feat(security): milestone1 roles inheritance, PUBLIC default, create/write split

Author: shahar-biron

spring-boot-starter-data-falkordb/src/main/java/org/springframework/boot/autoconfigure/data/falkordb/FalkorDBSecurityConfiguration.java

@@ -45,8 +45,8 @@ public PrivilegeService falkorDBPrivilegeService(FalkorDBTemplate template, Falk
 	@Bean
 	@ConditionalOnMissingBean
 	public AuthenticationFalkorSecurityContextAdapter falkorDBAuthenticationAdapter(FalkorDBTemplate template,
-			PrivilegeService privilegeService) {
-		return new AuthenticationFalkorSecurityContextAdapter(template, privilegeService);
+			PrivilegeService privilegeService, FalkorDBSecurityProperties properties) {
+		return new AuthenticationFalkorSecurityContextAdapter(template, privilegeService, properties.getDefaultRole());
 	}
 
 	@Bean

spring-boot-starter-data-falkordb/src/main/java/org/springframework/boot/autoconfigure/data/falkordb/FalkorDBSecurityProperties.java

@@ -20,6 +20,11 @@ public class FalkorDBSecurityProperties {
 	 */
 	private String adminRole = "admin";
 
+	/**
+	 * Default role included for all users (parity with Python RBAC 'PUBLIC' role).
+	 */
+	private String defaultRole = org.springframework.data.falkordb.security.context.FalkorSecurityContext.DEFAULT_DEFAULT_ROLE;
+
 	/**
 	 * Whether audit logging is enabled.
 	 */
@@ -55,6 +60,14 @@ public void setAdminRole(String adminRole) {
 		this.adminRole = adminRole;
 	}
 
+	public String getDefaultRole() {
+		return this.defaultRole;
+	}
+
+	public void setDefaultRole(String defaultRole) {
+		this.defaultRole = defaultRole;
+	}
+
 	public boolean isAuditEnabled() {
 		return this.auditEnabled;
 	}

spring-boot-starter-data-falkordb/src/main/java/org/springframework/data/falkordb/security/bootstrap/FalkorDBSecurityBootstrapRunner.java

@@ -34,10 +34,28 @@ public FalkorDBSecurityBootstrapRunner(FalkorDBTemplate template, FalkorDBSecuri
 
 	@Override
 	public void run(ApplicationArguments args) {
+		ensureDefaultRole();
 		ensureAdminRole();
 		ensureAdminUser();
 	}
 
+	private void ensureDefaultRole() {
+		String role = this.properties.getDefaultRole();
+		if (!StringUtils.hasText(role)) {
+			return;
+		}
+		Map<String, Object> params = new HashMap<>();
+		params.put("name", role);
+		params.put("description", "Bootstrapped default role");
+		params.put("createdAt", Instant.now().toString());
+
+		String cypher = "MERGE (r:_Security_Role {name: $name}) "
+				+ "ON CREATE SET r.description = $description, r.immutable = true, r.createdAt = $createdAt "
+				+ "RETURN r";
+
+		this.template.query(cypher, params, FalkorDBClient.QueryResult::records);
+	}
+
 	private void ensureAdminRole() {
 		String adminRole = this.properties.getAdminRole();
 		if (!StringUtils.hasText(adminRole)) {

spring-boot-starter-data-falkordb/src/main/java/org/springframework/data/falkordb/security/integration/AuthenticationFalkorSecurityContextAdapter.java

@@ -35,9 +35,13 @@ public class AuthenticationFalkorSecurityContextAdapter {
 
 	private final PrivilegeService privilegeService;
 
-	public AuthenticationFalkorSecurityContextAdapter(FalkorDBTemplate template, PrivilegeService privilegeService) {
+	private final String defaultRole;
+
+	public AuthenticationFalkorSecurityContextAdapter(FalkorDBTemplate template, PrivilegeService privilegeService,
+			String defaultRole) {
 		this.template = template;
 		this.privilegeService = privilegeService;
+		this.defaultRole = defaultRole;
 	}
 
 	public FalkorSecurityContext fromAuthentication(Authentication authentication) {
@@ -55,20 +59,20 @@ public FalkorSecurityContext fromAuthentication(Authentication authentication) {
 			return null;
 		}
 
