BE: RBAC: remove default role clusters

Author: seono

api/src/main/java/io/kafbat/ui/controller/AuthorizationController.java

@@ -3,10 +3,12 @@
 import io.kafbat.ui.api.AuthorizationApi;
 import io.kafbat.ui.model.ActionDTO;
 import io.kafbat.ui.model.AuthenticationInfoDTO;
+import io.kafbat.ui.model.KafkaCluster;
 import io.kafbat.ui.model.ResourceTypeDTO;
 import io.kafbat.ui.model.UserInfoDTO;
 import io.kafbat.ui.model.UserPermissionDTO;
 import io.kafbat.ui.model.rbac.Permission;
+import io.kafbat.ui.service.ClustersStorage;
 import io.kafbat.ui.service.rbac.AccessControlService;
 import java.security.Principal;
 import java.util.Collection;
@@ -29,12 +31,13 @@
 public class AuthorizationController implements AuthorizationApi {
 
   private final AccessControlService accessControlService;
+  private final ClustersStorage clustersStorage;
 
   public Mono<ResponseEntity<AuthenticationInfoDTO>> getUserAuthInfo(ServerWebExchange exchange) {
     List<UserPermissionDTO> defaultRolePermissions = accessControlService.getDefaultRole() != null
         ? mapPermissions(
           accessControlService.getDefaultRole().getPermissions(),
-          accessControlService.getDefaultRole().getClusters())
+          clustersStorage.getKafkaClusters().stream().map(KafkaCluster::getName).toList())
         : Collections.emptyList();
 
     Mono<List<UserPermissionDTO>> permissions = AccessControlService.getUser()

api/src/main/java/io/kafbat/ui/model/rbac/DefaultRole.java

@@ -9,11 +9,9 @@
 @Data
 public class DefaultRole {
 
-  private List<String> clusters;
   private List<Permission> permissions = new ArrayList<>();
 
   public void validate() {
-    checkArgument(clusters != null && !clusters.isEmpty(), "Default role clusters cannot be empty");
     permissions.forEach(Permission::validate);
     permissions.forEach(Permission::transform);
   }

api/src/main/java/io/kafbat/ui/service/rbac/AccessControlService.java

@@ -15,7 +15,6 @@
 import io.kafbat.ui.model.rbac.permission.ConsumerGroupAction;
 import io.kafbat.ui.model.rbac.permission.SchemaAction;
 import io.kafbat.ui.model.rbac.permission.TopicAction;
-import io.kafbat.ui.service.ClustersStorage;
 import io.kafbat.ui.service.rbac.extractor.CognitoAuthorityExtractor;
 import io.kafbat.ui.service.rbac.extractor.GithubAuthorityExtractor;
 import io.kafbat.ui.service.rbac.extractor.GoogleAuthorityExtractor;
@@ -55,7 +54,6 @@ public class AccessControlService {
   @Nullable
   private final InMemoryReactiveClientRegistrationRepository clientRegistrationRepository;
   private final RoleBasedAccessControlProperties properties;
-  private final ClustersStorage clustersStorage;
   private final Environment environment;
 
   @Getter
@@ -148,10 +146,7 @@ private boolean isClusterAccessible(String clusterName, AuthenticatedUser user)
         .filter(filterRole(user))
         .anyMatch(role -> role.getClusters().stream().anyMatch(clusterName::equalsIgnoreCase));
 
-    if (!isAccessible && properties.getDefaultRole() != null) {
-      return properties.getDefaultRole().getClusters().stream().anyMatch(clusterName::equalsIgnoreCase);
-    }
-    return isAccessible;
+    return isAccessible || properties.getDefaultRole() != null;
   }
 
   public Mono<Boolean> isClusterAccessible(ClusterDTO cluster) {

api/src/test/java/io/kafbat/ui/service/rbac/AccessControlServiceDefaultRoleRbacEnabledTest.java

@@ -1,30 +1,24 @@
 package io.kafbat.ui.service.rbac;
 
 import static io.kafbat.ui.service.rbac.MockedRbacUtils.DEFAULT_ROLE;
-import static io.kafbat.ui.service.rbac.MockedRbacUtils.DEV_CLUSTER;
 import static io.kafbat.ui.service.rbac.MockedRbacUtils.PROD_CLUSTER;
 import static io.kafbat.ui.service.rbac.MockedRbacUtils.getAccessContext;
-import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 import io.kafbat.ui.AbstractIntegrationTest;
 import io.kafbat.ui.config.auth.RbacUser;
 import io.kafbat.ui.config.auth.RoleBasedAccessControlProperties;
 import io.kafbat.ui.model.ClusterDTO;
-import io.kafbat.ui.model.KafkaCluster;
 import io.kafbat.ui.model.rbac.AccessContext;
 import io.kafbat.ui.model.rbac.DefaultRole;
-import io.kafbat.ui.model.rbac.Role;
-import io.kafbat.ui.service.ClustersStorage;
 import java.util.List;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.mockito.Mock;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.security.core.context.SecurityContext;
@@ -55,9 +49,6 @@ public class AccessControlServiceDefaultRoleRbacEnabledTest extends AbstractInte
   @Mock
   DefaultRole defaultRole;
 
-  @Mock
-  ClustersStorage clustersStorage;
-
   @BeforeEach
   void setUp() {
 

api/src/test/java/io/kafbat/ui/service/rbac/MockedRbacUtils.java

@@ -102,9 +102,6 @@ public static Role getDevRole() {
   }
 
   public static DefaultRole getDefaultRole() {
-    DefaultRole role = new DefaultRole();
-    role.setClusters(List.of(DEV_CLUSTER, PROD_CLUSTER));
-
     Permission topicViewPermission = new Permission();
     topicViewPermission.setResource(Resource.TOPIC.name());
     topicViewPermission.setActions(List.of(TopicAction.VIEW.name()));
@@ -131,6 +128,7 @@ public static DefaultRole getDefaultRole() {
         schemaPermission,
         connectPermission
     );
+    DefaultRole role = new DefaultRole();
     role.setPermissions(permissions);
     role.validate();
     return role;