diff --git a/.gitignore b/.gitignore
index 88ca35d2..a4125900 100644
--- a/.gitignore
+++ b/.gitignore
@@ -47,3 +47,5 @@ charts/package/
# Ignore the templates.zip file created in main and test resources
src/main/resources/static/templates.zip
src/test/resources/static/templates.zip
+
+.cp-demo
diff --git a/.semaphore/multi-arch-builds-and-upload.yml b/.semaphore/multi-arch-builds-and-upload.yml
index ed36641c..8b361dc3 100644
--- a/.semaphore/multi-arch-builds-and-upload.yml
+++ b/.semaphore/multi-arch-builds-and-upload.yml
@@ -13,11 +13,13 @@ global_job_config:
- checkout
- make ci-bin-sem-cache-restore
- make docker-login-ci
+ - make load-cached-docker-images
epilogue:
always:
commands:
- - make ci-bin-sem-cache-store
- make store-test-results-to-semaphore
+ - make ci-bin-sem-cache-store
+ - make cache-docker-images
blocks:
- name: "Build Native Executable (MacOS AMD64)"
diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml
index 88e1f6c2..0bde9ff3 100644
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -27,11 +27,13 @@ global_job_config:
- checkout
- make ci-bin-sem-cache-restore
- make docker-login-ci
+ - make load-cached-docker-images
epilogue:
always:
commands:
- - make ci-bin-sem-cache-store
- make store-test-results-to-semaphore
+ - make ci-bin-sem-cache-store
+ - make cache-docker-images
blocks:
- name: "Build JARs and Unit Test"
diff --git a/Makefile b/Makefile
index 7440c6c6..e0b1fc94 100644
--- a/Makefile
+++ b/Makefile
@@ -95,3 +95,93 @@ upload-artifacts-to-github-release:
.PHONY: collect-notices-binary
collect-notices-binary: clean mvn-package-native-sources-only
$(IDE_SIDECAR_SCRIPTS)/collect-notices-binary.sh target/native-sources/lib
+
+# Targets for managing cp-demo testcontainers used by the integration tests
+
+# Start the cp-demo testcontainers
+# Note: You do not need to run this in order to run the integration tests, however, if you want
+# to manually bring up the cp-demo environment, you may run this target. You will be
+# able to run the integration tests against the same environment, please keep that in mind!
+.PHONY: cp-demo-start
+cp-demo-start:
+ export TESTCONTAINERS_RYUK_DISABLED=true; \
+ ./mvnw -s .mvn/settings.xml \
+ -Dexec.mainClass=io.confluent.idesidecar.restapi.util.CPDemoTestEnvironment \
+ -Dexec.classpathScope=test \
+ test-compile exec:java
+
+# Stop the cp-demo testcontainers
+.PHONY: cp-demo-stop
+cp-demo-stop:
+ ./mvnw -s .mvn/settings.xml test-compile && \
+ ./mvnw -s .mvn/settings.xml \
+ -Dexec.mainClass=io.confluent.idesidecar.restapi.util.CPDemoTestEnvironment \
+ -Dexec.classpathScope=test \
+ -Dexec.args=stop \
+ exec:java
+
+
+CONFLUENT_DOCKER_TAG = $(shell yq e '.ide-sidecar.integration-tests.cp-demo.tag' src/main/resources/application.yml | sed 's/^v//')
+# See io.confluent.idesidecar.restapi.util.ConfluentLocalKafkaWithRestProxyContainer
+CONFLUENT_LOCAL_DOCKER_TAG = "7.6.0"
+# See io.confluent.idesidecar.restapi.util.cpdemo.OpenldapContainer
+OSIXIA_OPENLDAP_DOCKER_TAG = "1.3.0"
+# See io.confluent.idesidecar.restapi.util.cpdemo.ToolsContainer
+CNFLDEMOS_TOOLS_DOCKER_TAG = "0.3"
+
+# Key for storing docker images in Semaphore CI cache
+SEMAPHORE_CP_ZOOKEEPER_DOCKER := ide-sidecar-docker-cp-zookeeper-$(CONFLUENT_DOCKER_TAG)
+SEMAPHORE_CP_SERVER_DOCKER := ide-sidecar-docker-cp-server-$(CONFLUENT_DOCKER_TAG)
+SEMAPHORE_OPENLDAP_DOCKER := ide-sidecar-docker-openldap-$(OSIXIA_OPENLDAP_DOCKER_TAG)
+SEMAPHORE_CNFLDEMOS_TOOLS_DOCKER := ide-sidecar-docker-cnfldemos-tools-$(CNFLDEMOS_TOOLS_DOCKER_TAG)
+SEMAPHORE_CONFLUENT_LOCAL_DOCKER := ide-sidecar-docker-confluent-local-$(CONFLUENT_LOCAL_DOCKER_TAG)
+
+## Cache docker images in Semaphore cache.
+.PHONY: cache-docker-images
+cache-docker-images:
+ cache has_key $(SEMAPHORE_CP_ZOOKEEPER_DOCKER) || (\
+ docker pull confluentinc/cp-zookeeper:$(CONFLUENT_DOCKER_TAG) && \
+ docker save confluentinc/cp-zookeeper:$(CONFLUENT_DOCKER_TAG) | gzip > cp-zookeeper.tgz && \
+ cache store $(SEMAPHORE_CP_ZOOKEEPER_DOCKER) cp-zookeeper.tgz && \
+ rm -rf cp-zookeeper.tgz)
+
+ cache has_key $(SEMAPHORE_CP_SERVER_DOCKER) || (\
+ docker pull confluentinc/cp-server:$(CONFLUENT_DOCKER_TAG) && \
+ docker save confluentinc/cp-server:$(CONFLUENT_DOCKER_TAG) | gzip > cp-server.tgz && \
+ cache store $(SEMAPHORE_CP_SERVER_DOCKER) cp-server.tgz && \
+ rm -rf cp-server.tgz)
+
+ cache has_key $(SEMAPHORE_OPENLDAP_DOCKER) || (\
+ docker pull osixia/openldap:$(OSIXIA_OPENLDAP_DOCKER_TAG) && \
+ docker save osixia/openldap:$(OSIXIA_OPENLDAP_DOCKER_TAG) | gzip > openldap.tgz && \
+ cache store $(SEMAPHORE_OPENLDAP_DOCKER) openldap.tgz && \
+ rm -rf openldap.tgz)
+
+ cache has_key $(SEMAPHORE_CNFLDEMOS_TOOLS_DOCKER) || (\
+ docker pull cnfldemos/tools:$(CNFLDEMOS_TOOLS_DOCKER_TAG) && \
+ docker save cnfldemos/tools:$(CNFLDEMOS_TOOLS_DOCKER_TAG) | gzip > cnfdemos-tools.tgz && \
+ cache store $(SEMAPHORE_CNFLDEMOS_TOOLS_DOCKER) cnfdemos-tools.tgz && \
+ rm -rf cnfdemos-tools.tgz)
+
+ cache has_key $(SEMAPHORE_CONFLUENT_LOCAL_DOCKER) || (\
+ docker pull confluentinc/cp-local:$(CONFLUENT_LOCAL_DOCKER_TAG) && \
+ docker save confluentinc/cp-local:$(CONFLUENT_LOCAL_DOCKER_TAG) | gzip > cp-local.tgz && \
+ cache store $(SEMAPHORE_CONFLUENT_LOCAL_DOCKER) cp-local.tgz && \
+ rm -rf cp-local.tgz)
+
+.PHONY: load-cached-docker-images
+load-cached-docker-images:
+ cache restore $(SEMAPHORE_CP_ZOOKEEPER_DOCKER) \
+ [ -f cp-zookeeper.tgz ] && docker load -i cp-zookeeper.tgz && rm -rf cp-zookeeper.tgz || true
+
+ cache restore $(SEMAPHORE_CP_SERVER_DOCKER) \
+ [ -f cp-server.tgz ] && docker load -i cp-server.tgz && rm -rf cp-server.tgz || true
+
+ cache restore $(SEMAPHORE_OPENLDAP_DOCKER) \
+ [ -f openldap.tgz ] && docker load -i openldap.tgz && rm -rf openldap.tgz || true
+
+ cache restore $(SEMAPHORE_CNFLDEMOS_TOOLS_DOCKER) \
+ [ -f cnfdemos-tools.tgz ] && docker load -i cnfdemos-tools.tgz && rm -rf cnfdemos-tools.tgz || true
+
+ cache restore $(SEMAPHORE_CONFLUENT_LOCAL_DOCKER) \
+ [ -f cp-local.tgz ] && docker load -i cp-local.tgz && rm -rf cp-local.tgz || true
diff --git a/pom.xml b/pom.xml
index 092cfd14..aab4d63f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -413,7 +413,7 @@
integration-test
verify
-
+
true
diff --git a/src/generated/resources/openapi.json b/src/generated/resources/openapi.json
index 284b70e3..f006f27c 100644
--- a/src/generated/resources/openapi.json
+++ b/src/generated/resources/openapi.json
@@ -659,7 +659,7 @@
"components" : {
"schemas" : {
"ApiKeyAndSecret" : {
- "description" : "Basic authentication credentials",
+ "description" : "API key and secret authentication credentials",
"required" : [ "api_key", "api_secret" ],
"type" : "object",
"properties" : {
@@ -1121,19 +1121,17 @@
"$ref" : "#/components/schemas/BasicCredentials"
}, {
"$ref" : "#/components/schemas/ApiKeyAndSecret"
+ }, {
+ "$ref" : "#/components/schemas/OAuthCredentials"
} ],
"nullable" : true
},
"ssl" : {
- "description" : "Whether to communicate with the Kafka cluster over TLS/SSL. Defaults to 'true', but set to 'false' when the Kafka cluster does not support TLS/SSL.",
- "default" : true,
- "type" : "boolean",
- "nullable" : true
- },
- "verify_ssl_certificates" : {
- "description" : "Whether to verify the Kafka cluster certificates. Defaults to 'true', but set to 'false' when the Kafka cluster has self-signed certificates.",
- "default" : true,
- "type" : "boolean",
+ "description" : "The SSL configuration for connecting to the Kafka cluster. To disable, set `enabled` to false. To use the default SSL settings, set `enabled` to true and leave the `truststore` and `keystore` fields unset.",
+ "type" : "object",
+ "allOf" : [ {
+ "$ref" : "#/components/schemas/TLSConfig"
+ } ],
"nullable" : true
}
}
@@ -1166,6 +1164,42 @@
}
}
},
+ "KeyStore" : {
+ "required" : [ "path" ],
+ "type" : "object",
+ "properties" : {
+ "path" : {
+ "description" : "The path to the local key store file. Only specified if client needs to be authenticated by the server (mutual TLS).",
+ "maxLength" : 256,
+ "type" : "string"
+ },
+ "password" : {
+ "description" : "The password for the local key store file. If a password is not set, key store file configured will still be used, but integrity checking is disabled. A key store password is not supported for PEM format.",
+ "type" : "string",
+ "allOf" : [ {
+ "$ref" : "#/components/schemas/Password"
+ } ],
+ "nullable" : true
+ },
+ "type" : {
+ "description" : "The file format of the local key store file.",
+ "default" : "JKS",
+ "type" : "string",
+ "allOf" : [ {
+ "$ref" : "#/components/schemas/StoreType"
+ } ],
+ "nullable" : true
+ },
+ "key_password" : {
+ "description" : "The password of the private key in the local key store file.",
+ "type" : "string",
+ "allOf" : [ {
+ "$ref" : "#/components/schemas/Password"
+ } ],
+ "nullable" : true
+ }
+ }
+ },
"LocalConfig" : {
"description" : "Configuration when using Confluent Local and optionally a local Schema Registry.",
"type" : "object",
@@ -1177,6 +1211,46 @@
}
}
},
+ "OAuthCredentials" : {
+ "description" : "OAuth 2.0 authentication credentials",
+ "required" : [ "tokens_url", "client_id" ],
+ "type" : "object",
+ "properties" : {
+ "tokens_url" : {
+ "description" : "The URL of the OAuth 2.0 identity provider's token endpoint.",
+ "maxLength" : 256,
+ "type" : "string"
+ },
+ "client_id" : {
+ "description" : "The public identifier for the application as registered with the OAuth 2.0 identity provider.",
+ "maxLength" : 128,
+ "minLength" : 1,
+ "type" : "string"
+ },
+ "client_secret" : {
+ "description" : "The client secret known only to the application and the OAuth 2.0 identity provider.",
+ "type" : "string",
+ "allOf" : [ {
+ "$ref" : "#/components/schemas/Password"
+ } ]
+ },
+ "scope" : {
+ "description" : "The scope to use. The scope is optional and required only when your identity provider doesn't have a default scope or your groups claim is linked to a scope path to use when connecting to the external service.",
+ "maxLength" : 256,
+ "type" : "string"
+ },
+ "connect_timeout_millis" : {
+ "format" : "int32",
+ "description" : "The timeout in milliseconds when connecting to your identity provider.",
+ "minimum" : 0,
+ "type" : "integer"
+ },
+ "identityPool" : {
+ "description" : "Additional property that can be added in the request header to identify the principal ID for authorization. For example, this may bea Confluent Cloud identity pool.",
+ "type" : "string"
+ }
+ }
+ },
"ObjectMetadata" : {
"type" : "object",
"properties" : {
@@ -1375,6 +1449,16 @@
"$ref" : "#/components/schemas/BasicCredentials"
}, {
"$ref" : "#/components/schemas/ApiKeyAndSecret"
+ }, {
+ "$ref" : "#/components/schemas/OAuthCredentials"
+ } ],
+ "nullable" : true
+ },
+ "ssl" : {
+ "description" : "The SSL configuration for connecting to Schema Registry. If null, the connection will use SSL with the default settings. To disable, set `enabled` to false.",
+ "type" : "object",
+ "allOf" : [ {
+ "$ref" : "#/components/schemas/TLSConfig"
} ],
"nullable" : true
}
@@ -1475,6 +1559,43 @@
"enum" : [ "NO_TOKEN", "VALID_TOKEN", "INVALID_TOKEN", "FAILED" ],
"type" : "string"
},
+ "StoreType" : {
+ "enum" : [ "JKS", "PKCS12", "PEM", "UNKNOWN" ],
+ "type" : "string"
+ },
+ "TLSConfig" : {
+ "description" : "SSL configuration",
+ "required" : [ "enabled" ],
+ "type" : "object",
+ "properties" : {
+ "verify_hostname" : {
+ "description" : "Whether to verify the server certificate hostname. Defaults to true if not set.",
+ "default" : true,
+ "type" : "boolean"
+ },
+ "enabled" : {
+ "description" : "Whether SSL is enabled. If not set, defaults to true.",
+ "default" : true,
+ "type" : "boolean"
+ },
+ "truststore" : {
+ "description" : "The trust store configuration for authenticating the server's certificate.",
+ "type" : "object",
+ "allOf" : [ {
+ "$ref" : "#/components/schemas/TrustStore"
+ } ],
+ "nullable" : true
+ },
+ "keystore" : {
+ "description" : "The key store configuration that will identify and authenticate the client to the server, required for mutual TLS (mTLS)",
+ "type" : "object",
+ "allOf" : [ {
+ "$ref" : "#/components/schemas/KeyStore"
+ } ],
+ "nullable" : true
+ }
+ }
+ },
"Template" : {
"required" : [ "api_version", "kind", "id", "metadata", "spec" ],
"type" : "object",
@@ -1557,6 +1678,34 @@
"enum" : [ "NO_TIMESTAMP_TYPE", "CREATE_TIME", "LOG_APPEND_TIME" ],
"type" : "string"
},
+ "TrustStore" : {
+ "required" : [ "path" ],
+ "type" : "object",
+ "properties" : {
+ "path" : {
+ "description" : "The path to the local trust store file. Required for authenticating the server's certificate.",
+ "maxLength" : 256,
+ "type" : "string"
+ },
+ "password" : {
+ "description" : "The password for the local trust store file. If a password is not set, trust store file configured will still be used, but integrity checking is disabled. A trust store password is not supported for PEM format.",
+ "type" : "string",
+ "allOf" : [ {
+ "$ref" : "#/components/schemas/Password"
+ } ],
+ "nullable" : true
+ },
+ "type" : {
+ "description" : "The file format of the local trust store file",
+ "default" : "JKS",
+ "type" : "string",
+ "allOf" : [ {
+ "$ref" : "#/components/schemas/StoreType"
+ } ],
+ "nullable" : true
+ }
+ }
+ },
"UserInfo" : {
"type" : "object",
"properties" : {
diff --git a/src/generated/resources/openapi.yaml b/src/generated/resources/openapi.yaml
index 85d0fed4..ed2b413d 100644
--- a/src/generated/resources/openapi.yaml
+++ b/src/generated/resources/openapi.yaml
@@ -445,7 +445,7 @@ paths:
components:
schemas:
ApiKeyAndSecret:
- description: Basic authentication credentials
+ description: API key and secret authentication credentials
required:
- api_key
- api_secret
@@ -814,20 +814,16 @@ components:
oneOf:
- $ref: "#/components/schemas/BasicCredentials"
- $ref: "#/components/schemas/ApiKeyAndSecret"
+ - $ref: "#/components/schemas/OAuthCredentials"
nullable: true
ssl:
- description: "Whether to communicate with the Kafka cluster over TLS/SSL.\
- \ Defaults to 'true', but set to 'false' when the Kafka cluster does not\
- \ support TLS/SSL."
- default: true
- type: boolean
- nullable: true
- verify_ssl_certificates:
- description: "Whether to verify the Kafka cluster certificates. Defaults\
- \ to 'true', but set to 'false' when the Kafka cluster has self-signed\
- \ certificates."
- default: true
- type: boolean
+ description: "The SSL configuration for connecting to the Kafka cluster.\
+ \ To disable, set `enabled` to false. To use the default SSL settings,\
+ \ set `enabled` to true and leave the `truststore` and `keystore` fields\
+ \ unset."
+ type: object
+ allOf:
+ - $ref: "#/components/schemas/TLSConfig"
nullable: true
KafkaClusterStatus:
description: The status related to the specified Kafka cluster.
@@ -850,6 +846,38 @@ components:
type: object
allOf:
- $ref: "#/components/schemas/AuthErrors"
+ KeyStore:
+ required:
+ - path
+ type: object
+ properties:
+ path:
+ description: The path to the local key store file. Only specified if client
+ needs to be authenticated by the server (mutual TLS).
+ maxLength: 256
+ type: string
+ password:
+ description: "The password for the local key store file. If a password is\
+ \ not set, key store file configured will still be used, but integrity\
+ \ checking is disabled. A key store password is not supported for PEM\
+ \ format."
+ type: string
+ allOf:
+ - $ref: "#/components/schemas/Password"
+ nullable: true
+ type:
+ description: The file format of the local key store file.
+ default: JKS
+ type: string
+ allOf:
+ - $ref: "#/components/schemas/StoreType"
+ nullable: true
+ key_password:
+ description: The password of the private key in the local key store file.
+ type: string
+ allOf:
+ - $ref: "#/components/schemas/Password"
+ nullable: true
LocalConfig:
description: Configuration when using Confluent Local and optionally a local
Schema Registry.
@@ -859,6 +887,46 @@ components:
description: The URL of the Schema Registry running locally.
maxLength: 512
type: string
+ OAuthCredentials:
+ description: OAuth 2.0 authentication credentials
+ required:
+ - tokens_url
+ - client_id
+ type: object
+ properties:
+ tokens_url:
+ description: The URL of the OAuth 2.0 identity provider's token endpoint.
+ maxLength: 256
+ type: string
+ client_id:
+ description: The public identifier for the application as registered with
+ the OAuth 2.0 identity provider.
+ maxLength: 128
+ minLength: 1
+ type: string
+ client_secret:
+ description: The client secret known only to the application and the OAuth
+ 2.0 identity provider.
+ type: string
+ allOf:
+ - $ref: "#/components/schemas/Password"
+ scope:
+ description: The scope to use. The scope is optional and required only when
+ your identity provider doesn't have a default scope or your groups claim
+ is linked to a scope path to use when connecting to the external service.
+ maxLength: 256
+ type: string
+ connect_timeout_millis:
+ format: int32
+ description: The timeout in milliseconds when connecting to your identity
+ provider.
+ minimum: 0
+ type: integer
+ identityPool:
+ description: "Additional property that can be added in the request header\
+ \ to identify the principal ID for authorization. For example, this may\
+ \ bea Confluent Cloud identity pool."
+ type: string
ObjectMetadata:
type: object
properties:
@@ -1005,6 +1073,15 @@ components:
oneOf:
- $ref: "#/components/schemas/BasicCredentials"
- $ref: "#/components/schemas/ApiKeyAndSecret"
+ - $ref: "#/components/schemas/OAuthCredentials"
+ nullable: true
+ ssl:
+ description: "The SSL configuration for connecting to Schema Registry. If\
+ \ null, the connection will use SSL with the default settings. To disable,\
+ \ set `enabled` to false."
+ type: object
+ allOf:
+ - $ref: "#/components/schemas/TLSConfig"
nullable: true
SchemaRegistryStatus:
description: The status related to the specified Schema Registry.
@@ -1076,6 +1153,42 @@ components:
- INVALID_TOKEN
- FAILED
type: string
+ StoreType:
+ enum:
+ - JKS
+ - PKCS12
+ - PEM
+ - UNKNOWN
+ type: string
+ TLSConfig:
+ description: SSL configuration
+ required:
+ - enabled
+ type: object
+ properties:
+ verify_hostname:
+ description: Whether to verify the server certificate hostname. Defaults
+ to true if not set.
+ default: true
+ type: boolean
+ enabled:
+ description: "Whether SSL is enabled. If not set, defaults to true."
+ default: true
+ type: boolean
+ truststore:
+ description: The trust store configuration for authenticating the server's
+ certificate.
+ type: object
+ allOf:
+ - $ref: "#/components/schemas/TrustStore"
+ nullable: true
+ keystore:
+ description: "The key store configuration that will identify and authenticate\
+ \ the client to the server, required for mutual TLS (mTLS)"
+ type: object
+ allOf:
+ - $ref: "#/components/schemas/KeyStore"
+ nullable: true
Template:
required:
- api_version
@@ -1150,6 +1263,32 @@ components:
- CREATE_TIME
- LOG_APPEND_TIME
type: string
+ TrustStore:
+ required:
+ - path
+ type: object
+ properties:
+ path:
+ description: The path to the local trust store file. Required for authenticating
+ the server's certificate.
+ maxLength: 256
+ type: string
+ password:
+ description: "The password for the local trust store file. If a password\
+ \ is not set, trust store file configured will still be used, but integrity\
+ \ checking is disabled. A trust store password is not supported for PEM\
+ \ format."
