RubyGems - ruby-kafka-aws-iam - Versions diffs - 1.4.1 - Mend

ruby-kafka-aws-iam 1.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (145) hide show

checksums.yaml +7 -0
data/.circleci/config.yml +393 -0
data/.github/workflows/stale.yml +19 -0
data/.gitignore +13 -0
data/.readygo +1 -0
data/.rspec +3 -0
data/.rubocop.yml +44 -0
data/.ruby-version +1 -0
data/.yardopts +3 -0
data/CHANGELOG.md +314 -0
data/Gemfile +5 -0
data/ISSUE_TEMPLATE.md +23 -0
data/LICENSE.txt +176 -0
data/Procfile +2 -0
data/README.md +1356 -0
data/Rakefile +8 -0
data/benchmarks/message_encoding.rb +23 -0
data/bin/console +8 -0
data/bin/setup +5 -0
data/docker-compose.yml +39 -0
data/examples/consumer-group.rb +35 -0
data/examples/firehose-consumer.rb +64 -0
data/examples/firehose-producer.rb +54 -0
data/examples/simple-consumer.rb +34 -0
data/examples/simple-producer.rb +42 -0
data/examples/ssl-producer.rb +44 -0
data/lib/kafka/async_producer.rb +297 -0
data/lib/kafka/broker.rb +217 -0
data/lib/kafka/broker_info.rb +16 -0
data/lib/kafka/broker_pool.rb +41 -0
data/lib/kafka/broker_uri.rb +43 -0
data/lib/kafka/client.rb +838 -0
data/lib/kafka/cluster.rb +513 -0
data/lib/kafka/compression.rb +45 -0
data/lib/kafka/compressor.rb +86 -0
data/lib/kafka/connection.rb +228 -0
data/lib/kafka/connection_builder.rb +33 -0
data/lib/kafka/consumer.rb +642 -0
data/lib/kafka/consumer_group/assignor.rb +63 -0
data/lib/kafka/consumer_group.rb +231 -0
data/lib/kafka/crc32_hash.rb +15 -0
data/lib/kafka/datadog.rb +420 -0
data/lib/kafka/digest.rb +22 -0
data/lib/kafka/fetch_operation.rb +115 -0
data/lib/kafka/fetched_batch.rb +58 -0
data/lib/kafka/fetched_batch_generator.rb +120 -0
data/lib/kafka/fetched_message.rb +48 -0
data/lib/kafka/fetched_offset_resolver.rb +48 -0
data/lib/kafka/fetcher.rb +224 -0
data/lib/kafka/gzip_codec.rb +34 -0
data/lib/kafka/heartbeat.rb +25 -0
data/lib/kafka/instrumenter.rb +38 -0
data/lib/kafka/interceptors.rb +33 -0
data/lib/kafka/lz4_codec.rb +27 -0
data/lib/kafka/message_buffer.rb +87 -0
data/lib/kafka/murmur2_hash.rb +17 -0
data/lib/kafka/offset_manager.rb +259 -0
data/lib/kafka/partitioner.rb +40 -0
data/lib/kafka/pause.rb +92 -0
data/lib/kafka/pending_message.rb +29 -0
data/lib/kafka/pending_message_queue.rb +41 -0
data/lib/kafka/produce_operation.rb +205 -0
data/lib/kafka/producer.rb +528 -0
data/lib/kafka/prometheus.rb +316 -0
data/lib/kafka/protocol/add_offsets_to_txn_request.rb +29 -0
data/lib/kafka/protocol/add_offsets_to_txn_response.rb +21 -0
data/lib/kafka/protocol/add_partitions_to_txn_request.rb +34 -0
data/lib/kafka/protocol/add_partitions_to_txn_response.rb +47 -0
data/lib/kafka/protocol/alter_configs_request.rb +44 -0
data/lib/kafka/protocol/alter_configs_response.rb +49 -0
data/lib/kafka/protocol/api_versions_request.rb +21 -0
data/lib/kafka/protocol/api_versions_response.rb +53 -0
data/lib/kafka/protocol/consumer_group_protocol.rb +19 -0
data/lib/kafka/protocol/create_partitions_request.rb +42 -0
data/lib/kafka/protocol/create_partitions_response.rb +28 -0
data/lib/kafka/protocol/create_topics_request.rb +45 -0
data/lib/kafka/protocol/create_topics_response.rb +26 -0
data/lib/kafka/protocol/decoder.rb +175 -0
data/lib/kafka/protocol/delete_topics_request.rb +33 -0
