feat: add PR feedbacks + fix broken tests + add new edge case tests for keycloak groups

Author: Leopold-Cramer

common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt

@@ -30,19 +30,20 @@ open class CsmRbac(
     val accessControls = mutableListOf<String>()
     objectSecurity.accessControlList.forEach {
       if (accessControls.contains(it.id)) {
-        throw IllegalArgumentException("User ${it.id} is referenced multiple times in the security")
+        throw IllegalArgumentException(
+            "Entity ${it.id} is referenced multiple times in the security")
       }
       accessControls.add(it.id)
     }
 
     // Make sure we have at least one admin
     if (!objectSecurity.accessControlList.any { it.role == ROLE_ADMIN }) {
-      val currentUserId = getCurrentAccountIdentifier(csmPlatformProperties)
-      val currentUserACL = objectSecurity.accessControlList.find { it.id == currentUserId }
-      if (currentUserACL != null) {
-        currentUserACL.role = ROLE_ADMIN
+      val currentEntityId = getCurrentAccountIdentifier(csmPlatformProperties)
+      val currentEntityACL = objectSecurity.accessControlList.find { it.id == currentEntityId }
+      if (currentEntityACL != null) {
+        currentEntityACL.role = ROLE_ADMIN
       } else {
-        objectSecurity.accessControlList.add(RbacAccessControl(currentUserId, ROLE_ADMIN))
+        objectSecurity.accessControlList.add(RbacAccessControl(currentEntityId, ROLE_ADMIN))
       }
     }
 
@@ -56,27 +57,27 @@ open class CsmRbac(
   ) {
     if (!this.check(rbacSecurity, permission, rolesDefinition))
         throw CsmAccessForbiddenException(
-            "RBAC ${rbacSecurity.id} - User does not have permission $permission")
+            "RBAC ${rbacSecurity.id} - Entity does not have permission $permission")
   }
 
   fun check(
       rbacSecurity: RbacSecurity,
       permission: String,
       rolesDefinition: RolesDefinition = getCommonRolesDefinition()
   ): Boolean {
-    logger.info("RBAC ${rbacSecurity.id} - Verifying permission $permission for user")
+    logger.info("RBAC ${rbacSecurity.id} - Verifying permission $permission for entity")
     if (!this.csmPlatformProperties.rbac.enabled) {
       logger.debug("RBAC ${rbacSecurity.id} - RBAC check not enabled")
       return true
     }
-    var userIsAdminOrHasPermission = this.isAdmin(rbacSecurity, rolesDefinition)
-    if (!userIsAdminOrHasPermission) {
-      val user = getCurrentAccountIdentifier(this.csmPlatformProperties)
+    var entityIsAdminOrHasPermission = this.isAdmin(rbacSecurity, rolesDefinition)
+    if (!entityIsAdminOrHasPermission) {
+      val entity = getCurrentAccountIdentifier(this.csmPlatformProperties)
       val groups = getCurrentAccountGroups(this.csmPlatformProperties)
-      userIsAdminOrHasPermission =
-          this.verifyRbac(rbacSecurity, permission, rolesDefinition, user, groups)
+      entityIsAdminOrHasPermission =
+          this.verifyRbac(rbacSecurity, permission, rolesDefinition, entity, groups)
     }
-    return userIsAdminOrHasPermission
+    return entityIsAdminOrHasPermission
   }
 
   fun setDefault(
@@ -92,33 +93,35 @@ open class CsmRbac(
     return rbacSecurity
   }
 
-  fun addUserRole(
+  fun addEntityRole(
       parentRbacSecurity: RbacSecurity,
       rbacSecurity: RbacSecurity,
-      userId: String,
+      entityId: String,
       role: String,
       rolesDefinition: RolesDefinition = getCommonRolesDefinition()
   ): RbacSecurity {
 
     if (!isAdmin(rbacSecurity, rolesDefinition)) {
-      this.checkUserExists(
+      this.checkEntityExists(
           parentRbacSecurity,
-          userId,
-          "User $userId not found in parent ${parentRbacSecurity.id} component")
+          entityId,
+          "Entity $entityId not found in parent ${parentRbacSecurity.id} component")
     }
-    return setUserRole(rbacSecurity, userId, role, rolesDefinition)
+    return setEntityRole(rbacSecurity, entityId, role, rolesDefinition)
   }
 
