RBAC: Make it possible to use regex for values (#663)

Co-authored-by: François <[email protected]>
Co-authored-by: Roman Zabaluev <[email protected]>
Co-authored-by: Callaert Anthony <[email protected]>

Author: 4 people

api/src/main/java/io/kafbat/ui/model/rbac/Subject.java

@@ -3,27 +3,19 @@
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkNotNull;
 
+import com.fasterxml.jackson.annotation.JsonProperty;
 import io.kafbat.ui.model.rbac.provider.Provider;
-import lombok.Getter;
+import java.util.Objects;
+import lombok.Data;
 
-@Getter
+@Data
 public class Subject {
 
   Provider provider;
   String type;
   String value;
-
-  public void setProvider(String provider) {
-    this.provider = Provider.fromString(provider.toUpperCase());
-  }
-
-  public void setType(String type) {
-    this.type = type;
-  }
-
-  public void setValue(String value) {
-    this.value = value;
-  }
+  @JsonProperty("isRegex")
+  boolean isRegex;
 
   public void validate() {
     checkNotNull(type, "Subject type cannot be null");
@@ -32,4 +24,11 @@ public void validate() {
     checkArgument(!type.isEmpty(), "Subject type cannot be empty");
     checkArgument(!value.isEmpty(), "Subject value cannot be empty");
   }
+
+  public boolean matches(final String attribute) {
+    if (isRegex) {
+      return Objects.nonNull(attribute) && attribute.matches(this.value);
+    }
+    return this.value.equalsIgnoreCase(attribute);
+  }
 }

api/src/main/java/io/kafbat/ui/service/rbac/extractor/CognitoAuthorityExtractor.java

@@ -50,7 +50,7 @@ private Set<String> extractUsernameRoles(AccessControlService acs, DefaultOAuth2
             .stream()
             .filter(s -> s.getProvider().equals(Provider.OAUTH_COGNITO))
             .filter(s -> s.getType().equals("user"))
-            .anyMatch(s -> s.getValue().equalsIgnoreCase(principal.getName())))
+            .anyMatch(s -> s.matches(principal.getName())))
         .map(Role::getName)
         .collect(Collectors.toSet());
 
@@ -76,7 +76,7 @@ private Set<String> extractGroupRoles(AccessControlService acs, DefaultOAuth2Use
             .filter(s -> s.getType().equals("group"))
             .anyMatch(subject -> groups
                 .stream()
-                .anyMatch(cognitoGroup -> cognitoGroup.equalsIgnoreCase(subject.getValue()))
+                .anyMatch(subject::matches)
             ))
         .map(Role::getName)
         .collect(Collectors.toSet());

api/src/main/java/io/kafbat/ui/service/rbac/extractor/GithubAuthorityExtractor.java

@@ -90,7 +90,7 @@ private Set<String> extractUsernameRoles(DefaultOAuth2User principal, AccessCont
             .stream()
             .filter(s -> s.getProvider().equals(Provider.OAUTH_GITHUB))
             .filter(s -> s.getType().equals("user"))
-            .anyMatch(s -> s.getValue().equals(username)))
+            .anyMatch(s -> s.matches(username)))
         .map(Role::getName)
         .collect(Collectors.toSet());
 
@@ -131,7 +131,7 @@ private Mono<Set<String>> getOrganizationRoles(DefaultOAuth2User principal, Map<
                 .filter(s -> s.getType().equals(ORGANIZATION))
                 .anyMatch(subject -> orgsMap.stream()
                     .map(org -> org.get(ORGANIZATION_NAME).toString())
-                    .anyMatch(orgName -> orgName.equalsIgnoreCase(subject.getValue()))
+                    .anyMatch(subject::matches)
                 ))
             .map(Role::getName)
             .collect(Collectors.toSet()));
@@ -189,7 +189,7 @@ private Mono<Set<String>> getTeamRoles(WebClient webClient, Map<String, Object>
                 .filter(s -> s.getProvider().equals(Provider.OAUTH_GITHUB))
                 .filter(s -> s.getType().equals("team"))
                 .anyMatch(subject -> teams.stream()
-                    .anyMatch(teamName -> teamName.equalsIgnoreCase(subject.getValue()))
+                    .anyMatch(subject::matches)
                 ))
             .map(Role::getName)
             .collect(Collectors.toSet()));

api/src/main/java/io/kafbat/ui/service/rbac/extractor/GoogleAuthorityExtractor.java

