This repository has been archived by the owner on May 9, 2023. It is now read-only.
forked from zio/zio-kafka
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Nick
committed
Jan 20, 2023
1 parent
d1cd3e6
commit a816525
Showing
14 changed files
with
467 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
207 changes: 207 additions & 0 deletions
207
zio-kafka-test-utils/src/main/resources/kafka-generate-ssl.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,207 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -e | ||
|
||
KEYSTORE_FILENAME="kafka.keystore.jks" | ||
VALIDITY_IN_DAYS=3650 | ||
DEFAULT_TRUSTSTORE_FILENAME="kafka.truststore.jks" | ||
TRUSTSTORE_WORKING_DIRECTORY="truststore" | ||
KEYSTORE_WORKING_DIRECTORY="keystore" | ||
CA_CERT_FILE="ca-cert" | ||
KEYSTORE_SIGN_REQUEST="cert-file" | ||
KEYSTORE_SIGN_REQUEST_SRL="ca-cert.srl" | ||
KEYSTORE_SIGNED_CERT="cert-signed" | ||
|
||
function file_exists_and_exit() { | ||
echo "'$1' cannot exist. Move or delete it before" | ||
echo "re-running this script." | ||
exit 1 | ||
} | ||
|
||
if [ -e "$KEYSTORE_WORKING_DIRECTORY" ]; then | ||
file_exists_and_exit $KEYSTORE_WORKING_DIRECTORY | ||
fi | ||
|
||
if [ -e "$CA_CERT_FILE" ]; then | ||
file_exists_and_exit $CA_CERT_FILE | ||
fi | ||
|
||
if [ -e "$KEYSTORE_SIGN_REQUEST" ]; then | ||
file_exists_and_exit $KEYSTORE_SIGN_REQUEST | ||
fi | ||
|
||
if [ -e "$KEYSTORE_SIGN_REQUEST_SRL" ]; then | ||
file_exists_and_exit $KEYSTORE_SIGN_REQUEST_SRL | ||
fi | ||
|
||
if [ -e "$KEYSTORE_SIGNED_CERT" ]; then | ||
file_exists_and_exit $KEYSTORE_SIGNED_CERT | ||
fi | ||
|
||
echo | ||
echo "Welcome to the Kafka SSL keystore and truststore generator script." | ||
|
||
echo | ||
echo "First, do you need to generate a trust store and associated private key," | ||
echo "or do you already have a trust store file and private key?" | ||
echo | ||
echo -n "Do you need to generate a trust store and associated private key? [yn] " | ||
read generate_trust_store | ||
|
||
trust_store_file="" | ||
trust_store_private_key_file="" | ||
|
||
if [ "$generate_trust_store" == "y" ]; then | ||
if [ -e "$TRUSTSTORE_WORKING_DIRECTORY" ]; then | ||
file_exists_and_exit $TRUSTSTORE_WORKING_DIRECTORY | ||
fi | ||
|
||
mkdir $TRUSTSTORE_WORKING_DIRECTORY | ||
echo | ||
echo "OK, we'll generate a trust store and associated private key." | ||
echo | ||
echo "First, the private key." | ||
echo | ||
echo "You will be prompted for:" | ||
echo " - A password for the private key. Remember this." | ||
echo " - Information about you and your company." | ||
echo " - NOTE that the Common Name (CN) is currently not important." | ||
|
||
openssl req -new -x509 -keyout $TRUSTSTORE_WORKING_DIRECTORY/ca-key \ | ||
-out $TRUSTSTORE_WORKING_DIRECTORY/$CA_CERT_FILE -days $VALIDITY_IN_DAYS | ||
|
||
trust_store_private_key_file="$TRUSTSTORE_WORKING_DIRECTORY/ca-key" | ||
|
||
echo | ||
echo "Two files were created:" | ||
echo " - $TRUSTSTORE_WORKING_DIRECTORY/ca-key -- the private key used later to" | ||
echo " sign certificates" | ||
echo " - $TRUSTSTORE_WORKING_DIRECTORY/$CA_CERT_FILE -- the certificate that will be" | ||
echo " stored in the trust store in a moment and serve as the certificate" | ||
echo " authority (CA). Once this certificate has been stored in the trust" | ||
echo " store, it will be deleted. It can be retrieved from the trust store via:" | ||
echo " $ keytool -keystore <trust-store-file> -export -alias CARoot -rfc" | ||
|
||
echo | ||
echo "Now the trust store will be generated from the certificate." | ||
echo | ||
echo "You will be prompted for:" | ||
echo " - the trust store's password (labeled 'keystore'). Remember this" | ||
echo " - a confirmation that you want to import the certificate" | ||
|
||
keytool -keystore $TRUSTSTORE_WORKING_DIRECTORY/$DEFAULT_TRUSTSTORE_FILENAME \ | ||