-		Set<Role> roles = new HashSet<>(user.getRoles());
-		// Optionally, intersect with Spring Security authorities
 		Set<String> springAuthorities = extractAuthorityNames(authentication);
-		roles.removeIf(role -> !springAuthorities.isEmpty() && !springAuthorities.contains(role.getName()));
+		Set<String> roleNames = extractRoleNames(user, springAuthorities);
+
+		// Expand role inheritance from graph if possible
+		roleNames.addAll(resolveInheritedRoleNames(roleNames));
 
-		Set<Privilege> privileges = this.privilegeService.loadPrivileges(username, roles);
+		Set<Privilege> privileges = this.privilegeService.loadPrivileges(username, roleNames);
 
-		return new FalkorSecurityContext(user, roles, privileges);
+		return new FalkorSecurityContext(user, roleNames, privileges, this.defaultRole);
 	}
 
 	private User loadUserByUsername(String username) {
 		String cypher = "MATCH (u:_Security_User {username: $username})-[:HAS_ROLE]->(r:_Security_Role) "
-				+ "OPTIONAL MATCH (r)<-[:GRANTED_TO]-(p:_Security_Privilege) "
-				+ "RETURN u, collect(DISTINCT r) as roles, collect(DISTINCT p) as privileges";
+				+ "RETURN u";
 		return this.template.query(cypher, Collections.singletonMap("username", username), result -> {
 			for (org.springframework.data.falkordb.core.FalkorDBClient.Record record : result.records()) {
 				User u = this.template.getConverter().read(User.class, record);
@@ -92,4 +96,50 @@ private Set<String> extractAuthorityNames(Authentication authentication) {
 		return names;
 	}
 
+	private Set<String> extractRoleNames(User user, Set<String> springAuthorities) {
+		Set<String> roleNames = new HashSet<>();
+		if (user != null && user.getRoles() != null && !user.getRoles().isEmpty()) {
+			for (Role role : user.getRoles()) {
+				if (role != null && role.getName() != null) {
+					roleNames.add(role.getName());
+				}
+			}
+		}
+		// If the user has no graph roles, fall back to Spring authorities as role names
+		if (roleNames.isEmpty() && springAuthorities != null && !springAuthorities.isEmpty()) {
+			roleNames.addAll(springAuthorities);
+		}
+		// Intersect with Spring authorities if present
+		if (springAuthorities != null && !springAuthorities.isEmpty()) {
+			roleNames.removeIf(rn -> !springAuthorities.contains(rn));
+		}
+		if (this.defaultRole != null && !this.defaultRole.isBlank()) {
+			roleNames.add(this.defaultRole);
+		}
+		return roleNames;
+	}
+
+	private Set<String> resolveInheritedRoleNames(Set<String> roleNames) {
+		if (roleNames == null || roleNames.isEmpty()) {
+			return Collections.emptySet();
+		}
+		try {
+			String cypher = "MATCH (r:_Security_Role) WHERE r.name IN $roleNames "
+					+ "OPTIONAL MATCH (r)-[:INHERITS_FROM*0..]->(p:_Security_Role) "
+					+ "RETURN DISTINCT p";
+			List<Role> roles = this.template.query(cypher,
+					Collections.singletonMap("roleNames", roleNames), Role.class);
+			Set<String> inherited = new HashSet<>();
+			for (Role r : roles) {
+				if (r != null && r.getName() != null) {
+					inherited.add(r.getName());
+				}
+			}
+			return inherited;
+		}
+		catch (Exception ignored) {
+			return Collections.emptySet();
+		}
+	}
+
 }

spring-boot-starter-data-falkordb/src/main/java/org/springframework/data/falkordb/security/integration/PrivilegeService.java

@@ -45,7 +45,20 @@ public PrivilegeService(FalkorDBTemplate template, Duration ttl) {
 	}
 
 	public Set<Privilege> loadPrivileges(String username, Set<Role> roles) {
-		if (username == null || roles == null || roles.isEmpty()) {
+		if (roles == null || roles.isEmpty()) {
+			return Collections.emptySet();
+		}
+		Set<String> roleNames = new HashSet<>();
+		for (Role role : roles) {
+			if (role != null && role.getName() != null) {
+				roleNames.add(role.getName());
+			}
+		}
+		return loadPrivileges(username, roleNames);
+	}
+
+	public Set<Privilege> loadPrivileges(String username, java.util.Collection<String> roleNames) {
+		if (username == null || roleNames == null || roleNames.isEmpty()) {
 			return Collections.emptySet();
 		}
 