@@ -50,7 +50,10 @@ private Set<String> extractUsernameRoles(AccessControlService acs, DefaultOAuth2
             .stream()
             .filter(s -> s.getProvider().equals(Provider.OAUTH_GOOGLE))
             .filter(s -> s.getType().equals("user"))
-            .anyMatch(s -> s.getValue().equalsIgnoreCase(principal.getAttribute(EMAIL_ATTRIBUTE_NAME))))
+            .anyMatch(s -> {
+              String email = principal.getAttribute(EMAIL_ATTRIBUTE_NAME);
+              return s.matches(email);
+            }))
         .map(Role::getName)
         .collect(Collectors.toSet());
   }
@@ -68,7 +71,7 @@ private Set<String> extractDomainRoles(AccessControlService acs, DefaultOAuth2Us
             .stream()
             .filter(s -> s.getProvider().equals(Provider.OAUTH_GOOGLE))
             .filter(s -> s.getType().equals("domain"))
-            .anyMatch(s -> s.getValue().equals(domain)))
+            .anyMatch(s -> s.matches(domain)))
         .map(Role::getName)
         .collect(Collectors.toSet());
   }

api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java

@@ -58,9 +58,8 @@ private Set<String> extractUsernameRoles(AccessControlService acs, DefaultOAuth2
             .stream()
             .filter(s -> s.getProvider().equals(Provider.OAUTH))
             .filter(s -> s.getType().equals("user"))
-            .peek(s -> log.trace("[{}] matches [{}]? [{}]", s.getValue(), principalName,
-                s.getValue().equalsIgnoreCase(principalName)))
-            .anyMatch(s -> s.getValue().equalsIgnoreCase(principalName)))
+            .peek(s -> log.trace("[{}] matches [{}]? [{}]", s.getValue(), principalName,  s.matches(principalName)))
+            .anyMatch(s ->  s.matches(principalName)))
         .map(Role::getName)
         .collect(Collectors.toSet());
 
@@ -94,11 +93,7 @@ private Set<String> extractRoles(AccessControlService acs, DefaultOAuth2User pri
             .stream()
             .filter(s -> s.getProvider().equals(Provider.OAUTH))
             .filter(s -> s.getType().equals("role"))
-            .anyMatch(subject -> {
-              var roleName = subject.getValue();
-              return principalRoles.contains(roleName);
-            })
-        )
+            .anyMatch(subject -> principalRoles.stream().anyMatch(subject::matches)))
         .map(Role::getName)
         .collect(Collectors.toSet());
 

api/src/main/java/io/kafbat/ui/service/rbac/extractor/RbacActiveDirectoryAuthoritiesExtractor.java

@@ -37,8 +37,8 @@ public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOp
             .stream()
             .filter(subject -> subject.getProvider().equals(Provider.LDAP_AD))
             .anyMatch(subject -> switch (subject.getType()) {
-              case "user" -> username.equalsIgnoreCase(subject.getValue());
-              case "group" ->  adGroups.contains(subject.getValue());
+              case "user" -> subject.matches(username);
+              case "group" ->  adGroups.stream().anyMatch(subject::matches);
               default -> false;
             })
         )

api/src/main/java/io/kafbat/ui/service/rbac/extractor/RbacLdapAuthoritiesExtractor.java

