feat: Publication rule service should use roles of API key #1341 (#1342)

Author: astsiapanay

server/src/main/java/com/epam/aidial/core/server/security/RuleMatcher.java

@@ -7,6 +7,7 @@
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.regex.Pattern;
 
 @UtilityClass
@@ -22,20 +23,16 @@ public boolean match(ProxyContext context, Collection<Rule> rules) {
             return true;
         }
 
-        ExtractedClaims claims = context.getExtractedClaims();
-        if (claims == null) {
-            return false;
-        }
-
-        Map<String, List<String>> userClaims = claims.userClaims();
+        Map<String, List<String>> userClaims = Optional.ofNullable(context.getExtractedClaims())
+                .map(ExtractedClaims::userClaims).orElse(null);
 
         for (Rule rule : rules) {
             String targetClaim = rule.getSource();
             List<String> sources;
             if (targetClaim.equals("roles")) {
-                sources = claims.userRoles();
+                sources = context.getUserRoles();
             } else {
-                sources = userClaims.get(targetClaim);
+                sources = userClaims == null ? null : userClaims.get(targetClaim);
             }
 
             if (sources == null) {

server/src/test/java/com/epam/aidial/core/server/security/AccessServiceTest.java

@@ -311,8 +311,7 @@ public void testGetOwnResourcesAccessForChainedSchemaRichApplication_NotAnApplic
     public void testGetAdminAccess_WhenPublicResource() {
         ResourceDescriptor resource = new ResourceDescriptor(ResourceTypes.FILE, "file.json", List.of(), "bucket", "public/", false);
         ApplicationSchemaService applicationSchemaService = mock(ApplicationSchemaService.class);
-        ExtractedClaims extractedClaims = new ExtractedClaims("sub", List.of("admin"), "hash", Map.of(), null, "userName");
-        when(context.getExtractedClaims()).thenReturn(extractedClaims);
+        when(context.getUserRoles()).thenReturn(List.of("admin"));
         when(context.getApiKeyData()).thenReturn(new ApiKeyData());
         AccessService accessService = new AccessService(encryptionService, shareService, ruleService,
                 applicationSchemaService,
@@ -335,8 +334,7 @@ public void testGetAdminAccess_WhenReviewResource() {
         String reviewLocation = "/Users/sub/publications/123/";
         ResourceDescriptor resource = new ResourceDescriptor(ResourceTypes.FILE, "file.json", List.of(), "bucket", reviewLocation, false);
         ApplicationSchemaService applicationSchemaService = mock(ApplicationSchemaService.class);
-        ExtractedClaims extractedClaims = new ExtractedClaims("sub", List.of("admin"), "hash", Map.of(), null, "userName");
-        when(context.getExtractedClaims()).thenReturn(extractedClaims);
+        when(context.getUserRoles()).thenReturn(List.of("admin"));
         when(context.getApiKeyData()).thenReturn(new ApiKeyData());
         AccessService accessService = new AccessService(encryptionService, shareService, ruleService,
                 applicationSchemaService,
@@ -380,8 +378,7 @@ public void testGetAdminAccess_WhenPrivateResource() {
     public void testGetAdminAccess_WhenSourceFolderOfCodeApp() {
         ResourceDescriptor resource = new ResourceDescriptor(ResourceTypes.FILE, "app.py", List.of(), "bucket", "public/deployments/123/", false);
         ApplicationSchemaService applicationSchemaService = mock(ApplicationSchemaService.class);
-        ExtractedClaims extractedClaims = new ExtractedClaims("sub", List.of("admin"), "hash", Map.of(), null, "userName");
-        when(context.getExtractedClaims()).thenReturn(extractedClaims);
+        when(context.getUserRoles()).thenReturn(List.of("admin"));
         when(context.getApiKeyData()).thenReturn(new ApiKeyData());
         AccessService accessService = new AccessService(encryptionService, shareService, ruleService,
                 applicationSchemaService,

