From bd2c6fdbb32df6a4c87e6340ba70ab95e4c0d192 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois?= Date: Wed, 6 Nov 2024 13:54:36 +0100 Subject: [PATCH 1/4] Issues/300: rbac now supports regex for values --- .../extractor/OauthAuthorityExtractor.java | 4 +- .../ProviderAuthorityExtractorTest.java | 68 +++++++++++++++++++ api/src/test/resources/roles_definition.yaml | 34 ++++++++++ 3 files changed, 104 insertions(+), 2 deletions(-) create mode 100644 api/src/test/java/io/kafbat/ui/config/ProviderAuthorityExtractorTest.java create mode 100644 api/src/test/resources/roles_definition.yaml diff --git a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java index 6d14ab870..1712b6410 100644 --- a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java +++ b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java @@ -60,7 +60,7 @@ private Set extractUsernameRoles(AccessControlService acs, DefaultOAuth2 .filter(s -> s.getType().equals("user")) .peek(s -> log.trace("[{}] matches [{}]? [{}]", s.getValue(), principalName, s.getValue().equalsIgnoreCase(principalName))) - .anyMatch(s -> s.getValue().equalsIgnoreCase(principalName))) + .anyMatch(s -> principalName.matches(s.getValue()))) .map(Role::getName) .collect(Collectors.toSet()); @@ -96,7 +96,7 @@ private Set extractRoles(AccessControlService acs, DefaultOAuth2User pri .filter(s -> s.getType().equals("role")) .anyMatch(subject -> { var roleName = subject.getValue(); - return principalRoles.contains(roleName); + return principalRoles.stream().anyMatch(s -> s.matches(subject.getValue())); }) ) .map(Role::getName) diff --git a/api/src/test/java/io/kafbat/ui/config/ProviderAuthorityExtractorTest.java b/api/src/test/java/io/kafbat/ui/config/ProviderAuthorityExtractorTest.java new file mode 100644 index 000000000..7ce5af2a7 --- /dev/null +++ b/api/src/test/java/io/kafbat/ui/config/ProviderAuthorityExtractorTest.java @@ -0,0 +1,68 @@ +package io.kafbat.ui.config; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.mockito.Mockito.when; + +import io.kafbat.ui.config.auth.OAuthProperties; +import io.kafbat.ui.model.rbac.Role; +import io.kafbat.ui.service.rbac.AccessControlService; +import io.kafbat.ui.service.rbac.extractor.OauthAuthorityExtractor; +import io.kafbat.ui.service.rbac.extractor.ProviderAuthorityExtractor; +import io.kafbat.ui.util.AccessControlServiceMock; +import java.io.InputStream; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Set; +import lombok.SneakyThrows; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.oauth2.core.user.DefaultOAuth2User; +import org.springframework.security.oauth2.core.user.OAuth2User; +import org.yaml.snakeyaml.Yaml; +import org.yaml.snakeyaml.introspector.BeanAccess; + +public class ProviderAuthorityExtractorTest { + + + private final AccessControlService accessControlService = new AccessControlServiceMock().getMock(); + Yaml yaml; + ProviderAuthorityExtractor extractor; + + @BeforeEach + void setUp() { + yaml = new Yaml(); + yaml.setBeanAccess(BeanAccess.FIELD); + extractor = new OauthAuthorityExtractor(); + + InputStream rolesFile = this.getClass() + .getClassLoader() + .getResourceAsStream("roles_definition.yaml"); + + Role[] roleArray = yaml.loadAs(rolesFile, Role[].class); + when(accessControlService.getRoles()).thenReturn(List.of(roleArray)); + + } + + @SneakyThrows + @Test + void ExtractAuthoritiesFromRegex() { + + OAuth2User oauth2User = new DefaultOAuth2User( + AuthorityUtils.createAuthorityList("SCOPE_message:read"), + Map.of("role_definition", Set.of("ROLE-ADMIN", "ANOTHER-ROLE"), "user_name", "john@kafka.com"), + "user_name"); + + HashMap additionalParams = new HashMap<>(); + OAuthProperties.OAuth2Provider oAuth2Provider = new