data/lib/kafka/protocol/delete_topics_response.rb +26 -0
data/lib/kafka/protocol/describe_configs_request.rb +35 -0
data/lib/kafka/protocol/describe_configs_response.rb +73 -0
data/lib/kafka/protocol/describe_groups_request.rb +27 -0
data/lib/kafka/protocol/describe_groups_response.rb +73 -0
data/lib/kafka/protocol/encoder.rb +184 -0
data/lib/kafka/protocol/end_txn_request.rb +29 -0
data/lib/kafka/protocol/end_txn_response.rb +19 -0
data/lib/kafka/protocol/fetch_request.rb +70 -0
data/lib/kafka/protocol/fetch_response.rb +136 -0
data/lib/kafka/protocol/find_coordinator_request.rb +29 -0
data/lib/kafka/protocol/find_coordinator_response.rb +29 -0
data/lib/kafka/protocol/heartbeat_request.rb +27 -0
data/lib/kafka/protocol/heartbeat_response.rb +17 -0
data/lib/kafka/protocol/init_producer_id_request.rb +26 -0
data/lib/kafka/protocol/init_producer_id_response.rb +27 -0
data/lib/kafka/protocol/join_group_request.rb +47 -0
data/lib/kafka/protocol/join_group_response.rb +41 -0
data/lib/kafka/protocol/leave_group_request.rb +25 -0
data/lib/kafka/protocol/leave_group_response.rb +17 -0
data/lib/kafka/protocol/list_groups_request.rb +23 -0
data/lib/kafka/protocol/list_groups_response.rb +35 -0
data/lib/kafka/protocol/list_offset_request.rb +53 -0
data/lib/kafka/protocol/list_offset_response.rb +89 -0
data/lib/kafka/protocol/member_assignment.rb +42 -0
data/lib/kafka/protocol/message.rb +172 -0
data/lib/kafka/protocol/message_set.rb +55 -0
data/lib/kafka/protocol/metadata_request.rb +31 -0
data/lib/kafka/protocol/metadata_response.rb +185 -0
data/lib/kafka/protocol/offset_commit_request.rb +47 -0
data/lib/kafka/protocol/offset_commit_response.rb +29 -0
data/lib/kafka/protocol/offset_fetch_request.rb +38 -0
data/lib/kafka/protocol/offset_fetch_response.rb +56 -0
data/lib/kafka/protocol/produce_request.rb +94 -0
data/lib/kafka/protocol/produce_response.rb +63 -0
data/lib/kafka/protocol/record.rb +88 -0
data/lib/kafka/protocol/record_batch.rb +223 -0
data/lib/kafka/protocol/request_message.rb +26 -0
data/lib/kafka/protocol/sasl_handshake_request.rb +33 -0
data/lib/kafka/protocol/sasl_handshake_response.rb +28 -0
data/lib/kafka/protocol/sync_group_request.rb +33 -0
data/lib/kafka/protocol/sync_group_response.rb +26 -0
data/lib/kafka/protocol/txn_offset_commit_request.rb +46 -0
data/lib/kafka/protocol/txn_offset_commit_response.rb +47 -0
data/lib/kafka/protocol.rb +225 -0
data/lib/kafka/round_robin_assignment_strategy.rb +52 -0
data/lib/kafka/sasl/awsmskiam.rb +128 -0
data/lib/kafka/sasl/gssapi.rb +76 -0
data/lib/kafka/sasl/oauth.rb +64 -0
data/lib/kafka/sasl/plain.rb +39 -0
data/lib/kafka/sasl/scram.rb +180 -0
data/lib/kafka/sasl_authenticator.rb +73 -0
data/lib/kafka/snappy_codec.rb +29 -0
data/lib/kafka/socket_with_timeout.rb +96 -0
data/lib/kafka/ssl_context.rb +66 -0
data/lib/kafka/ssl_socket_with_timeout.rb +192 -0
data/lib/kafka/statsd.rb +296 -0
data/lib/kafka/tagged_logger.rb +77 -0
data/lib/kafka/transaction_manager.rb +306 -0
data/lib/kafka/transaction_state_machine.rb +72 -0
data/lib/kafka/version.rb +5 -0
data/lib/kafka/zstd_codec.rb +27 -0
data/lib/kafka.rb +373 -0
data/lib/ruby-kafka.rb +5 -0
data/ruby-kafka.gemspec +54 -0
metadata +520 -0

