feat: add more streams acls and option for describe topic acls (#36)

Author: devshawn

src/main/java/com/devshawn/kafka/gitops/MainCommand.java

@@ -12,7 +12,7 @@
 import java.util.concurrent.Callable;
 
 @Command(name = "kafka-gitops",
-        version = "0.2.8",
+        version = "0.2.9-SNAPSHOT",
         exitCodeOnInvalidInput = 0,
         subcommands = {
                 AccountCommand.class,

src/main/java/com/devshawn/kafka/gitops/StateManager.java

@@ -5,6 +5,7 @@
 import com.devshawn.kafka.gitops.config.KafkaGitopsConfigLoader;
 import com.devshawn.kafka.gitops.config.ManagerConfig;
 import com.devshawn.kafka.gitops.domain.confluent.ServiceAccount;
+import com.devshawn.kafka.gitops.domain.options.GetAclOptions;
 import com.devshawn.kafka.gitops.domain.plan.DesiredPlan;
 import com.devshawn.kafka.gitops.domain.state.AclDetails;
 import com.devshawn.kafka.gitops.domain.state.CustomAclDetails;
@@ -53,6 +54,8 @@ public class StateManager {
     private PlanManager planManager;
     private ApplyManager applyManager;
 
+    private boolean describeAclEnabled = false;
+
     public StateManager(ManagerConfig managerConfig, ParserService parserService) {
         initializeLogger(managerConfig.isVerboseRequested());
         this.managerConfig = managerConfig;
@@ -69,6 +72,7 @@ public DesiredStateFile getAndValidateStateFile() {
         DesiredStateFile desiredStateFile = parserService.parseStateFile();
         validateTopics(desiredStateFile);
         validateCustomAcls(desiredStateFile);
+        this.describeAclEnabled = StateUtil.isDescribeTopicAclEnabled(desiredStateFile);
         return desiredStateFile;
     }
 
@@ -107,12 +111,11 @@ public void createServiceAccounts() {
         AtomicInteger count = new AtomicInteger();
         if (isConfluentCloudEnabled(desiredStateFile)) {
             desiredStateFile.getServices().forEach((name, service) -> {
-                createServiceAccount(name, serviceAccounts, count);
+                createServiceAccount(name, serviceAccounts, count, false);
             });
 
             desiredStateFile.getUsers().forEach((name, user) -> {
-                String serviceAccountName = String.format("user-%s", name);
-                createServiceAccount(serviceAccountName, serviceAccounts, count);
+                createServiceAccount(name, serviceAccounts, count, true);
             });
         } else {
             throw new ConfluentCloudException("Confluent Cloud must be enabled in the state file to use this command.");
@@ -123,9 +126,9 @@ public void createServiceAccounts() {
         }
     }
 
-    private void createServiceAccount(String name, List<ServiceAccount> serviceAccounts, AtomicInteger count) {
+    private void createServiceAccount(String name, List<ServiceAccount> serviceAccounts, AtomicInteger count, boolean isUser) {
         if (serviceAccounts.stream().noneMatch(it -> it.getName().equals(name))) {
-            confluentCloudService.createServiceAccount(name);
+            confluentCloudService.createServiceAccount(name, isUser);
             LogUtil.printSimpleSuccess(String.format("Successfully created service account: %s", name));
             count.getAndIncrement();
         }
@@ -169,7 +172,7 @@ private void generateConfluentCloudServiceAcls(DesiredState.Builder desiredState
             Optional<ServiceAccount> serviceAccount = serviceAccounts.stream().filter(it -> it.getName().equals(name)).findFirst();
             String serviceAccountId = serviceAccount.orElseThrow(() -> new ServiceAccountNotFoundException(name)).getId();
 
