +3699,26 @@ RD_EXPORT
 rd_kafka_error_t *rd_kafka_sasl_background_callbacks_enable(rd_kafka_t *rk);
 
 
+/**
+ * @brief Enable SASL background callbacks for a share consumer.
+ *
+ * This is a convenience wrapper around
+ * rd_kafka_sasl_background_callbacks_enable() for share consumers.
+ * It forwards the SASL queue to the background thread so that
+ * OAUTHBEARER token refresh callbacks are served automatically.
+ *
+ * @param rkshare Share consumer instance.
+ *
+ * @returns NULL on success or an error object on failure.
+ *
+ * @sa rd_kafka_sasl_background_callbacks_enable()
+ * @sa rd_kafka_conf_set_oauthbearer_token_refresh_cb()
+ */
+RD_EXPORT
+rd_kafka_error_t *
+rd_kafka_share_sasl_background_callbacks_enable(rd_kafka_share_t *rkshare);
+
+
 /**
  * @brief Sets SASL credentials used for SASL PLAIN and SCRAM mechanisms by
  *        this Kafka client.

src/rdkafka_sasl.c

@@ -476,6 +476,12 @@ rd_kafka_error_t *rd_kafka_sasl_background_callbacks_enable(rd_kafka_t *rk) {
 }
 
 
+rd_kafka_error_t *
+rd_kafka_share_sasl_background_callbacks_enable(rd_kafka_share_t *rkshare) {
+        return rd_kafka_sasl_background_callbacks_enable(rkshare->rkshare_rk);
+}
+
+
 /**
  * Global SASL termination.
  */

tests/0022-consume_batch.c

@@ -193,6 +193,59 @@ static void do_test_consume_batch_oauthbearer_cb(void) {
 
         rd_kafka_destroy(rk);
 }
+
+
+static rd_bool_t share_refresh_called = rd_false;
+
+static void share_refresh_cb(rd_kafka_t *rk,
+                              const char *oauthbearer_config,
+                              void *opaque) {
+        TEST_SAY("Share consumer refresh callback called\n");
+        TEST_ASSERT(!share_refresh_called);
+        share_refresh_called = rd_true;
+        rd_kafka_oauthbearer_set_token_failure(rk, "Refresh called");
+}
+
+/**
+ * @brief Verify that the oauthbearer_refresh_cb() is triggered
+ *        when using rd_kafka_share_consume_batch() with a share consumer.
+ */
+static void do_test_share_consume_batch_oauthbearer_cb(void) {
+        rd_kafka_share_t *rk;
+        rd_kafka_conf_t *conf;
+        rd_kafka_message_t *rkms[1];
+        size_t rcvd = 0;
+        rd_kafka_error_t *err;
+        char errstr[512];
+
+        SUB_TEST_QUICK();
+
+        share_refresh_called = rd_false;
+
+        conf = rd_kafka_conf_new();
+        test_conf_set(conf, "security.protocol", "sasl_plaintext");
+        test_conf_set(conf, "sasl.mechanism", "OAUTHBEARER");
+        test_conf_set(conf, "group.id", "share-oauthbearer-cb-test");
+        rd_kafka_conf_set_oauthbearer_token_refresh_cb(conf,
+                                                        share_refresh_cb);
+
+        /* Create share consumer */
+        rk = rd_kafka_share_consumer_new(conf, errstr, sizeof(errstr));
+        TEST_ASSERT(rk, "Failed to create share consumer: %s", errstr);
+
+        /* Poll to trigger the token refresh callback */
+        err = rd_kafka_share_consume_batch(rk, 1000, rkms, &rcvd);
+        if (err)
+                rd_kafka_error_destroy(err);
+
+        TEST_SAY("share_refresh_called = %d\n", share_refresh_called);
+        TEST_ASSERT(share_refresh_called,
+                    "Expected refresh callback to have been called "
+                    "for share consumer");
+
+        rd_kafka_share_consumer_close(rk);
+        rd_kafka_share_destroy(rk);
+}
 #endif
 
