Merge master

Author: PratRanj07

.github/pull_request_template.md

@@ -0,0 +1,43 @@
+<!--
+Suggested PR template: Fill/delete/add sections as needed. Optionally delete any commented block.
+-->
+What
+----
+<!--
+Briefly describe **what** you have changed and **why**.
+Optionally include implementation strategy.
+-->
+
+Checklist
+------------------
+- [ ] Contains customer facing changes? Including API/behavior changes <!-- This can help identify if it has introduced any breaking changes -->
+- [ ] Did you add sufficient unit test and/or integration test coverage for this PR?
+  - If not, please explain why it is not required
+
+References
+----------
+JIRA: 
+<!--
+Copy&paste links: to Jira ticket, other PRs, issues, Slack conversations...
+For code bumps: link to PR, tag or GitHub `/compare/master...master`
+-->
+
+Test & Review
+------------
+<!--
+Has it been tested? how?
+Copy&paste any handy instructions, steps or requirements that can save time to the reviewer or any reader.
+-->
+
+Open questions / Follow-ups
+--------------------------
+<!--
+Optional: anything open to discussion for the reviewer, out of scope, or follow-ups.
+-->
+
+<!--
+Review stakeholders
+------------------
+<!--
+Optional: mention stakeholders or if special context that is required to review.
+-->

3RD_PARTY.md

@@ -10,3 +10,4 @@ To add your project, open a pull request!
 - [Multi Schema Avro Deserializer](https://github.com/ycherkes/multi-schema-avro-desrializer) - Avro deserializer for reading messages serialized with multiple schemas.
 - [OpenSleigh.Transport.Kafka](https://github.com/mizrael/OpenSleigh/tree/develop/src/OpenSleigh.Transport.Kafka) - A Kafka Transport for OpenSleigh, a distributed saga management library.
 - [SlimMessageBus.Host.Kafka](https://github.com/zarusz/SlimMessageBus) - Apache Kafka transport for SlimMessageBus (lightweight message bus for .NET)
+- [Kafka Core](https://github.com/ffernandolima/confluent-kafka-core-dotnet) - Kafka Core empowers developers to build robust .NET applications on top of Confluent Kafka, focusing on simplicity, maintainability, and extensibility with intuitive abstractions and builders.

src/Confluent.SchemaRegistry.Encryption.Aws/AwsKmsClient.cs

@@ -12,7 +12,7 @@ public class AwsKmsClient : IKmsClient
     {
         private AmazonKeyManagementServiceClient kmsClient;
         private string keyId;
-        
+
         public string KekId { get; }
 
         public AwsKmsClient(string kekId, AWSCredentials credentials)
@@ -36,7 +36,7 @@ public AwsKmsClient(string kekId, AWSCredentials credentials)
 
         public bool DoesSupport(string uri)
         {
-            return uri.StartsWith(AwsKmsDriver.Prefix); 
+            return KekId == uri;
         }
 
         public async Task<byte[]> Encrypt(byte[] plaintext)

src/Confluent.SchemaRegistry.Encryption.Aws/AwsKmsDriver.cs

@@ -1,5 +1,7 @@
-using System.Collections.Generic;
+using System;
+using System.Collections.Generic;
 using Amazon.Runtime;
+using Amazon.Runtime.CredentialManagement;
 
 namespace Confluent.SchemaRegistry.Encryption.Aws
 {
@@ -13,20 +15,73 @@ public static void Register()
         public static readonly string Prefix = "aws-kms://";
         public static readonly string AccessKeyId = "access.key.id";
         public static readonly string SecretAccessKey = "secret.access.key";
-        
+        public static readonly string Profile = "profile";
+        public static readonly string RoleArn = "role.arn";
+        public static readonly string RoleSessionName = "role.session.name";
+        public static readonly string RoleExternalId = "role.external.id";
+
         public string GetKeyUrlPrefix()
         {
             return Prefix;
         }
 
