Implement full ABAC (Attribute-Based Access Control) system with unified policy evaluation and Keycloak attribute management UI (#31)

* Initial plan

* Add custom attributes support for LimitAccess annotation

- Added customAttributes field to LimitAccess annotation
- Updated AccessLimitations DTO to include custom attributes
- Enhanced AccessControlAspect to validate custom attributes against user attributes
- Created CustomAttributeMapping model, repository, and service for managing mappings
- Added REST API endpoints for CRUD operations on custom attribute mappings
- Created modern UI for managing custom attribute mappings
- Added database migration for custom_attribute_mappings table
- Integrated with existing UserAttributeService for attribute validation

Co-authored-by: phrocker <[email protected]>

* Add comprehensive tests for custom attribute functionality

- Added CustomAttributeMappingServiceTest with 17 test cases
- Added AccessControlAspectCustomAttributeTest with 10 test cases
- Tests cover happy path, edge cases, validation, and error handling
- All tests passing (91 tests run, 0 failures)

Co-authored-by: phrocker <[email protected]>

* Add comprehensive documentation for custom attribute mappings feature

- Created detailed CUSTOM_ATTRIBUTE_MAPPINGS.md with usage examples
- Documented REST API endpoints and request/response formats
- Added quick start guide and configuration instructions
- Included use cases, troubleshooting, and best practices
- Added security considerations and performance notes

Co-authored-by: phrocker <[email protected]>

* Fix UserAttributeService dependency injection in AccessControlAspect

- Changed UserAttributeService from required constructor parameter to optional @lazy field injection
- Added null check in checkCustomAttribute method to handle cases where service is not available
- Removed @requiredargsconstructor and manually created constructor
- This resolves the KeycloakManager bean creation issue during application startup
- All tests passing (91/91)

Co-authored-by: phrocker <[email protected]>

* fix kafka deployment

* Fix layout and add navigation for custom attribute mappings UI

- Fixed page layout to use proper container-fluid structure with sidebar
- Changed from simple container to row/column layout matching other pages
- Added "Custom Attributes" menu item to sidebar under CAN_MANAGE_APPLICATION
- Positioned between Trust Policies and Telemetry for better organization
- Fixed CSS positioning to prevent content appearing below menu
- Build successful and ready for deployment

Co-authored-by: phrocker <[email protected]>

* Fix attribute endpoint

* Add core ABAC models and PolicyEvaluator service

- Created AttributeDefinition model for unified attribute schema across all scopes (SUBJECT, RESOURCE, ACTION, ENVIRONMENT)
- Created AttributeAssignment model for binding attributes to users, roles, endpoints, data entities
- Created AccessPolicy model for defining ABAC policies with priority and rule combination
- Created PolicyRule model for individual attribute conditions within policies
- Implemented PolicyEvaluator service as centralized evaluation engine
- Added EvaluationContext for subject/resource/action/environment attributes
- Added PolicyDecision for evaluation results
- Created repositories for all ABAC models
- Added database migration V30 for ABAC tables with indexes
- Build successful, ready for integration work

Co-authored-by: phrocker <[email protected]>

* Integrate PolicyEvaluator with AccessControlAspect and add ABAC services

- Integrated PolicyEvaluator into AccessControlAspect for ABAC-based attribute checking
- Added lazy-loaded PolicyEvaluator field to avoid circular dependencies
- Refactored checkCustomAttribute to use PolicyEvaluator when available, fallback to UserAttributeService
- Created AttributeManagementService for managing attribute definitions and assignments
- Implemented Keycloak sync method (syncUserAttributesFromKeycloak) for bidirectional attribute updates
- Created CustomAttributeMigrationService to migrate legacy CustomAttributeMapping to ABAC policies
- Added migration status tracking and automated policy generation from mappings
- All 91 tests passing with new ABAC integration

Co-authored-by: phrocker <[email protected]>

* Add ABAC REST API endpoints for policy management and migration

- Created DTOs for AccessPolicy, PolicyRule, and AttributeDefinition
- Implemented AccessPolicyController with CRUD operations
- Added migration endpoint (POST /api/v1/abac/policies/migrate)
- Added migration status endpoint (GET /api/v1/abac/policies/migration/status)
- Added policy listing (GET /api/v1/abac/policies)
- Added policy details and rules (GET /api/v1/abac/policies/{id} and {id}/rules)
- All endpoints protected with CAN_MANAGE_APPLICATION permission
- Build successful across all modules

Co-authored-by: phrocker <[email protected]>

* Complete Phase 2: Add tests, scheduler, and comprehensive ABAC documentation

- Added PolicyEvaluatorTest with 6 comprehensive test cases
- Added AttributeManagementServiceTest with 9 test cases covering all service methods
- Created KeycloakAttributeSyncScheduler for periodic attribute synchronization
- Added ABAC_IMPLEMENTATION_GUIDE.md with complete usage examples and best practices
- All 103 tests passing (12 new ABAC tests added)
- Build successful across all 15 modules
- Phase 2 now 100% complete

