use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthenticationPlain in project strimzi by strimzi.
the class AuthenticationUtils method configureClientAuthenticationVolumes.
/**
* Creates the Volumes used for authentication of Kafka client based components
*
* @param authentication Authentication object from CRD
* @param volumeList List where the volumes will be added
* @param oauthVolumeNamePrefix Prefix used for OAuth volumes
* @param isOpenShift Indicates whether we run on OpenShift or not
* @param volumeNamePrefix Prefix used for volume names
* @param createOAuthSecretVolumes Indicates whether OAuth secret volumes will be added to the list
*/
public static void configureClientAuthenticationVolumes(KafkaClientAuthentication authentication, List<Volume> volumeList, String oauthVolumeNamePrefix, boolean isOpenShift, String volumeNamePrefix, boolean createOAuthSecretVolumes) {
if (authentication != null) {
if (authentication instanceof KafkaClientAuthenticationTls) {
KafkaClientAuthenticationTls tlsAuth = (KafkaClientAuthenticationTls) authentication;
addNewVolume(volumeList, volumeNamePrefix, tlsAuth.getCertificateAndKey().getSecretName(), isOpenShift);
} else if (authentication instanceof KafkaClientAuthenticationPlain) {
KafkaClientAuthenticationPlain passwordAuth = (KafkaClientAuthenticationPlain) authentication;
addNewVolume(volumeList, volumeNamePrefix, passwordAuth.getPasswordSecret().getSecretName(), isOpenShift);
} else if (authentication instanceof KafkaClientAuthenticationScram) {
KafkaClientAuthenticationScram scramAuth = (KafkaClientAuthenticationScram) authentication;
addNewVolume(volumeList, volumeNamePrefix, scramAuth.getPasswordSecret().getSecretName(), isOpenShift);
} else if (authentication instanceof KafkaClientAuthenticationOAuth) {
KafkaClientAuthenticationOAuth oauth = (KafkaClientAuthenticationOAuth) authentication;
volumeList.addAll(configureOauthCertificateVolumes(oauthVolumeNamePrefix, oauth.getTlsTrustedCertificates(), isOpenShift));
if (createOAuthSecretVolumes) {
if (oauth.getClientSecret() != null) {
addNewVolume(volumeList, volumeNamePrefix, oauth.getClientSecret().getSecretName(), isOpenShift);
}
if (oauth.getAccessToken() != null) {
addNewVolume(volumeList, volumeNamePrefix, oauth.getAccessToken().getSecretName(), isOpenShift);
}
if (oauth.getRefreshToken() != null) {
addNewVolume(volumeList, volumeNamePrefix, oauth.getRefreshToken().getSecretName(), isOpenShift);
}
}
}
}
}
use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthenticationPlain in project strimzi by strimzi.
the class KafkaMirrorMaker2Cluster method getEnvVars.
@SuppressWarnings({ "checkstyle:CyclomaticComplexity", "checkstyle:NPathComplexity" })
@Override
protected List<EnvVar> getEnvVars() {
List<EnvVar> varList = super.getEnvVars();
final StringBuilder clusterAliases = new StringBuilder();
final StringBuilder clustersTrustedCerts = new StringBuilder();
boolean hasClusterWithTls = false;
final StringBuilder clustersTlsAuthCerts = new StringBuilder();
final StringBuilder clustersTlsAuthKeys = new StringBuilder();
final StringBuilder clustersSaslPasswordFiles = new StringBuilder();
boolean hasClusterOauthTrustedCerts = false;
final StringBuilder clustersOauthClientSecrets = new StringBuilder();
final StringBuilder clustersOauthAccessTokens = new StringBuilder();
final StringBuilder clustersOauthRefreshTokens = new StringBuilder();
for (KafkaMirrorMaker2ClusterSpec mirrorMaker2Cluster : clusters) {
String clusterAlias = mirrorMaker2Cluster.getAlias();
if (clusterAliases.length() > 0) {
clusterAliases.append(";");
}
clusterAliases.append(clusterAlias);
if (mirrorMaker2Cluster.getTls() != null) {
hasClusterWithTls = true;
}
getClusterTrustedCerts(clustersTrustedCerts, mirrorMaker2Cluster, clusterAlias);