data/lib/kafka/round_robin_assignment_strategy.rb ADDED Viewed

@@ -0,0 +1,52 @@
+module Kafka
+  # A round robin assignment strategy inpired on the
+  # original java client round robin assignor. It's capable
+  # of handling identical as well as different topic subscriptions
+  # accross the same consumer group.
+  class RoundRobinAssignmentStrategy
+    def protocol_name
+      "roundrobin"
+    end
+    # Assign the topic partitions to the group members.
+    #
+    # @param cluster [Kafka::Cluster]
+    # @param members [Hash<String, Kafka::Protocol::JoinGroupResponse::Metadata>] a hash
+    #   mapping member ids to metadata
+    # @param partitions [Array<Kafka::ConsumerGroup::Assignor::Partition>] a list of
+    #   partitions the consumer group processes
+    # @return [Hash<String, Array<Kafka::ConsumerGroup::Assignor::Partition>] a hash
+    #   mapping member ids to partitions.
+    def call(cluster:, members:, partitions:)
+      partitions_per_member = Hash.new {|h, k| h[k] = [] }
+      relevant_partitions = valid_sorted_partitions(members, partitions)
+      members_ids = members.keys
+      iterator = (0...members.size).cycle
+      idx = iterator.next
+      relevant_partitions.each do |partition|
+        topic = partition.topic
+        while !members[members_ids[idx]].topics.include?(topic)
+          idx = iterator.next
+        end
+        partitions_per_member[members_ids[idx]] << partition
+        idx = iterator.next
+      end
+      partitions_per_member
+    end
+    def valid_sorted_partitions(members, partitions)
+      subscribed_topics = members.map do |id, metadata|
+        metadata && metadata.topics
+      end.flatten.compact
+      partitions
+        .select { |partition| subscribed_topics.include?(partition.topic) }
+        .sort_by { |partition| partition.topic }
+    end
+  end
+end

