Feature/783 verify kafka topic access (#786)

#783 verify kafka topic access UI

---------

Co-authored-by: Tomas Dlabka <[email protected]>

Author: jozefbakus

pom.xml

@@ -85,6 +85,7 @@
         <log4j.version>2.17.1</log4j.version>
         <slf4j.log4j2.version>1.7.26</slf4j.log4j2.version>
         <spring.security.ldap.version>5.6.1</spring.security.ldap.version>
+        <spring.kerberos.version>1.0.1.RELEASE</spring.kerberos.version>
         <scalatest.version>3.0.5</scalatest.version>
         <h2database.version>2.1.210</h2database.version>
         <testcontainers.postgresql.version>1.15.3</testcontainers.postgresql.version>
@@ -341,6 +342,11 @@
             <groupId>com.amazonaws</groupId>
             <artifactId>aws-java-sdk-sts</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.security.kerberos</groupId>
+            <artifactId>spring-security-kerberos-client</artifactId>
+            <version>${spring.kerberos.version}</version>
+        </dependency>
 
         <!-- For Liquibase yaml -->
         <dependency>

src/main/resources/application.properties

@@ -130,3 +130,12 @@ db.numThreads=4
 
 db.skip.liquibase=false
 spring.liquibase.change-log=classpath:/db_scripts/liquibase/db.changelog.yml
+
+# Confluent client config
+confluent.baseUrls=url
+confluent.authPath=/confluent/auth
+confluent.user=user-name
+confluent.base64Credentials=encoded_credentials
+confluent.clusterType=cluster-type
+confluent.kafkaClusterId=cluster-id
+confluent.retries=1

src/main/scala/za/co/absa/hyperdrive/trigger/api/rest/client/ApiCaller.scala

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2018 ABSA Group Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package za.co.absa.hyperdrive.trigger.api.rest.client
+
+trait ApiCaller {
+  def call[T](fn: String => T): T
+}

