ruby-kafka-aws-iam 1.4.2 → 1.4.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/kafka/client.rb +4 -1
- data/lib/kafka/connection.rb +1 -6
- data/lib/kafka/sasl/awsmskiam.rb +27 -24
- data/lib/kafka/sasl_authenticator.rb +3 -2
- data/lib/kafka/ssl_socket_with_timeout.rb +1 -5
- data/lib/kafka/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 410a10299e8244f0e25ca5d6cea717a54792caa24cf006674d2d2eb45124b646
|
|
4
|
+
data.tar.gz: 97492d2e16908532076a635049bddb7149ec374a282e6c3b13c20000fe0d523f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 95e075270ff241afba5b09f03ba18dddcf500022daa56077b2cfeb35a95ed66f69f3db356b7b4bb8a3f77a50bb4c44509d1197d4b936b8418723cce757259d76
|
|
7
|
+
data.tar.gz: 6f2a8046c8b4a77ea3980b5c6b3f88aa7df51a078451b97705defda0c4fcfcc8567407e39817542607ffcec3155c58009a56905550d72d8ec35ceb294b880010
|
data/lib/kafka/client.rb
CHANGED
|
@@ -86,7 +86,9 @@ module Kafka
|
|
|
86
86
|
sasl_gssapi_keytab: nil, sasl_plain_authzid: '', sasl_plain_username: nil, sasl_plain_password: nil,
|
|
87
87
|
sasl_scram_username: nil, sasl_scram_password: nil, sasl_scram_mechanism: nil,
|
|
88
88
|
sasl_aws_msk_iam_access_key_id: nil,
|
|
89
|
-
sasl_aws_msk_iam_secret_key_id: nil,
|
|
89
|
+
sasl_aws_msk_iam_secret_key_id: nil,
|
|
90
|
+
sasl_aws_msk_iam_aws_region: nil,
|
|
91
|
+
sasl_aws_msk_iam_session_token: nil,
|
|
90
92
|
sasl_over_ssl: true, ssl_ca_certs_from_system: false, partitioner: nil, sasl_oauth_token_provider: nil, ssl_verify_hostname: true,
|
|
91
93
|
resolve_seed_brokers: false)
|
|
92
94
|
@logger = TaggedLogger.new(logger)
|
|
@@ -117,6 +119,7 @@ module Kafka
|
|
|
117
119
|
sasl_aws_msk_iam_access_key_id: sasl_aws_msk_iam_access_key_id,
|
|
118
120
|
sasl_aws_msk_iam_secret_key_id: sasl_aws_msk_iam_secret_key_id,
|
|
119
121
|
sasl_aws_msk_iam_aws_region: sasl_aws_msk_iam_aws_region,
|
|
122
|
+
sasl_aws_msk_iam_session_token: sasl_aws_msk_iam_session_token,
|
|
120
123
|
sasl_oauth_token_provider: sasl_oauth_token_provider,
|
|
121
124
|
logger: @logger
|
|
122
125
|
)
|
data/lib/kafka/connection.rb
CHANGED
|
@@ -127,12 +127,7 @@ module Kafka
|
|
|
127
127
|
@logger.debug "Opening connection to #{@host}:#{@port} with client id #{@client_id}..."