Co-authored-by: phrocker <[email protected]>

* Add comprehensive Keycloak attribute management UI and REST APIs

- Created user_attributes.html for managing user attributes from Keycloak
- Created attribute_definitions.html for managing attribute schemas
- Added AttributeManagementController with REST APIs for CRUD operations
- Added UserAttributesViewController for serving UI pages
- Created AttributeAssignmentDTO and SyncStatusDTO for data transfer
- Enhanced AttributeManagementService with methods for CRUD and sync
- Updated KeycloakAttributeSyncScheduler with sync status tracking
- Added repository methods for attribute queries
- Updated sidebar with links to User Attributes and Attribute Definitions pages
- All ABAC modules compile successfully

Co-authored-by: phrocker <[email protected]>

* Fix issues with build

* Fix KeycloakAttributeSyncScheduler dependency injection issue

- Made KeycloakAttributeSyncScheduler optional in AttributeManagementController
- Removed @requiredargsconstructor and added manual constructor
- Added @Autowired(required = false) for optional dependency injection
- Added null checks in sync endpoints to handle when scheduler is disabled
- Sync endpoints now return appropriate messages when sync is disabled
- Build successful with all modules compiling correctly

Co-authored-by: phrocker <[email protected]>

* Update

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: phrocker <[email protected]>
Co-authored-by: Marc Parisi <[email protected]>

Author: Copilot

api/src/main/java/io/sentrius/sso/controllers/CustomErrorHandler.java

@@ -42,6 +42,7 @@ public Object handleError(HttpServletRequest request, HttpServletResponse respon
 
         // Log as needed
         log.error("Error occurred: Status code {}, message {}", statusCode, message, ex);
+        log.error(response.toString());
 
         boolean isAjax = "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
         if (isAjax) {

api/src/main/java/io/sentrius/sso/controllers/api/CustomAttributeMappingController.java

