Add support fo OAUTHBEARER

Author: kenneth-jia

include/kafka/AdminClientConfig.h

@@ -27,17 +27,86 @@ class Config: public Properties
      * Protocol used to communicate with brokers.
      * Default value: plaintext
      */
-    static const constexpr char* SECURITY_PROTOCOL          = "security.protocol";
+    static const constexpr char* SECURITY_PROTOCOL            = "security.protocol";
+
+    /**
+     * SASL mechanism to use for authentication.
+     * Default value: GSSAPI
+     */
+    static const constexpr char* SASL_MECHANISM               = "sasl.mechanisms";
+
+    /**
+     * SASL username for use with the PLAIN and SASL-SCRAM-.. mechanism.
+     */
+    static const constexpr char* SASL_USERNAME                = "sasl.username";
+
+    /**
+     * SASL password for use with the PLAIN and SASL-SCRAM-.. mechanism.
+     */
+    static const constexpr char* SASL_PASSWORD                = "sasl.password";
 
     /**
      * Shell command to refresh or acquire the client's Kerberos ticket.
      */
-    static const constexpr char* SASL_KERBEROS_KINIT_CMD    = "sasl.kerberos.kinit.cmd";
+    static const constexpr char* SASL_KERBEROS_KINIT_CMD      = "sasl.kerberos.kinit.cmd";
 
     /**
      * The client's Kerberos principal name.
      */
-    static const constexpr char* SASL_KERBEROS_SERVICE_NAME = "sasl.kerberos.service.name";
+    static const constexpr char* SASL_KERBEROS_SERVICE_NAME   = "sasl.kerberos.service.name";
+
+    /**
+     * Set to "default" or "oidc" to control with login method to be used.
+     * If set to "oidc", the following properties must also be specified:
+     *     sasl.oauthbearer.client.id
+     *     sasl.oauthbearer.client.secret
+     *     sasl.oauthbearer.token.endpoint.url
+     * Default value: default
+     */
+    static const constexpr char* SASL_OAUTHBEARER_METHOD              = "sasl.oauthbearer.method";
+
+    /**
+     * Public identifier for the applicaition.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_CLIENT_ID           = "sasl.oauthbearer.client.id";
+
+    /**
+     * Client secret only known to the application and the authorization server.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_CLIENT_SECRET       = "sasl.oauthbearer.client.secret";
+
+    /**
+     * Allow additional information to be provided to the broker. Comma-separated list of key=value pairs.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_EXTENSIONS          = "sasl.oauthbearer.extensions";
+
+    /**
+     * Client use this to specify the scope of the access request to the broker.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_SCOPE               = "sasl.oauthbearer.scope";
+
+    /**
+     * OAuth/OIDC issuer token endpoint HTTP(S) URI used to retreve token.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL  = "sasl.oauthbearer.token.endpoint.url";
+
+    /**
+     * SASL/OAUTHBEARER configuration.
+     * The format is implementation-dependent and must be parsed accordingly.
+     */
+    static const constexpr char* SASL_OAUTHBEARER_CONFIG              = "sasl.oauthbearer.config";
+
+    /**
+     * Enable the builtin unsecure JWT OAUTHBEARER token handler if no oauthbearer_refresh_cb has been set.
+     * Should only be used for development or testing, and not in production.
+     * Default value: false
+     */
+    static const constexpr char* ENABLE_SASL_OAUTHBEARER_UNSECURE_JWT = "enable.sasl.oauthbearer.unsecure.jwt";
 };
 
 } } } // end of KAFKA_API::clients::admin

include/kafka/ConsumerConfig.h

@@ -94,21 +94,92 @@ class Config: public Properties
      * Default value: range,roundrobin
      */
     static const constexpr char* PARTITION_ASSIGNMENT_STRATEGY = "partition.assignment.strategy";
+
     /**
      * Protocol used to communicate with brokers.
      * Default value: plaintext
      */
-    static const constexpr char* SECURITY_PROTOCOL          = "security.protocol";
+    static const constexpr char* SECURITY_PROTOCOL            = "security.protocol";
+
+    /**
+     * SASL mechanism to use for authentication.
+     * Default value: GSSAPI
+     */
+    static const constexpr char* SASL_MECHANISM               = "sasl.mechanisms";
+
+    /**
+     * SASL username for use with the PLAIN and SASL-SCRAM-.. mechanism.
+     */
+    static const constexpr char* SASL_USERNAME                = "sasl.username";
+
+    /**
+     * SASL password for use with the PLAIN and SASL-SCRAM-.. mechanism.
+     */
+    static const constexpr char* SASL_PASSWORD                = "sasl.password";
 
