feat(security): add RBAC secure context, audit, bootstrap, and secure repositories

Author: shahar-biron

spring-boot-starter-data-falkordb/pom.xml

@@ -66,6 +66,13 @@
             <artifactId>spring-boot-starter</artifactId>
         </dependency>
 
+        <!-- Optional: validation annotations used by configuration properties -->
+        <dependency>
+            <groupId>jakarta.validation</groupId>
+            <artifactId>jakarta.validation-api</artifactId>
+            <optional>true</optional>
+        </dependency>
+
         <!-- Spring Data FalkorDB -->
         <dependency>
             <groupId>com.falkordb</groupId>
@@ -87,6 +94,24 @@
             <optional>true</optional>
         </dependency>
 
+        <!-- Spring Security Core for RBAC integration -->
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-core</artifactId>
+        </dependency>
+
+        <!-- Optional: only needed if using FalkorDBSecurityContextFilter (servlet integration) -->
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-web</artifactId>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>jakarta.servlet</groupId>
+            <artifactId>jakarta.servlet-api</artifactId>
+            <optional>true</optional>
+        </dependency>
+
         <!-- Test Dependencies -->
         <dependency>
             <groupId>org.springframework.boot</groupId>

spring-boot-starter-data-falkordb/src/main/java/org/springframework/boot/autoconfigure/data/falkordb/FalkorDBProperties.java

@@ -42,7 +42,3 @@ public void setDatabase(String database) {
 		this.database = database;
 	}
 }
-	public void setDatabase(String database) {
-		this.database = database;
-	}
-}

spring-boot-starter-data-falkordb/src/main/java/org/springframework/boot/autoconfigure/data/falkordb/FalkorDBRepositoriesAutoConfiguration.java

@@ -8,14 +8,16 @@
 import org.springframework.context.annotation.Import;
 import org.springframework.data.falkordb.core.FalkorDBTemplate;
 import org.springframework.data.falkordb.repository.FalkorDBRepository;
-import org.springframework.data.falkordb.repository.config.EnableFalkorDBRepositories;
 import org.springframework.data.falkordb.repository.config.FalkorDBRepositoryConfigurationExtension;
 import org.springframework.data.falkordb.repository.support.FalkorDBRepositoryFactoryBean;
 
 /**
  * Auto-configuration for Spring Data FalkorDB Repositories.
  * Only activates if FalkorDBTemplate bean is available.
  *
+ * This configuration is used when RBAC security is disabled
+ * (or not explicitly enabled).
+ *
  * @author Shahar Biron
  * @since 1.0
  */
@@ -26,6 +28,8 @@
 		FalkorDBRepositoryConfigurationExtension.class})
 @ConditionalOnProperty(prefix = "spring.data.falkordb.repositories", name = "enabled",
 		havingValue = "true", matchIfMissing = true)
+@ConditionalOnProperty(prefix = "spring.data.falkordb.security", name = "enabled",
+		havingValue = "false", matchIfMissing = true)
 @Import(FalkorDBRepositoriesRegistrar.class)
 public class FalkorDBRepositoriesAutoConfiguration {
 	// Configuration handled by the registrar

spring-boot-starter-data-falkordb/src/main/java/org/springframework/boot/autoconfigure/data/falkordb/FalkorDBSecurityConfiguration.java

