impr(BB-695): Update kafka client config generation to support basic auth

Author: tmacro

extensions/notification/NotificationConfigValidator.js

@@ -1,5 +1,6 @@
 const joi = require('joi');
 const { probeServerJoi } = require('../../lib/config/configItems.joi');
+const { supportedSaslProtocols } = require('./constants');
 
 const sslSchema = joi.object({
     ssl: joi.boolean().default(false),
@@ -10,7 +11,7 @@ const sslSchema = joi.object({
 });
 
 const saslAuthSchema = sslSchema.append({
-    protocol: joi.string().valid('SASL_PLAINTEXT', 'SASL_SSL').required(),
+    protocol: joi.string().valid(...supportedSaslProtocols).required(),
 });
 
 const kerberosAuthSchema = saslAuthSchema.append({

extensions/notification/constants.js

@@ -24,6 +24,7 @@ const constants = {
     eventVersion: '1.0',
     eventSource: 'scality:s3',
     eventS3SchemaVersion: '1.0',
+    supportedSaslProtocols: ['SASL_PLAINTEXT', 'SASL_SSL']
 };
 
 module.exports = constants;

extensions/notification/utils/auth.js

@@ -1,9 +1,10 @@
 const fs = require('fs');
+const joi = require('joi');
 
-const constants = require('../constants');
+const { authFilesFolder, supportedSaslProtocols } = require('../constants');
+const { credentialsFileSchema } = require('../NotificationConfigValidator');
 
 function getAuthFilePath(fileName) {
-    const { authFilesFolder } = constants;
     if (process.env.CONF_DIR !== undefined) {
         const path = `${process.env.CONF_DIR}/${authFilesFolder}/${fileName}`;
         try {
@@ -13,7 +14,13 @@ function getAuthFilePath(fileName) {
             return null;
         }
     }
-    return '';
+    return null;
+}
+
+function readCredentialsFile(filePath) {
+    const raw = fs.readFileSync(filePath, 'utf8');
+    const data = JSON.parse(raw);
+    return joi.attempt(data, credentialsFileSchema);
 }
 