     /**
      * Shell command to refresh or acquire the client's Kerberos ticket.
      */
-    static const constexpr char* SASL_KERBEROS_KINIT_CMD    = "sasl.kerberos.kinit.cmd";
+    static const constexpr char* SASL_KERBEROS_KINIT_CMD      = "sasl.kerberos.kinit.cmd";
 
     /**
      * The client's Kerberos principal name.
      */
-    static const constexpr char* SASL_KERBEROS_SERVICE_NAME = "sasl.kerberos.service.name";
+    static const constexpr char* SASL_KERBEROS_SERVICE_NAME   = "sasl.kerberos.service.name";
+
+    /**
+     * Set to "default" or "oidc" to control with login method to be used.
+     * If set to "oidc", the following properties must also be specified:
+     *     sasl.oauthbearer.client.id
+     *     sasl.oauthbearer.client.secret
+     *     sasl.oauthbearer.token.endpoint.url
+     * Default value: default
+     */
+    static const constexpr char* SASL_OAUTHBEARER_METHOD              = "sasl.oauthbearer.method";
+
+    /**
+     * Public identifier for the applicaition.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_CLIENT_ID           = "sasl.oauthbearer.client.id";
+
+    /**
+     * Client secret only known to the application and the authorization server.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_CLIENT_SECRET       = "sasl.oauthbearer.client.secret";
+
+    /**
+     * Allow additional information to be provided to the broker. Comma-separated list of key=value pairs.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_EXTENSIONS          = "sasl.oauthbearer.extensions";
+
+    /**
+     * Client use this to specify the scope of the access request to the broker.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_SCOPE               = "sasl.oauthbearer.scope";
+
+    /**
+     * OAuth/OIDC issuer token endpoint HTTP(S) URI used to retreve token.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL  = "sasl.oauthbearer.token.endpoint.url";
+
+    /**
+     * SASL/OAUTHBEARER configuration.
+     * The format is implementation-dependent and must be parsed accordingly.
+     */
+    static const constexpr char* SASL_OAUTHBEARER_CONFIG              = "sasl.oauthbearer.config";
+
+    /**
+     * Enable the builtin unsecure JWT OAUTHBEARER token handler if no oauthbearer_refresh_cb has been set.
+     * Should only be used for development or testing, and not in production.
+     * Default value: false
+     */
+    static const constexpr char* ENABLE_SASL_OAUTHBEARER_UNSECURE_JWT = "enable.sasl.oauthbearer.unsecure.jwt";
+
 };
 
 } } } // end of KAFKA_API::clients::consumer

include/kafka/KafkaClient.h

@@ -90,6 +90,16 @@ class KafkaClient
      */
     void setErrorCallback(ErrorCallback cb) { _errorCb = std::move(cb); }
 
+    /**
+     * Callback type for OAUTHBEARER token refresh.
+     */
+    using OauthbearerTokenRefreshCallback = std::function<SaslOauthbearerToken(const std::string&)>;
+
+    /**
+     * Set callback for OAUTHBEARER token refresh.
+     */
+    void setOauthbearerTokernRefreshCallback(OauthbearerTokenRefreshCallback cb) { _oauthbearerTokenRefreshCb = std::move(cb); }
+
     /**
      * Return the properties which took effect.
      */
@@ -220,10 +230,13 @@ class KafkaClient
 private:
     std::string         _clientId;
     std::string         _clientName;
+
     std::atomic<int>    _logLevel = {Log::Level::Notice};
     Logger              _logger;
-    StatsCallback       _statsCb;
-    ErrorCallback       _errorCb;
+
+    StatsCallback                   _statsCb;
+    ErrorCallback                   _errorCb;
+    OauthbearerTokenRefreshCallback _oauthbearerTokenRefreshCb;
 
