feat: client side ssl authentication support for kafka client

2025-02-21 02:56:40 -08:00 · 2025-01-29 10:02:30 +01:00 · 2025-01-29 10:02:30 +01:00 · e11001088f
parent 4a32204bc3
commit e11001088f
3 changed files with 30 additions and 54 deletions
--- a/packages/nodes-base/credentials/Kafka.credentials.ts
+++ b/packages/nodes-base/credentials/Kafka.credentials.ts
@ -30,8 +30,8 @@ export class Kafka implements ICredentialType {
 			default: true,
 		},
 		{
-			displayName: 'SSL CA',
-			name: 'sslCa',
+			displayName: 'Client SSL Cert',
+			name: 'clientSslCert',
 			type: 'string',
 			typeOptions: {
 				password: true,
@ -42,11 +42,11 @@ export class Kafka implements ICredentialType {
 				},
 			},
 			default: '',
-			description: 'Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). When providing multiple cert chains, they do not have to be in the same order as their private keys in key. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.', 
+			description: 'Client’s public key in PEM format, used for authentication.', 
 		},
 		{
-			displayName: 'SSL Cert',
-			name: 'sslCert',
+			displayName: 'Client SSL Key',
+			name: 'clientSslKey',
 			type: 'string',
 			typeOptions: {
 				password: true,
@ -57,11 +57,11 @@ export class Kafka implements ICredentialType {
 				},
 			},
 			default: '',
-			description: 'Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). When providing multiple cert chains, they do not have to be in the same order as their private keys in key. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.', 
+			description: 'Client’s private key in PEM format, used for authentication.', 
 		},
 		{
-			displayName: 'SSL Key',
-			name: 'sslKey',
+			displayName: 'Client SSL Key Passphrase',
+			name: 'clientSslPassphrase',
 			type: 'string',
 			typeOptions: {
 				password: true,
@ -72,22 +72,7 @@ export class Kafka implements ICredentialType {
 				},
 			},
 			default: '',
-			description: 'Private keys in PEM format. PEM allows the option of private keys being encrypted. Encrypted keys will be decrypted with options.passphrase. Multiple keys using different algorithms can be provided either as an array of unencrypted key strings or buffers, or an array of objects in the form {pem: <string|buffer>[, passphrase: ]}. The object form can only occur in an array. object.passphrase is optional. Encrypted keys will be decrypted with object.passphrase if provided, or options.passphrase if it is not.', 
-		},
-		{
-			displayName: 'SSL Key Passphrase',
-			name: 'sslPassphrase',
-			type: 'string',
-			typeOptions: {
-				password: true,
-			},
-			displayOptions: {
-				show: {
-					ssl: [true],
-				},
-			},
-			default: '',
-			description: 'Shared passphrase used for a single private key and/or a PFX.', 
+			description: 'Passphrase used to decrypt the client SSL key.', 
 		},
 		{
 			displayName: 'Authentication',
--- a/packages/nodes-base/nodes/Kafka/Kafka.node.ts
+++ b/packages/nodes-base/nodes/Kafka/Kafka.node.ts
@ -225,19 +225,16 @@ export class Kafka implements INodeType {
 					let useSslConnectionOptions = false as boolean;
 					let sslConnectionOptions: ConnectionOptions = {}

-					if (ssl === true && (credentials.sslCa !== '' || credentials.sslCert !== ''  || credentials.sslKey !== '')) {
+					if (ssl === true && (credentials.clientSslCert !== ''  || credentials.clientSslKey !== '')) {
 						useSslConnectionOptions = true;
-						if (credentials.sslCa !== '') {
-							sslConnectionOptions.ca = [credentials.sslCa] as string[];
+						if (credentials.clientSslCert !== '') {
+							sslConnectionOptions.cert = credentials.clientSslCert as string;
 						}
-						if (credentials.sslCert !== '') {
-							sslConnectionOptions.cert = credentials.sslCert as string;
+						if (credentials.clientSslKey !== '') {
+							sslConnectionOptions.key = credentials.clientSslKey as string;
 						}
-						if (credentials.sslKey !== '') {
-							sslConnectionOptions.key = credentials.sslKey as string;
-						}
-						if (credentials.sslPassphrase !== '') {
-							sslConnectionOptions.passphrase = credentials.sslPassphrase as string;
+						if (credentials.clientSslPassphrase !== '') {
+							sslConnectionOptions.passphrase = credentials.clientSslPassphrase as string;
 						}
 					};

@ -314,19 +311,16 @@ export class Kafka implements INodeType {
 			let useSslConnectionOptions = false as boolean;
 			let sslConnectionOptions: ConnectionOptions = {}

-			if (ssl === true && (credentials.sslCa !== '' || credentials.sslCert !== ''  || credentials.sslKey !== '')) {
+			if (ssl === true && (credentials.clientSslCert !== ''  || credentials.clientSslKey !== '')) {
 				useSslConnectionOptions = true;
-				if (credentials.sslCa !== '') {
-					sslConnectionOptions.ca = [credentials.sslCa] as string[];
+				if (credentials.clientSslCert !== '') {
+					sslConnectionOptions.cert = credentials.clientSslCert as string;
 				}
-				if (credentials.sslCert !== '') {
-					sslConnectionOptions.cert = credentials.sslCert as string;
+				if (credentials.clientSslKey !== '') {
+					sslConnectionOptions.key = credentials.clientSslKey as string;
 				}
-				if (credentials.sslKey !== '') {
-					sslConnectionOptions.key = credentials.sslKey as string;
-				}
-				if (credentials.sslPassphrase !== '') {
-					sslConnectionOptions.passphrase = credentials.sslPassphrase as string;
+				if (credentials.clientSslPassphrase !== '') {
+					sslConnectionOptions.passphrase = credentials.clientSslPassphrase as string;
 				}
 			};
 			
--- a/packages/nodes-base/nodes/Kafka/KafkaTrigger.node.ts
+++ b/packages/nodes-base/nodes/Kafka/KafkaTrigger.node.ts
@ -193,19 +193,16 @@ export class KafkaTrigger implements INodeType {
 		let useSslConnectionOptions = false as boolean;
 		let sslConnectionOptions: ConnectionOptions = {}

-		if (ssl === true && (credentials.sslCa !== '' || credentials.sslCert !== ''  || credentials.sslKey !== '')) {
+		if (ssl === true && (credentials.clientSslCert !== ''  || credentials.clientSslKey !== '')) {
 			useSslConnectionOptions = true;
-			if (credentials.sslCa !== '') {
-				sslConnectionOptions.ca = [credentials.sslCa] as string[];
+			if (credentials.clientSslCert !== '') {
+				sslConnectionOptions.cert = credentials.clientSslCert as string;
 			}
-			if (credentials.sslCert !== '') {
-				sslConnectionOptions.cert = credentials.sslCert as string;
+			if (credentials.clientSslKey !== '') {
+				sslConnectionOptions.key = credentials.clientSslKey as string;
 			}
-			if (credentials.sslKey !== '') {
-				sslConnectionOptions.key = credentials.sslKey as string;
-			}
-			if (credentials.sslPassphrase !== '') {
-				sslConnectionOptions.passphrase = credentials.sslPassphrase as string;
+			if (credentials.clientSslPassphrase !== '') {
+				sslConnectionOptions.passphrase = credentials.clientSslPassphrase as string;
 			}
 		};