fix(kafka): use ScramCredentialDeletion for KafkaUser DELETE operations (#733)

UserChangeHandler incorrectly called handleScramSha256/handleScramSha512
(which build UserScramCredentialUpsertion) for DELETE operations, silently
re-creating the user with a random password instead of removing it.

Add deleteScramSha256/deleteScramSha512 methods to KafkaUserService that
construct UserScramCredentialDeletion, and wire them into the DELETE case.

Author: fhussonnois

providers/jikkou-provider-kafka/src/main/java/io/streamthoughts/jikkou/kafka/change/user/UserChangeHandler.java

@@ -76,10 +76,10 @@ yield switch (authentication) {
                                 yield switch (authentication) {
                                     // SCRAM_SHA_256
                                     case V1KafkaUserAuthentication.ScramSha256 auth ->
-                                        KafkaUserService.handleScramSha256(userName, auth);
+                                        KafkaUserService.deleteScramSha256(userName, auth);
                                     // SCRAM_SHA_512
                                     case V1KafkaUserAuthentication.ScramSha512 auth ->
-                                        KafkaUserService.handleScramSha512(userName, auth);
+                                        KafkaUserService.deleteScramSha512(userName, auth);
                                 };
                             }
                         };

providers/jikkou-provider-kafka/src/main/java/io/streamthoughts/jikkou/kafka/reconciler/service/KafkaUserService.java

@@ -24,6 +24,7 @@
 import org.apache.kafka.clients.admin.ScramCredentialInfo;
 import org.apache.kafka.clients.admin.ScramMechanism;
 import org.apache.kafka.clients.admin.UserScramCredentialAlteration;
+import org.apache.kafka.clients.admin.UserScramCredentialDeletion;
 import org.apache.kafka.clients.admin.UserScramCredentialUpsertion;
 import org.apache.kafka.clients.admin.UserScramCredentialsDescription;
 import org.jetbrains.annotations.NotNull;
@@ -129,6 +130,18 @@ public static Pair<V1KafkaUserAuthentication, UserScramCredentialAlteration> han
         );
     }
 
+    public static Pair<V1KafkaUserAuthentication, UserScramCredentialAlteration> deleteScramSha512(String userName,
+                                                                                                   V1KafkaUserAuthentication.ScramSha512 auth) {
+        var alteration = new UserScramCredentialDeletion(userName, ScramMechanism.SCRAM_SHA_512);
+        return Pair.of(auth, alteration);
+    }
+
+    public static Pair<V1KafkaUserAuthentication, UserScramCredentialAlteration> deleteScramSha256(String userName,
+                                                                                                   V1KafkaUserAuthentication.ScramSha256 auth) {
+        var alteration = new UserScramCredentialDeletion(userName, ScramMechanism.SCRAM_SHA_256);
+        return Pair.of(auth, alteration);
+    }
+
     private V1KafkaUserAuthentication map(final ScramCredentialInfo info) {
         ScramMechanism mechanism = info.mechanism();
         return switch (mechanism) {

providers/jikkou-provider-kafka/src/test/java/io/streamthoughts/jikkou/kafka/change/user/UserChangeComputerTest.java