-            service.getAcls(name).forEach(aclDetails -> {
+            service.getAcls(buildGetAclOptions(name)).forEach(aclDetails -> {
                 aclDetails.setPrincipal(String.format("User:%s", serviceAccountId));
                 desiredState.putAcls(String.format("%s-%s", name, index.getAndSet(index.get() + 1)), aclDetails.build());
             });
@@ -213,7 +216,7 @@ private void generateConfluentCloudUserAcls(DesiredState.Builder desiredState, D
     private void generateServiceAcls(DesiredState.Builder desiredState, DesiredStateFile desiredStateFile) {
         desiredStateFile.getServices().forEach((name, service) -> {
             AtomicReference<Integer> index = new AtomicReference<>(0);
-            service.getAcls(name).forEach(aclDetails -> {
+            service.getAcls(buildGetAclOptions(name)).forEach(aclDetails -> {
                 desiredState.putAcls(String.format("%s-%s", name, index.getAndSet(index.get() + 1)), buildAclDetails(name, aclDetails));
             });
 
@@ -274,6 +277,10 @@ private List<String> getPrefixedTopicsToIgnore(DesiredStateFile desiredStateFile
         return topics;
     }
 
+    private GetAclOptions buildGetAclOptions(String serviceName) {
+        return new GetAclOptions.Builder().setServiceName(serviceName).setDescribeAclEnabled(describeAclEnabled).build();
+    }
+
     private void validateCustomAcls(DesiredStateFile desiredStateFile) {
         desiredStateFile.getCustomServiceAcls().forEach((service, details) -> {
             try {
@@ -307,7 +314,6 @@ private void validateTopics(DesiredStateFile desiredStateFile) {
                 throw new ValidationException("The default replication factor must be a positive integer.");
             }
         }
-
     }
 
     private boolean isConfluentCloudEnabled(DesiredStateFile desiredStateFile) {

src/main/java/com/devshawn/kafka/gitops/domain/options/GetAclOptions.java

@@ -0,0 +1,16 @@
+package com.devshawn.kafka.gitops.domain.options;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import org.inferred.freebuilder.FreeBuilder;
+
+@FreeBuilder
+@JsonDeserialize(builder = GetAclOptions.Builder.class)
+public interface GetAclOptions {
+
+    String getServiceName();
+
+    Boolean getDescribeAclEnabled();
+
+    class Builder extends GetAclOptions_Builder {
+    }
+}

src/main/java/com/devshawn/kafka/gitops/domain/state/AbstractService.java

@@ -30,6 +30,19 @@ public AclDetails.Builder generateWriteACL(String topic, Optional<String> princi
         return builder;
     }
 
+    public AclDetails.Builder generateDescribeAcl(String topic, Optional<String> principal) {
+        AclDetails.Builder builder = new AclDetails.Builder()
+                .setHost("*")
+                .setName(topic)
+                .setOperation("DESCRIBE")
+                .setPermission("ALLOW")
+                .setPattern("LITERAL")
+                .setType("TOPIC");
+
+        principal.ifPresent(builder::setPrincipal);
+        return builder;
+    }
+
     public AclDetails.Builder generatePrefixedTopicACL(String topic, Optional<String> principal, String operation) {
         AclDetails.Builder builder = new AclDetails.Builder()
                 .setHost("*")
@@ -55,4 +68,17 @@ public AclDetails.Builder generateConsumerGroupAcl(String consumerGroupId, Optio
         principal.ifPresent(builder::setPrincipal);
         return builder;
     }
+
+    public AclDetails.Builder generateClusterAcl(Optional<String> principal, String operation) {
+        AclDetails.Builder builder = new AclDetails.Builder()
+                .setHost("*")
+                .setName("kafka-cluster")
+                .setOperation(operation)
+                .setPermission("ALLOW")
+                .setPattern("LITERAL")
+                .setType("CLUSTER");
+
+        principal.ifPresent(builder::setPrincipal);
+        return builder;
+    }
 }

src/main/java/com/devshawn/kafka/gitops/domain/state/ServiceDetails.java

@@ -1,5 +1,6 @@
 package com.devshawn.kafka.gitops.domain.state;
 
+import com.devshawn.kafka.gitops.domain.options.GetAclOptions;
 import com.devshawn.kafka.gitops.domain.state.service.ApplicationService;
 import com.devshawn.kafka.gitops.domain.state.service.KafkaConnectService;
 import com.devshawn.kafka.gitops.domain.state.service.KafkaStreamsService;
@@ -18,7 +19,7 @@ public abstract class ServiceDetails extends AbstractService {
 
     public String type;
 
