#1059 add readonly access to demo user for RBAC validation

Author: challamani-ms

calm-hub/keycloak-dev/device-code-flow.sh

@@ -54,7 +54,7 @@ poll_token() {
 #Start token polling
 poll_token
 
-echo -e "\nPress enter to create a sample user-access details associated to finos"
+echo -e "\nPress enter to create a sample user-access details associated to finos namespace."
 read
 if [[ -n $ACCESS_TOKEN ]]; then
   curl -X POST --insecure -v "https://localhost:8443/calm/namespaces/finos/user-access" \

calm-hub/mongo/init-mongo.js

@@ -42,10 +42,10 @@ if (db.counters.countDocuments({ _id: "flowStoreCounter" }) === 1) {
     print("flowStoreCounter already exists, no initialization needed");
 }
 
-if (db.counters.countDocuments({ _id: "userAccessStoreCounter" }) === 1) {
+if (db.counters.countDocuments({ _id: "userAccessStoreCounter" }) === 0) {
     db.counters.insertOne({
         _id: "userAccessStoreCounter",
-        sequence_value: 4
+        sequence_value: 6
     });
     print("Initialized userAccessStoreCounter with sequence_value 4");
 } else {
@@ -2691,5 +2691,26 @@ db.userAccess.insertMany([
         "permission": "write",
         "namespace": "traderx",
         "resourceType": "all"
+    },
+    {
+        "userAccessId": NumberInt(4),
+        "username": "demo",
+        "permission": "read",
+        "namespace": "finos",
+        "resourceType": "all"
+    },
+    {
+        "userAccessId": NumberInt(5),
+        "username": "demo",
+        "permission": "read",
+        "namespace": "traderx",
+        "resourceType": "all"
+    },
+    {
+        "userAccessId": NumberInt(6),
+        "username": "demo",
+        "permission": "read",
+        "namespace": "workshop",
+        "resourceType": "all"
     }
 ]);

calm-hub/src/main/java/org/finos/calm/security/UserAccessValidator.java

@@ -12,19 +12,36 @@
 
 import java.util.List;
 
+/**
+ * Validates whether a user is authorized to access a particular resource based on
+ * their assigned permissions and namespaces.
+ *
+ * This validator is active only when the 'secure' profile is enabled.
+ */
 @ApplicationScoped
 @IfBuildProfile("secure")
 public class UserAccessValidator {
 
     private static final Logger log = LoggerFactory.getLogger(UserAccessValidator.class);
     private final UserAccessStore userAccessStore;
 
+    /**
+     * Constructs a new UserAccessValidator with the provided UserAccessStore.
+     *
+     * @param userAccessStore the store used to retrieve user access permissions
+     */
     public UserAccessValidator(UserAccessStore userAccessStore) {
         this.userAccessStore = userAccessStore;
     }
 
+    /**
+     * Validates whether a user has sufficient access rights to perform an action on a given resource.
+     * If validation fails, a {@link ForbiddenException} is thrown.
+     *
+     * @param userRequestAttributes the request attributes including username, HTTP method, namespace, and path
+     * @throws ForbiddenException if the user is not authorized
+     */
     public void validate(UserRequestAttributes userRequestAttributes) {
-
         String action = mapHttpMethodToPermission(userRequestAttributes.requestMethod());
         String requestPath = userRequestAttributes.path();
 
@@ -35,6 +52,7 @@ public void validate(UserRequestAttributes userRequestAttributes) {
 
         try {
             List<UserAccess> userAccesses = userAccessStore.getUserAccessForUsername(userRequestAttributes.username());
+
             boolean authorized = userAccesses.stream().anyMatch(userAccess -> {
                 boolean resourceMatches = (UserAccess.ResourceType.all == userAccess.getResourceType())
                         || requestPath.contains(userAccess.getResourceType().name());
@@ -45,35 +63,53 @@ public void validate(UserRequestAttributes userRequestAttributes) {
             });
 
             if (!authorized) {
-                log.warn("Access denied for user [{}] to path [{}] with action [{}]", userRequestAttributes.username(),
-                        userRequestAttributes.path(),
-                        action);
+                log.warn("Access denied for user [{}] to path [{}] with action [{}]",
+                        userRequestAttributes.username(), userRequestAttributes.path(), action);
                 throw new ForbiddenException("Access denied.");
             }
 
         } catch (UserAccessNotFoundException ex) {
-            log.error("No access permissions assigned to the user: [{}]", userRequestAttributes.username(), ex.getMessage());
+            log.error("No access permissions assigned to the user: [{}]", userRequestAttributes.username(), ex);
             throw new ForbiddenException("Access denied.");
         }
     }
 
-    //TODO: How to protect GET - /calm/namespaces endpoint by maintaining namespace specific user grants.
+    /**
+     * Checks whether the request targets the default-accessible endpoint.
+     *
+     * @param userRequestAttributes the attributes of the incoming user request
+     * @return true if the endpoint is accessible by default, false otherwise
+     */
     private boolean isDefaultAccessibleResource(UserRequestAttributes userRequestAttributes) {
+        //TODO: How to protect GET - /calm/namespaces endpoint, by maintaining namespace specific user grants.
         return "/calm/namespaces".equals(userRequestAttributes.path()) &&
                 "get".equalsIgnoreCase(userRequestAttributes.requestMethod().toLowerCase());
     }
 
+    /**
+     * Maps HTTP methods to access permissions.
+     *
+     * @param method the HTTP method
+     * @return "write" for modifying methods, "read" otherwise
+     */
     private String mapHttpMethodToPermission(String method) {
         return switch (method) {
             case "POST", "PUT", "PATCH", "DELETE" -> "write";
             default -> "read";
         };
     }
 
+    /**
+     * Checks whether the user's permission level allows the requested action.
+     *
+     * @param userPermission   the user's assigned permission
+     * @param requestedAction  the action the user is attempting to perform
+     * @return true if the permission is sufficient, false otherwise
+     */
     private boolean permissionAllows(UserAccess.Permission userPermission, String requestedAction) {
         return switch (userPermission) {
             case write -> requestedAction.equals("write") || requestedAction.equals("read");
             case read -> requestedAction.equals("read");
         };
     }
-}
+}