server/src/test/java/com/epam/aidial/core/server/security/RuleMatcherTest.java

@@ -13,101 +13,169 @@ class RuleMatcherTest {
 
     @Test
     void testUserRoleRules() {
-        verify(rule("roles", Rule.Function.TRUE), true, "any-role");
-        verify(rule("roles", Rule.Function.FALSE), false, "any-role");
-
-        verify(rule("roles", Rule.Function.EQUAL, "admin"), true, "admin");
-        verify(rule("roles", Rule.Function.EQUAL, "admin1"), false, "admin");
-        verify(rule("roles", Rule.Function.EQUAL, "admin1"), false, "admin2");
-        verify(rule("roles", Rule.Function.EQUAL, "AdMin"), true, "admin");
-
-        verify(rule("roles", Rule.Function.CONTAIN, "admin"), true, "admin");
-        verify(rule("roles", Rule.Function.CONTAIN, "admin1"), false, "admin");
-        verify(rule("roles", Rule.Function.CONTAIN, "admin"), true, "admin2");
-        verify(rule("roles", Rule.Function.CONTAIN, "dmi"), true, "admin");
-        verify(rule("roles", Rule.Function.CONTAIN, "manager"), true, "Delivery Manager");
-
-        verify(rule("roles", Rule.Function.REGEX, ".*"), true, "any");
-        verify(rule("roles", Rule.Function.REGEX, "(admin|user)"), true, "user");
-        verify(rule("roles", Rule.Function.REGEX, "(admin|user)$"), false, "user2");
+
+        // test access by access token
+
+        verifyOnAccessToken(rule("roles", Rule.Function.TRUE), true, "any-role");
+        verifyOnAccessToken(rule("roles", Rule.Function.FALSE), false, "any-role");
+
+        verifyOnAccessToken(rule("roles", Rule.Function.EQUAL, "admin"), true, "admin");
+        verifyOnAccessToken(rule("roles", Rule.Function.EQUAL, "admin1"), false, "admin");
+        verifyOnAccessToken(rule("roles", Rule.Function.EQUAL, "admin1"), false, "admin2");
+        verifyOnAccessToken(rule("roles", Rule.Function.EQUAL, "AdMin"), true, "admin");
+
+        verifyOnAccessToken(rule("roles", Rule.Function.CONTAIN, "admin"), true, "admin");
+        verifyOnAccessToken(rule("roles", Rule.Function.CONTAIN, "admin1"), false, "admin");
+        verifyOnAccessToken(rule("roles", Rule.Function.CONTAIN, "admin"), true, "admin2");
+        verifyOnAccessToken(rule("roles", Rule.Function.CONTAIN, "dmi"), true, "admin");
+        verifyOnAccessToken(rule("roles", Rule.Function.CONTAIN, "manager"), true, "Delivery Manager");
+
+        verifyOnAccessToken(rule("roles", Rule.Function.REGEX, ".*"), true, "any");
+        verifyOnAccessToken(rule("roles", Rule.Function.REGEX, "(admin|user)"), true, "user");
+        verifyOnAccessToken(rule("roles", Rule.Function.REGEX, "(admin|user)$"), false, "user2");
+
+        // test access by API key
+
+        verifyOnApiKey(rule("roles", Rule.Function.TRUE), true, "any-role");
+        verifyOnApiKey(rule("roles", Rule.Function.FALSE), false, "any-role");
+
+        verifyOnApiKey(rule("roles", Rule.Function.EQUAL, "admin"), true, "admin");
+        verifyOnApiKey(rule("roles", Rule.Function.EQUAL, "admin1"), false, "admin");
+        verifyOnApiKey(rule("roles", Rule.Function.EQUAL, "admin1"), false, "admin2");
+        verifyOnApiKey(rule("roles", Rule.Function.EQUAL, "AdMin"), true, "admin");
+
+        verifyOnApiKey(rule("roles", Rule.Function.CONTAIN, "admin"), true, "admin");
+        verifyOnApiKey(rule("roles", Rule.Function.CONTAIN, "admin1"), false, "admin");
+        verifyOnApiKey(rule("roles", Rule.Function.CONTAIN, "admin"), true, "admin2");
+        verifyOnApiKey(rule("roles", Rule.Function.CONTAIN, "dmi"), true, "admin");
+        verifyOnApiKey(rule("roles", Rule.Function.CONTAIN, "manager"), true, "Delivery Manager");
+
+        verifyOnApiKey(rule("roles", Rule.Function.REGEX, ".*"), true, "any");
+        verifyOnApiKey(rule("roles", Rule.Function.REGEX, "(admin|user)"), true, "user");
+        verifyOnApiKey(rule("roles", Rule.Function.REGEX, "(admin|user)$"), false, "user2");
     }
 
     @Test
     void testUserClaimRules() {
-        verify(List.of(rule("title", Rule.Function.TRUE)),
+        // test access by access token
+
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.TRUE)),
                 List.of("user1"), Map.of("title", List.of("Software Engineer")), true);
-        verify(List.of(rule("title", Rule.Function.FALSE)),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.FALSE)),
                 List.of("user2"), Map.of("title", List.of("Software Engineer")), false);
 
