feat(security): milestone3 RLS enforcement + milestone4 audit query parity

Author: shahar-biron

spring-boot-starter-data-falkordb/src/main/java/org/springframework/boot/autoconfigure/data/falkordb/FalkorDBAutoConfiguration.java

@@ -9,9 +9,11 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.data.falkordb.core.DefaultFalkorDBClient;
 import org.springframework.data.falkordb.core.FalkorDBClient;
 import org.springframework.data.falkordb.core.FalkorDBTemplate;
+import org.springframework.data.falkordb.core.query.FalkorDBQueryRewriter;
 import org.springframework.data.falkordb.core.mapping.DefaultFalkorDBEntityConverter;
 import org.springframework.data.falkordb.core.mapping.DefaultFalkorDBMappingContext;
 import org.springframework.data.falkordb.core.mapping.FalkorDBMappingContext;
@@ -96,9 +98,10 @@ public FalkorDBMappingContext falkorDBMappingContext() {
 	@ConditionalOnMissingBean
 	@ConditionalOnBean(FalkorDBClient.class)
 	public FalkorDBTemplate falkorDBTemplate(FalkorDBClient client,
-			FalkorDBMappingContext mappingContext) {
+			FalkorDBMappingContext mappingContext,
+			ObjectProvider<FalkorDBQueryRewriter> queryRewriterProvider) {
 		DefaultFalkorDBEntityConverter converter = new DefaultFalkorDBEntityConverter(
 				mappingContext, new EntityInstantiators(), client);
-		return new FalkorDBTemplate(client, mappingContext, converter);
+		return new FalkorDBTemplate(client, mappingContext, converter, queryRewriterProvider.getIfAvailable());
 	}
 }

spring-boot-starter-data-falkordb/src/main/java/org/springframework/boot/autoconfigure/data/falkordb/FalkorDBSecurityConfiguration.java

@@ -14,6 +14,8 @@
 import org.springframework.data.falkordb.security.integration.FalkorDBSecurityContextFilter;
 import org.springframework.data.falkordb.security.integration.PrivilegeService;
 import org.springframework.data.falkordb.security.manager.RBACManager;
+import org.springframework.data.falkordb.security.rls.RowLevelSecurityQueryRewriter;
+import org.springframework.data.falkordb.core.query.FalkorDBQueryRewriter;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.filter.OncePerRequestFilter;
@@ -61,6 +63,13 @@ public RBACManager falkorDBRbacManager(FalkorDBTemplate template, FalkorDBSecuri
 		return new RBACManager(template, properties.getAdminRole());
 	}
 
+	@Bean
+	@ConditionalOnMissingBean
+	@ConditionalOnProperty(prefix = "spring.data.falkordb.security", name = "query-rewrite-enabled", havingValue = "true")
+	public FalkorDBQueryRewriter falkorDBQueryRewriter() {
+		return new RowLevelSecurityQueryRewriter();
+	}
+
 	@Bean
 	@ConditionalOnMissingBean
 	public FalkorDBSecurityContextFilter falkorDBSecurityContextFilter(

spring-boot-starter-data-falkordb/src/main/java/org/springframework/boot/autoconfigure/data/falkordb/FalkorDBSecurityProperties.java

@@ -30,6 +30,14 @@ public class FalkorDBSecurityProperties {
 	 */
 	private boolean auditEnabled = true;
 
+	/**
+	 * Whether the core template should attempt query-time row-level security enforcement by
+	 * rewriting generated Cypher queries.
+	 *
+	 * Disabled by default (opt-in).
+	 */
+	private boolean queryRewriteEnabled = false;
+
 	/**
 	 * Time-to-live for cached privileges per user.
 	 */
@@ -76,6 +84,14 @@ public void setAuditEnabled(boolean auditEnabled) {
 		this.auditEnabled = auditEnabled;
 	}
 
+	public boolean isQueryRewriteEnabled() {
+		return this.queryRewriteEnabled;
+	}
+
+	public void setQueryRewriteEnabled(boolean queryRewriteEnabled) {
+		this.queryRewriteEnabled = queryRewriteEnabled;
+	}
+
 	public Duration getPrivilegeCacheTtl() {
 		return this.privilegeCacheTtl;
 	}

src/main/java/org/springframework/data/falkordb/core/FalkorDBTemplate.java

@@ -33,6 +33,9 @@
 import org.apiguardian.api.API;
 
 import org.springframework.data.domain.Sort;
+import org.springframework.data.falkordb.core.query.FalkorDBQueryRewriter;
+import org.springframework.data.falkordb.core.query.RewrittenQuery;
+import org.springframework.lang.Nullable;
 import org.springframework.data.falkordb.core.mapping.DefaultFalkorDBEntityConverter;
 import org.springframework.data.falkordb.core.mapping.DefaultFalkorDBPersistentEntity;
 import org.springframework.data.falkordb.core.mapping.FalkorDBEntityConverter;
@@ -56,14 +59,22 @@ public class FalkorDBTemplate implements FalkorDBOperations {
 
 	private final FalkorDBEntityConverter entityConverter;
 
