[KIP-554] User SCRAM credentials API (#2070)

* Check for Flaky Tests

* Initial build try

* Initial build try-(2)

* Initial build try-(3)

* ignoring flaky tests

* faster response cycle

* Final build - (1)

* PR comment Addressal

* added logtofile for protobuf_with_reference

* Removed LogToFile for protobufwithreference

* FIXME Comment for ProtobufWithReference and removed SchemaRegistry.IntegrationTests for now from semaphore

* ProtobufWithReference skipFlaky removed

* inital stubs

* Changes

* changes

* changes

* changes

* changes

* changes

* changes

* changes

* changes

* changes

* changes

* changes

* changes

* changes

* changes

* Reflect librdkafka changes
Add exceptions
Remove AlterUserScramCredentialsResult
Add DescribeUserScramCredentialsReport

* Fixes and parametric examples

* Fix integration tests

* Better exception documentation

* Address comments

* Change ToString methods to
return a JSON string

* Changelog entry

* Unit tests

---------

Co-authored-by: Emanuele Sabellico <[email protected]>
Co-authored-by: Anchit Jain <[email protected]>

Author: 3 people

CHANGELOG.md

@@ -5,6 +5,9 @@
 - References librdkafka.redist 2.2.0. Refer to the [librdkafka v2.2.0 release notes](https://github.com/confluentinc/librdkafka/releases/tag/v2.2.0) for more information.
 - [KIP-339](https://cwiki.apache.org/confluence/display/KAFKA/KIP-339%3A+Create+a+new+IncrementalAlterConfigs+API)
   IncrementalAlterConfigs API (#2005).
+- [KIP-554](https://cwiki.apache.org/confluence/display/KAFKA/KIP-554%3A+Add+Broker-side+SCRAM+Config+API):
+    User SASL/SCRAM credentials alteration and description (#2070).
+
 
 ## Fixes
 

examples/AdminClient/Program.cs

@@ -21,6 +21,7 @@
 using Confluent.Kafka.Admin;
 using System.Linq;
 using System.Collections.Generic;
+using System.Text;
 
 
 namespace Confluent.Kafka.Examples
@@ -161,6 +162,85 @@ static void PrintAclBindings(List<AclBinding> aclBindings)
             }
         }
 
+        static List<UserScramCredentialAlteration> ParseUserScramCredentialAlterations(
+            string[] args)
+        {
+            if (args.Length == 0)
+            {
+                Console.WriteLine("usage: .. <bootstrapServers> alter-user-scram-alterations " + 
+                    "UPSERT <user1> <mechanism1> <iterations1> <password1> <salt1> " +
+                    "[UPSERT <user2> <mechanism2> <iterations2> <password2> <salt2> " +
+                    "DELETE <user3> <mechanism3> ..]");
+                Environment.ExitCode = 1;
+                return null;
+            }
+            
+            var alterations = new List<UserScramCredentialAlteration>();
+            for (int i = 0; i < args.Length;) {
+                string alterationName = args[i];
+                if (alterationName == "UPSERT")
+                {
+                    if (i + 5 >= args.Length)
+                    {
+                        throw new ArgumentException(
+                            $"invalid number of arguments for alteration {alterations.Count},"+
+                            $" expected 5, got {args.Length - i - 1}");
+                    }
+
+                    string user = args[i + 1];
+                    var mechanism = Enum.Parse<ScramMechanism>(args[i + 2]);
+                    var iterations = Int32.Parse(args[i + 3]);
+                    var password = Encoding.UTF8.GetBytes(args[i + 4]);
+                    string saltString = args[i + 5];
+                    byte[] salt = null;
+                    if (saltString != "")
+                    {
+                        salt = Encoding.UTF8.GetBytes(saltString);
+                    }
+                    alterations.Add(
+                        new UserScramCredentialUpsertion
+                        {
+                            User = user,
+                            ScramCredentialInfo = new ScramCredentialInfo
+                            {
+                                Mechanism = mechanism,
+                                Iterations = iterations,
+                            },
+                            Password = password,
+                            Salt = salt,
+                        }
+                    );
+                    i += 6;
+                }
+                else if (alterationName == "DELETE")
+                {
+                    if (i + 2 >= args.Length)
+                    {
+                        throw new ArgumentException(
+                            $"invalid number of arguments for alteration {alterations.Count},"+
+                            $" expected 2, got {args.Length - i - 1}");
+                    }
+
+                    string user = args[i + 1];
+                    var mechanism = Enum.Parse<ScramMechanism>(args[i + 2]);
+                    alterations.Add(
+                        new UserScramCredentialDeletion
+                        {
+                            User = user,
+                            Mechanism = mechanism,
+                        }
+                    );
+                    i += 3;
+                }
+                else
+                {
+                    throw new ArgumentException(
+                        $"invalid alteration {alterations.Count}, must be UPSERT or DELETE");
+                }
+            }
+            return alterations;
+        }
+
         static async Task CreateAclsAsync(string bootstrapServers, string[] commandArgs)
         {
             List<AclBinding> aclBindings;
@@ -599,6 +679,84 @@ e is FormatException
             }
         }
 