@@ -39,8 +39,8 @@ protected Set<GrantedAuthority> getAdditionalRoles(DirContextOperations user, St
             .stream()
             .filter(subject -> subject.getProvider().equals(Provider.LDAP))
             .anyMatch(subject -> switch (subject.getType()) {
-              case "user" -> username.equalsIgnoreCase(subject.getValue());
-              case "group" -> ldapGroups.contains(subject.getValue());
+              case "user" -> subject.matches(username);
+              case "group" -> ldapGroups.stream().anyMatch(subject::matches);
               default -> false;
             })
         )

api/src/test/java/io/kafbat/ui/config/RegexBasedProviderAuthorityExtractorTest.java

@@ -0,0 +1,196 @@
+package io.kafbat.ui.config;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.when;
+import static org.springframework.security.oauth2.client.registration.ClientRegistration.withRegistrationId;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
+import com.fasterxml.jackson.dataformat.yaml.YAMLMapper;
+import io.kafbat.ui.config.auth.OAuthProperties;
+import io.kafbat.ui.model.rbac.Role;
+import io.kafbat.ui.service.rbac.AccessControlService;
+import io.kafbat.ui.service.rbac.extractor.CognitoAuthorityExtractor;
+import io.kafbat.ui.service.rbac.extractor.GithubAuthorityExtractor;
+import io.kafbat.ui.service.rbac.extractor.GoogleAuthorityExtractor;
+import io.kafbat.ui.service.rbac.extractor.OauthAuthorityExtractor;
+import io.kafbat.ui.service.rbac.extractor.ProviderAuthorityExtractor;
+import io.kafbat.ui.util.AccessControlServiceMock;
+import java.io.IOException;
+import java.io.InputStream;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import lombok.SneakyThrows;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+
+public class RegexBasedProviderAuthorityExtractorTest {
+
+
+  private final AccessControlService accessControlService = new AccessControlServiceMock().getMock();
+  ProviderAuthorityExtractor extractor;
+
+  @BeforeEach
+  void setUp() throws IOException {
+
+    YAMLMapper mapper = new YAMLMapper();
+
+    InputStream rolesFile = this.getClass()
+        .getClassLoader()
+        .getResourceAsStream("roles_definition.yaml");
+
+    Role[] roles = mapper.readValue(rolesFile, Role[].class);
+
+    when(accessControlService.getRoles()).thenReturn(List.of(roles));
+
+  }
+
+  @SneakyThrows
+  @Test
+  void extractOauth2Authorities() {
+
+    extractor = new OauthAuthorityExtractor();
+
+    OAuth2User oauth2User = new DefaultOAuth2User(
+        AuthorityUtils.createAuthorityList("SCOPE_message:read"),
+        Map.of("role_definition", Set.of("ROLE-ADMIN", "ANOTHER-ROLE"), "user_name", "[email protected]"),
+        "user_name");
+
+    HashMap<String, Object> additionalParams = new HashMap<>();
+    OAuthProperties.OAuth2Provider provider = new OAuthProperties.OAuth2Provider();
+    provider.setCustomParams(Map.of("roles-field", "role_definition"));
+    additionalParams.put("provider", provider);
+
+    Set<String> roles = extractor.extract(accessControlService, oauth2User, additionalParams).block();
+
+    assertNotNull(roles);
+    assertEquals(Set.of("viewer", "admin"), roles);
+    assertFalse(roles.contains("no one's role"));
+
+  }
+
+  @SneakyThrows
+  @Test()
+  void extractOauth2Authorities_blankEmail() {
+
+    extractor = new OauthAuthorityExtractor();
+
+    OAuth2User oauth2User = new DefaultOAuth2User(
+        AuthorityUtils.createAuthorityList("SCOPE_message:read"),
+        Map.of("role_definition", Set.of("ROLE-ADMIN", "ANOTHER-ROLE"), "user_name", ""),
+        "user_name");
+