@@ -0,0 +1,157 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) The original authors
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+package io.streamthoughts.jikkou.kafka.change.user;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+
+import io.streamthoughts.jikkou.core.models.ObjectMeta;
+import io.streamthoughts.jikkou.core.models.change.ResourceChange;
+import io.streamthoughts.jikkou.core.reconciler.Operation;
+import io.streamthoughts.jikkou.kafka.model.user.V1KafkaUser;
+import io.streamthoughts.jikkou.kafka.model.user.V1KafkaUserAuthentication;
+import io.streamthoughts.jikkou.kafka.model.user.V1KafkaUserSpec;
+import java.util.List;
+import org.junit.jupiter.api.Test;
+
+class UserChangeComputerTest {
+
+    private final UserChangeComputer computer = new UserChangeComputer();
+    private final UserChangeComputer.UserChangeFactory factory = new UserChangeComputer.UserChangeFactory();
+
+    @Test
+    void shouldComputeCreateChangeForNewUser() {
+        // Given
+        V1KafkaUser after = buildUser("testuser", List.of(
+            new V1KafkaUserAuthentication.ScramSha512("password", 8192, null)
+        ));
+
+        // When
+        List<ResourceChange> changes = computer.computeChanges(List.of(), List.of(after));
+
+        // Then
+        assertEquals(1, changes.size());
+        ResourceChange change = changes.getFirst();
+        assertEquals(Operation.CREATE, change.getSpec().getOp());
+        assertEquals("testuser", change.getMetadata().getName());
+
+        var stateChanges = change.getSpec().getChanges().all();
+        assertEquals(1, stateChanges.size());
+        assertEquals(Operation.CREATE, stateChanges.getFirst().getOp());
+        assertNotNull(stateChanges.getFirst().getAfter());
+    }
+
+    @Test
+    void shouldCreateDeleteChangeForScramSha512User() {
+        // Given
+        V1KafkaUser before = buildUser("testuser", List.of(
+            new V1KafkaUserAuthentication.ScramSha512(null, 8192, null)
+        ));
+
+        // When
+        ResourceChange change = factory.createChangeForDelete("testuser", before);
+
+        // Then
+        assertEquals(Operation.DELETE, change.getSpec().getOp());
+        assertEquals("testuser", change.getMetadata().getName());
+
+        var stateChanges = change.getSpec().getChanges().all();
+        assertEquals(1, stateChanges.size());
+        assertEquals(Operation.DELETE, stateChanges.getFirst().getOp());
+        assertNotNull(stateChanges.getFirst().getBefore());
+
+        V1KafkaUserAuthentication.ScramSha512 beforeAuth =
+            (V1KafkaUserAuthentication.ScramSha512) stateChanges.getFirst().getBefore();
+        assertEquals(8192, beforeAuth.iterations());
+    }
+
+    @Test
+    void shouldCreateDeleteChangeForScramSha256User() {
+        // Given
+        V1KafkaUser before = buildUser("testuser", List.of(
+            new V1KafkaUserAuthentication.ScramSha256(null, 4096, null)
+        ));
+
+        // When
+        ResourceChange change = factory.createChangeForDelete("testuser", before);
+
+        // Then
+        assertEquals(Operation.DELETE, change.getSpec().getOp());
+
+        var stateChanges = change.getSpec().getChanges().all();
+        assertEquals(1, stateChanges.size());
+        assertEquals(Operation.DELETE, stateChanges.getFirst().getOp());
+
+        V1KafkaUserAuthentication.ScramSha256 beforeAuth =
+            (V1KafkaUserAuthentication.ScramSha256) stateChanges.getFirst().getBefore();
+        assertEquals(4096, beforeAuth.iterations());
+    }
+
+    @Test
+    void shouldCreateDeleteChangeWithMultipleAuthentications() {
+        // Given
+        V1KafkaUser before = buildUser("testuser", List.of(
+            new V1KafkaUserAuthentication.ScramSha512(null, 8192, null),
+            new V1KafkaUserAuthentication.ScramSha256(null, 4096, null)
+        ));
+
+        // When
+        ResourceChange change = factory.createChangeForDelete("testuser", before);
+
+        // Then
+        assertEquals(Operation.DELETE, change.getSpec().getOp());
+
+        var stateChanges = change.getSpec().getChanges().all();
+        assertEquals(2, stateChanges.size());
+        stateChanges.forEach(sc -> assertEquals(Operation.DELETE, sc.getOp()));
+    }
+
+    @Test
+    void shouldComputeUpdateChangeForExistingUser() {
+        // Given
+        V1KafkaUser before = buildUser("testuser", List.of(
+            new V1KafkaUserAuthentication.ScramSha512(null, 8192, null)
+        ));
+        V1KafkaUser after = buildUser("testuser", List.of(
+            new V1KafkaUserAuthentication.ScramSha256("newpassword", 4096, null)
+        ));
+
+        // When
+        List<ResourceChange> changes = computer.computeChanges(List.of(before), List.of(after));
+
+        // Then
+        assertEquals(1, changes.size());
+        assertEquals("testuser", changes.getFirst().getMetadata().getName());
+    }
+
+    @Test
+    void shouldComputeNoChangeForIdenticalUser() {
+        // Given
+        V1KafkaUser before = buildUser("testuser", List.of(
+            new V1KafkaUserAuthentication.ScramSha512(null, 8192, null)
+        ));
+        V1KafkaUser after = buildUser("testuser", List.of(
+            new V1KafkaUserAuthentication.ScramSha512(null, 8192, null)
+        ));
+
+        // When
+        List<ResourceChange> changes = computer.computeChanges(List.of(before), List.of(after));
+
+        // Then
+        assertEquals(1, changes.size());
+        assertEquals(Operation.NONE, changes.getFirst().getSpec().getOp());
+    }
+
+    private static V1KafkaUser buildUser(String name, List<V1KafkaUserAuthentication> authentications) {
+        return V1KafkaUser.builder()
+            .withMetadata(new ObjectMeta(name))
+            .withSpec(V1KafkaUserSpec.builder()
+                .withAuthentications(authentications)
+                .build())
+            .build();
+    }
+}