Merge branch 'main' into issues/348

Author: Haarolean

.github/workflows/e2e-run.yml

@@ -103,8 +103,8 @@ jobs:
         run: |
           mkdir -p ./e2e-tests/target/selenoid-results/video
           mkdir -p ./e2e-tests/target/selenoid-results/logs
-          docker-compose -f ./e2e-tests/selenoid/selenoid-ci.yaml up -d
-          docker-compose -f ./documentation/compose/e2e-tests.yaml up -d
+          docker compose -f ./e2e-tests/selenoid/selenoid-ci.yaml up -d
+          docker compose -f ./documentation/compose/e2e-tests.yaml up -d
 
       - name: Dump Docker logs on failure
         if: failure()

api/pom.xml

@@ -94,6 +94,18 @@
             <version>2.1.0</version>
         </dependency>
 
+        <dependency>
+            <groupId>com.azure</groupId>
+            <artifactId>azure-identity</artifactId>
+            <version>1.13.3</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>io.netty</groupId>
+                    <artifactId>netty-tcnative-boringssl-static</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
         <dependency>
             <groupId>org.apache.avro</groupId>
             <artifactId>avro</artifactId>

api/src/main/java/io/kafbat/ui/config/auth/azure/AzureEntraLoginCallbackHandler.java

@@ -0,0 +1,111 @@
+package io.kafbat.ui.config.auth.azure;
+
+import static org.apache.kafka.clients.CommonClientConfigs.BOOTSTRAP_SERVERS_CONFIG;
+
+import com.azure.core.credential.TokenCredential;
+import com.azure.core.credential.TokenRequestContext;
+import com.azure.identity.DefaultAzureCredentialBuilder;
+import java.net.URI;
+import java.time.Duration;
+import java.util.List;
+import java.util.Map;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.AppConfigurationEntry;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
+import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
+import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
+
+@Slf4j
+public class AzureEntraLoginCallbackHandler implements AuthenticateCallbackHandler {
+
+  private static final Duration ACCESS_TOKEN_REQUEST_BLOCK_TIME = Duration.ofSeconds(10);
+
+  private static final int ACCESS_TOKEN_REQUEST_MAX_RETRIES = 6;
+
+  private static final String TOKEN_AUDIENCE_FORMAT = "%s://%s/.default";
+
+  static TokenCredential tokenCredential = new DefaultAzureCredentialBuilder().build();
+
+  private TokenRequestContext tokenRequestContext;
+
+  @Override
+  public void configure(Map<String, ?> configs,
+                        String mechanism,
+                        List<AppConfigurationEntry> jaasConfigEntries) {
+    tokenRequestContext = buildTokenRequestContext(configs);
+  }
+
+  private TokenRequestContext buildTokenRequestContext(Map<String, ?> configs) {
+    URI uri = buildEventHubsServerUri(configs);
+    String tokenAudience = buildTokenAudience(uri);
+
+    TokenRequestContext request = new TokenRequestContext();
+    request.addScopes(tokenAudience);
+    return request;
+  }
+
+  @SuppressWarnings("unchecked")
+  private URI buildEventHubsServerUri(Map<String, ?> configs) {
+    final List<String> bootstrapServers = (List<String>) configs.get(BOOTSTRAP_SERVERS_CONFIG);
+
+    if (bootstrapServers == null) {
+      final String message = BOOTSTRAP_SERVERS_CONFIG + " is missing from the Kafka configuration.";
+      log.error(message);
+      throw new IllegalArgumentException(message);
+    }
+
+    if (bootstrapServers.size() > 1) {
+      final String message =
+          BOOTSTRAP_SERVERS_CONFIG
+              + " contains multiple bootstrap servers. Only a single bootstrap server is supported.";
+      log.error(message);
+      throw new IllegalArgumentException(message);
+    }
+
+    return URI.create("https://" + bootstrapServers.get(0));
+  }
+
+  private String buildTokenAudience(URI uri) {
+    return String.format(TOKEN_AUDIENCE_FORMAT, uri.getScheme(), uri.getHost());
+  }
+
+  @Override
+  public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
+    for (Callback callback : callbacks) {
+      if (!(callback instanceof OAuthBearerTokenCallback oauthCallback)) {
+        throw new UnsupportedCallbackException(callback);
+      }
+      handleOAuthCallback(oauthCallback);
+    }
+  }
+
+  private void handleOAuthCallback(OAuthBearerTokenCallback oauthCallback) {
+    try {
+      final OAuthBearerToken token = tokenCredential
+          .getToken(tokenRequestContext)
+          .map(AzureEntraOAuthBearerToken::new)
+          .timeout(ACCESS_TOKEN_REQUEST_BLOCK_TIME)
+          .doOnError(e -> log.warn("Failed to acquire Azure token for Event Hub Authentication. Retrying.", e))
+          .retry(ACCESS_TOKEN_REQUEST_MAX_RETRIES)
+          .block();
+
+      oauthCallback.token(token);
+    } catch (RuntimeException e) {
+      final String message =
+          "Failed to acquire Azure token for Event Hub Authentication. "
+              + "Please ensure valid Azure credentials are configured.";
+      log.error(message, e);
+      oauthCallback.error("invalid_grant", message, null);
+    }
+  }
+
+  public void close() {
+    // NOOP
+  }
+
+  void setTokenCredential(TokenCredential tokenCredential) {
+    AzureEntraLoginCallbackHandler.tokenCredential = tokenCredential;
+  }
+}

