Eventhub oauth

snowplow · Dec 13, 2023 · ab6c0bc · ab6c0bc
1 parent 2b4cd29
commit ab6c0bc
Show file tree

Hide file tree

Showing 4 changed files with 96 additions and 12 deletions.
diff --git a/kafka/src/main/resources/application.conf b/kafka/src/main/resources/application.conf
@@ -11,6 +11,12 @@ collector {
       retries = 10
       maxBytes = 1000000
       buffer = ${collector.streams.buffer}
+      producerConf = {
+        "security.protocol" = "SASL_SSL"
+        "sasl.mechanism" = "OAUTHBEARER"
+        "sasl.jaas.config": "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;"
+        "sasl.login.callback.handler.class": "com.snowplowanalytics.snowplow.collectors.scalastream.sinks.AzureAuthenticationCallbackHandler"
+      }
     }
 
     //Legacy style

diff --git a/...wanalytics.snowplow.collectors.scalastream/sinks/AzureAuthenticationCallbackHandler.scala b/...wanalytics.snowplow.collectors.scalastream/sinks/AzureAuthenticationCallbackHandler.scala
@@ -0,0 +1,75 @@
+/**
+  * Copyright (c) 2013-present Snowplow Analytics Ltd.
+  * All rights reserved.
+  *
+  * This program is licensed to you under the Snowplow Community License Version 1.0,
+  * and you may not use this file except in compliance with the Snowplow Community License Version 1.0.
+  * You may obtain a copy of the Snowplow Community License Version 1.0 at https://docs.snowplow.io/community-license-1.0
+  */
+package com.snowplowanalytics.snowplow.collectors.scalastream
+package sinks
+
+import java.net.URI
+import java.{lang, util}
+
+import javax.security.auth.callback.Callback
+import javax.security.auth.callback.UnsupportedCallbackException
+import javax.security.auth.login.AppConfigurationEntry
+
+import org.apache.kafka.clients.producer.ProducerConfig
+import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
+import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken
+import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback
+
+import com.microsoft.azure.credentials.MSICredentials
+
+import com.nimbusds.jwt.JWTParser
+
+class AzureAuthenticationCallbackHandler extends AuthenticateCallbackHandler {
+
+  val CREDENTIALS: MSICredentials = new MSICredentials()
+
+  var sbUri: String = ""
+
+  override def configure(
+    configs: util.Map[String, _],
+    saslMechanism: String,
+    jaasConfigEntries: util.List[AppConfigurationEntry]
+  ): Unit = {
+    val bootstrapServer = configs.get(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG).toString.replaceAll("\\[|\\]", "")
+    val uri             = URI.create("https://" + bootstrapServer)
+    this.sbUri = uri.getScheme + "://" + uri.getHost
+  }
+
+  override def handle(callbacks: Array[Callback]): Unit =
+    callbacks.foreach {
+      case callback: OAuthBearerTokenCallback =>
+        try {
+          val token = getOAuthBearerToken()
+          callback.token(token)
+        } catch {
+          case e: Throwable => e.printStackTrace()
+        }
+      case callback => throw new UnsupportedCallbackException(callback)
+    }
+
+  def getOAuthBearerToken(): OAuthBearerToken = {
+    val accessToken = CREDENTIALS.getToken(sbUri)
+    val jwt         = JWTParser.parse(accessToken)
+    val claims      = jwt.getJWTClaimsSet
+
+    new OAuthBearerToken {
+      override def value(): String = accessToken
+
+      override def lifetimeMs(): Long = claims.getExpirationTime.getTime
+
+      override def scope(): util.Set[String] = null
+
+      override def principalName(): String = null
+
+      override def startTimeMs(): lang.Long = null
+    }
+  }
+
+  override def close(): Unit = ()
+}
diff --git a/project/BuildSettings.scala b/project/BuildSettings.scala
@@ -86,7 +86,8 @@ object BuildSettings {
       libraryDependencies ++= Seq(
         Dependencies.Libraries.kafkaClients,
         Dependencies.Libraries.mskAuth,
-
+        Dependencies.Libraries.azureAuth,
+
         // integration tests dependencies
         Dependencies.Libraries.IntegrationTests.specs2,
         Dependencies.Libraries.IntegrationTests.specs2CE

