feat: introduce regex option

callaertanthony · callaertanthony · commit 57d1937fabb5 · 2025-02-27T18:39:12.000+01:00
diff --git a/api/src/main/java/io/kafbat/ui/model/rbac/Subject.java b/api/src/main/java/io/kafbat/ui/model/rbac/Subject.java
@@ -4,32 +4,37 @@
 import static com.google.common.base.Preconditions.checkNotNull;
 
 import io.kafbat.ui.model.rbac.provider.Provider;
+import java.util.Objects;
 import lombok.Getter;
+import lombok.Setter;
 
 @Getter
 public class Subject {
 
   Provider provider;
+  @Setter
   String type;
+  @Setter
   String value;
+  @Setter
+  boolean isRegex;
 
   public void setProvider(String provider) {
     this.provider = Provider.fromString(provider.toUpperCase());
   }
 
-  public void setType(String type) {
-    this.type = type;
-  }
-
-  public void setValue(String value) {
-    this.value = value;
-  }
-
   public void validate() {
     checkNotNull(type, "Subject type cannot be null");
     checkNotNull(value, "Subject value cannot be null");
 
     checkArgument(!type.isEmpty(), "Subject type cannot be empty");
     checkArgument(!value.isEmpty(), "Subject value cannot be empty");
   }
+
+  public boolean matches(final String attribute) {
+    if (isRegex()) {
+      return Objects.nonNull(attribute) && attribute.matches(getValue());
+    }
+    return getValue().equalsIgnoreCase(attribute);
+  }
 }
diff --git a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/CognitoAuthorityExtractor.java b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/CognitoAuthorityExtractor.java
@@ -50,7 +50,7 @@ private Set<String> extractUsernameRoles(AccessControlService acs, DefaultOAuth2
             .stream()
             .filter(s -> s.getProvider().equals(Provider.OAUTH_COGNITO))
             .filter(s -> s.getType().equals("user"))
-            .anyMatch(s -> principal.getName().matches(s.getValue())))
+            .anyMatch(s -> s.matches(principal.getName())))
         .map(Role::getName)
         .collect(Collectors.toSet());
 
@@ -76,7 +76,7 @@ private Set<String> extractGroupRoles(AccessControlService acs, DefaultOAuth2Use
             .filter(s -> s.getType().equals("group"))
             .anyMatch(subject -> groups
                 .stream()
-                .anyMatch(cognitoGroup -> cognitoGroup.matches(subject.getValue()))
+                .anyMatch(subject::matches)
             ))
         .map(Role::getName)
         .collect(Collectors.toSet());
diff --git a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/GithubAuthorityExtractor.java b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/GithubAuthorityExtractor.java
@@ -90,7 +90,7 @@ private Set<String> extractUsernameRoles(DefaultOAuth2User principal, AccessCont
             .stream()
             .filter(s -> s.getProvider().equals(Provider.OAUTH_GITHUB))
             .filter(s -> s.getType().equals("user"))
-            .anyMatch(s -> username.matches(s.getValue())))
+            .anyMatch(s -> s.matches(username)))
         .map(Role::getName)
         .collect(Collectors.toSet());
 
@@ -131,7 +131,7 @@ private Mono<Set<String>> getOrganizationRoles(DefaultOAuth2User principal, Map<
                 .filter(s -> s.getType().equals(ORGANIZATION))
                 .anyMatch(subject -> orgsMap.stream()
                     .map(org -> org.get(ORGANIZATION_NAME).toString())
-                    .anyMatch(orgName -> orgName.matches(subject.getValue()))
+                    .anyMatch(subject::matches)
                 ))
             .map(Role::getName)
             .collect(Collectors.toSet()));
@@ -189,7 +189,7 @@ private Mono<Set<String>> getTeamRoles(WebClient webClient, Map<String, Object>
                 .filter(s -> s.getProvider().equals(Provider.OAUTH_GITHUB))
                 .filter(s -> s.getType().equals("team"))
                 .anyMatch(subject -> teams.stream()
-                    .anyMatch(teamName -> teamName.matches(subject.getValue()))
+                    .anyMatch(subject::matches)
                 ))
             .map(Role::getName)
             .collect(Collectors.toSet()));
diff --git a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/GoogleAuthorityExtractor.java b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/GoogleAuthorityExtractor.java
@@ -52,7 +52,7 @@ private Set<String> extractUsernameRoles(AccessControlService acs, DefaultOAuth2
             .filter(s -> s.getType().equals("user"))
             .anyMatch(s -> {
               String email = principal.getAttribute(EMAIL_ATTRIBUTE_NAME);
-              return email != null && email.matches(s.getValue());
+              return s.matches(email);
             }))
         .map(Role::getName)
         .collect(Collectors.toSet());
@@ -71,7 +71,7 @@ private Set<String> extractDomainRoles(AccessControlService acs, DefaultOAuth2Us
             .stream()
             .filter(s -> s.getProvider().equals(Provider.OAUTH_GOOGLE))
             .filter(s -> s.getType().equals("domain"))
-            .anyMatch(s -> domain.matches(s.getValue())))
+            .anyMatch(s -> s.matches(domain)))
         .map(Role::getName)
         .collect(Collectors.toSet());
   }
diff --git a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java
@@ -58,9 +58,7 @@ private Set<String> extractUsernameRoles(AccessControlService acs, DefaultOAuth2
             .stream()
             .filter(s -> s.getProvider().equals(Provider.OAUTH))
             .filter(s -> s.getType().equals("user"))
-            .peek(s -> log.trace("[{}] matches [{}]? [{}]", s.getValue(), principalName,
-               principalName.matches(s.getValue())))
-            .anyMatch(s ->  principalName.matches(s.getValue())))
+            .anyMatch(s ->  s.matches(principalName)))
         .map(Role::getName)
         .collect(Collectors.toSet());
 