-  fun setUserRole(
+  fun setEntityRole(
       rbacSecurity: RbacSecurity,
-      userId: String,
+      entityId: String,
       role: String,
       rolesDefinition: RolesDefinition = getCommonRolesDefinition()
   ): RbacSecurity {
-    logger.info("RBAC ${rbacSecurity.id} - Setting user $userId roles")
+    logger.info("RBAC ${rbacSecurity.id} - Setting entity $entityId roles")
     this.verifyRoleOrThrow(rbacSecurity, role, rolesDefinition)
     val currentACLRole =
-        rbacSecurity.accessControlList.firstOrNull { it.id.lowercase() == userId.lowercase() }?.role
+        rbacSecurity.accessControlList
+            .firstOrNull { it.id.lowercase() == entityId.lowercase() }
+            ?.role
     val adminRole = this.getAdminRole(rolesDefinition)
     if (currentACLRole == adminRole &&
         role != adminRole &&
@@ -127,48 +130,48 @@ open class CsmRbac(
           "RBAC ${rbacSecurity.id} - It is forbidden to unset the last administrator")
     }
     val accessList = rbacSecurity.accessControlList
-    val userAccess = accessList.find { it.id == userId }
-    if (userAccess == null) {
-      accessList.add(RbacAccessControl(userId, role))
+    val entityAccess = accessList.find { it.id == entityId }
+    if (entityAccess == null) {
+      accessList.add(RbacAccessControl(entityId, role))
     } else {
-      userAccess.role = role
+      entityAccess.role = role
     }
     return rbacSecurity
   }
 
-  fun getUsers(rbacSecurity: RbacSecurity): List<String> {
+  fun getEntities(rbacSecurity: RbacSecurity): List<String> {
     return (rbacSecurity.accessControlList.map { it.id })
   }
 
-  fun getAccessControl(rbacSecurity: RbacSecurity, userId: String): RbacAccessControl {
-    return rbacSecurity.accessControlList.find { it.id == userId }
+  fun getAccessControl(rbacSecurity: RbacSecurity, entityId: String): RbacAccessControl {
+    return rbacSecurity.accessControlList.find { it.id == entityId }
         ?: throw CsmResourceNotFoundException(
-            "User $userId not found in ${rbacSecurity.id} component")
+            "Entity $entityId not found in ${rbacSecurity.id} component")
   }
 
-  fun checkUserExists(
+  fun checkEntityExists(
       rbacSecurity: RbacSecurity,
-      userId: String,
-      exceptionUserNotFoundMessage: String
+      entityId: String,
+      exceptionEntityNotFoundMessage: String
   ): RbacAccessControl {
-    return rbacSecurity.accessControlList.find { it.id == userId }
-        ?: throw CsmResourceNotFoundException(exceptionUserNotFoundMessage)
+    return rbacSecurity.accessControlList.find { it.id == entityId }
+        ?: throw CsmResourceNotFoundException(exceptionEntityNotFoundMessage)
   }
 
-  fun removeUser(
+  fun removeEntity(
       rbacSecurity: RbacSecurity,
-      userId: String,
+      entityId: String,
       rolesDefinition: RolesDefinition = getCommonRolesDefinition()
   ): RbacSecurity {
-    logger.info("RBAC ${rbacSecurity.id} - Removing user $userId from security")
-    checkUserExists(rbacSecurity, userId, "User $userId not found")
-    val role = this.getUserRole(rbacSecurity, userId)
+    logger.info("RBAC ${rbacSecurity.id} - Removing entity $entityId from security")
+    checkEntityExists(rbacSecurity, entityId, "Entity $entityId not found")
+    val role = this.getEntityRole(rbacSecurity, entityId)
     if (role == (this.getAdminRole(rolesDefinition)) &&
         this.getAdminCount(rbacSecurity, rolesDefinition) == 1) {
       throw CsmAccessForbiddenException(
           "RBAC ${rbacSecurity.id} - It is forbidden to remove the last administrator")
     }
-    rbacSecurity.accessControlList.removeIf { it.id == userId }
+    rbacSecurity.accessControlList.removeIf { it.id == entityId }
     return rbacSecurity
   }
 
@@ -184,47 +187,46 @@ open class CsmRbac(
 
   internal fun verifyAdminRole(
       rbacSecurity: RbacSecurity,
-      user: String?,
-      groups: List<String>?,
+      user: String,
+      groups: List<String>,
       rolesDefinition: RolesDefinition
   ): Boolean {
     logger.debug("RBAC ${rbacSecurity.id} - Verifying if $user has default admin rbac role")
-    var isAdmin = false
-    groups?.forEach {
-      if (this.getUserRole(rbacSecurity, it) == this.getAdminRole(rolesDefinition)) {
-        isAdmin = true
-      }
-    }
-    if (user != null) {
-      if (this.getUserRole(rbacSecurity, user) == this.getAdminRole(rolesDefinition)) {
-        isAdmin = true
-      }
-    }
-    logger.debug("RBAC ${rbacSecurity.id} - $user have default admin rbac role: $isAdmin")
+    val isAdmin =
+        if (rbacSecurity.accessControlList.any() { it.id == user }) {
+          this.getEntityRole(rbacSecurity, user) == this.getAdminRole(rolesDefinition)
+        } else {
+          groups.any {
+            this.getEntityRole(rbacSecurity, it) == this.getAdminRole(rolesDefinition)
+          } ||
+              this.getEntityRole(rbacSecurity, rbacSecurity.default) ==
+                  this.getAdminRole(rolesDefinition)
+        }
+    logger.debug("RBAC ${rbacSecurity.id} - $user has default admin rbac role: $isAdmin")
     return isAdmin
   }
 