-    public List<AclDetails.Builder> getAcls(String serviceName) {
+    public List<AclDetails.Builder> getAcls(GetAclOptions options) {
         throw new UnsupportedOperationException("Method getAcls is not implemented.");
     }
 }

src/main/java/com/devshawn/kafka/gitops/domain/state/service/ApplicationService.java

@@ -1,7 +1,9 @@
 package com.devshawn.kafka.gitops.domain.state.service;
 
+import com.devshawn.kafka.gitops.domain.options.GetAclOptions;
 import com.devshawn.kafka.gitops.domain.state.AclDetails;
 import com.devshawn.kafka.gitops.domain.state.ServiceDetails;
+import com.devshawn.kafka.gitops.util.HelperUtil;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import org.inferred.freebuilder.FreeBuilder;
@@ -24,12 +26,18 @@ public abstract class ApplicationService extends ServiceDetails {
     public abstract List<String> getConsumes();
 
     @Override
-    public List<AclDetails.Builder> getAcls(String serviceName) {
+    public List<AclDetails.Builder> getAcls(GetAclOptions options) {
         List<AclDetails.Builder> acls = new ArrayList<>();
         getProduces().forEach(topic -> acls.add(generateWriteACL(topic, getPrincipal())));
         getConsumes().forEach(topic -> acls.add(generateReadAcl(topic, getPrincipal())));
+
+        if (options.getDescribeAclEnabled()) {
+            List<String> allTopics = HelperUtil.uniqueCombine(getConsumes(), getProduces());
+            allTopics.forEach(topic -> acls.add(generateDescribeAcl(topic, getPrincipal())));
+        }
+
         if (!getConsumes().isEmpty()) {
-            String groupId = getGroupId().isPresent() ? getGroupId().get() : serviceName;
+            String groupId = getGroupId().isPresent() ? getGroupId().get() : options.getServiceName();
             acls.add(generateConsumerGroupAcl(groupId, getPrincipal(), "READ"));
         }
         return acls;

src/main/java/com/devshawn/kafka/gitops/domain/state/service/KafkaConnectService.java

@@ -1,6 +1,7 @@
 package com.devshawn.kafka.gitops.domain.state.service;
 
 
+import com.devshawn.kafka.gitops.domain.options.GetAclOptions;
 import com.devshawn.kafka.gitops.domain.state.AclDetails;
 import com.devshawn.kafka.gitops.domain.state.ServiceDetails;
 import com.fasterxml.jackson.annotation.JsonProperty;
@@ -29,18 +30,21 @@ public abstract class KafkaConnectService extends ServiceDetails {
     public abstract Map<String, KafkaConnectorDetails> getConnectors();
 
     @Override
-    public List<AclDetails.Builder> getAcls(String serviceName) {
+    public List<AclDetails.Builder> getAcls(GetAclOptions options) {
         List<AclDetails.Builder> acls = new ArrayList<>();
         getProduces().forEach(topic -> acls.add(generateWriteACL(topic, getPrincipal())));
-        acls.addAll(getConnectWorkerAcls(serviceName));
+        if (options.getDescribeAclEnabled()) {
+            getProduces().forEach(topic -> acls.add(generateDescribeAcl(topic, getPrincipal())));
+        }
+        acls.addAll(getConnectWorkerAcls(options));
         return acls;
     }
 
-    private List<AclDetails.Builder> getConnectWorkerAcls(String serviceName) {
-        String groupId = getGroupId().isPresent() ? getGroupId().get() : serviceName;
-        String configTopic = getConfigTopic(serviceName);
-        String offsetTopic = getOffsetTopic(serviceName);
-        String statusTopic = getStatusTopic(serviceName);
+    private List<AclDetails.Builder> getConnectWorkerAcls(GetAclOptions options) {
+        String groupId = getGroupId().isPresent() ? getGroupId().get() : options.getServiceName();
+        String configTopic = getConfigTopic(options.getServiceName());
+        String offsetTopic = getOffsetTopic(options.getServiceName());
+        String statusTopic = getStatusTopic(options.getServiceName());
 