+ type: string
+ allOf:
+ - $ref: "#/components/schemas/Password"
+ nullable: true
+ type:
+ description: The file format of the local trust store file
+ default: JKS
+ type: string
+ allOf:
+ - $ref: "#/components/schemas/StoreType"
+ nullable: true
UserInfo:
type: object
properties:
diff --git a/src/main/java/io/confluent/idesidecar/restapi/application/ProxyProcessorBeanProducers.java b/src/main/java/io/confluent/idesidecar/restapi/application/ProxyProcessorBeanProducers.java
index d2860845..dff3f4d3 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/application/ProxyProcessorBeanProducers.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/application/ProxyProcessorBeanProducers.java
@@ -12,6 +12,7 @@
import io.confluent.idesidecar.restapi.proxy.clusters.processors.ClusterStrategyProcessor;
import io.confluent.idesidecar.restapi.util.WebClientFactory;
import io.vertx.core.Future;
+import io.vertx.core.Vertx;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Produces;
import jakarta.inject.Inject;
@@ -30,6 +31,9 @@ public class ProxyProcessorBeanProducers {
@Inject
WebClientFactory webClientFactory;
+ @Inject
+ Vertx vertx;
+
@Produces
@Singleton
@Named("clusterProxyProcessor")
@@ -45,7 +49,7 @@ public Processor> clusterProxyP
clusterInfoProcessor,
clusterStrategyProcessor,
clusterProxyProcessor,
- new ProxyRequestProcessor<>(webClientFactory),
+ new ProxyRequestProcessor<>(webClientFactory, vertx),
new EmptyProcessor<>()
);
}
diff --git a/src/main/java/io/confluent/idesidecar/restapi/clients/AdminClients.java b/src/main/java/io/confluent/idesidecar/restapi/clients/AdminClients.java
index f8907328..e68d3bb2 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/clients/AdminClients.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/clients/AdminClients.java
@@ -38,7 +38,7 @@ public AdminClient getClient(String connectionId, String clusterId) {
// Generate the Kafka admin client configuration
var config = configurator.getAdminClientConfig(connectionId, clusterId);
Log.debugf(
- "Creating schema registry client for connection %s and cluster %s with configuration:\n %s",
+ "Creating admin client for connection %s and cluster %s with configuration:\n %s",
connectionId,
clusterId,
config
diff --git a/src/main/java/io/confluent/idesidecar/restapi/clients/ClientConfigurator.java b/src/main/java/io/confluent/idesidecar/restapi/clients/ClientConfigurator.java
index a04b718e..6b3ca875 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/clients/ClientConfigurator.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/clients/ClientConfigurator.java
@@ -3,25 +3,24 @@
import io.confluent.idesidecar.restapi.cache.ClusterCache;
import io.confluent.idesidecar.restapi.connections.ConnectionState;
import io.confluent.idesidecar.restapi.connections.ConnectionStateManager;
-import io.confluent.idesidecar.restapi.credentials.Credentials;
import io.confluent.idesidecar.restapi.exceptions.ClusterNotFoundException;
import io.confluent.idesidecar.restapi.exceptions.ConnectionNotFoundException;
import io.confluent.idesidecar.restapi.kafkarest.SchemaManager;
import io.confluent.idesidecar.restapi.models.graph.KafkaCluster;
import io.confluent.idesidecar.restapi.models.graph.SchemaRegistry;
import io.confluent.idesidecar.restapi.util.CCloud;
+import io.confluent.idesidecar.restapi.util.ConfigUtil;
import io.confluent.kafka.schemaregistry.client.SchemaRegistryClientConfig;
import io.confluent.kafka.serializers.AbstractKafkaSchemaSerDeConfig;
import io.quarkus.logging.Log;
-import io.confluent.idesidecar.restapi.util.ConfigUtil;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import java.time.Duration;
import java.util.LinkedHashMap;
import java.util.Map;
-import org.apache.kafka.clients.CommonClientConfigs;
-import java.util.function.Supplier;
import java.util.Optional;
+import java.util.function.Supplier;
+import org.apache.kafka.clients.CommonClientConfigs;
@ApplicationScoped
public class ClientConfigurator {
@@ -258,10 +257,20 @@ public static Map getKafkaClientConfig(
// Second, add any connection properties for Kafka cluster credentials (if defined)
var options = connection.getKafkaConnectionOptions().withRedact(redact);
- connection
- .getKafkaCredentials()
- .flatMap(creds -> creds.kafkaClientProperties(options))
- .ifPresent(props::putAll);
+
+ if (connection.getKafkaCredentials().isPresent()) {
+ connection
+ .getKafkaCredentials()
+ .flatMap(creds -> creds.kafkaClientProperties(options))
+ .ifPresent(props::putAll);
+ } else if (connection.getKafkaTLSConfig().isPresent()) {
+ // No credentials, but maybe TLS config is present
+ var tlsConfig = connection.getKafkaTLSConfig().get();
+ if (tlsConfig.enabled()) {
+ props.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");
+ tlsConfig.getProperties(redact).ifPresent(props::putAll);
+ }
+ }
// Add any auth properties for Schema Registry to the Kafka client config,
// with the "schema.registry." prefix (unless the property already starts with that)
@@ -314,11 +323,23 @@ public static Map getSchemaRegistryClientConfig(
.orElse(null);
// Add any properties for SR credentials (if defined)
- var options = new Credentials.SchemaRegistryConnectionOptions(redact, logicalId);
- connection
- .getSchemaRegistryCredentials()
- .flatMap(creds -> creds.schemaRegistryClientProperties(options))
- .ifPresent(props::putAll);
+ var options = connection
+ .getSchemaRegistryOptions()
+ .withRedact(redact)
+ .withLogicalClusterId(logicalId);
+ if (connection.getSchemaRegistryCredentials().isPresent()) {
+ connection
+ .getSchemaRegistryCredentials()
+ .flatMap(creds -> creds.schemaRegistryClientProperties(options))
+ .ifPresent(props::putAll);
+ } else if (connection.getSchemaRegistryTLSConfig().isPresent()) {
+ // No credentials, but maybe TLS config is present
+ var tlsConfig = connection.getSchemaRegistryTLSConfig().get();
+ if (tlsConfig.enabled()) {
+ tlsConfig.getProperties(redact).ifPresent(props::putAll);
+ }
+ }
+
return props;
}
diff --git a/src/main/java/io/confluent/idesidecar/restapi/clients/SchemaRegistryClients.java b/src/main/java/io/confluent/idesidecar/restapi/clients/SchemaRegistryClients.java
index c7ccd9eb..59729fc3 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/clients/SchemaRegistryClients.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/clients/SchemaRegistryClients.java
@@ -9,10 +9,11 @@
import io.confluent.idesidecar.restapi.util.RequestHeadersConstants;
import io.confluent.kafka.schemaregistry.client.CachedSchemaRegistryClient;
import io.confluent.kafka.schemaregistry.client.SchemaRegistryClient;
+import io.confluent.kafka.schemaregistry.client.rest.RestService;
+import io.confluent.kafka.schemaregistry.client.security.SslFactory;
import io.quarkus.logging.Log;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
-import java.util.Collections;
import java.util.Map;
import org.eclipse.microprofile.config.inject.ConfigProperty;
@@ -85,12 +86,21 @@ private SchemaRegistryClient createClient(
Map configurationProperties,
Map headers
) {
+ var restService = new RestService(srClusterUri);
+ restService.configure(configurationProperties);
+ restService.setHttpHeaders(headers);
+
+ var sslFactory = new SslFactory(configurationProperties);
+ if (sslFactory.sslContext() != null) {
+ restService.setSslSocketFactory(sslFactory.sslContext().getSocketFactory());
+ }
+
return new CachedSchemaRegistryClient(
- Collections.singletonList(srClusterUri),
+ restService,
SR_CACHE_SIZE,
SCHEMA_PROVIDERS,
- configurationProperties,
- headers
+ null,
+ null
);
}
}
diff --git a/src/main/java/io/confluent/idesidecar/restapi/connections/ConnectionState.java b/src/main/java/io/confluent/idesidecar/restapi/connections/ConnectionState.java
index 6b1d2124..a5537d12 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/connections/ConnectionState.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/connections/ConnectionState.java
@@ -2,6 +2,9 @@
import io.confluent.idesidecar.restapi.credentials.Credentials;
import io.confluent.idesidecar.restapi.credentials.Credentials.KafkaConnectionOptions;
+import io.confluent.idesidecar.restapi.credentials.CredentialsKafkaConnectionOptionsBuilder;
+import io.confluent.idesidecar.restapi.credentials.CredentialsSchemaRegistryConnectionOptionsBuilder;
+import io.confluent.idesidecar.restapi.credentials.TLSConfig;
import io.confluent.idesidecar.restapi.models.ConnectionMetadata;
import io.confluent.idesidecar.restapi.models.ConnectionSpec;
import io.confluent.idesidecar.restapi.models.ConnectionSpec.ConnectionType;
@@ -169,17 +172,32 @@ public String getInternalId() {
*/
public KafkaConnectionOptions getKafkaConnectionOptions() {
if (spec.kafkaClusterConfig() != null) {
- return new KafkaConnectionOptions(
- spec.kafkaClusterConfig().sslOrDefault(),
- spec.kafkaClusterConfig().verifySslCertificatesOrDefault(),
- false
- );
+ return CredentialsKafkaConnectionOptionsBuilder
+ .builder()
+ .redact(false)
+ .tlsConfig(spec.kafkaClusterConfig().tlsConfig())
+ .build();
}
- return new KafkaConnectionOptions(
- ConnectionSpec.KafkaClusterConfig.DEFAULT_SSL,
- ConnectionSpec.KafkaClusterConfig.DEFAULT_VERIFY_SSL_CERTIFICATES,
- false
- );
+
+ return CredentialsKafkaConnectionOptionsBuilder
+ .builder()
+ .redact(false)
+ .build();
+ }
+
+ public Credentials.SchemaRegistryConnectionOptions getSchemaRegistryOptions() {
+ if (spec.schemaRegistryConfig() != null) {
+ return CredentialsSchemaRegistryConnectionOptionsBuilder
+ .builder()
+ .redact(false)
+ .tlsConfig(spec.schemaRegistryConfig().tlsConfig())
+ .build();
+ }
+
+ return CredentialsSchemaRegistryConnectionOptionsBuilder
+ .builder()
+ .redact(false)
+ .build();
}
/**
@@ -201,4 +219,12 @@ public Optional getKafkaCredentials() {
public Optional getSchemaRegistryCredentials() {
return Optional.empty();
}
+
+ public Optional getKafkaTLSConfig() {
+ return Optional.empty();
+ }
+
+ public Optional getSchemaRegistryTLSConfig() {
+ return Optional.empty();
+ }
}
\ No newline at end of file
diff --git a/src/main/java/io/confluent/idesidecar/restapi/connections/DirectConnectionState.java b/src/main/java/io/confluent/idesidecar/restapi/connections/DirectConnectionState.java
index ee3d6867..45302758 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/connections/DirectConnectionState.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/connections/DirectConnectionState.java
@@ -5,6 +5,7 @@
import io.confluent.idesidecar.restapi.auth.AuthErrors;
import io.confluent.idesidecar.restapi.clients.ClientConfigurator;
import io.confluent.idesidecar.restapi.credentials.Credentials;
+import io.confluent.idesidecar.restapi.credentials.TLSConfig;
import io.confluent.idesidecar.restapi.models.ClusterType;
import io.confluent.idesidecar.restapi.models.ConnectionSpec;
import io.confluent.idesidecar.restapi.models.ConnectionSpec.ConnectionType;
@@ -17,7 +18,9 @@
import io.confluent.idesidecar.restapi.models.ConnectionStatusSchemaRegistryStatusBuilder;
import io.confluent.kafka.schemaregistry.client.CachedSchemaRegistryClient;
import io.confluent.kafka.schemaregistry.client.SchemaRegistryClient;
+import io.confluent.kafka.schemaregistry.client.rest.RestService;
import io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException;
+import io.confluent.kafka.schemaregistry.client.security.SslFactory;
import io.quarkus.logging.Log;
import io.smallrye.common.constraint.NotNull;
import io.smallrye.common.constraint.Nullable;
@@ -27,8 +30,7 @@
import java.io.IOException;
import java.net.UnknownHostException;
import java.time.Duration;
-import java.util.Collections;
-import java.util.Map;
+import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
@@ -137,6 +139,35 @@ public Optional getSchemaRegistryCredentials() {
return Optional.ofNullable(credentials);
}
+ @Override
+ public Optional getKafkaTLSConfig() {
+ if (spec.kafkaClusterConfig() != null) {
+ return Optional.of(
+ Objects.requireNonNullElse(
+ spec.kafkaClusterConfig().tlsConfig(),
+ // Use the default TLS configuration if none is provided
+ new TLSConfig()
+ )
+ );
+ }
+
+ return Optional.empty();
+ }
+
+ @Override
+ public Optional getSchemaRegistryTLSConfig() {
+ if (spec.schemaRegistryConfig() != null) {
+ return Optional.of(
+ spec.schemaRegistryConfig().tlsConfig() != null
+ ? spec.schemaRegistryConfig().tlsConfig()
+ // Use the default TLS configuration if none is provided
+ : new TLSConfig()
+ );
+ }
+
+ return Optional.empty();
+ }
+
@Override
protected Future doRefreshStatus() {
return Future.join(
@@ -185,7 +216,7 @@ protected Future getKafkaConnectionStatus() {
);
} else if (cause instanceof TimeoutException) {
message = ("Unable to connect to the Kafka cluster at %s."
- + "Check the credentials or the network."
+ + " Check the credentials or the network."
).formatted(
spec.kafkaClusterConfig().bootstrapServers()
);
@@ -372,10 +403,12 @@ protected SchemaRegistryClient createSchemaRegistryClient(
false,
TIMEOUT
);
- return new CachedSchemaRegistryClient(
- Collections.singletonList(config.uri()),
- 10,
- srClientConfig
- );
+ var restService = new RestService(config.uri());
+ restService.configure(srClientConfig);
+ var sslFactory = new SslFactory(srClientConfig);
+ if (sslFactory.sslContext() != null) {
+ restService.setSslSocketFactory(sslFactory.sslContext().getSocketFactory());
+ }
+ return new CachedSchemaRegistryClient(restService, 10);
}
}
diff --git a/src/main/java/io/confluent/idesidecar/restapi/credentials/ApiKeyAndSecret.java b/src/main/java/io/confluent/idesidecar/restapi/credentials/ApiKeyAndSecret.java
index e8d6a0b9..ea30a2c0 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/credentials/ApiKeyAndSecret.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/credentials/ApiKeyAndSecret.java
@@ -14,9 +14,11 @@
import java.util.List;
import java.util.Map;
import java.util.Optional;
+
+import org.apache.kafka.clients.CommonClientConfigs;
import org.eclipse.microprofile.openapi.annotations.media.Schema;
-@Schema(description = "Basic authentication credentials")
+@Schema(description = "API key and secret authentication credentials")
@RegisterForReflection
public record ApiKeyAndSecret(
@@ -54,15 +56,14 @@ public Optional> kafkaClientProperties(
KafkaConnectionOptions options
) {
var config = new LinkedHashMap();
- if (options.ssl()) {
- config.put("security.protocol", "SASL_SSL");
+ var tlsConfig = options.tlsConfig();
+ if (tlsConfig.enabled()) {
+ config.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
+ tlsConfig.getProperties(options.redact()).ifPresent(config::putAll);
} else {
- config.put("security.protocol", "SASL_PLAINTEXT");
+ config.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_PLAINTEXT");
}
config.put("sasl.mechanism", "PLAIN");
- if (!options.verifyCertificates()) {
- config.put("ssl.endpoint.identification.algorithm", "");
- }
config.put(
"sasl.jaas.config",
"%s required username=\"%s\" password=\"%s\";".formatted(
@@ -80,6 +81,10 @@ public Optional> schemaRegistryClientProperties(
) {
var config = new LinkedHashMap();
config.put("basic.auth.credentials.source", "USER_INFO");
+ options
+ .tlsConfig()
+ .getProperties(options.redact())
+ .ifPresent(config::putAll);
config.put(
"basic.auth.user.info",
"%s:%s".formatted(key, secret.asString(options.redact()))
diff --git a/src/main/java/io/confluent/idesidecar/restapi/credentials/BasicCredentials.java b/src/main/java/io/confluent/idesidecar/restapi/credentials/BasicCredentials.java
index c7dc7688..4466a6aa 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/credentials/BasicCredentials.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/credentials/BasicCredentials.java
@@ -12,6 +12,8 @@
import java.util.List;
import java.util.Map;
import java.util.Optional;
+
+import org.apache.kafka.clients.CommonClientConfigs;
import org.eclipse.microprofile.openapi.annotations.media.Schema;
@Schema(description = "Basic authentication credentials")
@@ -49,15 +51,14 @@ public Optional> kafkaClientProperties(
KafkaConnectionOptions options
) {
var config = new LinkedHashMap();
- if (options.ssl()) {
- config.put("security.protocol", "SASL_SSL");
+ var tlsConfig = options.tlsConfig();
+ if (tlsConfig.enabled()) {
+ tlsConfig.getProperties(options.redact()).ifPresent(config::putAll);
+ config.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
} else {
- config.put("security.protocol", "SASL_PLAINTEXT");
+ config.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_PLAINTEXT");
}
config.put("sasl.mechanism", "PLAIN");
- if (!options.verifyCertificates()) {
- config.put("ssl.endpoint.identification.algorithm", "");
- }
config.put(
"sasl.jaas.config",
"%s required username=\"%s\" password=\"%s\";".formatted(
@@ -75,6 +76,10 @@ public Optional> schemaRegistryClientProperties(
) {
var config = new LinkedHashMap();
config.put("basic.auth.credentials.source", "USER_INFO");
+ options
+ .tlsConfig()
+ .getProperties(options.redact())
+ .ifPresent(config::putAll);
config.put(
"basic.auth.user.info",
"%s:%s".formatted(username, password.asString(options.redact()))
diff --git a/src/main/java/io/confluent/idesidecar/restapi/credentials/Credentials.java b/src/main/java/io/confluent/idesidecar/restapi/credentials/Credentials.java
index 3ab11cb8..77295234 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/credentials/Credentials.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/credentials/Credentials.java
@@ -20,27 +20,30 @@
@JsonSubTypes({
@Type(value = BasicCredentials.class),
@Type(value = ApiKeyAndSecret.class),
+ @Type(value = OAuthCredentials.class)
})
@RegisterForReflection
public interface Credentials {
@RecordBuilder
record KafkaConnectionOptions(
- boolean ssl,
- boolean verifyCertificates,
- boolean redact
+ boolean redact,
+ TLSConfig tlsConfig
) implements CredentialsKafkaConnectionOptionsBuilder.With {
}
@RecordBuilder
record SchemaRegistryConnectionOptions(
boolean redact,
+ TLSConfig tlsConfig,
String logicalClusterId
) implements CredentialsSchemaRegistryConnectionOptionsBuilder.With {
}
enum Type {
BASIC,
+ MUTUAL_TLS,
+ OAUTH2,
API_KEY_AND_SECRET,
}
@@ -63,6 +66,16 @@ default boolean isBasic() {
return type() == Type.BASIC;
}
+ /**
+ * Return true if this is an OAuth 2.0 credentials object.
+ *
+ * @return true if {@link #type()} equals {@link Type#OAUTH2}
+ */
+ @JsonIgnore
+ default boolean isOauth2() {
+ return type() == Type.OAUTH2;
+ }
+
/**
* Return true if this is an API key and secret credentials object.
*
diff --git a/src/main/java/io/confluent/idesidecar/restapi/credentials/OAuthCredentials.java b/src/main/java/io/confluent/idesidecar/restapi/credentials/OAuthCredentials.java
new file mode 100644
index 00000000..e52645e3
--- /dev/null
+++ b/src/main/java/io/confluent/idesidecar/restapi/credentials/OAuthCredentials.java
@@ -0,0 +1,242 @@
+package io.confluent.idesidecar.restapi.credentials;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import io.confluent.idesidecar.restapi.exceptions.Failure;
+import io.confluent.idesidecar.restapi.exceptions.Failure.Error;
+import jakarta.validation.constraints.Min;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Null;
+import jakarta.validation.constraints.Size;
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+
+import org.apache.kafka.clients.CommonClientConfigs;
+import org.eclipse.microprofile.openapi.annotations.media.Schema;
+
+@Schema(description = "OAuth 2.0 authentication credentials")
+public record OAuthCredentials(
+
+ @Schema(description = "The URL of the OAuth 2.0 identity provider's token endpoint.")
+ @JsonProperty(value = "tokens_url")
+ @Size(max = TOKENS_URL_MAX_LEN)
+ @NotNull
+ String tokensUrl,
+
+ @Schema(description = "The public identifier for the application as registered with the "
+ + "OAuth 2.0 identity provider.")
+ @JsonProperty(value = "client_id")
+ @Size(min = 1, max = CLIENT_ID_MAX_LEN)
+ @NotNull
+ String clientId,
+
+ @Schema(description = "The client secret known only to the application and the "
+ + "OAuth 2.0 identity provider.")
+ @JsonProperty(value = "client_secret")
+ @Size(max = CLIENT_SECRET_MAX_LEN)
+ @Null
+ Password clientSecret,
+
+ @Schema(description = "The scope to use. The scope is optional and required only when your "
+ + "identity provider doesn't have a default scope or your groups claim is "
+ + "linked to a scope path to use when connecting to the external service.")
+ @JsonProperty(value = "scope")
+ @Size(max = SCOPE_MAX_LEN)
+ @Null
+ String scope,
+
+ @Schema(description = "The timeout in milliseconds when connecting to your identity provider.")
+ @JsonProperty(value = "connect_timeout_millis")
+ @Min(0)
+ @Null
+ Integer connectTimeoutMillis,
+
+ @Schema(description = "Additional property that can be added in the request header to identify "
+ + "the principal ID for authorization. For example, this may be"
+ + "a Confluent Cloud identity pool.")
+ @Null
+ String identityPool
+) implements Credentials {
+
+ private static final int TOKENS_URL_MAX_LEN = 256;
+ private static final int CLIENT_ID_MAX_LEN = 128;
+ private static final int CLIENT_SECRET_MAX_LEN = 256;
+ private static final int SCOPE_MAX_LEN = 256;
+
+ private static final String OAUTHBEARER_LOGIN_MODULE_CLASS =
+ "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule";
+ private static final String OAUTHBEARER_CALLBACK_CLASS =
+ "org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler";
+
+ public OAuthCredentials(
+ String tokensUrl,
+ String clientId,
+ Password clientSecret,
+ String scope) {
+ this(tokensUrl, clientId, clientSecret, scope, null, null);
+ }
+
+ public OAuthCredentials(
+ String tokensUrl,
+ String clientId,
+ Password clientSecret
+ ) {
+ this(tokensUrl, clientId, clientSecret, null, null, null);
+ }
+
+ @Override
+ public Type type() {
+ return Type.OAUTH2;
+ }
+
+ @Override
+ public Optional> kafkaClientProperties(
+ KafkaConnectionOptions options
+ ) {
+ var jaasConfig = "%s required clientId=\"%s\"".formatted(
+ OAUTHBEARER_LOGIN_MODULE_CLASS,
+ clientId
+ );
+ if (clientSecret != null) {
+ jaasConfig += " clientSecret=\"%s\"".formatted(clientSecret.asString(options.redact()));
+ }
+ if (scope != null) {
+ jaasConfig += " scope=\"%s\"".formatted(scope);
+ }
+
+ var config = new LinkedHashMap();
+ config.put("sasl.mechanism", "OAUTHBEARER");
+ config.put("sasl.oauthbearer.token.endpoint.url", tokensUrl);
+ config.put("sasl.login.callback.handler.class", OAUTHBEARER_CALLBACK_CLASS);
+ config.put("sasl.jaas.config", jaasConfig);
+ if (connectTimeoutMillis != null) {
+ config.put("sasl.oauthbearer.connect.timeout.ms", connectTimeoutMillis.toString());
+ }
+
+ var tlsConfig = options.tlsConfig();
+ if (tlsConfig.enabled()) {
+ tlsConfig.getProperties(options.redact()).ifPresent(config::putAll);
+ config.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
+ } else {
+ config.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_PLAINTEXT");
+ }
+
+ return Optional.of(config);
+ }
+
+ @Override
+ public Optional> schemaRegistryClientProperties(
+ SchemaRegistryConnectionOptions options
+ ) {
+ var config = new LinkedHashMap();
+ config.put("bearer.auth.credentials.source", "OAUTHBEARER");
+ config.put("bearer.auth.issuer.endpoint.url", tokensUrl);
+ config.put("bearer.auth.client.id", clientId);
+ config.put("bearer.auth.client.secret", clientSecret.asString(options.redact()));
+ if (scope != null) {
+ config.put("bearer.auth.scope", scope);
+ }
+ if (options.logicalClusterId() != null) {
+ config.put("bearer.auth.logical.cluster", options.logicalClusterId());
+ }
+ if (identityPool != null) {
+ config.put("bearer.auth.identity.pool.id", identityPool);
+ }
+ options
+ .tlsConfig()
+ .getProperties(options.redact())
+ .ifPresent(config::putAll);
+ return Optional.of(config);
+ }
+
+ @Override
+ public void validate(
+ List errors,
+ String path,
+ String what
+ ) {
+ if (tokensUrl == null || tokensUrl.isBlank()) {
+ errors.add(
+ Error.create()
+ .withDetail("%s OAuth tokens URL is required and may not be blank", what)
+ .withSource("%s.tokens_url", path)
+ );
+ } else if (tokensUrl.length() > TOKENS_URL_MAX_LEN) {
+ errors.add(
+ Error.create()
+ .withDetail(
+ "%s OAuth tokens URL must be at most %d characters",
+ what,
+ TOKENS_URL_MAX_LEN
+ )
+ .withSource("%s.tokens_url", path)
+ );
+ } else {
+ try {
+ new URI(tokensUrl).toURL();
+ } catch (URISyntaxException | MalformedURLException e) {
+ errors.add(
+ Error.create()
+ .withDetail("%s OAuth tokens URL is not a valid URL", what)
+ .withSource("%s.tokens_url", path)
+ );
+ }
+ }
+ if (clientId == null || clientId.isBlank()) {
+ errors.add(
+ Error.create()
+ .withDetail("%s OAuth client ID is required and may not be blank", what)
+ .withSource("%s.client_id", path)
+ );
+ } else if (clientId.length() > CLIENT_ID_MAX_LEN) {
+ errors.add(
+ Error.create()
+ .withDetail(
+ "%s OAuth client ID may not be longer than %d characters",
+ what,
+ CLIENT_ID_MAX_LEN
+ )
+ .withSource("%s.client_id", path)
+ );
+ }
+ if (clientSecret == null) {
+ errors.add(
+ Error.create()
+ .withDetail("%s OAuth client secret is required", what)
+ .withSource("%s.client_secret", path)
+ );
+ } else if (clientSecret.longerThan(CLIENT_SECRET_MAX_LEN)) {
+ errors.add(
+ Error.create()
+ .withDetail(
+ "%s OAuth client secret may not be longer than %d characters",
+ what,
+ CLIENT_SECRET_MAX_LEN
+ )
+ .withSource("%s.client_secret", path)
+ );
+ }
+ if (scope != null && scope.length() > SCOPE_MAX_LEN) {
+ errors.add(
+ Error.create()
+ .withDetail(
+ "%s OAuth scope may not be longer than %d characters",
+ what,
+ SCOPE_MAX_LEN
+ )
+ .withSource("%s.scope", path)
+ );
+ }
+ if (connectTimeoutMillis != null && connectTimeoutMillis < 0) {
+ errors.add(
+ Error.create()
+ .withDetail("%s connect timeout in milliseconds must be positive", what)
+ .withSource("%s.connect_timeout_millis", path)
+ );
+ }
+ }
+}
diff --git a/src/main/java/io/confluent/idesidecar/restapi/credentials/TLSConfig.java b/src/main/java/io/confluent/idesidecar/restapi/credentials/TLSConfig.java
new file mode 100644
index 00000000..29aa795a
--- /dev/null
+++ b/src/main/java/io/confluent/idesidecar/restapi/credentials/TLSConfig.java
@@ -0,0 +1,367 @@
+package io.confluent.idesidecar.restapi.credentials;
+
+import com.fasterxml.jackson.annotation.JsonEnumDefaultValue;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import io.confluent.idesidecar.restapi.exceptions.Failure;
+import io.confluent.idesidecar.restapi.exceptions.Failure.Error;
+import io.soabase.recordbuilder.core.RecordBuilder;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Null;
+import jakarta.validation.constraints.Size;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.stream.Collectors;
+import org.eclipse.microprofile.openapi.annotations.media.Schema;
+
+/**
+ * The SSL/TLS configuration object.