     EventsPollingOption _eventsPollingOption;
     Interceptors        _interceptors;
@@ -245,6 +258,9 @@ class KafkaClient
     // Error callback (for librdkafka)
     static void errorCallback(rd_kafka_t* rk, int err, const char* reason, void* opaque);
 
+    // OAUTHBEARER Toker Refresh Callback (for librdkafka)
+    static void oauthbearerTokenRefreshCallback(rd_kafka_t* rk, const char* oauthbearerConfig, void* /*opaque*/);
+
     // Interceptor callback (for librdkafka)
     static rd_kafka_resp_err_t configInterceptorOnNew(rd_kafka_t* rk, const rd_kafka_conf_t* conf, void* opaque, char* errStr, std::size_t maxErrStrSize);
     static rd_kafka_resp_err_t interceptorOnThreadStart(rd_kafka_t* rk, rd_kafka_thread_type_t threadType, const char* threadName, void* opaque);
@@ -259,6 +275,9 @@ class KafkaClient
     // Error callback (for class instance)
     void onError(const Error& error);
 
+    // OAUTHBEARER Toker Refresh Callback (for class instance)
+    SaslOauthbearerToken onOauthbearerTokenRefresh(const std::string& oauthbearerConfig);
+
     // Interceptor callback (for class instance)
     void interceptThreadStart(const std::string& threadName, const std::string& threadType);
     void interceptThreadExit(const std::string& threadName, const std::string& threadType);
@@ -432,6 +451,9 @@ KafkaClient::KafkaClient(ClientType                     clientType,
     // Error Callback
     rd_kafka_conf_set_error_cb(rk_conf.get(), KafkaClient::errorCallback);
 
+    // OAUTHBEARER Toker Refresh Callback
+    rd_kafka_conf_set_oauthbearer_token_refresh_cb(rk_conf.get(), KafkaClient::oauthbearerTokenRefreshCallback);
+
     // Other Callbacks
     if (extraConfigRegister) extraConfigRegister(rk_conf.get());
 
@@ -442,6 +464,7 @@ KafkaClient::KafkaClient(ClientType                     clientType,
         KAFKA_THROW_IF_WITH_ERROR(result);
     }
 
+
     // Set client handler
     _rk.reset(rd_kafka_new((clientType == ClientType::KafkaConsumer ? RD_KAFKA_CONSUMER : RD_KAFKA_PRODUCER),
                            rk_conf.release(),  // rk_conf's ownship would be transferred to rk, after the "rd_kafka_new()" call
@@ -553,6 +576,17 @@ KafkaClient::onError(const Error& error)
     if (_errorCb) _errorCb(error);
 }
 
+inline SaslOauthbearerToken
+KafkaClient::onOauthbearerTokenRefresh(const std::string& oauthbearerConfig)
+{
+    if (!_oauthbearerTokenRefreshCb)
+    {
+        throw std::runtime_error("No OAUTHBEARER token refresh callback configured!");
+    }
+
+    return _oauthbearerTokenRefreshCb(oauthbearerConfig);
+}
+
 inline void
 KafkaClient::errorCallback(rd_kafka_t* rk, int err, const char* reason, void* /*opaque*/)
 {
@@ -573,6 +607,41 @@ KafkaClient::errorCallback(rd_kafka_t* rk, int err, const char* reason, void* /*
     kafkaClient(rk).onError(error);
 }
 