KafkaClientAuthentication authentication = mirrorMaker2Cluster.getAuthentication();
if (authentication != null) {
if (authentication instanceof KafkaClientAuthenticationTls) {
KafkaClientAuthenticationTls tlsAuth = (KafkaClientAuthenticationTls) authentication;
if (tlsAuth.getCertificateAndKey() != null) {
appendCluster(clustersTlsAuthCerts, clusterAlias, () -> tlsAuth.getCertificateAndKey().getSecretName() + "/" + tlsAuth.getCertificateAndKey().getCertificate());
appendCluster(clustersTlsAuthKeys, clusterAlias, () -> tlsAuth.getCertificateAndKey().getSecretName() + "/" + tlsAuth.getCertificateAndKey().getKey());
}
} else if (authentication instanceof KafkaClientAuthenticationPlain) {
KafkaClientAuthenticationPlain passwordAuth = (KafkaClientAuthenticationPlain) authentication;
appendClusterPasswordSecretSource(clustersSaslPasswordFiles, clusterAlias, passwordAuth.getPasswordSecret());
} else if (authentication instanceof KafkaClientAuthenticationScram) {
KafkaClientAuthenticationScram passwordAuth = (KafkaClientAuthenticationScram) authentication;
appendClusterPasswordSecretSource(clustersSaslPasswordFiles, clusterAlias, passwordAuth.getPasswordSecret());
} else if (authentication instanceof KafkaClientAuthenticationOAuth) {
KafkaClientAuthenticationOAuth oauth = (KafkaClientAuthenticationOAuth) authentication;
if (oauth.getTlsTrustedCertificates() != null && !oauth.getTlsTrustedCertificates().isEmpty()) {
hasClusterOauthTrustedCerts = true;
}
appendClusterOAuthSecretSource(clustersOauthClientSecrets, clusterAlias, oauth.getClientSecret());
appendClusterOAuthSecretSource(clustersOauthAccessTokens, clusterAlias, oauth.getAccessToken());
appendClusterOAuthSecretSource(clustersOauthRefreshTokens, clusterAlias, oauth.getRefreshToken());
}
}
}
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_CLUSTERS, clusterAliases.toString()));
if (hasClusterWithTls) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_TLS_CLUSTERS, "true"));
}
if (clustersTrustedCerts.length() > 0) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_TRUSTED_CERTS_CLUSTERS, clustersTrustedCerts.toString()));
}
if (clustersTlsAuthCerts.length() > 0 || clustersTlsAuthKeys.length() > 0) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_TLS_AUTH_CLUSTERS, "true"));
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_TLS_AUTH_CERTS_CLUSTERS, clustersTlsAuthCerts.toString()));
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_TLS_AUTH_KEYS_CLUSTERS, clustersTlsAuthKeys.toString()));
}
if (clustersSaslPasswordFiles.length() > 0) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_SASL_PASSWORD_FILES_CLUSTERS, clustersSaslPasswordFiles.toString()));
}
if (hasClusterOauthTrustedCerts) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_OAUTH_TRUSTED_CERTS, "true"));
}
if (clustersOauthClientSecrets.length() > 0) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_OAUTH_CLIENT_SECRETS_CLUSTERS, clustersOauthClientSecrets.toString()));
}
if (clustersOauthAccessTokens.length() > 0) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_OAUTH_ACCESS_TOKENS_CLUSTERS, clustersOauthAccessTokens.toString()));
}
if (clustersOauthRefreshTokens.length() > 0) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_OAUTH_REFRESH_TOKENS_CLUSTERS, clustersOauthRefreshTokens.toString()));
}
if (javaSystemProperties != null) {
varList.add(buildEnvVar(ENV_VAR_STRIMZI_JAVA_SYSTEM_PROPERTIES, ModelUtils.getJavaSystemPropertiesToString(javaSystemProperties)));
}
return varList;
}
use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthenticationPlain in project strimzi-kafka-operator by strimzi.
the class AuthenticationUtils method getClientAuthenticationProperties.
/**
* Get a map of properties related to authentication in Kafka clients.
