use of io.strimzi.api.kafka.model.KafkaUser in project strimzi-kafka-operator by strimzi.
the class KafkaUserModelTest method testFromCrdScramShaUserWithEmptyPasswordThrows.
@Test
public void testFromCrdScramShaUserWithEmptyPasswordThrows() {
KafkaUser emptyPassword = new KafkaUserBuilder(scramShaUser).editSpec().withNewKafkaUserScramSha512ClientAuthentication().withNewPassword().endPassword().endKafkaUserScramSha512ClientAuthentication().endSpec().build();
InvalidResourceException e = assertThrows(InvalidResourceException.class, () -> {
KafkaUserModel.fromCrd(emptyPassword, UserOperatorConfig.DEFAULT_SECRET_PREFIX, UserOperatorConfig.DEFAULT_STRIMZI_ACLS_ADMIN_API_SUPPORTED, false);
});
assertThat(e.getMessage(), is("Resource requests custom SCRAM-SHA-512 password but doesn't specify the secret name and/or key"));
}
use of io.strimzi.api.kafka.model.KafkaUser in project strimzi-kafka-operator by strimzi.
the class KafkaUserOperatorTest method testReconcileAll.
@Test
public void testReconcileAll(VertxTestContext context) {
CrdOperator mockCrdOps = mock(CrdOperator.class);
SecretOperator mockSecretOps = mock(SecretOperator.class);
SimpleAclOperator aclOps = mock(SimpleAclOperator.class);
ScramCredentialsOperator scramOps = mock(ScramCredentialsOperator.class);
QuotasOperator quotasOps = mock(QuotasOperator.class);
KafkaUser newTlsUser = ResourceUtils.createKafkaUserTls();
newTlsUser.getMetadata().setName("new-tls-user");
KafkaUser newScramShaUser = ResourceUtils.createKafkaUserScramSha();
newScramShaUser.getMetadata().setName("new-scram-sha-user");
KafkaUser existingTlsUser = ResourceUtils.createKafkaUserTls();
existingTlsUser.getMetadata().setName("existing-tls-user");
Secret clientsCa = ResourceUtils.createClientsCaCertSecret();
Secret existingTlsUserSecret = ResourceUtils.createUserSecretTls();
existingTlsUserSecret.getMetadata().setName("existing-tls-user");
Secret existingScramShaUserSecret = ResourceUtils.createUserSecretScramSha();
existingScramShaUserSecret.getMetadata().setName("existing-scram-sha-user");
KafkaUser existingScramShaUser = ResourceUtils.createKafkaUserTls();
existingScramShaUser.getMetadata().setName("existing-scram-sha-user");
when(mockCrdOps.listAsync(eq(ResourceUtils.NAMESPACE), eq(Optional.of(new LabelSelector(null, Labels.fromMap(ResourceUtils.LABELS).toMap()))))).thenReturn(Future.succeededFuture(Arrays.asList(newTlsUser, newScramShaUser, existingTlsUser, existingScramShaUser)));
when(mockSecretOps.list(eq(ResourceUtils.NAMESPACE), eq(Labels.fromMap(ResourceUtils.LABELS).withStrimziKind(KafkaUser.RESOURCE_KIND)))).thenReturn(Arrays.asList(existingTlsUserSecret, existingScramShaUserSecret));
when(aclOps.getAllUsers()).thenReturn(Future.succeededFuture(new HashSet<String>(Arrays.asList("existing-tls-user", "second-deleted-user"))));
when(scramOps.getAllUsers()).thenReturn(Future.succeededFuture(List.of("existing-tls-user", "deleted-scram-sha-user")));
when(quotasOps.getAllUsers()).thenReturn(Future.succeededFuture(Set.of("existing-tls-user", "quota-user")));
when(mockCrdOps.get(eq(newTlsUser.getMetadata().getNamespace()), eq(newTlsUser.getMetadata().getName()))).thenReturn(newTlsUser);
when(mockCrdOps.get(eq(newScramShaUser.getMetadata().getNamespace()), eq(newScramShaUser.getMetadata().getName()))).thenReturn(newScramShaUser);
