notification.kafka: add SASL authentication and TLS support (#8832)
* notification.kafka: add SASL authentication and TLS support (#8827) Wire sarama SASL (PLAIN, SCRAM-SHA-256, SCRAM-SHA-512) and TLS configuration into the Kafka notification producer and consumer, enabling connections to secured Kafka clusters. * notification.kafka: validate mTLS config * kafka notification: validate partial mTLS config, replace panics with errors - Reject when only one of tls_client_cert/tls_client_key is provided - Replace three panic() calls in KafkaInput.initialize with returned errors * kafka notification: enforce minimum TLS 1.2 for Kafka connections
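--- a/weed/notification/kafka/kafka_sasl_tls_test.go
+++ b/weed/notification/kafka/kafka_sasl_tls_test.go
@@ -0,0 +1,65 @@
+package kafka
+
+import (
+"strings"
+"testing"
+
+"github.com/Shopify/sarama"
+)
+
+func TestConfigureSASLTLSRejectsPartialMTLSConfig(t *testing.T) {
+tests := []struct {
+name string
+cfg SASLTLSConfig
+}{
+{
+name: "missing key",
+cfg: SASLTLSConfig{
+TLSEnabled: true,
+TLSClientCert: "/tmp/client.crt",
+},
+},
+{
+name: "missing cert",
+cfg: SASLTLSConfig{
+TLSEnabled: true,
+TLSClientKey: "/tmp/client.key",
+},
+},
+}
+
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+err := ConfigureSASLTLS(sarama.NewConfig(), tt.cfg)
+if err == nil {
+t.Fatal("expected error")
+}
+if !strings.Contains(err.Error(), "both tls_client_cert and tls_client_key must be provided") {
+t.Fatalf("unexpected error: %v", err)
+}
+})
+}
+}
+
+func TestConfigureSASLTLSConfiguresSCRAMSHA256(t *testing.T) {
+config := sarama.NewConfig()
+err := ConfigureSASLTLS(config, SASLTLSConfig{
+SASLEnabled: true,
+SASLMechanism: "SCRAM-SHA-256",
+SASLUsername: "alice",
+SASLPassword: "secret",
+})
+if err != nil {
+t.Fatalf("ConfigureSASLTLS returned error: %v", err)
+}
+
+if !config.Net.SASL.Enable {
+t.Fatal("expected SASL to be enabled")
+}
+if config.Net.SASL.Mechanism != sarama.SASLTypeSCRAMSHA256 {
+t.Fatalf("unexpected mechanism: %v", config.Net.SASL.Mechanism)
+}
+if config.Net.SASL.SCRAMClientGeneratorFunc == nil {
+t.Fatal("expected SCRAM client generator")
+}
+}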
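Review bot: The commit description says a minimum of TLS 1.2 is enforced for Kafka connections, but neither test in this file asserts it, so a later change that drops or lowers `MinVersion` would pass unnoticed. A test that enables TLS and checks `config.Net.TLS.Enable` and `config.Net.TLS.Config.MinVersion` against `tls.VersionTLS12` would pin that; it needs the `crypto/tls` import, and it assumes `TLSEnabled: true` alone is an accepted config, since ConfigureSASLTLS itself is not shown in this section. In TestConfigureSASLTLSConfiguresSCRAMSHA256 it would also be worth asserting `config.Net.SASL.User` and `config.Net.SASL.Password`, and adding a case that an unsupported `SASLMechanism` value is rejected with an error rather than silently falling back.

```go
func TestConfigureSASLTLSEnforcesMinimumTLS12(t *testing.T) {
	config := sarama.NewConfig()
	if err := ConfigureSASLTLS(config, SASLTLSConfig{TLSEnabled: true}); err != nil {
		t.Fatalf("ConfigureSASLTLS returned error: %v", err)
	}
	if !config.Net.TLS.Enable || config.Net.TLS.Config == nil {
		t.Fatal("expected TLS to be enabled with a tls.Config")
	}
	if config.Net.TLS.Config.MinVersion < tls.VersionTLS12 {
		t.Fatalf("unexpected minimum TLS version: %#x", config.Net.TLS.Config.MinVersion)
	}
}
```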