feat(kafka): SaslMechanismPlugin extension trait (0.14.0) (#94)

* feat(kafka): add SaslMechanismPlugin extension trait (0.14.0)

Adds a pluggable SASL mechanism extension point, unblocking downstream
OAUTHBEARER / MSK IAM / OIDC implementations without bringing their
dependencies into OSS.

- SaslMechanismPlugin trait + KIP-368 re-authentication scheduler
  (80% fraction, 30s floor, ±5s jitter).
- Default interpret_server_error handles both RFC 7628 JSON and
  Kafka 3.5+ free-form error_message bytes.
- SecurityConfig.sasl_mechanism_plugin field with #[serde(skip)] —
  programmatic wiring only, no YAML surface.
- Unified SASL dispatch: the four duplicated sasl_{plain,scram}_auth
  methods collapse into a single function called by both initial-connect
  and reconnect paths.
- SCRAM/PLAIN integration baseline tests (tests/sasl-test-infra/).
- OAUTHBEARER E2E fixture with Confluent cp-kafka 7.7.0 unsecured-JWS
  (tests/sasl-oauth-test-infra/).
- In-process hand-rolled Kafka-wire mock for plugin dispatch tests —
  zero new dev-deps (cleaner than the PRD's rsasl target).
- Example: examples/custom_sasl_plugin.rs — minimal static-token
  OAUTHBEARER reference implementation.

Zero new runtime dependencies. Behaviour unchanged for existing
PLAIN / SCRAM-* / mTLS / plaintext configurations.

See docs/PRD-sasl-mechanism-plugin.md (v2.1).

Known limitation: reauth task is not aborted on reconnect — followup
tracked separately.

Co-Authored-By: Claude Opus 4.7 <[email protected]>

* fix(test): inline OAUTH JAAS via listener-scoped config

Setting `java.security.auth.login.config` via `KAFKA_OPTS` caused the
cp-kafka preflight ZK client to hang looking for a `Client` JAAS
section (and, once that was bypassed with `-Dzookeeper.sasl.client=false`,
to time out waiting for readiness despite a successful ZK session).

Switch to `KAFKA_LISTENER_NAME_SASL_OAUTHBEARER_SASL_JAAS_CONFIG` inline
so no JVM-level JAAS config is set and the ZK preflight isn't confused.
Drop the `./jaas.conf` volume mount since it is now unused.

Locally verified: `docker compose up -d --wait` reaches healthy, and
`sasl_oauth_bearer_static_token_e2e` passes against the fixture.

* chore(clippy): sort_by -> sort_by_key (Rust 1.95 lint)

Rust 1.95 promotes `clippy::unnecessary_sort_by` to a standard lint
under `-D warnings`, which made PR #94 CI red. The comparator here is
a plain descending sort on a Copy field, so `sort_by_key` + `Reverse`
is the idiomatic equivalent.

No behaviour change.

* chore(clippy): collapse nested if into match guard (Rust 1.95 lint)

Rust 1.95 tightened `clippy::collapsible_match` to flag nested `if`
inside a `match` arm. Local toolchain (1.94.1) does not reproduce.
No behavioural change.

Co-Authored-By: Claude Opus 4.7 <[email protected]>

* ci: skip SASL integration tests that require Docker compose fixtures

The integration_suite workflow runs `--include-ignored` to cover ignored
suites, but CI does not spin up the SASL OAUTH / GSSAPI compose fixtures
those tests need. Extending the existing `--skip tls` pattern to also
skip `sasl_` keeps the job green while the fixtures remain dev-only.