+ * Usage modes:
+ *
+ * - Default SSL settings without truststore or keystore: set {@link #enabled} to {@code true}
+ * and leave other fields unset
+ * - Truststore only: provide a truststore path and password
+ * - Truststore and keystore: provide a truststore path and password, and a keystore path and
+ * password. This is equivalent to mutual TLS or mTLS
+ * - Disable hostname verification: set {@link #verifyHostname} to {@code false} to disable
+ * server certificate hostname verification
+ * - SSL Disabled: set {@link #enabled} to {@code false} to disable SSL
+ *
+ */
+@Schema(description = "SSL configuration")
+@RecordBuilder
+public record TLSConfig(
+ @Schema(
+ description = "Whether to verify the server certificate hostname."
+ + " Defaults to true if not set.",
+ defaultValue = DEFAULT_VERIFY_HOSTNAME_VALUE
+ )
+ @JsonProperty(value = "verify_hostname")
+ @Null
+ Boolean verifyHostname,
+
+ @Schema(
+ description = "Whether SSL is enabled. If not set, defaults to true.",
+ defaultValue = DEFAULT_ENABLED_VALUE,
+ required = true
+ )
+ @JsonProperty(value = "enabled")
+ @NotNull
+ Boolean enabled,
+
+ @Schema(
+ description = "The trust store configuration for authenticating the server's certificate.",
+ nullable = true
+ )
+ @JsonProperty(value = "truststore")
+ @Null
+ TrustStore truststore,
+
+ @Schema(
+ description = "The key store configuration that will identify and authenticate "
+ + "the client to the server, required for mutual TLS (mTLS)",
+ nullable = true
+ )
+ @JsonProperty(value = "keystore")
+ @Null
+ KeyStore keystore
+) implements TLSConfigBuilder.With {
+
+ @RecordBuilder
+ public record TrustStore(
+ @Schema(description = "The path to the local trust store file. Required for authenticating "
+ + "the server's certificate.")
+ @JsonProperty(value = "path")
+ @Size(max = TRUSTSTORE_PATH_MAX_LEN)
+ @NotNull
+ String path,
+
+ @Schema(
+ description = "The password for the local trust store file. If a password is not set, "
+ + "trust store file configured will still be used, but integrity checking "
+ + "is disabled. A trust store password is not supported for PEM format.",
+ nullable = true
+ )
+ @JsonProperty(value = "password")
+ @Size(max = TRUSTSTORE_PASSWORD_MAX_LEN)
+ @Null
+ Password password,
+
+ @Schema(description = "The file format of the local trust store file",
+ defaultValue = DEFAULT_STORE_TYPE,
+ nullable = true)
+ @JsonProperty(value = "type")
+ @Null
+ StoreType type
+ ) {
+
+ public void validate(
+ List errors,
+ String path,
+ String what
+ ) {
+ if (this.path == null || this.path.isBlank()) {
+ errors.add(
+ Error.create()
+ .withDetail("%s truststore path is required and may not be blank", what)
+ .withSource("%s.path", path)
+ );
+ } else if (this.path.length() > TRUSTSTORE_PATH_MAX_LEN) {
+ errors.add(
+ Error.create()
+ .withDetail(
+ "%s truststore path may not be longer than %d characters",
+ what,
+ TRUSTSTORE_PATH_MAX_LEN
+ )
+ .withSource("%s.path", path)
+ );
+ }
+ if (password != null && password.longerThan(TRUSTSTORE_PASSWORD_MAX_LEN)) {
+ errors.add(
+ Error.create()
+ .withDetail(
+ "%s truststore password may not be longer than %d characters",
+ what,
+ TRUSTSTORE_PASSWORD_MAX_LEN
+ )
+ .withSource("%s.password", path)
+ );
+ }
+ }
+ }
+
+ @RecordBuilder
+ public record KeyStore(
+ @Schema(description = "The path to the local key store file. Only specified if client "
+ + "needs to be authenticated by the server (mutual TLS).")
+ @JsonProperty(value = "path")
+ @Size(max = KEYSTORE_PATH_MAX_LEN)
+ @NotNull
+ String path,
+
+ @Schema(
+ description =
+ "The password for the local key store file. If a password is not set, key "
+ + "store file configured will still be used, but integrity checking is "
+ + "disabled. A key store password is not supported for PEM format.",
+ nullable = true
+ )
+ @JsonProperty(value = "password")
+ @Size(max = KEYSTORE_PASSWORD_MAX_LEN)
+ @Null
+ Password password,
+
+ @Schema(description = "The file format of the local key store file.",
+ defaultValue = DEFAULT_STORE_TYPE,
+ nullable = true)
+ @JsonProperty(value = "type")
+ @Null
+ StoreType type,
+
+ @Schema(description = "The password of the private key in the local key store file.",
+ nullable = true)
+ @JsonProperty(value = "key_password")
+ @Size(max = KEY_PASSWORD_MAX_LEN)
+ @Null
+ Password keyPassword
+ ) {
+
+ public void validate(
+ List errors,
+ String path,
+ String what
+ ) {
+ if (type == StoreType.UNKNOWN) {
+ var values = StoreType.allowedValues();
+ errors.add(
+ Error.create()
+ .withDetail("%s keystore type if provided must be one of: %s", what, values)
+ .withSource("%s.type", path)
+ );
+ }
+ if (this.path == null || this.path.isBlank()) {
+ errors.add(
+ Error.create()
+ .withDetail("%s keystore path is required and may not be blank", what)
+ .withSource("%s.path", path)
+ );
+ } else if (this.path.length() > KEYSTORE_PATH_MAX_LEN) {
+ errors.add(
+ Error.create()
+ .withDetail(
+ "%s keystore path may not be longer than %d characters",
+ what,
+ KEYSTORE_PATH_MAX_LEN
+ )
+ .withSource("%s.path", path)
+ );
+ }
+ if (keyPassword != null && keyPassword.longerThan(KEY_PASSWORD_MAX_LEN)) {
+ errors.add(
+ Error.create()
+ .withDetail(
+ "%s key password may not be longer than %d characters",
+ what,
+ KEY_PASSWORD_MAX_LEN
+ )
+ .withSource("%s.password", path)
+ );
+ }
+ }
+ }
+
+ private static final int TRUSTSTORE_PATH_MAX_LEN = 256;
+ private static final int TRUSTSTORE_PASSWORD_MAX_LEN = 256;
+ private static final int KEYSTORE_PATH_MAX_LEN = 256;
+ private static final int KEYSTORE_PASSWORD_MAX_LEN = 256;
+ private static final int KEY_PASSWORD_MAX_LEN = 256;
+ private static final String DEFAULT_STORE_TYPE = "JKS";
+
+ private static final String DEFAULT_VERIFY_HOSTNAME_VALUE = "true";
+ private static final Boolean DEFAULT_VERIFY_HOSTNAME = Boolean.valueOf(
+ DEFAULT_VERIFY_HOSTNAME_VALUE
+ );
+
+ private static final String DEFAULT_ENABLED_VALUE = "true";
+ private static final Boolean DEFAULT_ENABLED = Boolean.valueOf(
+ DEFAULT_ENABLED_VALUE
+ );
+
+ @JsonDeserialize(using = StoreType.Deserializer.class)
+ public enum StoreType {
+ JKS,
+ PKCS12,
+ PEM,
+ @Schema(hidden = true)
+ @JsonEnumDefaultValue
+ UNKNOWN;
+
+ /**
+ * A custom deserializer to handle the store type literals that cannot be parsed.
+ */
+ public static class Deserializer extends JsonDeserializer {
+ @Override
+ public StoreType deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
+ try {
+ return StoreType.valueOf(p.getValueAsString());
+ } catch (IllegalArgumentException e) {
+ return StoreType.UNKNOWN; // Return default on unknown value
+ }
+ }
+ }
+
+ /**
+ * Get the list of allowed values for this enum, without hidden values.
+ * @return the non-hidden allowed values as a comma-separated string
+ */
+ public static String allowedValues() {
+ return Arrays
+ .stream(values())
+ .filter(v -> v != UNKNOWN)
+ .map(Enum::name)
+ .collect(Collectors.joining(", "));
+ }
+ }
+
+ /**
+ * Default SSL configuration.
+ */
+ public TLSConfig() {
+ this(DEFAULT_VERIFY_HOSTNAME, DEFAULT_ENABLED, null, null);
+ }
+
+ public TLSConfig(String truststorePath, Password truststorePassword) {
+ this(
+ DEFAULT_VERIFY_HOSTNAME,
+ DEFAULT_ENABLED,
+ new TrustStore(truststorePath, truststorePassword, null),
+ null
+ );
+ }
+
+ public TLSConfig(
+ String truststorePath,
+ Password truststorePassword,
+ String keystorePath,
+ Password keystorePassword,
+ Password keyPassword
+ ) {
+ this(
+ DEFAULT_VERIFY_HOSTNAME,
+ DEFAULT_ENABLED,
+ new TrustStore(truststorePath, truststorePassword, null),
+ new KeyStore(keystorePath, keystorePassword, null, keyPassword)
+ );
+ }
+
+ public Optional> getProperties(boolean redact) {
+ var config = new LinkedHashMap();
+ if (verifyHostname != null && !verifyHostname) {
+ config.put("ssl.endpoint.identification.algorithm", "");
+ }
+
+ if (truststore != null) {
+ config.put("ssl.truststore.location", truststore.path);
+ if (truststore.type != null && truststore.type != StoreType.UNKNOWN) {
+ config.put("ssl.truststore.type", truststore.type.name());
+ }
+ if (truststore.password != null) {
+ config.put("ssl.truststore.password", truststore.password.asString(redact));
+ }
+ }
+
+ if (keystore != null) {
+ config.put("ssl.keystore.location", keystore.path);
+ if (keystore.type != null && keystore.type != StoreType.UNKNOWN) {
+ config.put("ssl.keystore.type", keystore.type.name());
+ }
+ if (keystore.password != null) {
+ config.put("ssl.keystore.password", keystore.password.asString(redact));
+ }
+ if (keystore.keyPassword != null) {
+ config.put("ssl.key.password", keystore.keyPassword.asString(redact));
+ }
+ }
+
+ return Optional.of(config);
+ }
+
+ public void validate(
+ List errors,
+ String path,
+ String what
+ ) {
+ if (enabled != null && !enabled) {
+ if (truststore != null) {
+ errors.add(
+ Error.create()
+ .withDetail("%s truststore is not allowed when SSL is disabled", what)
+ .withSource("%s.truststore", path)
+ );
+ }
+ if (keystore != null) {
+ errors.add(
+ Error.create()
+ .withDetail("%s keystore is not allowed when SSL is disabled", what)
+ .withSource("%s.keystore", path)
+ );
+ }
+ } else {
+ if (truststore != null) {
+ truststore.validate(errors, "%s.truststore".formatted(path), what);
+ }
+
+ if (keystore != null) {
+ keystore.validate(errors, "%s.keystore".formatted(path), what);
+ }
+ }
+ }
+}
diff --git a/src/main/java/io/confluent/idesidecar/restapi/messageviewer/MessageViewerContext.java b/src/main/java/io/confluent/idesidecar/restapi/messageviewer/MessageViewerContext.java
index 93033268..c8c70cdf 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/messageviewer/MessageViewerContext.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/messageviewer/MessageViewerContext.java
@@ -1,11 +1,12 @@
package io.confluent.idesidecar.restapi.messageviewer;
-import io.confluent.idesidecar.restapi.clients.SchemaErrors;
import io.confluent.idesidecar.restapi.messageviewer.data.SimpleConsumeMultiPartitionRequest;
import io.confluent.idesidecar.restapi.messageviewer.data.SimpleConsumeMultiPartitionResponse;
+import io.confluent.idesidecar.restapi.models.ClusterType;
import io.confluent.idesidecar.restapi.models.graph.KafkaCluster;
import io.confluent.idesidecar.restapi.models.graph.SchemaRegistry;
import io.confluent.idesidecar.restapi.proxy.ProxyContext;
+import io.confluent.idesidecar.restapi.proxy.clusters.ClusterProxyContext;
import io.vertx.core.MultiMap;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.http.HttpMethod;
@@ -15,8 +16,7 @@
/**
* Stores the context of a request of the message viewer API.
*/
-public class MessageViewerContext extends ProxyContext {
- private final String clusterId;
+public class MessageViewerContext extends ClusterProxyContext {
private final String topicName;
private KafkaCluster kafkaClusterInfo;
private SchemaRegistry schemaRegistryInfo;
@@ -43,17 +43,14 @@ public MessageViewerContext(
.map(body -> Buffer.buffer(body.toJsonString()))
.orElse(null),
requestPathParams,
- connectionId
+ connectionId,
+ clusterId,
+ ClusterType.KAFKA
);
- this.clusterId = clusterId;
this.topicName = topicName;
this.consumeRequest = requestBody;
}
- public String getClusterId() {
- return this.clusterId;
- }
-
public String getTopicName() {
return this.topicName;
}
diff --git a/src/main/java/io/confluent/idesidecar/restapi/messageviewer/strategy/ConfluentCloudConsumeStrategy.java b/src/main/java/io/confluent/idesidecar/restapi/messageviewer/strategy/ConfluentCloudConsumeStrategy.java
index 989fed44..3a4b3d2d 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/messageviewer/strategy/ConfluentCloudConsumeStrategy.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/messageviewer/strategy/ConfluentCloudConsumeStrategy.java
@@ -66,7 +66,9 @@ public Future execute(MessageViewerContext context) {
} else {
context.setProxyRequestBody(Buffer.buffer("{}"));
}
- ProxyHttpClient proxyHttpClient = new ProxyHttpClient<>(webClientFactory);
+ ProxyHttpClient proxyHttpClient = new ProxyHttpClient<>(
+ webClientFactory, vertx
+ );
return proxyHttpClient.send(context).compose(processedCtx ->
vertx
.createSharedWorkerExecutor("consume-worker")
diff --git a/src/main/java/io/confluent/idesidecar/restapi/models/ConnectionSpec.java b/src/main/java/io/confluent/idesidecar/restapi/models/ConnectionSpec.java
index 36b9236d..a8da3cdc 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/models/ConnectionSpec.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/models/ConnectionSpec.java
@@ -8,9 +8,7 @@
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
-import io.confluent.idesidecar.restapi.credentials.ApiKeyAndSecret;
-import io.confluent.idesidecar.restapi.credentials.BasicCredentials;
-import io.confluent.idesidecar.restapi.credentials.Credentials;
+import io.confluent.idesidecar.restapi.credentials.*;
import io.confluent.idesidecar.restapi.exceptions.Failure;
import io.confluent.idesidecar.restapi.exceptions.Failure.Error;
import io.confluent.idesidecar.restapi.util.CCloud.KafkaEndpoint;
@@ -36,20 +34,30 @@ public record ConnectionSpec(
@Schema(description = "The unique identifier of the connection resource.")
@Size(min = 1, max = 64)
String id,
+
@Schema(description = "The user-supplied name of the connection resource.")
@Size(max = 64)
String name,
+
@Schema(description = "The type of connection resource.")
ConnectionType type,
+
@Schema(description = "The details for connecting to CCloud.")
- @JsonProperty(CCLOUD_CONFIG_FIELD_NAME) CCloudConfig ccloudConfig,
+ @JsonProperty(CCLOUD_CONFIG_FIELD_NAME)
+ CCloudConfig ccloudConfig,
+
@Schema(description = "The details for connecting to Confluent Local.")
- @JsonProperty(LOCAL_CONFIG_FIELD_NAME) LocalConfig localConfig,
+ @JsonProperty(LOCAL_CONFIG_FIELD_NAME)
+ LocalConfig localConfig,
+
@Schema(description = "The details for connecting to a CCloud, Confluent Platform, or "
+ "Apache Kafka cluster.")
- @JsonProperty(KAFKA_CLUSTER_CONFIG_FIELD_NAME) KafkaClusterConfig kafkaClusterConfig,
+ @JsonProperty(KAFKA_CLUSTER_CONFIG_FIELD_NAME)
+ KafkaClusterConfig kafkaClusterConfig,
+
@Schema(description = "The details for connecting to a Schema Registry.")
- @JsonProperty(SCHEMA_REGISTRY_CONFIG_FIELD_NAME) SchemaRegistryConfig schemaRegistryConfig
+ @JsonProperty(SCHEMA_REGISTRY_CONFIG_FIELD_NAME)
+ SchemaRegistryConfig schemaRegistryConfig
) implements ConnectionSpecBuilder.With {
public static final String CCLOUD_CONFIG_FIELD_NAME = "ccloud_config";
@@ -70,43 +78,37 @@ public enum ConnectionType {
}
public static ConnectionSpec createCCloud(String id, String name, CCloudConfig ccloudConfig) {
- return new ConnectionSpec(
- id,
- name,
- CCLOUD,
- ccloudConfig,
- null,
- null,
- null
- );
+ return ConnectionSpecBuilder.builder()
+ .id(id)
+ .name(name)
+ .type(CCLOUD)
+ .ccloudConfig(ccloudConfig)
+ .build();
}
public static ConnectionSpec createLocal(String id, String name, LocalConfig localConfig) {
- return new ConnectionSpec(
- id,
- name,
- LOCAL,
- null,
- localConfig != null ? localConfig : new LocalConfig(null),
- null,
- null
- );
+ return ConnectionSpecBuilder.builder()
+ .id(id)
+ .name(name)
+ .type(LOCAL)
+ .localConfig(localConfig != null ? localConfig : new LocalConfig(null))
+ .build();
}
public static ConnectionSpec createDirect(
- String id, String name,
+ String id,
+ String name,
KafkaClusterConfig kafkaConfig,
SchemaRegistryConfig srConfig
) {
- return new ConnectionSpec(
- id,
- name,
- DIRECT,
- null,
- null,
- kafkaConfig,
- srConfig
- );
+ return ConnectionSpecBuilder
+ .builder()
+ .id(id)
+ .name(name)
+ .type(DIRECT)
+ .kafkaClusterConfig(kafkaConfig)
+ .schemaRegistryConfig(srConfig)
+ .build();
}
public ConnectionSpec(String id, String name, ConnectionType type) {
@@ -311,6 +313,7 @@ public record KafkaClusterConfig(
oneOf = {
BasicCredentials.class,
ApiKeyAndSecret.class,
+ OAuthCredentials.class,
},
nullable = true
)
@@ -318,48 +321,20 @@ public record KafkaClusterConfig(
Credentials credentials,
@Schema(
- description =
- "Whether to communicate with the Kafka cluster over TLS/SSL. Defaults to 'true', "
- + "but set to 'false' when the Kafka cluster does not support TLS/SSL.",
- defaultValue = KafkaClusterConfig.DEFAULT_SSL_VALUE,
+ description = "The SSL configuration for connecting to the Kafka cluster. " +
+ "To disable, set `enabled` to false. " +
+ "To use the default SSL settings, set `enabled` to true and " +
+ "leave the `truststore` and `keystore` fields unset.",
nullable = true
)
@JsonProperty(value = "ssl")
@Null
- Boolean ssl,
-
- @Schema(
- description =
- "Whether to verify the Kafka cluster certificates. Defaults to 'true', but set "
- + "to 'false' when the Kafka cluster has self-signed certificates.",
- defaultValue = KafkaClusterConfig.DEFAULT_VERIFY_SSL_CERTIFICATES_VALUE,
- nullable = true
- )
- @JsonProperty(value = "verify_ssl_certificates")
- @Null
- Boolean verifySslCertificates
+ TLSConfig tlsConfig
) implements ConnectionSpecKafkaClusterConfigBuilder.With {
// Constants used in annotations above
private static final int ID_MAX_LEN = 64;
private static final int BOOTSTRAP_SERVERS_MAX_LEN = 256;
- private static final String DEFAULT_SSL_VALUE = "true";
- private static final String DEFAULT_VERIFY_SSL_CERTIFICATES_VALUE = "true";
-
- public static final boolean DEFAULT_SSL = Boolean.valueOf(DEFAULT_SSL_VALUE);
- public static final boolean DEFAULT_VERIFY_SSL_CERTIFICATES = Boolean.valueOf(
- DEFAULT_VERIFY_SSL_CERTIFICATES_VALUE
- );
-
- @JsonIgnore
- public boolean sslOrDefault() {
- return ssl != null ? ssl : DEFAULT_SSL;
- }
-
- @JsonIgnore
- public boolean verifySslCertificatesOrDefault() {
- return verifySslCertificates != null ? verifySslCertificates : DEFAULT_VERIFY_SSL_CERTIFICATES;
- }
@JsonIgnore
public Optional asCCloudEndpoint() {
@@ -416,11 +391,21 @@ public record SchemaRegistryConfig(
oneOf = {
BasicCredentials.class,
ApiKeyAndSecret.class,
+ OAuthCredentials.class,
},
nullable = true
)
@Null
- Credentials credentials
+ Credentials credentials,
+
+ @Schema(
+ description = "The SSL configuration for connecting to Schema Registry. If null," +
+ " the connection will use SSL with the default settings. To disable, set `enabled` to false.",
+ nullable = true
+ )
+ @JsonProperty(value = "ssl")
+ @Null
+ TLSConfig tlsConfig
) implements ConnectionSpecSchemaRegistryConfigBuilder.With {
private static final int ID_MAX_LEN = 64;
@@ -536,7 +521,8 @@ public List validateUpdate(ConnectionSpec newSpec) {
if (sr != null && local != null && local.schemaRegistryUri != null) {
errors.add(
Error.create()
- .withDetail("Local config cannot be used with schema_registry configuration")
+ .withDetail(
+ "Local config cannot be used with schema_registry configuration")
.withSource("local_config.schema-registry-uri")
);
}
@@ -550,10 +536,17 @@ public List validateUpdate(ConnectionSpec newSpec) {
var kafka = newSpec.kafkaClusterConfig();
if (kafka != null) {
kafka.validate(errors, "kafka_cluster", "Kafka cluster");
+ if (kafka.tlsConfig != null) {
+ kafka.tlsConfig.validate(errors, "kafka_cluster.ssl", "Kafka cluster");
+ }
}
+
var sr = newSpec.schemaRegistryConfig();
if (sr != null) {
sr.validate(errors, "schema_registry", "Schema Registry");
+ if (sr.tlsConfig != null) {
+ sr.tlsConfig.validate(errors, "schema_registry.ssl", "Schema Registry");
+ }
}
checkLocalConfigNotAllowed(errors, newSpec);
checkCCloudConfigNotAllowed(errors, newSpec);
diff --git a/src/main/java/io/confluent/idesidecar/restapi/proxy/ProxyContext.java b/src/main/java/io/confluent/idesidecar/restapi/proxy/ProxyContext.java
index 41965967..cbf08166 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/proxy/ProxyContext.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/proxy/ProxyContext.java
@@ -82,6 +82,23 @@ public Failure failf(int status, String message, Object... args) {
// Getters and setters
// Add additional getters and setters as needed
+
+ public String getProxyRequestAbsoluteUrl() {
+ return proxyRequestAbsoluteUrl;
+ }
+
+ public MultiMap getProxyRequestHeaders() {
+ return proxyRequestHeaders;
+ }
+
+ public HttpMethod getProxyRequestMethod() {
+ return proxyRequestMethod;
+ }
+
+ public Buffer getProxyRequestBody() {
+ return proxyRequestBody;
+ }
+
public String getRequestUri() {
return requestUri;
}
diff --git a/src/main/java/io/confluent/idesidecar/restapi/proxy/ProxyHttpClient.java b/src/main/java/io/confluent/idesidecar/restapi/proxy/ProxyHttpClient.java
index 51ac948e..2c3b7def 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/proxy/ProxyHttpClient.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/proxy/ProxyHttpClient.java
@@ -1,24 +1,37 @@
package io.confluent.idesidecar.restapi.proxy;
import io.confluent.idesidecar.restapi.exceptions.ProcessorFailedException;
+import io.confluent.idesidecar.restapi.proxy.clusters.ClusterProxyContext;
import io.confluent.idesidecar.restapi.util.WebClientFactory;
import io.vertx.core.Future;
+import io.vertx.core.Vertx;
+import io.vertx.ext.web.client.WebClient;
/**
* HTTP client used when proxying requests to the Kafka REST and Schema Registry APIs.
