https.ca.pem requires CURLOPT_CAINFO_BLOB so at least CURL 7.77.0 (#5133)

Author: emasab

CONFIGURATION.md

@@ -117,7 +117,7 @@ sasl.oauthbearer.assertion.file          |  *  |                 |
 sasl.oauthbearer.assertion.claim.aud     |  *  |                 |               | low        | JWT audience claim. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT assertion is needed. <br>*Type: string*
 sasl.oauthbearer.assertion.claim.exp.seconds |  *  | 1 .. 2147483647 |           300 | low        | Assertion expiration time in seconds. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT assertion is needed. <br>*Type: integer*
 sasl.oauthbearer.assertion.claim.iss     |  *  |                 |               | low        | JWT issuer claim. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT assertion is needed. <br>*Type: string*
-sasl.oauthbearer.assertion.claim.jti.include |  *  | true, false     |         false | low        | JWT ID claim. When set to `true`a random UUID is generated. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT assertion is needed. <br>*Type: boolean*
+sasl.oauthbearer.assertion.claim.jti.include |  *  | true, false     |         false | low        | JWT ID claim. When set to `true`, a random UUID is generated. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT assertion is needed. <br>*Type: boolean*
 sasl.oauthbearer.assertion.claim.nbf.seconds |  *  | 0 .. 2147483647 |            60 | low        | Assertion not before time in seconds. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT assertion is needed. <br>*Type: integer*
 sasl.oauthbearer.assertion.claim.sub     |  *  |                 |               | low        | JWT subject claim. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT assertion is needed. <br>*Type: string*
 sasl.oauthbearer.assertion.jwt.template.file |  *  |                 |               | low        | Path to the JWT template file. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT assertion is needed. <br>*Type: string*

src/rdhttp.c

@@ -248,6 +248,7 @@ static void rd_http_ssl_configure(rd_kafka_t *rk, CURL *hreq_curl) {
                         curl_easy_setopt(hreq_curl, CURLOPT_CAPATH, NULL);
                 }
         } else if (!force_probe && rk->rk_conf.https.ca_pem) {
+#if CURL_AT_LEAST_VERSION(7, 77, 0)
                 struct curl_blob ca_blob = {
                     .data  = rk->rk_conf.https.ca_pem,
                     .len   = strlen(rk->rk_conf.https.ca_pem),
@@ -256,6 +257,7 @@ static void rd_http_ssl_configure(rd_kafka_t *rk, CURL *hreq_curl) {
                              "Setting `https` CA certs from "
                              "configured PEM string");
                 curl_easy_setopt(hreq_curl, CURLOPT_CAINFO_BLOB, &ca_blob);
+#endif
                 /* Only the blob should be set, no default paths. */
                 curl_easy_setopt(hreq_curl, CURLOPT_CAINFO, NULL);
                 curl_easy_setopt(hreq_curl, CURLOPT_CAPATH, NULL);

src/rdkafka_conf.c

@@ -56,6 +56,10 @@
 #include <windows.h>
 #endif
 
+#ifdef WITH_OAUTHBEARER_OIDC
+#include <curl/curl.h>
+#endif
+
 struct rd_kafka_property {
         rd_kafka_conf_scope_t scope;
         const char *name;
@@ -1179,7 +1183,7 @@ static const struct rd_kafka_property rd_kafka_properties[] = {
      _UNSUPPORTED_OIDC},
     {_RK_GLOBAL, "sasl.oauthbearer.assertion.claim.jti.include", _RK_C_BOOL,
      _RK(sasl.oauthbearer.assertion.claim.jti_include),
-     "JWT ID claim. When set to `true`a random UUID is generated. "
+     "JWT ID claim. When set to `true`, a random UUID is generated. "
      "Only used when `sasl.oauthbearer.method` is set to \"oidc\" and JWT "
      "assertion is needed.",
      0, 1, 0, _UNSUPPORTED_OIDC},
@@ -3960,11 +3964,17 @@ const char *rd_kafka_conf_finalize(rd_kafka_type_t cltype,
         if (conf->https.ca_location && conf->https.ca_pem)
                 return "`https.ca.location` and `https.ca.pem` "
                        "are mutually exclusive";
+
         if (conf->https.ca_location &&
             rd_strcmp(conf->https.ca_location, "probe") &&
             !rd_file_stat(conf->https.ca_location, NULL))
                 return "`https.ca.location` must be "
                        "an existing file or directory";
+
+#if !CURL_AT_LEAST_VERSION(7, 77, 0)
+        if (conf->https.ca_pem)
+                return "`https.ca.pem` requires libcurl 7.77.0 or later";
+#endif
 #endif