src/main/scala/za/co/absa/hyperdrive/trigger/api/rest/client/AuthClient.scala

@@ -0,0 +1,158 @@
+/*
+ * Copyright 2018 ABSA Group Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package za.co.absa.hyperdrive.trigger.api.rest.client
+
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
+import org.springframework.http.{HttpEntity, HttpHeaders, HttpMethod, HttpStatus, ResponseEntity}
+import org.springframework.security.kerberos.client.KerberosRestTemplate
+import org.springframework.util.LinkedMultiValueMap
+import org.springframework.web.client.RestTemplate
+
+import scala.collection.JavaConverters._
+import scala.util.Try
+
+object AuthClient {
+
+  def apply(credentials: Credentials, apiCaller: ApiCaller, authEndpoint: String): AuthClient =
+    credentials match {
+      case standardCredentials: StandardCredentials =>
+        createStandardAuthClient(apiCaller, standardCredentials, authEndpoint)
+      case standardCredentialsBase64: StandardCredentialsBase64 =>
+        createStandardBase64AuthClient(apiCaller, standardCredentialsBase64, authEndpoint)
+      case kerberosCredentials: KerberosCredentials =>
+        createSpnegoAuthClient(apiCaller, kerberosCredentials, authEndpoint)
+    }
+
+  private def createStandardAuthClient(
+    apiCaller: ApiCaller,
+    credentials: StandardCredentials,
+    path: String
+  ): StandardAuthClient = {
+    val restTemplate = RestTemplateSingleton.instance
+    new StandardAuthClient(credentials, restTemplate, apiCaller, path)
+  }
+
+  private def createStandardBase64AuthClient(
+    apiCaller: ApiCaller,
+    credentials: StandardCredentialsBase64,
+    path: String
+  ): StandardBase64AuthClient = {
+    val restTemplate = RestTemplateSingleton.instance
+    new StandardBase64AuthClient(credentials, restTemplate, apiCaller, path)
+  }
+
+  private def createSpnegoAuthClient(
+    apiCaller: ApiCaller,
+    credentials: KerberosCredentials,
+    path: String
+  ): SpnegoAuthClient = {
+    val restTemplate = new KerberosRestTemplate(credentials.keytabLocation, credentials.username)
+    restTemplate.setErrorHandler(NoOpErrorHandler)
+    new SpnegoAuthClient(credentials, restTemplate, apiCaller, path)
+  }
+}
+
+sealed abstract class AuthClient(
+  credentials: Credentials,
+  restTemplate: RestTemplate,
+  apiCaller: ApiCaller,
+  url: String => String
+) {
+  protected val logger: Logger = LoggerFactory.getLogger(this.getClass)
+
+  @throws[UnauthorizedException]
+  def authenticate(): HttpHeaders =
+    apiCaller.call { baseUrl =>
+      val response = requestAuthentication(url(baseUrl))
+      val statusCode = response.getStatusCode
+
+      statusCode match {
+        case HttpStatus.OK =>
+          logger.info(s"Authentication successful")
+          getAuthHeaders(response)
+        case _ =>
+          throw UnauthorizedException(s"Authentication failure ($statusCode)")
+      }
+    }
+
+  protected def requestAuthentication(url: String): ResponseEntity[String]
+
+  private def getAuthHeaders(response: ResponseEntity[String]): HttpHeaders = {
+    val headers = response.getHeaders
+    val sessionCookie = headers.get("set-cookie").asScala.head
+    val csrfToken = Try(headers.get("X-CSRF-TOKEN").asScala.head).toOption
+
+    val resultHeaders = new HttpHeaders()
+
+    logger.debug(s"Session Cookie: $sessionCookie")
+    resultHeaders.add("cookie", sessionCookie)
+
+    csrfToken match {
+      case Some(ct) =>
+        logger.debug(s"CSRF Token: $ct")
+        resultHeaders.add("X-CSRF-TOKEN", ct)
+      case None =>
+        logger.debug(s"CSRF Token not found")
+    }
+
+    resultHeaders
+  }
+}
+
+class SpnegoAuthClient(
+  credentials: KerberosCredentials,
+  restTemplate: RestTemplate,
+  apiCaller: ApiCaller,
+  path: String
+) extends AuthClient(credentials, restTemplate, apiCaller, baseUrl => s"$baseUrl$path") {
+  override protected def requestAuthentication(url: String): ResponseEntity[String] = {
+    logger.info(
+      s"Authenticating via SPNEGO ($url): user `${credentials.username}`, with keytab `${credentials.keytabLocation}`"
+    )
+    restTemplate.getForEntity(url, classOf[String])
+  }
+}
+
+class StandardAuthClient(
+  credentials: StandardCredentials,
+  restTemplate: RestTemplate,
+  apiCaller: ApiCaller,
+  path: String
+) extends AuthClient(credentials, restTemplate, apiCaller, baseUrl => s"$baseUrl$path") {
+  override protected def requestAuthentication(url: String): ResponseEntity[String] = {
+    val requestParts = new LinkedMultiValueMap[String, String]
+    requestParts.add("username", credentials.username)
+    requestParts.add("password", credentials.password)
+
+    logger.info(s"Authenticating via username and password ($url): user `${credentials.username}`")
+    restTemplate.postForEntity(url, requestParts, classOf[String])
+  }
+}
+
+class StandardBase64AuthClient(
+  credentials: StandardCredentialsBase64,
+  restTemplate: RestTemplate,
+  apiCaller: ApiCaller,
+  path: String
+) extends AuthClient(credentials, restTemplate, apiCaller, baseUrl => s"$baseUrl$path") {
+  override protected def requestAuthentication(url: String): ResponseEntity[String] = {
+    val headers = new HttpHeaders()
+    headers.add("Authorization", "Basic " + credentials.base64Credentials)
+    val requestEntity = new HttpEntity(null, headers)
+    restTemplate.exchange(url, HttpMethod.GET, requestEntity, classOf[String])
+  }
+}

src/main/scala/za/co/absa/hyperdrive/trigger/api/rest/client/Credentials.scala

@@ -0,0 +1,24 @@
+/*
+ * Copyright 2018 ABSA Group Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package za.co.absa.hyperdrive.trigger.api.rest.client
+
+sealed abstract class Credentials
+
+case class StandardCredentials(username: String, password: String) extends Credentials
+
+case class StandardCredentialsBase64(base64Credentials: String) extends Credentials
+
+case class KerberosCredentials(username: String, keytabLocation: String) extends Credentials

src/main/scala/za/co/absa/hyperdrive/trigger/api/rest/client/CrossHostApiCaller.scala

