Ft/sasl scram sha 256 512 (dapr#1856)

* working with hardcoded SHA-512 Signed-off-by: Andrew Duss <[email protected]> * cleanup code Signed-off-by: Andrew Duss <[email protected]> * Do not hardcode specific testTopicName Signed-off-by: ItalyPaleAle <[email protected]> Signed-off-by: Andrew Duss <[email protected]> * Ensure context propagation in MySQL binding (dapr#1829) Spin-off from PR adding contexts to input bindings Signed-off-by: ItalyPaleAle <[email protected]> Co-authored-by: Dapr Bot <[email protected]> Signed-off-by: Andrew Duss <[email protected]> * Add support for AAD auth in Azure Storage Queues binding (dapr#1842) * Add support for AAD auth in Azure Storage Queues binding Signed-off-by: ItalyPaleAle <[email protected]> * 🧹 Signed-off-by: ItalyPaleAle <[email protected]> Co-authored-by: Bernd Verst <[email protected]> Signed-off-by: Andrew Duss <[email protected]> * Moved authentication to be an internal pkg (dapr#1855) Signed-off-by: ItalyPaleAle <[email protected]> Signed-off-by: Andrew Duss <[email protected]> * Azure AD support in SignalR (dapr#1852) * WIP: Azure AD support in SignalR Signed-off-by: ItalyPaleAle <[email protected]> * Correct SignalR AAD details Signed-off-by: ItalyPaleAle <[email protected]> * Misc fixes Signed-off-by: ItalyPaleAle <[email protected]> * azauth package name Signed-off-by: ItalyPaleAle <[email protected]> Signed-off-by: Andrew Duss <[email protected]> * rename SCRAM properly as SASL Signed-off-by: Andrew Duss <[email protected]> * update gomod/sum Signed-off-by: Andrew Duss <[email protected]> * gofmt Signed-off-by: Andrew Duss <[email protected]> * mod tidy Signed-off-by: Andrew Duss <[email protected]> * goval Signed-off-by: Andrew Duss <[email protected]> * use xdg-go instead of depreicated xdg library Signed-off-by: Andrew Duss <[email protected]> Co-authored-by: ItalyPaleAle <[email protected]> Co-authored-by: Dapr Bot <[email protected]> Co-authored-by: Bernd Verst <[email protected]> Co-authored-by: Yaron Schneider <[email protected]> Signed-off-by: Andrew Duss <[email protected]>
mindovermiles262 · Aug 18, 2022 · 46f0113 · 46f0113
1 parent cfb6511
commit 46f0113
Show file tree

Hide file tree

Showing 9 changed files with 88 additions and 6 deletions.
diff --git a/go.mod b/go.mod
@@ -332,7 +332,7 @@ require (
 	github.com/tklauser/numcpus v0.2.2 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
-	github.com/xdg-go/scram v1.0.2 // indirect
+	github.com/xdg-go/scram v1.0.2
 	github.com/xdg-go/stringprep v1.0.2 // indirect
 	github.com/yashtewari/glob-intersection v0.1.0 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect

diff --git a/internal/component/kafka/auth.go b/internal/component/kafka/auth.go
@@ -22,11 +22,19 @@ import (
 	"github.com/Shopify/sarama"
 )
 
-func updatePasswordAuthInfo(config *sarama.Config, saslUsername, saslPassword string) {
+func updatePasswordAuthInfo(config *sarama.Config, metadata *kafkaMetadata, saslUsername, saslPassword string) {
 	config.Net.SASL.Enable = true
 	config.Net.SASL.User = saslUsername
 	config.Net.SASL.Password = saslPassword
-	config.Net.SASL.Mechanism = sarama.SASLTypePlaintext
+	if metadata.SaslMechanism == "SHA-256" {
+		config.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient { return &XDGSCRAMClient{HashGeneratorFcn: SHA256} }
+		config.Net.SASL.Mechanism = sarama.SASLTypeSCRAMSHA256
+	} else if metadata.SaslMechanism == "SHA-512" {
+		config.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient { return &XDGSCRAMClient{HashGeneratorFcn: SHA512} }
+		config.Net.SASL.Mechanism = sarama.SASLTypeSCRAMSHA512
+	} else {
+		config.Net.SASL.Mechanism = sarama.SASLTypePlaintext
+	}
 }
 
 func updateMTLSAuthInfo(config *sarama.Config, metadata *kafkaMetadata) error {
@@ -53,13 +61,14 @@ func updateTLSConfig(config *sarama.Config, metadata *kafkaMetadata) error {
 
 	// nolint: gosec
 	config.Net.TLS.Config = &tls.Config{InsecureSkipVerify: metadata.TLSSkipVerify, MinVersion: tls.VersionTLS12}
+	config.Net.TLS.Enable = true
+
 	if metadata.TLSCaCert != "" {
 		caCertPool := x509.NewCertPool()
 		if ok := caCertPool.AppendCertsFromPEM([]byte(metadata.TLSCaCert)); !ok {
 			return errors.New("kafka error: unable to load ca certificate")
 		}
 		config.Net.TLS.Config.RootCAs = caCertPool
-		config.Net.TLS.Enable = true
 	}
 
 	return nil

diff --git a/internal/component/kafka/kafka.go b/internal/component/kafka/kafka.go
@@ -99,7 +99,7 @@ func (k *Kafka) Init(metadata map[string]string) error {
 		k.logger.Info("Configuring SASL Password authentication")
 		k.saslUsername = meta.SaslUsername
 		k.saslPassword = meta.SaslPassword
-		updatePasswordAuthInfo(config, k.saslUsername, k.saslPassword)
+		updatePasswordAuthInfo(config, meta, k.saslUsername, k.saslPassword)
 	case mtlsAuthType:
 		k.logger.Info("Configuring mTLS authentcation")
 		err = updateMTLSAuthInfo(config, meta)

diff --git a/internal/component/kafka/metadata.go b/internal/component/kafka/metadata.go
@@ -45,6 +45,7 @@ type kafkaMetadata struct {
 	AuthType             string
 	SaslUsername         string
 	SaslPassword         string
+	SaslMechanism        string
 	InitialOffset        int64
 	MaxMessageBytes      int
 	OidcTokenEndpoint    string
@@ -119,6 +120,11 @@ func (k *Kafka) getKafkaMetadata(metadata map[string]string) (*kafkaMetadata, er
 		k.logger.Debugf("Using %s as ClientID", meta.ClientID)
 	}
 