+	private final @Nullable FalkorDBQueryRewriter queryRewriter;
+
 	public FalkorDBTemplate(FalkorDBClient falkorDBClient, FalkorDBMappingContext mappingContext,
 			FalkorDBEntityConverter entityConverter) {
+		this(falkorDBClient, mappingContext, entityConverter, null);
+	}
+
+	public FalkorDBTemplate(FalkorDBClient falkorDBClient, FalkorDBMappingContext mappingContext,
+			FalkorDBEntityConverter entityConverter, @Nullable FalkorDBQueryRewriter queryRewriter) {
 		Assert.notNull(falkorDBClient, "FalkorDBClient must not be null");
 		Assert.notNull(mappingContext, "FalkorDBMappingContext must not be null");
 		Assert.notNull(entityConverter, "FalkorDBEntityConverter must not be null");
 
 		this.falkorDBClient = falkorDBClient;
 		this.mappingContext = mappingContext;
+		this.queryRewriter = queryRewriter;
 
 		// If the entity converter is DefaultFalkorDBEntityConverter and doesn't have a
 		// client,
@@ -165,14 +176,9 @@ public <T> Optional<T> findById(Object id, Class<T> clazz) {
 		String primaryLabel = getPrimaryLabel(persistentEntity);
 
 		String cypher = "MATCH (n:" + primaryLabel + ") WHERE id(n) = $id RETURN n";
-		Map<String, Object> parameters = Collections.singletonMap("id", id);
+		Map<String, Object> parameters = Collections.singletonMap("id", normalizeInternalId(id));
 
-		return this.falkorDBClient.query(cypher, parameters, result -> {
-			for (FalkorDBClient.Record record : result.records()) {
-				return Optional.of(this.entityConverter.read(clazz, record));
-			}
-			return Optional.empty();
-		});
+		return queryForObject(cypher, parameters, clazz);
 	}
 
 	@Override
@@ -191,15 +197,10 @@ public <T> List<T> findAllById(Iterable<?> ids, Class<T> clazz) {
 		String primaryLabel = getPrimaryLabel(persistentEntity);
 
 		String cypher = "MATCH (n:" + primaryLabel + ") WHERE id(n) IN $ids RETURN n";
-		Map<String, Object> parameters = Collections.singletonMap("ids", idList);
+		Map<String, Object> parameters = Collections.singletonMap("ids",
+				idList.stream().map(this::normalizeInternalId).collect(Collectors.toList()));
 
-		return this.falkorDBClient.query(cypher, parameters, result -> {
-			List<T> entities = new ArrayList<>();
-			for (FalkorDBClient.Record record : result.records()) {
-				entities.add(this.entityConverter.read(clazz, record));
-			}
-			return entities;
-		});
+		return query(cypher, parameters, clazz);
 	}
 
 	@Override
@@ -211,13 +212,7 @@ public <T> List<T> findAll(Class<T> clazz) {
 
 		String cypher = "MATCH (n:" + primaryLabel + ") RETURN n";
 
-		return this.falkorDBClient.query(cypher, Collections.emptyMap(), result -> {
-			List<T> entities = new ArrayList<>();
-			for (FalkorDBClient.Record record : result.records()) {
-				entities.add(this.entityConverter.read(clazz, record));
-			}
-			return entities;
-		});
+		return query(cypher, Collections.emptyMap(), clazz);
 	}
 
 	@Override
@@ -238,13 +233,7 @@ public <T> List<T> findAll(Class<T> clazz, Sort sort) {
 			cypher.append(orderBy);
 		}
 
-		return this.falkorDBClient.query(cypher.toString(), Collections.emptyMap(), result -> {
-			List<T> entities = new ArrayList<>();
-			for (FalkorDBClient.Record record : result.records()) {
-				entities.add(this.entityConverter.read(clazz, record));
-			}
-			return entities;
-		});
+		return query(cypher.toString(), Collections.emptyMap(), clazz);
 	}
 
 	@Override
@@ -256,7 +245,9 @@ public <T> long count(Class<T> clazz) {
 
 		String cypher = "MATCH (n:" + primaryLabel + ") RETURN count(n) as count";
 