data/lib/kafka/sasl/awsmskiam.rb ADDED Viewed

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+require 'securerandom'
+require 'base64'
+require 'json'
+module Kafka
+  module Sasl
+    class AwsMskIam
+      AWS_MSK_IAM = "AWS_MSK_IAM"
+      def initialize(aws_region:, access_key_id:, secret_key_id:, logger:)
+        @semaphore = Mutex.new
+        @aws_region = aws_region
+        @access_key_id = access_key_id
+        @secret_key_id = secret_key_id
+        @logger = TaggedLogger.new(logger)
+      end
+      def ident
+        AWS_MSK_IAM
+      end
+      def configured?
+        @aws_region && @access_key_id && @secret_key_id
+      end
+      def authenticate!(host, encoder, decoder)
+        @logger.debug "Authenticating #{@access_key_id} with SASL #{AWS_MSK_IAM}"
+        host_without_port = host.split(':', -1).first
+        time_now = Time.now.utc
+        msg = authentication_payload(host: host_without_port, time_now: time_now)
+        @logger.debug "Sending first client SASL AWS_MSK_IAM message:"
+        @logger.debug msg
+        encoder.write_bytes(msg)
+        begin
+          @server_first_message = decoder.bytes
+          @logger.debug "Received first server SASL AWS_MSK_IAM message: #{@server_first_message}"
+          raise Kafka::Error, "SASL AWS_MSK_IAM authentication failed: unknown error" unless @server_first_message
+        rescue Errno::ETIMEDOUT, EOFError => e
+          raise Kafka::Error, "SASL AWS_MSK_IAM authentication failed: #{e.message}"
+        end
+        @logger.debug "SASL #{AWS_MSK_IAM} authentication successful"
+      end
+      private
+      def bin_to_hex(s)
+        s.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
+      end
+      def digest
+        @digest ||= OpenSSL::Digest::SHA256.new
+      end
+      def authentication_payload(host:, time_now:)
+        {
+          'version': "2020_10_22",
+          'host': host,
+          'user-agent': "ruby-kafka",
+          'action': "kafka-cluster:Connect",
+          'x-amz-algorithm': "AWS4-HMAC-SHA256",
+          'x-amz-credential': @access_key_id + "/" + time_now.strftime("%Y%m%d") + "/" + @aws_region + "/kafka-cluster/aws4_request",
+          'x-amz-date': time_now.strftime("%Y%m%dT%H%M%SZ"),
+          'x-amz-signedheaders': "host",
+          'x-amz-expires': "900",
+          'x-amz-signature': signature(host: host, time_now: time_now)
+        }.to_json
+      end
+      def canonical_request(host:, time_now:)
+        "GET\n" +
+        "/\n" +
+        canonical_query_string(time_now: time_now) + "\n" +
+        canonical_headers(host: host) + "\n" +
+        signed_headers + "\n" +
+        hashed_payload
+      end
+      def canonical_query_string(time_now:)
+        URI.encode_www_form(
+          "Action" => "kafka-cluster:Connect",
+          "X-Amz-Algorithm" => "AWS4-HMAC-SHA256",
+          "X-Amz-Credential" => @access_key_id + "/" + time_now.strftime("%Y%m%d") + "/" + @aws_region + "/kafka-cluster/aws4_request",
+          "X-Amz-Date" => time_now.strftime("%Y%m%dT%H%M%SZ"),
+          "X-Amz-Expires" => "900",
+          "X-Amz-SignedHeaders" => "host"
+        )
+      end
+      def canonical_headers(host:)
+        "host" + ":" + host + "\n"
+      end
+      def signed_headers
+        "host"
+      end
+      def hashed_payload
+        bin_to_hex(digest.digest(""))
+      end
+      def string_to_sign(host:, time_now:)
+        "AWS4-HMAC-SHA256" + "\n" +
+        time_now.strftime("%Y%m%dT%H%M%SZ") + "\n" +
+        time_now.strftime("%Y%m%d") + "/" + @aws_region + "/kafka-cluster/aws4_request" + "\n" +
+        bin_to_hex(digest.digest(canonical_request(host: host, time_now: time_now)))
+      end
+      def signature(host:, time_now:)
+        date_key = OpenSSL::HMAC.digest("SHA256", "AWS4" + @secret_key_id, time_now.strftime("%Y%m%d"))
+        date_region_key = OpenSSL::HMAC.digest("SHA256", date_key, @aws_region)
+        date_region_service_key = OpenSSL::HMAC.digest("SHA256", date_region_key, "kafka-cluster")
+        signing_key = OpenSSL::HMAC.digest("SHA256", date_region_service_key, "aws4_request")
+        signature = bin_to_hex(OpenSSL::HMAC.digest("SHA256", signing_key, string_to_sign(host: host, time_now: time_now)))
+        signature
+      end
+    end
+  end
+end