api/src/main/java/io/kafbat/ui/config/auth/azure/AzureEntraOAuthBearerToken.java

@@ -0,0 +1,62 @@
+package io.kafbat.ui.config.auth.azure;
+
+import com.azure.core.credential.AccessToken;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.JWTParser;
+import java.text.ParseException;
+import java.util.Arrays;
+import java.util.Set;
+import java.util.stream.Collectors;
+import org.apache.kafka.common.errors.SaslAuthenticationException;
+import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
+
+public class AzureEntraOAuthBearerToken implements OAuthBearerToken {
+
+  private final AccessToken accessToken;
+  private final JWTClaimsSet claims;
+
+  public AzureEntraOAuthBearerToken(AccessToken accessToken) {
+    this.accessToken = accessToken;
+
+    try {
+      claims = JWTParser.parse(accessToken.getToken()).getJWTClaimsSet();
+    } catch (ParseException exception) {
+      throw new SaslAuthenticationException("Unable to parse the access token", exception);
+    }
+  }
+
+  @Override
+  public String value() {
+    return accessToken.getToken();
+  }
+
+  @Override
+  public Long startTimeMs() {
+    return claims.getIssueTime().getTime();
+  }
+
+  @Override
+  public long lifetimeMs() {
+    return claims.getExpirationTime().getTime();
+  }
+
+  @Override
+  public Set<String> scope() {
+    // Referring to
+    // https://docs.microsoft.com/azure/active-directory/develop/access-tokens#payload-claims, the
+    // scp
+    // claim is a String which is presented as a space separated list.
+    return Arrays
+        .stream(((String) claims.getClaim("scp")).split(" "))
+        .collect(Collectors.toSet());
+  }
+
+  @Override
+  public String principalName() {
+    return (String) claims.getClaim("upn");
+  }
+
+  public boolean isExpired() {
+    return accessToken.isExpired();
+  }
+}

api/src/main/java/io/kafbat/ui/controller/AccessController.java

@@ -45,33 +45,34 @@ public Mono<ResponseEntity<AuthenticationInfoDTO>> getUserAuthInfo(ServerWebExch
         .map(SecurityContext::getAuthentication)
         .map(Principal::getName);
 
+    var builder = AuthenticationInfoDTO.builder()
+        .rbacEnabled(accessControlService.isRbacEnabled());
+
     return userName
         .zipWith(permissions)
-        .map(data -> {
-          var dto = new AuthenticationInfoDTO(accessControlService.isRbacEnabled());
-          dto.setUserInfo(new UserInfoDTO(data.getT1(), data.getT2()));
-          return dto;
-        })
-        .switchIfEmpty(Mono.just(new AuthenticationInfoDTO(accessControlService.isRbacEnabled())))
+        .map(data -> (AuthenticationInfoDTO) builder
+            .userInfo(new UserInfoDTO(data.getT1(), data.getT2()))
+            .build()
+        )
+        .switchIfEmpty(Mono.just(builder.build()))
         .map(ResponseEntity::ok);
   }
 
   private List<UserPermissionDTO> mapPermissions(List<Permission> permissions, List<String> clusters) {
     return permissions
         .stream()
-        .map(permission -> {
-          UserPermissionDTO dto = new UserPermissionDTO();
-          dto.setClusters(clusters);
-          dto.setResource(ResourceTypeDTO.fromValue(permission.getResource().toString().toUpperCase()));
-          dto.setValue(permission.getValue());
-          dto.setActions(permission.getParsedActions()
-              .stream()
-              .map(p -> p.name().toUpperCase())
-              .map(this::mapAction)
-              .filter(Objects::nonNull)
-              .toList());
-          return dto;
-        })
+        .map(permission -> (UserPermissionDTO) UserPermissionDTO.builder()
+            .clusters(clusters)
+            .resource(ResourceTypeDTO.fromValue(permission.getResource().toString().toUpperCase()))
+            .value(permission.getValue())
+            .actions(permission.getParsedActions()
+                .stream()
+                .map(p -> p.name().toUpperCase())
+                .map(this::mapAction)
+                .filter(Objects::nonNull)
+                .toList())
+            .build()
+        )
         .toList();
   }
 

api/src/main/java/io/kafbat/ui/controller/KsqlController.java

@@ -53,6 +53,7 @@ public Mono<ResponseEntity<KsqlCommandV2ResponseDTO>> executeKsql(String cluster
   }
 
