Added an option to disable ACL deletion for a cluster (#177)

* Add an option to disable ACL deletion for a cluster

* Improve unit tests coverage

* Improve unit tests coverage

* Force deletion directly from controllers for stream and acl

Author: Loïc GREFFIER

api/src/main/java/com/michelin/ns4kafka/controllers/AccessControlListController.java

@@ -25,19 +25,32 @@
         description = "APIs to handle cross namespace ACL")
 @Controller("/api/namespaces/{namespace}/acls")
 public class AccessControlListController extends NamespacedResourceController {
+    /**
+     * The namespace service
+     */
     @Inject
     NamespaceService namespaceService;
+
+    /**
+     * The ACL service
+     */
     @Inject
     AccessControlEntryService accessControlEntryService;
 
+    /**
+     * Get all ACLs of given namespace
+     * @param namespace The namespace
+     * @param limit The ACL scope
+     * @return A list of ACLs
+     */
     @Operation(summary = "Returns the Access Control Entry List")
     @Get("{?limit}")
     public List<AccessControlEntry> list(String namespace, Optional<AclLimit> limit) {
-        if (limit.isEmpty())
+        if (limit.isEmpty()) {
             limit = Optional.of(AclLimit.ALL);
+        }
 
         Namespace ns = getNamespace(namespace);
-
         switch (limit.get()) {
             case GRANTEE:
                 return accessControlEntryService.findAllGrantedToNamespace(ns)
@@ -69,6 +82,12 @@ public List<AccessControlEntry> list(String namespace, Optional<AclLimit> limit)
 
     }
 
+    /**
+     * Get an ACL by namespace and name
+     * @param namespace The name
+     * @param acl The ACL name
+     * @return The ACL
+     */
     @Get("/{acl}")
     public Optional<AccessControlEntry> get(String namespace, String acl) {
         return list(namespace, Optional.of(AclLimit.ALL))
@@ -77,75 +96,94 @@ public Optional<AccessControlEntry> get(String namespace, String acl) {
                 .findFirst();
     }
 
+    /**
+     * Create an ACL
+     * @param authentication The authentication entity
+     * @param namespace The namespace
+     * @param accessControlEntry The ACL
+     * @param dryrun Is dry run mode or not ?
+     * @return An HTTP response
+     */
     @Post("{?dryrun}")
     public HttpResponse<AccessControlEntry> apply(Authentication authentication, String namespace, @Valid @Body AccessControlEntry accessControlEntry, @QueryValue(defaultValue = "false") boolean dryrun) {
         Namespace ns = getNamespace(namespace);
 
         List<String> roles = (List<String>) authentication.getAttributes().get("roles");
         boolean isAdmin = roles.contains(ResourceBasedSecurityRule.IS_ADMIN);
-        // self assigned ACL (spec.grantedTo == metadata.namespace)
+        // Self assigned ACL (spec.grantedTo == metadata.namespace)
         boolean isSelfAssignedACL = namespace.equals(accessControlEntry.getSpec().getGrantedTo());
 
         List<String> validationErrors;
         if (isAdmin && isSelfAssignedACL) {
-            // validate overlapping OWNER
+            // Validate overlapping OWNER
             validationErrors = accessControlEntryService.validateAsAdmin(accessControlEntry, ns);
         } else {
             validationErrors = accessControlEntryService.validate(accessControlEntry, ns);
         }
+
         if (!validationErrors.isEmpty()) {
             throw new ResourceValidationException(validationErrors, accessControlEntry.getKind(), accessControlEntry.getMetadata().getName());
         }
+
         // AccessControlEntry spec is immutable
         // This prevents accidental updates on ACL resources already declared with the same name (with differents rules)
         Optional<AccessControlEntry> existingACL = accessControlEntryService.findByName(namespace, accessControlEntry.getMetadata().getName());
         if(existingACL.isPresent() && !existingACL.get().getSpec().equals(accessControlEntry.getSpec())){
             throw new ResourceValidationException(List.of("Invalid modification: `spec` is immutable. You can still update `metadata`"), accessControlEntry.getKind(), accessControlEntry.getMetadata().getName());
         }
 
-        //augment
         accessControlEntry.getMetadata().setCreationTimestamp(Date.from(Instant.now()));
         accessControlEntry.getMetadata().setCluster(ns.getMetadata().getCluster());
         accessControlEntry.getMetadata().setNamespace(ns.getMetadata().getName());
 
-        if(existingACL.isPresent() && existingACL.get().equals(accessControlEntry)){
+        if (existingACL.isPresent() && existingACL.get().equals(accessControlEntry)) {
             return formatHttpResponse(existingACL.get(), ApplyStatus.unchanged);
         }
+
         ApplyStatus status = existingACL.isPresent() ? ApplyStatus.changed : ApplyStatus.created;
 