when(mockCrdOps.get(eq(existingTlsUser.getMetadata().getNamespace()), eq(existingTlsUser.getMetadata().getName()))).thenReturn(existingTlsUser);
when(mockCrdOps.get(eq(existingTlsUser.getMetadata().getNamespace()), eq(existingScramShaUser.getMetadata().getName()))).thenReturn(existingScramShaUser);
when(mockCrdOps.getAsync(eq(newTlsUser.getMetadata().getNamespace()), eq(newTlsUser.getMetadata().getName()))).thenReturn(Future.succeededFuture(newTlsUser));
when(mockCrdOps.getAsync(eq(newScramShaUser.getMetadata().getNamespace()), eq(newScramShaUser.getMetadata().getName()))).thenReturn(Future.succeededFuture(newScramShaUser));
when(mockCrdOps.getAsync(eq(existingTlsUser.getMetadata().getNamespace()), eq(existingTlsUser.getMetadata().getName()))).thenReturn(Future.succeededFuture(existingTlsUser));
when(mockCrdOps.getAsync(eq(existingTlsUser.getMetadata().getNamespace()), eq(existingScramShaUser.getMetadata().getName()))).thenReturn(Future.succeededFuture(existingScramShaUser));
when(mockCrdOps.updateStatusAsync(any(), any())).thenReturn(Future.succeededFuture());
when(mockSecretOps.get(eq(clientsCa.getMetadata().getNamespace()), eq(clientsCa.getMetadata().getName()))).thenReturn(clientsCa);
when(mockSecretOps.get(eq(newTlsUser.getMetadata().getNamespace()), eq(newTlsUser.getMetadata().getName()))).thenReturn(null);
when(mockSecretOps.get(eq(newScramShaUser.getMetadata().getNamespace()), eq(newScramShaUser.getMetadata().getName()))).thenReturn(null);
when(mockSecretOps.get(eq(existingTlsUser.getMetadata().getNamespace()), eq(existingTlsUser.getMetadata().getName()))).thenReturn(existingTlsUserSecret);
when(mockSecretOps.get(eq(existingScramShaUser.getMetadata().getNamespace()), eq(existingScramShaUser.getMetadata().getName()))).thenReturn(existingScramShaUserSecret);
Set<String> createdOrUpdated = new CopyOnWriteArraySet<>();
Set<String> deleted = new CopyOnWriteArraySet<>();
Checkpoint async = context.checkpoint();
Promise reconcileAllCompleted = Promise.promise();
KafkaUserOperator op = new KafkaUserOperator(vertx, mockCertManager, mockCrdOps, mockSecretOps, scramOps, quotasOps, aclOps, ResourceUtils.createUserOperatorConfig(ResourceUtils.LABELS)) {
@Override
public Future<KafkaUserStatus> createOrUpdate(Reconciliation reconciliation, KafkaUser resource) {
createdOrUpdated.add(resource.getMetadata().getName());
return Future.succeededFuture(new KafkaUserStatus());
}
@Override
public Future<Boolean> delete(Reconciliation reconciliation) {
deleted.add(reconciliation.name());
return Future.succeededFuture(Boolean.TRUE);
}
};
// call reconcileAll and pass in promise to the handler to run assertions on completion
op.reconcileAll("test", ResourceUtils.NAMESPACE, ar -> reconcileAllCompleted.complete());
reconcileAllCompleted.future().compose(v -> context.verify(() -> {
assertThat(createdOrUpdated, is(new HashSet(asList("new-tls-user", "existing-tls-user", "new-scram-sha-user", "existing-scram-sha-user"))));
assertThat(deleted, is(new HashSet(asList("quota-user", "second-deleted-user", "deleted-scram-sha-user"))));
async.flag();
}));
}
use of io.strimzi.api.kafka.model.KafkaUser in project strimzi-kafka-operator by strimzi.
the class KafkaUserOperatorTest method testReconcileAllWithKRaft.
// In KRaft mode, SCRAM-SHA-512 API is currently not supported. This test is used to check the mode to disable it.