@@ -0,0 +1,101 @@
+/*
+ * Copyright 2018 ABSA Group Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package za.co.absa.hyperdrive.trigger.api.rest.client
+
+import org.apache.commons.lang3.exception.ExceptionUtils
+import org.slf4j.LoggerFactory
+import org.springframework.web.client
+import org.springframework.web.client.ResourceAccessException
+import za.co.absa.hyperdrive.trigger.api.rest.client.CrossHostApiCaller.logger
+
+import scala.annotation.tailrec
+import scala.util.Failure
+import scala.util.Random
+import scala.util.Try
+
+class CrossHostApiCaller private (apiBaseUrls: Vector[String], maxTryCount: Int, private var currentHostIndex: Int)
+    extends ApiCaller {
+  def baseUrlsCount: Int = apiBaseUrls.size
+
+  def currentBaseUrl: String = apiBaseUrls(currentHostIndex)
+
+  def nextBaseUrl(): String = {
+    currentHostIndex = (currentHostIndex + 1) % baseUrlsCount
+    currentBaseUrl
+  }
+
+  override def call[T](fn: String => T): T = {
+    def logFailure(error: Throwable, url: String, attemptNumber: Int, nextUrl: Option[String]): Unit = {
+      val rootCause = ExceptionUtils.getRootCauseMessage(error)
+      val switching = nextUrl.map(s => s", switching host to $s").getOrElse("")
+      logger.warn(s"Request failed on host $url (attempt $attemptNumber of $maxTryCount)$switching - $rootCause")
+    }
+
+    @tailrec
+    def attempt(url: String, attemptNumber: Int, urlsTried: Int): Try[T] = {
+      val result = Try {
+        fn(url)
+      }.recoverWith { case e @ (_: ResourceAccessException | _: client.RestClientException) =>
+        Failure(ApiClientException("Server non-responsive", e))
+      }
+      // using match instead of recoverWith to make the function @tailrec
+      result match {
+        case Failure(e: RetryableException) if attemptNumber < maxTryCount =>
+          logFailure(e, url, attemptNumber, None)
+          attempt(url, attemptNumber + 1, urlsTried)
+        case Failure(e: RetryableException) if urlsTried < baseUrlsCount =>
+          val nextUrl = nextBaseUrl()
+          logFailure(e, url, attemptNumber, Option(nextUrl))
+          attempt(nextUrl, 1, urlsTried + 1)
+        case _ => result
+      }
+    }
+
+    attempt(currentBaseUrl, 1, 1).get
+  }
+}
+
+object CrossHostApiCaller {
+  private val logger = LoggerFactory.getLogger(classOf[CrossHostApiCaller])
+
+  final val DefaultUrlsRetryCount: Int = 0
+
+  private def createInstance(
+    apiBaseUrls: Seq[String],
+    urlsRetryCount: Int,
+    startWith: Option[Int]
+  ): CrossHostApiCaller = {
+    val maxTryCount: Int = (
+      if (urlsRetryCount < 0) {
+        logger.warn(
+          s"Urls retry count cannot be negative ($urlsRetryCount). Using default number of retries instead ($DefaultUrlsRetryCount)."
+        ) // scalastyle:ignore maxLineLength
+        DefaultUrlsRetryCount
+      } else {
+        urlsRetryCount
+      }
+    ) + 1
+    val currentHostIndex = startWith.getOrElse(Random.nextInt(Math.max(apiBaseUrls.size, 1)))
+    new CrossHostApiCaller(apiBaseUrls.toVector, maxTryCount, currentHostIndex)
+  }
+
+  def apply(
+    apiBaseUrls: Seq[String],
+    urlsRetryCount: Int = DefaultUrlsRetryCount,
+    startWith: Option[Int] = None
+  ): CrossHostApiCaller =
+    createInstance(apiBaseUrls, urlsRetryCount, startWith)
+}

src/main/scala/za/co/absa/hyperdrive/trigger/api/rest/client/CustomException.scala

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2018 ABSA Group Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package za.co.absa.hyperdrive.trigger.api.rest.client
+
+abstract class RetryableException(message: String, cause: Throwable) extends Exception(message, cause)
+
+final case class ApiClientException(private val message: String, private val cause: Throwable = None.orNull)
+    extends RetryableException(message, cause)
+
+final case class UnauthorizedException(private val message: String, private val cause: Throwable = None.orNull)
+    extends Exception(message, cause)
+
+final case class NotFoundException(private val message: String, private val cause: Throwable = None.orNull)
+    extends Exception(message, cause)

src/main/scala/za/co/absa/hyperdrive/trigger/api/rest/client/NoOpErrorHandler.scala

@@ -0,0 +1,25 @@
+/*
+ * Copyright 2018 ABSA Group Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package za.co.absa.hyperdrive.trigger.api.rest.client
+
+import org.springframework.http.client.ClientHttpResponse
+import org.springframework.web.client.ResponseErrorHandler
+
+object NoOpErrorHandler extends ResponseErrorHandler {
+  override def hasError(response: ClientHttpResponse): Boolean = false
+
+  override def handleError(response: ClientHttpResponse): Unit = {}
+}