diff --git a/project/Dependencies.scala b/project/Dependencies.scala
@@ -37,6 +37,7 @@ object Dependencies {
     val testcontainers   = "0.40.10"
     val thrift           = "0.15.0" // force this version to mitigate security vulnerabilities
     val tracker          = "2.0.0"
+    val azureAuth        = "1.7.14"
   }
 
   object Libraries {
@@ -58,17 +59,18 @@ object Dependencies {
     val trackerCore       = "com.snowplowanalytics" %% "snowplow-scala-tracker-core"           % V.tracker
 
     //sinks
-    val fs2PubSub      = "com.permutive"              %% "fs2-google-pubsub-grpc" % V.fs2PubSub
-    val jackson        = "com.fasterxml.jackson.core" % "jackson-databind"        % V.jackson
-    val kafkaClients   = "org.apache.kafka"           % "kafka-clients"           % V.kafka
-    val kinesis        = "com.amazonaws"              % "aws-java-sdk-kinesis"    % V.awsSdk
-    val log4j          = "org.apache.logging.log4j"   % "log4j-core"              % V.log4j
-    val mskAuth        = "software.amazon.msk"        % "aws-msk-iam-auth"        % V.mskAuth % Runtime // Enables AWS MSK IAM authentication https://github.com/snowplow/stream-collector/pull/214
-    val nettyAll       = "io.netty"                   % "netty-all"               % V.nettyAll
-    val nsqClient      = "com.snowplowanalytics"      % "nsq-java-client"         % V.nsqClient
-    val pubsub         = "com.google.cloud"           % "google-cloud-pubsub"     % V.pubsub
-    val sqs            = "com.amazonaws"              % "aws-java-sdk-sqs"        % V.awsSdk
-    val sts            = "com.amazonaws"              % "aws-java-sdk-sts"        % V.awsSdk % Runtime // Enables web token authentication https://github.com/snowplow/stream-collector/issues/169
+    val fs2PubSub      = "com.permutive"              %% "fs2-google-pubsub-grpc"     % V.fs2PubSub
+    val jackson        = "com.fasterxml.jackson.core" % "jackson-databind"            % V.jackson
+    val kafkaClients   = "org.apache.kafka"           % "kafka-clients"               % V.kafka
+    val kinesis        = "com.amazonaws"              % "aws-java-sdk-kinesis"        % V.awsSdk
+    val log4j          = "org.apache.logging.log4j"   % "log4j-core"                  % V.log4j
+    val mskAuth        = "software.amazon.msk"        % "aws-msk-iam-auth"            % V.mskAuth % Runtime // Enables AWS MSK IAM authentication https://github.com/snowplow/stream-collector/pull/214
+    val nettyAll       = "io.netty"                   % "netty-all"                   % V.nettyAll
+    val nsqClient      = "com.snowplowanalytics"      % "nsq-java-client"             % V.nsqClient
+    val pubsub         = "com.google.cloud"           % "google-cloud-pubsub"         % V.pubsub
+    val sqs            = "com.amazonaws"              % "aws-java-sdk-sqs"            % V.awsSdk
+    val sts            = "com.amazonaws"              % "aws-java-sdk-sts"            % V.awsSdk % Runtime // Enables web token authentication https://github.com/snowplow/stream-collector/issues/169
+    val azureAuth      = "com.microsoft.azure"        % "azure-client-authentication" % V.azureAuth
 
     //common unit tests
     val specs2    = "org.specs2"     %% "specs2-core"                % V.specs2    % Test