Merge branch 'main' into custom_timezone

Author: germanosin

.github/CODEOWNERS

@@ -2,6 +2,7 @@
 
 
 # BACKEND
+gradle/libs.versions.toml   @kafbat/backend
 /build.gradle               @kafbat/backend
 /gradle.properties          @kafbat/backend
 /settings.gradle            @kafbat/backend

.github/dependabot.yml

@@ -7,14 +7,20 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/backend"
   open-pull-requests-limit: 10
   labels:
     - "type/dependencies"
     - "scope/backend"
   groups:
-    gradle-dependencies:
+    spring-boot-dependencies:
+      patterns:
+        - "org.springframework.boot:*"
+        - "io.spring.dependency-management"
+      # We will handle major upgrades manually
+      update-types:
+        - "patch"
+        - "minor"
+    other-dependencies:
       patterns:
         - "*"
       update-types:
@@ -27,8 +33,6 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/backend"
   open-pull-requests-limit: 10
   ignore:
   - dependency-name: "azul/zulu-openjdk-alpine"
@@ -43,8 +47,6 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/frontend"
   open-pull-requests-limit: 10
   versioning-strategy: increase-if-necessary
   labels:
@@ -64,8 +66,6 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/devops"
   open-pull-requests-limit: 10
   labels:
     - "type/dependencies"

api/build.gradle

@@ -14,7 +14,12 @@ dependencies {
     implementation project(":contract")
     implementation project(":serde-api")
     implementation libs.spring.starter.webflux
-    implementation libs.spring.starter.security
+    implementation(libs.spring.starter.security){
+        exclude group: 'com.nimbusds', module: 'nimbus-jose-jwt' because("Temporary overwrite to fix CVE-2025-53864. See https://avd.aquasec.com/nvd/2025/cve-2025-53864/")
+    }
+    implementation(libs.nimbus.jose.jwt){
+        because("Fixes CVE-2025-5386. See https://avd.aquasec.com/nvd/2025/cve-2025-53864/")
+    }
     implementation libs.spring.starter.actuator
     implementation libs.spring.starter.logging
     implementation libs.spring.starter.oauth2.client

api/src/main/java/io/kafbat/ui/config/auth/RoleBasedAccessControlProperties.java

@@ -1,6 +1,8 @@
 package io.kafbat.ui.config.auth;
 
+import io.kafbat.ui.model.rbac.DefaultRole;
 import io.kafbat.ui.model.rbac.Role;
+import jakarta.annotation.Nullable;
 import jakarta.annotation.PostConstruct;
 import java.util.ArrayList;
 import java.util.List;
@@ -11,13 +13,26 @@ public class RoleBasedAccessControlProperties {
 
   private final List<Role> roles = new ArrayList<>();
 
+  private DefaultRole defaultRole;
+
   @PostConstruct
   public void init() {
     roles.forEach(Role::validate);
+    if (defaultRole != null) {
+      defaultRole.validate();
+    }
   }
 
   public List<Role> getRoles() {
     return roles;
   }
 
+  public void setDefaultRole(DefaultRole defaultRole) {
+    this.defaultRole = defaultRole;
+  }
+
+  @Nullable
+  public DefaultRole getDefaultRole() {
+    return defaultRole;
+  }
 }

api/src/main/java/io/kafbat/ui/controller/AuthorizationController.java

@@ -3,10 +3,12 @@
 import io.kafbat.ui.api.AuthorizationApi;
 import io.kafbat.ui.model.ActionDTO;
 import io.kafbat.ui.model.AuthenticationInfoDTO;
+import io.kafbat.ui.model.KafkaCluster;
 import io.kafbat.ui.model.ResourceTypeDTO;
 import io.kafbat.ui.model.UserInfoDTO;
 import io.kafbat.ui.model.UserPermissionDTO;
 import io.kafbat.ui.model.rbac.Permission;
+import io.kafbat.ui.service.ClustersStorage;
 import io.kafbat.ui.service.rbac.AccessControlService;
 import java.security.Principal;
 import java.util.Collection;
@@ -29,8 +31,15 @@
 public class AuthorizationController implements AuthorizationApi {
 
   private final AccessControlService accessControlService;
+  private final ClustersStorage clustersStorage;
 