+	if val, ok := metadata["saslMechanism"]; ok && val != "" {
+		meta.SaslMechanism = val
+		k.logger.Debugf("Using %s as saslMechanism", meta.SaslMechanism)
+	}
+
 	initialOffset, err := parseInitialOffset(metadata["initialOffset"])
 	if err != nil {
 		return nil, err
@@ -155,7 +161,6 @@ func (k *Kafka) getKafkaMetadata(metadata map[string]string) (*kafkaMetadata, er
 		} else {
 			return nil, errors.New("kafka error: missing SASL Password for authType 'password'")
 		}
-
 		k.logger.Debug("Configuring SASL password authentication.")
 	case oidcAuthType:
 		meta.AuthType = val

diff --git a/internal/component/kafka/scram_client.go b/internal/component/kafka/scram_client.go
@@ -0,0 +1,50 @@
+/*
+Copyright 2022 The Dapr Authors
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kafka
+
+import (
+	"crypto/sha256"
+	"crypto/sha512"
+
+	"github.com/xdg-go/scram"
+)
+
+var (
+	SHA256 scram.HashGeneratorFcn = sha256.New
+	SHA512 scram.HashGeneratorFcn = sha512.New
+)
+
+type XDGSCRAMClient struct {
+	*scram.Client
+	*scram.ClientConversation
+	scram.HashGeneratorFcn
+}
+
+func (x *XDGSCRAMClient) Begin(userName, password, authzID string) (err error) {
+	x.Client, err = x.HashGeneratorFcn.NewClient(userName, password, authzID)
+	if err != nil {
+		return err
+	}
+	x.ClientConversation = x.Client.NewConversation()
+	return nil
+}
+
+func (x *XDGSCRAMClient) Step(challenge string) (response string, err error) {
+	response, err = x.ClientConversation.Step(challenge)
+	return
+}
+
+func (x *XDGSCRAMClient) Done() bool {
+	return x.ClientConversation.Done()
+}
diff --git a/tests/certification/bindings/kafka/go.mod b/tests/certification/bindings/kafka/go.mod
@@ -95,6 +95,9 @@ require (
 	github.com/tylertreat/comcast v1.0.1 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasthttp v1.31.1-0.20211216042702-258a4c17b4f4 // indirect
+	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
+	github.com/xdg-go/scram v1.0.2 // indirect
+	github.com/xdg-go/stringprep v1.0.2 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.opentelemetry.io/otel v1.7.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect

diff --git a/tests/certification/bindings/kafka/go.sum b/tests/certification/bindings/kafka/go.sum
@@ -642,6 +642,12 @@ github.com/valyala/fasthttp v1.31.1-0.20211216042702-258a4c17b4f4 h1:UKbv1Y0TRLK
 github.com/valyala/fasthttp v1.31.1-0.20211216042702-258a4c17b4f4/go.mod h1:2rsYD01CKFrjjsvFxx75KlEUNpWNBY9JWD3K/7o2Cus=
 github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio=
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
+github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
+github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
+github.com/xdg-go/scram v1.0.2 h1:akYIkZ28e6A96dkWNJQu3nmCzH3YfwMPQExUYDaRv7w=
+github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs=
+github.com/xdg-go/stringprep v1.0.2 h1:6iq84/ryjjeRmMJwxutI51F2GIPlP5BfTvXHeYjyhBc=
+github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM=
 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
 github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=

diff --git a/tests/certification/pubsub/kafka/go.mod b/tests/certification/pubsub/kafka/go.mod
@@ -95,6 +95,9 @@ require (
 	github.com/tylertreat/comcast v1.0.1 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasthttp v1.31.1-0.20211216042702-258a4c17b4f4 // indirect
+	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
+	github.com/xdg-go/scram v1.0.2 // indirect
+	github.com/xdg-go/stringprep v1.0.2 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.opentelemetry.io/otel v1.7.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect

diff --git a/tests/certification/pubsub/kafka/go.sum b/tests/certification/pubsub/kafka/go.sum
@@ -642,6 +642,12 @@ github.com/valyala/fasthttp v1.31.1-0.20211216042702-258a4c17b4f4 h1:UKbv1Y0TRLK
 github.com/valyala/fasthttp v1.31.1-0.20211216042702-258a4c17b4f4/go.mod h1:2rsYD01CKFrjjsvFxx75KlEUNpWNBY9JWD3K/7o2Cus=
 github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio=
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
+github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
+github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
+github.com/xdg-go/scram v1.0.2 h1:akYIkZ28e6A96dkWNJQu3nmCzH3YfwMPQExUYDaRv7w=
+github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs=
+github.com/xdg-go/stringprep v1.0.2 h1:6iq84/ryjjeRmMJwxutI51F2GIPlP5BfTvXHeYjyhBc=
+github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM=
 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
 github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=