feat: add cli support for Apache Kafka native ACLs

aiven · Nov 19, 2024 · d822e79 · d822e79
1 parent b368495
commit d822e79
Show file tree

Hide file tree

Showing 3 changed files with 203 additions and 0 deletions.
diff --git a/aiven/client/cli.py b/aiven/client/cli.py
@@ -6176,6 +6176,104 @@ def service__alloydbomni__google_cloud_private_key__delete(self) -> None:
             layout = ["client_email", "private_key_id"]
             self.print_response(output, json=self.args.json, table_layout=layout)
 
+    @arg.project
+    @arg.service_name
+    @arg(
+        "--operation",
+        help="Operation that is being allowed or denied.",
+        required=True,
+        choices=[
+            "Describe",
+            "DescribeConfigs",
+            "Alter",
+            "IdempotentWrite",
+            "Read",
+            "Delete",
+            "Create",
+            "ClusterAction",
+            "All",
+            "Write",
+            "AlterConfigs",
+            "CreateTokens",
+            "DescribeTokens",
+        ],
+    )
+    @arg(
+        "--resource-name",
+        help=(
+            "The resource to which ACLs should be added, when using LITERAL resource pattern type, "
+            "a name of '*' matches all resources of the selected type"
+        ),
+        required=True,
+    )
+    @arg(
+        "--resource-type",
+        help="Topic resource type to which ACLs should be added",
+        required=False,
+        choices=["Any", "Topic", "Group", "Cluster", "TransactionalId", "DelegationToken"],
+    )
+    @arg(
+        "--resource-pattern-type",
+        help="The type of the resource pattern",
+        required=False,
+        choices=["LITERAL", "PREFIXED"],
+        default="LITERAL",
+    )
+    @arg(
+        "--permission-type",
+        help="The type of the resource pattern",
+        required=True,
+        choices=["ALLOW", "DENY"],
+    )
+    @arg(
+        "--host",
+        help="The host for the ACLs, a value of '*' matched all hosts",
+        required=False,
+        default="*",
+    )
+    @arg(
+        "--principal",
+        help="The principal for the ACLs, must be in the form principalType:name",
+        required=True,
+    )
+    def service__kafka_acl_add(self) -> None:
+        """Add a Kafka native ACL entry"""
+        response = self.client.service_kafka_native_acl_add(
+            project=self.get_project(),
+            service=self.args.service_name,
+            principal=self.args.principal,
+            host=self.args.host,
+            resource_name=self.args.resource_name,
+            resource_type=self.args.resource_type,
+            resource_pattern_type=self.args.resource_pattern_type,
+            operation=self.args.operation,
+            permission_type=self.args.permission_type,
+        )
+        print(response["message"])
+
+    @arg.project
+    @arg.service_name
+    @arg.json
+    def service__kafka_acl_list(self) -> None:
+        """List Kafka native ACL entries"""
+        response = self.client.service_kafka_native_acl_list(
+            project=self.get_project(),
+            service=self.args.service_name,
+        )
+        acls = response.get("kafka_acl", [])
+        layout = ["id", "principal", "operation", "resourceName", "resourceType", "patternType", "permissionType"]
+        self.print_response(acls, json=self.args.json, table_layout=layout)
+
+    @arg.project
+    @arg.service_name
+    @arg("acl_id", help="ID of the ACL entry to delete")
+    def service__kafka_acl_delete(self) -> None:
+        """Delete a Kafka ACL entry"""
+        response = self.client.service_kafka_native_acl_delete(
+            project=self.get_project(), service=self.args.service_name, acl_id=self.args.acl_id
+        )
+        print(response["message"])
+
 
 if __name__ == "__main__":
     AivenCLI().main()
diff --git a/aiven/client/client.py b/aiven/client/client.py
@@ -2919,3 +2919,45 @@ def alloydbomni_google_cloud_private_key_show(self, *, project: str, service: st
                 "google_cloud_private_key",
             ),
         )
+
+    def service_kafka_native_acl_add(
+        self,
+        project: str,
+        service: str,
+        principal: str,
+        host: str,
+        resource_name: str,
+        resource_type: str,
+        resource_pattern_type: str,
+        operation: str,
+        permission_type: str,
+    ) -> Mapping:
+        return self.verify(
+            self.post,
+            self.build_path("project", project, "service", service, "kafka", "acl"),
+            body={
+                "principal": principal,
+                "host": host,
+                "resourceName": resource_name,
+                "resourceType": resource_type,
+                "patternType": resource_pattern_type,
+                "operation": operation,
+                "permissionType": permission_type,
+            },
+        )
+
+    def service_kafka_native_acl_list(
+        self,
+        project: str,
+        service: str,
+    ) -> dict[str, Any]:
+        return self.verify(
+            self.get,
+            self.build_path("project", project, "service", service, "kafka", "acl"),
+        )
+
+    def service_kafka_native_acl_delete(self, project: str, service: str, acl_id: str) -> Mapping:
+        return self.verify(
+            self.delete,
+            self.build_path("project", project, "service", service, "kafka", "acl", acl_id),
+        )
diff --git a/tests/test_cli.py b/tests/test_cli.py
@@ -1992,3 +1992,66 @@ def test_byoc_tags_replace() -> None:
             "byoc_resource_tag:byoc_resource_tag:key_3": "byoc_resource_tag:keep-the-whole-value-3",
         },
     )
+
+
+def test_service__kafka_acl_add() -> None:
+    aiven_client = mock.Mock(spec_set=AivenClient)
+    aiven_client.service_kafka_native_acl_add.return_value = {"message": "added"}
+    args = [
+        "service",
+        "kafka-acl-add",
+        "kafka-1",
+        "--project=project1",
+        "--principal=User:alice",
+        "--operation=Describe",
+        "--resource-name=some-topic",
+        "--resource-type=Topic",
+        "--permission-type=ALLOW",
+        "--resource-pattern-type=LITERAL",
+    ]
+    build_aiven_cli(aiven_client).run(args=args)
+    aiven_client.service_kafka_native_acl_add.assert_called_once_with(
+        project="project1",
+        service="kafka-1",
+        principal="User:alice",
+        host="*",
+        resource_name="some-topic",
+        resource_type="Topic",
+        resource_pattern_type="LITERAL",
+        operation="Describe",
+        permission_type="ALLOW",
+    )
+
+
+def test_service__kafka_acl_list() -> None:
+    aiven_client = mock.Mock(spec_set=AivenClient)
+    aiven_client.service_kafka_native_acl_list.return_value = {"kafka_acl": []}
+    args = [
+        "service",
+        "kafka-acl-list",
+        "kafka-1",
+        "--project=project1",
+    ]
+    build_aiven_cli(aiven_client).run(args=args)
+    aiven_client.service_kafka_native_acl_list.assert_called_once_with(
+        project="project1",
+        service="kafka-1",
+    )
+
+
+def test_service__kafka_acl_delete() -> None:
+    aiven_client = mock.Mock(spec_set=AivenClient)
+    aiven_client.service_kafka_native_acl_delete.return_value = {"message": "added"}
+    args = [
+        "service",
+        "kafka-acl-delete",
+        "kafka-1",
+        "acl4f549bfee6a",
+        "--project=project1",
+    ]
+    build_aiven_cli(aiven_client).run(args=args)
+    aiven_client.service_kafka_native_acl_delete.assert_called_once_with(
+        project="project1",
+        service="kafka-1",
+        acl_id="acl4f549bfee6a",
+    )