*
* @param authentication Authentication object with auth configuration
* @return Map of name/value pairs
*/
public static Map<String, String> getClientAuthenticationProperties(KafkaClientAuthentication authentication) {
Map<String, String> properties = new HashMap<>(3);
if (authentication != null) {
if (authentication instanceof KafkaClientAuthenticationTls) {
KafkaClientAuthenticationTls tlsAuth = (KafkaClientAuthenticationTls) authentication;
properties.put(TLS_AUTH_CERT, String.format("%s/%s", tlsAuth.getCertificateAndKey().getSecretName(), tlsAuth.getCertificateAndKey().getCertificate()));
properties.put(TLS_AUTH_KEY, String.format("%s/%s", tlsAuth.getCertificateAndKey().getSecretName(), tlsAuth.getCertificateAndKey().getKey()));
} else if (authentication instanceof KafkaClientAuthenticationPlain) {
KafkaClientAuthenticationPlain passwordAuth = (KafkaClientAuthenticationPlain) authentication;
properties.put(SASL_USERNAME, passwordAuth.getUsername());
properties.put(SASL_PASSWORD_FILE, String.format("%s/%s", passwordAuth.getPasswordSecret().getSecretName(), passwordAuth.getPasswordSecret().getPassword()));
properties.put(SASL_MECHANISM, KafkaClientAuthenticationPlain.TYPE_PLAIN);
} else if (authentication instanceof KafkaClientAuthenticationScram) {
KafkaClientAuthenticationScram scramAuth = (KafkaClientAuthenticationScram) authentication;
properties.put(SASL_USERNAME, scramAuth.getUsername());
properties.put(SASL_PASSWORD_FILE, String.format("%s/%s", scramAuth.getPasswordSecret().getSecretName(), scramAuth.getPasswordSecret().getPassword()));
properties.put(SASL_MECHANISM, scramAuth.getType());
} else if (authentication instanceof KafkaClientAuthenticationOAuth) {
KafkaClientAuthenticationOAuth oauth = (KafkaClientAuthenticationOAuth) authentication;
properties.put(SASL_MECHANISM, KafkaClientAuthenticationOAuth.TYPE_OAUTH);
List<String> options = new ArrayList<>(2);
if (oauth.getClientId() != null)
options.add(String.format("%s=\"%s\"", ClientConfig.OAUTH_CLIENT_ID, oauth.getClientId()));
if (oauth.getTokenEndpointUri() != null)
options.add(String.format("%s=\"%s\"", ClientConfig.OAUTH_TOKEN_ENDPOINT_URI, oauth.getTokenEndpointUri()));
if (oauth.getScope() != null)
options.add(String.format("%s=\"%s\"", ClientConfig.OAUTH_SCOPE, oauth.getScope()));
if (oauth.getAudience() != null)
options.add(String.format("%s=\"%s\"", ClientConfig.OAUTH_AUDIENCE, oauth.getAudience()));
if (oauth.isDisableTlsHostnameVerification())
options.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM, ""));
if (!oauth.isAccessTokenIsJwt())
options.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_ACCESS_TOKEN_IS_JWT, false));
if (oauth.getMaxTokenExpirySeconds() > 0)
options.add(String.format("%s=\"%s\"", ClientConfig.OAUTH_MAX_TOKEN_EXPIRY_SECONDS, oauth.getMaxTokenExpirySeconds()));
if (oauth.getConnectTimeoutSeconds() != null && oauth.getConnectTimeoutSeconds() > 0)
options.add(String.format("%s=\"%s\"", ClientConfig.OAUTH_CONNECT_TIMEOUT_SECONDS, oauth.getConnectTimeoutSeconds()));
if (oauth.getReadTimeoutSeconds() != null && oauth.getReadTimeoutSeconds() > 0)
options.add(String.format("%s=\"%s\"", ClientConfig.OAUTH_READ_TIMEOUT_SECONDS, oauth.getReadTimeoutSeconds()));
properties.put(OAUTH_CONFIG, String.join(" ", options));
}
}
return properties;
}
use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthenticationPlain in project strimzi-kafka-operator by strimzi.
the class KafkaMirrorMaker2Cluster method getEnvVars.
@SuppressWarnings({ "checkstyle:CyclomaticComplexity", "checkstyle:NPathComplexity" })
@Override
protected List<EnvVar> getEnvVars() {
List<EnvVar> varList = super.getEnvVars();
final StringBuilder clusterAliases = new StringBuilder();
final StringBuilder clustersTrustedCerts = new StringBuilder();
boolean hasClusterWithTls = false;
final StringBuilder clustersTlsAuthCerts = new StringBuilder();
final StringBuilder clustersTlsAuthKeys = new StringBuilder();
final StringBuilder clustersSaslPasswordFiles = new StringBuilder();
boolean hasClusterOauthTrustedCerts = false;
final StringBuilder clustersOauthClientSecrets = new StringBuilder();
final StringBuilder clustersOauthAccessTokens = new StringBuilder();
final StringBuilder clustersOauthRefreshTokens = new StringBuilder();
for (KafkaMirrorMaker2ClusterSpec mirrorMaker2Cluster : clusters) {
String clusterAlias = mirrorMaker2Cluster.getAlias();
if (clusterAliases.length() > 0) {
clusterAliases.append(";");
}
clusterAliases.append(clusterAlias);
if (mirrorMaker2Cluster.getTls() != null) {
hasClusterWithTls = true;
}
getClusterTrustedCerts(clustersTrustedCerts, mirrorMaker2Cluster, clusterAlias);