*/
-public class ProxyHttpClient {
+public class ProxyHttpClient {
WebClientFactory webClientFactory;
+ Vertx vertx;
- public ProxyHttpClient(WebClientFactory webClientFactory) {
+ public ProxyHttpClient(WebClientFactory webClientFactory, Vertx vertx) {
this.webClientFactory = webClientFactory;
+ this.vertx = vertx;
}
public Future send(T context) {
- return webClientFactory.getWebClient()
- .requestAbs(context.proxyRequestMethod, context.proxyRequestAbsoluteUrl)
- .putHeaders(context.proxyRequestHeaders)
- .sendBuffer(context.proxyRequestBody)
+ var options = webClientFactory.getDefaultWebClientOptions();
+ if (context.getTruststoreOptions() != null) {
+ options.setTrustStoreOptions(context.getTruststoreOptions());
+ }
+ if (context.getKeystoreOptions() != null) {
+ options.setKeyStoreOptions(context.getKeystoreOptions());
+ }
+
+ return WebClient.create(vertx, options)
+ .requestAbs(context.getProxyRequestMethod(), context.getProxyRequestAbsoluteUrl())
+ .putHeaders(context.getProxyRequestHeaders())
+ .sendBuffer(context.getProxyRequestBody())
.compose(
// If success, update context and pass it to the next processor
// Success means we were able to make a call to the server & we got a response.
diff --git a/src/main/java/io/confluent/idesidecar/restapi/proxy/ProxyRequestProcessor.java b/src/main/java/io/confluent/idesidecar/restapi/proxy/ProxyRequestProcessor.java
index 4143e55f..adc333b6 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/proxy/ProxyRequestProcessor.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/proxy/ProxyRequestProcessor.java
@@ -1,8 +1,10 @@
package io.confluent.idesidecar.restapi.proxy;
import io.confluent.idesidecar.restapi.processors.Processor;
+import io.confluent.idesidecar.restapi.proxy.clusters.ClusterProxyContext;
import io.confluent.idesidecar.restapi.util.WebClientFactory;
import io.vertx.core.Future;
+import io.vertx.core.Vertx;
/**
* Generic processor that ships the request to the target server and updates the context with the
@@ -10,13 +12,13 @@
*
* @param The type of the context that must extend {@link ProxyContext}
*/
-public class ProxyRequestProcessor extends
+public class ProxyRequestProcessor extends
Processor> {
ProxyHttpClient proxyHttpClient;
- public ProxyRequestProcessor(WebClientFactory webClientFactory) {
- proxyHttpClient = new ProxyHttpClient<>(webClientFactory);
+ public ProxyRequestProcessor(WebClientFactory webClientFactory, Vertx vertx) {
+ proxyHttpClient = new ProxyHttpClient<>(webClientFactory, vertx);
}
@Override
diff --git a/src/main/java/io/confluent/idesidecar/restapi/proxy/clusters/ClusterProxyContext.java b/src/main/java/io/confluent/idesidecar/restapi/proxy/clusters/ClusterProxyContext.java
index 5d8911db..dcca844b 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/proxy/clusters/ClusterProxyContext.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/proxy/clusters/ClusterProxyContext.java
@@ -1,5 +1,6 @@
package io.confluent.idesidecar.restapi.proxy.clusters;
+import io.confluent.idesidecar.restapi.credentials.TLSConfig;
import io.confluent.idesidecar.restapi.models.ClusterType;
import io.confluent.idesidecar.restapi.models.graph.Cluster;
import io.confluent.idesidecar.restapi.proxy.ProxyContext;
@@ -8,6 +9,10 @@
import io.vertx.core.MultiMap;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.http.HttpMethod;
+import io.vertx.core.net.JksOptions;
+import io.vertx.core.net.KeyStoreOptions;
+import io.vertx.core.net.KeyStoreOptionsBase;
+
import java.util.Map;
/**
@@ -24,6 +29,10 @@ public class ClusterProxyContext extends ProxyContext {
Cluster clusterInfo;
ClusterStrategy clusterStrategy;
+ // TLS options
+ JksOptions truststoreOptions;
+ JksOptions keystoreOptions;
+
public ClusterProxyContext(
String requestUri,
MultiMap requestHeaders,
@@ -62,4 +71,30 @@ public String getClusterId() {
public ClusterType getClusterType() {
return clusterType;
}
+
+ public JksOptions getTruststoreOptions() {
+ return truststoreOptions;
+ }
+
+ public void setTruststoreOptions(TLSConfig.TrustStore trustStore) {
+ this.truststoreOptions = new JksOptions()
+ .setPath(trustStore.path())
+ .setPassword(trustStore.password().asString(false));
+ }
+
+ public JksOptions getKeystoreOptions() {
+ return keystoreOptions;
+ }
+
+ public void setKeystoreOptions(TLSConfig.KeyStore keyStore) {
+ var keystoreOptions = new JksOptions()
+ .setPath(keyStore.path())
+ .setPassword(keyStore.password().asString(false));
+
+ if (keyStore.keyPassword() != null) {
+ keystoreOptions.setAliasPassword(keyStore.keyPassword().asString(false));
+ }
+
+ this.keystoreOptions = keystoreOptions;
+ }
}
diff --git a/src/main/java/io/confluent/idesidecar/restapi/proxy/clusters/processors/ClusterProxyProcessor.java b/src/main/java/io/confluent/idesidecar/restapi/proxy/clusters/processors/ClusterProxyProcessor.java
index 6db8f744..4d45482f 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/proxy/clusters/processors/ClusterProxyProcessor.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/proxy/clusters/processors/ClusterProxyProcessor.java
@@ -48,6 +48,30 @@ public Future process(ClusterProxyContext context) {
context.setProxyRequestMethod(context.getRequestMethod());
context.setProxyRequestBody(context.getRequestBody());
+ // Set TLS options
+ var connectionState = context.getConnectionState();
+
+ switch (context.getClusterType()) {
+ case KAFKA -> {
+ // Confluent Local Kafka REST Proxy is not configured with TLS.
+ // However, Confluent Cloud Kafka REST does support mutual TLS. It only requires
+ // the keystore options to be set. This is a TODO item for the future.
+ // (https://github.com/confluentinc/ide-sidecar/issues/235)
+ }
+ case SCHEMA_REGISTRY ->
+ connectionState
+ .getSchemaRegistryTLSConfig()
+ .ifPresent(
+ tlsConfig -> {
+ if (tlsConfig.truststore() != null) {
+ context.setTruststoreOptions(tlsConfig.truststore());
+ }
+ if (tlsConfig.keystore() != null) {
+ context.setKeystoreOptions(tlsConfig.keystore());
+ }
+ });
+ }
+
return next().process(context).map(
processedContext -> {
if (processedContext.getProxyResponseBody() != null) {
diff --git a/src/main/java/io/confluent/idesidecar/restapi/util/WebClientFactory.java b/src/main/java/io/confluent/idesidecar/restapi/util/WebClientFactory.java
index 32cffd7f..769d6a64 100644
--- a/src/main/java/io/confluent/idesidecar/restapi/util/WebClientFactory.java
+++ b/src/main/java/io/confluent/idesidecar/restapi/util/WebClientFactory.java
@@ -116,7 +116,7 @@ public synchronized void updateWebClientOptions(@Observes PreferencesSpec prefer
Log.debugf("Updated the Vert.x web client config to: %s", clientOptions);
}
- WebClientOptions getDefaultWebClientOptions() {
+ public WebClientOptions getDefaultWebClientOptions() {
var clientOptions = new WebClientOptions();
clientOptions.setConnectTimeout((int) WEBCLIENT_CONNECT_TIMEOUT_SECONDS.toMillis());
clientOptions.setUserAgent(sidecarInfo.getUserAgent());
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index bf6bf660..772d8a40 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -198,6 +198,10 @@ ide-sidecar:
max-backoff-ms: 5000
timeout-ms: 10000
max-retries: 5
+ integration-tests:
+ # cp-demo configs used by Confluent Platform integration tests
+ cp-demo:
+ tag: v7.7.1
quarkus:
apicurio-registry:
diff --git a/src/test/java/io/confluent/idesidecar/restapi/cache/ClientConfiguratorStaticTest.java b/src/test/java/io/confluent/idesidecar/restapi/cache/ClientConfiguratorStaticTest.java
index 5330f569..e12f483a 100644
--- a/src/test/java/io/confluent/idesidecar/restapi/cache/ClientConfiguratorStaticTest.java
+++ b/src/test/java/io/confluent/idesidecar/restapi/cache/ClientConfiguratorStaticTest.java
@@ -13,7 +13,13 @@
import io.confluent.idesidecar.restapi.credentials.BasicCredentials;
import io.confluent.idesidecar.restapi.credentials.Credentials;
import io.confluent.idesidecar.restapi.credentials.Credentials.KafkaConnectionOptions;
+import io.confluent.idesidecar.restapi.credentials.Credentials.SchemaRegistryConnectionOptions;
+import io.confluent.idesidecar.restapi.credentials.OAuthCredentials;
import io.confluent.idesidecar.restapi.credentials.Password;
+import io.confluent.idesidecar.restapi.credentials.TLSConfig;
+import io.confluent.idesidecar.restapi.credentials.TLSConfigBuilder;
+import io.confluent.idesidecar.restapi.credentials.TLSConfig.KeyStore;
+import io.confluent.idesidecar.restapi.credentials.TLSConfig.TrustStore;
import io.confluent.idesidecar.restapi.models.graph.KafkaCluster;
import io.confluent.idesidecar.restapi.models.graph.SchemaRegistry;
import io.confluent.idesidecar.restapi.util.CCloud;
@@ -44,15 +50,79 @@ class ClientConfiguratorStaticTest {
static final String PASSWORD = "my-secret";
static final String API_KEY = "api-key-123";
static final String API_SECRET = "api-secret-123";
+ static final String OAUTH_TOKEN_URL = "http://localhost:8081/oauth/token";
+ static final String OAUTH_CLIENT_ID = "client-123";
+ static final String OAUTH_SCOPE = "oauth-scope";
+ static final String OAUTH_SECRET = "oauth-secret";
+ static final String MTLS_TRUSTSTORE_PATH = "/path/to/truststore";
+ static final String MTLS_KEYSTORE_PATH = "/path/to/keystore";
+ static final String MTLS_TRUSTSTORE_PASSWORD = "my-ts-secret";
+ static final String MTLS_KEYSTORE_PASSWORD = "my-ks-secret";
+ static final String MTLS_KEY_PASSWORD = "my-key-secret";
static final BasicCredentials BASIC_CREDENTIALS = new BasicCredentials(
USERNAME,
new Password(PASSWORD.toCharArray())
);
+ static final OAuthCredentials OAUTH_CREDENTIALS = new OAuthCredentials(
+ OAUTH_TOKEN_URL,
+ OAUTH_CLIENT_ID,
+ new Password(OAUTH_SECRET.toCharArray())
+ );
+ static final OAuthCredentials OAUTH_CREDENTIALS_WITH_SCOPE = new OAuthCredentials(
+ OAUTH_TOKEN_URL,
+ OAUTH_CLIENT_ID,
+ new Password(OAUTH_SECRET.toCharArray()),
+ OAUTH_SCOPE
+ );
static final ApiKeyAndSecret API_KEY_AND_SECRET = new ApiKeyAndSecret(
API_KEY,
new ApiSecret(API_SECRET.toCharArray())
);
+ static final TLSConfig ONE_WAY_TLS_CONFIG = new TLSConfig(
+ MTLS_TRUSTSTORE_PATH,
+ new Password(MTLS_TRUSTSTORE_PASSWORD.toCharArray())
+ );
+ static final TLSConfig DEFAULT_TLS_CONFIG = new TLSConfig();
+ static final TLSConfig ONE_WAY_TLS_CONFIG_WITHOUT_HOSTNAME_VERIFICATION = ONE_WAY_TLS_CONFIG
+ .with()
+ .verifyHostname(false)
+ .build();
+
+ static final TLSConfig MUTUAL_TLS_CONFIG = new TLSConfig(
+ MTLS_TRUSTSTORE_PATH,
+ new Password(MTLS_TRUSTSTORE_PASSWORD.toCharArray()),
+ MTLS_KEYSTORE_PATH,
+ new Password(MTLS_KEYSTORE_PASSWORD.toCharArray()),
+ new Password(MTLS_KEY_PASSWORD.toCharArray())
+ );
+ static final TLSConfig MUTUAL_TLS_CONFIG_WITH_TYPES = new TLSConfig(
+ true,
+ true,
+ new TrustStore(
+ MTLS_TRUSTSTORE_PATH,
+ new Password(MTLS_TRUSTSTORE_PASSWORD.toCharArray()),
+ TLSConfig.StoreType.JKS
+ ),
+ new KeyStore(
+ MTLS_KEYSTORE_PATH,
+ new Password(MTLS_KEYSTORE_PASSWORD.toCharArray()),
+ TLSConfig.StoreType.JKS,
+ new Password(MTLS_KEY_PASSWORD.toCharArray())
+ )
+ );
+
+ static final TLSConfig TLS_DISABLED = TLSConfigBuilder
+ .builder()
+ .enabled(false)
+ .build();
+
+ static final TLSConfig HOSTNAME_VERIFICATION_DISABLED = TLSConfigBuilder
+ .builder()
+ // TLS is enabled but hostname verification is disabled
+ .enabled(true)
+ .verifyHostname(false)
+ .build();
@Mock ConnectionState connection;
@Mock KafkaCluster kafka;
@@ -87,8 +157,8 @@ record TestInput(
Credentials kafkaCredentials,
SchemaRegistry schemaRegistry,
Credentials srCredentials,
- boolean ssl,
- boolean verifyUnsignedCertificates,
+ TLSConfig kafkaTLSConfig,
+ TLSConfig schemaRegistryTLSConfig,
boolean redact,
Duration timeout,
String expectedKafkaConfig,
@@ -101,8 +171,8 @@ record TestInput(
null,
schemaRegistry,
null,
- true,
- true,
+ TLS_DISABLED,
+ TLS_DISABLED,
false,
null,
"""
@@ -118,8 +188,8 @@ record TestInput(
null,
null,
null,
- true,
- true,
+ TLS_DISABLED,
+ TLS_DISABLED,
false,
null,
"""
@@ -127,14 +197,52 @@ record TestInput(
""",
null
),
+ new TestInput(
+ "No credentials, just Kafka and default TLS",
+ kafka,
+ null,
+ null,
+ null,
+ DEFAULT_TLS_CONFIG,
+ null,
+ false,
+ null,
+ """
+ bootstrap.servers=localhost:9092
+ security.protocol=SSL
+ """,
+ null
+ ),
+ new TestInput(
+ "No credentials and TLS",
+ kafka,
+ null,
+ schemaRegistry,
+ null,
+ ONE_WAY_TLS_CONFIG,
+ ONE_WAY_TLS_CONFIG,
+ false,
+ null,
+ """
+ bootstrap.servers=localhost:9092
+ security.protocol=SSL
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ """.formatted(MTLS_TRUSTSTORE_PATH, MTLS_TRUSTSTORE_PASSWORD),
+ """
+ schema.registry.url=http://localhost:8081
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ """.formatted(MTLS_TRUSTSTORE_PATH, MTLS_TRUSTSTORE_PASSWORD)
+ ),
new TestInput(
"With basic credentials and plaintext",
kafka,
BASIC_CREDENTIALS,
schemaRegistry,
BASIC_CREDENTIALS,
- false,
- false,
+ TLS_DISABLED,
+ TLS_DISABLED,
false,
Duration.ofSeconds(10),
"""
@@ -142,7 +250,6 @@ record TestInput(
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="%s" password="%s";
- ssl.endpoint.identification.algorithm=
""".formatted(USERNAME, PASSWORD),
"""
schema.registry.url=http://localhost:8081
@@ -157,8 +264,8 @@ record TestInput(
BASIC_CREDENTIALS,
schemaRegistry,
BASIC_CREDENTIALS,
- false,
- false,
+ TLS_DISABLED,
+ TLS_DISABLED,
true,
null,
"""
@@ -166,8 +273,6 @@ record TestInput(
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="%s" password="********";
- ssl.endpoint.identification.algorithm=
-
""".formatted(USERNAME),
"""
schema.registry.url=http://localhost:8081
@@ -181,8 +286,8 @@ record TestInput(
BASIC_CREDENTIALS,
schemaRegistry,
BASIC_CREDENTIALS,
- true,
- true,
+ ONE_WAY_TLS_CONFIG,
+ ONE_WAY_TLS_CONFIG,
false,
null,
"""
@@ -190,12 +295,120 @@ record TestInput(
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="%s" password="%s";
- """.formatted(USERNAME, PASSWORD),
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ """.formatted(USERNAME, PASSWORD, MTLS_TRUSTSTORE_PATH, MTLS_TRUSTSTORE_PASSWORD),
"""
schema.registry.url=http://localhost:8081
basic.auth.credentials.source=USER_INFO
basic.auth.user.info=%s:%s
- """.formatted(USERNAME, PASSWORD)
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ """.formatted(USERNAME, PASSWORD, MTLS_TRUSTSTORE_PATH, MTLS_TRUSTSTORE_PASSWORD)
+ ),
+ new TestInput(
+ "With basic credentials and Mutual TLS",
+ kafka,
+ BASIC_CREDENTIALS,
+ schemaRegistry,
+ BASIC_CREDENTIALS,
+ MUTUAL_TLS_CONFIG,
+ MUTUAL_TLS_CONFIG,
+ false,
+ null,
+ """
+ bootstrap.servers=localhost:9092
+ security.protocol=SASL_SSL
+ sasl.mechanism=PLAIN
+ sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="%s" password="%s";
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ ssl.keystore.location=%s
+ ssl.keystore.password=%s
+ ssl.key.password=%s
+ """
+ .formatted(
+ USERNAME,
+ PASSWORD,
+ MTLS_TRUSTSTORE_PATH,
+ MTLS_TRUSTSTORE_PASSWORD,
+ MTLS_KEYSTORE_PATH,
+ MTLS_KEYSTORE_PASSWORD,
+ MTLS_KEY_PASSWORD
+ ),
+ """
+ schema.registry.url=http://localhost:8081
+ basic.auth.credentials.source=USER_INFO
+ basic.auth.user.info=%s:%s
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ ssl.keystore.location=%s
+ ssl.keystore.password=%s
+ ssl.key.password=%s
+ """
+ .formatted(
+ USERNAME,
+ PASSWORD,
+ MTLS_TRUSTSTORE_PATH,
+ MTLS_TRUSTSTORE_PASSWORD,
+ MTLS_KEYSTORE_PATH,
+ MTLS_KEYSTORE_PASSWORD,
+ MTLS_KEY_PASSWORD
+ )
+ ),
+ new TestInput(
+ "With basic credentials and Mutual TLS with explicit types",
+ kafka,
+ BASIC_CREDENTIALS,
+ schemaRegistry,
+ BASIC_CREDENTIALS,
+ MUTUAL_TLS_CONFIG_WITH_TYPES,
+ MUTUAL_TLS_CONFIG_WITH_TYPES,
+ false,
+ null,
+ """
+ bootstrap.servers=localhost:9092
+ security.protocol=SASL_SSL
+ sasl.mechanism=PLAIN
+ sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="%s" password="%s";
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ ssl.truststore.type=JKS
+ ssl.keystore.location=%s
+ ssl.keystore.password=%s
+ ssl.keystore.type=JKS
+ ssl.key.password=%s
+ """
+ .formatted(
+ USERNAME,
+ PASSWORD,
+ MTLS_TRUSTSTORE_PATH,
+ MTLS_TRUSTSTORE_PASSWORD,
+ MTLS_KEYSTORE_PATH,
+ MTLS_KEYSTORE_PASSWORD,
+ MTLS_KEY_PASSWORD
+ ),
+ """
+ schema.registry.url=http://localhost:8081
+ basic.auth.credentials.source=USER_INFO
+ basic.auth.user.info=%s:%s
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ ssl.truststore.type=JKS
+ ssl.keystore.location=%s
+ ssl.keystore.password=%s
+ ssl.keystore.type=JKS
+ ssl.key.password=%s
+ """
+ .formatted(
+ USERNAME,
+ PASSWORD,
+ MTLS_TRUSTSTORE_PATH,
+ MTLS_TRUSTSTORE_PASSWORD,
+ MTLS_KEYSTORE_PATH,
+ MTLS_KEYSTORE_PASSWORD,
+ MTLS_KEY_PASSWORD
+ )
),
new TestInput(
"With basic credentials and TLS but redacted",
@@ -203,8 +416,8 @@ record TestInput(
BASIC_CREDENTIALS,
schemaRegistry,
BASIC_CREDENTIALS,
- true,
- true,
+ ONE_WAY_TLS_CONFIG,
+ ONE_WAY_TLS_CONFIG,
true,
null,
"""
@@ -212,21 +425,25 @@ record TestInput(
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="%s" password="********";
- """.formatted(USERNAME),
+ ssl.truststore.location=%s
+ ssl.truststore.password=********
+ """.formatted(USERNAME, MTLS_TRUSTSTORE_PATH),
"""
schema.registry.url=http://localhost:8081
basic.auth.credentials.source=USER_INFO
basic.auth.user.info=%s:********
- """.formatted(USERNAME)
+ ssl.truststore.location=%s
+ ssl.truststore.password=********
+ """.formatted(USERNAME, MTLS_TRUSTSTORE_PATH)
),
new TestInput(
- "With basic credentials and TLS and verify hostnames",
+ "With basic credentials and TLS and disable server hostname verification",
kafka,
BASIC_CREDENTIALS,
schemaRegistry,
BASIC_CREDENTIALS,
- true,
- true,
+ ONE_WAY_TLS_CONFIG_WITHOUT_HOSTNAME_VERIFICATION,
+ ONE_WAY_TLS_CONFIG_WITHOUT_HOSTNAME_VERIFICATION,
false,
null,
"""
@@ -234,12 +451,18 @@ record TestInput(
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="%s" password="%s";
- """.formatted(USERNAME, PASSWORD),
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ ssl.endpoint.identification.algorithm=
+ """.formatted(USERNAME, PASSWORD, MTLS_TRUSTSTORE_PATH, MTLS_TRUSTSTORE_PASSWORD),
"""
schema.registry.url=http://localhost:8081
basic.auth.credentials.source=USER_INFO
basic.auth.user.info=%s:%s
- """.formatted(USERNAME, PASSWORD)
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ ssl.endpoint.identification.algorithm=
+ """.formatted(USERNAME, PASSWORD, MTLS_TRUSTSTORE_PATH, MTLS_TRUSTSTORE_PASSWORD)
),
new TestInput(
"With mixed credentials and TLS",
@@ -247,8 +470,8 @@ record TestInput(
BASIC_CREDENTIALS,
schemaRegistry,
API_KEY_AND_SECRET,
- true,
- true,
+ ONE_WAY_TLS_CONFIG,
+ ONE_WAY_TLS_CONFIG,
false,
null,
"""
@@ -256,12 +479,167 @@ record TestInput(
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="%s" password="%s";
- """.formatted(USERNAME, PASSWORD),
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ """.formatted(USERNAME, PASSWORD, MTLS_TRUSTSTORE_PATH, MTLS_TRUSTSTORE_PASSWORD),
"""
schema.registry.url=http://localhost:8081
basic.auth.credentials.source=USER_INFO
basic.auth.user.info=%s:%s
- """.formatted(API_KEY, API_SECRET)
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ """.formatted(API_KEY, API_SECRET, MTLS_TRUSTSTORE_PATH, MTLS_TRUSTSTORE_PASSWORD)
+ ),
+ new TestInput(
+ "With different TLS configs for Kafka and SR",
+ kafka,
+ BASIC_CREDENTIALS,
+ schemaRegistry,
+ BASIC_CREDENTIALS,
+ ONE_WAY_TLS_CONFIG,
+ MUTUAL_TLS_CONFIG,
+ false,
+ null,
+ """
+ bootstrap.servers=localhost:9092
+ security.protocol=SASL_SSL
+ sasl.mechanism=PLAIN
+ sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="%s" password="%s";
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ """.formatted(USERNAME, PASSWORD, MTLS_TRUSTSTORE_PATH, MTLS_TRUSTSTORE_PASSWORD),
+ """
+ schema.registry.url=http://localhost:8081
+ basic.auth.credentials.source=USER_INFO
+ basic.auth.user.info=%s:%s
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ ssl.keystore.location=%s
+ ssl.keystore.password=%s
+ ssl.key.password=%s
+ """
+ .formatted(
+ USERNAME,
+ PASSWORD,
+ MTLS_TRUSTSTORE_PATH,
+ MTLS_TRUSTSTORE_PASSWORD,
+ MTLS_KEYSTORE_PATH,
+ MTLS_KEYSTORE_PASSWORD,
+ MTLS_KEY_PASSWORD
+ )
+ ),
+ new TestInput(
+ "With OAuth for Kafka and SR",
+ kafka,
+ OAUTH_CREDENTIALS,
+ schemaRegistry,
+ OAUTH_CREDENTIALS,
+ TLS_DISABLED,
+ TLS_DISABLED,
+ false,
+ null,
+ """
+ bootstrap.servers=localhost:9092
+ security.protocol=SASL_PLAINTEXT
+ sasl.mechanism=OAUTHBEARER
+ sasl.oauthbearer.token.endpoint.url=http://localhost:8081/oauth/token
+ sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
+ sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required clientId="%s" clientSecret="%s"
+ """.formatted(OAUTH_CLIENT_ID, OAUTH_SECRET),
+ """
+ schema.registry.url=http://localhost:8081
+ bearer.auth.credentials.source=OAUTHBEARER
+ bearer.auth.issuer.endpoint.url=http://localhost:8081/oauth/token
+ bearer.auth.client.id=%s
+ bearer.auth.client.secret=%s
+ """.formatted(OAUTH_CLIENT_ID, OAUTH_SECRET)
+ ),
+ new TestInput(
+ "With OAuth for Kafka and SR over TLS",
+ kafka,
+ OAUTH_CREDENTIALS,
+ schemaRegistry,
+ OAUTH_CREDENTIALS,
+ ONE_WAY_TLS_CONFIG,
+ ONE_WAY_TLS_CONFIG,
+ false,
+ null,
+ """
+ bootstrap.servers=localhost:9092
+ security.protocol=SASL_SSL
+ sasl.mechanism=OAUTHBEARER
+ sasl.oauthbearer.token.endpoint.url=http://localhost:8081/oauth/token
+ sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
+ sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required clientId="%s" clientSecret="%s"
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ """.formatted(
+ OAUTH_CLIENT_ID, OAUTH_SECRET, MTLS_TRUSTSTORE_PATH, MTLS_TRUSTSTORE_PASSWORD),
+ """
+ schema.registry.url=http://localhost:8081
+ bearer.auth.credentials.source=OAUTHBEARER
+ bearer.auth.issuer.endpoint.url=http://localhost:8081/oauth/token
+ bearer.auth.client.id=%s
+ bearer.auth.client.secret=%s
+ ssl.truststore.location=%s
+ ssl.truststore.password=%s
+ """.formatted(
+ OAUTH_CLIENT_ID, OAUTH_SECRET, MTLS_TRUSTSTORE_PATH, MTLS_TRUSTSTORE_PASSWORD)
+ ),
+ new TestInput(
+ "With OAuth with scopes for Kafka and SR",
+ kafka,
+ OAUTH_CREDENTIALS_WITH_SCOPE,
+ schemaRegistry,
+ OAUTH_CREDENTIALS_WITH_SCOPE,
+ TLS_DISABLED,
+ TLS_DISABLED,
+ false,
+ null,
+ """
+ bootstrap.servers=localhost:9092
+ security.protocol=SASL_PLAINTEXT
+ sasl.mechanism=OAUTHBEARER
+ sasl.oauthbearer.token.endpoint.url=http://localhost:8081/oauth/token
+ sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
+ sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required clientId="%s" clientSecret="%s" scope="%s"
+ """.formatted(OAUTH_CLIENT_ID, OAUTH_SECRET, OAUTH_SCOPE),
+ """
+ schema.registry.url=http://localhost:8081
+ bearer.auth.credentials.source=OAUTHBEARER
+ bearer.auth.issuer.endpoint.url=http://localhost:8081/oauth/token
+ bearer.auth.client.id=%s
+ bearer.auth.client.secret=%s
+ bearer.auth.scope=%s
+ """.formatted(OAUTH_CLIENT_ID, OAUTH_SECRET, OAUTH_SCOPE)
+ ),
+ new TestInput(
+ "With OAuth for Kafka and SR and disable server hostname verification",
+ kafka,
+ OAUTH_CREDENTIALS,
+ schemaRegistry,
+ OAUTH_CREDENTIALS,
+ HOSTNAME_VERIFICATION_DISABLED,
+ HOSTNAME_VERIFICATION_DISABLED,
+ false,
+ null,
+ """
+ bootstrap.servers=localhost:9092
+ security.protocol=SASL_SSL
+ ssl.endpoint.identification.algorithm=
+ sasl.mechanism=OAUTHBEARER
+ sasl.oauthbearer.token.endpoint.url=http://localhost:8081/oauth/token
+ sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
+ sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required clientId="%s" clientSecret="%s"
+ """.formatted(OAUTH_CLIENT_ID, OAUTH_SECRET),
+ """
+ schema.registry.url=http://localhost:8081
+ bearer.auth.credentials.source=OAUTHBEARER
+ bearer.auth.issuer.endpoint.url=http://localhost:8081/oauth/token
+ bearer.auth.client.id=%s
+ bearer.auth.client.secret=%s
+ ssl.endpoint.identification.algorithm=
+ """.formatted(OAUTH_CLIENT_ID, OAUTH_SECRET)
)
);
return inputs
@@ -273,12 +651,14 @@ record TestInput(
expectGetKafkaCredentialsFromConnection(input.kafkaCredentials);
expectGetSchemaRegistryCredentialsFromConnection(input.srCredentials);
- var options = new KafkaConnectionOptions(
- input.ssl,
- input.verifyUnsignedCertificates,
- input.redact
- );
+ expectGetKafkaTLSConfigFromConnection(input.kafkaTLSConfig);
+ expectGetSchemaRegistryTLSConfigFromConnection(input.schemaRegistryTLSConfig);
+ var options = new KafkaConnectionOptions(input.redact, input.kafkaTLSConfig);
expectGetKafkaConnectionOptions(options);
+ var srOptions = new SchemaRegistryConnectionOptions(
+ input.redact, input.schemaRegistryTLSConfig, null
+ );
+ expectGetSchemaRegistryConnectionOptions(srOptions);
// The Kafka config without SR should match
var kafkaConfig = ClientConfigurator.getKafkaClientConfig(
@@ -351,6 +731,11 @@ void expectGetKafkaConnectionOptions(KafkaConnectionOptions options) {
.thenReturn(options);
}
+ void expectGetSchemaRegistryConnectionOptions(SchemaRegistryConnectionOptions options) {
+ when(connection.getSchemaRegistryOptions())
+ .thenReturn(options);
+ }
+
void expectGetKafkaCredentialsFromConnection(Credentials credentials) {
when(connection.getKafkaCredentials())
.thenReturn(Optional.ofNullable(credentials));
@@ -361,6 +746,16 @@ void expectGetSchemaRegistryCredentialsFromConnection(Credentials credentials) {
.thenReturn(Optional.ofNullable(credentials));
}
+ void expectGetKafkaTLSConfigFromConnection(TLSConfig tlsConfig) {
+ when(connection.getKafkaTLSConfig())
+ .thenReturn(Optional.ofNullable(tlsConfig));
+ }
+
+ void expectGetSchemaRegistryTLSConfigFromConnection(TLSConfig tlsConfig) {
+ when(connection.getSchemaRegistryTLSConfig())
+ .thenReturn(Optional.ofNullable(tlsConfig));
+ }
+
void assertMapsEquals(Map expected, Map actual, String message) {
expected.forEach((k, v) -> {
var actualValue = actual.get(k);
diff --git a/src/test/java/io/confluent/idesidecar/restapi/integration/AbstractIT.java b/src/test/java/io/confluent/idesidecar/restapi/integration/AbstractIT.java
index 109b2bb3..a316549d 100644
--- a/src/test/java/io/confluent/idesidecar/restapi/integration/AbstractIT.java
+++ b/src/test/java/io/confluent/idesidecar/restapi/integration/AbstractIT.java
@@ -274,7 +274,8 @@ protected void setupConnection(
Class testClass,
Optional connectionSpec
) {
- setupConnection(testClass.getSimpleName(), connectionSpec.orElseThrow());
+ var fullyQualifiedName = testClass.getName();
+ setupConnection(fullyQualifiedName, connectionSpec.orElseThrow());
}
/**
diff --git a/src/test/java/io/confluent/idesidecar/restapi/integration/ConfluentPlatformIT.java b/src/test/java/io/confluent/idesidecar/restapi/integration/ConfluentPlatformIT.java
index 31260367..8aaa7f06 100644
--- a/src/test/java/io/confluent/idesidecar/restapi/integration/ConfluentPlatformIT.java
+++ b/src/test/java/io/confluent/idesidecar/restapi/integration/ConfluentPlatformIT.java
@@ -1,8 +1,27 @@
package io.confluent.idesidecar.restapi.integration;
-import io.confluent.idesidecar.restapi.util.LocalTestEnvironment;
+import io.confluent.idesidecar.restapi.kafkarest.RecordsV3ErrorsSuite;
+import io.confluent.idesidecar.restapi.kafkarest.RecordsV3Suite;
+import io.confluent.idesidecar.restapi.kafkarest.RecordsV3WithoutSRSuite;
+import io.confluent.idesidecar.restapi.kafkarest.api.TopicV3Suite;
+import io.confluent.idesidecar.restapi.testutil.NoAccessFilterProfile;
+import io.confluent.idesidecar.restapi.util.CPDemoTestEnvironment;
+import io.confluent.idesidecar.restapi.util.TestEnvironment;
+import io.quarkus.test.junit.QuarkusIntegrationTest;
+import io.quarkus.test.junit.TestProfile;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Tag;
+import org.junit.jupiter.api.TestInstance;
+import org.junitpioneer.jupiter.SetSystemProperty;
+@QuarkusIntegrationTest
+@Tag("io.confluent.common.utils.IntegrationTest")
+// This could be used by tests to determine if they are running in the CP test environment
+// and adjust their behavior.