OAuthProperties.OAuth2Provider(); + oAuth2Provider.setCustomParams(Map.of("roles-field", "role_definition")); + additionalParams.put("provider", oAuth2Provider); + + Set roles = extractor.extract(accessControlService, oauth2User, additionalParams).block(); + + assertEquals(Set.of("viewer", "admin"), roles); + + } + +} diff --git a/api/src/test/resources/roles_definition.yaml b/api/src/test/resources/roles_definition.yaml new file mode 100644 index 000000000..9428df22f --- /dev/null +++ b/api/src/test/resources/roles_definition.yaml @@ -0,0 +1,34 @@ +- name: 'admin' + subjects: + - provider: 'OAUTH' + value: 'ROLE-[A-Z]+' + type: 'role' + clusters: + - local + - remote + permissions: + - resource: APPLICATIONCONFIG + actions: [ all ] +- name: 'viewer' + subjects: + - provider: 'LDAP' + value: 'CS-XXX' + type: 'kafka-viewer' + - provider: 'OAUTH' + value: '.*@kafka.com' + type: 'user' + clusters: + - remote + permissions: + - resource: APPLICATIONCONFIG + actions: [ all ] +- name: 'editor' + subjects: + - provider: 'OAUTH' + value: 'ROLE_EDITOR' + type: 'role' + clusters: + - local + permissions: + - resource: APPLICATIONCONFIG + actions: [ all ] From 33b4a54c0c384daf10ba34cb47df0161ec53ffc6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois?= Date: Wed, 6 Nov 2024 15:23:48 +0100 Subject: [PATCH 2/4] Issues/300: fix checkstyle --- .../kafbat/ui/config/ProviderAuthorityExtractorTest.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/api/src/test/java/io/kafbat/ui/config/ProviderAuthorityExtractorTest.java b/api/src/test/java/io/kafbat/ui/config/ProviderAuthorityExtractorTest.java index 7ce5af2a7..39a0e8b07 100644 --- a/api/src/test/java/io/kafbat/ui/config/ProviderAuthorityExtractorTest.java +++ b/api/src/test/java/io/kafbat/ui/config/ProviderAuthorityExtractorTest.java @@ -47,7 +47,7 @@ void setUp() { @SneakyThrows @Test - void ExtractAuthoritiesFromRegex() { + void extractAuthoritiesFromRegex() { OAuth2User oauth2User = new DefaultOAuth2User( AuthorityUtils.createAuthorityList("SCOPE_message:read"), @@ -55,9 +55,9 @@ void ExtractAuthoritiesFromRegex() { "user_name"); HashMap additionalParams = new HashMap<>(); - OAuthProperties.OAuth2Provider oAuth2Provider = new OAuthProperties.OAuth2Provider(); - oAuth2Provider.setCustomParams(Map.of("roles-field", "role_definition")); - additionalParams.put("provider", oAuth2Provider); + OAuthProperties.OAuth2Provider provider = new OAuthProperties.OAuth2Provider(); + provider.setCustomParams(Map.of("roles-field", "role_definition")); + additionalParams.put("provider", provider); Set roles = extractor.extract(accessControlService, oauth2User, additionalParams).block(); From f15fc925364efb98b1d82b01223a153bac3b39a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois?= Date: Tue, 12 Nov 2024 14:54:58 +0100 Subject: [PATCH 3/4] Issues/300: Other extractors handle regex as values. --- .../extractor/CognitoAuthorityExtractor.java | 4 +- .../extractor/GithubAuthorityExtractor.java | 6 +- .../extractor/GoogleAuthorityExtractor.java | 7 +- .../extractor/OauthAuthorityExtractor.java | 8 +- .../ProviderAuthorityExtractorTest.java | 68 -------- ...exBasedProviderAuthorityExtractorTest.java | 159 ++++++++++++++++++ api/src/test/resources/roles_definition.yaml | 15 ++ 7 files changed, 186 insertions(+), 81 deletions(-) delete mode 100644 api/src/test/java/io/kafbat/ui/config/ProviderAuthorityExtractorTest.java create mode 100644 api/src/test/java/io/kafbat/ui/config/RegexBasedProviderAuthorityExtractorTest.java diff --git a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/CognitoAuthorityExtractor.java b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/CognitoAuthorityExtractor.java index a246b8910..e75666d83 