-		return this.falkorDBClient.query(cypher, Collections.emptyMap(), result -> {
+		RewrittenQuery rq = maybeRewrite(cypher, Collections.emptyMap(), clazz);
+
+		return this.falkorDBClient.query(rq.getCypher(), rq.getParameters(), result -> {
 			for (FalkorDBClient.Record record : result.records()) {
 				Object count = record.get("count");
 				return (count instanceof Number) ? ((Number) count).longValue() : 0L;
@@ -274,9 +265,11 @@ public <T> boolean existsById(Object id, Class<T> clazz) {
 		String primaryLabel = getPrimaryLabel(persistentEntity);
 
 		String cypher = "MATCH (n:" + primaryLabel + ") WHERE id(n) = $id RETURN count(n) > 0 as exists";
-		Map<String, Object> parameters = Collections.singletonMap("id", id);
+		Map<String, Object> parameters = Collections.singletonMap("id", normalizeInternalId(id));
 
-		return this.falkorDBClient.query(cypher, parameters, result -> {
+		RewrittenQuery rq = maybeRewrite(cypher, parameters, clazz);
+
+		return this.falkorDBClient.query(rq.getCypher(), rq.getParameters(), result -> {
 			for (FalkorDBClient.Record record : result.records()) {
 				Object exists = record.get("exists");
 				return (exists instanceof Boolean) ? (Boolean) exists : false;
@@ -294,7 +287,7 @@ public <T> void deleteById(Object id, Class<T> clazz) {
 		String primaryLabel = getPrimaryLabel(persistentEntity);
 
 		String cypher = "MATCH (n:" + primaryLabel + ") WHERE id(n) = $id DELETE n";
-		Map<String, Object> parameters = Collections.singletonMap("id", id);
+		Map<String, Object> parameters = Collections.singletonMap("id", normalizeInternalId(id));
 
 		this.falkorDBClient.query(cypher, parameters);
 	}
@@ -315,7 +308,8 @@ public <T> void deleteAllById(Iterable<?> ids, Class<T> clazz) {
 		String primaryLabel = getPrimaryLabel(persistentEntity);
 
 		String cypher = "MATCH (n:" + primaryLabel + ") WHERE id(n) IN $ids DELETE n";
-		Map<String, Object> parameters = Collections.singletonMap("ids", idList);
+		Map<String, Object> parameters = Collections.singletonMap("ids",
+				idList.stream().map(this::normalizeInternalId).collect(Collectors.toList()));
 
 		this.falkorDBClient.query(cypher, parameters);
 	}
@@ -338,7 +332,9 @@ public <T> List<T> query(String cypher, Map<String, Object> parameters, Class<T>
 		Assert.notNull(parameters, "Parameters must not be null");
 		Assert.notNull(clazz, "Class must not be null");
 
-		return this.falkorDBClient.query(cypher, parameters, result -> {
+		RewrittenQuery rq = maybeRewrite(cypher, parameters, clazz);
+
+		return this.falkorDBClient.query(rq.getCypher(), rq.getParameters(), result -> {
 			List<T> entities = new ArrayList<>();
 			for (FalkorDBClient.Record record : result.records()) {
 				entities.add(this.entityConverter.read(clazz, record));
@@ -353,7 +349,9 @@ public <T> Optional<T> queryForObject(String cypher, Map<String, Object> paramet
 		Assert.notNull(parameters, "Parameters must not be null");
 		Assert.notNull(clazz, "Class must not be null");
 
-		return this.falkorDBClient.query(cypher, parameters, result -> {
+		RewrittenQuery rq = maybeRewrite(cypher, parameters, clazz);
+
+		return this.falkorDBClient.query(rq.getCypher(), rq.getParameters(), result -> {
 			for (FalkorDBClient.Record record : result.records()) {
 				return Optional.of(this.entityConverter.read(clazz, record));
 			}
@@ -368,7 +366,15 @@ public <T> T query(String cypher, Map<String, Object> parameters,
 		Assert.notNull(parameters, "Parameters must not be null");
 		Assert.notNull(resultMapper, "Result mapper must not be null");
 
-		return this.falkorDBClient.query(cypher, parameters, resultMapper);
+		RewrittenQuery rq = maybeRewrite(cypher, parameters, null);
+		return this.falkorDBClient.query(rq.getCypher(), rq.getParameters(), resultMapper);
+	}
+
+	private RewrittenQuery maybeRewrite(String cypher, Map<String, Object> parameters, @Nullable Class<?> domainType) {
+		if (this.queryRewriter == null) {
+			return RewrittenQuery.of(cypher, parameters);
+		}
+		return this.queryRewriter.rewrite(cypher, parameters, domainType);
 	}
 