// It should be possible to remove this after KRaft in Kafka supports SCRAM-SHA-512
@Test
public void testReconcileAllWithKRaft(VertxTestContext context) {
CrdOperator mockCrdOps = mock(CrdOperator.class);
SecretOperator mockSecretOps = mock(SecretOperator.class);
SimpleAclOperator aclOps = mock(SimpleAclOperator.class);
ScramCredentialsOperator scramOps = mock(ScramCredentialsOperator.class);
QuotasOperator quotasOps = mock(QuotasOperator.class);
KafkaUser newTlsUser = ResourceUtils.createKafkaUserTls();
newTlsUser.getMetadata().setName("new-tls-user");
KafkaUser existingTlsUser = ResourceUtils.createKafkaUserTls();
existingTlsUser.getMetadata().setName("existing-tls-user");
Secret clientsCa = ResourceUtils.createClientsCaCertSecret();
Secret existingTlsUserSecret = ResourceUtils.createUserSecretTls();
existingTlsUserSecret.getMetadata().setName("existing-tls-user");
when(mockCrdOps.listAsync(eq(ResourceUtils.NAMESPACE), eq(Optional.of(new LabelSelector(null, Labels.fromMap(ResourceUtils.LABELS).toMap()))))).thenReturn(Future.succeededFuture(Arrays.asList(newTlsUser, existingTlsUser)));
when(mockSecretOps.list(eq(ResourceUtils.NAMESPACE), eq(Labels.fromMap(ResourceUtils.LABELS).withStrimziKind(KafkaUser.RESOURCE_KIND)))).thenReturn(Arrays.asList(existingTlsUserSecret));
when(aclOps.getAllUsers()).thenReturn(Future.succeededFuture(new HashSet<String>(Arrays.asList("existing-tls-user", "second-deleted-user"))));
when(quotasOps.getAllUsers()).thenReturn(Future.succeededFuture(Set.of("existing-tls-user", "quota-user")));
when(mockCrdOps.get(eq(newTlsUser.getMetadata().getNamespace()), eq(newTlsUser.getMetadata().getName()))).thenReturn(newTlsUser);
when(mockCrdOps.get(eq(existingTlsUser.getMetadata().getNamespace()), eq(existingTlsUser.getMetadata().getName()))).thenReturn(existingTlsUser);
when(mockCrdOps.getAsync(eq(newTlsUser.getMetadata().getNamespace()), eq(newTlsUser.getMetadata().getName()))).thenReturn(Future.succeededFuture(newTlsUser));
when(mockCrdOps.getAsync(eq(existingTlsUser.getMetadata().getNamespace()), eq(existingTlsUser.getMetadata().getName()))).thenReturn(Future.succeededFuture(existingTlsUser));
when(mockCrdOps.updateStatusAsync(any(), any())).thenReturn(Future.succeededFuture());
when(mockSecretOps.get(eq(clientsCa.getMetadata().getNamespace()), eq(clientsCa.getMetadata().getName()))).thenReturn(clientsCa);
when(mockSecretOps.get(eq(newTlsUser.getMetadata().getNamespace()), eq(newTlsUser.getMetadata().getName()))).thenReturn(null);
when(mockSecretOps.get(eq(existingTlsUser.getMetadata().getNamespace()), eq(existingTlsUser.getMetadata().getName()))).thenReturn(existingTlsUserSecret);
Set<String> createdOrUpdated = new CopyOnWriteArraySet<>();
Set<String> deleted = new CopyOnWriteArraySet<>();
Checkpoint async = context.checkpoint();
Promise reconcileAllCompleted = Promise.promise();
KafkaUserOperator op = new KafkaUserOperator(vertx, mockCertManager, mockCrdOps, mockSecretOps, scramOps, quotasOps, aclOps, ResourceUtils.createUserOperatorConfig(ResourceUtils.LABELS, true, true, "12")) {
@Override
public Future<KafkaUserStatus> createOrUpdate(Reconciliation reconciliation, KafkaUser resource) {
createdOrUpdated.add(resource.getMetadata().getName());
return Future.succeededFuture(new KafkaUserStatus());
}
@Override
public Future<Boolean> delete(Reconciliation reconciliation) {
deleted.add(reconciliation.name());
return Future.succeededFuture(Boolean.TRUE);
}
};
// call reconcileAll and pass in promise to the handler to run assertions on completion
op.reconcileAll("test", ResourceUtils.NAMESPACE, ar -> reconcileAllCompleted.complete());
reconcileAllCompleted.future().compose(v -> context.verify(() -> {
assertThat(createdOrUpdated, is(new HashSet(asList("new-tls-user", "existing-tls-user"))));
assertThat(deleted, is(new HashSet(asList("quota-user", "second-deleted-user"))));
verify(scramOps, never()).getAllUsers();
async.flag();
}));
}
use of io.strimzi.api.kafka.model.KafkaUser in project strimzi-kafka-operator by strimzi.
