KafkaTopicACLs: filter by valid/invalid workloads (#110)

* KafkaTopicACLs: filter by valid/invalid workloads

Fixes #71

* Workloads include jobs ...

Author: thokra-nav

integration_tests/k8s_resources/kafka_acl_filter/dev/devteam/app.yaml

@@ -0,0 +1,6 @@
+apiVersion: nais.io/v1alpha1
+kind: Application
+metadata:
+  name: app1
+spec:
+  image: navikt/app-name:latest

integration_tests/k8s_resources/kafka_acl_filter/dev/devteam/topic.yaml

@@ -0,0 +1,44 @@
+apiVersion: kafka.nais.io/v1
+kind: Topic
+metadata:
+  labels:
+    team: devteam
+  name: dokument
+  namespace: devteam
+  resourceVersion: "467599169"
+  uid: 09047c15-c504-42d0-a636-286cd4a7c0ea
+spec:
+  acl:
+    - access: read
+      application: "*"
+      team: devteam
+    - access: readwrite
+      application: all
+      team: "*"
+    - access: readwrite
+      application: app1
+      team: devteam
+    - access: readwrite
+      application: app2
+      team: otherteam
+    - access: readwrite
+      application: missing
+      team: devteam
+    - access: readwrite
+      application: missing
+      team: otherteam
+    - access: readwrite
+      application: jobname-1
+      team: otherteam
+  config:
+    cleanupPolicy: delete
+    localRetentionBytes: -2
+    localRetentionHours: -2
+    maxMessageBytes: 1048588
+    minimumInSyncReplicas: 1
+    partitions: 1
+    replication: 3
+    retentionBytes: -1
+    retentionHours: 720
+    segmentHours: 168
+  pool: dev

integration_tests/k8s_resources/kafka_acl_filter/dev/otherteam/app.yaml

@@ -0,0 +1,6 @@
+apiVersion: nais.io/v1alpha1
+kind: Application
+metadata:
+  name: app2
+spec:
+  image: navikt/app-name:latest

integration_tests/k8s_resources/kafka_acl_filter/dev/otherteam/job-1.yaml

@@ -0,0 +1,7 @@
+apiVersion: nais.io/v1
+kind: Naisjob
+metadata:
+  name: jobname-1
+spec:
+  image: europe-north1-docker.pkg.dev/nais/navikt/app-name:latest
+  schedule: "0 0 * * *"

integration_tests/kafka_acl_filter.lua

@@ -0,0 +1,209 @@
+Helper.readK8sResources("k8s_resources/kafka_acl_filter")
+
+local team = Team.new("devteam", "purpose", "#slack-channel")
+local user = User.new()
+
+Test.gql("topic without filter", function(t)
+	t.addHeader("x-user-email", user:email())
+
+	t.query([[
+		{
+		  team(slug: "devteam") {
+		    environment(name: "dev") {
+		      kafkaTopic(name: "dokument") {
+		        acl {
+		          nodes {
+		            workloadName
+		            teamName
+		            access
+		          }
+		        }
+		      }
+		    }
+		  }
+		}
+	]])
+
+	t.check {
+		data = {
+			team = {
+				environment = {
+					kafkaTopic = {
+						acl = {
+							nodes = {
+								{ workloadName = "*",         teamName = "devteam",   access = "read" },
+								{ workloadName = "all",       teamName = "*",         access = "readwrite" },
+								{ workloadName = "app1",      teamName = "devteam",   access = "readwrite" },
+								{ workloadName = "app2",      teamName = "otherteam", access = "readwrite" },
+								{ workloadName = "jobname-1", teamName = "otherteam", access = "readwrite" },
+								{ workloadName = "missing",   teamName = "devteam",   access = "readwrite" },
+								{ workloadName = "missing",   teamName = "otherteam", access = "readwrite" },
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+end)
+
+Test.gql("topic filtering for workload", function(t)
+	t.addHeader("x-user-email", user:email())
+
+	t.query([[
+		{
+		  team(slug: "devteam") {
+		    environment(name: "dev") {
+		      kafkaTopic(name: "dokument") {
+		        acl(filter: { workload: "app1" }) {
+		          nodes {
+		            workloadName
+		            teamName
+		            access
+		          }
+		        }
+		      }
+		    }
+		  }
+		}
+	]])
+
+	t.check {
+		data = {
+			team = {
+				environment = {
+					kafkaTopic = {
+						acl = {
+							nodes = {
+								{ workloadName = "*",    teamName = "devteam", access = "read" },
+								{ workloadName = "app1", teamName = "devteam", access = "readwrite" },
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+end)
+
+Test.gql("topic filtering for team", function(t)
+	t.addHeader("x-user-email", user:email())
+
+	t.query([[
+		{
+		  team(slug: "devteam") {
+		    environment(name: "dev") {
+		      kafkaTopic(name: "dokument") {
+		        acl(filter: { team: "otherteam" }) {
+		          nodes {
+		            workloadName
+		            teamName
+		            access
+		          }
+		        }
+		      }
+		    }
+		  }
+		}
+	]])
+
+	t.check {
+		data = {
+			team = {
+				environment = {
+					kafkaTopic = {
+						acl = {
+							nodes = {
+								{ workloadName = "all",       teamName = "*",         access = "readwrite" },
+								{ workloadName = "app2",      teamName = "otherteam", access = "readwrite" },
+								{ workloadName = "jobname-1", teamName = "otherteam", access = "readwrite" },
+								{ workloadName = "missing",   teamName = "otherteam", access = "readwrite" },
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+end)
+
+Test.gql("topic filtering for valid workloads", function(t)
+	t.addHeader("x-user-email", user:email())
+
+	t.query([[
+		{
+		  team(slug: "devteam") {
+		    environment(name: "dev") {
+		      kafkaTopic(name: "dokument") {
+		        acl(filter: { validWorkloads: true }) {
+		          nodes {
+		            workloadName
+		            teamName
+		            access
+		          }
+		        }
+		      }
+		    }
+		  }
+		}
+	]])
+
+	t.check {
+		data = {
+			team = {
+				environment = {
+					kafkaTopic = {
+						acl = {
+							nodes = {
+								{ workloadName = "*",         teamName = "devteam",   access = "read" },
+								{ workloadName = "all",       teamName = "*",         access = "readwrite" },
+								{ workloadName = "app1",      teamName = "devteam",   access = "readwrite" },
+								{ workloadName = "app2",      teamName = "otherteam", access = "readwrite" },
+								{ workloadName = "jobname-1", teamName = "otherteam", access = "readwrite" },
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+end)
+
+Test.gql("topic filtering for invalid workloads", function(t)
+	t.addHeader("x-user-email", user:email())
+
+	t.query([[
+		{
+		  team(slug: "devteam") {
+		    environment(name: "dev") {
+		      kafkaTopic(name: "dokument") {
+		        acl(filter: { validWorkloads: false }) {
+		          nodes {
+		            workloadName
+		            teamName
+		            access
+		          }
+		        }
+		      }
+		    }
+		  }
+		}
+	]])
+
+	t.check {
+		data = {
+			team = {
+				environment = {
+					kafkaTopic = {
+						acl = {
+							nodes = {
+								{ workloadName = "missing", teamName = "devteam",   access = "readwrite" },
+								{ workloadName = "missing", teamName = "otherteam", access = "readwrite" },
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+end)