-        //dryrun checks
+        // Dry run checks
         if (dryrun) {
             return formatHttpResponse(accessControlEntry, status);
         }
+
         sendEventLog(accessControlEntry.getKind(),
                 accessControlEntry.getMetadata(),
                 status,
-                existingACL.isPresent() ? existingACL.get().getSpec() : null,
+                existingACL.<Object>map(AccessControlEntry::getSpec).orElse(null),
                 accessControlEntry.getSpec());
 
-        //store
+        // Store
         return formatHttpResponse(accessControlEntryService.create(accessControlEntry), status);
     }
 
+    /**
+     * Delete an ACL
+     * @param authentication The authentication entity
+     * @param namespace The namespace
+     * @param name The ACL name
+     * @param dryrun Is dry run mode or not ?
+     * @return An HTTP response
+     */
     @Delete("/{name}{?dryrun}")
     @Status(HttpStatus.NO_CONTENT)
     public HttpResponse<Void> delete(Authentication authentication, String namespace, String name, @QueryValue(defaultValue = "false") boolean dryrun) {
-
+        Namespace ns = getNamespace(namespace);
         AccessControlEntry accessControlEntry = accessControlEntryService
                 .findByName(namespace, name)
                 .orElseThrow(() -> new ResourceValidationException(
                         List.of("Invalid value " + name + " for name : AccessControlEntry doesn't exist in this namespace"),
                         "AccessControlEntry",
-                        name
-                        )
+                        name)
                 );
 
         List<String> roles = (List<String>) authentication.getAttributes().get("roles");
         boolean isAdmin = roles.contains(ResourceBasedSecurityRule.IS_ADMIN);
-        // self assigned ACL (spec.grantedTo == metadata.namespace)
+        // Self assigned ACL (spec.grantedTo == metadata.namespace)
         boolean isSelfAssignedACL = namespace.equals(accessControlEntry.getSpec().getGrantedTo());
+
         if (isSelfAssignedACL && !isAdmin) {
-            // prevent delete
+            // Prevent delete
             throw new ResourceValidationException(
                     List.of("Only admins can delete this AccessControlEntry"),
                     "AccessControlEntry",
@@ -158,7 +196,7 @@ public HttpResponse<Void> delete(Authentication authentication, String namespace
         }
 
         sendEventLog(accessControlEntry.getKind(), accessControlEntry.getMetadata(), ApplyStatus.deleted,accessControlEntry.getSpec(), null);
-        accessControlEntryService.delete(accessControlEntry);
+        accessControlEntryService.delete(ns, accessControlEntry);
         return HttpResponse.noContent();
     }
 

api/src/main/java/com/michelin/ns4kafka/controllers/SchemaController.java

@@ -22,14 +22,13 @@
 @ExecuteOn(TaskExecutors.IO)
 public class SchemaController extends NamespacedResourceController {
     /**
-     * Subject service
+     * The schema service
      */
     @Inject
     SchemaService schemaService;
 
     /**
      * Get all the schemas by namespace
-     *
      * @param namespace The namespace
      * @return A list of schemas
      */
@@ -41,7 +40,6 @@ public List<Schema> list(String namespace) {
 
     /**
      * Get the last version of a schema by namespace and subject
-     *
      * @param namespace The namespace
      * @param subject   The subject
      * @return A schema
@@ -59,7 +57,6 @@ public Optional<Schema> get(String namespace, String subject) {
 
     /**
      * Publish a schema
-     *
      * @param namespace The namespace
      * @param schema    The schema to create
      * @param dryrun    Does the creation is a dry run
@@ -115,7 +112,6 @@ public HttpResponse<Schema> apply(String namespace, @Valid @Body Schema schema,
 
     /**
      * Delete all schemas under the given subject
-     *
      * @param namespace The current namespace
      * @param subject   The current subject to delete
      * @param dryrun    Run in dry mode or not
@@ -158,7 +154,6 @@ public HttpResponse<Void> deleteSubject(String namespace, @PathVariable String s
 
     /**
      * Update the compatibility of a subject
-     *
      * @param namespace     The namespace
      * @param subject       The subject to update
      * @param compatibility The compatibility to apply

api/src/main/java/com/michelin/ns4kafka/controllers/StreamController.java

@@ -18,40 +18,59 @@
 @Tag(name = "Stream")
 @Controller(value = "/api/namespaces/{namespace}/streams")
 public class StreamController extends NamespacedResourceController {
-
+    /**
+     * The Kafka Streams service
+     */
     @Inject
     StreamService streamService;
 