@@ -0,0 +1,79 @@
+package org.springframework.boot.autoconfigure.data.falkordb;
+
+import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.data.falkordb.core.FalkorDBTemplate;
+import org.springframework.data.falkordb.security.audit.AuditLogger;
+import org.springframework.data.falkordb.security.bootstrap.FalkorDBSecurityBootstrapRunner;
+import org.springframework.data.falkordb.security.integration.AuthenticationFalkorSecurityContextAdapter;
+import org.springframework.data.falkordb.security.integration.FalkorDBSecurityContextFilter;
+import org.springframework.data.falkordb.security.integration.PrivilegeService;
+import org.springframework.data.falkordb.security.manager.RBACManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+/**
+ * Auto-configuration for FalkorDB RBAC/Security integration with Spring Security.
+ *
+ * Provides beans to bridge Spring Security's {@link Authentication} to
+ * {@link org.springframework.data.falkordb.security.context.FalkorSecurityContext}
+ * and a {@link OncePerRequestFilter} that populates the Falkor context per request.
+ *
+ * Note: the filter is provided as a bean but is not automatically wired into the
+ * Spring Security filter chain. Applications should register it explicitly in
+ * their {@code SecurityFilterChain} configuration.
+ */
+@AutoConfiguration(after = FalkorDBAutoConfiguration.class)
+@ConditionalOnClass({ SecurityContextHolder.class, Authentication.class, OncePerRequestFilter.class })
+@ConditionalOnBean(FalkorDBTemplate.class)
+@ConditionalOnProperty(prefix = "spring.data.falkordb.security", name = "enabled", havingValue = "true")
+@EnableConfigurationProperties(FalkorDBSecurityProperties.class)
+public class FalkorDBSecurityConfiguration {
+
+	@Bean
+	@ConditionalOnMissingBean
+	public PrivilegeService falkorDBPrivilegeService(FalkorDBTemplate template, FalkorDBSecurityProperties properties) {
+		return new PrivilegeService(template, properties.getPrivilegeCacheTtl());
+	}
+
+	@Bean
+	@ConditionalOnMissingBean
+	public AuthenticationFalkorSecurityContextAdapter falkorDBAuthenticationAdapter(FalkorDBTemplate template,
+			PrivilegeService privilegeService) {
+		return new AuthenticationFalkorSecurityContextAdapter(template, privilegeService);
+	}
+
+	@Bean
+	@ConditionalOnMissingBean
+	public AuditLogger falkorDBAuditLogger(FalkorDBTemplate template, FalkorDBSecurityProperties properties) {
+		return new AuditLogger(template, properties.isAuditEnabled());
+	}
+
+	@Bean
+	@ConditionalOnMissingBean
+	public RBACManager falkorDBRbacManager(FalkorDBTemplate template, FalkorDBSecurityProperties properties) {
+		return new RBACManager(template, properties.getAdminRole());
+	}
+
+	@Bean
+	@ConditionalOnMissingBean
+	public FalkorDBSecurityContextFilter falkorDBSecurityContextFilter(
+			AuthenticationFalkorSecurityContextAdapter adapter) {
+		return new FalkorDBSecurityContextFilter(adapter);
+	}
+
+	@Bean
+	@ConditionalOnMissingBean
+	@ConditionalOnProperty(prefix = "spring.data.falkordb.security.bootstrap", name = "enabled", havingValue = "true")
+	public FalkorDBSecurityBootstrapRunner falkorDBSecurityBootstrapRunner(FalkorDBTemplate template,
+			FalkorDBSecurityProperties properties) {
+		return new FalkorDBSecurityBootstrapRunner(template, properties);
+	}
+
+}

spring-boot-starter-data-falkordb/src/main/java/org/springframework/boot/autoconfigure/data/falkordb/FalkorDBSecurityProperties.java

@@ -0,0 +1,116 @@
+package org.springframework.boot.autoconfigure.data.falkordb;
+
+import java.time.Duration;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+/**
+ * Configuration properties for FalkorDB RBAC / security integration.
+ */
+@ConfigurationProperties(prefix = "spring.data.falkordb.security")
+public class FalkorDBSecurityProperties {
+
+	/**
+	 * Whether RBAC security is enabled.
+	 */
+	private boolean enabled = false;
+
+	/**
+	 * Name of the administrative role.
+	 */
+	private String adminRole = "admin";
+
+	/**
+	 * Whether audit logging is enabled.
+	 */
+	private boolean auditEnabled = true;
+
+	/**
+	 * Time-to-live for cached privileges per user.
+	 */
+	private Duration privilegeCacheTtl = Duration.ofMinutes(1);
+
+	/**
+	 * Bootstrap settings for creating initial admin role/user.
+	 */
+	private final Bootstrap bootstrap = new Bootstrap();
+
+	public Bootstrap getBootstrap() {
+		return this.bootstrap;
+	}
+
+	public boolean isEnabled() {
+		return this.enabled;
+	}
+
+	public void setEnabled(boolean enabled) {
+		this.enabled = enabled;
+	}
+
+	public String getAdminRole() {
+		return this.adminRole;
+	}
+
+	public void setAdminRole(String adminRole) {
+		this.adminRole = adminRole;
+	}
+
+	public boolean isAuditEnabled() {
+		return this.auditEnabled;
+	}
+
+	public void setAuditEnabled(boolean auditEnabled) {
+		this.auditEnabled = auditEnabled;
+	}
+
+	public Duration getPrivilegeCacheTtl() {
+		return this.privilegeCacheTtl;
+	}
+
+	public void setPrivilegeCacheTtl(Duration privilegeCacheTtl) {
+		this.privilegeCacheTtl = privilegeCacheTtl;
+	}
+
+	public static class Bootstrap {
+
+		/**
+		 * Enable bootstrap logic.
+		 */
+		private boolean enabled = false;
+
+		/**
+		 * Create (or ensure) an admin user at startup.
+		 */
+		private String adminUsername;
+
+		/**
+		 * Optional email for the bootstrapped admin user.
+		 */
+		private String adminEmail;
+
+		public boolean isEnabled() {
+			return this.enabled;
+		}
+
+		public void setEnabled(boolean enabled) {
+			this.enabled = enabled;
+		}
+
+		public String getAdminUsername() {
+			return this.adminUsername;
+		}
+
+		public void setAdminUsername(String adminUsername) {
+			this.adminUsername = adminUsername;
+		}
+
+		public String getAdminEmail() {
+			return this.adminEmail;
+		}
+
+		public void setAdminEmail(String adminEmail) {
+			this.adminEmail = adminEmail;
+		}
+	}
+
+}