the class KafkaUserOperatorTest method testUserStatusReady.
@Test
public void testUserStatusReady(VertxTestContext context) {
CrdOperator mockCrdOps = mock(CrdOperator.class);
SecretOperator mockSecretOps = mock(SecretOperator.class);
SimpleAclOperator aclOps = mock(SimpleAclOperator.class);
ScramCredentialsOperator scramOps = mock(ScramCredentialsOperator.class);
QuotasOperator quotasOps = mock(QuotasOperator.class);
KafkaUser user = ResourceUtils.createKafkaUserTls();
Secret clientsCa = ResourceUtils.createClientsCaCertSecret();
Secret clientsCaKey = ResourceUtils.createClientsCaKeySecret();
when(mockSecretOps.getAsync(anyString(), eq(clientsCa.getMetadata().getName()))).thenReturn(Future.succeededFuture(clientsCa));
when(mockSecretOps.getAsync(anyString(), eq(clientsCaKey.getMetadata().getName()))).thenReturn(Future.succeededFuture(clientsCaKey));
when(mockSecretOps.getAsync(anyString(), eq(user.getMetadata().getName()))).thenReturn(Future.succeededFuture(null));
when(mockCrdOps.getAsync(anyString(), anyString())).thenReturn(Future.succeededFuture(user));
when(mockCrdOps.get(anyString(), anyString())).thenReturn(user);
when(mockSecretOps.reconcile(any(), anyString(), anyString(), any(Secret.class))).thenReturn(Future.succeededFuture());
when(aclOps.reconcile(any(), anyString(), any())).thenReturn(Future.succeededFuture());
when(scramOps.reconcile(any(), any(), any())).thenReturn(Future.succeededFuture());
ArgumentCaptor<KafkaUser> userCaptor = ArgumentCaptor.forClass(KafkaUser.class);
when(mockCrdOps.updateStatusAsync(any(), userCaptor.capture())).thenReturn(Future.succeededFuture());
when(quotasOps.reconcile(any(), any(), any())).thenReturn(Future.succeededFuture());
KafkaUserOperator op = new KafkaUserOperator(vertx, mockCertManager, mockCrdOps, mockSecretOps, scramOps, quotasOps, aclOps, ResourceUtils.createUserOperatorConfig());
Checkpoint async = context.checkpoint();
op.reconcile(new Reconciliation("test-trigger", KafkaUser.RESOURCE_KIND, ResourceUtils.NAMESPACE, ResourceUtils.NAME)).onComplete(context.succeeding(v -> context.verify(() -> {
List<KafkaUser> capturedStatuses = userCaptor.getAllValues();
assertThat(capturedStatuses.get(0).getStatus().getUsername(), is("CN=user"));
assertThat(capturedStatuses.get(0).getStatus().getConditions().get(0).getStatus(), is("True"));
assertThat(capturedStatuses.get(0).getStatus().getConditions().get(0).getType(), is("Ready"));
async.flag();
})));
}
use of io.strimzi.api.kafka.model.KafkaUser in project strimzi-kafka-operator by strimzi.
the class KafkaUserOperatorTest method testUpdateUserNoAuthenticationAndNoAuthorization.