         public IKmsClient NewKmsClient(IDictionary<string, string> config, string keyUrl)
         {
+            config.TryGetValue(RoleArn, out string roleArn);
+            if (roleArn == null)
+            {
+                roleArn = Environment.GetEnvironmentVariable("AWS_ROLE_ARN");
+            }
+            config.TryGetValue(RoleSessionName, out string roleSessionName);
+            if (roleSessionName == null)
+            {
+                roleSessionName = Environment.GetEnvironmentVariable("AWS_ROLE_SESSION_NAME");
+            }
+            config.TryGetValue(RoleExternalId, out string roleExternalId);
+            if (roleExternalId == null)
+            {
+                roleExternalId = Environment.GetEnvironmentVariable("AWS_ROLE_EXTERNAL_ID");
+            }
             AWSCredentials credentials = null;
             if (config.TryGetValue(AccessKeyId, out string accessKeyId) 
                 && config.TryGetValue(SecretAccessKey, out string secretAccessKey))
             {
                 credentials = new BasicAWSCredentials(accessKeyId, secretAccessKey);
             }
+            else if (config.TryGetValue(Profile, out string profile))
+            {
+                var credentialProfileStoreChain = new CredentialProfileStoreChain();
+                if (credentialProfileStoreChain.TryGetAWSCredentials(
+                        profile, out AWSCredentials creds))
+                    credentials = creds;
+            }
+            if (credentials == null)
+            {
+                credentials = FallbackCredentialsFactory.GetCredentials();
+            }
+            if (roleArn != null)
+            {
+                if (string.IsNullOrEmpty(roleExternalId))
+                {
+                    credentials = new AssumeRoleAWSCredentials(
+                        credentials,
+                        roleArn,
+                        roleSessionName ?? "confluent-encrypt");
+                }
+                else
+                {
+                    var options = new AssumeRoleAWSCredentialsOptions
+                    {
+                        ExternalId = roleExternalId
+                    };
+
+                    credentials = new AssumeRoleAWSCredentials(
+                        credentials,
+                        roleArn,
+                        roleSessionName ?? "confluent-encrypt",
+                        options);
+                }
+            }
             return new AwsKmsClient(keyUrl, credentials);
         }
     }

src/Confluent.SchemaRegistry.Encryption.Aws/Confluent.SchemaRegistry.Encryption.Aws.csproj

@@ -29,7 +29,8 @@
     </ItemGroup>
 
     <ItemGroup>
-        <PackageReference Include="AWSSDK.KeyManagementService" Version="3.7.302.19" />
+        <PackageReference Include="AWSSDK.KeyManagementService" Version="3.7.400.61" />
+        <PackageReference Include="AWSSDK.SecurityToken" Version="3.7.401.10" />
     </ItemGroup>
 
     <ItemGroup>

src/Confluent.SchemaRegistry.Encryption.Azure/AzureKmsClient.cs

@@ -25,7 +25,7 @@ public AzureKmsClient(string kekId, TokenCredential tokenCredential)
 
         public bool DoesSupport(string uri)
         {
-            return uri.StartsWith(AzureKmsDriver.Prefix); 
+            return KekId == uri;
         }
 
         public async Task<byte[]> Encrypt(byte[] plaintext)

src/Confluent.SchemaRegistry.Encryption.Gcp/GcpKmsClient.cs

@@ -36,7 +36,7 @@ public GcpKmsClient(string kekId, GoogleCredential credential)
 
         public bool DoesSupport(string uri)
         {
-            return uri.StartsWith(GcpKmsDriver.Prefix);
+            return KekId == uri;
         }
 
         public async Task<byte[]> Encrypt(byte[] plaintext)

src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsClient.cs

@@ -21,11 +21,6 @@ public class HcVaultKmsClient : IKmsClient
 
         public HcVaultKmsClient(string kekId, string ns, string tokenId)
         {
-            if (tokenId == null)
-            {
-                tokenId = Environment.GetEnvironmentVariable("VAULT_TOKEN");
-                ns = Environment.GetEnvironmentVariable("VAULT_NAMESPACE");
-            }
             KekId = kekId;
             Namespace = ns;
             TokenId = tokenId;
@@ -53,7 +48,7 @@ public HcVaultKmsClient(string kekId, string ns, string tokenId)
 
         public bool DoesSupport(string uri)
         {
-            return uri.StartsWith(HcVaultKmsDriver.Prefix);
+            return KekId == uri;
         }
 
         public async Task<byte[]> Encrypt(byte[] plaintext)

src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsDriver.cs

@@ -23,6 +23,11 @@ public IKmsClient NewKmsClient(IDictionary<string, string> config, string keyUrl
         {
             config.TryGetValue(TokenId, out string tokenId);
             config.TryGetValue(Namespace, out string ns);
+            if (tokenId == null)
+            {
+                tokenId = Environment.GetEnvironmentVariable("VAULT_TOKEN");
+                ns = Environment.GetEnvironmentVariable("VAULT_NAMESPACE");
+            }
             return new HcVaultKmsClient(keyUrl, ns, tokenId);
         }
     }

src/Confluent.SchemaRegistry.Encryption/LocalKmsClient.cs

@@ -16,14 +16,6 @@ public class LocalKmsClient : IKmsClient
 
         public LocalKmsClient(string secret)
         {
-            if (secret == null)
-            {
-                secret = Environment.GetEnvironmentVariable("LOCAL_SECRET");
-            }
-            if (secret == null)
-            {
-                throw new ArgumentNullException("Cannot load secret");
-            }
             Secret = secret;
             cryptor = new Cryptor(DekFormat.AES128_GCM);
             byte[] rawKey = Hkdf.DeriveKey(