+        static async Task DescribeUserScramCredentialsAsync(string bootstrapServers, string[] commandArgs)
+        {          
+            var users = commandArgs.ToList();
+            var timeout = TimeSpan.FromSeconds(30);
+            using (var adminClient = new AdminClientBuilder(new AdminClientConfig { BootstrapServers = bootstrapServers }).Build())
+            {
+                try
+                {
+                    var descResult = await adminClient.DescribeUserScramCredentialsAsync(users, new DescribeUserScramCredentialsOptions() { RequestTimeout = timeout });
+                    foreach (var description in descResult.UserScramCredentialsDescriptions)
+                    {
+                        Console.WriteLine($"  User: {description.User}");
+                        foreach (var scramCredentialInfo in description.ScramCredentialInfos)
+                        {
+                            Console.WriteLine($"    Mechanism: {scramCredentialInfo.Mechanism}");
+                            Console.WriteLine($"      Iterations: {scramCredentialInfo.Iterations}");
+                        }
+                    }
+                }
+                catch (DescribeUserScramCredentialsException e)
+                {
+                    Console.WriteLine($"An error occurred describing user SCRAM credentials" +
+                                       " for some users:");
+                    foreach (var description in e.Results.UserScramCredentialsDescriptions)
+                    {
+                        Console.WriteLine($"  User: {description.User}");
+                        Console.WriteLine($"    Error: {description.Error}");
+                        if (!description.Error.IsError)
+                        {
+                            foreach (var scramCredentialInfo in description.ScramCredentialInfos)
+                            {
+                                Console.WriteLine($"    Mechanism: {scramCredentialInfo.Mechanism}");
+                                Console.WriteLine($"      Iterations: {scramCredentialInfo.Iterations}");
+                            }
+                        }
+                    }
+                }
+                catch (KafkaException e)
+                {
+                    Console.WriteLine($"An error occurred describing user SCRAM credentials: {e}");
+                    Environment.ExitCode = 1;
+                }
+            }
+        }
+
+        static async Task AlterUserScramCredentialsAsync(string bootstrapServers, string[] commandArgs)
+        {
+            var alterations = ParseUserScramCredentialAlterations(commandArgs);
+            if (alterations == null)
+                return;
+
+            var timeout = TimeSpan.FromSeconds(30);
+            using (var adminClient = new AdminClientBuilder(new AdminClientConfig { BootstrapServers = bootstrapServers }).Build())
+            {
+                try
+                {
+                    await adminClient.AlterUserScramCredentialsAsync(alterations,
+                        new AlterUserScramCredentialsOptions() { RequestTimeout = timeout });
+                    Console.WriteLine("All AlterUserScramCredentials operations completed successfully");
+                }
+                catch (AlterUserScramCredentialsException e)
+                {
+                    Console.WriteLine($"An error occurred altering user SCRAM credentials" +
+                                       " for some users:");
+                    foreach (var result in e.Results)
+                    {
+                        Console.WriteLine($"  User: {result.User}");
+                        Console.WriteLine($"    Error: {result.Error}");
+                    }
+                }
+                catch (KafkaException e)
+                {
+                    Console.WriteLine($"An error occurred altering user SCRAM credentials: {e}");
+                    Environment.ExitCode = 1;
+                }
+            }
+        }
+
         public static async Task Main(string[] args)
         {
             if (args.Length < 2)
@@ -609,7 +767,9 @@ public static async Task Main(string[] args)
                         "describe-acls", "delete-acls",
                         "list-consumer-groups", "describe-consumer-groups",
                         "list-consumer-group-offsets", "alter-consumer-group-offsets",
-                        "incremental-alter-configs"
+                        "incremental-alter-configs", "describe-user-scram-credentials", 
+                        "alter-user-scram-credentials"
+
                     }) +
                     " ..");
                 Environment.ExitCode = 1;
@@ -658,6 +818,12 @@ public static async Task Main(string[] args)
                 case "incremental-alter-configs":
                     await IncrementalAlterConfigsAsync(bootstrapServers, commandArgs);
                     break;
+                case "describe-user-scram-credentials":
+                    await DescribeUserScramCredentialsAsync(bootstrapServers, commandArgs);
+                    break;
+                case "alter-user-scram-credentials":
+                    await AlterUserScramCredentialsAsync(bootstrapServers, commandArgs);
+                    break;
                 default:
                     Console.WriteLine($"unknown command: {command}");
                     break;