KafkaClientAuthentication authentication = mirrorMaker2Cluster.getAuthentication();
if (authentication != null) {
if (authentication instanceof KafkaClientAuthenticationTls) {
KafkaClientAuthenticationTls tlsAuth = (KafkaClientAuthenticationTls) authentication;
if (tlsAuth.getCertificateAndKey() != null) {
appendCluster(clustersTlsAuthCerts, clusterAlias, () -> tlsAuth.getCertificateAndKey().getSecretName() + "/" + tlsAuth.getCertificateAndKey().getCertificate());
appendCluster(clustersTlsAuthKeys, clusterAlias, () -> tlsAuth.getCertificateAndKey().getSecretName() + "/" + tlsAuth.getCertificateAndKey().getKey());
}
} else if (authentication instanceof KafkaClientAuthenticationPlain) {
KafkaClientAuthenticationPlain passwordAuth = (KafkaClientAuthenticationPlain) authentication;
appendClusterPasswordSecretSource(clustersSaslPasswordFiles, clusterAlias, passwordAuth.getPasswordSecret());
} else if (authentication instanceof KafkaClientAuthenticationScram) {
KafkaClientAuthenticationScram passwordAuth = (KafkaClientAuthenticationScram) authentication;
appendClusterPasswordSecretSource(clustersSaslPasswordFiles, clusterAlias, passwordAuth.getPasswordSecret());
} else if (authentication instanceof KafkaClientAuthenticationOAuth) {
KafkaClientAuthenticationOAuth oauth = (KafkaClientAuthenticationOAuth) authentication;
if (oauth.getTlsTrustedCertificates() != null && !oauth.getTlsTrustedCertificates().isEmpty()) {
hasClusterOauthTrustedCerts = true;
}
appendClusterOAuthSecretSource(clustersOauthClientSecrets, clusterAlias, oauth.getClientSecret());
appendClusterOAuthSecretSource(clustersOauthAccessTokens, clusterAlias, oauth.getAccessToken());
appendClusterOAuthSecretSource(clustersOauthRefreshTokens, clusterAlias, oauth.getRefreshToken());
}
}
}
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_CLUSTERS, clusterAliases.toString()));
if (hasClusterWithTls) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_TLS_CLUSTERS, "true"));
}
if (clustersTrustedCerts.length() > 0) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_TRUSTED_CERTS_CLUSTERS, clustersTrustedCerts.toString()));
}
if (clustersTlsAuthCerts.length() > 0 || clustersTlsAuthKeys.length() > 0) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_TLS_AUTH_CLUSTERS, "true"));
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_TLS_AUTH_CERTS_CLUSTERS, clustersTlsAuthCerts.toString()));
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_TLS_AUTH_KEYS_CLUSTERS, clustersTlsAuthKeys.toString()));
}
if (clustersSaslPasswordFiles.length() > 0) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_SASL_PASSWORD_FILES_CLUSTERS, clustersSaslPasswordFiles.toString()));
}
if (hasClusterOauthTrustedCerts) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_OAUTH_TRUSTED_CERTS, "true"));
}
if (clustersOauthClientSecrets.length() > 0) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_OAUTH_CLIENT_SECRETS_CLUSTERS, clustersOauthClientSecrets.toString()));
}
if (clustersOauthAccessTokens.length() > 0) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_OAUTH_ACCESS_TOKENS_CLUSTERS, clustersOauthAccessTokens.toString()));
}
if (clustersOauthRefreshTokens.length() > 0) {
varList.add(buildEnvVar(ENV_VAR_KAFKA_MIRRORMAKER_2_OAUTH_REFRESH_TOKENS_CLUSTERS, clustersOauthRefreshTokens.toString()));
}
if (javaSystemProperties != null) {
varList.add(buildEnvVar(ENV_VAR_STRIMZI_JAVA_SYSTEM_PROPERTIES, ModelUtils.getJavaSystemPropertiesToString(javaSystemProperties)));
}
return varList;
}
use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthenticationPlain in project strimzi by strimzi.
the class UtilTest method testAuthTlsPlainSecretFoundAndPasswordNotFound.
@Test
public void testAuthTlsPlainSecretFoundAndPasswordNotFound() {
SecretOperator secretOpertator = mock(SecretOperator.class);
Map<String, String> data = new HashMap<>();
data.put("passwordKey", "my-password");
Secret secret = new Secret();
secret.setData(data);
CompletionStage<Secret> cf = CompletableFuture.supplyAsync(() -> secret);
when(secretOpertator.getAsync(anyString(), anyString())).thenReturn(Future.fromCompletionStage(cf));
KafkaClientAuthenticationPlain auth = new KafkaClientAuthenticationPlain();
PasswordSecretSource passwordSecretSource = new PasswordSecretSource();
passwordSecretSource.setSecretName("my-secret");
passwordSecretSource.setPassword("password1");
auth.setPasswordSecret(passwordSecretSource);
Future<Integer> result = Util.authTlsHash(secretOpertator, "anyNamespace", auth, List.of());
result.onComplete(handler -> {
assertTrue(handler.failed());
assertEquals("Secret my-secret does not contain key password1", handler.cause().getMessage());
});
}
Aggregations