internal/graph/gengql/generated.go

@@ -119,6 +119,7 @@ type KafkaTopicAclEdge {
 input KafkaTopicAclFilter {
 	team: Slug
 	workload: String
+	validWorkloads: Boolean
 }
 
 input KafkaTopicOrder {

internal/graph/schema/kafka.graphqls

@@ -140,8 +140,9 @@ func (e KafkaTopicACLOrderField) MarshalGQL(w io.Writer) {
 }
 
 type KafkaTopicACLFilter struct {
-	Team     *slug.Slug `json:"team,omitempty"`
-	Workload *string    `json:"workload,omitempty"`
+	Team           *slug.Slug `json:"team,omitempty"`
+	Workload       *string    `json:"workload,omitempty"`
+	ValidWorkloads *bool      `json:"validWorkloads,omitempty"`
 }
 
 func toKafkaTopicConfiguration(cfg *kafka_nais_io_v1.Config) *KafkaTopicConfiguration {

internal/persistence/kafkatopic/models.go

@@ -5,6 +5,9 @@ import (
 	"strings"
 
 	"github.com/nais/api/internal/graph/sortfilter"
+	"github.com/nais/api/internal/slug"
+	"github.com/nais/api/internal/workload/application"
+	"github.com/nais/api/internal/workload/job"
 )
 
 var (
@@ -22,7 +25,7 @@ func init() {
 
 	SortFilterTopicACL.RegisterSort("TOPIC_NAME", func(ctx context.Context, a, b *KafkaTopicACL) int {
 		return strings.Compare(a.TopicName, b.TopicName)
-	})
+	}, "CONSUMER", "TEAM_SLUG", "ACCESS")
 	SortFilterTopicACL.RegisterSort("TEAM_SLUG", func(ctx context.Context, a, b *KafkaTopicACL) int {
 		return strings.Compare(a.TeamName, b.TeamName)
 	})
@@ -42,6 +45,22 @@ func init() {
 			return false
 		}
 
+		if filter.ValidWorkloads != nil {
+			if v.WorkloadName == "*" || v.WorkloadName == "" {
+				return *filter.ValidWorkloads
+			}
+			if v.TeamName == "*" || v.TeamName == "" {
+				return *filter.ValidWorkloads
+			}
+
+			if _, err := application.Get(ctx, slug.Slug(v.TeamName), v.EnvironmentName, v.WorkloadName); err != nil {
+				if _, err := job.Get(ctx, slug.Slug(v.TeamName), v.EnvironmentName, v.WorkloadName); err != nil {
+					return !*filter.ValidWorkloads
+				}
+			}
+			return *filter.ValidWorkloads
+		}
+
 		return true
 	})
 }