---------

Co-authored-by: Claude Opus 4.7 <[email protected]>

Author: sionsmith

.github/workflows/test.yml

@@ -131,9 +131,13 @@ jobs:
           TESTCONTAINERS: "true"
 
       - name: Run integration test suite
-        # Note: --include-ignored runs ignored tests, but we skip TLS tests as they require
-        # local certificate setup (see tests/tls-test-infra/README for manual TLS testing)
-        run: cargo test --test integration_suite_tests --all-features -- --nocapture --include-ignored --skip tls
+        # --include-ignored runs ignored tests. We skip suites whose fixtures
+        # aren't brought up in this workflow:
+        #   - tls:   requires local certificate setup (tests/tls-test-infra/)
+        #   - sasl_: requires SASL Docker compose fixtures
+        #            (tests/sasl-oauth-test-infra/, tests/sasl-gssapi-test-infra/)
+        # These are run manually or in dedicated workflows.
+        run: cargo test --test integration_suite_tests --all-features -- --nocapture --include-ignored --skip tls --skip sasl_
         env:
           DOCKER_HOST: unix:///var/run/docker.sock
           RUST_LOG: debug

CHANGELOG.md

@@ -5,6 +5,37 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.14.0] - 2026-04-21
+
+### Added
+- **Pluggable SASL mechanism extension point** (`SaslMechanismPlugin` trait)
+  — lets downstream crates implement OAUTHBEARER, MSK IAM, or custom
+  SASL mechanisms without forking `kafka-backup-core`.
+  - Handshake + single- or multi-round `SaslAuthenticate` dispatch.
+  - KIP-368 re-authentication scheduler: spawns a task post-handshake
+    when the broker advertises `session_lifetime_ms > 0`; fires
+    `reauth_payload` at 80 % of the advertised lifetime with a 30 s
+    minimum floor and ±5 s jitter.
+  - Default `interpret_server_error` handles both RFC 7628 JSON and
+    Apache Kafka 3.5+ free-form `error_message` bytes.
+  - New field `SecurityConfig.sasl_mechanism_plugin: Option<Arc<dyn SaslMechanismPlugin>>`
+    (marked `#[serde(skip)]` — programmatic wiring only, no YAML surface).
+- 14 unit tests + 4 integration tests exercising single-round,
+  multi-round, server-error, and scheduler paths against an
+  in-process Kafka-wire mock (no Docker required).
+- `#[ignore]` E2E test against Confluent cp-kafka 7.7.0 configured for
+  SASL_PLAINTEXT + OAUTHBEARER with the bundled unsecured-JWS validator.
+  Fixture: `tests/sasl-oauth-test-infra/`.
+- Example: `examples/custom_sasl_plugin.rs` — minimal static-token
+  OAUTHBEARER plugin (reference implementation).
+
+### Changed
+- SASL dispatch in `KafkaClient` unified: the four duplicated
+  `sasl_{plain,scram}_auth{,_raw}` methods collapse into a single
+  dispatch function called by both initial-connect and reconnect.
+  Behaviour for existing `PLAIN` / `SCRAM-SHA-256` / `SCRAM-SHA-512`
+  configurations is unchanged.
+
 ## [0.13.5] - 2026-04-16
 
 ### Fixed

Cargo.lock

@@ -6,7 +6,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.13.5"
+version = "0.14.0"
 edition = "2021"
 license = "MIT"
 authors = ["OSO"]

Cargo.toml

@@ -354,5 +354,6 @@ fn parse_security_config(protocol: Option<&str>) -> SecurityConfig {
         ssl_ca_location,
         ssl_certificate_location: None,
         ssl_key_location: None,
+        sasl_mechanism_plugin: None,
     }
 }

crates/kafka-backup-cli/src/commands/offset_reset.rs

@@ -324,5 +324,6 @@ fn parse_security_config(protocol: Option<&str>) -> SecurityConfig {
         ssl_ca_location,
         ssl_certificate_location: None,
         ssl_key_location: None,
+        sasl_mechanism_plugin: None,
     }
 }

crates/kafka-backup-cli/src/commands/offset_reset_bulk.rs

@@ -507,5 +507,6 @@ fn parse_security_config(protocol: Option<&str>) -> SecurityConfig {
         ssl_ca_location,
         ssl_certificate_location: None,
         ssl_key_location: None,
+        sasl_mechanism_plugin: None,
     }
 }