spring-boot-starter-data-falkordb/src/main/java/org/springframework/boot/autoconfigure/data/falkordb/FalkorDBSecurityRepositoriesAutoConfiguration.java

@@ -0,0 +1,32 @@
+package org.springframework.boot.autoconfigure.data.falkordb;
+
+import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Import;
+import org.springframework.data.falkordb.core.FalkorDBTemplate;
+import org.springframework.data.falkordb.repository.FalkorDBRepository;
+import org.springframework.data.falkordb.repository.config.FalkorDBRepositoryConfigurationExtension;
+import org.springframework.data.falkordb.security.repository.FalkorDBSecurityRepositoryFactoryBean;
+
+/**
+ * Auto-configuration for security-aware Spring Data FalkorDB repositories.
+ * Uses {@link FalkorDBSecurityRepositoryFactoryBean} to create
+ * {@link org.springframework.data.falkordb.security.repository.SecureFalkorDBRepository}
+ * instances when RBAC security is enabled.
+ */
+@AutoConfiguration(after = FalkorDBAutoConfiguration.class)
+@ConditionalOnClass({ FalkorDBTemplate.class, FalkorDBRepository.class })
+@ConditionalOnBean(FalkorDBTemplate.class)
+@ConditionalOnMissingBean({ FalkorDBSecurityRepositoryFactoryBean.class,
+		FalkorDBRepositoryConfigurationExtension.class })
+@ConditionalOnProperty(prefix = "spring.data.falkordb.repositories", name = "enabled",
+		havingValue = "true", matchIfMissing = true)
+@ConditionalOnProperty(prefix = "spring.data.falkordb.security", name = "enabled",
+		havingValue = "true")
+@Import(FalkorDBSecurityRepositoriesRegistrar.class)
+public class FalkorDBSecurityRepositoriesAutoConfiguration {
+	// Configuration handled by the security registrar
+}

spring-boot-starter-data-falkordb/src/main/java/org/springframework/boot/autoconfigure/data/falkordb/FalkorDBSecurityRepositoriesRegistrar.java

@@ -0,0 +1,38 @@
+package org.springframework.boot.autoconfigure.data.falkordb;
+
+import java.lang.annotation.Annotation;
+
+import org.springframework.boot.autoconfigure.data.AbstractRepositoryConfigurationSourceSupport;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.falkordb.repository.config.EnableFalkorDBRepositories;
+import org.springframework.data.falkordb.repository.config.FalkorDBRepositoryConfigurationExtension;
+import org.springframework.data.falkordb.security.repository.FalkorDBSecurityRepositoryFactoryBean;
+import org.springframework.data.repository.config.RepositoryConfigurationExtension;
+
+/**
+ * Registrar variant that enables FalkorDB repositories using the
+ * security-aware {@link FalkorDBSecurityRepositoryFactoryBean}.
+ */
+class FalkorDBSecurityRepositoriesRegistrar extends AbstractRepositoryConfigurationSourceSupport {
+
+	@Override
+	protected Class<? extends Annotation> getAnnotation() {
+		return EnableFalkorDBRepositories.class;
+	}
+
+	@Override
+	protected Class<?> getConfiguration() {
+		return EnableFalkorDBSecurityRepositoriesConfiguration.class;
+	}
+
+	@Override
+	protected RepositoryConfigurationExtension getRepositoryConfigurationExtension() {
+		return new FalkorDBRepositoryConfigurationExtension();
+	}
+
+	@Configuration(proxyBeanMethods = false)
+	@EnableFalkorDBRepositories(repositoryFactoryBeanClass = FalkorDBSecurityRepositoryFactoryBean.class)
+	static class EnableFalkorDBSecurityRepositoriesConfiguration {
+	}
+
+}