   public Mono<ResponseEntity<AuthenticationInfoDTO>> getUserAuthInfo(ServerWebExchange exchange) {
+    List<UserPermissionDTO> defaultRolePermissions = accessControlService.getDefaultRole() != null
+        ? mapPermissions(
+          accessControlService.getDefaultRole().getPermissions(),
+          clustersStorage.getKafkaClusters().stream().map(KafkaCluster::getName).toList())
+        : Collections.emptyList();
+
     Mono<List<UserPermissionDTO>> permissions = AccessControlService.getUser()
         .map(user -> accessControlService.getRoles()
             .stream()
@@ -39,6 +48,8 @@ public Mono<ResponseEntity<AuthenticationInfoDTO>> getUserAuthInfo(ServerWebExch
             .flatMap(Collection::stream)
             .toList()
         )
+        // if no roles are found, return default role permissions
+        .map(userPermissions ->  userPermissions.isEmpty() ? defaultRolePermissions : userPermissions)
         .switchIfEmpty(Mono.just(Collections.emptyList()));
 
     Mono<String> userName = ReactiveSecurityContextHolder.getContext()

api/src/main/java/io/kafbat/ui/model/rbac/DefaultRole.java

@@ -0,0 +1,18 @@
+package io.kafbat.ui.model.rbac;
+
+import static com.google.common.base.Preconditions.checkArgument;
+
+import java.util.ArrayList;
+import java.util.List;
+import lombok.Data;
+
+@Data
+public class DefaultRole {
+
+  private List<Permission> permissions = new ArrayList<>();
+
+  public void validate() {
+    permissions.forEach(Permission::validate);
+    permissions.forEach(Permission::transform);
+  }
+}

api/src/main/java/io/kafbat/ui/model/rbac/Role.java

@@ -21,5 +21,4 @@ public void validate() {
     permissions.forEach(Permission::transform);
     subjects.forEach(Subject::validate);
   }
-
 }

api/src/main/java/io/kafbat/ui/service/rbac/AccessControlService.java

@@ -7,6 +7,7 @@
 import io.kafbat.ui.model.ConnectDTO;
 import io.kafbat.ui.model.InternalTopic;
 import io.kafbat.ui.model.rbac.AccessContext;
+import io.kafbat.ui.model.rbac.DefaultRole;
 import io.kafbat.ui.model.rbac.Permission;
 import io.kafbat.ui.model.rbac.Role;
 import io.kafbat.ui.model.rbac.Subject;
@@ -62,7 +63,7 @@ public class AccessControlService {
 
   @PostConstruct
   public void init() {
-    if (CollectionUtils.isEmpty(properties.getRoles())) {
+    if (CollectionUtils.isEmpty(properties.getRoles()) && properties.getDefaultRole() == null) {
       log.trace("No roles provided, disabling RBAC");
       return;
     }
@@ -86,7 +87,8 @@ public void init() {
         .flatMap(Set::stream)
         .collect(Collectors.toSet());
 
-    if (!properties.getRoles().isEmpty()
+    boolean hasRolesConfigured = !properties.getRoles().isEmpty() || properties.getDefaultRole() != null;
+    if (hasRolesConfigured
         && "oauth2".equalsIgnoreCase(environment.getProperty("auth.type"))
         && (clientRegistrationRepository == null || !clientRegistrationRepository.iterator().hasNext())) {
       log.error("Roles are configured but no authentication methods are present. Authentication might fail.");
@@ -114,12 +116,20 @@ private boolean isAccessible(AuthenticatedUser user, AccessContext context) {
   }
 
   private List<Permission> getUserPermissions(AuthenticatedUser user, @Nullable String clusterName) {
-    return properties.getRoles()
-        .stream()
-        .filter(filterRole(user))
-        .filter(role -> clusterName == null || role.getClusters().stream().anyMatch(clusterName::equalsIgnoreCase))
-        .flatMap(role -> role.getPermissions().stream())
-        .toList();
+    List<Role> filteredRoles = properties.getRoles()
+            .stream()
+            .filter(filterRole(user))
+            .filter(role -> clusterName == null || role.getClusters().stream().anyMatch(clusterName::equalsIgnoreCase))
+            .toList();
+
+    // if no roles are found, check if default role is set
+    if (filteredRoles.isEmpty() && properties.getDefaultRole() != null) {
+      return properties.getDefaultRole().getPermissions();
+    }
+
+    return filteredRoles.stream()
+            .flatMap(role -> role.getPermissions().stream())
+            .toList();
   }
 
   public static Mono<AuthenticatedUser> getUser() {
@@ -132,10 +142,12 @@ public static Mono<AuthenticatedUser> getUser() {
 
