@Haarolean Haarolean commented Jun 27, 2023

  • Breaking change? (if so, please describe the impact and migration path for existing application instances)

What changes did you make? (Give an overview)

  • Implement an RBAC authorities extractor to support subject-level role matching
    Before that, matching could be done just on the role name level:
rbac:
  roles:
    - name: "memelords"

Now it's aligned more with the behavior present at other extractors:

rbac:
  roles:
    - name: "<anything here>"
      subjects:
        - provider: ldap
          type: group
          value: "memelord"

The previous matching stays intact as well.

Is there anything you'd like reviewers to focus on?

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • No need to
  • Manually (please, describe, if necessary)
  • Unit checks
  • Integration checks
  • Covered by existing automation

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES)
  • My changes generate no new warnings (e.g. Sonar is happy)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

Check out Contributing and Code of Conduct

A picture of a cute animal (not mandatory but encouraged)

@Haarolean Haarolean added type/bug Something isn't working type/enhancement An enhancement to an already existing feature scope/backend labels Jun 27, 2023
@Haarolean Haarolean requested a review from a team as a code owner June 27, 2023 09:37
@Haarolean Haarolean self-assigned this Jun 27, 2023
@Haarolean Haarolean merged commit b700ac3 into master Jun 27, 2023
@Haarolean Haarolean deleted the issues/3883_2 branch June 27, 2023 12:30
Haarolean added a commit that referenced this pull request Jun 27, 2023
… role matching (#3979)

Co-authored-by: Ilya Kuramshin <[email protected]>
(cherry picked from commit b700ac3)

truongnnt commented Feb 25, 2024

I found that if we define group-role-attribute as something other than cn, we get an exception.
And if there are multiple roles from LDAP, authorization only returns one.
This is my config:

auth:
  type: LDAP
spring:
  ldap:
    urls: ldap://localhost:10389
    base: "cn={0},ou=people,dc=planetexpress,dc=com"
    admin-user: "cn=admin,dc=planetexpress,dc=com"
    admin-password: "GoodNewsEveryone"
    user-filter-search-base: "dc=planetexpress,dc=com"
    user-filter-search-filter: "(&(uid={0})(objectClass=inetOrgPerson))"
    group-role-attribute: "role"
    group-filter-search-filter: "(&(DistinguishedName={0})(cn={1}))"
    group-filter-search-base: "ou=people,dc=planetexpress,dc=com" # required for RBAC

I suggest a solution as follows:
Change LdapSecurityConfig.class

public DefaultLdapAuthoritiesPopulator ldapAuthoritiesExtractor(ApplicationContext context,
                                                                BaseLdapPathContextSource contextSource,
                                                                AccessControlService acs) {
  var rbacEnabled = acs != null && acs.isRbacEnabled();
  DefaultLdapAuthoritiesPopulator extractor;

  if (rbacEnabled) {
    extractor = new RbacLdapAuthoritiesExtractor(context, contextSource, props.getGroupFilterSearchBase());
  } else {
    extractor = new DefaultLdapAuthoritiesPopulator(contextSource, props.getGroupFilterSearchBase());
  }

  Optional.ofNullable(props.getGroupFilterSearchFilter()).ifPresent(extractor::setGroupSearchFilter);
  Optional.ofNullable(props.getGroupRoleAttribute()).ifPresent(extractor::setGroupRoleAttribute); // Add this line
  extractor.setRolePrefix("");
  extractor.setConvertToUpperCase(false);
  extractor.setSearchSubtree(true);
  return extractor;
}

Change RbacLdapAuthoritiesExtractor

private Set<String> getRoles(String userDn, String username) {
  var groupSearchBase = props.getGroupFilterSearchBase();
  Assert.notNull(groupSearchBase, "groupSearchBase is empty");
  var groupRoleAttribute = getGroupRoleAttribute(); // Change: read the attribute configured on the populator

  log.trace(
      "Searching for roles for user [{}] with DN [{}], groupRoleAttribute [{}] and filter [{}] in search base [{}]",
      username, userDn, groupRoleAttribute, getGroupSearchFilter(), groupSearchBase);

  var ldapTemplate = getLdapTemplate();
  ldapTemplate.setIgnoreNameNotFoundException(true);

  Set<Map<String, List<String>>> userRoles = ldapTemplate.searchForMultipleAttributeValues(
      groupSearchBase, getGroupSearchFilter(), new String[] {userDn, username},
      new String[] {groupRoleAttribute});

  return userRoles.stream()
      .map(record -> record.get(groupRoleAttribute)) // Change: take all values of the role attribute
      .filter(Objects::nonNull)                       // skip entries that do not carry the attribute
      .flatMap(List::stream)                          // instead of only the first one
      .peek(group -> log.trace("Found LDAP group [{}] for user [{}]", group, username))
      .collect(Collectors.toSet());
}

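As an added illustration (not code from the kafka-ui project), the following Java puts together the two points on this page: flattening a multi-valued group-role attribute into the user's full set of LDAP groups, and matching those groups against the subject-level rbac.roles[].subjects[] entries shown in the PR description. The Subject and Role records, the sample search results and the role list are constructed assumptions; the matching rule (provider ldap, type group, exact value) is the one the PR description shows, and the name-level matching it says is preserved is not modelled here.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Added illustration, not kafka-ui's code: the Role/Subject records and the sample
// search results are constructed to mirror the YAML shape in the PR description.
public class LdapRbacMatchingExample {

  record Subject(String provider, String type, String value) {} // rbac.roles[].subjects[]
  record Role(String name, List<Subject> subjects) {}           // rbac.roles[]

  // Flattens results shaped like SpringSecurityLdapTemplate#searchForMultipleAttributeValues
  // (one map per matched group entry: attribute name -> all of its values). Every value of
  // the configured group-role attribute is kept, not only the first; entries lacking it are skipped.
  static Set<String> extractGroups(Set<Map<String, List<String>>> searchResults,
                                   String groupRoleAttribute) {
    return searchResults.stream()
        .map(entry -> entry.getOrDefault(groupRoleAttribute, List.of()))
        .flatMap(List::stream)
        .collect(Collectors.toSet());
  }

  // Grants a role when at least one of its subjects is an ldap/group subject whose value is
  // among the user's extracted groups; subjects of another provider or type never match.
  static Set<String> grantedRoles(Set<String> userGroups, List<Role> roles) {
    return roles.stream()
        .filter(role -> role.subjects().stream()
            .anyMatch(s -> "ldap".equals(s.provider())
                && "group".equals(s.type())
                && userGroups.contains(s.value())))
        .map(Role::name)
        .collect(Collectors.toSet());
  }

  public static void main(String[] args) {
    // Constructed sample: two group entries, one with a multi-valued "role" attribute.
    Set<Map<String, List<String>>> results = Set.of(
        Map.of("role", List.of("memelord", "readonly")),
        Map.of("role", List.of("admins")));
    Set<String> groups = extractGroups(results, "role");

    List<Role> roles = List.of(
        new Role("memelords", List.of(new Subject("ldap", "group", "memelord"))),
        new Role("viewers", List.of(new Subject("ldap", "group", "readonly"))),
        new Role("ops", List.of(new Subject("oauth", "group", "admins")))); // provider mismatch
    System.out.println("groups: " + groups);
    System.out.println("granted roles: " + grantedRoles(groups, roles));
  }
}
```

Running it with a Java 16+ JDK grants memelords and viewers but not ops, since the admins group only appears under a non-ldap provider.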
Successfully merging this pull request may close these issues.

RBAC: LDAP: Support group search filter filter and subtree search