+    /**
+     * Get all the Kafka Streams by namespace
+     * @param namespace The namespace
+     * @return A list of Kafka Streams
+     */
     @Get("/")
     List<KafkaStream> list(String namespace){
         Namespace ns = getNamespace(namespace);
         return streamService.findAllForNamespace(ns);
 
     }
 
+    /**
+     * Get a Kafka Streams by namespace and name
+     * @param namespace The name
+     * @param stream The Kafka Streams name
+     * @return The Kafka Streams
+     */
     @Get("/{stream}")
-    Optional<KafkaStream> get(String namespace,String stream){
+    Optional<KafkaStream> get(String namespace, String stream){
 
         Namespace ns = getNamespace(namespace);
         return streamService.findByName(ns, stream);
 
     }
 
+    /**
+     * Create a Kafka Streams
+     * @param namespace The namespace
+     * @param stream The Kafka Stream
+     * @param dryrun Is dry run mode or not ?
+     * @return An HTTP response
+     */
     @Post("/{?dryrun}")
     HttpResponse<KafkaStream> apply(String namespace,@Body @Valid KafkaStream stream, @QueryValue(defaultValue = "false") boolean dryrun){
         Namespace ns = getNamespace(namespace);
-
-        //Creation of the correct ACLs
         if (!streamService.isNamespaceOwnerOfKafkaStream(ns, stream.getMetadata().getName())) {
             throw new ResourceValidationException(List.of("Invalid value " + stream.getMetadata().getName()
                     + " for name: Namespace not OWNER of underlying Topic prefix and Group prefix"), "Stream", stream.getMetadata().getName());
         }
-        //Augment the Stream
+
+        // Augment the Stream
         stream.getMetadata().setCreationTimestamp(Date.from(Instant.now()));
         stream.getMetadata().setCluster(ns.getMetadata().getCluster());
         stream.getMetadata().setNamespace(ns.getMetadata().getName());
 
-        //Creation of the correct ACLs
+        // Creation of the correct ACLs
         Optional<KafkaStream> existingStream = streamService.findByName(ns, stream.getMetadata().getName());
         if (existingStream.isPresent() && existingStream.get().equals(stream)){
             return formatHttpResponse(stream, ApplyStatus.unchanged);
@@ -62,16 +81,23 @@ HttpResponse<KafkaStream> apply(String namespace,@Body @Valid KafkaStream stream
         if (dryrun) {
             return formatHttpResponse(stream, status);
         }
+
         sendEventLog(stream.getKind(),
                 stream.getMetadata(),
                 status,
                 null,
                 null);
 
         return formatHttpResponse(streamService.create(stream), status);
-
     }
 
+    /**
+     * Delete a Kafka Streams
+     * @param namespace The namespace
+     * @param stream The Kafka Streams
+     * @param dryrun Is dry run mode or not ?
+     * @return An HTTP response
+     */
     @Status(HttpStatus.NO_CONTENT)
     @Delete("/{stream}{?dryrun}")
     HttpResponse delete(String namespace,String stream, @QueryValue(defaultValue = "false") boolean dryrun){
@@ -80,22 +106,24 @@ HttpResponse delete(String namespace,String stream, @QueryValue(defaultValue = "
             throw new ResourceValidationException(List.of("Invalid value " + stream
                     + " for name: Namespace not OWNER of underlying Topic prefix and Group prefix"), "Stream", stream);
         }
-        // exists ?
+
         Optional<KafkaStream> optionalStream = streamService.findByName(ns, stream);
 
-        if (optionalStream.isEmpty())
+        if (optionalStream.isEmpty()) {
             return HttpResponse.notFound();
+        }
 
         if (dryrun) {
             return HttpResponse.noContent();
         }
+
         var streamToDelete = optionalStream.get();
         sendEventLog(streamToDelete.getKind(),
                 streamToDelete.getMetadata(),
                 ApplyStatus.deleted,
                 null,
                 null);
-        streamService.delete(optionalStream.get());
+        streamService.delete(ns, optionalStream.get());
         return HttpResponse.noContent();
     }
 }

api/src/main/java/com/michelin/ns4kafka/controllers/TopicController.java

@@ -178,6 +178,7 @@ public List<Topic> importResources(String namespace, @QueryValue(defaultValue =
         if (dryrun) {
             return unsynchronizedTopics;
         }
+
         List<Topic> synchronizedTopics = unsynchronizedTopics.stream()
                 .map(topic -> {
                     sendEventLog("Topic", topic.getMetadata(), ApplyStatus.created, null, topic.getSpec());