|
|
128
128
|
|
|
129
129
|
if @ssl_context
|
|
130
|
-
@socket = SSLSocketWithTimeout.new(@host,
|
|
131
|
-
@port,
|
|
132
|
-
connect_timeout: @connect_timeout,
|
|
133
|
-
timeout: @socket_timeout,
|
|
134
|
-
ssl_context: @ssl_context,
|
|
135
|
-
logger: @logger)
|
|
130
|
+
@socket = SSLSocketWithTimeout.new(@host, @port, connect_timeout: @connect_timeout, timeout: @socket_timeout, ssl_context: @ssl_context)
|
|
136
131
|
else
|
|
137
132
|
@socket = SocketWithTimeout.new(@host, @port, connect_timeout: @connect_timeout, timeout: @socket_timeout)
|
|
138
133
|
end
|
data/lib/kafka/sasl/awsmskiam.rb
CHANGED
|
@@ -9,12 +9,13 @@ module Kafka
|
|
|
9
9
|
class AwsMskIam
|
|
10
10
|
AWS_MSK_IAM = "AWS_MSK_IAM"
|
|
11
11
|
|
|
12
|
-
def initialize(aws_region:, access_key_id:, secret_key_id:, logger:)
|
|
12
|
+
def initialize(aws_region:, access_key_id:, secret_key_id:, session_token: nil,logger:)
|
|
13
13
|
@semaphore = Mutex.new
|
|
14
14
|
|
|
15
15
|
@aws_region = aws_region
|
|
16
16
|
@access_key_id = access_key_id
|
|
17
17
|
@secret_key_id = secret_key_id
|
|
18
|
+
@session_token = session_token
|
|
18
19
|
@logger = TaggedLogger.new(logger)
|
|
19
20
|
end
|
|
20
21
|
|
|
@@ -39,13 +40,11 @@ module Kafka
|
|
|
39
40
|
encoder.write_bytes(msg)
|
|
40
41
|
|
|
41
42
|
begin
|
|
42
|
-
@logger.debug "Decoding first server SASL AWS_MSK_IAM message"
|
|
43
43
|
@server_first_message = decoder.bytes
|
|
44
44
|
@logger.debug "Received first server SASL AWS_MSK_IAM message: #{@server_first_message}"
|
|
45
45
|
|
|
46
46
|
raise Kafka::Error, "SASL AWS_MSK_IAM authentication failed: unknown error" unless @server_first_message
|
|
47
47
|
rescue Errno::ETIMEDOUT, EOFError => e
|
|
48
|
-
@logger.error e.backtrace
|
|
49
48
|
raise Kafka::Error, "SASL AWS_MSK_IAM authentication failed: #{e.message}"
|
|
50
49
|
end
|
|
51
50
|
|
|
@@ -64,37 +63,41 @@ module Kafka
|
|
|
64
63
|
|
|
65
64
|
def authentication_payload(host:, time_now:)
|
|
66
65
|
{
|
|
67
|
-
'version'
|
|
68
|
-
'host'
|
|
69
|
-
'user-agent'
|
|
70
|
-
'action'
|
|
71
|
-
'x-amz-algorithm'
|
|
72
|
-
'x-amz-credential'
|
|
73
|
-
'x-amz-date'
|
|
74
|
-
'x-amz-signedheaders'
|
|
75
|
-
'x-amz-expires'
|
|
76
|
-
'x-amz-
|
|
77
|
-
|
|
66
|
+
'version' => "2020_10_22",
|
|
67
|
+
'host' => host,
|
|
68
|
+
'user-agent' => "ruby-kafka",
|
|
69
|
+
'action' => "kafka-cluster:Connect",
|
|
70
|
+
'x-amz-algorithm' => "AWS4-HMAC-SHA256",
|
|
71
|
+
'x-amz-credential' => @access_key_id + "/" + time_now.strftime("%Y%m%d") + "/" + @aws_region + "/kafka-cluster/aws4_request",
|
|
72
|
+
'x-amz-date' => time_now.strftime("%Y%m%dT%H%M%SZ"),
|
|
73
|
+
'x-amz-signedheaders' => "host",
|
|
74
|
+
'x-amz-expires' => "900",
|
|
75
|
+
'x-amz-security-token' => @session_token,
|
|
76
|
+
'x-amz-signature' => signature(host: host, time_now: time_now)
|
|
77
|
+
}.delete_if { |_, v| v.nil? }.to_json
|
|
78
78
|
end
|
|
79
79
|
|
|
80
80
|
def canonical_request(host:, time_now:)
|
|
81
81
|
"GET\n" +
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
82
|
+
"/\n" +
|
|
83
|
+
canonical_query_string(time_now: time_now) + "\n" +
|
|
84
|
+
canonical_headers(host: host) + "\n" +
|
|
85
|
+
signed_headers + "\n" +
|
|
86
|
+
hashed_payload
|
|
87
87
|
end
|
|
88
88
|
|
|
89
89
|
def canonical_query_string(time_now:)
|
|
90
|
-
|
|
90
|
+
params = {
|
|
91
91
|
"Action" => "kafka-cluster:Connect",
|
|
92
92
|
"X-Amz-Algorithm" => "AWS4-HMAC-SHA256",
|
|
93
93
|
"X-Amz-Credential" => @access_key_id + "/" + time_now.strftime("%Y%m%d") + "/" + @aws_region + "/kafka-cluster/aws4_request",
|
|
94