-  internal fun verifyUser(
+  internal fun verifyEntity(
       rbacSecurity: RbacSecurity,
       permission: String,
       rolesDefinition: RolesDefinition,
       user: String,
       groups: List<String>
   ): Boolean {
-    logger.debug("RBAC ${rbacSecurity.id} - Verifying $user has permission in ACL: $permission")
-    var isAuthorized = false
-    groups.forEach {
-      if (this.verifyPermissionFromRole(
-          permission, getUserRole(rbacSecurity, it), rolesDefinition)) {
-        isAuthorized = true
-      }
-    }
-    if (user.isNotEmpty()) {
-      if (this.verifyPermissionFromRole(
-          permission, getUserRole(rbacSecurity, user), rolesDefinition))
-          isAuthorized = true
-    }
-    logger.debug("RBAC ${rbacSecurity.id} - $user has permission $permission in ACL: $isAuthorized")
+    logger.debug(
+        "RBAC ${rbacSecurity.id} - Verifying $user or one of $groups has permission in ACL: $permission")
+    val isAuthorized =
+        if (rbacSecurity.accessControlList.any() { it.id == user }) {
+          verifyPermissionFromRole(permission, getEntityRole(rbacSecurity, user), rolesDefinition)
+        } else {
+          groups.any {
+            verifyPermissionFromRole(permission, getEntityRole(rbacSecurity, it), rolesDefinition)
+          } ||
+              verifyPermissionFromRole(
+                  permission, getEntityRole(rbacSecurity, rbacSecurity.default), rolesDefinition)
+        }
+    logger.debug(
+        "RBAC ${rbacSecurity.id} - $user or one of $groups has permission $permission in ACL: $isAuthorized")
     return isAuthorized
   }
 
@@ -249,7 +251,7 @@ open class CsmRbac(
       groups: List<String>
   ): Boolean {
     return (this.verifyDefault(rbacSecurity, permission, rolesDefinition) ||
-        this.verifyUser(rbacSecurity, permission, rolesDefinition, user, groups))
+        this.verifyEntity(rbacSecurity, permission, rolesDefinition, user, groups))
   }
 
   internal fun verifyPermissionFromRole(
@@ -268,9 +270,9 @@ open class CsmRbac(
     return rolesDefinition[role] ?: listOf()
   }
 
-  internal fun getUserRole(rbacSecurity: RbacSecurity, user: String): String {
+  internal fun getEntityRole(rbacSecurity: RbacSecurity, entity: String): String {
     return rbacSecurity.accessControlList
-        .firstOrNull { it.id.lowercase() == user.lowercase() }
+        .firstOrNull { it.id.lowercase() == entity.lowercase() }
         ?.role ?: rbacSecurity.default
   }
 
@@ -290,8 +292,8 @@ open class CsmRbac(
         throw CsmClientException("RBAC ${rbacSecurity.id} - Role $role does not exist")
   }
 
-  internal fun verifyPermission(permission: String, userPermissions: List<String>): Boolean {
-    return userPermissions.contains(permission)
+  internal fun verifyPermission(permission: String, entityPermissions: List<String>): Boolean {
+    return entityPermissions.contains(permission)
   }
 
   internal fun verifyPermissionFromRoles(
@@ -303,9 +305,9 @@ open class CsmRbac(
   }
 
   internal fun isAdminToken(rbacSecurity: RbacSecurity): Boolean {
-    logger.debug("RBAC ${rbacSecurity.id} - Verifying if user has platform admin role in token")
+    logger.debug("RBAC ${rbacSecurity.id} - Verifying if entity has platform admin role in token")
     val isAdmin = csmAdmin.verifyCurrentRolesAdmin()
-    logger.debug("RBAC ${rbacSecurity.id} - user has platform admin role in token: $isAdmin")
+    logger.debug("RBAC ${rbacSecurity.id} - entity has platform admin role in token: $isAdmin")
     return isAdmin
   }