chore: releasing version 0.3.7 (#705)

Signed-off-by: badalprasadsingh <badal@datazip.io>
Signed-off-by: Badal Prasad Singh <badal@datazip.io>
Signed-off-by: Sai Sanjay <saisanjay7660@gmail.com>
Co-authored-by: Badal Prasad Singh <badal@datazip.io>
Co-authored-by: Duke <duke@datazip.io>
Co-authored-by: Sai Sanjay <saisanjay7660@gmail.com>
Co-authored-by: Vaibhav <vaibhav@datazip.io>

Author: 5 people

build.sh

@@ -120,4 +120,4 @@ if [ $# -gt 0 ]; then
     fi
 else
     fail "No arguments provided."
-fi
+fi

drivers/abstract/abstract.go

@@ -136,10 +136,6 @@ func (a *AbstractDriver) ClearState(streams []types.StreamInterface) (*types.Sta
 		for streamID := range dropStreams {
 			a.state.Global.Streams.Remove(streamID)
 		}
-		// if all global streams are dropped, no point for global state itself, making it null
-		if len(a.state.Global.Streams.Array()) == 0 {
-			a.state.Global.State = nil
-		}
 	}
 
 	if len(a.state.Streams) > 0 {

drivers/kafka/README.md

@@ -29,9 +29,30 @@ Add Kafka credentials in following format in `source.json` file. To check more a
         "max_threads": 3
     }
 ```
-- There are 3 security protocols:<br>
+- There are 4 security protocols:<br>
     - `PLAINTEXT`
         - Kafka cluster without any authentication and encryption.
+    - `SSL`
+        - Kafka cluster with TLS encryption (no SASL authentication).
+        - Supports external certificates for custom CA or mTLS.
+        - All certificate fields are optional (useful for AWS MSK where broker certificates are managed).
+        ```json
+        "protocol": {
+            "security_protocol": "SSL",
+            "tls_skip_verify": false,
+            "ssl": {
+                "server_ca": "-----BEGIN CERTIFICATE-----\nMII...\n-----END CERTIFICATE-----",
+                "client_cert": "-----BEGIN CERTIFICATE-----\nMII...\n-----END CERTIFICATE-----",
+                "client_key": "-----BEGIN PRIVATE KEY-----\nMII...\n-----END PRIVATE KEY-----",
+            }
+        }
+        ```
+        - For AWS MSK (no custom certificates needed):
+        ```json
+        "protocol": {
+            "security_protocol": "SSL"
+        }
+        ```
     - `SASL_PLAINTEXT`
         - Kafka cluster with Simple Authentication and Security Layer i.e. authentication but no encription.
         - Requires SASL mechanism and SASL JAAS Configuration string. Supported are: 
@@ -53,6 +74,7 @@ Add Kafka credentials in following format in `source.json` file. To check more a
             ```
     - `SASL_SSL`
         - Kafka cluster with Simple Authentication and Security Layer i.e. authentication and encryption using Secure Sockets Layer.
+        - Supports external certificates for custom CA or TLS/SSL (optional).
         - Requires SASL mechanism and SASL JAAS Configuration string. Supported are: 
             - PLAIN
             ```json
@@ -70,6 +92,20 @@ Add Kafka credentials in following format in `source.json` file. To check more a
                 "sasl_jaas_config": "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"TEST-PASS\" password=\"TEST-PASS\";"
             },
             ```
+            - With external certificates (TLS/SSL):
+            ```json
+            "protocol": {
+                "security_protocol": "SASL_SSL",
+                "sasl_mechanism": "PLAIN",
+                "sasl_jaas_config": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"TEST-USER\" password=\"TEST-PASS\";",
+                "tls_skip_verify": false,
+                "ssl": {
+                    "server_ca": "-----BEGIN CERTIFICATE-----\nMII...\n-----END CERTIFICATE-----",
+                    "client_cert": "-----BEGIN CERTIFICATE-----\nMII...\n-----END CERTIFICATE-----",
+                    "client_key": "-----BEGIN PRIVATE KEY-----\nMII...\n-----END PRIVATE KEY-----"
+                }
+            },
+            ```
 
 ## Commands
 ### Discover Command

drivers/kafka/go.mod

@@ -18,6 +18,7 @@ require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/andybalholm/brotli v1.1.1 // indirect
