Merge branch 'main' into issues/631

Author: Rupa-421

.github/workflows/cve_checks.yml

@@ -71,6 +71,7 @@ jobs:
         uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # https://github.com/aquasecurity/trivy-action/releases/tag/0.33.1
         with:
           image-ref: "ghcr.io/kafbat/kafka-ui:latest"
+          severity: "CRITICAL,HIGH"
           format: "table"
           exit-code: "1"
 

api/build.gradle

@@ -7,6 +7,16 @@ plugins {
     alias(libs.plugins.spring.dependency.management)
 }
 
+configurations.all {
+    resolutionStrategy {
+        capabilitiesResolution {
+            withCapability("org.lz4:lz4-java") {
+                select(libs.lz4.yawk.get().toString())
+            }
+        }
+    }
+}
+
 
 import com.bmuschko.gradle.docker.tasks.image.DockerBuildImage
 
@@ -33,7 +43,10 @@ dependencies {
 
     implementation libs.spring.security.ldap
 
-    implementation libs.kafka.clients
+    implementation (libs.kafka.clients) {
+        // TODO: Remove once client would fix CVE
+        exclude group: "org.lz4", module: "lz4-java"
+    }
 
     implementation libs.apache.avro
     implementation libs.apache.commons
@@ -77,10 +90,12 @@ dependencies {
     // CVE Fixes
     implementation libs.apache.commons.compress
     implementation libs.okhttp3.logging.intercepter
+    implementation libs.lz4.yawk
 
     implementation libs.modelcontextprotocol.spring.webflux
     implementation libs.victools.jsonschema.generator
 
+
     // Google Managed Service for Kafka IAM support
     implementation (libs.google.managed.kafka.login.handler) {
         exclude group: 'com.google.oauth-client', module: 'google-oauth-client'

api/src/main/java/io/kafbat/ui/controller/ConsumerGroupsController.java

@@ -12,6 +12,7 @@
 import io.kafbat.ui.model.ConsumerGroupDetailsDTO;
 import io.kafbat.ui.model.ConsumerGroupOffsetsResetDTO;
 import io.kafbat.ui.model.ConsumerGroupOrderingDTO;
+import io.kafbat.ui.model.ConsumerGroupsLagResponseDTO;
 import io.kafbat.ui.model.ConsumerGroupsPageResponseDTO;
 import io.kafbat.ui.model.PartitionOffsetDTO;
 import io.kafbat.ui.model.SortOrderDTO;
@@ -20,10 +21,13 @@
 import io.kafbat.ui.service.ConsumerGroupService;
 import io.kafbat.ui.service.OffsetsResetService;
 import io.kafbat.ui.service.mcp.McpTool;
+import java.time.Instant;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.OptionalInt;
 import java.util.function.Supplier;
+import java.util.stream.Collectors;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
@@ -33,6 +37,7 @@
 import org.springframework.web.server.ServerWebExchange;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
+import reactor.util.function.Tuples;
 
 @RestController
 @RequiredArgsConstructor
@@ -98,6 +103,39 @@ public Mono<ResponseEntity<ConsumerGroupDetailsDTO>> getConsumerGroup(String clu
 
 
 
+  @Override
+  public Mono<ResponseEntity<ConsumerGroupsLagResponseDTO>> getConsumerGroupsLag(String clusterName,
+                                                                                 List<String> groupNames,
+                                                                                 Long lastUpdate,
+                                                                                 ServerWebExchange exchange) {
+
+    var context = AccessContext.builder()
+        .cluster(clusterName)
+        .operationName("getConsumerGroupsLag")
+        .build();
+
+    Mono<ResponseEntity<ConsumerGroupsLagResponseDTO>> result =
+        consumerGroupService.getConsumerGroupsLag(getCluster(clusterName), groupNames, Optional.ofNullable(lastUpdate))
+            .flatMap(t ->
+               Flux.fromIterable(t.getT1().entrySet())
+                .filterWhen(cg -> accessControlService.isConsumerGroupAccessible(cg.getKey(), clusterName))
+                .collectList()
+                .map(l -> l.stream().collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue)))
+                .map(l -> Tuples.of(t.getT2(), l))
+            )
+            .map(t ->
+                new ConsumerGroupsLagResponseDTO(
+                    t.getT1().orElse(0L), t.getT2()
+                )
+            )
+            .map(ResponseEntity::ok)
+            .switchIfEmpty(Mono.just(ResponseEntity.notFound().build()));
+
+    return validateAccess(context)
+        .then(result)
+        .doOnEach(sig -> audit(context, sig));
+  }
+
   @Override
   public Mono<ResponseEntity<Flux<ConsumerGroupDTO>>> getTopicConsumerGroups(String clusterName,
                                                                              String topicName,

