Issues/300: rbac now supports regex for values

Author: François

api/src/main/java/io/kafbat/ui/service/rbac/extractor/OauthAuthorityExtractor.java

@@ -60,7 +60,7 @@ private Set<String> extractUsernameRoles(AccessControlService acs, DefaultOAuth2
             .filter(s -> s.getType().equals("user"))
             .peek(s -> log.trace("[{}] matches [{}]? [{}]", s.getValue(), principalName,
                 s.getValue().equalsIgnoreCase(principalName)))
-            .anyMatch(s -> s.getValue().equalsIgnoreCase(principalName)))
+            .anyMatch(s -> principalName.matches(s.getValue())))
         .map(Role::getName)
         .collect(Collectors.toSet());
 
@@ -96,7 +96,7 @@ private Set<String> extractRoles(AccessControlService acs, DefaultOAuth2User pri
             .filter(s -> s.getType().equals("role"))
             .anyMatch(subject -> {
               var roleName = subject.getValue();
-              return principalRoles.contains(roleName);
+              return principalRoles.stream().anyMatch(s -> s.matches(subject.getValue()));
             })
         )
         .map(Role::getName)

api/src/test/java/io/kafbat/ui/config/ProviderAuthorityExtractorTest.java

@@ -0,0 +1,68 @@
+package io.kafbat.ui.config;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.mockito.Mockito.when;
+
+import io.kafbat.ui.config.auth.OAuthProperties;
+import io.kafbat.ui.model.rbac.Role;
+import io.kafbat.ui.service.rbac.AccessControlService;
+import io.kafbat.ui.service.rbac.extractor.OauthAuthorityExtractor;
+import io.kafbat.ui.service.rbac.extractor.ProviderAuthorityExtractor;
+import io.kafbat.ui.util.AccessControlServiceMock;
+import java.io.InputStream;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import lombok.SneakyThrows;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.introspector.BeanAccess;
+
+public class ProviderAuthorityExtractorTest {
+
+
+  private final AccessControlService accessControlService = new AccessControlServiceMock().getMock();
+  Yaml yaml;
+  ProviderAuthorityExtractor extractor;
+
+  @BeforeEach
+  void setUp() {
+    yaml = new Yaml();
+    yaml.setBeanAccess(BeanAccess.FIELD);
+    extractor = new OauthAuthorityExtractor();
+
+    InputStream rolesFile = this.getClass()
+        .getClassLoader()
+        .getResourceAsStream("roles_definition.yaml");
+
+    Role[] roleArray = yaml.loadAs(rolesFile, Role[].class);
+    when(accessControlService.getRoles()).thenReturn(List.of(roleArray));
+
+  }
+
+  @SneakyThrows
+  @Test
+  void ExtractAuthoritiesFromRegex() {
+
+    OAuth2User oauth2User = new DefaultOAuth2User(
+        AuthorityUtils.createAuthorityList("SCOPE_message:read"),
+        Map.of("role_definition", Set.of("ROLE-ADMIN", "ANOTHER-ROLE"), "user_name", "[email protected]"),
+        "user_name");
+
+    HashMap<String, Object> additionalParams = new HashMap<>();
+    OAuthProperties.OAuth2Provider oAuth2Provider = new OAuthProperties.OAuth2Provider();
+    oAuth2Provider.setCustomParams(Map.of("roles-field", "role_definition"));
+    additionalParams.put("provider", oAuth2Provider);
+
+    Set<String> roles = extractor.extract(accessControlService, oauth2User, additionalParams).block();
+
+    assertEquals(Set.of("viewer", "admin"), roles);
+
+  }
+
+}

api/src/test/resources/roles_definition.yaml

@@ -0,0 +1,34 @@
+- name: 'admin'
+  subjects:
+    - provider: 'OAUTH'
+      value: 'ROLE-[A-Z]+'
+      type: 'role'
+  clusters:
+    - local
+    - remote
+  permissions:
+    - resource: APPLICATIONCONFIG
+      actions: [ all ]
+- name: 'viewer'
+  subjects:
+    - provider: 'LDAP'
+      value: 'CS-XXX'
+      type: 'kafka-viewer'
+    - provider: 'OAUTH'
+      value: '.*@kafka.com'
+      type: 'user'
+  clusters:
+    - remote
+  permissions:
+    - resource: APPLICATIONCONFIG
+      actions: [ all ]
+- name: 'editor'
+  subjects:
+    - provider: 'OAUTH'
+      value: 'ROLE_EDITOR'
+      type: 'role'
+  clusters:
+    - local
+  permissions:
+    - resource: APPLICATIONCONFIG
+      actions: [ all ]