 
@@ -272,6 +325,7 @@ int main_0022_consume_batch(int argc, char **argv) {
 int main_0022_consume_batch_local(int argc, char **argv) {
 #if WITH_SASL_OAUTHBEARER
         do_test_consume_batch_oauthbearer_cb();
+        do_test_share_consume_batch_oauthbearer_cb();
 #else
         TEST_SKIP("No OAUTHBEARER support\n");
 #endif

tests/0126-oauthbearer_oidc.c

@@ -94,6 +94,95 @@ do_test_produce_consumer_with_OIDC(const char *test_name,
 }
 
 
+/**
+ * @brief After config OIDC, make sure the share consumer
+ *        can work successfully.
+ */
+static void
+do_test_produce_share_consumer_with_OIDC(const char *test_name,
+                                 const rd_kafka_conf_t *base_conf) {
+        const char *topic;
+        rd_kafka_t *p1;
+        rd_kafka_share_t *sc1;
+        rd_kafka_conf_t *conf;
+        rd_kafka_topic_partition_list_t *subs;
+        rd_kafka_message_t *batch[500];
+        const char *grp_conf[] = {"share.auto.offset.reset", "SET", "earliest"};
+        int consumed = 0, attempts;
+        const int msg_cnt = 10;
+
+        const char *url = test_getenv("VALID_OIDC_URL", NULL);
+
+        SUB_TEST(
+            "Test share consumer with oidc configuration: %s", test_name);
+
+        if (!url) {
+                SUB_TEST_SKIP(
+                    "VALID_OIDC_URL environment variable is not set\n");
+                return;
+        }
+
+        conf = rd_kafka_conf_dup(base_conf);
+        test_conf_set(conf, "sasl.oauthbearer.token.endpoint.url", url);
+
+        rd_kafka_conf_set_dr_msg_cb(conf, test_dr_msg_cb);
+
+        p1 = test_create_handle(RD_KAFKA_PRODUCER, conf);
+
+        topic = test_mk_topic_name("0126-oauthbearer_oidc_share", 1);
+        test_create_topic_wait_exists(p1, topic, 1, 3, 5000);
+        TEST_SAY("Topic: %s is created\n", topic);
+
+        test_produce_msgs_easy(topic, 0, 0, msg_cnt);
+
+        /* Create share consumer (picks up SASL config from test_conf_init) */
+        sc1 = test_create_share_consumer("oidc-share-group");
+
+        /* Set group config for earliest offset */
+        test_IncrementalAlterConfigs_simple(
+            p1, RD_KAFKA_RESOURCE_GROUP, "oidc-share-group", grp_conf, 1);
+
+        /* Subscribe */
+        subs = rd_kafka_topic_partition_list_new(1);
+        rd_kafka_topic_partition_list_add(subs, topic, RD_KAFKA_PARTITION_UA);
+        rd_kafka_share_subscribe(sc1, subs);
+        rd_kafka_topic_partition_list_destroy(subs);
+
+        /* Give it some time to trigger the token refresh. */
+        rd_usleep(5 * 1000 * 1000, NULL);
+
+        /* Consume messages */
+        attempts = 50;
+        while (consumed < msg_cnt && attempts-- > 0) {
+                size_t rcvd = 0;
+                size_t m;
+                rd_kafka_error_t *err;
+
+                err = rd_kafka_share_consume_batch(sc1, 3000, batch, &rcvd);
+                if (err) {
+                        rd_kafka_error_destroy(err);
+                        continue;
+                }
+
+                for (m = 0; m < rcvd; m++) {
+                        if (!batch[m]->err)
+                                consumed++;
+                        rd_kafka_message_destroy(batch[m]);
+                }
+        }
+
+        TEST_ASSERT(consumed == msg_cnt,
+                    "Expected %d messages, consumed %d", msg_cnt, consumed);
+        TEST_SAY("Share consumer consumed %d/%d messages with OIDC\n",
+                 consumed, msg_cnt);
+
+        rd_kafka_share_consumer_close(sc1);
+        rd_kafka_share_destroy(sc1);
+        rd_kafka_destroy(p1);
+        SUB_TEST_PASS();
+}
+
+
 static void
 auth_error_cb(rd_kafka_t *rk, int err, const char *reason, void *opaque) {
         if (err == RD_KAFKA_RESP_ERR__AUTHENTICATION ||
@@ -149,6 +238,59 @@ static void do_test_produce_consumer_with_OIDC_expired_token_should_fail(
 }
 