api/src/main/java/io/kafbat/ui/controller/KafkaConnectController.java

@@ -3,8 +3,6 @@
 import static io.kafbat.ui.model.ConnectorActionDTO.RESTART;
 import static io.kafbat.ui.model.ConnectorActionDTO.RESTART_ALL_TASKS;
 import static io.kafbat.ui.model.ConnectorActionDTO.RESTART_FAILED_TASKS;
-import static io.kafbat.ui.model.rbac.permission.ConnectAction.RESET_OFFSETS;
-import static io.kafbat.ui.model.rbac.permission.ConnectAction.VIEW;
 
 import io.kafbat.ui.api.KafkaConnectApi;
 import io.kafbat.ui.model.ConnectDTO;
@@ -20,6 +18,7 @@
 import io.kafbat.ui.model.TopicsResponseDTO;
 import io.kafbat.ui.model.rbac.AccessContext;
 import io.kafbat.ui.model.rbac.permission.ConnectAction;
+import io.kafbat.ui.model.rbac.permission.ConnectorAction;
 import io.kafbat.ui.service.KafkaConnectService;
 import io.kafbat.ui.service.mcp.McpTool;
 import java.util.Comparator;
@@ -107,7 +106,7 @@ public Mono<ResponseEntity<ConnectorDTO>> getConnector(String clusterName, Strin
 
     var context = AccessContext.builder()
         .cluster(clusterName)
-        .connectActions(connectName, ConnectAction.VIEW)
+        .connectorActions(connectName, connectorName, ConnectorAction.VIEW)
         .operationName("getConnector")
         .build();
 
@@ -124,9 +123,8 @@ public Mono<ResponseEntity<Void>> deleteConnector(String clusterName, String con
 
     var context = AccessContext.builder()
         .cluster(clusterName)
-        .connectActions(connectName, ConnectAction.DELETE)
+        .connectorActions(connectName, connectorName, ConnectorAction.DELETE)
         .operationName("deleteConnector")
-        .operationParams(Map.of(CONNECTOR_NAME, connectName))
         .build();
 
     return validateAccess(context).then(
@@ -182,7 +180,7 @@ public Mono<ResponseEntity<Map<String, Object>>> getConnectorConfig(String clust
 
     var context = AccessContext.builder()
         .cluster(clusterName)
-        .connectActions(connectName, ConnectAction.VIEW)
+        .connectorActions(connectName, connectorName, ConnectorAction.VIEW)
         .operationName("getConnectorConfig")
         .build();
 
@@ -201,9 +199,8 @@ public Mono<ResponseEntity<ConnectorDTO>> setConnectorConfig(String clusterName,
 
     var context = AccessContext.builder()
         .cluster(clusterName)
-        .connectActions(connectName, ConnectAction.VIEW, ConnectAction.EDIT)
+        .connectorActions(connectName, connectorName, ConnectorAction.VIEW, ConnectorAction.EDIT)
         .operationName("setConnectorConfig")
-        .operationParams(Map.of(CONNECTOR_NAME, connectorName))
         .build();
 
     return validateAccess(context).then(
@@ -218,14 +215,10 @@ public Mono<ResponseEntity<Void>> updateConnectorState(String clusterName, Strin
                                                          String connectorName,
                                                          ConnectorActionDTO action,
                                                          ServerWebExchange exchange) {
-    ConnectAction[] connectActions;
-    connectActions = new ConnectAction[] {ConnectAction.VIEW, ConnectAction.OPERATE};
-
     var context = AccessContext.builder()
         .cluster(clusterName)
-        .connectActions(connectName, connectActions)
+        .connectorActions(connectName, connectorName, ConnectorAction.VIEW, ConnectorAction.OPERATE)
         .operationName("updateConnectorState")
-        .operationParams(Map.of(CONNECTOR_NAME, connectorName))
         .build();
 