@@ -0,0 +1,244 @@
+package io.sentrius.sso.controllers.api;
+
+import io.sentrius.sso.core.annotations.LimitAccess;
+import io.sentrius.sso.core.config.SystemOptions;
+import io.sentrius.sso.core.controllers.BaseController;
+import io.sentrius.sso.core.dto.CustomAttributeMappingDTO;
+import io.sentrius.sso.core.model.security.enums.ApplicationAccessEnum;
+import io.sentrius.sso.core.model.customattributes.CustomAttributeMapping;
+import io.sentrius.sso.core.services.ErrorOutputService;
+import io.sentrius.sso.core.services.UserService;
+import io.sentrius.sso.core.services.customattributes.CustomAttributeMappingService;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+@Slf4j
+@RestController
+@RequestMapping("/api/v1/custom-attribute-mappings")
+public class CustomAttributeMappingController extends BaseController {
+
+    private final CustomAttributeMappingService customAttributeMappingService;
+
+    public CustomAttributeMappingController(
+            CustomAttributeMappingService customAttributeMappingService,
+            UserService userService,
+            SystemOptions systemOptions,
+            ErrorOutputService errorOutputService) {
+        super(userService, systemOptions, errorOutputService);
+        this.customAttributeMappingService = customAttributeMappingService;
+    }
+
+    /**
+     * Get all custom attribute mappings
+     */
+    @GetMapping
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
+    public ResponseEntity<List<CustomAttributeMappingDTO>> getAllMappings(
+            HttpServletRequest request, 
+            HttpServletResponse response) {
+        
+        log.debug("Getting all custom attribute mappings");
+        
+        try {
+            List<CustomAttributeMapping> mappings = customAttributeMappingService.getAllMappings();
+            List<CustomAttributeMappingDTO> dtos = mappings.stream()
+                    .map(this::convertToDTO)
+                    .collect(Collectors.toList());
+            
+            return ResponseEntity.ok(dtos);
+            
+        } catch (Exception e) {
+            log.error("Error getting custom attribute mappings", e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
+        }
+    }
+
+    /**
+     * Get mappings for a specific endpoint
+     */
+    @GetMapping("/endpoint")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
+    public ResponseEntity<List<CustomAttributeMappingDTO>> getMappingsByEndpoint(
+            @RequestParam String endpoint,
+            HttpServletRequest request, 
+            HttpServletResponse response) {
+        
+        log.debug("Getting custom attribute mappings for endpoint: {}", endpoint);
+        
+        try {
+            List<CustomAttributeMapping> mappings = customAttributeMappingService.getMappingsByEndpoint(endpoint);
+            List<CustomAttributeMappingDTO> dtos = mappings.stream()
+                    .map(this::convertToDTO)
+                    .collect(Collectors.toList());
+            
+            return ResponseEntity.ok(dtos);
+            
+        } catch (Exception e) {
+            log.error("Error getting custom attribute mappings for endpoint: {}", endpoint, e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
+        }
+    }
+
+    /**
+     * Create a new custom attribute mapping
+     */
+    @PostMapping
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
+    public ResponseEntity<CustomAttributeMappingDTO> createMapping(
+            @RequestBody CustomAttributeMappingDTO dto,
+            HttpServletRequest request, 
+            HttpServletResponse response) {
+        
+        log.info("Creating custom attribute mapping for endpoint: {}", dto.getEndpoint());
+        
+        try {
+            CustomAttributeMapping mapping = customAttributeMappingService.createMapping(
+                    dto.getEndpoint(),
+                    dto.getAttributeName(),
+                    dto.getRequiredValue(),
+                    dto.getDescription()
+            );
+            
+            CustomAttributeMappingDTO responseDTO = convertToDTO(mapping);
+            return ResponseEntity.ok(responseDTO);
+            
+        } catch (IllegalArgumentException e) {
+            log.warn("Invalid mapping data: {}", e.getMessage());
+            return ResponseEntity.badRequest().build();
+        } catch (Exception e) {
+            log.error("Error creating custom attribute mapping", e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
+        }
+    }
+
+    /**
+     * Update an existing custom attribute mapping
+     */
+    @PutMapping("/{id}")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
+    public ResponseEntity<CustomAttributeMappingDTO> updateMapping(
+            @PathVariable Long id,
+            @RequestBody CustomAttributeMappingDTO dto,
+            HttpServletRequest request, 
+            HttpServletResponse response) {
+        
+        log.info("Updating custom attribute mapping: {}", id);
+        
+        try {
+            CustomAttributeMapping mapping = customAttributeMappingService.updateMapping(
+                    id,
+                    dto.getEndpoint(),
+                    dto.getAttributeName(),
+                    dto.getRequiredValue(),
+                    dto.getDescription(),
+                    dto.getIsActive()
+            );
+            
+            if (mapping == null) {
+                return ResponseEntity.notFound().build();
+            }
+            
+            CustomAttributeMappingDTO responseDTO = convertToDTO(mapping);
+            return ResponseEntity.ok(responseDTO);
+            
+        } catch (IllegalArgumentException e) {
+            log.warn("Invalid mapping data: {}", e.getMessage());
+            return ResponseEntity.badRequest().build();
+        } catch (Exception e) {
+            log.error("Error updating custom attribute mapping: {}", id, e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
+        }
+    }
+
+    /**
+     * Delete a custom attribute mapping
+     */
+    @DeleteMapping("/{id}")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
+    public ResponseEntity<Void> deleteMapping(
+            @PathVariable Long id,
+            HttpServletRequest request, 
+            HttpServletResponse response) {
+        
+        log.info("Deleting custom attribute mapping: {}", id);
+        
+        try {
+            boolean deleted = customAttributeMappingService.deleteMapping(id);
+            
+            if (deleted) {
+                return ResponseEntity.ok().build();
+            } else {
+                return ResponseEntity.notFound().build();
+            }
+            
+        } catch (Exception e) {
+            log.error("Error deleting custom attribute mapping: {}", id, e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
+        }
+    }
+
+    /**
+     * Get all unique endpoints that have custom attribute mappings
+     */
+    @GetMapping("/endpoints")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
+    public ResponseEntity<List<String>> getAllEndpoints(
+            HttpServletRequest request, 
+            HttpServletResponse response) {
+        
+        log.debug("Getting all endpoints with custom attribute mappings");
+        
+        try {
+            List<String> endpoints = customAttributeMappingService.getAllEndpoints();
+            return ResponseEntity.ok(endpoints);
+            
+        } catch (Exception e) {
+            log.error("Error getting endpoints", e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
+        }
+    }
+
+    /**
+     * Get all unique attribute names used in mappings
+     */
+    @GetMapping("/attribute-names")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
+    public ResponseEntity<List<String>> getAllAttributeNames(
+            HttpServletRequest request, 
+            HttpServletResponse response) {
+        
+        log.debug("Getting all attribute names");
+        
+        try {
+            List<String> attributeNames = customAttributeMappingService.getAllAttributeNames();
+            return ResponseEntity.ok(attributeNames);
+            
+        } catch (Exception e) {
+            log.error("Error getting attribute names", e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
+        }
+    }
+
+    /**
+     * Convert entity to DTO
+     */
+    private CustomAttributeMappingDTO convertToDTO(CustomAttributeMapping mapping) {
+        return CustomAttributeMappingDTO.builder()
+                .id(mapping.getId())
+                .endpoint(mapping.getEndpoint())
+                .attributeName(mapping.getAttributeName())
+                .requiredValue(mapping.getRequiredValue())
+                .description(mapping.getDescription())
+                .isActive(mapping.getIsActive())
+                .createdAt(mapping.getCreatedAt())
+                .updatedAt(mapping.getUpdatedAt())
+                .build();
+    }
+}