+@SetSystemProperty(key = "running-in-cp-test-environment", value = "true")
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
public class ConfluentPlatformIT {
/**
@@ -11,7 +30,7 @@ public class ConfluentPlatformIT {
* test classes extend this class. Testcontainers will assure that this is initialized once,
* and stop the containers using the Ryuk container after all the tests have run.
*/
- private static final LocalTestEnvironment TEST_ENVIRONMENT = new LocalTestEnvironment();
+ private static final CPDemoTestEnvironment TEST_ENVIRONMENT = new CPDemoTestEnvironment();
static {
// Start up the test environment before any tests are run.
@@ -19,6 +38,10 @@ public class ConfluentPlatformIT {
TEST_ENVIRONMENT.start();
}
+ @AfterAll
+ static void afterAll() {
+ TEST_ENVIRONMENT.shutdown();
+ }
@Nested
class DirectWithMutualTLSConnectionTests {
@@ -30,6 +53,64 @@ class DirectWithOauthConnectionTests {
}
+ @Nested
+ class DirectWithBasicAuthConnectionTests {
+ @QuarkusIntegrationTest
+ @Tag("io.confluent.common.utils.IntegrationTest")
+ @TestProfile(NoAccessFilterProfile.class)
+ @Nested
+ @TestInstance(TestInstance.Lifecycle.PER_CLASS)
+ class TopicTests extends AbstractIT implements TopicV3Suite {
+
+ @Override
+ public CPDemoTestEnvironment environment() {
+ return TEST_ENVIRONMENT;
+ }
+
+ @BeforeEach
+ @Override
+ public void setupConnection() {
+ setupConnection(this, environment().directConnectionBasicAuth());
+ }
+ }
+ }
+
+ @QuarkusIntegrationTest
+ @Tag("io.confluent.common.utils.IntegrationTest")
+ @TestProfile(NoAccessFilterProfile.class)
+ @Nested
+ class WithoutSRRecordTests extends AbstractIT implements
+ RecordsV3WithoutSRSuite {
+ @Override
+ public CPDemoTestEnvironment environment() {
+ return TEST_ENVIRONMENT;
+ }
+ @BeforeEach
+ @Override
+ public void setupConnection() {
+ setupConnection(this, environment().directConnectionSpecWithoutSR());
+ }
+ }
+
+ @QuarkusIntegrationTest
+ @Tag("io.confluent.common.utils.IntegrationTest")
+ @TestProfile(NoAccessFilterProfile.class)
+ @Nested
+ @TestInstance(TestInstance.Lifecycle.PER_CLASS)
+ class RecordTests extends AbstractIT implements
+ RecordsV3Suite, RecordsV3ErrorsSuite {
+
+ @Override
+ public CPDemoTestEnvironment environment() {
+ return TEST_ENVIRONMENT;
+ }
+
+ @BeforeEach
+ @Override
+ public void setupConnection() {
+ setupConnection(this, TestEnvironment::directConnectionSpec);
+ }
+ }
}
diff --git a/src/test/java/io/confluent/idesidecar/restapi/integration/LocalIT.java b/src/test/java/io/confluent/idesidecar/restapi/integration/LocalIT.java
index 4577bba4..c4be45a5 100644
--- a/src/test/java/io/confluent/idesidecar/restapi/integration/LocalIT.java
+++ b/src/test/java/io/confluent/idesidecar/restapi/integration/LocalIT.java
@@ -2,9 +2,9 @@
import io.confluent.idesidecar.restapi.integration.connection.DirectConnectionSuite;
import io.confluent.idesidecar.restapi.integration.connection.LocalConnectionSuite;
+import io.confluent.idesidecar.restapi.kafkarest.RecordsV3DryRunSuite;
import io.confluent.idesidecar.restapi.kafkarest.RecordsV3ErrorsSuite;
import io.confluent.idesidecar.restapi.kafkarest.RecordsV3Suite;
-import io.confluent.idesidecar.restapi.kafkarest.RecordsV3DryRunSuite;
import io.confluent.idesidecar.restapi.kafkarest.RecordsV3WithoutSRSuite;
import io.confluent.idesidecar.restapi.kafkarest.api.ClusterV3Suite;
import io.confluent.idesidecar.restapi.kafkarest.api.PartitionV3Suite;
@@ -18,12 +18,12 @@
import io.confluent.idesidecar.restapi.util.TestEnvironment;
import io.quarkus.test.junit.QuarkusIntegrationTest;
import io.quarkus.test.junit.TestProfile;
+import java.util.Optional;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Tag;
-import java.util.Optional;
public class LocalIT {
diff --git a/src/test/java/io/confluent/idesidecar/restapi/kafkarest/RecordsV3BaseSuite.java b/src/test/java/io/confluent/idesidecar/restapi/kafkarest/RecordsV3BaseSuite.java
index 579468db..c8d58441 100644
--- a/src/test/java/io/confluent/idesidecar/restapi/kafkarest/RecordsV3BaseSuite.java
+++ b/src/test/java/io/confluent/idesidecar/restapi/kafkarest/RecordsV3BaseSuite.java
@@ -1,6 +1,7 @@
package io.confluent.idesidecar.restapi.kafkarest;
import static io.confluent.idesidecar.restapi.util.ResourceIOUtil.loadResource;
+import static org.awaitility.Awaitility.await;
import static org.hamcrest.Matchers.equalTo;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -13,6 +14,7 @@
import io.confluent.idesidecar.restapi.kafkarest.model.ProduceRequestData;
import io.confluent.idesidecar.restapi.messageviewer.data.SimpleConsumeMultiPartitionRequestBuilder;
import io.confluent.kafka.schemaregistry.client.rest.entities.Schema;
+import java.time.Duration;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
@@ -143,8 +145,8 @@ default void produceAndConsume(RecordData key, RecordData value) {
// Create topic with a single partition
createTopic(topicName);
- Schema keySchema = null, valueSchema = null;
- String keySubject = null, valueSubject = null;
+ Schema keySchema, valueSchema;
+ String keySubject, valueSubject;
// Create key schema if not null
if (key.hasSchema()) {
@@ -154,6 +156,9 @@ default void produceAndConsume(RecordData key, RecordData value) {
key.schemaFormat().name(),
key.rawSchema()
);
+ } else {
+ keySubject = null;
+ keySchema = null;
}
// Create value schema if not null
@@ -164,41 +169,55 @@ default void produceAndConsume(RecordData key, RecordData value) {
value.schemaFormat().name(),
value.rawSchema()
);
+ } else {
+ valueSubject = null;
+ valueSchema = null;
}
// Produce record to topic
- var resp = produceRecordThen(
- topicName,
- ProduceRequest
- .builder()
- .partitionId(null)
- .key(
- ProduceRequestData
- .builder()
- .schemaVersion(Optional.ofNullable(keySchema).map(Schema::getVersion).orElse(null))
- .data(key.data())
- .subject(keySubject)
- .subjectNameStrategy(
- Optional.ofNullable(key.subjectNameStrategy).map(Enum::toString).orElse(null)
- )
- .build()
- )
- .value(
- ProduceRequestData
- .builder()
- .schemaVersion(Optional.ofNullable(valueSchema).map(Schema::getVersion).orElse(null))
- .data(value.data())
- .subject(valueSubject)
- .subjectNameStrategy(
- Optional.ofNullable(value.subjectNameStrategy).map(Enum::toString).orElse(null)
- )
- .build()
- )
- .build()
- );
+ var produceRequest = ProduceRequest
+ .builder()
+ .partitionId(null)
+ .key(
+ ProduceRequestData
+ .builder()
+ .schemaVersion(Optional.ofNullable(keySchema).map(Schema::getVersion).orElse(null))
+ .data(key.data())
+ .subject(keySubject)
+ .subjectNameStrategy(
+ Optional.ofNullable(key.subjectNameStrategy).map(Enum::toString).orElse(null)
+ )
+ .build()
+ )
+ .value(
+ ProduceRequestData
+ .builder()
+ .schemaVersion(Optional.ofNullable(valueSchema).map(Schema::getVersion).orElse(null))
+ .data(value.data())
+ .subject(valueSubject)
+ .subjectNameStrategy(
+ Optional.ofNullable(value.subjectNameStrategy).map(Enum::toString).orElse(null)
+ )
+ .build()
+ )
+ .build();
+
+ // Send produce request
+ var resp = produceRecordThen(topicName, produceRequest);
if (key.data() != null || value.data() != null) {
- resp.statusCode(200);
+ // Retry if 404
+ if (resp.extract().statusCode() == 404) {
+ // Keep trying until 200
+ await()
+ .atMost(Duration.ofSeconds(10))
+ .pollInterval(Duration.ofMillis(500))
+ .untilAsserted(() -> {
+ var retry = produceRecordThen(topicName, produceRequest);
+ assertEquals(200, retry.extract().statusCode());
+ });
+ }
+
assertTopicHasRecord(key, value, topicName);
} else {
// A "SadPath" test in a "HappyPath" test?! Blasphemy!
diff --git a/src/test/java/io/confluent/idesidecar/restapi/kafkarest/RecordsV3ErrorsSuite.java b/src/test/java/io/confluent/idesidecar/restapi/kafkarest/RecordsV3ErrorsSuite.java
index 1bef15db..c4047fbf 100644
--- a/src/test/java/io/confluent/idesidecar/restapi/kafkarest/RecordsV3ErrorsSuite.java
+++ b/src/test/java/io/confluent/idesidecar/restapi/kafkarest/RecordsV3ErrorsSuite.java
@@ -1,16 +1,19 @@
package io.confluent.idesidecar.restapi.kafkarest;
import static io.confluent.idesidecar.restapi.util.ResourceIOUtil.loadResource;
+import static org.awaitility.Awaitility.await;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.matchesRegex;
import io.confluent.idesidecar.restapi.kafkarest.model.ProduceRequest;
import io.confluent.idesidecar.restapi.kafkarest.model.ProduceRequestData;
+import java.time.Duration;
import java.util.List;
import java.util.Map;
import java.util.stream.Stream;
import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.DisabledIfSystemProperty;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;
@@ -256,24 +259,30 @@ static Stream unsupportedSchemaDetails() {
default void shouldThrowNotImplementedForUnsupportedSchemaDetails(ProduceRequestData data) {
var topic = randomTopicName();
createTopic(topic);
- produceRecordThen(
- topic,
- ProduceRequest
- .builder()
- .partitionId(null)
- // Doesn't matter if key or value, the schema details within
- // should trigger the 501 response
- .key(data)
- .value(data)
- .build()
- )
- .statusCode(400)
- .body("message", equalTo(
- "This endpoint does not support specifying schema ID, type, schema, standalone subject or subject name strategy."
- ));
+
+ await()
+ .atMost(Duration.ofSeconds(10))
+ .untilAsserted(() ->
+ produceRecordThen(
+ topic,
+ ProduceRequest
+ .builder()
+ .partitionId(null)
+ // Doesn't matter if key or value, the schema details within
+ // should trigger the 501 response
+ .key(data)
+ .value(data)
+ .build()
+ )
+ .statusCode(400)
+ .body("message", equalTo(
+ "This endpoint does not support specifying schema ID, type, schema, standalone subject or subject name strategy."
+ )));
}
@Test
+ // TODO: Figure out why this test fails for cp-demo
+ @DisabledIfSystemProperty(named = "running-in-cp-test-environment", matches = "true")
default void shouldHandleWrongTopicNameStrategy() {
var topic = randomTopicName();
createTopic(topic);
diff --git a/src/test/java/io/confluent/idesidecar/restapi/kafkarest/api/TopicV3Suite.java b/src/test/java/io/confluent/idesidecar/restapi/kafkarest/api/TopicV3Suite.java
index 52f7f587..f14a226a 100644
--- a/src/test/java/io/confluent/idesidecar/restapi/kafkarest/api/TopicV3Suite.java
+++ b/src/test/java/io/confluent/idesidecar/restapi/kafkarest/api/TopicV3Suite.java
@@ -1,9 +1,11 @@
package io.confluent.idesidecar.restapi.kafkarest.api;
import static io.confluent.idesidecar.restapi.util.ConfluentLocalKafkaWithRestProxyContainer.CLUSTER_ID;
+import static org.awaitility.Awaitility.await;
import static org.hamcrest.Matchers.equalTo;
import io.confluent.idesidecar.restapi.integration.ITSuite;
+import java.time.Duration;
import org.junit.jupiter.api.Test;
public interface TopicV3Suite extends ITSuite {
@@ -39,11 +41,16 @@ default void shouldDeleteKafkaTopic() {
.statusCode(204);
// List topics should not contain the topic name
- givenDefault()
- .get("/internal/kafka/v3/clusters/{cluster_id}/topics")
- .then()
- .statusCode(200)
- .body("data.find { it.topic_name == 'test-topic-delete-me' }", equalTo(null));
+ await().atMost(Duration.ofSeconds(10)).until(
+ () -> !givenDefault()
+ .get("/internal/kafka/v3/clusters/{cluster_id}/topics")
+ .then()
+ .extract()
+ .body()
+ .jsonPath()
+ .getList("data.topic_name")
+ .contains("test-topic-delete-me")
+ );
}
@Test
diff --git a/src/test/java/io/confluent/idesidecar/restapi/models/graph/RealDirectFetcherTest.java b/src/test/java/io/confluent/idesidecar/restapi/models/graph/RealDirectFetcherTest.java
index f9a85f5f..c53c3557 100644
--- a/src/test/java/io/confluent/idesidecar/restapi/models/graph/RealDirectFetcherTest.java
+++ b/src/test/java/io/confluent/idesidecar/restapi/models/graph/RealDirectFetcherTest.java
@@ -9,6 +9,9 @@
import io.confluent.idesidecar.restapi.connections.ConnectionStateManager;
import io.confluent.idesidecar.restapi.connections.DirectConnectionState;
import io.confluent.idesidecar.restapi.models.ConnectionSpec;
+import io.confluent.idesidecar.restapi.models.ConnectionSpecBuilder;
+import io.confluent.idesidecar.restapi.models.ConnectionSpecKafkaClusterConfigBuilder;
+import io.confluent.idesidecar.restapi.models.ConnectionSpecSchemaRegistryConfigBuilder;
import io.confluent.kafka.schemaregistry.client.MockSchemaRegistryClient;
import io.confluent.kafka.schemaregistry.client.SchemaRegistryClient;
import io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException;
@@ -33,53 +36,51 @@ public class RealDirectFetcherTest {
private static final String SR_CLUSTER_ID = "schema-registry-1";
private static final String SR_URL = "http://localhost:123456";
private static final Duration ONE_SECOND = Duration.ofSeconds(1);
- private static final ConnectionSpec KAFKA_AND_SR_SPEC = new ConnectionSpec(
- CONNECTION_ID,
- "my connection",
- ConnectionSpec.ConnectionType.DIRECT,
- null,
- null,
- new ConnectionSpec.KafkaClusterConfig(
- KAFKA_BOOTSTRAP_SERVERS,
- null,
- false,
- false
- ),
- new ConnectionSpec.SchemaRegistryConfig(
- SR_CLUSTER_ID,
- SR_URL,
- null
+ private static final ConnectionSpec KAFKA_AND_SR_SPEC = ConnectionSpecBuilder
+ .builder()
+ .id(CONNECTION_ID)
+ .name("my connection")
+ .type(ConnectionSpec.ConnectionType.DIRECT)
+ .kafkaClusterConfig(
+ ConnectionSpecKafkaClusterConfigBuilder
+ .builder()
+ .bootstrapServers(KAFKA_BOOTSTRAP_SERVERS)
+ .build()
)
- );
-
- private static final ConnectionSpec NO_KAFKA_SPEC = new ConnectionSpec(
- CONNECTION_ID,
- "my connection",
- ConnectionSpec.ConnectionType.DIRECT,
- null,
- null,
- null,
- new ConnectionSpec.SchemaRegistryConfig(
- SR_CLUSTER_ID,
- SR_URL,
- null
+ .schemaRegistryConfig(
+ ConnectionSpecSchemaRegistryConfigBuilder
+ .builder()
+ .uri(SR_URL)
+ .id(SR_CLUSTER_ID)
+ .build()
)
- );
-
- private static final ConnectionSpec NO_SR_SPEC = new ConnectionSpec(
- CONNECTION_ID,
- "my connection",
- ConnectionSpec.ConnectionType.DIRECT,
- null,
- null,
- new ConnectionSpec.KafkaClusterConfig(
- KAFKA_BOOTSTRAP_SERVERS,
- null,
- false,
- false
- ),
- null
- );
+ .build();
+
+ private static final ConnectionSpec NO_KAFKA_SPEC = ConnectionSpecBuilder
+ .builder()
+ .id(CONNECTION_ID)
+ .name("my connection")
+ .type(ConnectionSpec.ConnectionType.DIRECT)
+ .schemaRegistryConfig(
+ ConnectionSpecSchemaRegistryConfigBuilder
+ .builder()
+ .uri(SR_URL)
+ .id(SR_CLUSTER_ID)
+ .build()
+ )
+ .build();
+
+ private static final ConnectionSpec NO_SR_SPEC = ConnectionSpecBuilder
+ .builder()
+ .id(CONNECTION_ID)
+ .name("my connection")
+ .type(ConnectionSpec.ConnectionType.DIRECT)
+ .kafkaClusterConfig(ConnectionSpecKafkaClusterConfigBuilder
+ .builder()
+ .bootstrapServers(KAFKA_BOOTSTRAP_SERVERS)
+ .build()
+ )
+ .build();
@InjectMock
ConnectionStateManager connections;
diff --git a/src/test/java/io/confluent/idesidecar/restapi/resources/ConnectionsResourceTest.java b/src/test/java/io/confluent/idesidecar/restapi/resources/ConnectionsResourceTest.java
index f645f7f7..3edd81e7 100644
--- a/src/test/java/io/confluent/idesidecar/restapi/resources/ConnectionsResourceTest.java
+++ b/src/test/java/io/confluent/idesidecar/restapi/resources/ConnectionsResourceTest.java
@@ -31,7 +31,8 @@
import io.confluent.idesidecar.restapi.models.ConnectionSpec;
import io.confluent.idesidecar.restapi.models.ConnectionSpec.CCloudConfig;
import io.confluent.idesidecar.restapi.models.ConnectionSpec.ConnectionType;
-import io.confluent.idesidecar.restapi.models.ConnectionSpec.SchemaRegistryConfig;
+import io.confluent.idesidecar.restapi.models.ConnectionSpecBuilder;
+import io.confluent.idesidecar.restapi.models.ConnectionSpecSchemaRegistryConfigBuilder;
import io.confluent.idesidecar.restapi.models.ConnectionStatus;
import io.confluent.idesidecar.restapi.models.ConnectionStatus.Authentication.Status;
import io.confluent.idesidecar.restapi.models.ConnectionStatus.ConnectedState;
@@ -530,13 +531,14 @@ void updateConnectionWithMultipleValidationErrors() {
ccloudTestUtil.createConnection("c1", "Connection 1", ConnectionType.LOCAL);
// This connection spec is not valid
- var badSpec = new ConnectionSpec(
- "c3", "Connection name changed!", ConnectionType.PLATFORM,
- new CCloudConfig("org-id"),
- null,
- null,
- null
- );
+ var badSpec = ConnectionSpecBuilder
+ .builder()
+ .id("c3")
+ .name("Connection name changed!")