 /**
@@ -23,51 +30,81 @@ function getAuthFilePath(fileName) {
  */
 function generateKafkaAuthObject(auth) {
     const authObject = {};
-    const { supportedAuthTypes } = constants;
-    // TODO: S3C-3985 auth object should be validated/checked
-    const {
-        type,
-        ssl,
-        protocol,
-        ca,
-        client,
-        key,
-        keyPassword,
-        keytab,
-        principal,
-        serviceName,
-    } = auth;
+
+    const { type, ssl, ca, client, key } = auth;
+
     if (ssl) {
         authObject['security.protocol'] = 'ssl';
-        const caPath = getAuthFilePath(ca);
-        if (caPath) {
+        if (ca) {
+            const caPath = getAuthFilePath(ca);
+            if (caPath === null) {
+                throw new Error(`CA file ${ca} not found in ${authFilesFolder}`);
+            }
             authObject['ssl.ca.location'] = caPath;
         }
-        const keyPath = getAuthFilePath(key);
-        if (keyPath) {
+
+        if (key) {
+            authObject['ssl.key.password'] = auth.keyPassword;
+            const keyPath = getAuthFilePath(key);
+            if (keyPath === null) {
+                throw new Error(`Key file ${key} not found in ${authFilesFolder}`);
+            }
             authObject['ssl.key.location'] = keyPath;
         }
-        const clientPath = getAuthFilePath(client);
-        if (clientPath) {
+
+        if (client) {
+            const clientPath = getAuthFilePath(client);
+            if (clientPath === null) {
+                throw new Error(`Client certificate file ${client} not found in ${authFilesFolder}`);
+            }
             authObject['ssl.certificate.location'] = clientPath;
         }
-        authObject['ssl.key.password'] = keyPassword;
     }
-    // only kereberos is supported now
-    if (type && supportedAuthTypes.includes(type)) {
-        authObject['security.protocol'] = protocol;
-        authObject['sasl.kerberos.service.name'] = serviceName;
-        authObject['sasl.kerberos.principal'] = principal;
-        // optional, sasl protocols will have GSSAPI as their default mechanism
-        authObject['sasl.mechanisms'] = 'GSSAPI';
-        const keytabPath = getAuthFilePath(keytab);
-        if (keytabPath) {
-            authObject['sasl.kerberos.keytab'] = keytabPath;
-            // default kinit command
-            const kinitCommand = `kinit -k ${principal} -t ${keytabPath}`;
-            authObject['sasl.kerberos.kinit.cmd'] = kinitCommand;
+
+    switch (type) {
+        case undefined:
+            break;
+        case 'kerberos': {
+            const { protocol, serviceName, principal, keytab } = auth;
+            if (!supportedSaslProtocols.includes(protocol)) {
+                throw new Error(`Unsupported security.protocol: ${protocol}`);
+            }
+            // optional, sasl protocols will have GSSAPI as their default mechanism
+            authObject['sasl.mechanisms'] = 'GSSAPI';
+            authObject['security.protocol'] = protocol;
+            authObject['sasl.kerberos.service.name'] = serviceName;
+            authObject['sasl.kerberos.principal'] = principal;
+            if (keytab) {
+                const keytabPath = getAuthFilePath(keytab);
+                if (keytabPath === null) {
+                    throw new Error(`Keytab file ${keytab} not found in ${authFilesFolder}`);
+                }
+                authObject['sasl.kerberos.keytab'] = keytabPath;
+                authObject['sasl.kerberos.kinit.cmd'] = `kinit -k ${principal} -t ${keytabPath}`;
+            }
+            break;
+        }
+        case 'basic': {
+            const { protocol, credentialsFile } = auth;
+            if (!supportedSaslProtocols.includes(protocol)) {
+                throw new Error(`Unsupported security.protocol: ${protocol}`);
+            }
+            const credsFilePath = getAuthFilePath(credentialsFile);
+            if (credsFilePath === null) {
+                throw new Error(`Credentials file ${credentialsFile} not found in ${authFilesFolder}`);
+            }
+            const credentials = readCredentialsFile(credsFilePath);
+            authObject['sasl.mechanisms'] = 'PLAIN';
+            authObject['security.protocol'] = protocol;
+            authObject['sasl.username'] = credentials.username;
+            authObject['sasl.password'] = credentials.password;
+            break;
+        }
+        default: {
+            throw new Error(`Unsupported auth type: ${type}`);
         }
     }
+
     return authObject;
 }
 