data/lib/kafka/sasl/gssapi.rb ADDED Viewed

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+module Kafka
+  module Sasl
+    class Gssapi
+      GSSAPI_IDENT = "GSSAPI"
+      GSSAPI_CONFIDENTIALITY = false
+      def initialize(logger:, principal:, keytab:)
+        @logger = TaggedLogger.new(logger)
+        @principal = principal
+        @keytab = keytab
+      end
+      def configured?
+        @principal && !@principal.empty?
+      end
+      def ident
+        GSSAPI_IDENT
+      end
+      def authenticate!(host, encoder, decoder)
+        load_gssapi
+        initialize_gssapi_context(host)
+        @encoder = encoder
+        @decoder = decoder
+        # send gssapi token and receive token to verify
+        token_to_verify = send_and_receive_sasl_token
+        # verify incoming token
+        unless @gssapi_ctx.init_context(token_to_verify)
+          raise Kafka::Error, "GSSAPI context verification failed."
+        end
+        # we can continue, so send OK
+        @encoder.write([0, 2].pack('l>c'))
+        # read wrapped message and return it back with principal
+        handshake_messages
+      end
+      def handshake_messages
+        msg = @decoder.bytes
+        raise Kafka::Error, "GSSAPI negotiation failed." unless msg
+        # unwrap with integrity only
+        msg_unwrapped = @gssapi_ctx.unwrap_message(msg, GSSAPI_CONFIDENTIALITY)
+        msg_wrapped = @gssapi_ctx.wrap_message(msg_unwrapped + @principal, GSSAPI_CONFIDENTIALITY)
+        @encoder.write_bytes(msg_wrapped)
+      end
+      def send_and_receive_sasl_token
+        @encoder.write_bytes(@gssapi_token)
+        @decoder.bytes
+      end
+      def load_gssapi
+        begin
+          require "gssapi"
+        rescue LoadError
+          @logger.error "In order to use GSSAPI authentication you need to install the `gssapi` gem."
+          raise
+        end
+      end
+      def initialize_gssapi_context(host)
+        @logger.debug "GSSAPI: Initializing context with #{host}, principal #{@principal}"
+        @gssapi_ctx = GSSAPI::Simple.new(host, @principal, @keytab)
+        @gssapi_token = @gssapi_ctx.init_context(nil)
+      end
+    end
+  end
+end

data/lib/kafka/sasl/oauth.rb ADDED Viewed

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+module Kafka
+  module Sasl
+    class OAuth
+      OAUTH_IDENT = "OAUTHBEARER"
+      # token_provider: THE FOLLOWING INTERFACE MUST BE FULFILLED:
+      #
+      # [REQUIRED] TokenProvider#token      - Returns an ID/Access Token to be sent to the Kafka client.
+      #   The implementation should ensure token reuse so that multiple calls at connect time do not
+      #   create multiple tokens. The implementation should also periodically refresh the token in
+      #   order to guarantee that each call returns an unexpired token. A timeout error should
+      #   be returned after a short period of inactivity so that the broker can log debugging
+      #   info and retry.
+      #
+      # [OPTIONAL] TokenProvider#extensions - Returns a map of key-value pairs that can be sent with the
+      #   SASL/OAUTHBEARER initial client response. If not provided, the values are ignored. This feature
+      #   is only available in Kafka >= 2.1.0.
+      #
+      def initialize(logger:, token_provider:)
+        @logger = TaggedLogger.new(logger)
+        @token_provider = token_provider
+      end
+      def ident
+        OAUTH_IDENT
+      end
+      def configured?
+        @token_provider
+      end
+      def authenticate!(host, encoder, decoder)
+        # Send SASLOauthBearerClientResponse with token
+        @logger.debug "Authenticating to #{host} with SASL #{OAUTH_IDENT}"
+        encoder.write_bytes(initial_client_response)
+        begin
+          # receive SASL OAuthBearer Server Response
+          msg = decoder.bytes
+          raise Kafka::Error, "SASL #{OAUTH_IDENT} authentication failed: unknown error" unless msg
+        rescue Errno::ETIMEDOUT, EOFError => e
+          raise Kafka::Error, "SASL #{OAUTH_IDENT} authentication failed: #{e.message}"
+        end
+        @logger.debug "SASL #{OAUTH_IDENT} authentication successful."
+      end
+      private
+      def initial_client_response
+        raise Kafka::TokenMethodNotImplementedError, "Token provider doesn't define 'token'" unless @token_provider.respond_to? :token
+        "n,,\x01auth=Bearer #{@token_provider.token}#{token_extensions}\x01\x01"
+      end
+      def token_extensions
+        return nil unless @token_provider.respond_to? :extensions
+        "\x01#{@token_provider.extensions.map {|e| e.join("=")}.join("\x01")}"
+      end
+    end
+  end
+end