/**
* Tests what happens when the TlsClientAuthentication and SimpleAuthorization are disabled for the user
* (delete entries from the spec of the KafkaUser resource)
*/
@Test
public void testUpdateUserNoAuthenticationAndNoAuthorization(VertxTestContext context) {
CrdOperator mockCrdOps = mock(CrdOperator.class);
SecretOperator mockSecretOps = mock(SecretOperator.class);
SimpleAclOperator aclOps = mock(SimpleAclOperator.class);
ScramCredentialsOperator scramOps = mock(ScramCredentialsOperator.class);
QuotasOperator quotasOps = mock(QuotasOperator.class);
ArgumentCaptor<String> secretNamespaceCaptor = ArgumentCaptor.forClass(String.class);
ArgumentCaptor<String> secretNameCaptor = ArgumentCaptor.forClass(String.class);
ArgumentCaptor<Secret> secretCaptor = ArgumentCaptor.forClass(Secret.class);
when(mockSecretOps.reconcile(any(), secretNamespaceCaptor.capture(), secretNameCaptor.capture(), secretCaptor.capture())).thenReturn(Future.succeededFuture());
when(mockSecretOps.getAsync(anyString(), eq(ResourceUtils.NAME))).thenReturn(Future.succeededFuture(null));
when(scramOps.reconcile(any(), any(), any())).thenReturn(Future.succeededFuture());
ArgumentCaptor<String> aclNameCaptor = ArgumentCaptor.forClass(String.class);
ArgumentCaptor<Set<SimpleAclRule>> aclRulesCaptor = ArgumentCaptor.forClass(Set.class);
when(aclOps.reconcile(any(), aclNameCaptor.capture(), aclRulesCaptor.capture())).thenReturn(Future.succeededFuture());
KafkaUser user = ResourceUtils.createKafkaUserTls();
user.getSpec().setAuthorization(null);
user.getSpec().setAuthentication(null);
when(mockCrdOps.getAsync(anyString(), anyString())).thenReturn(Future.succeededFuture(user));
when(mockCrdOps.updateStatusAsync(any(), any(KafkaUser.class))).thenReturn(Future.succeededFuture());
KafkaUserOperator op = new KafkaUserOperator(vertx, mockCertManager, mockCrdOps, mockSecretOps, scramOps, quotasOps, aclOps, ResourceUtils.createUserOperatorConfig());
when(quotasOps.reconcile(any(), any(), any())).thenReturn(Future.succeededFuture());
Checkpoint async = context.checkpoint();
op.createOrUpdate(new Reconciliation("test-trigger", KafkaUser.RESOURCE_KIND, ResourceUtils.NAMESPACE, ResourceUtils.NAME), user).onComplete(context.succeeding(v -> context.verify(() -> {
List<String> capturedNames = secretNameCaptor.getAllValues();
assertThat(capturedNames, hasSize(1));
assertThat(capturedNames.get(0), is(ResourceUtils.NAME));
List<String> capturedNamespaces = secretNamespaceCaptor.getAllValues();
assertThat(capturedNamespaces, hasSize(1));
assertThat(capturedNamespaces.get(0), is(ResourceUtils.NAMESPACE));
List<Secret> capturedSecrets = secretCaptor.getAllValues();
assertThat(capturedSecrets, hasSize(1));
Secret captured = capturedSecrets.get(0);
assertThat(captured, is(nullValue()));
List<String> capturedAclNames = aclNameCaptor.getAllValues();
assertThat(capturedAclNames, hasSize(2));
assertThat(capturedAclNames.get(0), is(KafkaUserModel.getTlsUserName(ResourceUtils.NAME)));
assertThat(capturedAclNames.get(1), is(KafkaUserModel.getScramUserName(ResourceUtils.NAME)));
List<Set<SimpleAclRule>> capturedAcls = aclRulesCaptor.getAllValues();
assertThat(capturedAcls, hasSize(2));
assertThat(capturedAcls.get(0), is(nullValue()));
assertThat(capturedAcls.get(1), is(nullValue()));
async.flag();
})));
}
Aggregations