     return validateAccess(context).then(
@@ -242,9 +235,8 @@ public Mono<ResponseEntity<Flux<TaskDTO>>> getConnectorTasks(String clusterName,
                                                                ServerWebExchange exchange) {
     var context = AccessContext.builder()
         .cluster(clusterName)
-        .connectActions(connectName, ConnectAction.VIEW)
+        .connectorActions(connectName, connectorName, ConnectorAction.VIEW)
         .operationName("getConnectorTasks")
-        .operationParams(Map.of(CONNECTOR_NAME, connectorName))
         .build();
 
     return validateAccess(context).thenReturn(
@@ -261,9 +253,8 @@ public Mono<ResponseEntity<Void>> restartConnectorTask(String clusterName, Strin
 
     var context = AccessContext.builder()
         .cluster(clusterName)
-        .connectActions(connectName, ConnectAction.VIEW, ConnectAction.OPERATE)
+        .connectorActions(connectName, connectorName, ConnectorAction.VIEW, ConnectorAction.OPERATE)
         .operationName("restartConnectorTask")
-        .operationParams(Map.of(CONNECTOR_NAME, connectorName))
         .build();
 
     return validateAccess(context).then(
@@ -324,15 +315,16 @@ private Comparator<FullConnectorInfoDTO> getConnectorsComparator(ConnectorColumn
   }
 
   @Override
-  public Mono<ResponseEntity<Void>> resetConnectorOffsets(String clusterName, String connectName,
+  public Mono<ResponseEntity<Void>> resetConnectorOffsets(
+      String clusterName,
+      String connectName,
       String connectorName,
       ServerWebExchange exchange) {
 
     var context = AccessContext.builder()
         .cluster(clusterName)
-        .connectActions(connectName, VIEW, RESET_OFFSETS)
+        .connectorActions(connectName, connectorName, ConnectorAction.VIEW, ConnectorAction.RESET_OFFSETS)
         .operationName("resetConnectorOffsets")
-        .operationParams(Map.of(CONNECTOR_NAME, connectorName))
         .build();
 
     return validateAccess(context).then(

api/src/main/java/io/kafbat/ui/mapper/ConsumerGroupMapper.java

@@ -1,16 +1,25 @@
 package io.kafbat.ui.mapper;
 
+import io.kafbat.ui.api.model.ConsumerGroupLag;
+import io.kafbat.ui.api.model.ConsumerGroupState;
 import io.kafbat.ui.model.BrokerDTO;
 import io.kafbat.ui.model.ConsumerGroupDTO;
 import io.kafbat.ui.model.ConsumerGroupDetailsDTO;
+import io.kafbat.ui.model.ConsumerGroupLagDTO;
 import io.kafbat.ui.model.ConsumerGroupStateDTO;
 import io.kafbat.ui.model.ConsumerGroupTopicPartitionDTO;
 import io.kafbat.ui.model.InternalConsumerGroup;
 import io.kafbat.ui.model.InternalTopicConsumerGroup;
+import io.kafbat.ui.service.metrics.scrape.ScrapedClusterState;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 import org.apache.kafka.common.Node;
 import org.apache.kafka.common.TopicPartition;
 

api/src/main/java/io/kafbat/ui/model/InternalConsumerGroup.java

@@ -1,5 +1,7 @@
 package io.kafbat.ui.model;
 
+import static io.kafbat.ui.util.ConsumerGroupUtil.calculateConsumerLag;
+
 import java.util.Collection;
 import java.util.Map;
 import java.util.Optional;
@@ -56,22 +58,6 @@ public static InternalConsumerGroup create(
     return builder.build();
   }
 
-  private static Long calculateConsumerLag(Map<TopicPartition, Long> offsets, Map<TopicPartition, Long> endOffsets) {
-    Long consumerLag = null;
-    // consumerLag should be undefined if no committed offsets found for topic
-    if (!offsets.isEmpty()) {
-      consumerLag = offsets.entrySet().stream()
-          .mapToLong(e ->
-              Optional.ofNullable(endOffsets)
-                  .map(o -> o.get(e.getKey()))
-                  .map(o -> o - e.getValue())
-                  .orElse(0L)
-          ).sum();
-    }
-
-    return consumerLag;
-  }
-
   private static Integer calculateTopicNum(Map<TopicPartition, Long> offsets, Collection<InternalMember> members) {
 
     return (int) Stream.concat(

api/src/main/java/io/kafbat/ui/model/rbac/AccessContext.java

@@ -9,6 +9,7 @@
 import io.kafbat.ui.model.rbac.permission.ClientQuotaAction;
 import io.kafbat.ui.model.rbac.permission.ClusterConfigAction;
 import io.kafbat.ui.model.rbac.permission.ConnectAction;
+import io.kafbat.ui.model.rbac.permission.ConnectorAction;
 import io.kafbat.ui.model.rbac.permission.ConsumerGroupAction;
 import io.kafbat.ui.model.rbac.permission.KsqlAction;
 import io.kafbat.ui.model.rbac.permission.PermissibleAction;
@@ -19,7 +20,9 @@
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 import org.springframework.security.access.AccessDeniedException;
 
 public record AccessContext(String cluster,
@@ -34,26 +37,33 @@ public interface ResourceAccess {
 