crates/kafka-backup-cli/src/commands/offset_rollback.rs

@@ -232,11 +232,8 @@ fn parse_prometheus_metrics(text: &str) -> ParsedMetrics {
                 | "kafka_backup_segments_written_total" => {
                     metrics.segments_written = value as u64;
                 }
-                "kafka_backup_storage_write_bytes_total_total" => {
-                    // Use storage write bytes as backup bytes if not already set
-                    if metrics.bytes_total == 0 {
-                        metrics.bytes_total = value as u64;
-                    }
+                "kafka_backup_storage_write_bytes_total_total" if metrics.bytes_total == 0 => {
+                    metrics.bytes_total = value as u64;
                 }
                 "kafka_backup_throughput_records_per_second" => {
                     metrics.throughput_records_per_sec = value;

crates/kafka-backup-cli/src/commands/status_watch.rs

@@ -0,0 +1,109 @@
+//! Minimal `SaslMechanismPlugin` reference: a static-token `OAUTHBEARER` plugin.
+//!
+//! This example shows the smallest useful implementation of the
+//! [`SaslMechanismPlugin`] extension trait: hand a static JWT (or any opaque
+//! bearer token) to the `KafkaClient`, and the handshake completes against
+//! any broker configured to accept that token.
+//!
+//! Real-world plugins typically wrap a token-refresh cache — an OIDC client,
+//! an AWS MSK IAM presigner, a Keycloak adapter, etc. The canonical
+//! production implementations live in `kafka-backup-enterprise-core` and
+//! cover MSK IAM (`aws-sigv4`), Confluent Cloud, and OIDC.
+//!
+//! Run it with:
+//!
+//! ```bash
+//! cargo build --example custom_sasl_plugin -p kafka-backup-core
+//! ```
+//!
+//! The example does not actually connect to a broker — it just proves the
+//! wiring compiles against the public trait surface.
+
+use std::sync::Arc;
+
+use async_trait::async_trait;
+use kafka_backup_core::config::{KafkaConfig, SecurityConfig, SecurityProtocol, TopicSelection};
+use kafka_backup_core::kafka::{
+    KafkaClient, SaslMechanismPlugin, SaslMechanismPluginHandle, SaslPluginError,
+};
+
+/// A static-token OAUTHBEARER plugin.
+///
+/// Constructs an RFC 7628 client-initial-response payload from a fixed
+/// principal and bearer token. Suitable for local testing against brokers
+/// running the Apache Kafka `OAuthBearerUnsecuredValidatorCallbackHandler`
+/// (unsecured-JWS mode) or any broker that accepts static tokens.
+#[derive(Debug)]
+struct StaticTokenOauthBearer {
+    principal: String,
+    token: String,
+}
+
+impl StaticTokenOauthBearer {
+    fn new(principal: impl Into<String>, token: impl Into<String>) -> Self {
+        Self {
+            principal: principal.into(),
+            token: token.into(),
+        }
+    }
+
+    fn into_handle(self) -> SaslMechanismPluginHandle {
+        Arc::new(self)
+    }
+}
+
+#[async_trait]
+impl SaslMechanismPlugin for StaticTokenOauthBearer {
+    fn mechanism_name(&self) -> &str {
+        "OAUTHBEARER"
+    }
+
+    async fn initial_payload(&self) -> Result<Vec<u8>, SaslPluginError> {
+        Ok(build_rfc7628_cir(&self.principal, &self.token))
+    }
+}
+
+/// Build an RFC 7628 §3.1 client initial response:
+/// `n,a=<authzid>,<0x01>auth=Bearer <token><0x01><0x01>`.
+fn build_rfc7628_cir(principal: &str, token: &str) -> Vec<u8> {
+    let mut buf = Vec::with_capacity(principal.len() + token.len() + 16);
+    buf.extend_from_slice(b"n,a=");
+    buf.extend_from_slice(principal.as_bytes());
+    buf.push(b',');
+    buf.push(0x01);
+    buf.extend_from_slice(b"auth=Bearer ");
+    buf.extend_from_slice(token.as_bytes());
+    buf.push(0x01);
+    buf.push(0x01);
+    buf
+}
+
+fn main() {
+    // An unsecured JWT (`alg: none`) for local testing. Production tokens
+    // come from an IdP — Okta, Keycloak, AWS STS, etc.
+    let unsecured_jwt = concat!(
+        "eyJhbGciOiJub25lIn0",
+        ".",
+        "eyJzdWIiOiJ0ZXN0LXVzZXIiLCJleHAiOjk5OTk5OTk5OTksImlhdCI6MTAwMH0",
+        ".",
+    );
+
+    let plugin = StaticTokenOauthBearer::new("test-user", unsecured_jwt).into_handle();
+
+    let config = KafkaConfig {
+        bootstrap_servers: vec!["localhost:9097".to_string()],
+        security: SecurityConfig {
+            security_protocol: SecurityProtocol::SaslPlaintext,
+            sasl_mechanism_plugin: Some(plugin),
+            ..Default::default()
+        },
+        topics: TopicSelection::default(),
+        connection: Default::default(),
+    };
+
+    let _client = KafkaClient::new(config);
+    println!(
+        "OAUTHBEARER plugin wired into KafkaClient. \
+         Connect would go to localhost:9097 — skipped (no broker in this example)."
+    );
+}

