add support for schema registry

Author: spike83

README.md

@@ -2,9 +2,9 @@
 
 Apache Kafka client library providing additional integrations relating to OAuth/OIDC integrations with Confluent Cloud and Apache Kafka.
 
-## Authenticating to Confluent Cloud via OAuth, using Azure Managed Identites
+## Authenticating to Confluent Cloud via OAuth, using Azure Managed Identities
 
-Example Kafka client config and JAAS config:
+Example Kafka client config and JAAS config for authenticating to Confluent Cloud using Azure Managed Identities / Pod Identity:
 
 ```
 bootstrap.servers=pkc-xxxxx.ap-southeast-2.aws.confluent.cloud:9092
@@ -19,3 +19,38 @@ sasl.jaas.config= \
 		extension_logicalCluster='lkc-xxxxxx' \
 		extension_identityPoolId='pool-xxxx';
 ```
+
+Use Azure K8s Workload Identities:
+
+```
+bootstrap.servers=pkc-xxxxx.ap-southeast-2.aws.confluent.cloud:9092
+security.protocol=SASL_SSL
+sasl.oauthbearer.token.endpoint.url=${AZURE_AUTHORITY_HOST}${AZURE_TENANT_ID}/oauth2/v2.0/token
+sasl.login.callback.handler.class=io.confluent.oauth.azure.managedidentity.OAuthBearerLoginCallbackHandler
+sasl.mechanism=OAUTHBEARER
+sasl.jaas.config= \
+	org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+		clientId='ignored' \
+		clientSecret='ignored' \
+		useWorkloadIdentity='true' \
+		extension_logicalCluster='lkc-xxxxxx' \
+		extension_identityPoolId='pool-xxxx';
+```
+
+
+
+Use with Schema Registry
+
+example:
+```
+echo '{"make": "Ford", "model": "Mustang", "price": 10000}' |kafka-avro-console-producer \
+  --bootstrap-server <bootstrap>.confluent.cloud:9092 \
+  --property schema.registry.url=https://<registry>.confluent.cloud \
+  --property bearer.auth.credentials.source='CUSTOM' \
+  --property bearer.auth.custom.provider.class=io.confluent.oauth.azure.managedidentity.RegistryBearerAuthCredentialProvider \
+  --property bearer.auth.logical.cluster='lsrc-xxxxxx' \
+  --producer.config client.properties \
+  --reader-config client.properties \
+  --topic cars \
+  --property value.schema='{"type": "record", "name": "Car", "namespace": "io.spoud.training", "fields": [{"name": "make", "type": "string"}, {"name": "model", "type": "string"}, {"name": "price", "type": "int", "default":  0}]}'
+```

build.gradle

@@ -7,10 +7,14 @@ version '1.1-SNAPSHOT'
 
 repositories {
     mavenCentral()
+    maven {
+        url = uri("https://packages.confluent.io/maven")
+    }
 }
 
 dependencies {
     implementation group: 'org.apache.kafka', name: 'kafka-clients', version: '3.7.0'
+    implementation group: 'io.confluent', name: 'kafka-schema-registry-client', version: '7.6.0'
     implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.2'
     implementation 'org.bitbucket.b_c:jose4j:0.9.6'
     implementation 'org.slf4j:slf4j-api:1.7.36'

src/main/java/io/confluent/oauth/azure/managedidentity/OAuthBearerLoginCallbackHandler.java

@@ -28,6 +28,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import javax.net.ssl.SSLSocketFactory;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.UnsupportedCallbackException;
@@ -228,7 +229,7 @@ void init(AccessTokenRetriever accessTokenRetriever, AccessTokenValidator access
         isInitialized = true;
     }
 