+ .type(ConnectionType.PLATFORM)
+ .ccloudConfig(new CCloudConfig("org-id"))
+ .build();
+
var response = given()
.contentType(ContentType.JSON)
.body(badSpec)
@@ -1101,7 +1103,6 @@ record TestInput(
.withSource("kafka_cluster")
.withDetail("Kafka cluster configuration is not allowed when type is LOCAL")
),
-
// CCloud connections
new TestInput(
"CCloud spec is valid with name and no config",
@@ -1219,7 +1220,6 @@ record TestInput(
.withSource("schema_registry")
.withDetail( "Schema Registry configuration is not allowed when type is CCLOUD")
),
-
// Direct connections
new TestInput(
"Direct spec is valid with name and no config",
@@ -1237,7 +1237,8 @@ record TestInput(
"name": "Some connection name",
"type": "DIRECT",
"kafka_cluster": {
- "bootstrap_servers": "localhost:9092"
+ "bootstrap_servers": "localhost:9092",
+ "ssl": { "enabled": true }
}
}
"""
@@ -1253,7 +1254,8 @@ record TestInput(
"credentials": {
"username": "user",
"password": "pass"
- }
+ },
+ "ssl": { "enabled": true }
}
}
"""
@@ -1265,7 +1267,8 @@ record TestInput(
"name": "Some connection name",
"type": "DIRECT",
"schema_registry": {
- "uri": "http://localhost:8081"
+ "uri": "http://localhost:8081",
+ "ssl": { "enabled": true }
}
}
"""
@@ -1280,7 +1283,110 @@ record TestInput(
"bootstrap_servers": "localhost:9092"
},
"schema_registry": {
- "uri": "http://localhost:8081"
+ "uri": "http://localhost:8081",
+ "ssl": { "enabled": true }
+ }
+ }
+ """
+ ),
+ new TestInput(
+ "Direct spec is valid with Kafka and verify server certificate hostname",
+ """
+ {
+ "name": "Some connection name",
+ "type": "DIRECT",
+ "kafka_cluster": {
+ "bootstrap_servers": "localhost:9092",
+ "ssl": { "enabled": true, "verify_hostname": true}
+ }
+ }
+ """
+ ),
+ new TestInput(
+ "Direct spec is valid with Kafka and don't verify server certificate hostname",
+ """
+ {
+ "name": "Some connection name",
+ "type": "DIRECT",
+ "kafka_cluster": {
+ "bootstrap_servers": "localhost:9092",
+ "ssl": { "enabled": true, "verify_hostname": false}
+ }
+ }
+ """
+ ),
+ new TestInput(
+ "Direct spec is valid with Kafka and SR over TLS",
+ """
+ {
+ "name": "Some connection name",
+ "type": "DIRECT",
+ "kafka_cluster": {
+ "bootstrap_servers": "localhost:9092",
+ "ssl": {
+ "enabled": true,
+ "truststore": {
+ "path": "/path/to/truststore.jks",
+ "password": "truststore-password"
+ }
+ }
+ },
+ "schema_registry": {
+ "uri": "https://localhost:8081"
+ }
+ }
+ """
+ ),
+ new TestInput(
+ "Direct spec is valid over SSL with truststore path only",
+ """
+ {
+ "name": "Connection 1",
+ "type": "DIRECT",
+ "kafka_cluster": {
+ "bootstrap_servers": "localhost:9092",
+ "ssl": {
+ "truststore": {
+ "path": "/path/to/truststore.jks"
+ }
+ }
+ }
+ }
+ """
+ ),
+ new TestInput(
+ "Direct spec is valid with Kafka and SR over mutual TLS",
+ """
+ {
+ "name": "Some connection name",
+ "type": "DIRECT",
+ "kafka_cluster": {
+ "bootstrap_servers": "localhost:9092",
+ "ssl": {
+ "truststore": {
+ "path": "/path/to/truststore.jks",
+ "password": "truststore-password"
+ },
+ "keystore": {
+ "path": "/path/to/keystore.jks",
+ "password": "keystore-password",
+ "key_password": "key-password"
+ }
+ }
+ },
+ "schema_registry": {
+ "uri": "https://localhost:8081",
+ "ssl": {
+ "truststore": {
+ "path": "/path/to/truststore.jks",
+ "password": "truststore-password"
+ },
+ "keystore": {
+ "path": "/path/to/keystore.jks",
+ "password": "keystore-password",
+ "key_password": "key-password"
+ }
+ }
}
}
"""
@@ -1349,6 +1455,70 @@ record TestInput(
.withSource("ccloud_config")
.withDetail("CCloud configuration is not allowed when type is DIRECT")
),
+ new TestInput(
+ "Direct spec is invalid with SSL without truststore path",
+ """
+ {
+ "name": "Connection 1",
+ "type": "DIRECT",
+ "kafka_cluster": {
+ "bootstrap_servers": "localhost:9092",
+ "ssl": {
+ "truststore": {
+ "password": "truststore-password"
+ }
+ }
+ }
+ }
+ """,
+ createError()
+ .withSource("kafka_cluster.ssl.truststore.path")
+ .withDetail("Kafka cluster truststore path is required and may not be blank")
+ ),
+ new TestInput(
+ "Direct spec is valid with SSL having keystore only",
+ """
+ {
+ "name": "Connection 1",
+ "type": "DIRECT",
+ "kafka_cluster": {
+ "bootstrap_servers": "localhost:9092",
+ "ssl": {
+ "keystore": {
+ "path": "/path/to/keystore.jks",
+ "password": "keystore-password",
+ "key_password": "key-password"
+ }
+ }
+ }
+ }
+ """
+ ),
+ new TestInput(
+ "Direct spec is invalid with SSL keystore not having path",
+ """
+ {
+ "name": "Connection 1",
+ "type": "DIRECT",
+ "kafka_cluster": {
+ "bootstrap_servers": "localhost:9092",
+ "ssl": {
+ "truststore": {
+ "path": "/path/to/truststore.jks",
+ "password": "truststore-password"
+ },
+ "keystore": {
+ "password": "keystore-password",
+ "key_password": "key-password"
+ }
+ }
+ }
+ }
+ """,
+ createError()
+ .withSource("kafka_cluster.ssl.keystore.path")
+ .withDetail("Kafka cluster keystore path is required and may not be blank")
+ ),
// Combination
new TestInput(
@@ -1443,11 +1613,10 @@ record TestInput(
validLocalSpec
.withoutLocalConfig()
.withSchemaRegistry(
- new SchemaRegistryConfig(
- null,
- "http://localhost:8081",
- null
- )
+ ConnectionSpecSchemaRegistryConfigBuilder
+ .builder()
+ .uri("http://localhost:8081")
+ .build()
)
),
new TestInput(
@@ -1456,14 +1625,14 @@ record TestInput(
validLocalSpec
.withoutLocalConfig()
.withSchemaRegistry(
- new SchemaRegistryConfig(
- null,
- "http://localhost:8081",
- new BasicCredentials(
+ ConnectionSpecSchemaRegistryConfigBuilder
+ .builder()
+ .uri("http://localhost:8081")
+ .credentials(new BasicCredentials(
"user",
new Password("pass".toCharArray())
- )
- )
+ ))
+ .build()
)
),
new TestInput(
@@ -1472,14 +1641,14 @@ record TestInput(
validLocalSpec
.withoutLocalConfig()
.withSchemaRegistry(
- new SchemaRegistryConfig(
- null,
- "http://localhost:8081",
- new ApiKeyAndSecret(
+ ConnectionSpecSchemaRegistryConfigBuilder
+ .builder()
+ .uri("http://localhost:8081")
+ .credentials(new ApiKeyAndSecret(
"api-key-123",
new ApiSecret("api-secret-123456".toCharArray())
- )
- )
+ ))
+ .build()
)
),
new TestInput(
diff --git a/src/test/java/io/confluent/idesidecar/restapi/util/CCloudTestUtil.java b/src/test/java/io/confluent/idesidecar/restapi/util/CCloudTestUtil.java
index 59a239d1..b5a671cc 100644
--- a/src/test/java/io/confluent/idesidecar/restapi/util/CCloudTestUtil.java
+++ b/src/test/java/io/confluent/idesidecar/restapi/util/CCloudTestUtil.java
@@ -19,6 +19,7 @@
import io.confluent.idesidecar.restapi.models.ConnectionSpec;
import io.confluent.idesidecar.restapi.models.ConnectionSpec.CCloudConfig;
import io.confluent.idesidecar.restapi.models.ConnectionSpec.ConnectionType;
+import io.confluent.idesidecar.restapi.models.ConnectionSpecBuilder;
import io.vertx.core.json.JsonObject;
import jakarta.ws.rs.core.MediaType;
import java.io.IOException;
@@ -256,15 +257,12 @@ public ConnectionSpec createConnection(
ConnectionType connectionType
) {
return createConnection(
- new ConnectionSpec(
- connectionId,
- connectionName,
- connectionType,
- null,
- null,
- null,
- null
- )
+ ConnectionSpecBuilder
+ .builder()
+ .id(connectionId)
+ .name(connectionName)
+ .type(connectionType)
+ .build()
);
}
diff --git a/src/test/java/io/confluent/idesidecar/restapi/util/CPDemoTestEnvironment.java b/src/test/java/io/confluent/idesidecar/restapi/util/CPDemoTestEnvironment.java
new file mode 100644
index 00000000..59fda14c
--- /dev/null
+++ b/src/test/java/io/confluent/idesidecar/restapi/util/CPDemoTestEnvironment.java
@@ -0,0 +1,449 @@
+package io.confluent.idesidecar.restapi.util;
+
+import static org.junit.jupiter.api.Assertions.fail;
+
+import com.github.dockerjava.api.model.Container;
+import io.confluent.idesidecar.restapi.credentials.*;
+import io.confluent.idesidecar.restapi.models.ConnectionSpec;
+import io.confluent.idesidecar.restapi.models.ConnectionSpecKafkaClusterConfigBuilder;
+import io.confluent.idesidecar.restapi.models.ConnectionSpecSchemaRegistryConfigBuilder;
+import io.confluent.idesidecar.restapi.util.cpdemo.CPServerContainer;
+import io.confluent.idesidecar.restapi.util.cpdemo.OpenldapContainer;
+import io.confluent.idesidecar.restapi.util.cpdemo.SchemaRegistryContainer;
+import io.confluent.idesidecar.restapi.util.cpdemo.ToolsContainer;
+import io.confluent.idesidecar.restapi.util.cpdemo.ZookeeperContainer;
+import io.quarkus.logging.Log;
+import java.io.File;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import org.junit.runner.Description;
+import org.junit.runners.model.Statement;
+import org.junitpioneer.jupiter.SetEnvironmentVariable;
+import org.testcontainers.DockerClientFactory;
+import org.testcontainers.containers.Network;
+import org.testcontainers.containers.wait.strategy.Wait;
+import org.testcontainers.lifecycle.Startables;
+import org.testcontainers.utility.TestcontainersConfiguration;
+
+/**
+ * A {@link TestEnvironment} that starts a CP Demo environment with a two-node Kafka cluster,
+ * Zookeeper, OpenLDAP, and Schema Registry.
+ * Modeled after https://github.com/confluentinc/cp-demo/blob/7.7.1-post/docker-compose.yml
+ */
+public class CPDemoTestEnvironment implements TestEnvironment {
+ private Network network;
+ private ToolsContainer tools;
+ private ZookeeperContainer zookeeper;
+ private OpenldapContainer ldap;
+ private CPServerContainer kafka1;
+ private CPServerContainer kafka2;
+ private SchemaRegistryContainer schemaRegistry;
+
+ private static final List CP_DEMO_CONTAINERS = List.of(
+ "tools", "zookeeper", "kafka1", "kafka2", "openldap", "schemaregistry"
+ );
+
+ @Override
+ public void start() {
+ // If we see that some but not all cp-demo containers are in running state,
+ // complain and exit.
+ var cpDemoRunning = isCpDemoRunningAllContainers();
+ if (isCpDemoRunningAnyContainer() && !cpDemoRunning) {
+ fail("Detected some but not all cp-demo containers running. "
+ + "Please stop all cp-demo containers using make cp-demo-stop and try running the tests again.");
+ }
+
+ // If we see that all cp-demo containers are exited, remove them.
+ removeCPDemoContainersIfStopped();
+
+ // Run the setup script
+ runScript("src/test/resources/cp-demo-scripts/setup.sh");
+
+ network = createReusableNetwork("cp-demo");
+ // Check if zookeeper, kafka1, kafka2, ldap, schemaRegistry are already running
+ Log.info("Starting Tools...");
+ tools = new ToolsContainer(network);
+ tools.start();
+
+ if (!cpDemoRunning) {
+ Log.info("Registering root CA...");
+ registerRootCA();
+ }
+
+ Log.info("Starting Zookeeper...");
+ zookeeper = new ZookeeperContainer(network);
+ zookeeper.waitingFor(Wait.forHealthcheck());
+ zookeeper.start();
+
+ Log.info("Starting OpenLDAP...");
+ ldap = new OpenldapContainer(network);
+ ldap.start();
+
+ kafka1 = new CPServerContainer(
+ network,
+ "kafka1",
+ 8091,
+ 9091,
+ 10091,
+ 11091,
+ 12091,
+ 13091,
+ 14091
+ );
+ kafka1.withEnv(Map.of(
+ "KAFKA_BROKER_ID", "1",
+ "KAFKA_BROKER_RACK", "r1",
+ "KAFKA_JMX_PORT", "9991"
+ ));
+ kafka2 = new CPServerContainer(
+ network,
+ "kafka2",
+ 8092,
+ 9092,
+ 10092,
+ 11092,
+ 12092,
+ 13092,
+ 14092
+ );
+ kafka2.withEnv(Map.of(
+ "KAFKA_BROKER_ID", "2",
+ "KAFKA_BROKER_RACK", "r2",
+ "KAFKA_JMX_PORT", "9992"
+ ));
+
+ // Must be started in parallel
+ Log.info("Starting Kafka brokers...");
+ Startables.deepStart(List.of(kafka1, kafka2)).join();
+
+ if (!cpDemoRunning) {
+ Log.info("Creating role bindings...");
+ runToolScript("/tmp/helper/create-role-bindings.sh");
+ setMinISR();
+ }
+
+ Log.info("Starting Schema Registry...");
+ schemaRegistry = new SchemaRegistryContainer(network);
+ schemaRegistry.start();
+ }
+
+ /**
+ * We don't stop the containers after tests are run. This is used to stop the containers manually
+ * from the {@link #main(String[])} method. Refer to the Make target
+ * {@code make cp-demo-stop} for stopping the cp-demo containers.
+ */
+ @Override
+ public void shutdown() {
+ shutdownContainers();
+ }
+
+ /**
+ * Workaround for setting min ISR on topic _confluent-metadata-auth
+ */
+ private void setMinISR() {
+ try {
+ kafka1.execInContainer(
+ "kafka-configs",
+ "--bootstrap-server", "kafka1:12091",
+ "--entity-type", "topics",
+ "--entity-name", "_confluent-metadata-auth",
+ "--alter",
+ "--add-config", "min.insync.replicas=1"
+ );
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ private void registerRootCA() {
+ // Add root CA to container (obviates need for supplying it at CLI login '--ca-cert-path')
+ runToolScript(
+ "cp /etc/kafka/secrets/snakeoil-ca-1.crt /usr/local/share/ca-certificates && /usr/sbin/update-ca-certificates"
+ );
+ }
+
+ private void runToolScript(String script) {
+ try {
+ tools.execInContainer("bash", "-c", script);
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ /**
+ * Do we have any of the CP Demo containers in running state?
+ */
+ private boolean isCpDemoRunningAnyContainer() {
+ return getContainerStream().anyMatch(container -> container.getState().equals("running"));
+ }
+
+ /**
+ * Do we have a CP Demo environment running with all containers?
+ */
+ private boolean isCpDemoRunningAllContainers() {
+ // If empty, return false
+ var containers = getContainerStream().collect(Collectors.toUnmodifiableSet());
+ if (containers.isEmpty()) {
+ return false;
+ }
+
+ return containers
+ .stream()
+ .allMatch(container -> container.getState().equals("running"));
+ }
+
+ private static Stream getContainerStream() {
+ return DockerClientFactory
+ .instance()
+ .client()
+ .listContainersCmd()
+ .withShowAll(true)
+ .exec()
+ .stream()
+ .filter(
+ container -> CP_DEMO_CONTAINERS
+ .stream()
+ .anyMatch(c -> Arrays.asList(container.getNames()).contains(c))
+ );
+ }
+
+ private void removeCPDemoContainersIfStopped() {
+ CP_DEMO_CONTAINERS.forEach(container -> {
+ try {
+ DockerClientFactory
+ .instance()
+ .client()
+ .listContainersCmd()
+ .withShowAll(true)
+ .exec()
+ .stream()
+ .filter(c -> c.getNames()[0].contains(container))
+ .forEach(c -> {
+ if (c.getState().equals("exited")) {
+ DockerClientFactory
+ .instance()
+ .client()
+ .removeContainerCmd(c.getId())
+ .exec();
+ }
+ });
+ } catch (Exception e) {
+ Log.error("Error deleting stopped containers", e);
+ }
+ });
+ }
+
+ private static void shutdownContainers() {
+ CP_DEMO_CONTAINERS.forEach(container -> {
+ try {
+ DockerClientFactory
+ .instance()
+ .client()
+ .listContainersCmd()
+ .withShowAll(true)
+ .exec()
+ .stream()
+ .filter(c -> c.getNames()[0].contains(container))
+ .forEach(c -> {
+ DockerClientFactory
+ .instance()
+ .client()
+ .stopContainerCmd(c.getId())
+ .exec();
+ });
+ } catch (Exception e) {
+ Log.error("Error deleting stopped containers", e);
+ }
+ });
+
+ // Remove the network
+ DockerClientFactory
+ .instance()
+ .client()
+ .listNetworksCmd()
+ .exec()
+ .stream()
+ .filter(network -> network.getName().equals("cp-demo"))
+ .forEach(network -> {
+ DockerClientFactory
+ .instance()
+ .client()
+ .removeNetworkCmd(network.getId())
+ .exec();
+ });
+ }
+
+ @Override
+ public Optional localConnectionSpec() {
+ return Optional.empty();
+ }
+
+ @Override
+ public Optional directConnectionSpec() {
+ var cwd = System.getProperty("user.dir");
+ var schemaRegistryTrustStoreLocation = new File(cwd,
+ ".cp-demo/scripts/security/kafka.schemaregistry.truststore.jks"
+ ).getAbsolutePath();
+ var password = new Password("confluent".toCharArray());
+ var kafkaTrustStoreLocation = new File(cwd,
+ ".cp-demo/scripts/security/kafka.kafka1.truststore.jks"
+ ).getAbsolutePath();
+
+ return Optional.of(
+ ConnectionSpec.createDirect(
+ "direct-to-local-connection",
+ "Direct to Local",
+ ConnectionSpecKafkaClusterConfigBuilder
+ .builder()
+ .bootstrapServers("localhost:11091")
+ .tlsConfig(TLSConfigBuilder
+ .builder()
+ // TODO: Figure out what the keystore config needs to be
+ // for mutual TLS.
+ .truststore(new TLSConfig.TrustStore(
+ kafkaTrustStoreLocation,
+ password,
+ null
+ ))
+ .enabled(true)
+ .build()
+ )
+ .build(),
+ ConnectionSpecSchemaRegistryConfigBuilder
+ .builder()
+ .id("local-sr-cp-demo")
+ .uri("https://localhost:8085")
+ .credentials(
+ new BasicCredentials(
+ "superUser",
+ new Password("superUser".toCharArray())
+ )
+ )
+ .tlsConfig(new TLSConfig(
+ schemaRegistryTrustStoreLocation, password
+ ))
+ .build()
+ )
+ );
+ }
+
+ public Optional directConnectionSpecWithoutSR() {
+ return Optional.of(
+ ConnectionSpec.createDirect(
+ "direct-to-local-connection-no-sr",
+ "Direct to Local (No SR)",
+ ConnectionSpecKafkaClusterConfigBuilder
+ .builder()
+ .bootstrapServers("localhost:12091,localhost:12092")
+ // Disable TLS
+ .tlsConfig(TLSConfigBuilder.builder().enabled(false).build())
+ .build(),
+ null
+ )
+ );
+ }
+
+ public Optional directConnectionBasicAuth() {
+ return Optional.of(
+ ConnectionSpec.createDirect(
+ "direct-to-local-connection-basic-auth",
+ "Direct to Local (Basic Auth)",
+ ConnectionSpecKafkaClusterConfigBuilder
+ .builder()
+ .bootstrapServers("localhost:13091,localhost:13092")
+ .credentials(new BasicCredentials(
+ "admin",
+ new Password("admin-secret".toCharArray())
+ ))
+ // Disable TLS
+ .tlsConfig(TLSConfigBuilder.builder().enabled(false).build())
+ .build(),
+ null
+ ));
+ }
+
+ /**
+ * Taken from https://github.com/testcontainers/testcontainers-java/issues/3081#issuecomment-1553064952
+ */
+ public static Network createReusableNetwork(String name) {
+ if (!TestcontainersConfiguration.getInstance().environmentSupportsReuse()) {
+ return Network.newNetwork();
+ }
+
+ String id = DockerClientFactory
+ .instance()
+ .client()
+ .listNetworksCmd()
+ .exec()
+ .stream()
+ .filter(network ->
+ network.getName().equals(name)
+ && network.getLabels().equals(DockerClientFactory.DEFAULT_LABELS)
+ )
+ .map(com.github.dockerjava.api.model.Network::getId)
+ .findFirst()
+ .orElseGet(() -> DockerClientFactory
+ .instance()
+ .client()
+ .createNetworkCmd()
+ .withName(name)
+ .withCheckDuplicate(true)
+ .withLabels(DockerClientFactory.DEFAULT_LABELS)
+ .exec()
+ .getId()
+ );
+
+ return new Network() {
+ @Override
+ public Statement apply(Statement base, Description description) {
+ return base;
+ }
+
+ @Override
+ public String getId() {
+ return id;
+ }
+
+ @Override
+ public void close() {
+ // never close
+ }
+ };
+ }
+
+ private void runScript(String path) {
+ var pb = new ProcessBuilder(path);
+ pb.inheritIO();
+ try {
+ var process = pb.start();
+ process.waitFor();
+ if (process.exitValue() != 0) {
+ throw new RuntimeException("Script failed with exit code " + process.exitValue());
+ }
+ } catch (IOException | InterruptedException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ /**
+ * Main method to start the test environment if used as a standalone application.