@@ -94,7 +92,7 @@ private Set<String> extractRoles(AccessControlService acs, DefaultOAuth2User pri
             .stream()
             .filter(s -> s.getProvider().equals(Provider.OAUTH))
             .filter(s -> s.getType().equals("role"))
-            .anyMatch(subject -> principalRoles.stream().anyMatch(s -> s.matches(subject.getValue()))))
+            .anyMatch(subject -> principalRoles.stream().anyMatch(subject::matches)))
         .map(Role::getName)
         .collect(Collectors.toSet());
 
diff --git a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/RbacActiveDirectoryAuthoritiesExtractor.java b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/RbacActiveDirectoryAuthoritiesExtractor.java
@@ -37,8 +37,8 @@ public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOp
             .stream()
             .filter(subject -> subject.getProvider().equals(Provider.LDAP_AD))
             .anyMatch(subject -> switch (subject.getType()) {
-              case "user" -> username.equalsIgnoreCase(subject.getValue());
-              case "group" ->  adGroups.contains(subject.getValue());
+              case "user" -> subject.matches(username);
+              case "group" ->  adGroups.stream().anyMatch(subject::matches);
               default -> false;
             })
         )
diff --git a/api/src/main/java/io/kafbat/ui/service/rbac/extractor/RbacLdapAuthoritiesExtractor.java b/api/src/main/java/io/kafbat/ui/service/rbac/extractor/RbacLdapAuthoritiesExtractor.java
@@ -39,8 +39,8 @@ protected Set<GrantedAuthority> getAdditionalRoles(DirContextOperations user, St
             .stream()
             .filter(subject -> subject.getProvider().equals(Provider.LDAP))
             .anyMatch(subject -> switch (subject.getType()) {
-              case "user" -> username.equalsIgnoreCase(subject.getValue());
-              case "group" -> ldapGroups.contains(subject.getValue());
+              case "user" -> subject.matches(username);
+              case "group" -> ldapGroups.stream().anyMatch(subject::matches);
               default -> false;
             })
         )
diff --git a/api/src/test/java/io/kafbat/ui/config/RegexBasedProviderAuthorityExtractorTest.java b/api/src/test/java/io/kafbat/ui/config/RegexBasedProviderAuthorityExtractorTest.java
@@ -174,7 +174,7 @@ void extractGoogleAuthorities() {
 
     OAuth2User oauth2User = new DefaultOAuth2User(
         AuthorityUtils.createAuthorityList("SCOPE_message:read"),
-        Map.of("hd", "test.domain.com", "email", "john@kafka.com"),
+        Map.of("hd", "memelord.lol", "email", "john@kafka.com"),
         "email");
 
     HashMap<String, Object> additionalParams = new HashMap<>();
diff --git a/api/src/test/resources/roles_definition.yaml b/api/src/test/resources/roles_definition.yaml
@@ -3,12 +3,13 @@
     - provider: 'OAUTH'
       value: 'ROLE-[A-Z]+'
       type: 'role'
+      isRegex: 'true'
     - provider: 'OAUTH_COGNITO'
-      value: 'ROLE-[A-Z]+'
+      value: 'ROLE-ADMIN'
       type: 'group'
     - provider: 'OAUTH_GOOGLE'
-      value: '.*.domain.com'
       type: 'domain'
+      value: 'memelord.lol'
   clusters:
     - local
     - remote
@@ -23,14 +24,17 @@
     - provider: 'OAUTH'
       value: '.*@kafka.com'
       type: 'user'
+      isRegex: 'true'
     - provider: 'OAUTH_COGNITO'
       value: '.*@kafka.com'
       type: 'user'
+      isRegex: 'true'
     - provider: 'OAUTH_GITHUB'
       value: '.*@kafka.com'
       type: 'user'
+      isRegex: 'true'
     - provider: 'OAUTH_GOOGLE'
-      value: '.*@kafka.com'
+      value: 'john@kafka.com'
       type: 'user'
   clusters:
     - remote