src/Confluent.Kafka/Admin/AlterUserScramCredentialsException.cs

@@ -0,0 +1,50 @@
+// Copyright 2023 Confluent Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Refer to LICENSE for more information.
+
+using System.Collections.Generic;
+
+
+namespace Confluent.Kafka.Admin
+{
+    /// <summary>
+    ///     Represents an error that occurred during an alter user
+    ///     scram credentials operation.
+    /// </summary>
+    public class AlterUserScramCredentialsException : KafkaException
+    {
+        /// <summary>
+        ///     Initializes a new instance of AlterUserScramCredentialsException.
+        /// </summary>
+        /// <param name="results">
+        ///     The result corresponding to all users in the request
+        ///     (whether or not they were in error). At least one of these
+        ///     results will be in error.
+        /// </param>
+        public AlterUserScramCredentialsException(List<AlterUserScramCredentialsReport> results)
+            : base(new Error(ErrorCode.Local_Partial,
+                "An error occurred altering user SCRAM credentials, check individual result elements"))
+        {
+            Results = results;
+        }
+
+        /// <summary>
+        ///     The result corresponding to all users in the request
+        ///     (whether or not they were in error). At least one of these
+        ///     results will be in error.
+        /// </summary>
+        public List<AlterUserScramCredentialsReport> Results { get; }
+    }
+}

src/Confluent.Kafka/Admin/AlterUserScramCredentialsOptions.cs

@@ -0,0 +1,37 @@
+// Copyright 2023 Confluent Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Refer to LICENSE for more information.
+
+using System;
+
+
+namespace Confluent.Kafka.Admin
+{
+    /// <summary>
+    ///     Options for the AlterUserScramCredentials method.
+    /// </summary>
+    public class AlterUserScramCredentialsOptions
+    {
+        /// <summary>
+        ///     The overall request timeout, including broker lookup, request
+        ///     transmission, operation time on broker, and response. If set
+        ///     to null, the default request timeout for the AdminClient will
+        ///     be used.
+        ///
+        ///     Default: null
+        /// </summary>
+        public TimeSpan? RequestTimeout { get; set; }
+    }
+}

src/Confluent.Kafka/Admin/AlterUserScramCredentialsReport.cs

@@ -0,0 +1,48 @@
+// Copyright 2023 Confluent Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Refer to LICENSE for more information.
+
+
+namespace Confluent.Kafka.Admin
+{
+    /// <summary>
+    ///     The per-user result for an alter user scram credentials request,
+    ///     including errors.
+    /// </summary>
+    public class AlterUserScramCredentialsReport
+    {
+        /// <summary>
+        ///     Username for the performed Alteration.
+        /// </summary>
+        public string User { get; set; }
+
+        /// <summary>
+        ///     Error of the performed Alteration.
+        /// </summary>
+        public Error Error { get; set; }
+
+        /// <summary>
+        ///     Returns a JSON representation of the AlterUserScramCredentialsReport object.
+        /// </summary>
+        /// <returns>
+        ///     A JSON representation the AlterUserScramCredentialsReport object.
+        /// </returns>
+        public override string ToString()
+        {
+            return $"{{\"User\": {User.Quote()}, " + 
+                   $"\"Error\": {Error.ToString().Quote()}}}";
+        }
+    }
+}