94
|
"X-Amz-Date" => time_now.strftime("%Y%m%dT%H%M%SZ"),
|
|
95
95
|
"X-Amz-Expires" => "900",
|
|
96
|
+
"X-Amz-Security-Token" => @session_token,
|
|
96
97
|
"X-Amz-SignedHeaders" => "host"
|
|
97
|
-
|
|
98
|
+
}.delete_if { |_, v| v.nil? }
|
|
99
|
+
|
|
100
|
+
URI.encode_www_form(params)
|
|
98
101
|
end
|
|
99
102
|
|
|
100
103
|
def canonical_headers(host:)
|
|
@@ -111,9 +114,9 @@ module Kafka
|
|
|
111
114
|
|
|
112
115
|
def string_to_sign(host:, time_now:)
|
|
113
116
|
"AWS4-HMAC-SHA256" + "\n" +
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
+
time_now.strftime("%Y%m%dT%H%M%SZ") + "\n" +
|
|
118
|
+
time_now.strftime("%Y%m%d") + "/" + @aws_region + "/kafka-cluster/aws4_request" + "\n" +
|
|
119
|
+
bin_to_hex(digest.digest(canonical_request(host: host, time_now: time_now)))
|
|
117
120
|
end
|
|
118
121
|
|
|
119
122
|
def signature(host:, time_now:)
|
|
@@ -14,8 +14,8 @@ module Kafka
|
|
|
14
14
|
sasl_oauth_token_provider:,
|
|
15
15
|
sasl_aws_msk_iam_access_key_id:,
|
|
16
16
|
sasl_aws_msk_iam_secret_key_id:,
|
|
17
|
-
sasl_aws_msk_iam_aws_region
|
|
18
|
-
|
|
17
|
+
sasl_aws_msk_iam_aws_region:,
|
|
18
|
+
sasl_aws_msk_iam_session_token: nil)
|
|
19
19
|
@logger = TaggedLogger.new(logger)
|
|
20
20
|
|
|
21
21
|
@plain = Sasl::Plain.new(
|
|
@@ -42,6 +42,7 @@ module Kafka
|
|
|
42
42
|
access_key_id: sasl_aws_msk_iam_access_key_id,
|
|
43
43
|
secret_key_id: sasl_aws_msk_iam_secret_key_id,
|
|
44
44
|
aws_region: sasl_aws_msk_iam_aws_region,
|
|
45
|
+
session_token: sasl_aws_msk_iam_session_token,
|
|
45
46
|
logger: @logger,
|
|
46
47
|
)
|
|
47
48
|
|
|
@@ -21,13 +21,12 @@ module Kafka
|
|
|
21
21
|
# @param timeout [Integer] the read and write timeout, in seconds.
|
|
22
22
|
# @param ssl_context [OpenSSL::SSL::SSLContext] which SSLContext the ssl connection should use
|
|
23
23
|
# @raise [Errno::ETIMEDOUT] if the timeout is exceeded.
|
|
24
|
-
def initialize(host, port, connect_timeout: nil, timeout: nil, ssl_context
|
|
24
|
+
def initialize(host, port, connect_timeout: nil, timeout: nil, ssl_context:)
|
|
25
25
|
addr = Socket.getaddrinfo(host, nil)
|
|
26
26
|
sockaddr = Socket.pack_sockaddr_in(port, addr[0][3])
|
|
27
27
|
|
|
28
28
|
@connect_timeout = connect_timeout
|
|
29
29
|
@timeout = timeout
|
|
30
|
-
@logger = logger
|
|
31
30
|
|
|
32
31
|
@tcp_socket = Socket.new(Socket.const_get(addr[0][0]), Socket::SOCK_STREAM, 0)
|
|
33
32
|
@tcp_socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
|
|
@@ -94,7 +93,6 @@ module Kafka
|
|
|
94
93
|
def read(num_bytes)
|
|
95
94
|
buffer = String.new
|
|
96
95
|
|
|
97
|
-
@logger.debug "Reading #{num_bytes} bytes from #{@ssl_socket}"
|
|
98
96
|
until buffer.length >= num_bytes
|
|
99
97
|
begin
|
|
100
98
|
# Unlike plain TCP sockets, SSL sockets don't support IO.select
|
|
@@ -103,8 +101,6 @@ module Kafka
|
|
|
103
101
|
# catch exceptions from read_nonblock and gradually build up
|
|
104
102
|
# our read buffer.
|
|
105
103
|
buffer << @ssl_socket.read_nonblock(num_bytes - buffer.length)
|
|
106
|
-
|
|
107
|
-
@logger.debug "Bytes read: #{buffer.length}"
|
|
108
104
|
rescue IO::WaitReadable
|
|
109
105
|
if select_with_timeout(@ssl_socket, :read)
|
|
110
106
|
retry
|
data/lib/kafka/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-kafka-aws-iam
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.4.
|
|
4
|
+
version: 1.4.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Daniel Schierbeck
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-03-
|
|
11
|
+
date: 2022-03-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: digest-crc
|