   @Override
+  @SuppressWarnings("unchecked")
   public Mono<ResponseEntity<Flux<KsqlResponseDTO>>> openKsqlResponsePipe(String clusterName,
                                                                           String pipeId,
                                                                           ServerWebExchange exchange) {

api/src/main/java/io/kafbat/ui/controller/TopicsController.java

@@ -1,9 +1,10 @@
 package io.kafbat.ui.controller;
 
+import static io.kafbat.ui.model.rbac.permission.TopicAction.ANALYSIS_RUN;
+import static io.kafbat.ui.model.rbac.permission.TopicAction.ANALYSIS_VIEW;
 import static io.kafbat.ui.model.rbac.permission.TopicAction.CREATE;
 import static io.kafbat.ui.model.rbac.permission.TopicAction.DELETE;
 import static io.kafbat.ui.model.rbac.permission.TopicAction.EDIT;
-import static io.kafbat.ui.model.rbac.permission.TopicAction.MESSAGES_READ;
 import static io.kafbat.ui.model.rbac.permission.TopicAction.VIEW;
 import static java.util.stream.Collectors.toList;
 
@@ -272,7 +273,7 @@ public Mono<ResponseEntity<Void>> analyzeTopic(String clusterName, String topicN
 
     var context = AccessContext.builder()
         .cluster(clusterName)
-        .topicActions(topicName, MESSAGES_READ)
+        .topicActions(topicName, ANALYSIS_RUN)
         .operationName("analyzeTopic")
         .build();
 
@@ -288,7 +289,7 @@ public Mono<ResponseEntity<Void>> cancelTopicAnalysis(String clusterName, String
                                                         ServerWebExchange exchange) {
     var context = AccessContext.builder()
         .cluster(clusterName)
-        .topicActions(topicName, MESSAGES_READ)
+        .topicActions(topicName, ANALYSIS_RUN)
         .operationName("cancelTopicAnalysis")
         .build();
 
@@ -306,7 +307,7 @@ public Mono<ResponseEntity<TopicAnalysisDTO>> getTopicAnalysis(String clusterNam
 
     var context = AccessContext.builder()
         .cluster(clusterName)
-        .topicActions(topicName, MESSAGES_READ)
+        .topicActions(topicName, ANALYSIS_VIEW)
         .operationName("getTopicAnalysis")
         .build();
 
@@ -350,18 +351,12 @@ private Comparator<InternalTopic> getComparatorForTopic(
     if (orderBy == null) {
       return defaultComparator;
     }
-    switch (orderBy) {
-      case TOTAL_PARTITIONS:
-        return Comparator.comparing(InternalTopic::getPartitionCount);
-      case OUT_OF_SYNC_REPLICAS:
-        return Comparator.comparing(t -> t.getReplicas() - t.getInSyncReplicas());
-      case REPLICATION_FACTOR:
-        return Comparator.comparing(InternalTopic::getReplicationFactor);
-      case SIZE:
-        return Comparator.comparing(InternalTopic::getSegmentSize);
-      case NAME:
-      default:
-        return defaultComparator;
-    }
+    return switch (orderBy) {
+      case TOTAL_PARTITIONS -> Comparator.comparing(InternalTopic::getPartitionCount);
+      case OUT_OF_SYNC_REPLICAS -> Comparator.comparing(t -> t.getReplicas() - t.getInSyncReplicas());
+      case REPLICATION_FACTOR -> Comparator.comparing(InternalTopic::getReplicationFactor);
+      case SIZE -> Comparator.comparing(InternalTopic::getSegmentSize);
+      default -> defaultComparator;
+    };
   }
 }

api/src/main/java/io/kafbat/ui/model/rbac/permission/TopicAction.java

@@ -13,6 +13,8 @@ public enum TopicAction implements PermissibleAction {
   MESSAGES_READ(VIEW),
   MESSAGES_PRODUCE(VIEW),
   MESSAGES_DELETE(VIEW, EDIT),
+  ANALYSIS_VIEW(VIEW),
+  ANALYSIS_RUN(VIEW, ANALYSIS_VIEW),
 
   ;