         List<AclDetails.Builder> acls = new ArrayList<>();
         acls.add(generateReadAcl(configTopic, getPrincipal()));
@@ -50,7 +54,7 @@ private List<AclDetails.Builder> getConnectWorkerAcls(String serviceName) {
         acls.add(generateWriteACL(offsetTopic, getPrincipal()));
         acls.add(generateWriteACL(statusTopic, getPrincipal()));
         acls.add(generateConsumerGroupAcl(groupId, getPrincipal(), "READ"));
-        getConnectors().forEach((connectorName, connector) -> acls.addAll(connector.getAcls(connectorName, getPrincipal())));
+        getConnectors().forEach((connectorName, connector) -> acls.addAll(connector.getAcls(connectorName, getPrincipal(), options)));
         return acls;
     }
 

src/main/java/com/devshawn/kafka/gitops/domain/state/service/KafkaConnectorDetails.java

@@ -1,7 +1,9 @@
 package com.devshawn.kafka.gitops.domain.state.service;
 
+import com.devshawn.kafka.gitops.domain.options.GetAclOptions;
 import com.devshawn.kafka.gitops.domain.state.AbstractService;
 import com.devshawn.kafka.gitops.domain.state.AclDetails;
+import com.devshawn.kafka.gitops.util.HelperUtil;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import org.inferred.freebuilder.FreeBuilder;
 
@@ -17,10 +19,16 @@ public abstract class KafkaConnectorDetails extends AbstractService {
 
     public abstract List<String> getConsumes();
 
-    public List<AclDetails.Builder> getAcls(String connectorName, Optional<String> principal) {
+    public List<AclDetails.Builder> getAcls(String connectorName, Optional<String> principal, GetAclOptions options) {
         List<AclDetails.Builder> acls = new ArrayList<>();
         getProduces().forEach(topic -> acls.add(generateWriteACL(topic, principal)));
         getConsumes().forEach(topic -> acls.add(generateReadAcl(topic, principal)));
+
+        if (options.getDescribeAclEnabled()) {
+            List<String> allTopics = HelperUtil.uniqueCombine(getConsumes(), getProduces());
+            allTopics.forEach(topic -> acls.add(generateDescribeAcl(topic, principal)));
+        }
+
         if (!getConsumes().isEmpty()) {
             acls.add(generateConsumerGroupAcl(String.format("connect-%s", connectorName), principal, "READ"));
         }

src/main/java/com/devshawn/kafka/gitops/domain/state/service/KafkaStreamsService.java

@@ -1,7 +1,9 @@
 package com.devshawn.kafka.gitops.domain.state.service;
 
+import com.devshawn.kafka.gitops.domain.options.GetAclOptions;
 import com.devshawn.kafka.gitops.domain.state.AclDetails;
 import com.devshawn.kafka.gitops.domain.state.ServiceDetails;
+import com.devshawn.kafka.gitops.util.HelperUtil;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import org.inferred.freebuilder.FreeBuilder;
@@ -24,11 +26,15 @@ public abstract class KafkaStreamsService extends ServiceDetails {
     public abstract List<String> getConsumes();
 
     @Override
-    public List<AclDetails.Builder> getAcls(String serviceName) {
+    public List<AclDetails.Builder> getAcls(GetAclOptions options) {
         List<AclDetails.Builder> acls = new ArrayList<>();
         getProduces().forEach(topic -> acls.add(generateWriteACL(topic, getPrincipal())));
         getConsumes().forEach(topic -> acls.add(generateReadAcl(topic, getPrincipal())));
-        acls.addAll(getInternalAcls(serviceName));
+        if (options.getDescribeAclEnabled()) {
+            List<String> allTopics = HelperUtil.uniqueCombine(getConsumes(), getProduces());
+            allTopics.forEach(topic -> acls.add(generateDescribeAcl(topic, getPrincipal())));
+        }
+        acls.addAll(getInternalAcls(options.getServiceName()));
         return acls;
     }
 