+    HashMap<String, Object> additionalParams = new HashMap<>();
+    OAuthProperties.OAuth2Provider provider = new OAuthProperties.OAuth2Provider();
+    provider.setCustomParams(Map.of("roles-field", "role_definition"));
+    additionalParams.put("provider", provider);
+
+    Set<String> roles = extractor.extract(accessControlService, oauth2User, additionalParams).block();
+
+    assertNotNull(roles);
+    assertFalse(roles.contains("viewer"));
+    assertTrue(roles.contains("admin"));
+
+  }
+
+  @SneakyThrows
+  @Test
+  void extractCognitoAuthorities() {
+
+    extractor = new CognitoAuthorityExtractor();
+
+    OAuth2User oauth2User = new DefaultOAuth2User(
+        AuthorityUtils.createAuthorityList("SCOPE_message:read"),
+        Map.of("cognito:groups", List.of("ROLE-ADMIN", "ANOTHER-ROLE"), "user_name", "[email protected]"),
+        "user_name");
+
+    HashMap<String, Object> additionalParams = new HashMap<>();
+
+    OAuthProperties.OAuth2Provider provider = new OAuthProperties.OAuth2Provider();
+    provider.setCustomParams(Map.of("roles-field", "role_definition"));
+    additionalParams.put("provider", provider);
+
+    Set<String> roles = extractor.extract(accessControlService, oauth2User, additionalParams).block();
+
+    assertNotNull(roles);
+    assertEquals(Set.of("viewer", "admin"), roles);
+    assertFalse(roles.contains("no one's role"));
+
+  }
+
+  @SneakyThrows
+  @Test
+  void extractGithubAuthorities() {
+
+    extractor = new GithubAuthorityExtractor();
+
+    OAuth2User oauth2User = new DefaultOAuth2User(
+        AuthorityUtils.createAuthorityList("SCOPE_message:read"),
+        Map.of("login", "[email protected]"),
+        "login");
+
+    HashMap<String, Object> additionalParams = new HashMap<>();
+
+    OAuthProperties.OAuth2Provider provider = new OAuthProperties.OAuth2Provider();
+    additionalParams.put("provider", provider);
+
+    additionalParams.put("request", new OAuth2UserRequest(
+        withRegistrationId("registration-1")
+            .clientId("client-1")
+            .clientSecret("secret")
+            .redirectUri("https://client.com")
+            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+            .authorizationUri("https://provider.com/oauth2/authorization")
+            .tokenUri("https://provider.com/oauth2/token")
+            .clientName("Client 1")
+            .build(),
+        new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, "XXXX", Instant.now(),
+            Instant.now().plus(10, ChronoUnit.HOURS))));
+
+    Set<String> roles = extractor.extract(accessControlService, oauth2User, additionalParams).block();
+
+    assertNotNull(roles);
+    assertEquals(Set.of("viewer"), roles);
+    assertFalse(roles.contains("no one's role"));
+
+  }
+
+  @SneakyThrows
+  @Test
+  void extractGoogleAuthorities() {
+
+    extractor = new GoogleAuthorityExtractor();
+
+    OAuth2User oauth2User = new DefaultOAuth2User(
+        AuthorityUtils.createAuthorityList("SCOPE_message:read"),
+        Map.of("hd", "memelord.lol", "email", "[email protected]"),
+        "email");
+
+    HashMap<String, Object> additionalParams = new HashMap<>();
+
+    OAuthProperties.OAuth2Provider provider = new OAuthProperties.OAuth2Provider();
+    provider.setCustomParams(Map.of("roles-field", "role_definition"));
+    additionalParams.put("provider", provider);
+
+    Set<String> roles = extractor.extract(accessControlService, oauth2User, additionalParams).block();
+
+    assertNotNull(roles);
+    assertEquals(Set.of("viewer", "admin"), roles);
+    assertFalse(roles.contains("no one's role"));
+
+  }
+
+}