   private boolean isClusterAccessible(String clusterName, AuthenticatedUser user) {
     Assert.isTrue(StringUtils.isNotEmpty(clusterName), "cluster value is empty");
-    return properties.getRoles()
+    boolean isAccessible = properties.getRoles()
         .stream()
         .filter(filterRole(user))
         .anyMatch(role -> role.getClusters().stream().anyMatch(clusterName::equalsIgnoreCase));
+    
+    return isAccessible || properties.getDefaultRole() != null;
   }
 
   public Mono<Boolean> isClusterAccessible(ClusterDTO cluster) {
@@ -200,6 +212,10 @@ public List<Role> getRoles() {
     return Collections.unmodifiableList(properties.getRoles());
   }
 
+  public DefaultRole getDefaultRole() {
+    return properties.getDefaultRole();
+  }
+
   private Predicate<Role> filterRole(AuthenticatedUser user) {
     return role -> user.groups().contains(role.getName());
   }

api/src/test/java/io/kafbat/ui/service/rbac/AccessControlServiceDefaultRoleRbacEnabledTest.java

@@ -0,0 +1,102 @@
+package io.kafbat.ui.service.rbac;
+
+import static io.kafbat.ui.service.rbac.MockedRbacUtils.DEFAULT_ROLE;
+import static io.kafbat.ui.service.rbac.MockedRbacUtils.PROD_CLUSTER;
+import static io.kafbat.ui.service.rbac.MockedRbacUtils.getAccessContext;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import io.kafbat.ui.AbstractIntegrationTest;
+import io.kafbat.ui.config.auth.RbacUser;
+import io.kafbat.ui.config.auth.RoleBasedAccessControlProperties;
+import io.kafbat.ui.model.ClusterDTO;
+import io.kafbat.ui.model.rbac.AccessContext;
+import io.kafbat.ui.model.rbac.DefaultRole;
+import java.util.List;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mock;
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.ReactiveSecurityContextHolder;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.util.ReflectionTestUtils;
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
+
+
+/**
+ * Test class for AccessControlService with default role and RBAC enabled.
+ */
+@DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_CLASS)
+public class AccessControlServiceDefaultRoleRbacEnabledTest extends AbstractIntegrationTest {
+
+  @Autowired
+  AccessControlService accessControlService;
+
+  @Mock
+  SecurityContext securityContext;
+
+  @Mock
+  Authentication authentication;
+
+  @Mock
+  RbacUser user;
+
+  @Mock
+  DefaultRole defaultRole;
+
+  @BeforeEach
+  void setUp() {
+
+    RoleBasedAccessControlProperties properties = mock();
+    defaultRole = MockedRbacUtils.getDefaultRole();
+    when(properties.getDefaultRole()).thenReturn(defaultRole);
+    when(properties.getRoles()).thenReturn(List.of()); // Return empty list for roles
+
+
+    ReflectionTestUtils.setField(accessControlService, "properties", properties);
+    ReflectionTestUtils.setField(accessControlService, "rbacEnabled", true);
+
+    // Mock security context
+    when(securityContext.getAuthentication()).thenReturn(authentication);
+    when(authentication.getPrincipal()).thenReturn(user);
+  }
+
+  public void withSecurityContext(Runnable runnable) {
+    try (MockedStatic<ReactiveSecurityContextHolder> ctxHolder = Mockito.mockStatic(
+        ReactiveSecurityContextHolder.class)) {
+      // Mock static method to get security context
+      ctxHolder.when(ReactiveSecurityContextHolder::getContext).thenReturn(Mono.just(securityContext));
+      runnable.run();
+    }
+  }
+
+  @Test
+  void validateAccess() {
+    withSecurityContext(() -> {
+      when(user.groups()).thenReturn(List.of(DEFAULT_ROLE));
+      AccessContext context = getAccessContext(PROD_CLUSTER, true);
+      Mono<Void> validateAccessMono = accessControlService.validateAccess(context);
+      StepVerifier.create(validateAccessMono)
+          .expectComplete()
+          .verify();
+    });
+  }
+
+  @Test
+  void isClusterAccessible() {
+    withSecurityContext(() -> {
+      ClusterDTO clusterDto = new ClusterDTO();
+      clusterDto.setName(PROD_CLUSTER);
+      Mono<Boolean> clusterAccessibleMono = accessControlService.isClusterAccessible(clusterDto);
+      StepVerifier.create(clusterAccessibleMono)
+          .expectNext(true)
+          .expectComplete()
+          .verify();
+    });
+  }
+}