[fix] Use ClientConfiguration::getTlsTrustCertsFilePath for the OAuth2 flow #190
+65
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…2 flow Fixes apache#184 ### Modifications Add a `AuthenticationDataProvider` implementation `InitialAuthData`, which holds the CA cert path. Then, in `AuthOauth2::getAuthData`, retrieve the path and pass it to the `ClientCredentialFlow` for HTTP requests performed by libcurl. This solution is API and ABI compatible. ### Verifications It's hard to add the test in CI because we need an OAuth2 server configured with the CA configured. Follow the **How to reproduce** section in apache#184 (comment) to reproduce this issue. Apply this patch and build the `libpulsar.so` with `LINK_STATIC=ON`, then copy the `libpulsar.so` into the docker container (under `/app/lib`). Run `./a.out` directly, you will still see the `AuthenticationError`. However, if you added the path of `libpulsar.so` to the `LD_LIBRARY_PATH`: ```bash export LD_LIBRARY_PATH=/app/lib ./a.out ``` No error will happen. You can also replace the `/lib/libpulsar.so` with the `libpulsar.so` built from source.
BewareMyPower
requested review from
merlimat,
nodece,
RobertIndie,
Demogorgon314,
shibd and
michaeljmarshall
|
I opened a candidate release in my local env that includes this patch: https://github.com/BewareMyPower/pulsar-client-cpp/actions/runs/4112989933 |
shibd
approved these changes
Feb 7, 2023
BewareMyPower
added
release/3.1.2
and removed
cherry-picked/3.0
cherry-picked/3.1
labels
There was a problem hiding this comment.
I am not familiar with C++, but this looks correct to me. Thanks for fixing it @BewareMyPower!
BewareMyPower
added a commit
to BewareMyPower/pulsar-client-cpp
that referenced
this pull request
Dec 5, 2023
### Motivation apache#313 has reverted the fix of apache#190, which applies the `tlsTrustCertsFilePath` config for OAuth2 authentication. The macOS pre-built libraries are affected most because the bundled CA path is empty. ### Modification Apply the `tlsTrustCertsFilePath` for OAuth2. ### TODO Add the workflow to verify `tlsTrustCertsFilePath` is applied for OAuth2.
BewareMyPower
added a commit
to BewareMyPower/pulsar-client-cpp
that referenced
this pull request
Dec 5, 2023
### Motivation apache#313 has reverted the fix of apache#190, which applies the `tlsTrustCertsFilePath` config for OAuth2 authentication. The macOS pre-built libraries are affected most because the bundled CA path is empty. ### Modification Apply the `tlsTrustCertsFilePath` for OAuth2.
BewareMyPower
added a commit
that referenced
this pull request
Dec 6, 2023
### Motivation #313 has reverted the fix of #190, which applies the `tlsTrustCertsFilePath` config for OAuth2 authentication. The macOS pre-built libraries are affected most because the bundled CA path is empty. ### Modification Apply the `tlsTrustCertsFilePath` for OAuth2. (cherry picked from commit 27cba3e)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #184
Motivation
ClientConfiguration::getTlsTrustCertsFilePathis only used for HTTP service URL lookup and the TLS handshake, but not used for the OAuth2 client credentials flow. If the issuer URL or the OAuth2 authorization server requires the CA cert, the CA cert can only be loaded from a specific path, which is determined by how to build the C++ client. e.g. it's/etc/ssl/certs/ca-certificates.crtwhen libcurl is built in Debian-based Linux distros and/etc/pki/tls/certs/ca-bundle.crtin RedHat-based Linux distros. A typical issue is that the Pulsar Python wheels are built in a RedHat-based Linux image, if they are installed in a Debian-based Linux distro, users can only fix this issue by copying theca-certificats.certinto/etc/pki/tls/certs/ca-bundle.crt, while it should have been configured by thetls_trust_certs_file_pathconfig.Modifications
Add a
AuthenticationDataProviderimplementationInitialAuthData, which holds the CA cert path. Then, inAuthOauth2::getAuthData, retrieve the path and pass it to theClientCredentialFlowfor HTTP requests performed by libcurl.This solution is API and ABI compatible.
Verifications
It's hard to add the test in CI because we need an OAuth2 server configured with the CA configured.
Follow the How to reproduce section in
#184 (comment) to reproduce this issue. Apply this patch and build the
libpulsar.sowithLINK_STATIC=ON, then copy thelibpulsar.sointo the docker container (under/app/lib).Run
./a.outdirectly, you will still see theAuthenticationError. However, if you added the path oflibpulsar.soto theLD_LIBRARY_PATH:export LD_LIBRARY_PATH=/app/lib ./a.outNo error will happen. You can also replace the
/lib/libpulsar.sowith thelibpulsar.sobuilt from source.Documentation
doc-required(Your PR needs to update docs and you will update later)
doc-not-needed(Please explain why)
doc(Your PR contains doc changes)
doc-complete(Docs have been already added)