data/lib/kafka/sasl/plain.rb ADDED Viewed

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+module Kafka
+  module Sasl
+    class Plain
+      PLAIN_IDENT = "PLAIN"
+      def initialize(logger:, authzid:, username:, password:)
+        @logger = TaggedLogger.new(logger)
+        @authzid = authzid
+        @username = username
+        @password = password
+      end
+      def ident
+        PLAIN_IDENT
+      end
+      def configured?
+        @authzid && @username && @password
+      end
+      def authenticate!(host, encoder, decoder)
+        msg = [@authzid, @username, @password].join("\000").force_encoding("utf-8")
+        encoder.write_bytes(msg)
+        begin
+          msg = decoder.bytes
+          raise Kafka::Error, "SASL PLAIN authentication failed: unknown error" unless msg
+        rescue Errno::ETIMEDOUT, EOFError => e
+          raise Kafka::Error, "SASL PLAIN authentication failed: #{e.message}"
+        end
+        @logger.debug "SASL PLAIN authentication successful."
+      end
+    end
+  end
+end

data/lib/kafka/sasl/scram.rb ADDED Viewed

@@ -0,0 +1,180 @@
+# frozen_string_literal: true
+require 'securerandom'
+require 'base64'
+module Kafka
+  module Sasl
+    class Scram
+      MECHANISMS = {
+        "sha256" => "SCRAM-SHA-256",
+        "sha512" => "SCRAM-SHA-512",
+      }.freeze
+      def initialize(username:, password:, mechanism: 'sha256', logger:)
+        @semaphore = Mutex.new
+        @username = username
+        @password = password
+        @logger = TaggedLogger.new(logger)
+        if mechanism
+          @mechanism = MECHANISMS.fetch(mechanism) do
+            raise Kafka::SaslScramError, "SCRAM mechanism #{mechanism} is not supported."
+          end
+        end
+      end
+      def ident
+        @mechanism
+      end
+      def configured?
+        @username && @password && @mechanism
+      end
+      def authenticate!(host, encoder, decoder)
+        @logger.debug "Authenticating #{@username} with SASL #{@mechanism}"
+        begin
+          @semaphore.synchronize do
+            msg = first_message
+            @logger.debug "Sending first client SASL SCRAM message: #{msg}"
+            encoder.write_bytes(msg)
+            @server_first_message = decoder.bytes
+            @logger.debug "Received first server SASL SCRAM message: #{@server_first_message}"
+            msg = final_message
+            @logger.debug "Sending final client SASL SCRAM message: #{msg}"
+            encoder.write_bytes(msg)
+            response = parse_response(decoder.bytes)
+            @logger.debug "Received last server SASL SCRAM message: #{response}"
+            raise FailedScramAuthentication, response['e'] if response['e']
+            raise FailedScramAuthentication, "Invalid server signature" if response['v'] != server_signature
+          end
+        rescue EOFError => e
+          raise FailedScramAuthentication, e.message
+        end
+        @logger.debug "SASL SCRAM authentication successful"
+      end
+      private
+      def first_message
+        "n,,#{first_message_bare}"
+      end
+      def first_message_bare
+        "n=#{encoded_username},r=#{nonce}"
+      end
+      def final_message_without_proof
+        "c=biws,r=#{rnonce}"
+      end
+      def final_message
+        "#{final_message_without_proof},p=#{client_proof}"
+      end
+      def server_data
+        parse_response(@server_first_message)
+      end
+      def rnonce
+        server_data['r']
+      end
+      def salt
+        Base64.strict_decode64(server_data['s'])
+      end
+      def iterations
+        server_data['i'].to_i
+      end
+      def auth_message
+        [first_message_bare, @server_first_message, final_message_without_proof].join(',')
+      end
+      def salted_password
+        hi(@password, salt, iterations)
+      end
+      def client_key
+        hmac(salted_password, 'Client Key')
+      end
+      def stored_key
+        h(client_key)
+      end
+      def server_key
+        hmac(salted_password, 'Server Key')
+      end
+      def client_signature
+        hmac(stored_key, auth_message)
+      end
+      def server_signature
+        Base64.strict_encode64(hmac(server_key, auth_message))
+      end
+      def client_proof
+        Base64.strict_encode64(xor(client_key, client_signature))
+      end
+      def h(str)
+        digest.digest(str)
+      end
+      def hi(str, salt, iterations)
+        OpenSSL::PKCS5.pbkdf2_hmac(
+          str,
+          salt,
+          iterations,
+          digest.size,
+          digest
+        )
+      end
+      def hmac(data, key)
+        OpenSSL::HMAC.digest(digest, data, key)
+      end
+      def xor(first, second)
+        first.bytes.zip(second.bytes).map { |(a, b)| (a ^ b).chr }.join('')
+      end
+      def parse_response(data)
+        data.split(',').map { |s| s.split('=', 2) }.to_h
+      end
+      def encoded_username
+        safe_str(@username.encode(Encoding::UTF_8))
+      end
+      def nonce
+        @nonce ||= SecureRandom.urlsafe_base64(32)
+      end
+      def digest
+        @digest ||= case @mechanism
+                    when 'SCRAM-SHA-256'
+                      OpenSSL::Digest::SHA256.new
+                    when 'SCRAM-SHA-512'
+                      OpenSSL::Digest::SHA512.new
+                    else
+                      raise ArgumentError, "Unknown SASL mechanism '#{@mechanism}'"
+                    end
+      end
+      def safe_str(val)
+        val.gsub('=', '=3D').gsub(',', '=2C')
+      end
+    end
+  end
+end