+	github.com/apache/arrow-go/v18 v18.2.0 // indirect
 	github.com/apache/thrift v0.21.0 // indirect
 	github.com/aws/aws-sdk-go v1.55.6 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.36.5 // indirect
@@ -58,18 +59,24 @@ require (
 	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/flatbuffers v25.2.10+incompatible // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/klauspost/asmfmt v1.3.2 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/magiconair/properties v1.8.10 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 // indirect
+	github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 // indirect
 	github.com/mitchellh/hashstructure v1.1.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/go-archive v0.1.0 // indirect
@@ -106,12 +113,14 @@ require (
 	github.com/testcontainers/testcontainers-go v0.37.0 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
+	github.com/twmb/murmur3 v1.1.8 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
 	github.com/xdg-go/scram v1.1.2 // indirect
 	github.com/xdg-go/stringprep v1.0.4 // indirect
 	github.com/xitongsys/parquet-go v1.6.2 // indirect
 	github.com/xitongsys/parquet-go-source v0.0.0-20241021075129-b732d2ac9c9b // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	github.com/zeebo/xxh3 v1.0.2 // indirect
 	go.mongodb.org/mongo-driver v1.17.3 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
@@ -120,10 +129,14 @@ require (
 	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.40.0 // indirect
+	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
+	golang.org/x/mod v0.25.0 // indirect
 	golang.org/x/net v0.42.0 // indirect
 	golang.org/x/sync v0.16.0 // indirect
 	golang.org/x/sys v0.35.0 // indirect
 	golang.org/x/text v0.27.0 // indirect
+	golang.org/x/tools v0.34.0 // indirect
+	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
 	google.golang.org/grpc v1.71.3 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect

drivers/kafka/internal/config.go

@@ -17,9 +17,11 @@ type Config struct {
 }
 
 type ProtocolConfig struct {
-	SecurityProtocol string `json:"security_protocol"`
-	SASLMechanism    string `json:"sasl_mechanism,omitempty"`
-	SASLJAASConfig   string `json:"sasl_jaas_config,omitempty"`
+	SecurityProtocol string           `json:"security_protocol"`
+	SASLMechanism    string           `json:"sasl_mechanism,omitempty"`
+	SASLJAASConfig   string           `json:"sasl_jaas_config,omitempty"`
+	TLSSkipVerify    bool             `json:"tls_skip_verify,omitempty"`
+	SSL              *utils.SSLConfig `json:"ssl,omitempty"`
 }
 
 func (c *Config) Validate() error {
@@ -28,7 +30,7 @@ func (c *Config) Validate() error {
 	}
 
 	if c.Protocol.SecurityProtocol == "" {
-		return fmt.Errorf("security_protocol must be either PLAINTEXT or SASL_PLAINTEXT or SASL_SSL")
+		return fmt.Errorf("security_protocol must be one of: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL")
 	}
 
 	if c.Protocol.SecurityProtocol == "SASL_PLAINTEXT" || c.Protocol.SecurityProtocol == "SASL_SSL" {
@@ -40,6 +42,20 @@ func (c *Config) Validate() error {
 		}
 	}
 
+	if c.Protocol.SecurityProtocol == "SSL" || c.Protocol.SecurityProtocol == "SASL_SSL" {
+		if c.Protocol.SSL != nil {
+			// Server CA is always required
+			if c.Protocol.SSL.ServerCA == "" {
+				return fmt.Errorf("server_ca must be provided")
+			}
+
+			// Client Cert and Key are required together for mTLS
+			if (c.Protocol.SSL.ClientCert != "") != (c.Protocol.SSL.ClientKey != "") {
+				return fmt.Errorf("both client_cert and client_key must be provided together for mTLS")
+			}
+		}
+	}
+
 	if c.MaxThreads <= 0 {
 		c.MaxThreads = constants.DefaultThreadCount
 	}

drivers/kafka/internal/kafka.go

@@ -3,13 +3,15 @@ package driver
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
-	kafkapkg "github.com/datazip-inc/olake/pkg/kafka"
 	"regexp"
 	"strings"
 	"sync"
 	"time"
 
+	kafkapkg "github.com/datazip-inc/olake/pkg/kafka"
+
 	"github.com/datazip-inc/olake/constants"
 	"github.com/datazip-inc/olake/drivers/abstract"