     Resource resourceType();
 
-    Collection<PermissibleAction> requestedActions();
+    Collection<? extends PermissibleAction> requestedActions();
 
     boolean isAccessible(List<Permission> userPermissions);
+
+    @Nullable
+    ResourceAccess fallback();
   }
 
   record SingleResourceAccess(@Nullable String name,
                               Resource resourceType,
-                              Collection<PermissibleAction> requestedActions) implements ResourceAccess {
+                              Collection<? extends PermissibleAction> requestedActions,
+                              @Nullable ResourceAccess fallback) implements ResourceAccess {
 
-    SingleResourceAccess(@Nullable String name,
-                         Resource resourceType,
-                         Collection<PermissibleAction> requestedActions) {
+    SingleResourceAccess {
       Preconditions.checkArgument(!requestedActions.isEmpty(), "actions not present");
-      this.name = name;
-      this.resourceType = resourceType;
-      this.requestedActions = requestedActions;
     }
 
-    SingleResourceAccess(Resource type, List<PermissibleAction> requestedActions) {
-      this(null, type, requestedActions);
+    SingleResourceAccess(@Nullable String name, Resource type, List<? extends PermissibleAction> requestedActions) {
+      this(name, type, requestedActions, null);
+    }
+
+    SingleResourceAccess(Resource type, List<? extends PermissibleAction> requestedActions, ResourceAccess fallback) {
+      this(null, type, requestedActions, fallback);
+    }
+
+    SingleResourceAccess(Resource type, List<? extends PermissibleAction> requestedActions) {
+      this(null, type, requestedActions, null);
     }
 
     @Override
@@ -77,7 +87,8 @@ public boolean isAccessible(List<Permission> userPermissions) throws AccessDenie
           .flatMap(p -> p.getParsedActions().stream())
           .collect(Collectors.toSet());
 
-      return allowedActions.containsAll(requestedActions);
+      return allowedActions.containsAll(requestedActions)
+          || Optional.ofNullable(fallback).map(e -> e.isAccessible(userPermissions)).orElse(false);
     }
   }
 
@@ -130,6 +141,18 @@ public AccessContextBuilder connectActions(String connect, ConnectAction... acti
       return this;
     }
 
+    public AccessContextBuilder connectorActions(String connect, String connector, ConnectorAction... actions) {
+      accessedResources.add(
+          new SingleResourceAccess(String.join("/", connect, connector), Resource.CONNECTOR, List.of(actions),
+              new SingleResourceAccess(
+                  connect, Resource.CONNECT,
+                  Stream.of(actions).map(ConnectorAction::getConnectAction).toList()
+              )
+          )
+      );
+      return this;
+    }
+
     public AccessContextBuilder schemaActions(String schema, SchemaAction... actions) {
       accessedResources.add(new SingleResourceAccess(schema, Resource.SCHEMA, List.of(actions)));
       return this;

api/src/main/java/io/kafbat/ui/model/rbac/Resource.java

@@ -6,6 +6,7 @@
 import io.kafbat.ui.model.rbac.permission.ClientQuotaAction;
 import io.kafbat.ui.model.rbac.permission.ClusterConfigAction;
 import io.kafbat.ui.model.rbac.permission.ConnectAction;
+import io.kafbat.ui.model.rbac.permission.ConnectorAction;
 import io.kafbat.ui.model.rbac.permission.ConsumerGroupAction;
 import io.kafbat.ui.model.rbac.permission.KsqlAction;
 import io.kafbat.ui.model.rbac.permission.PermissibleAction;
@@ -36,6 +37,8 @@ public enum Resource {
 
   CONNECT(ConnectAction.values(), ConnectAction.ALIASES),
 
+  CONNECTOR(ConnectorAction.values()),
+
   KSQL(KsqlAction.values()),
 
   ACL(AclAction.values()),