 
+/**
+ * @brief After config OIDC with expired token, make sure the share consumer
+ *        authentication fails as expected.
+ */
+static void
+do_test_produce_share_consumer_with_OIDC_expired_token_should_fail(
+    const rd_kafka_conf_t *base_conf) {
+        rd_kafka_share_t *sc1;
+        rd_kafka_conf_t *conf;
+        rd_kafka_message_t *batch[10];
+        size_t rcvd = 0;
+        rd_kafka_error_t *err;
+        char errstr[512];
+
+        const char *expired_url = test_getenv("EXPIRED_TOKEN_OIDC_URL", NULL);
+
+        SUB_TEST("Test OAUTHBEARER/OIDC share consumer failing with "
+                 "expired JWT");
+
+        if (!expired_url) {
+                SUB_TEST_SKIP(
+                    "EXPIRED_TOKEN_OIDC_URL environment variable is not "
+                    "set\n");
+                return;
+        }
+
+        conf = rd_kafka_conf_dup(base_conf);
+
+        error_seen = rd_false;
+        test_conf_set(conf, "sasl.oauthbearer.token.endpoint.url",
+                      expired_url);
+        test_conf_set(conf, "group.id", "oidc-share-fail");
+
+        rd_kafka_conf_set_error_cb(conf, auth_error_cb);
+
+        sc1 = rd_kafka_share_consumer_new(conf, errstr, sizeof(errstr));
+        TEST_ASSERT(sc1, "Failed to create share consumer: %s", errstr);
+
+        /* Poll — should trigger auth error callback, no messages expected */
+        err = rd_kafka_share_consume_batch(sc1, 10 * 1000, batch, &rcvd);
+        if (err)
+                rd_kafka_error_destroy(err);
+
+        TEST_ASSERT(error_seen,
+                    "Expected authentication error for share consumer "
+                    "with expired token");
+
+        rd_kafka_share_consumer_close(sc1);
+        rd_kafka_share_destroy(sc1);
+        SUB_TEST_PASS();
+}
+
+
 /**
  * @brief After configiguring OIDC, make sure the
  *        authentication fails as expected.
@@ -233,6 +375,58 @@ do_test_produce_consumer_with_OIDC_should_fail_invalid_token_endpoint(
         SUB_TEST_PASS();
 }
 
+
+/**
+ * @brief After config OIDC with invalid token endpoint, make sure the
+ *        share consumer authentication fails as expected.
+ */
+static void
+do_test_produce_share_consumer_with_OIDC_should_fail_invalid_token_endpoint(
+    const rd_kafka_conf_t *base_conf) {
+        rd_kafka_share_t *sc1;
+        rd_kafka_conf_t *conf;
+        rd_kafka_message_t *batch[10];
+        size_t rcvd = 0;
+        rd_kafka_error_t *err;
+        char errstr[512];
+
+        const char *invalid_url = test_getenv("INVALID_OIDC_URL", NULL);
+
+        SUB_TEST("Test OAUTHBEARER/OIDC share consumer failing with "
+                 "invalid JWT");
+
+        if (!invalid_url) {
+                SUB_TEST_SKIP(
+                    "INVALID_OIDC_URL environment variable is not set\n");
+                return;
+        }
+
+        conf = rd_kafka_conf_dup(base_conf);
+
+        error_seen = rd_false;
+        test_conf_set(conf, "sasl.oauthbearer.token.endpoint.url",
+                      invalid_url);
+        test_conf_set(conf, "group.id", "oidc-share-fail-invalid");
+
+        rd_kafka_conf_set_error_cb(conf, auth_error_cb);
+
+        sc1 = rd_kafka_share_consumer_new(conf, errstr, sizeof(errstr));
+        TEST_ASSERT(sc1, "Failed to create share consumer: %s", errstr);
+
+        /* Poll — should trigger auth error callback, no messages expected */
+        err = rd_kafka_share_consume_batch(sc1, 10 * 1000, batch, &rcvd);
+        if (err)
+                rd_kafka_error_destroy(err);
+
+        TEST_ASSERT(error_seen,
+                    "Expected authentication error for share consumer "
+                    "with invalid token endpoint");
+
+        rd_kafka_share_consumer_close(sc1);
+        rd_kafka_share_destroy(sc1);
+        SUB_TEST_PASS();
+}
+
 typedef enum oidc_configuration_jwt_bearer_variation_t {
         /** Use a private key file. */
         OIDC_CONFIGURATION_JWT_BEARER_VARIATION_PRIVATE_KEY_FILE,
@@ -516,9 +710,13 @@ int main_0126_oauthbearer_oidc(int argc, char **argv) {
         }
 
         do_test_produce_consumer_with_OIDC("client_credentials", conf);
+        do_test_produce_share_consumer_with_OIDC("client_credentials", conf);
         do_test_produce_consumer_with_OIDC_should_fail_invalid_token_endpoint(
             conf);
+        do_test_produce_share_consumer_with_OIDC_should_fail_invalid_token_endpoint(
+            conf);
         do_test_produce_consumer_with_OIDC_expired_token_should_fail(conf);
+        do_test_produce_share_consumer_with_OIDC_expired_token_should_fail(conf);
         do_test_produce_consumer_with_OIDC_jwt_bearer(conf);
         do_test_produce_consumer_with_OIDC_metadata_authentication(conf);