schema-registry-client 0.4.2

Serialize/deserialize data to/from Kafka using the Confluent Schema Registry
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

use crate::rules::encryption::awskms::aws_client::AwsClient;
use crate::rules::encryption::kms_driver::KmsDriver;
use crate::serdes::serde::SerdeError;
use aws_config::default_provider::credentials::DefaultCredentialsChain;
use aws_config::profile::ProfileFileCredentialsProvider;
use aws_config::sts::AssumeRoleProvider;
use aws_credential_types::Credentials;
use aws_credential_types::provider::ProvideCredentials;
use aws_sdk_kms::config::Region;
use log::error;
use std::collections::HashMap;
use std::env;
use std::sync::mpsc::{Sender, SyncSender};
use std::sync::{Arc, mpsc};
use tink_core::TinkError;
use tink_core::registry::KmsClient;

const PREFIX: &str = "aws-kms://";
const ACCESS_KEY_ID: &str = "access.key.id";
const SECRET_ACCESS_KEY: &str = "secret.access.key";
const PROFILE: &str = "profile";
const ROLE_ARN: &str = "role.arn";
const ROLE_SESSION_NAME: &str = "role.session.name";
const ROLE_EXTERNAL_ID: &str = "role.external.id";

pub struct AwsKmsDriver {}

impl Default for AwsKmsDriver {
    fn default() -> Self {
        Self::new()
    }
}

impl AwsKmsDriver {
    pub fn new() -> AwsKmsDriver {
        AwsKmsDriver {}
    }

    pub fn register() {
        crate::rules::encryption::register_kms_driver(AwsKmsDriver::new());
    }
}

impl KmsDriver for AwsKmsDriver {
    fn get_key_url_prefix(&self) -> &'static str {
        PREFIX
    }

    fn new_kms_client(
        &self,
        conf: &HashMap<String, String>,
        key_url: &str,
    ) -> Result<Arc<dyn KmsClient>, SerdeError> {
        let creds = get_creds(conf, key_url)?;
        Ok(Arc::new(AwsClient::new(key_url, creds)?))
    }
}

fn get_creds(
    conf: &HashMap<String, String>,
    key_url: &str,
) -> Result<Arc<dyn ProvideCredentials>, TinkError> {
    let (sender, receiver) = mpsc::sync_channel(1);
    tokio::spawn(get_creds_async(conf.clone(), key_url.to_string(), sender));
    receiver
        .recv()
        .map_err(|e| TinkError::new("failed to receive"))?
}

async fn get_creds_async(
    conf: HashMap<String, String>,
    key_url: String,
    sender: SyncSender<Result<Arc<dyn ProvideCredentials>, TinkError>>,
) {
    let creds = build_creds(conf, key_url).await;
    if creds.is_err() {
        error!("failed to get creds: {creds:?}");
    }
    if sender.send(creds).is_err() {
        error!("failed to send result");
    }
}

async fn build_creds(
    conf: HashMap<String, String>,
    key_url: String,
) -> Result<Arc<dyn ProvideCredentials>, TinkError> {
    let mut role_arn = conf.get(ROLE_ARN).cloned();
    if role_arn.is_none() {
        role_arn = env::var("AWS_ROLE_ARN").ok();
    }
    let mut role_session_name = conf.get(ROLE_SESSION_NAME).cloned();
    if role_session_name.is_none() {
        role_session_name = env::var("AWS_ROLE_SESSION_NAME").ok();
    }
    let mut role_external_id = conf.get(ROLE_EXTERNAL_ID).cloned();
    if role_external_id.is_none() {
        role_external_id = env::var("AWS_ROLE_EXTERNAL_ID").ok();
    }
    let role_web_identity_token_file = env::var("AWS_WEB_IDENTITY_TOKEN_FILE").ok();
    let key = conf.get(ACCESS_KEY_ID).cloned();
    let secret = conf.get(SECRET_ACCESS_KEY).cloned();
    let profile = conf.get(PROFILE).cloned();

    let key_arn = key_uri_to_key_arn(key_url.as_str())?;
    let region = Region::new(get_region_from_key_arn(&key_arn)?);
    let mut creds: Arc<dyn ProvideCredentials>;
    if let Some(key) = key
        && let Some(secret) = secret
    {
        creds = Arc::new(Credentials::from_keys(key, secret, None));
    } else if let Some(profile) = profile {
        creds = Arc::new(
            ProfileFileCredentialsProvider::builder()
                .profile_name(profile)
                .build(),
        );
    } else {
        let builder = DefaultCredentialsChain::builder();
        let c = builder.build().await;
        creds = Arc::new(c);
    }
    // If roleWebIdentityTokenFile is set, use the DefaultCredentialsProvider
    if let Some(role_arn) = role_arn
        && role_web_identity_token_file.is_none()
    {
        let mut builder = AssumeRoleProvider::builder(role_arn).region(region.clone());
        if let Some(role_session_name) = role_session_name {
            builder = builder.session_name(role_session_name);
        }
        if let Some(role_external_id) = role_external_id {
            builder = builder.external_id(role_external_id);
        }
        let c = builder.build_from_provider(creds).await;
        creds = Arc::new(c);
    }
    Ok(creds)
}

fn key_uri_to_key_arn(key_uri: &str) -> Result<String, TinkError> {
    if !key_uri.starts_with(PREFIX) {
        return Err(TinkError::new("invalid key uri"));
    }
    Ok(key_uri.replace(PREFIX, ""))
}

fn get_region_from_key_arn(key_arn: &str) -> Result<String, TinkError> {
    // An AWS key ARN is of the form
    // arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.
    let parts: Vec<&str> = key_arn.split(':').collect();
    if parts.len() < 6 {
        return Err(TinkError::new("invalid key arn"));
    }
    Ok(parts[3].to_string())
}