CLOUDP-300256: Allow unset db-user scope (#2120)

* Allow unset db-user scope by sending an empty set

internal/controller/atlasdatabaseuser/databaseuser_test.go

@@ -651,6 +651,7 @@ func TestDbuLifeCycle(t *testing.T) {
 									Name: "user-pass",
 								},
 								DatabaseName: "admin",
+								Scopes:       []akov2.ScopeSpec{},
 							},
 						},
 						nil,
@@ -1160,6 +1161,7 @@ func TestUpdate(t *testing.T) {
 						Name: "user-pass",
 					},
 					DatabaseName: "admin",
+					Scopes:       []akov2.ScopeSpec{},
 				},
 			},
 			dbUserService: func() dbuser.AtlasUsersService {

internal/translation/dbuser/conversion.go

@@ -85,6 +85,9 @@ func normalize(spec *akov2.AtlasDatabaseUserSpec) error {
 			a.Name+string(a.Type),
 			b.Name+string(b.Type))
 	})
+	if spec.Scopes == nil {
+		spec.Scopes = []akov2.ScopeSpec{}
+	}
 	if spec.DeleteAfterDate != "" { // enforce date format
 		operatorDeleteDate, err := timeutil.ParseISO8601(spec.DeleteAfterDate)
 		if err != nil {
@@ -178,7 +181,7 @@ func rolesToAtlas(roles []akov2.RoleSpec) *[]admin.DatabaseUserRole {
 
 func scopesToAtlas(scopes []akov2.ScopeSpec) *[]admin.UserScope {
 	if len(scopes) == 0 {
-		return nil
+		return &[]admin.UserScope{}
 	}
 	atlasScopes := []admin.UserScope{}
 	for _, scope := range scopes {
@@ -199,9 +202,9 @@ func dateFromAtlas(date *time.Time) string {
 
 func scopesFromAtlas(scopes []admin.UserScope) ([]akov2.ScopeSpec, error) {
 	if len(scopes) == 0 {
-		return nil, nil
+		return []akov2.ScopeSpec{}, nil
 	}
-	specScopes := []akov2.ScopeSpec{}
+	specScopes := make([]akov2.ScopeSpec, 0, len(scopes))
 	for _, scope := range scopes {
 		scopeType, err := scopeTypeFromAtlas(scope.Type)
 		if err != nil {

internal/translation/dbuser/conversion_test.go

@@ -46,7 +46,7 @@ func TestNewUser(t *testing.T) {
 		{
 			title:        "Empty spec returns empty user",
 			spec:         &akov2.AtlasDatabaseUserSpec{},
-			expectedUser: &dbuser.User{AtlasDatabaseUserSpec: &akov2.AtlasDatabaseUserSpec{}},
+			expectedUser: &dbuser.User{AtlasDatabaseUserSpec: &akov2.AtlasDatabaseUserSpec{Scopes: []akov2.ScopeSpec{}}},
 		},
 
 		{
@@ -490,5 +490,6 @@ func defaultTestSpec() *akov2.AtlasDatabaseUserSpec {
 	return &akov2.AtlasDatabaseUserSpec{
 		DatabaseName: testDB,
 		Username:     testUsername,
+		Scopes:       []akov2.ScopeSpec{},
 	}
 }

internal/translation/dbuser/dbuser_test.go

@@ -73,8 +73,15 @@ func TestAtlasUsersGet(t *testing.T) {
 				mockUsersAPI.EXPECT().GetDatabaseUserExecute(admin.GetDatabaseUserApiRequest{ApiService: mockUsersAPI}).Return(
 					expectedUser, &http.Response{StatusCode: http.StatusOK}, nil)
 			},
-			expectedUser: &User{AtlasDatabaseUserSpec: &akov2.AtlasDatabaseUserSpec{DatabaseName: db, Username: username}, ProjectID: projectID},
-			expectedErr:  nil,
+			expectedUser: &User{
+				ProjectID: projectID,
+				AtlasDatabaseUserSpec: &akov2.AtlasDatabaseUserSpec{
+					DatabaseName: db,
+					Username:     username,
+					Scopes:       []akov2.ScopeSpec{},
+				},
+			},
+			expectedErr: nil,
 		},
 		{
 			name: "User not found",

internal/translation/dbuser/internal_test.go

@@ -116,6 +116,7 @@ func defaultTestUser() *User {
 		AtlasDatabaseUserSpec: &akov2.AtlasDatabaseUserSpec{
 			DatabaseName: testDB,
 			Username:     testUsername,
+			Scopes:       []akov2.ScopeSpec{},
 		},
 		Password:  testPassword,
 		ProjectID: testProjectID,

test/int/databaseuser_unprotected_test.go

@@ -279,12 +279,13 @@ var _ = Describe("Atlas Database User", Label("int", "AtlasDatabaseUser", "prote
 		It("Adds connection secret when new deployment is created", Label("user-add-secret"), func() {
 			secondDeployment := &akov2.AtlasDeployment{}
 
-			By("Creating a database user", func() {
+			By("Creating a database user for existing deployment only", func() {
 				passwordSecret := buildPasswordSecret(testNamespace.Name, UserPasswordSecret, DBUserPassword)
 				Expect(k8sClient.Create(context.Background(), &passwordSecret)).To(Succeed())
 
 				testDBUser1 = akov2.NewDBUser(testNamespace.Name, dbUserName1, dbUserName1, projectName).
 					WithPasswordSecret(UserPasswordSecret).
+					WithScope(akov2.DeploymentScopeType, testDeployment.GetDeploymentName()).
 					WithRole("readWriteAnyDatabase", "admin", "")
 				Expect(k8sClient.Create(context.Background(), testDBUser1)).To(Succeed())
 
@@ -306,7 +307,25 @@ var _ = Describe("Atlas Database User", Label("int", "AtlasDatabaseUser", "prote
 				}).WithTimeout(20 * time.Minute).WithPolling(PollingInterval).Should(BeTrue())
 			})
 
-			By("Validating connection secrets were created", func() {
+			By("Validating connection secrets for second deployment were not created", func() {
+				validateSecret(k8sClient, *testProject, *testDeployment, *testDBUser1)
+
+				Expect(tryConnect(testProject.ID(), *testDeployment, *testDBUser1)).Should(Succeed())
+				Expect(tryConnect(testProject.ID(), *secondDeployment, *testDBUser1)).ShouldNot(Succeed())
+			})
+
+			By("Removing database user scope for first deployment", func() {
+				Expect(k8sClient.Get(context.Background(), client.ObjectKeyFromObject(testDBUser1), testDBUser1)).Should(Succeed())
+				testDBUser1.Spec.Scopes = nil
+
+				Expect(k8sClient.Update(context.Background(), testDBUser1)).To(Succeed())
+
+				Eventually(func() bool {
+					return resources.CheckCondition(k8sClient, testDBUser1, api.TrueCondition(api.ReadyType))
+				}).WithTimeout(databaseUserTimeout).WithPolling(PollingInterval).Should(BeTrue())
+			})
+
+			By("Validating connection secrets for both deployments were created", func() {
 				validateSecret(k8sClient, *testProject, *testDeployment, *testDBUser1)
 				validateSecret(k8sClient, *testProject, *secondDeployment, *testDBUser1)