@@ -54,7 +67,7 @@ public Set<Privilege> loadPrivileges(String username, Set<Role> roles) {
 			return entry.privileges;
 		}
 
-		Set<Privilege> loaded = loadPrivilegesFromGraph(roles);
+		Set<Privilege> loaded = loadPrivilegesFromGraph(roleNames);
 		this.cache.put(username, new CacheEntry(loaded, Instant.now().plus(this.ttl)));
 		return loaded;
 	}
@@ -75,14 +88,8 @@ public void invalidateAll() {
 		this.cache.clear();
 	}
 
-	private Set<Privilege> loadPrivilegesFromGraph(Set<Role> roles) {
-		Set<String> roleNames = new HashSet<>();
-		for (Role role : roles) {
-			if (role != null && role.getName() != null) {
-				roleNames.add(role.getName());
-			}
-		}
-		if (roleNames.isEmpty()) {
+	private Set<Privilege> loadPrivilegesFromGraph(java.util.Collection<String> roleNames) {
+		if (roleNames == null || roleNames.isEmpty()) {
 			return Collections.emptySet();
 		}
 

src/main/java/org/springframework/data/falkordb/security/context/FalkorSecurityContext.java

@@ -4,7 +4,9 @@
 
 package org.springframework.data.falkordb.security.context;
 
+import java.util.ArrayDeque;
 import java.util.Collections;
+import java.util.Deque;
 import java.util.HashSet;
 import java.util.Objects;
 import java.util.Set;
@@ -15,22 +17,51 @@
 import org.springframework.data.falkordb.security.model.Privilege;
 import org.springframework.data.falkordb.security.model.Role;
 import org.springframework.data.falkordb.security.model.User;
+import org.springframework.lang.Nullable;
+import org.springframework.util.StringUtils;
 
 /**
  * Falkor-specific security context used for RBAC checks.
  */
 @API(status = API.Status.EXPERIMENTAL, since = "1.0")
 public class FalkorSecurityContext {
 
+	/**
+	 * Default role name included for all users unless explicitly disabled.
+	 */
+	public static final String DEFAULT_DEFAULT_ROLE = "PUBLIC";
+
 	private final User user;
 
 	private final Set<String> effectiveRoles;
 
 	private final Set<Privilege> privileges;
 
 	public FalkorSecurityContext(User user, Set<Role> roles, Set<Privilege> privileges) {
+		this(user, roles, privileges, DEFAULT_DEFAULT_ROLE);
+	}
+
+	public FalkorSecurityContext(User user, Set<Role> roles, Set<Privilege> privileges, @Nullable String defaultRole) {
+		this.user = Objects.requireNonNull(user, "user must not be null");
+		this.effectiveRoles = Collections.unmodifiableSet(computeEffectiveRoleNames(roles, defaultRole));
+		this.privileges = Collections.unmodifiableSet(new HashSet<>(privileges));
+	}
+
+	public FalkorSecurityContext(User user, java.util.Collection<String> effectiveRoleNames, Set<Privilege> privileges) {
+		this(user, effectiveRoleNames, privileges, DEFAULT_DEFAULT_ROLE);
+	}
+
+	public FalkorSecurityContext(User user, java.util.Collection<String> effectiveRoleNames, Set<Privilege> privileges,
+			@Nullable String defaultRole) {
 		this.user = Objects.requireNonNull(user, "user must not be null");
-		this.effectiveRoles = Collections.unmodifiableSet(extractRoleNames(roles));
+		Set<String> names = new HashSet<>();
+		if (effectiveRoleNames != null) {
+			names.addAll(effectiveRoleNames);
+		}
+		if (StringUtils.hasText(defaultRole)) {
+			names.add(defaultRole);
+		}
+		this.effectiveRoles = Collections.unmodifiableSet(names);
 		this.privileges = Collections.unmodifiableSet(new HashSet<>(privileges));
 	}
 