+ */
+ @SetEnvironmentVariable(key = "TESTCONTAINERS_RYUK_DISABLED", value = "true")
+ public static void main(String[] args) {
+ var env = new CPDemoTestEnvironment();
+ if (args.length == 1 && args[0].equals("stop")) {
+ Log.info("Stopping CP Demo environment...");
+ env.shutdown();
+ Log.info("CP Demo environment stopped.");
+ } else {
+ Log.info("Starting CP Demo environment...");
+ env.start();
+ Log.info("CP Demo environment started. Use make cp-demo-stop to stop it.");
+ }
+ }
+}
diff --git a/src/test/java/io/confluent/idesidecar/restapi/util/ConfluentLocalKafkaWithRestProxyContainer.java b/src/test/java/io/confluent/idesidecar/restapi/util/ConfluentLocalKafkaWithRestProxyContainer.java
index 8fdcaaff..766b5bbd 100644
--- a/src/test/java/io/confluent/idesidecar/restapi/util/ConfluentLocalKafkaWithRestProxyContainer.java
+++ b/src/test/java/io/confluent/idesidecar/restapi/util/ConfluentLocalKafkaWithRestProxyContainer.java
@@ -1,11 +1,9 @@
package io.confluent.idesidecar.restapi.util;
-import org.testcontainers.containers.GenericContainer;
-import org.testcontainers.utility.DockerImageName;
-
import java.util.HashMap;
-import java.util.List;
import java.util.Map;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.utility.DockerImageName;
/**
* A Testcontainers-based implementation of a local Confluent environment,
@@ -66,7 +64,8 @@
public class ConfluentLocalKafkaWithRestProxyContainer
extends GenericContainer
implements AutoCloseable {
- private static final int KAFKA_PORT = 9092;
+ private static final int KAFKA_PORT_HOST = 30092;
+ private static final int KAFKA_PORT_CONTAINER = 9092;
private static final String DEFAULT_IMAGE = "confluentinc/confluent-local:7.6.0";
private static final String CONTAINER_NAME = "confluent-local-broker-1";
private static final String REST_PROXY_HOST_NAME = "rest-proxy";
@@ -80,14 +79,11 @@ public ConfluentLocalKafkaWithRestProxyContainer() {
public ConfluentLocalKafkaWithRestProxyContainer(String dockerImageName) {
super(DockerImageName.parse(dockerImageName));
super.withEnv(getEnvironmentVariables())
- .withExposedPorts(KAFKA_PORT, REST_PROXY_PORT)
.withCreateContainerCmdModifier(cmd -> cmd
.withName(CONTAINER_NAME)
.withHostName(CONTAINER_NAME));
- setPortBindings(List.of(
- String.format("%d:%d", REST_PROXY_PORT, REST_PROXY_PORT),
- String.format("%d:%d", KAFKA_PORT, KAFKA_PORT)
- ));
+ addFixedExposedPort(KAFKA_PORT_HOST, KAFKA_PORT_CONTAINER);
+ addFixedExposedPort(REST_PROXY_PORT, REST_PROXY_PORT);
}
public String getClusterId() {
@@ -95,11 +91,11 @@ public String getClusterId() {
}
public String getKafkaBootstrapServers() {
- return String.format("%s:%d", getHost(), getMappedPort(KAFKA_PORT));
+ return String.format("%s:%d", getHost(), KAFKA_PORT_HOST);
}
public String getRestProxyEndpoint() {
- return String.format("http://%s:%d", getHost(), getMappedPort(REST_PROXY_PORT));
+ return String.format("http://%s:%d", getHost(), REST_PROXY_PORT);
}
private Map getEnvironmentVariables() {
@@ -114,13 +110,13 @@ private Map getEnvironmentVariables() {
String.format("PLAINTEXT://%s:29092,CONTROLLER://%s:29093,PLAINTEXT_HOST://0.0.0.0:%d",
CONTAINER_NAME,
CONTAINER_NAME,
- KAFKA_PORT)
+ KAFKA_PORT_CONTAINER)
);
env.put(
"KAFKA_ADVERTISED_LISTENERS",
String.format("PLAINTEXT://%s:29092,PLAINTEXT_HOST://localhost:%d",
CONTAINER_NAME,
- KAFKA_PORT)
+ KAFKA_PORT_HOST)
);
env.put("KAFKA_REST_HOST_NAME", REST_PROXY_HOST_NAME);
env.put("KAFKA_REST_LISTENERS",
diff --git a/src/test/java/io/confluent/idesidecar/restapi/util/LocalTestEnvironment.java b/src/test/java/io/confluent/idesidecar/restapi/util/LocalTestEnvironment.java
index b6ff3a88..8afa5c95 100644
--- a/src/test/java/io/confluent/idesidecar/restapi/util/LocalTestEnvironment.java
+++ b/src/test/java/io/confluent/idesidecar/restapi/util/LocalTestEnvironment.java
@@ -1,14 +1,16 @@
package io.confluent.idesidecar.restapi.util;
+import io.confluent.idesidecar.restapi.credentials.TLSConfigBuilder;
import io.confluent.idesidecar.restapi.models.ConnectionSpec;
+import io.confluent.idesidecar.restapi.models.ConnectionSpecKafkaClusterConfigBuilder;
+import io.confluent.idesidecar.restapi.models.ConnectionSpecSchemaRegistryConfigBuilder;
import io.confluent.idesidecar.restapi.testutil.NoAccessFilterProfile;
import io.quarkus.test.junit.TestProfile;
+import java.time.Duration;
import java.util.Optional;
import org.testcontainers.containers.Network;
import org.testcontainers.containers.wait.strategy.Wait;
-import java.time.Duration;
-
/**
* A {@link TestEnvironment} that starts a local Confluent Local container with Kafka broker and
* Kafka REST server, and a Confluent Platform Schema Registry container.
@@ -89,17 +91,19 @@ public Optional directConnectionSpec() {
ConnectionSpec.createDirect(
"direct-to-local-connection",
"Direct to Local",
- new ConnectionSpec.KafkaClusterConfig(
- kafkaWithRestProxy.getKafkaBootstrapServers(),
- null,
- null,
- null
- ),
- new ConnectionSpec.SchemaRegistryConfig(
- schemaRegistry.getClusterId(),
- schemaRegistry.endpoint(),
- null
- )
+ ConnectionSpecKafkaClusterConfigBuilder
+ .builder()
+ .bootstrapServers(kafkaWithRestProxy.getKafkaBootstrapServers())
+ // Disable TLS
+ .tlsConfig(TLSConfigBuilder.builder().enabled(false).build())
+ .build(),
+ ConnectionSpecSchemaRegistryConfigBuilder
+ .builder()
+ .id(schemaRegistry.getClusterId())
+ .uri(schemaRegistry.endpoint())
+ // Disable TLS
+ .tlsConfig(TLSConfigBuilder.builder().enabled(false).build())
+ .build()
)
);
}
diff --git a/src/test/java/io/confluent/idesidecar/restapi/util/SidecarClient.java b/src/test/java/io/confluent/idesidecar/restapi/util/SidecarClient.java
index 04950d32..12e60ca0 100644
--- a/src/test/java/io/confluent/idesidecar/restapi/util/SidecarClient.java
+++ b/src/test/java/io/confluent/idesidecar/restapi/util/SidecarClient.java
@@ -9,12 +9,20 @@
import static io.confluent.idesidecar.restapi.util.ResourceIOUtil.loadResource;
import static io.restassured.RestAssured.given;
import static java.util.function.Predicate.not;
+import static org.awaitility.Awaitility.await;
import static org.hamcrest.Matchers.equalTo;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.fail;
-import static org.awaitility.Awaitility.await;
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import com.fasterxml.jackson.databind.module.SimpleModule;
+import io.confluent.idesidecar.restapi.credentials.Password;
+import io.confluent.idesidecar.restapi.credentials.Redactable;
import io.confluent.idesidecar.restapi.kafkarest.model.CreateTopicRequestData;
import io.confluent.idesidecar.restapi.kafkarest.model.ProduceRequest;
import io.confluent.idesidecar.restapi.kafkarest.model.ProduceRequestData;
@@ -33,6 +41,7 @@
import io.restassured.http.ContentType;
import io.restassured.response.ValidatableResponse;
import io.restassured.specification.RequestSpecification;
+import java.io.IOException;
import java.time.Duration;
import java.util.HashMap;
import java.util.HashSet;
@@ -58,6 +67,7 @@ public class SidecarClient implements SidecarClientApi {
.getValue("quarkus.http.test-port", Integer.class);
private static final String SIDECAR_HOST = "http://localhost:%s".formatted(TEST_PORT);
+ private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
private final String sidecarHost;
@@ -68,6 +78,14 @@ public class SidecarClient implements SidecarClientApi {
private Set usedKafkaClusters = new HashSet<>();
private Set usedSchemaRegistries = new HashSet<>();
+ static {
+ // Used to serialize Password objects into their raw value
+ // when sending them in the request body
+ OBJECT_MAPPER.registerModule(
+ new SimpleModule().addSerializer(Password.class, new PasswordSerializer())
+ );
+ }
+
public SidecarClient() {
this.sidecarHost = SIDECAR_HOST;
}
@@ -121,7 +139,11 @@ public void deleteAllTopics(String clusterId) {
setCurrentCluster(clusterId);
var topics = listTopics();
for (var topic : topics) {
- deleteTopic(topic);
+ if (!topic.startsWith("_")) {
+ deleteTopic(topic);
+ } else {
+ Log.debugf("Skipping deletion of internal topic %s", topic);
+ }
}
}
}
@@ -344,13 +366,17 @@ public Connection testConnection(ConnectionSpec spec) {
@Override
public Connection createConnection(ConnectionSpec spec) {
// Create connection
- given()
- .contentType(ContentType.JSON)
- .body(spec)
- .post("%s/gateway/v1/connections".formatted(sidecarHost))
- .then()
- .statusCode(200)
- .body("spec.id", equalTo(spec.id()));
+ try {
+ given()
+ .contentType(ContentType.JSON)
+ .body(OBJECT_MAPPER.writeValueAsString(spec))
+ .post("%s/gateway/v1/connections".formatted(sidecarHost))
+ .then()
+ .statusCode(200)
+ .body("spec.id", equalTo(spec.id()));
+ } catch (JsonProcessingException e) {
+ throw new RuntimeException(e);
+ }
// If the connection spec configures a Kafka cluster or a Schema Registry, wait until the
// connection to the Kafka cluster or Schema registry has been established
@@ -833,4 +859,25 @@ public boolean directConnectionsGraphQLResponseContains(String connectionId) {
.anyMatch(m -> m.get("id").equals(connectionId));
}
+
+ public static class PasswordSerializer extends RawSerializer {
+
+ }
+
+ /**
+ * This serializer is unsafe to use in production code, as it will serialize the raw value of the
+ * {@link Redactable} object. It is intended for use in tests only.
+ */
+ protected abstract static class RawSerializer extends JsonSerializer {
+
+ @Override
+ public void serialize(T value, JsonGenerator gen, SerializerProvider serializers) {
+ try {
+ var chars = value.asCharArray();
+ gen.writeString(chars, 0, chars.length);
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
+ }
}
diff --git a/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/CPServerContainer.java b/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/CPServerContainer.java
new file mode 100644
index 00000000..7a4284b2
--- /dev/null
+++ b/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/CPServerContainer.java
@@ -0,0 +1,376 @@
+package io.confluent.idesidecar.restapi.util.cpdemo;
+
+import static io.confluent.idesidecar.restapi.util.cpdemo.Constants.DEFAULT_CONFLUENT_DOCKER_TAG;
+
+import com.github.dockerjava.api.model.HealthCheck;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.Network;
+import org.testcontainers.containers.wait.strategy.Wait;
+
+public class CPServerContainer extends GenericContainer {
+
+ private static final String DEFAULT_IMAGE = "confluentinc/cp-server";
+
+ private final String tag;
+ private final String containerName;
+ private final Integer mdsPort;
+ private final Integer internalPort;
+ private final Integer tokenPort;
+ private final Integer sslPort;
+ private final Integer clearPort;
+ private final Integer internalHostPort;
+ private final Integer tokenHostPort;
+
+ public CPServerContainer(
+ String tag,
+ Network network,
+ String containerName,
+ Integer mdsPort,
+ Integer internalPort,
+ Integer tokenPort,
+ Integer sslPort,
+ Integer clearPort,
+ Integer internalHostPort,
+ Integer tokenHostPort
+ ) {
+ super(DEFAULT_IMAGE + ":" + tag);
+ this.tag = tag;
+ this.containerName = containerName;
+ this.mdsPort = mdsPort;
+ this.internalPort = internalPort;
+ this.tokenPort = tokenPort;
+ this.sslPort = sslPort;
+ this.clearPort = clearPort;
+ this.internalHostPort = internalHostPort;
+ this.tokenHostPort = tokenHostPort;
+
+ super.withNetwork(network);
+ super.withNetworkAliases(containerName);
+ super
+ .withEnv(kafkaZookeeperEnv())
+ .withEnv(listenersEnv(
+ internalPort, tokenPort, sslPort, clearPort, internalHostPort, tokenHostPort)
+ )
+ .withEnv(sslEnv())
+ .withEnv(confluentSchemaValidationEnv())
+ .withEnv(mdsEnv(mdsPort))
+ .withEnv(ldapEnv())
+ .withEnv(embeddedKafkaRest())
+ .withEnv(otherEnvs())
+ .withCreateContainerCmdModifier(cmd -> cmd
+ .withAliases(containerName)
+ .withName(containerName)
+ .withHostName(containerName)
+ .withHealthcheck(new HealthCheck()
+ .withTest(List.of(
+ "CMD", "bash", "-c",
+ "curl --user superUser:superUser -fail --silent --insecure https://%s:%d/kafka/v3/clusters/ --output /dev/null || exit 1"
+ .formatted(containerName, mdsPort)))
+ .withInterval(TimeUnit.SECONDS.toNanos(2))
+ .withRetries(25)
+ )
+ );
+
+ super.addFixedExposedPort(mdsPort, mdsPort);
+ super.addFixedExposedPort(internalPort, internalPort);
+ super.addFixedExposedPort(tokenPort, tokenPort);
+ super.addFixedExposedPort(sslPort, sslPort);
+ super.addFixedExposedPort(clearPort, clearPort);
+ super.addFixedExposedPort(internalHostPort, internalHostPort);
+ super.addFixedExposedPort(tokenHostPort, tokenHostPort);
+
+ // This just sets the Waiting strategy, doesn't actually wait. I know, it's confusing.
+ super.waitingFor(Wait.forHealthcheck());
+
+ super.withFileSystemBind(
+ ".cp-demo/scripts/security/keypair",
+ "/tmp/conf"
+ );
+ super.withFileSystemBind(
+ ".cp-demo/scripts/helper",
+ "/tmp/helper"
+ );
+ super.withFileSystemBind(
+ ".cp-demo/scripts/security",
+ "/etc/kafka/secrets"
+ );
+ super.withReuse(true);
+ }
+
+ /**
+ * Create a new cp-server container with the default tag
+ *
+ * @param network The network to attach the container to
+ * @param containerName The name of the container
+ * @param mdsPort The port for the MDS Server
+ * @param internalPort The port for the INTERNAL listener
+ * @param tokenPort The port for the TOKEN listener
+ * @param sslPort The port for the SSL listener
+ * @param clearPort The port for the CLEAR listener
+ * @param internalHostPort The port for the INTERNAL listener on localhost
+ * @param tokenHostPort The port for the TOKEN listener on localhost
+ */
+ public CPServerContainer(
+ Network network,
+ String containerName,
+ Integer mdsPort,
+ Integer internalPort,
+ Integer tokenPort,
+ Integer sslPort,
+ Integer clearPort,
+ Integer internalHostPort,
+ Integer tokenHostPort
+ ) {
+ this(DEFAULT_CONFLUENT_DOCKER_TAG, network, containerName, mdsPort, internalPort, tokenPort, sslPort, clearPort,
+ internalHostPort, tokenHostPort);
+ }
+
+ public Map kafkaZookeeperEnv() {
+ var env = new HashMap();
+ env.put("KAFKA_ZOOKEEPER_CONNECT", "zookeeper:2182");
+ env.put("KAFKA_ZOOKEEPER_SSL_CLIENT_ENABLE", "true");
+ env.put("KAFKA_ZOOKEEPER_SSL_CIPHER_SUITES", Constants.SSL_CIPHER_SUITES);
+ env.put("KAFKA_ZOOKEEPER_CLIENT_CNXN_SOCKET", "org.apache.zookeeper.ClientCnxnSocketNetty");
+ env.put("KAFKA_ZOOKEEPER_SSL_KEYSTORE_LOCATION",
+ "/etc/kafka/secrets/kafka.%s.keystore.jks".formatted(this.containerName));
+ env.put("KAFKA_ZOOKEEPER_SSL_KEYSTORE_PASSWORD", "confluent");
+ env.put("KAFKA_ZOOKEEPER_SSL_KEYSTORE_TYPE", "PKCS12");
+ env.put("KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_LOCATION",
+ "/etc/kafka/secrets/kafka.%s.truststore.jks".formatted(this.containerName));
+ env.put("KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_PASSWORD", "confluent");
+ env.put("KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_TYPE", "JKS");
+ env.put("KAFKA_ZOOKEEPER_SET_ACL", "true");
+ return env;
+ }
+
+ public Map listenersEnv(
+ Integer internalPort,
+ Integer tokenPort,
+ Integer sslPort,
+ Integer clearPort,
+ Integer internalHostPort,
+ Integer tokenHostPort
+ ) {
+ var env = new HashMap();
+ env.put("KAFKA_LISTENER_SECURITY_PROTOCOL_MAP",
+ "INTERNAL:SASL_PLAINTEXT,INTERNALHOST:SASL_PLAINTEXT,TOKEN:SASL_SSL,TOKENHOST:SASL_SSL,SSL:SSL,CLEAR:PLAINTEXT");
+ env.put("KAFKA_INTER_BROKER_LISTENER_NAME", "INTERNAL");
+ env.put("KAFKA_LISTENERS",
+ "INTERNAL://%s:%d,TOKEN://%s:%d,SSL://%s:%d,CLEAR://%s:%d,INTERNALHOST://%s:%d,TOKENHOST://%s:%d".formatted(
+ containerName, internalPort,
+ containerName, tokenPort,
+ containerName, sslPort,
+ containerName, clearPort,
+ containerName, internalHostPort,
+ containerName, tokenHostPort
+ ));
+ env.put("KAFKA_ADVERTISED_LISTENERS",
+ "INTERNAL://%s:%d,TOKEN://%s:%d,SSL://%s:%d,CLEAR://%s:%d,INTERNALHOST://%s:%d,TOKENHOST://%s:%d".formatted(
+ containerName, internalPort,
+ containerName, tokenPort,
+ "localhost", sslPort,
+ "localhost", clearPort,
+ "localhost", internalHostPort,
+ "localhost", tokenHostPort
+ ));
+ env.put("KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL", "PLAIN");
+ env.put("KAFKA_SASL_ENABLED_MECHANISMS", "PLAIN, OAUTHBEARER");
+
+ env.put("KAFKA_LISTENER_NAME_INTERNAL_SASL_ENABLED_MECHANISMS", "PLAIN");
+ env.put("KAFKA_LISTENER_NAME_INTERNAL_PLAIN_SASL_JAAS_CONFIG", """
+ org.apache.kafka.common.security.plain.PlainLoginModule required \\
+ username="admin" \\
+ password="admin-secret" \\
+ user_admin="admin-secret" \\
+ user_mds="mds-secret";
+ """);
+
+ env.put("KAFKA_LISTENER_NAME_INTERNALHOST_SASL_ENABLED_MECHANISMS", "PLAIN");
+ env.put("KAFKA_LISTENER_NAME_INTERNALHOST_PLAIN_SASL_JAAS_CONFIG", """
+ org.apache.kafka.common.security.plain.PlainLoginModule required \\
+ username="admin" \\
+ password="admin-secret" \\
+ user_admin="admin-secret" \\
+ user_mds="mds-secret";
+ """);
+
+ // Configure TOKEN listener for Confluent Platform components and impersonation
+ env.put("KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS",
+ "io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler");
+ env.put("KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS",
+ "io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler");
+ env.put("KAFKA_LISTENER_NAME_TOKEN_SASL_ENABLED_MECHANISMS", "OAUTHBEARER");
+ env.put("KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_JAAS_CONFIG", """
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \\
+ publicKeyPath="/tmp/conf/public.pem";
+ """);
+
+ // Configure TOKENHOST listener
+ env.put("KAFKA_LISTENER_NAME_TOKENHOST_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS",
+ "io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler");
+ env.put("KAFKA_LISTENER_NAME_TOKENHOST_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS",
+ "io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler");
+ env.put("KAFKA_LISTENER_NAME_TOKENHOST_SASL_ENABLED_MECHANISMS", "OAUTHBEARER");
+ env.put("KAFKA_LISTENER_NAME_TOKENHOST_OAUTHBEARER_SASL_JAAS_CONFIG", """
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \\
+ publicKeyPath="/tmp/conf/public.pem";
+ """);
+
+ env.put("KAFKA_LISTENER_NAME_SSL_SSL_PRINCIPAL_MAPPING_RULES",
+ "RULE:^CN=([a-zA-Z0-9.]*).*$$/$$1/ , DEFAULT");
+ env.put("KAFKA_LISTENER_NAME_TOKEN_SSL_PRINCIPAL_MAPPING_RULES",
+ "RULE:^CN=([a-zA-Z0-9.]*).*$$/$$1/ , DEFAULT");
+ return env;
+ }
+
+ public Map sslEnv() {
+ var env = new HashMap();
+ env.put("KAFKA_SSL_KEYSTORE_FILENAME", "kafka.%s.keystore.jks".formatted(containerName));
+ env.put("KAFKA_SSL_KEYSTORE_CREDENTIALS", "%s_keystore_creds".formatted(containerName));
+ env.put("KAFKA_SSL_KEY_CREDENTIALS", "%s_sslkey_creds".formatted(containerName));
+ env.put("KAFKA_SSL_TRUSTSTORE_FILENAME", "kafka.%s.truststore.jks".formatted(containerName));
+ env.put("KAFKA_SSL_TRUSTSTORE_CREDENTIALS", "%s_truststore_creds".formatted(containerName));
+ env.put("KAFKA_SSL_CIPHER_SUITES", Constants.SSL_CIPHER_SUITES);
+ env.put("KAFKA_SSL_CLIENT_AUTH", "requested");
+ return env;
+ }
+
+ public Map confluentSchemaValidationEnv() {
+ var env = new HashMap();
+ env.put("KAFKA_CONFLUENT_SCHEMA_REGISTRY_URL", "https://schemaregistry:8085");
+ env.put("KAFKA_CONFLUENT_BASIC_AUTH_CREDENTIALS_SOURCE", "USER_INFO");
+ env.put("KAFKA_CONFLUENT_BASIC_AUTH_USER_INFO", "superUser:superUser");
+ env.put("KAFKA_CONFLUENT_SSL_TRUSTSTORE_LOCATION",
+ "/etc/kafka/secrets/kafka.%s.truststore.jks".formatted(this.containerName));
+ env.put("KAFKA_CONFLUENT_SSL_TRUSTSTORE_PASSWORD", "confluent");
+ return env;
+ }
+
+ public Map mdsEnv(Integer mdsPort) {
+ var env = new HashMap();
+ env.put("KAFKA_CONFLUENT_METADATA_TOPIC_REPLICATION_FACTOR", "2");
+ env.put("KAFKA_CONFLUENT_METADATA_SERVER_AUTHENTICATION_METHOD", "BEARER");
+ env.put("KAFKA_CONFLUENT_METADATA_SERVER_LISTENERS", "https://0.0.0.0:%d".formatted(mdsPort));
+ env.put("KAFKA_CONFLUENT_METADATA_SERVER_ADVERTISED_LISTENERS",
+ "https://%s:%d".formatted(containerName, mdsPort));
+ env.put("KAFKA_CONFLUENT_METADATA_SERVER_SSL_TRUSTSTORE_LOCATION",
+ "/etc/kafka/secrets/kafka.mds.truststore.jks");
+ env.put("KAFKA_CONFLUENT_METADATA_SERVER_SSL_TRUSTSTORE_PASSWORD", "confluent");
+ env.put("KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEYSTORE_LOCATION",
+ "/etc/kafka/secrets/kafka.mds.keystore.jks");
+ env.put("KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEYSTORE_PASSWORD", "confluent");
+ env.put("KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEY_PASSWORD", "confluent");
+ env.put("KAFKA_CONFLUENT_METADATA_SERVER_SSL_CIPHER_SUITES", Constants.SSL_CIPHER_SUITES);
+ env.put("KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_MAX_LIFETIME_MS", "3600000");
+ env.put("KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_SIGNATURE_ALGORITHM", "RS256");
+ env.put("KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_KEY_PATH", "/tmp/conf/keypair.pem");
+ return env;
+ }
+
+ public Map ldapEnv() {
+ var env = new HashMap();
+ env.put("KAFKA_LDAP_JAVA_NAMING_FACTORY_INITIAL", "com.sun.jndi.ldap.LdapCtxFactory");
+ env.put("KAFKA_LDAP_COM_SUN_JNDI_LDAP_READ_TIMEOUT", "3000");
+ env.put("KAFKA_LDAP_JAVA_NAMING_PROVIDER_URL", "ldap://openldap:389");
+ env.put("KAFKA_LDAP_JAVA_NAMING_SECURITY_PRINCIPAL", "cn=admin,dc=confluentdemo,dc=io");
+ env.put("KAFKA_LDAP_JAVA_NAMING_SECURITY_CREDENTIALS", "admin");
+ env.put("KAFKA_LDAP_JAVA_NAMING_SECURITY_AUTHENTICATION", "simple");
+ env.put("KAFKA_LDAP_SEARCH_MODE", "GROUPS");
+ env.put("KAFKA_LDAP_GROUP_SEARCH_BASE", "ou=groups,dc=confluentdemo,dc=io");
+ env.put("KAFKA_LDAP_GROUP_NAME_ATTRIBUTE", "cn");
+ env.put("KAFKA_LDAP_GROUP_MEMBER_ATTRIBUTE", "memberUid");