tests/unit/notification/utils/auth.js

@@ -0,0 +1,169 @@
+const assert = require('assert');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const { generateKafkaAuthObject } = require('../../../../extensions/notification/utils/auth');
+
+
+describe('generateKafkaAuthObject', () => {
+    const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'backbeat-test-'));
+    const currentConfDir = process.env.CONF_DIR;
+
+    before(() => {
+        fs.mkdirSync(path.join(tempDir, 'ssl'), { recursive: true });
+        [
+            'keytab.keytab',
+            'ca-cert.pem',
+            'client-cert.pem',
+            'client-key.pem'
+        ].forEach(file => fs.writeFileSync(path.join(tempDir, 'ssl', file), `fake-${file}`));
+        fs.writeFileSync(
+            path.join(tempDir, 'ssl', 'credentials.json'),
+            JSON.stringify({
+                username: 'testuser',
+                password: 'testpassword'
+            }
+        ));
+        process.env.CONF_DIR = tempDir;
+    });
+
+    after(() => {
+        fs.rmSync(tempDir, { recursive: true, force: true });
+        process.env.CONF_DIR = currentConfDir;
+    });
+
+    const testCases = [
+        {
+            description: 'empty auth object',
+            valid: true,
+            input: {},
+            expected: {},
+        },
+        // SSL configurations
+        {
+            description: 'SSL-only with ssl flag enabled',
+            valid: true,
+            input: {
+                ssl: true
+            },
+            expected: {
+                'security.protocol': 'ssl',
+            },
+        },
+        {
+            description: 'SSL-only with ssl flag disabled',
+            valid: true,
+            input: {
+                ssl: false
+            },
+            expected: {},
+        },
+        {
+            description: 'SSL with custom certificates',
+            valid: true,
+            input: {
+                ssl: true,
+                ca: 'ca-cert.pem',
+                client: 'client-cert.pem',
+                key: 'client-key.pem',
+                keyPassword: 'test-password',
+            },
+            expected: {
+                'security.protocol': 'ssl',
+                'ssl.ca.location': path.join(tempDir, 'ssl', 'ca-cert.pem'),
+                'ssl.certificate.location': path.join(tempDir, 'ssl', 'client-cert.pem'),
+                'ssl.key.location': path.join(tempDir, 'ssl', 'client-key.pem'),
+                'ssl.key.password': 'test-password',
+            },
+        },
+        // Kerberos authentication
+        {
+            description: 'Kerberos authentication with valid parameters',
+            valid: true,
+            input: {
+                type: 'kerberos',
+                protocol: 'SASL_PLAINTEXT',
+                keytab: 'keytab.keytab',
+                principal: 'test-principal',
+                serviceName: 'test-service',
+            },
+            expected: {
+                'sasl.mechanisms': 'GSSAPI',
+                'security.protocol': 'SASL_PLAINTEXT',
+                'sasl.kerberos.service.name': 'test-service',
+                'sasl.kerberos.principal': 'test-principal',
+                'sasl.kerberos.keytab': path.join(tempDir, 'ssl', 'keytab.keytab'),
+                'sasl.kerberos.kinit.cmd': `kinit -k test-principal -t ${path.join(tempDir, 'ssl', 'keytab.keytab')}`,
+            },
+        },
+        {
+            description: 'Kerberos authentication with missing keytab file',
+            valid: false,
+            input: {
+                type: 'kerberos',
+                protocol: 'SASL_PLAINTEXT',
+                keytab: 'nonexistent.keytab',
+                principal: 'test-principal',
+                serviceName: 'test-service',
+            },
+        },
+        {
+            description: 'Kerberos authentication with unsupported protocol',
+            valid: false,
+            input: {
+                type: 'kerberos',
+                protocol: 'UNSUPPORTED_PROTOCOL',
+                keytab: 'keytab.keytab',
+                principal: 'test-principal',
+                serviceName: 'test-service',
+            },
+        },
+        // Basic authentication
+        {
+            description: 'Basic authentication with valid parameters',
+            valid: true,
+            input: {
+                type: 'basic',
+                protocol: 'SASL_PLAINTEXT',
+                credentialsFile: 'credentials.json',
+            },
+            expected: {
+                'security.protocol': 'SASL_PLAINTEXT',
+                'sasl.mechanisms': 'PLAIN',
+                'sasl.username': 'testuser',
+                'sasl.password': 'testpassword',
+            },
+        },
+        {
+            description: 'Basic authentication with missing credentials file',
+            valid: false,
+            input: {
+                type: 'basic',
+                protocol: 'SASL_PLAINTEXT',
+                credentialsFile: 'nonexistent.json',
+            },
+        },
+        {
+            description: 'Basic authentication with unsupported protocol',
+            valid: false,
+            input: {
+                type: 'basic',
+                protocol: 'UNSUPPORTED_PROTOCOL',
+                credentialsFile: 'credentials.json',
+            },
+        }
+    ];
+
+    testCases.forEach(({ description, input, expected, valid }) => {
+        it(description, () => {
+            const tester = valid ? assert.doesNotThrow : assert.throws;
+            tester(() => {
+                const result = generateKafkaAuthObject(input);
+                if (valid) {
+                    assert.deepStrictEqual(result, expected);
+                }
+            });
+        });
+    });
+});