crabka_security/lib.rs
//! Security primitives used by Crabka brokers, clients, and tooling.
//!
//! The crate owns the protocol-independent pieces of TLS, SASL, SCRAM,
//! OAuth/OIDC, mTLS principal extraction, delegation-token HMACs, Kerberos
//! exchange state, and principal modelling. Network I/O remains in the caller:
//! OAuth introspection is represented by the async [`IntrospectionClient`] trait,
//! and the broker/client crates provide concrete transports and wire the
//! resulting validators into listener or connection handshakes.
//!
//! ## SASL/PLAIN verification
//!
//! ```rust
//! use crabka_security::{AuthMethod, verify_plain};
//! use std::collections::HashMap;
//!
//! let mut users = HashMap::new();
//! users.insert("alice".to_string(), "wonderland".to_string());
//!
//! let principal = verify_plain(&users, "alice", b"wonderland").unwrap();
//! assert_eq!(principal.name, "alice");
//! assert_eq!(principal.auth_method, AuthMethod::SaslPlain);
//! ```
//!
//! ## Storing SCRAM credentials
//!
//! ```rust
//! use crabka_security::{SaslMechanism, hash_scram_password};
//!
//! let credential = hash_scram_password(
//!     b"correct horse battery staple",
//!     SaslMechanism::ScramSha512,
//!     4096,
//! );
//! assert_eq!(credential.iterations, 4096);
//! ```
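/// Public module with no items re-exported at the crate root; callers reach it
/// as `crabka_security::ca`. Presumably certificate-authority helpers — confirm
/// against the module itself.
pub mod ca;
/// Delegation-token HMAC support; `SecretBytes` and `compute_token_hmac` are
/// also re-exported at the crate root.
pub mod delegation_token;
/// GSSAPI exchange state. The crate docs mention Kerberos exchange state;
/// presumably it lives here, nothing from it is re-exported at the crate root.
pub mod gssapi;
// Private modules: their only public surface is the `pub use` list below.
mod jwks;
mod jwks_trust;
mod listener;
mod mechanism;
mod mtls;
mod oauthbearer;
mod plain;
mod principal;
mod reload;
/// SCRAM client/server exchanges and credential hashing; the commonly used
/// items are also re-exported at the crate root.
pub mod scram;
mod tls;

// Crate-root re-exports. These are the crate's public API surface; renaming or
// dropping an entry here breaks the broker/client crates that depend on it.
pub use delegation_token::{SecretBytes, compute_token_hmac};
pub use jwks::{Jwks, JwksHandle};
pub use jwks_trust::{JwksTrustError, build_client_config_from_pem};
pub use listener::ListenerProtocol;
pub use mechanism::SaslMechanism;
pub use mtls::extract_principal_from_cert;
// NOTE(review): `UnsecuredJwsValidator` is exported alongside the signed and
// introspection validators; its name suggests it accepts JWS without a
// signature check, so confirm it is only wired into non-production listeners.
pub use oauthbearer::{
    AuthOutcome, ClientInitialResponse, IntrospectionClient, IntrospectionError,
    IntrospectionValidator, OAuthBearerValidator, SignedJwsValidator, UnsecuredJwsValidator,
    invalid_token_json, parse_client_initial_response,
};
pub use plain::verify_plain;
pub use principal::{AuthError, AuthMethod, KafkaPrincipal, Principal};
pub use reload::DynamicServerConfig;
pub use scram::{
    ScramClientExchange, ScramCredential, ScramServerExchange, StepResult, derive_keys_from_salted,
    hash_scram_password, pbkdf2_salted, scram_hash_len,
};
pub use tls::{ClientAuthMode, TlsConfig, TlsError};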