fix role mapping

Author: zvonand

src/Access/TokenAccessStorage.cpp

@@ -20,13 +20,15 @@ namespace ErrorCodes
 
 TokenAccessStorage::TokenAccessStorage(const String & storage_name_, AccessControl & access_control_, const Poco::Util::AbstractConfiguration & config_, const String & prefix_)
         : IAccessStorage(storage_name_), access_control(access_control_), config(config_), prefix(prefix_),
-          roles_filter(config.getString(prefix.empty() ? "" : prefix + "." + "roles_filter", "")),
         memory_storage(storage_name_, access_control.getChangesNotifier(), false)
 {
     std::lock_guard lock(mutex);
 
     const String prefix_str = (prefix.empty() ? "" : prefix + ".");
 
+    if (config.has(prefix_str + "roles_filter"))
+        roles_filter.emplace(config.getString(prefix_str + "roles_filter"));
+
     provider_name = config.getString(prefix_str + "processor");
     if (provider_name.empty())
         throw Exception(ErrorCodes::BAD_ARGUMENTS, "'processor' must be specified for Token user directory");
@@ -35,7 +37,7 @@ TokenAccessStorage::TokenAccessStorage(const String & storage_name_, AccessContr
     if (config.has(prefix_str + "common_roles"))
     {
         Poco::Util::AbstractConfiguration::Keys role_names;
-        config.keys(prefix_str + "roles", role_names);
+        config.keys(prefix_str + "common_roles", role_names);
 
         common_roles_cfg.insert(role_names.begin(), role_names.end());
     }
@@ -369,21 +371,22 @@ std::optional<AuthResult> TokenAccessStorage::authenticateImpl(
         throwAddressNotAllowed(address);
 
     std::set<String> external_roles;
-    if (!roles_filter.ok())
-    {
-        external_roles = token_credentials.getGroups();
-        LOG_TRACE(getLogger(), "{}: No external role filtering set, applying all available groups", getStorageName());
-    }
-    else
+    if (roles_filter.has_value() && roles_filter.value().ok())
     {
+        LOG_TRACE(getLogger(), "{}: External role filter found, applying only matching groups", getStorageName());
         for (const auto & group: token_credentials.getGroups()) {
-            if (RE2::FullMatch(group, roles_filter))
+            if (RE2::FullMatch(group, roles_filter.value()))
             {
                 external_roles.insert(group);
                 LOG_TRACE(getLogger(), "{}: Granted role (group) {} to user", getStorageName(), user->getName());
             }
         }
     }
+    else
+    {
+        LOG_TRACE(getLogger(), "{}: No external role filtering set, applying all available groups", getStorageName());
+        external_roles = token_credentials.getGroups();
+    }
 
     if (new_user)
     {

src/Access/TokenAccessStorage.h

@@ -48,7 +48,7 @@ class TokenAccessStorage : public IAccessStorage
     const String & prefix;
 
     String provider_name;
-    re2::RE2 roles_filter;
+    std::optional<re2::RE2> roles_filter = std::nullopt;
 
     std::set<String> common_role_names;                         // role name that should be granted to all users at all times
     mutable std::map<String, std::size_t> external_role_hashes;

src/Access/TokenProcessorsOpaque.cpp

@@ -30,17 +30,23 @@ namespace
         return jsonValue.get<picojson::object>();
     }
 
-    template<typename ValueType = std::string>
-    ValueType getValueByKey(const picojson::object & jsonObject, const std::string & key) {
+    template<typename ValueType = std::string, bool throw_on_exception = true>
+    std::optional<ValueType> getValueByKey(const picojson::object & jsonObject, const std::string & key) {
         auto it = jsonObject.find(key); // Find the key in the object
         if (it == jsonObject.end())
         {
-            throw std::runtime_error("Key not found: " + key);
+            if constexpr (throw_on_exception)
+                throw std::runtime_error("Key not found: " + key);
+            else
+                return std::nullopt;
         }
 
         const picojson::value & value = it->second;
         if (!value.is<ValueType>()) {
-            throw std::runtime_error("Value for key '" + key + "' has incorrect type.");
+            if constexpr (throw_on_exception)
+                throw std::runtime_error("Value for key '" + key + "' has incorrect type.");
+            else
+                return std::nullopt;
         }
 
         return value.get<ValueType>();
@@ -94,11 +100,9 @@ bool GoogleTokenProcessor::resolveAndValidate(const TokenCredentials & credentia
         throw Exception(ErrorCodes::AUTHENTICATION_FAILED,
                         "{}: Specified username_claim {} not found in token", processor_name, username_claim);
 
-    bool has_email = user_info_json.contains("email");
-    if (has_email)
-        user_info["email"] = getValueByKey(user_info_json, "email");
+    user_info["email"] = getValueByKey<std::string, false>(user_info_json, "email").value_or("");
 
-    user_info[username_claim] = getValueByKey(user_info_json, username_claim);
+    user_info[username_claim] = getValueByKey(user_info_json, username_claim).value();
 
     String user_name = user_info[username_claim];
 