data/lib/kafka/sasl_authenticator.rb ADDED Viewed

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+require 'kafka/sasl/plain'
+require 'kafka/sasl/gssapi'
+require 'kafka/sasl/scram'
+require 'kafka/sasl/oauth'
+require 'kafka/sasl/awsmskiam'
+module Kafka
+  class SaslAuthenticator
+    def initialize(logger:, sasl_gssapi_principal:, sasl_gssapi_keytab:,
+                   sasl_plain_authzid:, sasl_plain_username:, sasl_plain_password:,
+                   sasl_scram_username:, sasl_scram_password:, sasl_scram_mechanism:,
+                   sasl_oauth_token_provider:,
+                   sasl_aws_msk_iam_access_key_id:,
+                   sasl_aws_msk_iam_secret_key_id:,
+                   sasl_aws_msk_iam_aws_region:
+                  )
+      @logger = TaggedLogger.new(logger)
+      @plain = Sasl::Plain.new(
+        authzid: sasl_plain_authzid,
+        username: sasl_plain_username,
+        password: sasl_plain_password,
+        logger: @logger,
+      )
+      @gssapi = Sasl::Gssapi.new(
+        principal: sasl_gssapi_principal,
+        keytab: sasl_gssapi_keytab,
+        logger: @logger,
+      )
+      @scram = Sasl::Scram.new(
+        username: sasl_scram_username,
+        password: sasl_scram_password,
+        mechanism: sasl_scram_mechanism,
+        logger: @logger,
+      )
+      @aws_msk_iam = Sasl::AwsMskIam.new(
+        access_key_id: sasl_aws_msk_iam_access_key_id,
+        secret_key_id: sasl_aws_msk_iam_secret_key_id,
+        aws_region: sasl_aws_msk_iam_aws_region,
+        logger: @logger,
+      )
+      @oauth = Sasl::OAuth.new(
+        token_provider: sasl_oauth_token_provider,
+        logger: @logger,
+      )
+      @mechanism = [@gssapi, @plain, @scram, @oauth, @aws_msk_iam].find(&:configured?)
+    end
+    def enabled?
+      !@mechanism.nil?
+    end
+    def authenticate!(connection)
+      return unless enabled?
+      ident = @mechanism.ident
+      response = connection.send_request(Kafka::Protocol::SaslHandshakeRequest.new(ident))
+      unless response.error_code == 0 && response.enabled_mechanisms.include?(ident)
+        raise Kafka::Error, "#{ident} is not supported."
+      end
+      @mechanism.authenticate!(connection.to_s, connection.encoder, connection.decoder)
+    end
+  end
+end

data/lib/kafka/snappy_codec.rb ADDED Viewed

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+module Kafka
+  class SnappyCodec
+    def codec_id
+      2
+    end
+    def produce_api_min_version
+      0
+    end
+    def load
+      require "snappy"
+    rescue LoadError
+      raise LoadError,
+        "Using snappy compression requires adding a dependency on the `snappy` gem to your Gemfile."
+    end
+    def compress(data)
+      Snappy.deflate(data)
+    end
+    def decompress(data)
+      buffer = StringIO.new(data)
+      Snappy::Reader.new(buffer).read
+    end
+  end
+end