apache · BewareMyPower · Feb 8, 2023 · Feb 7, 2023
diff --git a/lib/ClientConnection.cc b/lib/ClientConnection.cc
@@ -31,6 +31,7 @@
 #include "ProducerImpl.h"
 #include "PulsarApi.pb.h"
 #include "Url.h"
+#include "auth/InitialAuthData.h"
 #include "checksum/ChecksumProvider.h"
 
 DECLARE_LOG_OBJECT()
@@ -225,7 +226,8 @@ ClientConnection::ClientConnection(const std::string& logicalAddress, const std:
         std::string tlsCertificates = clientConfiguration.getTlsCertificateFilePath();
         std::string tlsPrivateKey = clientConfiguration.getTlsPrivateKeyFilePath();
 
-        AuthenticationDataPtr authData;
+        auto authData = std::dynamic_pointer_cast<AuthenticationDataProvider>(
+            std::make_shared<InitialAuthData>(clientConfiguration.getTlsTrustCertsFilePath()));
         if (authentication_->getAuthData(authData) == ResultOk && authData->hasDataForTls()) {
             tlsCertificates = authData->getTlsCertificates();
             tlsPrivateKey = authData->getTlsPrivateKey();

diff --git a/lib/auth/AuthOauth2.cc b/lib/auth/AuthOauth2.cc
@@ -25,6 +25,7 @@
 #include <sstream>
 #include <stdexcept>
 
+#include "InitialAuthData.h"
 #include "lib/LogUtils.h"
 DECLARE_LOG_OBJECT()
 
@@ -191,6 +192,10 @@ void ClientCredentialFlow::initialize() {
     char errorBuffer[CURL_ERROR_SIZE];
     curl_easy_setopt(handle, CURLOPT_ERRORBUFFER, errorBuffer);
 
+    if (!tlsTrustCertsFilePath_.empty()) {
+        curl_easy_setopt(handle, CURLOPT_CAINFO, tlsTrustCertsFilePath_.c_str());
+    }
+
     // Make get call to server
     res = curl_easy_perform(handle);
 
@@ -317,6 +322,10 @@ Oauth2TokenResultPtr ClientCredentialFlow::authenticate() {
     char errorBuffer[CURL_ERROR_SIZE];
     curl_easy_setopt(handle, CURLOPT_ERRORBUFFER, errorBuffer);
 
+    if (!tlsTrustCertsFilePath_.empty()) {
+        curl_easy_setopt(handle, CURLOPT_CAINFO, tlsTrustCertsFilePath_.c_str());
+    }
+
     // Make get call to server
     res = curl_easy_perform(handle);
 
@@ -401,6 +410,15 @@ AuthenticationPtr AuthOauth2::create(ParamMap& params) { return AuthenticationPt
 const std::string AuthOauth2::getAuthMethodName() const { return "token"; }
 
 Result AuthOauth2::getAuthData(AuthenticationDataPtr& authDataContent) {
+    auto initialAuthData = std::dynamic_pointer_cast<InitialAuthData>(authDataContent);
+    if (initialAuthData) {
+        auto flowPtr = std::dynamic_pointer_cast<ClientCredentialFlow>(flowPtr_);
+        if (!flowPtr_) {
+            throw std::invalid_argument("AuthOauth2::flowPtr_ is not a ClientCredentialFlow");
+        }
+        flowPtr->setTlsTrustCertsFilePath(initialAuthData->tlsTrustCertsFilePath_);
+    }
+
     if (cachedTokenPtr_ == nullptr || cachedTokenPtr_->isExpired()) {
         try {
             cachedTokenPtr_ = CachedTokenPtr(new Oauth2CachedToken(flowPtr_->authenticate()));

diff --git a/lib/auth/AuthOauth2.h b/lib/auth/AuthOauth2.h
@@ -60,12 +60,17 @@ class ClientCredentialFlow : public Oauth2Flow {
     ParamMap generateParamMap() const;
     std::string getTokenEndPoint() const;
 
+    void setTlsTrustCertsFilePath(const std::string& tlsTrustCertsFilePath) {
+        tlsTrustCertsFilePath_ = tlsTrustCertsFilePath;
+    }
+
    private:
     std::string tokenEndPoint_;
     const std::string issuerUrl_;
     const KeyFile keyFile_;
     const std::string audience_;
     const std::string scope_;
+    std::string tlsTrustCertsFilePath_;
     std::once_flag initializeOnce_;
 };
 

diff --git a/lib/auth/InitialAuthData.h b/lib/auth/InitialAuthData.h
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+#pragma once
+
+#include <pulsar/Authentication.h>
+
+namespace pulsar {
+
+class ClientConfiguration;
+
+struct InitialAuthData : public AuthenticationDataProvider {
+    const std::string tlsTrustCertsFilePath_;
+
+    InitialAuthData(const std::string& tlsTrustCertsFilePath)
+        : tlsTrustCertsFilePath_(tlsTrustCertsFilePath) {}
+
+    bool hasDataForHttp() override { return false; }
+    std::string getHttpHeaders() override { return ""; }
+    bool hasDataFromCommand() override { return false; }
+    std::string getCommandData() override { return ""; }
+};
+
+}  // namespace pulsar