@@ -109,11 +113,11 @@ bool GoogleTokenProcessor::resolveAndValidate(const TokenCredentials & credentia
 
     auto token_info = getObjectFromURI(Poco::URI("https://www.googleapis.com/oauth2/v3/tokeninfo"), token);
     if (token_info.contains("exp"))
-        const_cast<TokenCredentials &>(credentials).setExpiresAt(std::chrono::system_clock::from_time_t((getValueByKey<time_t>(token_info, "exp"))));
+        const_cast<TokenCredentials &>(credentials).setExpiresAt(std::chrono::system_clock::from_time_t((getValueByKey<time_t>(token_info, "exp").value())));
 
     /// Groups info can only be retrieved if user email is known.
     /// If no email found in user info, we skip this step and there are no external roles for the user.
-    if (has_email)
+    if (!user_info["email"].empty())
     {
         std::set<String> external_groups_names;
         const Poco::URI get_groups_uri = Poco::URI("https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups?query=member_key_id==" + user_info["email"] + "'");
@@ -139,10 +143,13 @@ bool GoogleTokenProcessor::resolveAndValidate(const TokenCredentials & credentia
                 }
 
                 auto group_data = group.get<picojson::object>();
-                String group_name = getValueByKey(group_data["groupKey"].get<picojson::object>(), "id");
-                external_groups_names.insert(group_name);
-                LOG_TRACE(getLogger("TokenAuthentication"),
-                          "{}: User {}: new external group {}", processor_name, user_name, group_name);
+                String group_name = getValueByKey<std::string, false>(group_data["groupKey"].get<picojson::object>(), "id").value_or("");
+                if (!group_name.empty())
+                {
+                    external_groups_names.insert(group_name);
+                    LOG_TRACE(getLogger("TokenAuthentication"),
+                              "{}: User {}: new external group {}", processor_name, user_name, group_name);
+                }
             }
 
             const_cast<TokenCredentials &>(credentials).setGroups(external_groups_names);
@@ -172,7 +179,7 @@ bool AzureTokenProcessor::resolveAndValidate(const TokenCredentials & credential
     try
     {
         picojson::object user_info_json = getObjectFromURI(Poco::URI("https://graph.microsoft.com/oidc/userinfo"), token);
-        String username = getValueByKey(user_info_json, username_claim);
+        String username = getValueByKey(user_info_json, username_claim).value();
         if (!username.empty())
         {
             /// Credentials are passed as const everywhere up the flow, so we have to comply,
@@ -224,9 +231,15 @@ bool AzureTokenProcessor::resolveAndValidate(const TokenCredentials & credential
             }
 
             auto group_data = group.get<picojson::object>();
-            String group_name = getValueByKey(group_data, "id");
-            external_groups_names.insert(group_name);
-            LOG_TRACE(getLogger("TokenAuthentication"), "{}: User {}: new external group {}", processor_name, credentials.getUserName(), group_name);
+            if (!group_data.contains("displayName"))
+                continue;
+
+            String group_name = getValueByKey<std::string, false>(group_data, "displayName").value_or("");
+            if (!group_name.empty())
+            {
+                external_groups_names.insert(group_name);
+                LOG_TRACE(getLogger("TokenAuthentication"), "{}: User {}: new external group {}", processor_name, credentials.getUserName(), group_name);
+            }
         }
     }
     catch (const Exception & e)
@@ -282,7 +295,7 @@ OpenIdTokenProcessor::OpenIdTokenProcessor(const String & processor_name_,
     if (!openid_config.contains("userinfo_endpoint") || !openid_config.contains("introspection_endpoint"))
         throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "{}: Cannot extract userinfo_endpoint or introspection_endpoint from OIDC configuration, consider manual configuration.", processor_name);
 
-    if (!openid_config.contains("jwks_uri"))
+    if (openid_config.contains("jwks_uri"))
     {
         LOG_TRACE(getLogger("TokenAuthentication"), "{}: JWKS URI set, local JWT processing will be attempted", processor_name_);
         jwt_validator.emplace(processor_name_ + "jwks_val",
@@ -291,7 +304,7 @@ OpenIdTokenProcessor::OpenIdTokenProcessor(const String & processor_name_,
                               groups_claim_,
                               "",
                               verifier_leeway_,
-                              getValueByKey(openid_config, "jwks_uri"),
+                              getValueByKey(openid_config, "jwks_uri").value(),
                               jwks_cache_lifetime_);
     }
 }
@@ -308,7 +321,7 @@ bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentia
         {
             auto decoded_token = jwt::decode(token);
             user_info_json = decoded_token.get_payload_json();
-            username = getValueByKey(user_info_json, username_claim);
+            username = getValueByKey(user_info_json, username_claim).value();
 
             /// TODO: Now we work only with Keycloak -- and it provides expires_at in token itself. Need to add actual token introspection logic for other OIDC providers.
             if (decoded_token.has_expires_at())
@@ -326,7 +339,7 @@ bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentia
         try
         {
             user_info_json = getObjectFromURI(userinfo_endpoint, token);
-            username = getValueByKey(user_info_json, username_claim);
+            username = getValueByKey(user_info_json, username_claim).value();
         }
         catch (...)
         {