[fix] Use ClientConfiguration::getTlsTrustCertsFilePath for the OAuth2 flow

Fixes apache#184

### Modifications

Add a `AuthenticationDataProvider` implementation `InitialAuthData`,
which holds the CA cert path. Then, in `AuthOauth2::getAuthData`,
retrieve the path and pass it to the `ClientCredentialFlow` for HTTP
requests performed by libcurl.

This solution is API and ABI compatible.

### Verifications

It's hard to add the test in CI because we need an OAuth2 server
configured with the CA configured.

Follow the **How to reproduce** section in
apache#184 (comment)
to reproduce this issue. Apply this patch and build the `libpulsar.so`
with `LINK_STATIC=ON`, then copy the `libpulsar.so` into the docker
container (under `/app/lib`).

Run `./a.out` directly, you will still see the `AuthenticationError`.
However, if you added the path of `libpulsar.so` to the
`LD_LIBRARY_PATH`:

```bash
export LD_LIBRARY_PATH=/app/lib
./a.out
```

No error will happen. You can also replace the `/lib/libpulsar.so` with
the `libpulsar.so` built from source.

(cherry picked from commit d7eb539)

Author: BewareMyPower

lib/ClientConnection.cc

@@ -30,6 +30,7 @@
 #include "ProducerImpl.h"
 #include "PulsarApi.pb.h"
 #include "Url.h"
+#include "auth/InitialAuthData.h"
 #include "checksum/ChecksumProvider.h"
 
 DECLARE_LOG_OBJECT()
@@ -224,7 +225,8 @@ ClientConnection::ClientConnection(const std::string& logicalAddress, const std:
         std::string tlsCertificates = clientConfiguration.getTlsCertificateFilePath();
         std::string tlsPrivateKey = clientConfiguration.getTlsPrivateKeyFilePath();
 
-        AuthenticationDataPtr authData;
+        auto authData = std::dynamic_pointer_cast<AuthenticationDataProvider>(
+            std::make_shared<InitialAuthData>(clientConfiguration.getTlsTrustCertsFilePath()));
         if (authentication_->getAuthData(authData) == ResultOk && authData->hasDataForTls()) {
             tlsCertificates = authData->getTlsCertificates();
             tlsPrivateKey = authData->getTlsPrivateKey();

lib/auth/AuthOauth2.cc

@@ -25,6 +25,7 @@
 #include <sstream>
 #include <stdexcept>
 
+#include "InitialAuthData.h"
 #include "lib/LogUtils.h"
 DECLARE_LOG_OBJECT()
 
@@ -191,6 +192,10 @@ void ClientCredentialFlow::initialize() {
     char errorBuffer[CURL_ERROR_SIZE];
     curl_easy_setopt(handle, CURLOPT_ERRORBUFFER, errorBuffer);
 
+    if (!tlsTrustCertsFilePath_.empty()) {
+        curl_easy_setopt(handle, CURLOPT_CAINFO, tlsTrustCertsFilePath_.c_str());
+    }
+
     // Make get call to server
     res = curl_easy_perform(handle);
 
@@ -317,6 +322,10 @@ Oauth2TokenResultPtr ClientCredentialFlow::authenticate() {
     char errorBuffer[CURL_ERROR_SIZE];
     curl_easy_setopt(handle, CURLOPT_ERRORBUFFER, errorBuffer);
 
+    if (!tlsTrustCertsFilePath_.empty()) {
+        curl_easy_setopt(handle, CURLOPT_CAINFO, tlsTrustCertsFilePath_.c_str());
+    }
+
     // Make get call to server
     res = curl_easy_perform(handle);
 
@@ -401,6 +410,15 @@ AuthenticationPtr AuthOauth2::create(ParamMap& params) { return AuthenticationPt
 const std::string AuthOauth2::getAuthMethodName() const { return "token"; }
 
 Result AuthOauth2::getAuthData(AuthenticationDataPtr& authDataContent) {
+    auto initialAuthData = std::dynamic_pointer_cast<InitialAuthData>(authDataContent);
+    if (initialAuthData) {
+        auto flowPtr = std::dynamic_pointer_cast<ClientCredentialFlow>(flowPtr_);
+        if (!flowPtr_) {
+            throw std::invalid_argument("AuthOauth2::flowPtr_ is not a ClientCredentialFlow");
+        }
+        flowPtr->setTlsTrustCertsFilePath(initialAuthData->tlsTrustCertsFilePath_);
+    }
+
     if (cachedTokenPtr_ == nullptr || cachedTokenPtr_->isExpired()) {
         try {
             cachedTokenPtr_ = CachedTokenPtr(new Oauth2CachedToken(flowPtr_->authenticate()));

lib/auth/AuthOauth2.h

@@ -60,12 +60,17 @@ class ClientCredentialFlow : public Oauth2Flow {
     ParamMap generateParamMap() const;
     std::string getTokenEndPoint() const;
 
+    void setTlsTrustCertsFilePath(const std::string& tlsTrustCertsFilePath) {
+        tlsTrustCertsFilePath_ = tlsTrustCertsFilePath;
+    }
+
    private:
     std::string tokenEndPoint_;
     const std::string issuerUrl_;
     const KeyFile keyFile_;
     const std::string audience_;
     const std::string scope_;
+    std::string tlsTrustCertsFilePath_;
     std::once_flag initializeOnce_;
 };
 

lib/auth/InitialAuthData.h

@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+#pragma once
+
+#include <pulsar/Authentication.h>
+
+namespace pulsar {
+
+class ClientConfiguration;
+
+struct InitialAuthData : public AuthenticationDataProvider {
+    const std::string tlsTrustCertsFilePath_;
+
+    InitialAuthData(const std::string& tlsTrustCertsFilePath)
+        : tlsTrustCertsFilePath_(tlsTrustCertsFilePath) {}
+
+    bool hasDataForHttp() override { return false; }
+    std::string getHttpHeaders() override { return ""; }
+    bool hasDataFromCommand() override { return false; }
+    std::string getCommandData() override { return ""; }
+};
+
+}  // namespace pulsar