-alias CARoot -import -file $TRUSTSTORE_WORKING_DIRECTORY/$CA_CERT_FILE | ||
|
||
trust_store_file="$TRUSTSTORE_WORKING_DIRECTORY/$DEFAULT_TRUSTSTORE_FILENAME" | ||
|
||
echo | ||
echo "$TRUSTSTORE_WORKING_DIRECTORY/$DEFAULT_TRUSTSTORE_FILENAME was created." | ||
|
||
# don't need the cert because it's in the trust store. | ||
rm $TRUSTSTORE_WORKING_DIRECTORY/$CA_CERT_FILE | ||
else | ||
echo | ||
echo -n "Enter the path of the trust store file. " | ||
read -e trust_store_file | ||
|
||
if ! [ -f $trust_store_file ]; then | ||
echo "$trust_store_file isn't a file. Exiting." | ||
exit 1 | ||
fi | ||
|
||
echo -n "Enter the path of the trust store's private key. " | ||
read -e trust_store_private_key_file | ||
|
||
if ! [ -f $trust_store_private_key_file ]; then | ||
echo "$trust_store_private_key_file isn't a file. Exiting." | ||
exit 1 | ||
fi | ||
fi | ||
|
||
echo | ||
echo "Continuing with:" | ||
echo " - trust store file: $trust_store_file" | ||
echo " - trust store private key: $trust_store_private_key_file" | ||
|
||
mkdir $KEYSTORE_WORKING_DIRECTORY | ||
|
||
echo | ||
echo "Now, a keystore will be generated. Each broker and logical client needs its own" | ||
echo "keystore. This script will create only one keystore. Run this script multiple" | ||
echo "times for multiple keystores." | ||
echo | ||
echo "You will be prompted for the following:" | ||
echo " - A keystore password. Remember it." | ||
echo " - Personal information, such as your name." | ||
echo " NOTE: currently in Kafka, the Common Name (CN) does not need to be the FQDN of" | ||
echo " this host. However, at some point, this may change. As such, make the CN" | ||
echo " the FQDN. Some operating systems call the CN prompt 'first / last name'" | ||
echo " - A key password, for the key being generated within the keystore. Remember this." | ||
|
||
# To learn more about CNs and FQDNs, read: | ||
# https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/X509ExtendedTrustManager.html | ||
|
||
keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME \ | ||
-alias localhost -validity $VALIDITY_IN_DAYS -genkey -keyalg RSA | ||
|
||
echo | ||
echo "'$KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME' now contains a key pair and a" | ||
echo "self-signed certificate. Again, this keystore can only be used for one broker or" | ||
echo "one logical client. Other brokers or clients need to generate their own keystores." | ||
|
||
echo | ||
echo "Fetching the certificate from the trust store and storing in $CA_CERT_FILE." | ||
echo | ||
echo "You will be prompted for the trust store's password (labeled 'keystore')" | ||
|
||
keytool -keystore $trust_store_file -export -alias CARoot -rfc -file $CA_CERT_FILE | ||
|
||
echo | ||
echo "Now a certificate signing request will be made to the keystore." | ||
echo | ||
echo "You will be prompted for the keystore's password." | ||
keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias localhost \ | ||
-certreq -file $KEYSTORE_SIGN_REQUEST | ||
|
||
echo | ||
echo "Now the trust store's private key (CA) will sign the keystore's certificate." | ||
echo | ||
echo "You will be prompted for the trust store's private key password." | ||
openssl x509 -req -CA $CA_CERT_FILE -CAkey $trust_store_private_key_file \ | ||
-in $KEYSTORE_SIGN_REQUEST -out $KEYSTORE_SIGNED_CERT \ | ||
-days $VALIDITY_IN_DAYS -CAcreateserial | ||
# creates $KEYSTORE_SIGN_REQUEST_SRL which is never used or needed. | ||
|
||
echo | ||
echo "Now the CA will be imported into the keystore." | ||
echo | ||
echo "You will be prompted for the keystore's password and a confirmation that you want to" | ||
echo "import the certificate." | ||
keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias CARoot \ | ||
-import -file $CA_CERT_FILE | ||