-    protected AccessTokenRetriever createAccessTokenRetriever(Map<String, ?> configs,
+    public static AccessTokenRetriever createAccessTokenRetriever(Map<String, ?> configs,
         String saslMechanism,
         Map<String, Object> jaasConfig) {
         final ConfigurationUtils cu = new ConfigurationUtils(configs, saslMechanism);
@@ -245,13 +246,18 @@ protected AccessTokenRetriever createAccessTokenRetriever(Map<String, ?> configs
         if (jou.shouldCreateSSLSocketFactory(tokenEndpointUrl))
             sslSocketFactory = jou.createSSLSocketFactory();
 
+        // make sure we have defaults since we don't get the properties for the schema registry case
+        long loginRetryBackoffMs = Optional.ofNullable(cu.validateLong(SASL_LOGIN_RETRY_BACKOFF_MS, false)).orElse(DEFAULT_SASL_LOGIN_RETRY_BACKOFF_MAX_MS);
+        long loginRetryBackoffMaxMs = Optional.ofNullable(cu.validateLong(SASL_LOGIN_RETRY_BACKOFF_MAX_MS, false)).orElse(DEFAULT_SASL_LOGIN_RETRY_BACKOFF_MAX_MS);
+
+
         io.confluent.oauth.HttpAccessTokenRetriever httpAccessTokenRetriever = new io.confluent.oauth.HttpAccessTokenRetriever(clientId,
                 clientSecret,
                 scope,
                 sslSocketFactory,
                 tokenEndpointUrl.toString(),
-                cu.validateLong(SASL_LOGIN_RETRY_BACKOFF_MS),
-                cu.validateLong(SASL_LOGIN_RETRY_BACKOFF_MAX_MS),
+                loginRetryBackoffMs,
+                loginRetryBackoffMaxMs,
                 cu.validateInteger(SASL_LOGIN_CONNECT_TIMEOUT_MS, false),
                 cu.validateInteger(SASL_LOGIN_READ_TIMEOUT_MS, false),
                 "GET",

src/main/java/io/confluent/oauth/azure/managedidentity/RegistryBearerAuthCredentialProvider.java