 	"github.com/datazip-inc/olake/types"
@@ -149,6 +151,15 @@ func (k *Kafka) createDialer() (*kafka.Dialer, error) {
 	switch k.config.Protocol.SecurityProtocol {
 	case "PLAINTEXT":
 		// No additional configuration needed
+
+	case "SSL":
+		// Pure TLS without SASL authentication
+		tlsConfig, err := k.buildTLSConfig()
+		if err != nil {
+			return nil, err
+		}
+		dialer.TLS = tlsConfig
+
 	case "SASL_PLAINTEXT":
 		switch k.config.Protocol.SASLMechanism {
 		case "PLAIN":
@@ -164,10 +175,15 @@ func (k *Kafka) createDialer() (*kafka.Dialer, error) {
 		default:
 			return nil, fmt.Errorf("unsupported SASL mechanism: %s", k.config.Protocol.SASLMechanism)
 		}
+
 	case "SASL_SSL":
-		dialer.TLS = &tls.Config{
-			MinVersion: tls.VersionTLS12,
+		// TLS with SASL authentication
+		tlsConfig, err := k.buildTLSConfig()
+		if err != nil {
+			return nil, err
 		}
+		dialer.TLS = tlsConfig
+
 		switch k.config.Protocol.SASLMechanism {
 		case "PLAIN":
 			dialer.SASLMechanism = plain.Mechanism{
@@ -182,6 +198,7 @@ func (k *Kafka) createDialer() (*kafka.Dialer, error) {
 		default:
 			return nil, fmt.Errorf("unsupported SASL mechanism: %s", k.config.Protocol.SASLMechanism)
 		}
+
 	default:
 		return nil, fmt.Errorf("unsupported security protocol: %s", k.config.Protocol.SecurityProtocol)
 	}
@@ -202,6 +219,38 @@ func parseSASLPlain(jassConfig string) (string, string, error) {
 	return matches[1], matches[2], nil
 }
 
+// buildTLSConfig creates TLS configuration with optional external certificates
+func (k *Kafka) buildTLSConfig() (*tls.Config, error) {
+	tlsConfig := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+	}
+
+	// Apply SSL config if provided
+	if k.config.Protocol.SSL != nil {
+		tlsConfig.InsecureSkipVerify = k.config.Protocol.TLSSkipVerify
+
+		// Load CA certificate if provided
+		if k.config.Protocol.SSL.ServerCA != "" {
+			caCertPool := x509.NewCertPool()
+			if !caCertPool.AppendCertsFromPEM([]byte(k.config.Protocol.SSL.ServerCA)) {
+				return nil, fmt.Errorf("failed to parse CA certificate")
+			}
+			tlsConfig.RootCAs = caCertPool
+		}
+
+		// Load client certificate and key for mTLS
+		if k.config.Protocol.SSL.ClientCert != "" && k.config.Protocol.SSL.ClientKey != "" {
+			cert, err := tls.X509KeyPair([]byte(k.config.Protocol.SSL.ClientCert), []byte(k.config.Protocol.SSL.ClientKey))
+			if err != nil {
+				return nil, fmt.Errorf("failed to load client certificate/key: %w", err)
+			}
+			tlsConfig.Certificates = []tls.Certificate{cert}
+		}
+	}
+
+	return tlsConfig, nil
+}
+
 // checkPartitionCompletion checks if a partition is complete and handles loop termination
 func (k *Kafka) checkPartitionCompletion(ctx context.Context, readerID string, completedPartitions, observedPartitions map[types.PartitionKey]struct{}) (bool, error) {
 	// cache observed partitions

drivers/kafka/resources/spec.json

@@ -75,13 +75,87 @@
                             "title": "SASL JAAS Config",
                             "description": "JAAS configuration string (e.g., org.apache.kafka.common.security.plain.PlainLoginModule required username=\"user\" password=\"pass\";)",
                             "minLength": 1
+                        },
+                        "tls_skip_verify": {
+                            "type": "boolean",
+                            "title": "Skip TLS Verification",
+                            "description": "Skip TLS certificate verification (not recommended for production)",
+                            "default": false
+                        },
+                        "ssl": {
+                            "type": "object",
+                            "title": "SSL Configuration",
+                            "description": "SSL/TLS certificate configuration (optional for AWS MSK)",
+                            "properties": {
+                                "server_ca": {
+                                    "type": "string",
+                                    "title": "CA Certificate",
+                                    "description": "CA certificate content in PEM format",
