johnjcasey commented on code in PR #36099: URL: https://github.com/apache/beam/pull/36099#discussion_r2470562641
########## sdks/java/extensions/kafka-factories/src/main/java/org/apache/beam/sdk/extensions/kafka/factories/FileAwareFactoryFn.java: ########## @@ -0,0 +1,260 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.beam.sdk.extensions.kafka.factories; + +import com.google.cloud.secretmanager.v1.AccessSecretVersionResponse; +import com.google.cloud.secretmanager.v1.SecretManagerServiceClient; +import com.google.cloud.secretmanager.v1.SecretVersionName; +import java.io.File; +import java.io.IOException; +import java.nio.channels.FileChannel; +import java.nio.channels.ReadableByteChannel; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.nio.file.StandardOpenOption; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; +import java.util.concurrent.ConcurrentHashMap; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import org.apache.beam.sdk.io.FileSystems; +import org.apache.beam.sdk.transforms.SerializableFunction; +import org.apache.beam.vendor.guava.v32_1_2_jre.com.google.common.base.Preconditions; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * An abstract {@link SerializableFunction} that serves as a base class for factories that need to + * process a configuration map to handle external resources like files and secrets. + * + * <p>This class is designed to be extended by concrete factory implementations (e.g., for creating + * Kafka consumers). It automates the process of detecting special URI strings within the + * configuration values and transforming them before passing the processed configuration to the + * subclass. + * + * <h3>Supported Patterns:</h3> + * + * <ul> + * <li><b>External File Paths:</b> It recognizes paths prefixed with schemes like {@code gs://} or + * {@code s3://} that are supported by the Beam {@link FileSystems} API. It downloads these + * files to a local temporary directory (under {@code /tmp/<factory-type>/...}) and replaces + * the original path in the configuration with the new local file path. + * <li><b>Secret Manager Values:</b> It recognizes strings prefixed with {@code secretValue:}. It + * interprets the rest of the string as a Google Secret Manager secret version name (e.g., + * "projects/p/secrets/s/versions/v"), fetches the secret payload, and replaces the original + * {@code secretValue:...} identifier with the plain-text secret. + * </ul> + * + * <h3>Usage:</h3> + * + * <p>A subclass must implement the {@link #createObject(Map)} method, which receives the fully + * processed configuration map with all paths localized and secrets resolved. Subclasses can also + * override {@link #downloadAndProcessExtraFiles()} to handle specific preliminary file downloads + * (e.g., a krb5.conf file) before the main configuration processing begins. + * + * @param <T> The type of object this factory creates. + */ +public abstract class FileAwareFactoryFn<T> + implements SerializableFunction<Map<String, Object>, T> { + + public static final String SECRET_VALUE_PREFIX = "secretValue:"; + public static final String DIRECTORY_PREFIX = "/tmp"; + private static final Pattern PATH_PATTERN = + Pattern.compile("([a-zA-Z0-9]+://[^\"]+)|(secretValue:[^\"]+)|(secretFile:[^\"]+)"); + + private static final Map<String, byte[]> secretCache = new ConcurrentHashMap<>(); + + private final String factoryType; + private static final Logger LOG = LoggerFactory.getLogger(FileAwareFactoryFn.class); + + public FileAwareFactoryFn(String factoryType) { + Preconditions.checkNotNull(factoryType); + this.factoryType = factoryType; + } + + protected abstract T createObject(Map<String, Object> config); + + @Override + public T apply(Map<String, Object> config) { + if (config == null) { + return createObject(config); + } + + Map<String, Object> processedConfig = new HashMap<>(config); + + String key = ""; + Object value = null; + try { + downloadAndProcessExtraFiles(); + + for (Map.Entry<String, Object> e : config.entrySet()) { + try { + key = e.getKey(); + value = e.getValue(); + if (value instanceof String) { + String originalValue = (String) value; + Matcher matcher = PATH_PATTERN.matcher(originalValue); + StringBuffer sb = new StringBuffer(); + + while (matcher.find()) { + String externalPath = matcher.group(1); + String secretValue = matcher.group(2); + String secretFile = matcher.group(3); + + if (externalPath != null) { + try { + String tmpPath = replacePathWithLocal(externalPath); + String localPath = downloadExternalFile(externalPath, tmpPath); + matcher.appendReplacement(sb, Matcher.quoteReplacement(localPath)); + LOG.info("Downloaded {} to {}", externalPath, localPath); + } catch (IOException io) { + throw new IOException("Failed to download file : " + externalPath, io); + } + } else if (secretValue != null) { + try { + String secretId = secretValue.substring(SECRET_VALUE_PREFIX.length()); + String processedSecret = + processSecret(originalValue, secretId, getSecretWithCache(secretId)); + + matcher.appendReplacement(sb, Matcher.quoteReplacement(processedSecret)); + } catch (IllegalArgumentException ia) { + throw new IllegalArgumentException("Failed to get secret.", ia); + } + } else if (secretFile != null) { + throw new UnsupportedOperationException("Not yet implemented."); + } + } + matcher.appendTail(sb); + String processedValue = sb.toString(); + processedConfig.put(key, processedValue); + } + } catch (IOException ex) { + throw new RuntimeException( + "Failed trying to process value " + value + " for key " + key + ".", ex); + } + } + } catch (IOException e) { + throw new RuntimeException("Failed trying to process extra files.", e); + } + + LOG.info("ProcessedConfig: {}", processedConfig); Review Comment: Doesn't this processed config contain secrets? If so, we probably don't want to log it -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