+ env.put("KAFKA_LDAP_GROUP_OBJECT_CLASS", "posixGroup");
+ env.put("KAFKA_LDAP_GROUP_MEMBER_ATTRIBUTE_PATTERN", "cn=(.*),ou=users,dc=confluentdemo,dc=io");
+ env.put("KAFKA_LDAP_USER_SEARCH_BASE", "ou=users,dc=confluentdemo,dc=io");
+ env.put("KAFKA_LDAP_USER_NAME_ATTRIBUTE", "uid");
+ env.put("KAFKA_LDAP_USER_OBJECT_CLASS", "inetOrgPerson");
+ return env;
+ }
+
+ public Map embeddedKafkaRest() {
+ var env = new HashMap();
+ // Hardcoded values
+ env.put("KAFKA_KAFKA_REST_BOOTSTRAP_SERVERS",
+ "SASL_SSL://kafka1:10091,SASL_SSL://kafka2:10092");
+ env.put("KAFKA_KAFKA_REST_CLIENT_SECURITY_PROTOCOL", "SASL_SSL");
+ env.put("KAFKA_KAFKA_REST_CLIENT_SSL_TRUSTSTORE_LOCATION",
+ "/etc/kafka/secrets/kafka.%s.truststore.jks".formatted(containerName));
+ env.put("KAFKA_KAFKA_REST_CLIENT_SSL_TRUSTSTORE_PASSWORD", "confluent");
+ env.put("KAFKA_KAFKA_REST_CLIENT_SSL_KEYSTORE_LOCATION",
+ "/etc/kafka/secrets/kafka.%s.keystore.jks".formatted(containerName));
+ env.put("KAFKA_KAFKA_REST_CLIENT_SSL_KEYSTORE_PASSWORD", "confluent");
+ env.put("KAFKA_KAFKA_REST_CLIENT_SSL_KEY_PASSWORD", "confluent");
+ env.put("KAFKA_KAFKA_REST_KAFKA_REST_RESOURCE_EXTENSION_CLASS",
+ "io.confluent.kafkarest.security.KafkaRestSecurityResourceExtension");
+ env.put("KAFKA_KAFKA_REST_REST_SERVLET_INITIALIZOR_CLASSES",
+ "io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler");
+ env.put("KAFKA_KAFKA_REST_PUBLIC_KEY_PATH", "/tmp/conf/public.pem");
+ // Hardcoded values
+ env.put("KAFKA_KAFKA_REST_CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS",
+ "https://kafka1:8091,https://kafka2:8092");
+ env.put("KAFKA_KAFKA_REST_SSL_TRUSTSTORE_LOCATION",
+ "/etc/kafka/secrets/kafka.%s.truststore.jks".formatted(containerName));
+ env.put("KAFKA_KAFKA_REST_SSL_TRUSTSTORE_PASSWORD", "confluent");
+ env.put("KAFKA_KAFKA_REST_CONFLUENT_METADATA_HTTP_AUTH_CREDENTIALS_PROVIDER", "BASIC");
+ env.put("KAFKA_KAFKA_REST_CONFLUENT_METADATA_BASIC_AUTH_USER_INFO", "restAdmin:restAdmin");
+ env.put("KAFKA_KAFKA_REST_CONFLUENT_METADATA_SERVER_URLS_MAX_AGE_MS", "60000");
+ env.put("KAFKA_KAFKA_REST_CLIENT_CONFLUENT_METADATA_SERVER_URLS_MAX_AGE_MS", "60000");
+ return env;
+ }
+
+ public Map otherEnvs() {
+ var env = new HashMap();
+ env.put("KAFKA_OPTS", "-Djava.security.auth.login.config=/etc/kafka/secrets/broker_jaas.conf");
+ env.put("KAFKA_AUTHORIZER_CLASS_NAME",
+ "io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer");
+ env.put("KAFKA_CONFLUENT_AUTHORIZER_ACCESS_RULE_PROVIDERS", "CONFLUENT,ZK_ACL");
+ env.put("KAFKA_SUPER_USERS", "User:admin;User:mds;User:superUser;User:ANONYMOUS");
+ env.put("KAFKA_LOG4J_LOGGERS", "kafka.authorizer.logger=INFO");
+ env.put("KAFKA_LOG4J_ROOT_LOGLEVEL", "INFO");
+
+ env.put("KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR", "2");
+ env.put("KAFKA_CONFLUENT_LICENSE_TOPIC_REPLICATION_FACTOR", "2");
+ env.put("KAFKA_CONFLUENT_SECURITY_EVENT_LOGGER_EXPORTER_KAFKA_TOPIC_REPLICAS", "2");
+ env.put("KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR", "2");
+ env.put("KAFKA_TRANSACTION_STATE_LOG_MIN_ISR", "1");
+ env.put("KAFKA_CONFLUENT_BALANCER_TOPIC_REPLICATION_FACTOR", "2");
+ env.put("KAFKA_CONFLUENT_BALANCER_HEAL_BROKER_FAILURE_THRESHOLD_MS", "30000");
+ env.put("KAFKA_DELETE_TOPIC_ENABLE", "true");
+ env.put("KAFKA_AUTO_CREATE_TOPICS_ENABLE", "false");
+ env.put("KAFKA_DEFAULT_REPLICATION_FACTOR", "2");
+
+ return env;
+ }
+
+ public String getTag() {
+ return tag;
+ }
+
+ public String getContainerName() {
+ return containerName;
+ }
+
+ public Integer getMdsPort() {
+ return mdsPort;
+ }
+
+ public Integer getInternalPort() {
+ return internalPort;
+ }
+
+ public Integer getTokenPort() {
+ return tokenPort;
+ }
+
+ public Integer getSslPort() {
+ return sslPort;
+ }
+
+ public Integer getClearPort() {
+ return clearPort;
+ }
+}
diff --git a/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/Constants.java b/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/Constants.java
new file mode 100644
index 00000000..1ed38804
--- /dev/null
+++ b/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/Constants.java
@@ -0,0 +1,16 @@
+package io.confluent.idesidecar.restapi.util.cpdemo;
+
+import org.eclipse.microprofile.config.ConfigProvider;
+
+public class Constants {
+ private Constants() {
+ }
+
+ static String SSL_CIPHER_SUITES = "TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
+
+ static final String DEFAULT_CONFLUENT_DOCKER_TAG = ConfigProvider
+ .getConfig()
+ .getValue("ide-sidecar.integration-tests.cp-demo.tag", String.class)
+ // Remove the leading 'v' from the tag, if present
+ .replaceFirst("v", "");
+}
diff --git a/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/OpenldapContainer.java b/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/OpenldapContainer.java
new file mode 100644
index 00000000..860d6a13
--- /dev/null
+++ b/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/OpenldapContainer.java
@@ -0,0 +1,42 @@
+package io.confluent.idesidecar.restapi.util.cpdemo;
+
+import java.util.HashMap;
+import java.util.Map;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.Network;
+
+public class OpenldapContainer extends GenericContainer {
+ private static final String DEFAULT_IMAGE = "osixia/openldap";
+ private static final String DEFAULT_TAG = "1.3.0";
+ private static final String CONTAINER_NAME = "openldap";
+
+ public OpenldapContainer(String tag, Network network) {
+ super(DEFAULT_IMAGE + ":" + tag);
+ super.withNetwork(network);
+ super.withNetworkAliases(CONTAINER_NAME);
+ super
+ .withEnv(getOpenldapEnv())
+ .withCommand("--copy-service --loglevel debug");
+ super.withFileSystemBind(
+ ".cp-demo/scripts/security/ldap_users",
+ "/container/service/slapd/assets/config/bootstrap/ldif/custom"
+ );
+ super.withCreateContainerCmdModifier(cmd -> cmd
+ .withName(CONTAINER_NAME)
+ .withHostName(CONTAINER_NAME)
+ );
+ super.withReuse(true);
+ }
+
+ public OpenldapContainer(Network network) {
+ this(DEFAULT_TAG, network);
+ }
+
+ public Map getOpenldapEnv() {
+ var envs = new HashMap();
+ envs.put("LDAP_ORGANISATION", "ConfluentDemo");
+ envs.put("LDAP_DOMAIN", "confluentdemo.io");
+ envs.put("LDAP_BASE_DN", "dc=confluentdemo,dc=io");
+ return envs;
+ }
+}
diff --git a/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/SchemaRegistryContainer.java b/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/SchemaRegistryContainer.java
new file mode 100644
index 00000000..55d149bc
--- /dev/null
+++ b/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/SchemaRegistryContainer.java
@@ -0,0 +1,107 @@
+package io.confluent.idesidecar.restapi.util.cpdemo;
+
+import static io.confluent.idesidecar.restapi.util.cpdemo.Constants.DEFAULT_CONFLUENT_DOCKER_TAG;
+
+import com.github.dockerjava.api.model.HealthCheck;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.Network;
+import org.testcontainers.containers.wait.strategy.Wait;
+
+public class SchemaRegistryContainer extends GenericContainer {
+ private static final Integer PORT = 8085;
+ private static final String DEFAULT_IMAGE = "confluentinc/cp-schema-registry";
+ private static final String CONTAINER_NAME = "schemaregistry";
+
+ public SchemaRegistryContainer(String tag, Network network) {
+ super(DEFAULT_IMAGE + ":" + tag);
+ super.withNetwork(network);
+ super.withNetworkAliases(CONTAINER_NAME);
+ super.addFixedExposedPort(PORT, PORT);
+ super.withEnv(getSchemaRegistryEnv());
+
+ super.withCreateContainerCmdModifier(cmd -> cmd.withHealthcheck(new HealthCheck()
+ .withTest(List.of(
+ "CMD",
+ "bash",
+ "-c",
+ ("curl --user superUser:superUser --fail --silent " +
+ "--insecure https://schemaregistry:%d/subjects --output /dev/null " +
+ "|| exit 1").formatted(PORT))
+ )
+ .withInterval(TimeUnit.SECONDS.toNanos(2))
+ .withRetries(25)
+ )
+ .withName(CONTAINER_NAME)
+ .withHostName(CONTAINER_NAME)
+ );
+ super.waitingFor(Wait.forHealthcheck());
+ super.withFileSystemBind(
+ ".cp-demo/scripts/security",
+ "/etc/kafka/secrets"
+ );
+ super.withFileSystemBind(
+ ".cp-demo/scripts/security/keypair",
+ "/tmp/conf"
+ );
+ super.withReuse(true);
+ }
+
+ public SchemaRegistryContainer(Network network) {
+ this(DEFAULT_CONFLUENT_DOCKER_TAG, network);
+ }
+
+ public Map getSchemaRegistryEnv() {
+ var envs = new HashMap();
+ envs.put("SCHEMA_REGISTRY_HOST_NAME", "schemaregistry");
+ // Hardcoded values
+ envs.put("SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS", "kafka1:10091,kafka2:10092");
+ envs.put("SCHEMA_REGISTRY_LISTENERS", "https://0.0.0.0:%d".formatted(PORT));
+ envs.put("SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL", "SASL_SSL");
+ envs.put("SCHEMA_REGISTRY_KAFKASTORE_SASL_MECHANISM", "OAUTHBEARER");
+ envs.put("SCHEMA_REGISTRY_KAFKASTORE_SASL_LOGIN_CALLBACK_HANDLER_CLASS", "io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler");
+ // Hardcoded values
+ envs.put("SCHEMA_REGISTRY_KAFKASTORE_SASL_JAAS_CONFIG", """
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \\
+ username="schemaregistryUser" \\
+ password="schemaregistryUser" \\
+ metadataServerUrls="https://kafka1:8091,https://kafka2:8092";
+ """);
+ envs.put("SCHEMA_REGISTRY_KAFKASTORE_SSL_TRUSTSTORE_LOCATION", "/etc/kafka/secrets/kafka.schemaregistry.truststore.jks");
+ envs.put("SCHEMA_REGISTRY_KAFKASTORE_SSL_TRUSTSTORE_PASSWORD", "confluent");
+ envs.put("SCHEMA_REGISTRY_KAFKASTORE_SSL_KEYSTORE_LOCATION", "/etc/kafka/secrets/kafka.schemaregistry.keystore.jks");
+ envs.put("SCHEMA_REGISTRY_KAFKASTORE_SSL_KEYSTORE_PASSWORD", "confluent");
+ envs.put("SCHEMA_REGISTRY_KAFKASTORE_SSL_KEY_PASSWORD", "confluent");
+ envs.put("SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION", "/etc/kafka/secrets/kafka.schemaregistry.truststore.jks");
+ envs.put("SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD", "confluent");
+ envs.put("SCHEMA_REGISTRY_SSL_KEYSTORE_LOCATION", "/etc/kafka/secrets/kafka.schemaregistry.keystore.jks");
+ envs.put("SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD", "confluent");
+ envs.put("SCHEMA_REGISTRY_SSL_KEY_PASSWORD", "confluent");
+ envs.put("SCHEMA_REGISTRY_SSL_CLIENT_AUTHENTICATION", "NONE");
+ envs.put("SCHEMA_REGISTRY_SCHEMA_REGISTRY_INTER_INSTANCE_PROTOCOL", "https");
+ envs.put("SCHEMA_REGISTRY_LOG4J_ROOT_LOGLEVEL", "INFO");
+ envs.put("SCHEMA_REGISTRY_KAFKASTORE_TOPIC", "_schemas");
+ envs.put("SCHEMA_REGISTRY_KAFKASTORE_TOPIC_REPLICATION_FACTOR", "2");
+ envs.put("SCHEMA_REGISTRY_SSL_CIPHER_SUITES", Constants.SSL_CIPHER_SUITES);
+ envs.put("SCHEMA_REGISTRY_DEBUG", "false");
+ envs.put("SCHEMA_REGISTRY_SCHEMA_REGISTRY_RESOURCE_EXTENSION_CLASS", "io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension,io.confluent.schema.exporter.SchemaExporterResourceExtension");
+ envs.put("SCHEMA_REGISTRY_CONFLUENT_SCHEMA_REGISTRY_AUTHORIZER_CLASS", "io.confluent.kafka.schemaregistry.security.authorizer.rbac.RbacAuthorizer");
+ envs.put("SCHEMA_REGISTRY_REST_SERVLET_INITIALIZOR_CLASSES", "io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler");
+ envs.put("SCHEMA_REGISTRY_PUBLIC_KEY_PATH", "/tmp/conf/public.pem");
+ // Hardcoded values
+ envs.put("SCHEMA_REGISTRY_CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS", "https://kafka1:8091,https://kafka2:8092");
+ envs.put("SCHEMA_REGISTRY_CONFLUENT_METADATA_HTTP_AUTH_CREDENTIALS_PROVIDER", "BASIC");
+ envs.put("SCHEMA_REGISTRY_CONFLUENT_METADATA_BASIC_AUTH_USER_INFO", "schemaregistryUser:schemaregistryUser");
+ envs.put("SCHEMA_REGISTRY_PASSWORD_ENCODER_SECRET", "encoder-secret");
+ envs.put("SCHEMA_REGISTRY_KAFKASTORE_UPDATE_HANDLERS", "io.confluent.schema.exporter.storage.SchemaExporterUpdateHandler");
+ envs.put("CUB_CLASSPATH", "/usr/share/java/confluent-security/schema-registry/*:/usr/share/java/schema-registry/*:/usr/share/java/schema-registry-plugins/*:/usr/share/java/cp-base-new/*");
+ return envs;
+ }
+
+ public Integer getPort() {
+ return PORT;
+ }
+}
diff --git a/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/ToolsContainer.java b/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/ToolsContainer.java
new file mode 100644
index 00000000..2cf0ce8c
--- /dev/null
+++ b/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/ToolsContainer.java
@@ -0,0 +1,53 @@
+package io.confluent.idesidecar.restapi.util.cpdemo;
+
+import com.github.dockerjava.api.model.HealthCheck;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.Network;
+import org.testcontainers.containers.wait.strategy.Wait;
+
+public class ToolsContainer extends GenericContainer {
+ private static final String DEFAULT_IMAGE = "cnfldemos/tools";
+ private static final String DEFAULT_TAG = "0.3";
+ private static final String CONTAINER_NAME = "tools";
+
+ public ToolsContainer(String tag, Network network) {
+ super(DEFAULT_IMAGE + ":" + tag);
+ super.withNetwork(network);
+ super.withNetworkAliases(CONTAINER_NAME);
+ super.withEnv("TZ", "America/New_York");
+
+ super.withFileSystemBind(
+ ".cp-demo/scripts/security",
+ "/etc/kafka/secrets"
+ );
+ super.withFileSystemBind(
+ ".cp-demo/scripts/helper",
+ "/tmp/helper"
+ );
+ super.waitingFor(Wait.forHealthcheck());
+ super.withCreateContainerCmdModifier(cmd ->
+ cmd
+ .withName(CONTAINER_NAME)
+ .withHostName(CONTAINER_NAME)
+ .withEntrypoint("/bin/bash")
+ .withTty(true)
+ .withHealthcheck(
+ new HealthCheck()
+ .withTest(List.of(
+ "CMD",
+ "bash", "-c", "echo 'health check'"
+ ))
+ .withStartPeriod(TimeUnit.SECONDS.toNanos(3))
+ .withRetries(10)
+ .withInterval(TimeUnit.SECONDS.toNanos(1))
+ )
+ );
+ super.withReuse(true);
+ }
+
+ public ToolsContainer(Network network) {
+ this(DEFAULT_TAG, network);
+ }
+}
diff --git a/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/ZookeeperContainer.java b/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/ZookeeperContainer.java
new file mode 100644
index 00000000..dc9d04b1
--- /dev/null
+++ b/src/test/java/io/confluent/idesidecar/restapi/util/cpdemo/ZookeeperContainer.java
@@ -0,0 +1,66 @@
+package io.confluent.idesidecar.restapi.util.cpdemo;
+
+import static io.confluent.idesidecar.restapi.util.cpdemo.Constants.DEFAULT_CONFLUENT_DOCKER_TAG;
+
+import com.github.dockerjava.api.model.HealthCheck;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.Network;
+
+public class ZookeeperContainer extends GenericContainer {
+ private static final int ZOOKEEPER_PORT = 2181;
+ private static final int ZOOKEEPER_SECURE_PORT = 2182;
+ private static final String DEFAULT_IMAGE = "confluentinc/cp-zookeeper";
+ private static final String CONTAINER_NAME = "zookeeper";
+
+ public ZookeeperContainer(String tag, Network network) {
+ super(DEFAULT_IMAGE + ":" + tag);
+ super.withNetwork(network);
+ super.withNetworkAliases(CONTAINER_NAME);
+ super.addFixedExposedPort(ZOOKEEPER_PORT, ZOOKEEPER_PORT);
+ super.addFixedExposedPort(ZOOKEEPER_SECURE_PORT, ZOOKEEPER_SECURE_PORT);
+ super
+ .withEnv(getZookeeperEnv())
+ .withCreateContainerCmdModifier(cmd -> cmd
+ .withHealthcheck(new HealthCheck()
+ .withTest(List.of("CMD", "bash", "-c", "echo srvr | nc zookeeper 2181 || exit 1"))
+ .withInterval(TimeUnit.SECONDS.toNanos(2))
+ .withRetries(25))
+ .withName(CONTAINER_NAME)
+ .withHostName(CONTAINER_NAME)
+ );
+
+ super.withFileSystemBind(
+ ".cp-demo/scripts/security/",
+ "/etc/kafka/secrets"
+ );
+ super.withReuse(true);
+ }
+
+ public ZookeeperContainer(Network network) {
+ this(DEFAULT_CONFLUENT_DOCKER_TAG, network);
+ }
+
+ public Map getZookeeperEnv() {
+ var envs = new HashMap();
+ envs.put("ZOOKEEPER_CLIENT_PORT", "2181");
+ envs.put("ZOOKEEPER_TICK_TIME", "2000");
+ envs.put("ZOOKEEPER_SECURE_CLIENT_PORT", "2182");
+ envs.put("ZOOKEEPER_SERVER_CNXN_FACTORY", "org.apache.zookeeper.server.NettyServerCnxnFactory");
+ envs.put("ZOOKEEPER_SSL_KEYSTORE_LOCATION", "/etc/kafka/secrets/kafka.zookeeper.keystore.jks");
+ envs.put("ZOOKEEPER_SSL_KEYSTORE_PASSWORD", "confluent");
+ envs.put("ZOOKEEPER_SSL_KEYSTORE_TYPE", "PKCS12");
+ envs.put("ZOOKEEPER_SSL_TRUSTSTORE_LOCATION", "/etc/kafka/secrets/kafka.zookeeper.truststore.jks");
+ envs.put("ZOOKEEPER_SSL_TRUSTSTORE_PASSWORD", "confluent");
+ envs.put("ZOOKEEPER_SSL_TRUSTSTORE_TYPE", "JKS");
+ envs.put("ZOOKEEPER_SSL_CIPHER_SUITES", Constants.SSL_CIPHER_SUITES);
+ envs.put("ZOOKEEPER_SSL_CLIENT_AUTH", "need");
+ envs.put("ZOOKEEPER_AUTH_PROVIDER_X509", "org.apache.zookeeper.server.auth.X509AuthenticationProvider");
+ envs.put("ZOOKEEPER_AUTH_PROVIDER_SASL", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
+ envs.put("KAFKA_OPTS", "-Djava.security.auth.login.config=/etc/kafka/secrets/zookeeper_jaas.conf");
+ return envs;
+ }
+}
diff --git a/src/test/resources/cp-demo-scripts/broker_jaas.conf b/src/test/resources/cp-demo-scripts/broker_jaas.conf
new file mode 100644
index 00000000..871a793c
--- /dev/null
+++ b/src/test/resources/cp-demo-scripts/broker_jaas.conf
@@ -0,0 +1,18 @@
+Client {
+ org.apache.zookeeper.server.auth.DigestLoginModule required
+ username="kafka"
+ password="kafkasecret";
+};
+
+internalhost.KafkaServer {
+ org.apache.kafka.common.security.plain.PlainLoginModule required
+ username="admin"
+ password="admin-secret"
+ user_admin="admin-secret"
+ user_mds="mds-secret";
+};
+
+tokenhost.KafkaServer {
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
+ publicKeyPath="/tmp/conf/public.pem";
+};
diff --git a/src/test/resources/cp-demo-scripts/setup.sh b/src/test/resources/cp-demo-scripts/setup.sh
new file mode 100755
index 00000000..e861b963
--- /dev/null
+++ b/src/test/resources/cp-demo-scripts/setup.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+
+# Note: This script must be run from the root directory of the repository
+
+# Set CLEAN to true to re-clone the cp-demo directory and re-create the certificates
+CLEAN=${CLEAN:-false}
+
+# Ensure yq is installed before running this script
+if ! command -v yq &> /dev/null; then
+ echo "yq is not installed. Please install yq before running this script."
+ echo "If you are on macOS, you can install yq using brew: brew install yq"
+ exit 1
+fi
+
+# Read test.cp-demo.tag from application.yml using yq
+CP_DEMO_TAG=$(yq e '.ide-sidecar.integration-tests.cp-demo.tag' src/main/resources/application.yml)
+
+CP_DEMO_DIR="$(pwd)/.cp-demo"
+CP_DEMO_SCRIPTS_DIR="${CP_DEMO_DIR}/scripts"
+
+clone_cp_demo_if_not_exists() {
+ # Delete cp-demo if CLEAN is set to true
+ if [ "${CLEAN}" == "true" ]; then
+ echo "CLEAN is set to true. Deleting cp-demo directory."
+ rm -rf ${CP_DEMO_DIR}
+ fi
+
+ if [ ! -d "${CP_DEMO_DIR}" ]; then
+ echo "Cloning cp-demo (tag: ${CP_DEMO_TAG}) to ${CP_DEMO_DIR}"
+ git clone --branch ${CP_DEMO_TAG} https://github.com/confluentinc/cp-demo.git ${CP_DEMO_DIR} \
+ --depth 1 \
+ --quiet
+
+ if [ $? -ne 0 ]; then
+ echo "Failed to clone cp-demo"
+ exit 1
+ fi
+
+ echo "Cloned cp-demo successfully. "
+ echo "Note: If you manually modify the contents of the cp-demo directory, "
+ echo "you may experience issues with the CP integration tests"
+ else
+ echo "cp-demo already exists at ${CP_DEMO_DIR}. Skipping cloning."
+ fi
+}
+
+# Overrides create_certificates from functions.sh
+create_certificates()
+{
+ # If clean is set, remove the .certs-created file
+ if [ "${CLEAN}" == "true" ]; then
+ echo "CLEAN is set to true. Deleting .certs-created file."
+ rm -f ${CP_DEMO_SCRIPTS_DIR}/security/.certs-created
+ fi
+
+ # Check if certificates have already been created
+ if [ -f ${CP_DEMO_SCRIPTS_DIR}/security/.certs-created ]; then
+ echo "Certificates have already been created. Skipping certificate creation."
+ return
+ fi
+ # Generate keys and certificates used for SSL
+ echo -e "Generate keys and certificates used for SSL (see ${CP_DEMO_SCRIPTS_DIR}/security)"
+ # Install findutils to be able to use 'xargs' in the certs-create.sh script
+ docker run -v ${CP_DEMO_SCRIPTS_DIR}/security/:/etc/kafka/secrets/ -u0 $REPOSITORY/cp-server:${CONFLUENT_DOCKER_TAG} bash -c "yum -y install findutils; cd /etc/kafka/secrets && ./certs-create.sh && chown -R $(id -u $USER):$(id -g $USER) /etc/kafka/secrets"
+
+ # Generating public and private keys for token signing
+ echo "Generating public and private keys for token signing"
+ docker run -v ${CP_DEMO_SCRIPTS_DIR}/security/:/etc/kafka/secrets/ -u0 $REPOSITORY/cp-server:${CONFLUENT_DOCKER_TAG} bash -c "mkdir -p /etc/kafka/secrets/keypair; openssl genrsa -out /etc/kafka/secrets/keypair/keypair.pem 2048; openssl rsa -in /etc/kafka/secrets/keypair/keypair.pem -outform PEM -pubout -out /etc/kafka/secrets/keypair/public.pem && chown -R $(id -u $USER):$(id -g $USER) /etc/kafka/secrets/keypair"
+
+ # Enable Docker appuser to read files when created by a different UID
+ echo -e "Setting insecure permissions on some files in ${CP_DEMO_SCRIPTS_DIR}/security for demo purposes\n"
+ chmod 644 ${CP_DEMO_SCRIPTS_DIR}/security/keypair/keypair.pem
+ chmod 644 ${CP_DEMO_SCRIPTS_DIR}/security/*.key
+ if [ $? -ne 0 ]; then
+ echo "Failed to set insecure permissions on some files in ${CP_DEMO_SCRIPTS_DIR}/security"
+ exit 1
+ fi
+ echo "Done creating certificates"
+
+ # Throw a file in there to indicate that the certs have been created
+ touch ${CP_DEMO_SCRIPTS_DIR}/security/.certs-created
+}
+
+update_cp_demo_to_match_integration_test_setup() {
+ # Override the broker_jaas.conf file in cp-demo with the one in the test resources
+ cp src/test/resources/cp-demo-scripts/broker_jaas.conf ${CP_DEMO_SCRIPTS_DIR}/security/broker_jaas.conf
+}
+
+main() {
+ clone_cp_demo_if_not_exists || exit 1
+ source ${CP_DEMO_SCRIPTS_DIR}/env.sh
+ create_certificates || exit 1
+ update_cp_demo_to_match_integration_test_setup || exit 1
+
+ echo "✅ cp-demo setup completed successfully."
+}
+
+main