@@ -70,19 +101,41 @@ private boolean resourceMatches(String privilegeResource, String requestedResour
 		if (privilegeResource == null || requestedResource == null) {
 			return false;
 		}
-		// MVP: exact match; can be extended to patterns later
+		if ("*".equals(privilegeResource)) {
+			return true;
+		}
+		// Matches any property on a specific resource, e.g. com.foo.Entity.*
+		if (privilegeResource.endsWith(".*")) {
+			String prefix = privilegeResource.substring(0, privilegeResource.length() - 2);
+			return requestedResource.startsWith(prefix + ".");
+		}
+		// Default: exact match
 		return privilegeResource.equals(requestedResource);
 	}
 
-	private Set<String> extractRoleNames(Set<Role> roles) {
+	private Set<String> computeEffectiveRoleNames(@Nullable Set<Role> roles, @Nullable String defaultRole) {
+		Set<String> names = new HashSet<>();
+		if (StringUtils.hasText(defaultRole)) {
+			names.add(defaultRole);
+		}
 		if (roles == null || roles.isEmpty()) {
-			return Collections.emptySet();
+			return names;
 		}
-		Set<String> names = new HashSet<>();
-		for (Role role : roles) {
-			if (role != null && role.getName() != null) {
+
+		Set<Role> visited = new HashSet<>();
+		Deque<Role> stack = new ArrayDeque<>(roles);
+		while (!stack.isEmpty()) {
+			Role role = stack.pop();
+			if (role == null || !visited.add(role)) {
+				continue;
+			}
+			if (StringUtils.hasText(role.getName())) {
 				names.add(role.getName());
 			}
+			Set<Role> parents = role.getParentRoles();
+			if (parents != null && !parents.isEmpty()) {
+				stack.addAll(parents);
+			}
 		}
 		return names;
 	}

src/main/java/org/springframework/data/falkordb/security/repository/SecureFalkorDBRepository.java

@@ -49,13 +49,16 @@ public class SecureFalkorDBRepository<T, ID>
 
 	private final AuditLogger auditLogger;
 
+	private final FalkorDBEntityInformation<T, ID> entityInformation;
+
 	private final org.springframework.data.falkordb.repository.FalkorDBRepository<T, ID> delegate;
 
 	public SecureFalkorDBRepository(FalkorDBOperations operations,
 			FalkorDBEntityInformation<T, ID> entityInformation,
 			@org.springframework.lang.Nullable AuditLogger auditLogger) {
 		this.domainType = entityInformation.getJavaType();
 		this.metadata = SecurityMetadataUtils.resolveMetadata(this.domainType);
+		this.entityInformation = entityInformation;
 		this.delegate = new DelegateRepository<>(operations, entityInformation);
 		this.auditLogger = auditLogger;
 	}
@@ -119,17 +122,20 @@ public boolean existsById(ID id) {
 
 	@Override
 	public <S extends T> S save(S entity) {
-		// MVP: treat all save operations as WRITE
-		require(Action.WRITE);
+		Action action = isNewEntity(entity) ? Action.CREATE : Action.WRITE;
+		require(action);
+		// Apply WRITE property deny rules to both CREATE and WRITE
 		validateWrite(entity);
 		return delegate.save(entity);
 	}
 
 	@Override
 	public <S extends T> List<S> saveAll(Iterable<S> entities) {
-		require(Action.WRITE);
 		List<S> list = new ArrayList<>();
 		for (S entity : entities) {
+			Action action = isNewEntity(entity) ? Action.CREATE : Action.WRITE;
+			require(action);
+			// Apply WRITE property deny rules to both CREATE and WRITE
 			validateWrite(entity);
 			list.add(entity);
 		}
@@ -214,6 +220,13 @@ public <S extends T, R> R findBy(Example<S> example,
 
 	// --- Internal helpers ---
 
+	private <S extends T> boolean isNewEntity(S entity) {
+		if (entity == null) {
+			return true;
+		}
+		return this.entityInformation.isNew(entity);
+	}
+
 	private void require(Action action) {
 		FalkorSecurityContext ctx = FalkorSecurityContextHolder.getContext();
 		if (ctx == null) {