 	/**
@@ -389,14 +395,29 @@ public FalkorDBMappingContext getMappingContext() {
 		return this.mappingContext;
 	}
 
+	private Object normalizeInternalId(Object id) {
+		if (id instanceof Long) {
+			Long l = (Long) id;
+			if (l >= Integer.MIN_VALUE && l <= Integer.MAX_VALUE) {
+				return l.intValue();
+			}
+		}
+		return id;
+	}
+
 	private String getPrimaryLabel(DefaultFalkorDBPersistentEntity<?> persistentEntity) {
 		// Get the primary label from the @Node annotation
 		Node nodeAnnotation = persistentEntity.getType().getAnnotation(Node.class);
 		if (nodeAnnotation != null) {
 			if (!nodeAnnotation.primaryLabel().isEmpty()) {
 				return nodeAnnotation.primaryLabel();
 			}
-			else if (nodeAnnotation.labels().length > 0) {
+			// Note: @AliasFor is not applied when reading the annotation via plain reflection.
+			// We therefore need to check both value() and labels().
+			if (nodeAnnotation.value().length > 0) {
+				return nodeAnnotation.value()[0];
+			}
+			if (nodeAnnotation.labels().length > 0) {
 				return nodeAnnotation.labels()[0];
 			}
 		}

src/main/java/org/springframework/data/falkordb/core/mapping/DefaultFalkorDBEntityConverter.java

@@ -203,10 +203,12 @@ public final void write(final Object source, final Map<String, Object> sink) {
 	 */
 	private Object convertValueForFalkorDB(final Object value, final FalkorDBPersistentProperty property) {
 		if (value instanceof LocalDateTime) {
-			// Convert LocalDateTime to ISO string format that FalkorDB
-			// can handle. Using ISO_LOCAL_DATE_TIME format.
+			// Convert LocalDateTime to ISO string format that FalkorDB can handle.
 			return ((LocalDateTime) value).format(DateTimeFormatter.ISO_LOCAL_DATE_TIME);
 		}
+		if (value instanceof java.time.Instant) {
+			return DateTimeFormatter.ISO_INSTANT.format((java.time.Instant) value);
+		}
 
 		// Apply intern() function for low-cardinality string properties
 		if (property != null && property.isInterned() && value instanceof String) {
@@ -352,7 +354,14 @@ else if (targetType == String.class) {
 					return LocalDateTime.parse(strValue, DateTimeFormatter.ISO_LOCAL_DATE_TIME);
 				}
 				catch (Exception ex) {
-					// If parsing fails, return null
+					return null;
+				}
+			}
+			if (targetType == java.time.Instant.class) {
+				try {
+					return java.time.Instant.parse(strValue);
+				}
+				catch (Exception ex) {
 					return null;
 				}
 			}
@@ -661,6 +670,11 @@ private Object saveEntityAndGetId(Object entity, FalkorDBPersistentEntity<?> per
 		org.springframework.data.falkordb.core.schema.Node nodeAnn = persistentEntity.getType()
 				.getAnnotation(org.springframework.data.falkordb.core.schema.Node.class);
 		if (nodeAnn != null) {
+			for (String label : nodeAnn.value()) {
+				if (label != null && !label.isEmpty() && !label.equals(primaryLabel)) {
+					labels.add(label);
+				}
+			}
 			for (String label : nodeAnn.labels()) {
 				if (label != null && !label.isEmpty() && !label.equals(primaryLabel)) {
 					labels.add(label);
@@ -780,7 +794,10 @@ private String getPrimaryLabel(FalkorDBPersistentEntity<?> entity) {
 			if (!nodeAnnotation.primaryLabel().isEmpty()) {
 				return nodeAnnotation.primaryLabel();
 			}
-			else if (nodeAnnotation.labels().length > 0) {
+			if (nodeAnnotation.value().length > 0) {
+				return nodeAnnotation.value()[0];
+			}
+			if (nodeAnnotation.labels().length > 0) {
 				return nodeAnnotation.labels()[0];
 			}
 		}

src/main/java/org/springframework/data/falkordb/core/query/FalkorDBQueryRewriter.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 FalkorDB Ltd.
+ */
+
+package org.springframework.data.falkordb.core.query;
+
+import java.util.Map;
+
+import org.springframework.lang.Nullable;
+
+/**
+ * Hook to allow rewriting or augmenting Cypher queries prior to execution.
+ *
+ * Intended use: row-level security / policy enforcement.
+ */
+@FunctionalInterface
+public interface FalkorDBQueryRewriter {
+
+	RewrittenQuery rewrite(String cypher, Map<String, Object> parameters, @Nullable Class<?> domainType);
+
+}