crates/kafka-backup-core/examples/custom_sasl_plugin.rs

@@ -207,6 +207,15 @@ pub struct SecurityConfig {
     /// Path to client key file (for mTLS)
     #[serde(default)]
     pub ssl_key_location: Option<PathBuf>,
+
+    /// Optional pluggable SASL mechanism implementation.
+    ///
+    /// When set, overrides [`sasl_mechanism`] and drives the handshake
+    /// through the plugin (e.g. `OAUTHBEARER` for MSK IAM). Not YAML-
+    /// configurable — downstream crates inject this programmatically
+    /// after parsing the config.
+    #[serde(skip)]
+    pub sasl_mechanism_plugin: Option<crate::kafka::SaslMechanismPluginHandle>,
 }
 
 /// Security protocol
@@ -960,6 +969,42 @@ bootstrap_servers:
         assert!(config.connection.tcp_nodelay);
     }
 
+    #[test]
+    fn test_security_config_serde_skips_plugin_field() {
+        // `sasl_mechanism_plugin` is `#[serde(skip)]` — programmatic only.
+        // Regressions would leak a non-serializable trait object into
+        // YAML and break config round-tripping. This test pins it.
+        use std::sync::Arc;
+
+        #[derive(Debug)]
+        struct NoopPlugin;
+        #[async_trait::async_trait]
+        impl crate::kafka::SaslMechanismPlugin for NoopPlugin {
+            fn mechanism_name(&self) -> &str {
+                "NOOP"
+            }
+            async fn initial_payload(&self) -> Result<Vec<u8>, crate::kafka::SaslPluginError> {
+                Ok(vec![])
+            }
+        }
+
+        let cfg = SecurityConfig {
+            security_protocol: SecurityProtocol::SaslPlaintext,
+            sasl_mechanism_plugin: Some(Arc::new(NoopPlugin)),
+            ..Default::default()
+        };
+        let yaml = serde_yaml::to_string(&cfg).expect("serialize security config");
+        assert!(
+            !yaml.contains("sasl_mechanism_plugin"),
+            "serde(skip) must keep the plugin field out of YAML; got:\n{yaml}"
+        );
+
+        // Round-trip: deserialization into a config without the field
+        // yields `None` — we never try to rehydrate a trait object.
+        let back: SecurityConfig = serde_yaml::from_str(&yaml).expect("deserialize");
+        assert!(back.sasl_mechanism_plugin.is_none());
+    }
+
     #[test]
     fn test_kafka_config_connection_custom() {
         // Test that custom connection settings are properly parsed