+                                    "multiline": true
+                                },
+                                "client_cert": {
+                                    "type": "string",
+                                    "title": "Client Certificate",
+                                    "description": "Client certificate content for mTLS authentication in PEM format",
+                                    "multiline": true
+                                },
+                                "client_key": {
+                                    "type": "string",
+                                    "title": "Client Key",
+                                    "description": "Client private key content for mTLS authentication in PEM format",
+                                    "multiline": true
+                                }
+                            }
                         }
                     },
                     "required": [
                         "security_protocol",
                         "sasl_mechanism",
                         "sasl_jaas_config"
                     ]
+                },
+                {
+                    "title": "SSL",
+                    "type": "object",
+                    "properties": {
+                        "security_protocol": {
+                            "const": "SSL"
+                        },
+                        "tls_skip_verify": {
+                            "type": "boolean",
+                            "title": "Skip TLS Verification",
+                            "description": "Skip TLS certificate verification (not recommended for production)",
+                            "default": false
+                        },
+                        "ssl": {
+                            "type": "object",
+                            "title": "SSL Configuration",
+                            "description": "SSL/TLS certificate configuration (all fields optional for AWS MSK)",
+                            "properties": {
+                                "server_ca": {
+                                    "type": "string",
+                                    "title": "CA Certificate",
+                                    "description": "CA certificate content in PEM format",
+                                    "multiline": true
+                                },
+                                "client_cert": {
+                                    "type": "string",
+                                    "title": "Client Certificate",
+                                    "description": "Client certificate content for mTLS authentication in PEM format",
+                                    "multiline": true
+                                },
+                                "client_key": {
+                                    "type": "string",
+                                    "title": "Client Key",
+                                    "description": "Client private key content for mTLS authentication in PEM format",
+                                    "multiline": true
+                                }
+                            }
+                        }
+                    },
+                    "required": [
+                        "security_protocol"
+                    ]
                 }
             ]
         },

drivers/mysql/internal/datatype_conversion.go

@@ -20,10 +20,13 @@ var mysqlTypeToDataTypes = map[string]types.DataType{
 	// Floating point types
 	"float":   types.Float32,
 	"real":    types.Float32,
-	"decimal": types.Float32,
-	"numeric": types.Float32,
 	"double":  types.Float64,
 
+	// Can handle up to 15 significant digits accurately (e.g., DECIMAL(15,2) or DECIMAL(15,7))
+	// Values with 16 digits may have minor rounding. Beyond 16 (from 17) digits will have precision loss.
+	"numeric": types.Float64,
+	"decimal": types.Float64,
+
 	// String types
 	"char":       types.String,
 	"varchar":    types.String,