@@ -0,0 +1,130 @@
+package io.confluent.oauth.azure.managedidentity;
+
+import io.confluent.kafka.schemaregistry.client.SchemaRegistryClientConfig;
+import io.confluent.kafka.schemaregistry.client.security.bearerauth.BearerAuthCredentialProvider;
+import org.apache.kafka.common.KafkaException;
+import org.apache.kafka.common.config.ConfigException;
+import org.apache.kafka.common.config.SaslConfigs;
+import org.apache.kafka.common.config.types.Password;
+import org.apache.kafka.common.security.JaasContext;
+import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
+import org.apache.kafka.common.security.oauthbearer.internals.secured.*;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.security.auth.login.AppConfigurationEntry;
+import java.io.IOException;
+import java.net.URL;
+import java.util.*;
+
+import static io.confluent.oauth.azure.managedidentity.OAuthBearerLoginCallbackHandler.createAccessTokenRetriever;
+
+public class RegistryBearerAuthCredentialProvider implements BearerAuthCredentialProvider {
+
+    private static final Logger log = LoggerFactory.getLogger(RegistryBearerAuthCredentialProvider.class);
+    public static final String SASL_IDENTITY_POOL_CONFIG = "extension_identityPoolId";
+
+    private String targetSchemaRegistry;
+    private String targetIdentityPoolId;
+    private Map<String, Object> moduleOptions;
+
+    private AccessTokenRetriever accessTokenRetriever;
+    private AccessTokenValidator accessTokenValidator;
+    private boolean isInitialized;
+
+
+    @Override
+    public void configure(Map<String, ?> configs) {
+        // from SaslOauthCredentialProvider
+        Map<String, Object> updatedConfigs = getConfigsForJaasUtil(configs);
+        JaasContext jaasContext = JaasContext.loadClientContext(updatedConfigs);
+        List<AppConfigurationEntry> appConfigurationEntries = jaasContext.configurationEntries();
+        Map<String, ?> jaasconfig;
+        if (Objects.requireNonNull(appConfigurationEntries).size() == 1
+                && appConfigurationEntries.get(0) != null) {
+            jaasconfig = Collections.unmodifiableMap(
+                    ((AppConfigurationEntry) appConfigurationEntries.get(0)).getOptions());
+        } else {
+            throw new ConfigException(
+                    String.format("Must supply exactly 1 non-null JAAS mechanism configuration (size was %d)",
+                            appConfigurationEntries.size()));
+        }
+
+        // make sure we have scope and sub set
+        Map<String, Object> myConfigs = new HashMap<>(configs);
+        myConfigs.put(SaslConfigs.SASL_OAUTHBEARER_SCOPE_CLAIM_NAME, "scope");
+        myConfigs.put(SaslConfigs.SASL_OAUTHBEARER_SUB_CLAIM_NAME, "sub");
+
+
+        ConfigurationUtils cu = new ConfigurationUtils(myConfigs);
+        JaasOptionsUtils jou = new JaasOptionsUtils((Map<String, Object>) jaasconfig);
+
+        targetSchemaRegistry = cu.validateString(
+                SchemaRegistryClientConfig.BEARER_AUTH_LOGICAL_CLUSTER, false);
+
+        // if the schema registry oauth configs are set it is given higher preference
+        targetIdentityPoolId = cu.get(SchemaRegistryClientConfig.BEARER_AUTH_IDENTITY_POOL_ID) != null
+                ? cu.validateString(SchemaRegistryClientConfig.BEARER_AUTH_IDENTITY_POOL_ID)
+                : jou.validateString(SASL_IDENTITY_POOL_CONFIG, false);
+
+        String saslMechanism = cu.validateString(SaslConfigs.SASL_MECHANISM);
+        moduleOptions = JaasOptionsUtils.getOptions(saslMechanism, appConfigurationEntries);
+        AccessTokenRetriever accessTokenRetriever = createAccessTokenRetriever(myConfigs, saslMechanism, moduleOptions);
+
+        AccessTokenValidator accessTokenValidator = AccessTokenValidatorFactory.create(myConfigs, saslMechanism);
+        init(accessTokenRetriever, accessTokenValidator);
+    }
+
+    /*
+     * Package-visible for testing.
+     */
+
+    void init(AccessTokenRetriever accessTokenRetriever, AccessTokenValidator accessTokenValidator) {
+        this.accessTokenRetriever = accessTokenRetriever;
+        this.accessTokenValidator = accessTokenValidator;
+
+        try {
+            this.accessTokenRetriever.init();
+        } catch (IOException e) {
+            throw new KafkaException("The OAuth login configuration encountered an error when initializing the AccessTokenRetriever", e);
+        }
+
+        isInitialized = true;
+    }
+
+
+    @Override
+    public String getBearerToken(URL url) {
+        try {
+            String accessToken = accessTokenRetriever.retrieve();
+            OAuthBearerToken token = accessTokenValidator.validate(accessToken);
+            return accessToken;
+        } catch (ValidateException | IOException e) {
+            log.warn(e.getMessage(), e);
+            return "";
+        }
+    }
+
+    @Override
+    public String getTargetIdentityPoolId() {
+        return targetIdentityPoolId;
+    }
+
+    @Override
+    public String getTargetSchemaRegistry() {
+        return targetSchemaRegistry;
+    }
+
+    // from SaslOauthCredentialProvider
+    Map<String, Object> getConfigsForJaasUtil(Map<String, ?> configs) {
+        Map<String, Object> updatedConfigs = new HashMap<>(configs);
+        if (updatedConfigs.containsKey(SaslConfigs.SASL_JAAS_CONFIG)) {
+            Object saslJaasConfig = updatedConfigs.get(SaslConfigs.SASL_JAAS_CONFIG);
+            if (saslJaasConfig instanceof String) {
+                updatedConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, new Password((String) saslJaasConfig));
+            }
+        }
+        return updatedConfigs;
+    }
+
+}