rskafka 0.6.0

A minimal Rust client for Apache Kafka
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

use std::{fmt::Debug, sync::Arc};

use futures::future::BoxFuture;
use rsasl::{
    callback::SessionCallback,
    config::SASLConfig,
    property::{AuthzId, OAuthBearerKV, OAuthBearerToken},
};

use crate::messenger::SaslError;

#[derive(Debug, Clone)]
pub enum SaslConfig {
    /// SASL - PLAIN
    ///
    /// # References
    /// - <https://datatracker.ietf.org/doc/html/rfc4616>
    Plain(Credentials),
    /// SASL - SCRAM-SHA-256
    ///
    /// # References
    /// - <https://datatracker.ietf.org/doc/html/rfc7677>
    ScramSha256(Credentials),
    /// SASL - SCRAM-SHA-512
    ///
    /// # References
    /// - <https://datatracker.ietf.org/doc/html/draft-melnikov-scram-sha-512-04>
    ScramSha512(Credentials),
    /// SASL - OAUTHBEARER
    ///
    /// # References
    /// - <https://datatracker.ietf.org/doc/html/rfc7628>
    Oauthbearer(OauthBearerCredentials),
}

#[derive(Debug, Clone)]
pub struct Credentials {
    pub username: String,
    pub password: String,
}

impl Credentials {
    pub fn new(username: String, password: String) -> Self {
        Self { username, password }
    }
}

impl SaslConfig {
    pub(crate) async fn get_sasl_config(&self) -> Result<Arc<SASLConfig>, SaslError> {
        match self {
            Self::Plain(credentials)
            | Self::ScramSha256(credentials)
            | Self::ScramSha512(credentials) => Ok(SASLConfig::with_credentials(
                None,
                credentials.username.clone(),
                credentials.password.clone(),
            )?),
            Self::Oauthbearer(credentials) => {
                // Fetch the token first, since that's an async call.
                let token = (*credentials.callback)()
                    .await
                    .map_err(SaslError::Callback)?;

                struct OauthProvider {
                    authz_id: Option<String>,
                    bearer_kvs: Vec<(String, String)>,
                    token: String,
                }

                // Define a callback that is called while stepping through the SASL client
                // to provide necessary data for oauth.
                // Since this callback is synchronous, we fetch the token first. Generally
                // speaking the SASL process should not take long enough for the token to
                // expire, but we do need to check for token expiry each time we authenticate.
                impl SessionCallback for OauthProvider {
                    fn callback(
                        &self,
                        _session_data: &rsasl::callback::SessionData,
                        _context: &rsasl::callback::Context<'_>,
                        request: &mut rsasl::callback::Request<'_>,
                    ) -> Result<(), rsasl::prelude::SessionError> {
                        request
                            .satisfy::<OAuthBearerKV>(
                                &self
                                    .bearer_kvs
                                    .iter()
                                    .map(|(k, v)| (k.as_str(), v.as_str()))
                                    .collect::<Vec<_>>(),
                            )?
                            .satisfy::<OAuthBearerToken>(&self.token)?;
                        if let Some(authz_id) = &self.authz_id {
                            request.satisfy::<AuthzId>(authz_id)?;
                        }
                        Ok(())
                    }
                }

                Ok(SASLConfig::builder()
                    .with_default_mechanisms()
                    .with_callback(OauthProvider {
                        authz_id: credentials.authz_id.clone(),
                        bearer_kvs: credentials.bearer_kvs.clone(),
                        token,
                    })?)
            }
        }
    }

    pub(crate) fn mechanism(&self) -> &str {
        use rsasl::mechanisms::*;
        match self {
            Self::Plain { .. } => plain::PLAIN.mechanism.as_str(),
            Self::ScramSha256 { .. } => scram::SCRAM_SHA256.mechanism.as_str(),
            Self::ScramSha512 { .. } => scram::SCRAM_SHA512.mechanism.as_str(),
            Self::Oauthbearer { .. } => oauthbearer::OAUTHBEARER.mechanism.as_str(),
        }
    }
}

type DynError = Box<dyn std::error::Error + Send + Sync>;

/// Callback for fetching an OAUTH token. This should cache tokens and only request a new token
/// when the old is close to expiring.
pub type OauthCallback =
    Arc<dyn Fn() -> BoxFuture<'static, Result<String, DynError>> + Send + Sync>;

#[derive(Clone)]
pub struct OauthBearerCredentials {
    /// Callback that should return a token that is valid and will remain valid for
    /// long enough to complete authentication. This should cache the token and only request
    /// a new one when the old is close to expiring.
    /// The token must be on [RFC 6750](https://www.rfc-editor.org/rfc/rfc6750) format.
    pub callback: OauthCallback,
    /// ID of a user to impersonate. Can be left as `None` to authenticate using
    /// the user for the token returned by `callback`.
    pub authz_id: Option<String>,
    /// Custom key-value pairs sent as part of the SASL request. Most normal usage
    /// can let this be an empty list.
    pub bearer_kvs: Vec<(String, String)>,
}

impl Debug for OauthBearerCredentials {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("OauthBearerCredentials")
            .field("authz_id", &self.authz_id)
            .field("bearer_kvs", &self.bearer_kvs)
            .finish_non_exhaustive()
    }
}