From 3d93b0e5c281b6e8476816b14b5adb9e125ac3ea Mon Sep 17 00:00:00 2001
From: Guillaume Duval <117720964+g-duval@users.noreply.github.com>
Date: Tue, 17 Dec 2024 14:31:04 +0100
Subject: [PATCH] Update recipients-resolver config for Kessel relations Api (#3216)
---
 .../config/RecipientsResolverConfig.java | 33 +++++++++
 .../resolver/kessel/KesselService.java | 71 +++++++++++++++++--
 2 files changed, 98 insertions(+), 6 deletions(-)
diff --git a/recipients-resolver/src/main/java/com/redhat/cloud/notifications/recipients/config/RecipientsResolverConfig.java b/recipients-resolver/src/main/java/com/redhat/cloud/notifications/recipients/config/RecipientsResolverConfig.java
index 70f3558c75..2214975e42 100644
--- a/recipients-resolver/src/main/java/com/redhat/cloud/notifications/recipients/config/RecipientsResolverConfig.java
+++ b/recipients-resolver/src/main/java/com/redhat/cloud/notifications/recipients/config/RecipientsResolverConfig.java
@@ -10,6 +10,7 @@
 import jakarta.enterprise.event.Startup;
 import jakarta.inject.Inject;
 import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.project_kessel.clients.authn.AuthenticationConfig;
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -36,6 +37,10 @@ public class RecipientsResolverConfig {
 private static final String MBOP_ENV = "notifications.recipients-resolver.mbop.env";
 private static final String KESSEL_TARGET_URL = "notifications.recipients-resolver.kessel.target-url";
 private static final String KESSEL_USE_SECURE_CLIENT = "relations-api.is-secure-clients";
+ private static final String KESSEL_CLIENT_ID = "relations-api.authn.client.id";
+ private static final String KESSEL_CLIENT_SECRET = "relations-api.authn.client.secret";
+ private static final String KESSEL_CLIENT_ISSUER = "relations-api.authn.client.issuer";
+ private static final String KESSEL_CLIENT_MODE = "relations-api.authn.mode";
 /*
 * Unleash configuration
@@ -83,6 +88,18 @@ public class RecipientsResolverConfig {
 @ConfigProperty(name = KESSEL_TARGET_URL, defaultValue = "localhost:9000")
 String kesselTargetUrl;
+ @ConfigProperty(name = KESSEL_CLIENT_ID)
+ Optional kesselClientId;
+
+ @ConfigProperty(name = KESSEL_CLIENT_SECRET)
+ Optional kesselClientSecret;
+
+ @ConfigProperty(name = KESSEL_CLIENT_ISSUER)
+ Optional kesselClientIssuer;
+
+ @ConfigProperty(name = KESSEL_CLIENT_MODE)
+ AuthenticationConfig.AuthMode kesselClientMode;
+
 /**
 * Is the gRPC client supposed to connect to a secure, HTTPS endpoint?
 */
@@ -211,4 +228,20 @@ public Optional getQuarkusItServiceKeystore() {
 public Optional getQuarkusItServicePassword() {
 return quarkusItServicePassword;
 }
+
+ public Optional getKesselClientId() {
+ return kesselClientId;
+ }
+
+ public Optional getKesselClientSecret() {
+ return kesselClientSecret;
+ }
+
+ public Optional getKesselClientIssuer() {
+ return kesselClientIssuer;
+ }
+
+ public AuthenticationConfig.AuthMode getKesselClientMode() {
+ return kesselClientMode;
+ }
 }
diff --git a/recipients-resolver/src/main/java/com/redhat/cloud/notifications/recipients/resolver/kessel/KesselService.java b/recipients-resolver/src/main/java/com/redhat/cloud/notifications/recipients/resolver/kessel/KesselService.java
index 523c6469b3..db451f40c6 100644
--- a/recipients-resolver/src/main/java/com/redhat/cloud/notifications/recipients/resolver/kessel/KesselService.java
+++ b/recipients-resolver/src/main/java/com/redhat/cloud/notifications/recipients/resolver/kessel/KesselService.java
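Review bot: In RecipientsResolverConfig.java, `kesselClientMode` is injected without a `defaultValue` and is not `Optional`, unlike the three credential fields added beside it, so `relations-api.authn.mode` becomes a mandatory property. With MicroProfile Config a missing value for such an injection point fails the deployment, which would affect any environment that has not set the key yet. If that is intended, record it on the field, e.g. `// Required: startup fails when relations-api.authn.mode is unset.`; otherwise give the annotation a `defaultValue` naming the mode that leaves authentication off.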
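Review bot: `getKesselClientSecret()` in RecipientsResolverConfig.java hands out the raw OIDC client secret with nothing marking it as sensitive. The class imports a `Startup` event, so it presumably logs its configuration at boot somewhere outside this hunk; the secret has to stay out of that log and out of exception messages. A Javadoc line on the getter would record this: `/** OIDC client secret for the Kessel relations API; never log it or include it in error messages. */`.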
@@ -10,10 +10,12 @@
 import org.project_kessel.api.relations.v1beta1.ObjectReference;
 import org.project_kessel.api.relations.v1beta1.ObjectType;
 import org.project_kessel.relations.client.LookupClient;
+import org.project_kessel.relations.client.RelationsConfig;
 import org.project_kessel.relations.client.RelationsGrpcClientsManager;
 import java.util.HashSet;
 import java.util.Iterator;
+import java.util.Optional;
 import java.util.Set;
 @ApplicationScoped
@@ -30,15 +32,72 @@ public class KesselService { @PostConstruct void postConstruct() { - RelationsGrpcClientsManager clientsManager; - if (recipientsResolverConfig.isKesselUseSecureClient()) { - clientsManager = RelationsGrpcClientsManager.forSecureClients(recipientsResolverConfig.getKesselTargetUrl()); - } else { - clientsManager = RelationsGrpcClientsManager.forInsecureClients(recipientsResolverConfig.getKesselTargetUrl()); - } + RelationsConfig kesselRelationsConfig = getKesselRelationsConfig(); + + RelationsGrpcClientsManager clientsManager = RelationsGrpcClientsManager.forClientsWithConfig(kesselRelationsConfig); + lookupClient = clientsManager.getLookupClient(); } + private RelationsConfig getKesselRelationsConfig() { + RelationsConfig kesselRelationsConfig = new RelationsConfig() { + @Override + public boolean isSecureClients() { + return recipientsResolverConfig.isKesselUseSecureClient(); + } + + @Override + public String targetUrl() { + return recipientsResolverConfig.getKesselTargetUrl(); + } + + @Override + public Optional authenticationConfig() { + AuthenticationConfig authenticationConfig = new AuthenticationConfig() { + @Override + public org.project_kessel.clients.authn.AuthenticationConfig.AuthMode mode() { + return recipientsResolverConfig.getKesselClientMode(); + } + + @Override + public Optional clientCredentialsConfig() { + OIDCClientCredentialsConfig clientCredentialsConfig = new OIDCClientCredentialsConfig() { + @Override + public String issuer() { + return recipientsResolverConfig.getKesselClientIssuer().get(); + } + + @Override + public String clientId() { + return recipientsResolverConfig.getKesselClientId().get(); + } + + @Override + public String clientSecret() { + return recipientsResolverConfig.getKesselClientSecret().get(); + } + + @Override + public Optional scope() { + return Optional.empty(); + } + + @Override + public Optional oidcClientCredentialsMinterImplementation() { + return Optional.empty(); + } + }; + + return 
Optional.of(clientCredentialsConfig); + } + }; + + return Optional.of(authenticationConfig); + } + }; + return kesselRelationsConfig; + } + public Set lookupSubjects(RecipientsAuthorizationCriterion recipientsAuthorizationCriterion) { Set userNames = new HashSet<>(); LookupSubjectsRequest request = getLookupSubjectsRequest(recipientsAuthorizationCriterion);
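Review bot: The three `.get()` calls in the anonymous `OIDCClientCredentialsConfig` (`issuer()`, `clientId()`, `clientSecret()`) read `Optional` config values unchecked, so a deployment that selects an authenticated mode but omits one of them gets a bare `NoSuchElementException` when the client first asks for the value instead of a clear error at startup. Prefer `orElseThrow` with the property name, e.g. `return recipientsResolverConfig.getKesselClientIssuer().orElseThrow(() -> new IllegalStateException("relations-api.authn.client.issuer is not set"));`, and the same for the id and the secret, naming only the key and never the value. Separately, nothing in `getKesselRelationsConfig()` stops an authenticated mode from being combined with `relations-api.is-secure-clients=false`, in which case the access token would presumably travel over a plaintext gRPC channel; a check in `postConstruct()` that rejects that pair is worth adding. `lookupSubjects` continues past the end of the hunk.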