+inline void
+KafkaClient::oauthbearerTokenRefreshCallback(rd_kafka_t* rk, const char* oauthbearerConfig, void* /* opaque */)
+{
+    SaslOauthbearerToken oauthbearerToken;
+
+    try
+    {
+        oauthbearerToken = kafkaClient(rk).onOauthbearerTokenRefresh(oauthbearerConfig);
+    }
+    catch (const std::exception& e)
+    {
+        rd_kafka_oauthbearer_set_token_failure(rk, e.what());
+    }
+
+    LogBuffer<LOG_BUFFER_SIZE> errInfo;
+
+    std::vector<const char*> extensions;
+    extensions.reserve(oauthbearerToken.extensions.size() * 2);
+    for (const auto& kv: oauthbearerToken.extensions)
+    {
+        extensions.push_back(kv.first.c_str());
+        extensions.push_back(kv.second.c_str());
+    }
+
+    if (rd_kafka_oauthbearer_set_token(rk,
+                                       oauthbearerToken.value.c_str(),
+                                       oauthbearerToken.mdLifetime.count(),
+                                       oauthbearerToken.mdPrincipalName.c_str(),
+                                       extensions.data(), extensions.size(),
+                                       errInfo.str(), errInfo.capacity()) != RD_KAFKA_RESP_ERR_NO_ERROR)
+    {
+        rd_kafka_oauthbearer_set_token_failure(rk, errInfo.c_str());
+    }
+}
+
 inline void
 KafkaClient::interceptThreadStart(const std::string& threadName, const std::string& threadType)
 {

include/kafka/ProducerConfig.h

@@ -135,6 +135,22 @@ class Config: public Properties
      */
     static const constexpr char* SECURITY_PROTOCOL            = "security.protocol";
 
+    /**
+     * SASL mechanism to use for authentication.
+     * Default value: GSSAPI
+     */
+    static const constexpr char* SASL_MECHANISM               = "sasl.mechanisms";
+
+    /**
+     * SASL username for use with the PLAIN and SASL-SCRAM-.. mechanism.
+     */
+    static const constexpr char* SASL_USERNAME                = "sasl.username";
+
+    /**
+     * SASL password for use with the PLAIN and SASL-SCRAM-.. mechanism.
+     */
+    static const constexpr char* SASL_PASSWORD                = "sasl.password";
+
     /**
      * Shell command to refresh or acquire the client's Kerberos ticket.
      */
@@ -144,6 +160,59 @@ class Config: public Properties
      * The client's Kerberos principal name.
      */
     static const constexpr char* SASL_KERBEROS_SERVICE_NAME   = "sasl.kerberos.service.name";
+
+    /**
+     * Set to "default" or "oidc" to control with login method to be used.
+     * If set to "oidc", the following properties must also be specified:
+     *     sasl.oauthbearer.client.id
+     *     sasl.oauthbearer.client.secret
+     *     sasl.oauthbearer.token.endpoint.url
+     * Default value: default
+     */
+    static const constexpr char* SASL_OAUTHBEARER_METHOD              = "sasl.oauthbearer.method";
+
+    /**
+     * Public identifier for the applicaition.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_CLIENT_ID           = "sasl.oauthbearer.client.id";
+
+    /**
+     * Client secret only known to the application and the authorization server.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_CLIENT_SECRET       = "sasl.oauthbearer.client.secret";
+
+    /**
+     * Allow additional information to be provided to the broker. Comma-separated list of key=value pairs.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_EXTENSIONS          = "sasl.oauthbearer.extensions";
+
+    /**
+     * Client use this to specify the scope of the access request to the broker.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_SCOPE               = "sasl.oauthbearer.scope";
+
+    /**
+     * OAuth/OIDC issuer token endpoint HTTP(S) URI used to retreve token.
+     * Only used with "sasl.oauthbearer.method=oidc".
+     */
+    static const constexpr char* SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL  = "sasl.oauthbearer.token.endpoint.url";
+
+    /**
+     * SASL/OAUTHBEARER configuration.
+     * The format is implementation-dependent and must be parsed accordingly.
+     */
+    static const constexpr char* SASL_OAUTHBEARER_CONFIG              = "sasl.oauthbearer.config";
+
+    /**
+     * Enable the builtin unsecure JWT OAUTHBEARER token handler if no oauthbearer_refresh_cb has been set.
+     * Should only be used for development or testing, and not in production.
+     * Default value: false
+     */
+    static const constexpr char* ENABLE_SASL_OAUTHBEARER_UNSECURE_JWT = "enable.sasl.oauthbearer.unsecure.jwt";
 };
 
 } } } // end of KAFKA_API::clients::producer