rm $CA_CERT_FILE # delete the trust store cert because it's stored in the trust store. | ||
|
||
echo | ||
echo "Now the keystore's signed certificate will be imported back into the keystore." | ||
echo | ||
echo "You will be prompted for the keystore's password." | ||
keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias localhost -import \ | ||
-file $KEYSTORE_SIGNED_CERT | ||
|
||
echo | ||
echo "All done!" | ||
echo | ||
echo "Delete intermediate files? They are:" | ||
echo " - '$KEYSTORE_SIGN_REQUEST_SRL': CA serial number" | ||
echo " - '$KEYSTORE_SIGN_REQUEST': the keystore's certificate signing request" | ||
echo " (that was fulfilled)" | ||
echo " - '$KEYSTORE_SIGNED_CERT': the keystore's certificate, signed by the CA, and stored back" | ||
echo " into the keystore" | ||
echo -n "Delete? [yn] " | ||
read delete_intermediate_files | ||
|
||
if [ "$delete_intermediate_files" == "y" ]; then | ||
rm $KEYSTORE_SIGN_REQUEST_SRL | ||
rm $KEYSTORE_SIGN_REQUEST | ||
rm $KEYSTORE_SIGNED_CERT | ||
fi |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
-----BEGIN ENCRYPTED PRIVATE KEY----- | ||
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIzfQ361sbhwcCAggA | ||
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECFnRtpSC5wpfBIIEyJcYOkR1kbjO | ||
nnq2FuuObw3k2xwRqI/0EVLeQ8WPh3IPCDVlFLJ71S4HVhoUc9wJd+o+pnS3b9IR | ||
fP8Hf8usTH9LYdnA4m8oeJD79sxbZZzRGaphSMm2AfOGxndhxFXj0uscHWj2b35w | ||
vKDbQdicuxiN1oRo8lZWyVEBgBRDOX8azFoAINPPaTCLj1MSf2YByRMz5CXP83iC | ||
ADkogExPJuIigzQT/UrW+cBPMeQQIvcv/acWAmN8NciQIlzsxJ3gCaFRVIkzuJM0 | ||
CqY0hscXWRCWYtHjm0hF5SQSUsG+/5dfthXprN3/H5AZn3mqnBby8SvtyhoPmK89 | ||
sNy9JbTeA37yDR7ifP8rbIsiMM+WrCTkRLz/SOAlcQ5CyY0DoQiyheKYzTfH8Qr7 | ||
fcswFaRET2iQEBkDiTyA+tDHAkAqmRxOgiSyWoo7lmnhp7/DfxSes8Gfsz6JL93z | ||
cidD9zF7/iRO8Ucnakx1AexyqKVylhQtGGQWXivgpP37cxYdP6Y1HJQAu+/tA0tB | ||
6IreAOpL7M+ULL3hbNL/VTqs+QRN4psbO0BJvBOizoxj40bRMDGNd5Jo3tswmsax | ||
/jb82XRW/drjXKNImo1Uk+HzNr3DCLcncSTWNaRrWMIf7mGs5KOi0vKfT6ZCutkF | ||
Am1QPC5tV7taOprvQABl+OXbs44uSFrgbkTZh5TGADVK7X4xlCiW68aBislAb1pP | ||
lp9CBlud+yirFVsQbPvR7rHTYqa8cEM+MfOKND+QHZ6RwtpFWVTuFKICFjHRrd0k | ||
M42sT8IWVNBpQcFZ08U/0tudOU6Fpb+CwC1LVVYztdmhrTSJGsl/JyITO8AMsXk8 | ||
0mCh5z4vHSeRv7+1/6YdQ67stUhJOYI25J18Ez1unRmp0otg3VGQ1RAoyaQ0u1KQ | ||
78NlzB3JVRlCKbB798yMsmlvE1Pu0W81W200+6E0EC/29U8lKyLW26UndAC2wMbs | ||
UHsYmLh+L2jeCdaFHEpxMRSysUX8T+ucHH3R0jQwYhFOHVxHpdSH0WU/wTjZUNC3 | ||
5+nRTMg2I8nHlfE0/6osi2/y7DxPfGV/cxvybdBfrIgrZ0BXBqEQ2K+1zieqqIKQ | ||
e0rDNByAd/EuyEeRYXA+8efnzzp76pnxPgNa7T3espqBGiWagXfSq0pJpNokSF2n | ||
nqirsu+iReoCGjjP/LbR8vhWTbj940w5uupnK7T0NSuJsU1VjnsC2PmJNFYoHNsc | ||
e/8R0qe2j8vFpPIM06L3z+zXb7w6FBehRXnvdHkdjv6j/jZ0856hLsWLYprQQK87 | ||
hBFc9Qod2IM9RHM1DBLJdwTgMdaWi/NzeFU+ycGwk8Bq3f0i7rEN7wBzKWwr8k3Q | ||
cKVomdOqVgvjmMo4KNhBi9c1WuSIl78LYhdb2g011m3PjWjhTobN7V2vWaioeR5U | ||
ls9bA2CXlduebN+58LhGyJQ8HQ1IDFdXJGv/o8JLvlsa5ePSWo9JGUZM6cIjPXu0 | ||
oLoGxd+vI6wmhS7QjuHH8jvoe7KiycnINAxrezcoW0jy43iisiT/OCxU2QNvmx81 | ||
vjXQ9RoIC20C2XDS2egTjddJFRFOOL23wRXulgtZ11RzrvvqLVoJ5M7xkLcFbq5l | ||
T7LLJiv2KMJkEbZCgZ+pgA== | ||
-----END ENCRYPTED PRIVATE KEY----- |
Binary file added
BIN
+1.22 KB
zio-kafka-test-utils/src/main/resources/truststore/kafka.truststore.jks
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
10 changes: 10 additions & 0 deletions
10
zio-kafka-test-utils/src/main/scala/zio/kafka/ZIOSpecWithSslKafka.scala
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
package zio.kafka | ||
|
||
import zio.ZLayer | ||
import zio.kafka.embedded.Kafka | ||
import zio.test._ | ||
|
||
trait ZIOSpecWithSslKafka extends ZIOSpec[TestEnvironment with Kafka] with KafkaRandom { | ||
override val bootstrap: ZLayer[Any, Any, TestEnvironment with Kafka] = | ||
testEnvironment ++ Kafka.sslEmbedded | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.