100644 --- a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/CognitoAuthorityExtractor.java +++ b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/CognitoAuthorityExtractor.java @@ -50,7 +50,7 @@ private Set extractUsernameRoles(AccessControlService acs, DefaultOAuth2 .stream() .filter(s -> s.getProvider().equals(Provider.OAUTH_COGNITO)) .filter(s -> s.getType().equals("user")) - .anyMatch(s -> s.getValue().equalsIgnoreCase(principal.getName()))) + .anyMatch(s -> principal.getName() != null && principal.getName().matches(s.getValue()))) .map(Role::getName) .collect(Collectors.toSet()); @@ -76,7 +76,7 @@ private Set extractGroupRoles(AccessControlService acs, DefaultOAuth2Use .filter(s -> s.getType().equals("group")) .anyMatch(subject -> groups .stream() - .anyMatch(cognitoGroup -> cognitoGroup.equalsIgnoreCase(subject.getValue())) + .anyMatch(cognitoGroup -> cognitoGroup.matches(subject.getValue())) )) .map(Role::getName) .collect(Collectors.toSet()); diff --git a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/GithubAuthorityExtractor.java b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/GithubAuthorityExtractor.java index b50e76a16..f08e266d3 100644 --- a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/GithubAuthorityExtractor.java +++ b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/GithubAuthorityExtractor.java @@ -90,7 +90,7 @@ private Set extractUsernameRoles(DefaultOAuth2User principal, AccessCont .stream() .filter(s -> s.getProvider().equals(Provider.OAUTH_GITHUB)) .filter(s -> s.getType().equals("user")) - .anyMatch(s -> s.getValue().equals(username))) + .anyMatch(s -> username.matches(s.getValue()))) .map(Role::getName) .collect(Collectors.toSet()); @@ -131,7 +131,7 @@ private Mono> getOrganizationRoles(DefaultOAuth2User principal, Map< .filter(s -> s.getType().equals(ORGANIZATION)) .anyMatch(subject -> orgsMap.stream() .map(org -> org.get(ORGANIZATION_NAME).toString()) - .anyMatch(orgName -> orgName.equalsIgnoreCase(subject.getValue())) + .anyMatch(orgName -> orgName.matches(subject.getValue())) )) .map(Role::getName) .collect(Collectors.toSet())); @@ -189,7 +189,7 @@ private Mono> getTeamRoles(WebClient webClient, Map .filter(s -> s.getProvider().equals(Provider.OAUTH_GITHUB)) .filter(s -> s.getType().equals("team")) .anyMatch(subject -> teams.stream() - .anyMatch(teamName -> teamName.equalsIgnoreCase(subject.getValue())) + .anyMatch(teamName -> teamName.matches(subject.getValue())) )) .map(Role::getName) .collect(Collectors.toSet())); diff --git a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/GoogleAuthorityExtractor.java b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/GoogleAuthorityExtractor.java index 8ea6d2108..c323e7ffd 100644 --- a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/GoogleAuthorityExtractor.java +++ b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/GoogleAuthorityExtractor.java @@ -50,7 +50,10 @@ private Set extractUsernameRoles(AccessControlService acs, DefaultOAuth2 .stream() .filter(s -> s.getProvider().equals(Provider.OAUTH_GOOGLE)) .filter(s -> s.getType().equals("user")) - .anyMatch(s -> s.getValue().equalsIgnoreCase(principal.getAttribute(EMAIL_ATTRIBUTE_NAME)))) + .anyMatch(s -> { + String email = principal.getAttribute(EMAIL_ATTRIBUTE_NAME); + return email != null && email.matches(s.getValue()); + })) .map(Role::getName) .collect(Collectors.toSet()); } @@ -68,7 +71,7 @@ private Set extractDomainRoles(AccessControlService acs, DefaultOAuth2Us .stream() .filter(s -> s.getProvider().equals(Provider.OAUTH_GOOGLE)) .filter(s -> s.getType().equals("domain")) - .anyMatch(s -> s.getValue().equals(domain))) + .anyMatch(s -> domain.matches(s.getValue()))) .map(Role::getName) .collect(Collectors.toSet()); } diff --git a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java index 1712b6410..7bf19c61a 100644 --- a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java +++ b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java @@ -60,7 +60,7 @@ private Set extractUsernameRoles(AccessControlService acs, DefaultOAuth2 .filter(s -> s.getType().equals("user")) .peek(s -> log.trace("[{}] matches [{}]? [{}]", s.getValue(), principalName, s.getValue().equalsIgnoreCase(principalName))) - .anyMatch(s -> principalName.matches(s.getValue()))) + .anyMatch(s -> principalName != null && principalName.matches(s.getValue()))) .map(Role::getName) .collect(Collectors.toSet()); @@ -94,11 +94,7 @@ private Set extractRoles(AccessControlService acs, DefaultOAuth2User pri .stream() .filter(s -> s.getProvider().equals(Provider.OAUTH)) .filter(s -> s.getType().equals("role")) - .anyMatch(subject -> { - var roleName = subject.getValue(); - return principalRoles.stream().anyMatch(s -> s.matches(subject.getValue())); - }) - ) + .anyMatch(subject -> principalRoles.stream().anyMatch(s -> s.matches(subject.getValue())))) .map(Role::getName) .collect(Collectors.toSet()); diff --git a/api/src/test/java/io/kafbat/ui/config/ProviderAuthorityExtractorTest.java b/api/src/test/java/io/kafbat/ui/config/ProviderAuthorityExtractorTest.java deleted file mode 100644 index 39a0e8b07..000000000 --- a/api/src/test/java/io/kafbat/ui/config/ProviderAuthorityExtractorTest.java +++ /dev/null @@ -1,68 +0,0 @@ -package io.kafbat.ui.config; - -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.mockito.Mockito.when; - -import io.kafbat.ui.config.auth.OAuthProperties; -import io.kafbat.ui.model.rbac.Role; -import io.kafbat.ui.service.rbac.AccessControlService; -import io.kafbat.ui.service.rbac.extractor.OauthAuthorityExtractor; -import io.kafbat.ui.service.rbac.extractor.ProviderAuthorityExtractor; -import io.kafbat.ui.util.AccessControlServiceMock; -import java.io.InputStream; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.Set; -import lombok.SneakyThrows; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; -import org.springframework.security.core.authority.AuthorityUtils; -import org.springframework.security.oauth2.core.user.DefaultOAuth2User; -import org.springframework.security.oauth2.core.user.OAuth2User; -import org.yaml.snakeyaml.Yaml; -import org.yaml.snakeyaml.introspector.BeanAccess; - -public class ProviderAuthorityExtractorTest { - - - private final AccessControlService accessControlService = new AccessControlServiceMock().getMock(); - Yaml yaml; - ProviderAuthorityExtractor extractor; - - @BeforeEach - void setUp() { - yaml = new Yaml(); - yaml.setBeanAccess(BeanAccess.FIELD); - extractor = new OauthAuthorityExtractor(); - - InputStream rolesFile = this.getClass() - .getClassLoader() - .getResourceAsStream("roles_definition.yaml"); - - Role[] roleArray = yaml.loadAs(rolesFile, Role[].class); - when(accessControlService.getRoles()).thenReturn(List.of(roleArray)); - - } - - @SneakyThrows - @Test - void extractAuthoritiesFromRegex() { - - OAuth2User oauth2User = new DefaultOAuth2User( - AuthorityUtils.createAuthorityList("SCOPE_message:read"), - Map.of("role_definition", Set.of("ROLE-ADMIN", "ANOTHER-ROLE"), "user_name", "john@kafka.com"), - "user_name"); - - HashMap additionalParams = new HashMap<>(); - OAuthProperties.OAuth2Provider provider = new OAuthProperties.OAuth2Provider(); - provider.setCustomParams(Map.of("roles-field", "role_definition")); - additionalParams.put("provider", provider); - - Set roles = extractor.extract(accessControlService, oauth2User, additionalParams).block(); - - assertEquals(Set.of("viewer", "admin"), roles); - - } - -} diff --git a/api/src/test/java/io/kafbat/ui/config/RegexBasedProviderAuthorityExtractorTest.java b/api/src/test/java/io/kafbat/ui/config/RegexBasedProviderAuthorityExtractorTest.java new file mode 100644 index 000000000..7eb8c8bf1 --- /dev/null +++ b/api/src/test/java/io/kafbat/ui/config/RegexBasedProviderAuthorityExtractorTest.java @@ -0,0 +1,159 @@ +package io.kafbat.ui.config; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.mockito.Mockito.when; +import static org.springframework.security.oauth2.client.registration.ClientRegistration.withRegistrationId; + +import io.kafbat.ui.config.auth.OAuthProperties; +import io.kafbat.ui.model.rbac.Role; +import io.kafbat.ui.service.rbac.AccessControlService; +import io.kafbat.ui.service.rbac.extractor.CognitoAuthorityExtractor; +import io.kafbat.ui.service.rbac.extractor.GithubAuthorityExtractor; +import io.kafbat.ui.service.rbac.extractor.GoogleAuthorityExtractor; +import io.kafbat.ui.service.rbac.extractor.OauthAuthorityExtractor; +import io.kafbat.ui.service.rbac.extractor.ProviderAuthorityExtractor; +import io.kafbat.ui.util.AccessControlServiceMock; +import java.io.InputStream; +import java.time.Instant; +import java.time.temporal.ChronoUnit; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Set; +import lombok.SneakyThrows; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest; +import org.springframework.security.oauth2.core.AuthorizationGrantType; +import org.springframework.security.oauth2.core.OAuth2AccessToken; +import org.springframework.security.oauth2.core.user.DefaultOAuth2User; +import org.springframework.security.oauth2.core.user.OAuth2User; +import org.yaml.snakeyaml.Yaml; +import org.yaml.snakeyaml.introspector.BeanAccess; + +public class RegexBasedProviderAuthorityExtractorTest { + + + private final AccessControlService accessControlService = new AccessControlServiceMock().getMock(); + Yaml yaml; + ProviderAuthorityExtractor extractor; + + @BeforeEach + void setUp() { + yaml = new Yaml(); + yaml.setBeanAccess(BeanAccess.FIELD); + + InputStream rolesFile = this.getClass() + .getClassLoader() + .getResourceAsStream("roles_definition.yaml"); + + Role[] roleArray = yaml.loadAs(rolesFile, Role[].class); + when(accessControlService.getRoles()).thenReturn(List.of(roleArray)); + + } + + @SneakyThrows + @Test + void extractOauth2Authorities() { + + extractor = new OauthAuthorityExtractor(); + + OAuth2User oauth2User = new DefaultOAuth2User( + AuthorityUtils.createAuthorityList("SCOPE_message:read"), + Map.of("role_definition", Set.of("ROLE-ADMIN", "ANOTHER-ROLE"), "user_name", "john@kafka.com"), + "user_name"); + + HashMap additionalParams = new HashMap<>(); + OAuthProperties.OAuth2Provider provider = new OAuthProperties.OAuth2Provider(); + provider.setCustomParams(Map.of("roles-field", "role_definition")); + additionalParams.put("provider", provider); + + Set roles = extractor.extract(accessControlService, oauth2User, additionalParams).block(); + + assertEquals(Set.of("viewer", "admin"), roles); + + } + + @SneakyThrows + @Test + void extractCognitoAuthorities() { + + extractor = new CognitoAuthorityExtractor(); + + OAuth2User oauth2User = new DefaultOAuth2User( + AuthorityUtils.createAuthorityList("SCOPE_message:read"), + Map.of("cognito:groups", List.of("ROLE-ADMIN", "ANOTHER-ROLE"), "user_name", "john@kafka.com"), + "user_name"); + + HashMap additionalParams = new HashMap<>(); + + OAuthProperties.OAuth2Provider provider = new OAuthProperties.OAuth2Provider(); + provider.setCustomParams(Map.of("roles-field", "role_definition")); + additionalParams.put("provider", provider); + + Set roles = extractor.extract(accessControlService, oauth2User, additionalParams).block(); + + assertEquals(Set.of("viewer", "admin"), roles); + + } + + @SneakyThrows + @Test + void extractGithubAuthorities() { + + extractor = new GithubAuthorityExtractor(); + + OAuth2User oauth2User = new DefaultOAuth2User( + AuthorityUtils.createAuthorityList("SCOPE_message:read"), + Map.of("login", "john@kafka.com"), + "login"); + + HashMap additionalParams = new HashMap<>(); + + OAuthProperties.OAuth2Provider provider = new OAuthProperties.OAuth2Provider(); + additionalParams.put("provider", provider); + + additionalParams.put("request", new OAuth2UserRequest( + withRegistrationId("registration-1") + .clientId("client-1") + .clientSecret("secret") + .redirectUri("https://client.com") + .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) + .authorizationUri("https://provider.com/oauth2/authorization") + .tokenUri("https://provider.com/oauth2/token") + .clientName("Client 1") + .build(), + new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, "XXXX", Instant.now(), + Instant.now().plus(10, ChronoUnit.HOURS)))); + + Set roles = extractor.extract(accessControlService, oauth2User, additionalParams).block(); + + assertEquals(Set.of("viewer"), roles); + + } + + @SneakyThrows + @Test + void extractGoogleAuthorities() { + + extractor = new GoogleAuthorityExtractor(); + + OAuth2User oauth2User = new DefaultOAuth2User( + AuthorityUtils.createAuthorityList("SCOPE_message:read"), + Map.of("hd", "test.domain.com", "email", "john@kafka.com"), + "email"); + + HashMap additionalParams = new HashMap<>(); + + OAuthProperties.OAuth2Provider provider = new OAuthProperties.OAuth2Provider(); + provider.setCustomParams(Map.of("roles-field", "role_definition")); + additionalParams.put("provider", provider); + + Set roles = extractor.extract(accessControlService, oauth2User, additionalParams).block(); + + assertEquals(Set.of("viewer", "admin"), roles); + + } + +} diff --git a/api/src/test/resources/roles_definition.yaml b/api/src/test/resources/roles_definition.yaml index 9428df22f..25e22b8a1 100644 --- a/api/src/test/resources/roles_definition.yaml +++ b/api/src/test/resources/roles_definition.yaml @@ -3,6 +3,12 @@ - provider: 'OAUTH' value: 'ROLE-[A-Z]+' type: 'role' + - provider: 'OAUTH_COGNITO' + value: 'ROLE-[A-Z]+' + type: 'group' + - provider: 'OAUTH_GOOGLE' + value: '.*.domain.com' + type: 'domain' clusters: - local - remote @@ -17,6 +23,15 @@ - provider: 'OAUTH' value: '.*@kafka.com' type: 'user' + - provider: 'OAUTH_COGNITO' + value: '.*@kafka.com' + type: 'user' + - provider: 'OAUTH_GITHUB' + value: '.*@kafka.com' + type: 'user' + - provider: 'OAUTH_GOOGLE' + value: '.*@kafka.com' + type: 'user' clusters: - remote permissions: From 1c47f7c097c88c31cd1fcfdb7141a0c49b90c361 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois?= Date: Tue, 12 Nov 2024 15:52:54 +0100 Subject: [PATCH 4/4] Issues/300: Log message now reflects the new matching strategy --- .../ui/service/rbac/extractor/OauthAuthorityExtractor.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java index 7bf19c61a..8812301a1 100644 --- a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java +++ b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java @@ -59,7 +59,7 @@ private Set extractUsernameRoles(AccessControlService acs, DefaultOAuth2 .filter(s -> s.getProvider().equals(Provider.OAUTH)) .filter(s -> s.getType().equals("user")) .peek(s -> log.trace("[{}] matches [{}]? [{}]", s.getValue(), principalName, - s.getValue().equalsIgnoreCase(principalName))) + principalName != null && principalName.matches(s.getValue()))) .anyMatch(s -> principalName != null && principalName.matches(s.getValue()))) .map(Role::getName) .collect(Collectors.toSet());