@@ -45,6 +51,8 @@ private List<AclDetails.Builder> getInternalAcls(String serviceName) {
         acls.add(generatePrefixedTopicACL(applicationId, getPrincipal(), "DESCRIBE_CONFIGS"));
         acls.add(generateConsumerGroupAcl(applicationId, getPrincipal(), "READ"));
         acls.add(generateConsumerGroupAcl(applicationId, getPrincipal(), "DESCRIBE"));
+        acls.add(generateConsumerGroupAcl(applicationId, getPrincipal(), "DELETE"));
+        acls.add(generateClusterAcl(getPrincipal(), "DESCRIBE_CONFIGS"));
         return acls;
     }
 

src/main/java/com/devshawn/kafka/gitops/domain/state/settings/Settings.java

@@ -13,6 +13,8 @@ public interface Settings {
 
     Optional<SettingsTopics> getTopics();
 
+    Optional<SettingsServices> getServices();
+
     Optional<SettingsFiles> getFiles();
 
     class Builder extends Settings_Builder {

src/main/java/com/devshawn/kafka/gitops/domain/state/settings/SettingsServices.java

@@ -0,0 +1,16 @@
+package com.devshawn.kafka.gitops.domain.state.settings;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import org.inferred.freebuilder.FreeBuilder;
+
+import java.util.Optional;
+
+@FreeBuilder
+@JsonDeserialize(builder = SettingsServices.Builder.class)
+public interface SettingsServices {
+
+    Optional<SettingsServicesAcls> getAcls();
+
+    class Builder extends SettingsServices_Builder {
+    }
+}

src/main/java/com/devshawn/kafka/gitops/domain/state/settings/SettingsServicesAcls.java

@@ -0,0 +1,16 @@
+package com.devshawn.kafka.gitops.domain.state.settings;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import org.inferred.freebuilder.FreeBuilder;
+
+import java.util.Optional;
+
+@FreeBuilder
+@JsonDeserialize(builder = SettingsServicesAcls.Builder.class)
+public interface SettingsServicesAcls {
+
+    Optional<Boolean> getDescribeTopicEnabled();
+
+    class Builder extends SettingsServicesAcls_Builder {
+    }
+}

src/main/java/com/devshawn/kafka/gitops/service/ConfluentCloudService.java

@@ -30,11 +30,12 @@ public List<ServiceAccount> getServiceAccounts() {
         }
     }
 
-    public ServiceAccount createServiceAccount(String name) {
+    public ServiceAccount createServiceAccount(String name, boolean isUser) {
         log.info("Creating service account {} in Confluent Cloud via ccloud tool.", name);
         try {
-            String description = String.format("Service account: %s", name);
-            String result = execCmd(new String[]{"ccloud", "service-account", "create", name, "--description", description, "-o", "json"});
+            String serviceName = isUser ? String.format("user-%s", name) : name;
+            String description = isUser ? String.format("User: %s", name) : String.format("Service account: %s", name);
+            String result = execCmd(new String[]{"ccloud", "service-account", "create", serviceName, "--description", description, "-o", "json"});
             return objectMapper.readValue(result, ServiceAccount.class);
         } catch (IOException ex) {
             throw new ConfluentCloudException(String.format("There was an error creating Confluent Cloud service account: %s.", name));

src/main/java/com/devshawn/kafka/gitops/util/HelperUtil.java

@@ -0,0 +1,15 @@
+package com.devshawn.kafka.gitops.util;
+
+import java.util.ArrayList;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+
+public class HelperUtil {
+
+    public static List<String> uniqueCombine(List<String> listOne, List<String> listTwo) {
+        Set<String> set = new LinkedHashSet<>(listOne);
+        set.addAll(listTwo);
+        return new ArrayList<>(set);
+    }
+}

src/main/java/com/devshawn/kafka/gitops/util/StateUtil.java

@@ -13,4 +13,11 @@ public static Optional<Integer> fetchReplication(DesiredStateFile desiredStateFi
         }
         return Optional.empty();
     }
+
+    public static boolean isDescribeTopicAclEnabled(DesiredStateFile desiredStateFile) {
+        return desiredStateFile.getSettings().isPresent() && desiredStateFile.getSettings().get().getServices().isPresent()
+                && desiredStateFile.getSettings().get().getServices().get().getAcls().isPresent()
+                && desiredStateFile.getSettings().get().getServices().get().getAcls().get().getDescribeTopicEnabled().isPresent()
+                && desiredStateFile.getSettings().get().getServices().get().getAcls().get().getDescribeTopicEnabled().get();
+    }
 }