-        verify(List.of(rule("title", Rule.Function.EQUAL, "Software Engineer")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.EQUAL, "Software Engineer")),
                 List.of("admin"), Map.of("title", List.of("Software Engineer")), true);
-        verify(List.of(rule("title", Rule.Function.EQUAL, "Engineer")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.EQUAL, "Engineer")),
                 List.of("user"), Map.of("title", List.of("Software Engineer")), false);
 
-        verify(List.of(rule("email", Rule.Function.CONTAIN, "@example.com")),
+        verifyOnAccessToken(List.of(rule("email", Rule.Function.CONTAIN, "@example.com")),
                 List.of("admin"), Map.of("email", List.of("foo_bar@example.com")), true);
-        verify(List.of(rule("email", Rule.Function.CONTAIN, "@example.com")),
+        verifyOnAccessToken(List.of(rule("email", Rule.Function.CONTAIN, "@example.com")),
                 List.of("user"), Map.of("email", List.of("foo_bar@mail.com")), false);
-        verify(List.of(rule("email", Rule.Function.CONTAIN, "@example.com")),
+        verifyOnAccessToken(List.of(rule("email", Rule.Function.CONTAIN, "@example.com")),
                 List.of("user"), Map.of(), false);
 
-        verify(List.of(rule("title", Rule.Function.REGEX, ".*")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.REGEX, ".*")),
                 List.of("admin"), Map.of("title", List.of("Developer")), true);
-        verify(List.of(rule("title", Rule.Function.REGEX, "(Developer|Manager)")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.REGEX, "(Developer|Manager)")),
                 List.of("user"), Map.of("title", List.of("Manager")), true);
-        verify(List.of(rule("title", Rule.Function.REGEX, ".*(Manager|Developer)$")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.REGEX, ".*(Manager|Developer)$")),
                 List.of("user"), Map.of("title", List.of("Senior Delivery Manager")), true);
-        verify(List.of(rule("title", Rule.Function.REGEX, ".*(Manager|Developer)$")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.REGEX, ".*(Manager|Developer)$")),
                 List.of("user"), Map.of("title", List.of("Manager Senior")), false);
+
+        // test access by API key
+
+        verifyOnApiKey(List.of(rule("title", Rule.Function.TRUE)),
+                List.of("user1"), false);
+
+        verifyOnApiKey(List.of(rule("title", Rule.Function.EQUAL, "Software Engineer")),
+                List.of("admin"), false);
+
+        verifyOnApiKey(List.of(rule("email", Rule.Function.CONTAIN, "@example.com")),
+                List.of("admin"), false);
+
+        verifyOnApiKey(List.of(rule("title", Rule.Function.REGEX, ".*")),
+                List.of("admin"), false);
     }
 
     @Test
     void testCombinedRules() {
-        verify(List.of(rule("title", Rule.Function.TRUE), rule("roles", Rule.Function.EQUAL, "dial")),
+        // test access by access token
+
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.TRUE), rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("user1"), Map.of("title", List.of("Software Engineer")), true);
-        verify(List.of(rule("title", Rule.Function.TRUE), rule("roles", Rule.Function.EQUAL, "dial")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.TRUE), rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("dial"), Map.of(), true);
-        verify(List.of(rule("title", Rule.Function.CONTAIN, "Software"), rule("roles", Rule.Function.EQUAL, "dial")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.CONTAIN, "Software"), rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("custom"), Map.of("title", List.of("System Engineer")), false);
 
-        verify(List.of(rule("title", Rule.Function.EQUAL, "Software Engineer"), rule("roles", Rule.Function.EQUAL, "dial")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.EQUAL, "Software Engineer"), rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("admin"), Map.of("title", List.of("Software Engineer")), true);
-        verify(List.of(rule("title", Rule.Function.EQUAL, "Software Engineer"), rule("roles", Rule.Function.EQUAL, "dial")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.EQUAL, "Software Engineer"), rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("dial"), Map.of("title", List.of("Manager")), true);
-        verify(List.of(rule("title", Rule.Function.EQUAL, "Engineer"),  rule("roles", Rule.Function.EQUAL, "dial")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.EQUAL, "Engineer"),  rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("user"), Map.of("title", List.of("Software Engineer")), false);
 
-        verify(List.of(rule("email", Rule.Function.CONTAIN, "@example.com"), rule("roles", Rule.Function.EQUAL, "dial")),
+        verifyOnAccessToken(List.of(rule("email", Rule.Function.CONTAIN, "@example.com"), rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("admin"), Map.of("email", List.of("foo_bar@example.com")), true);
-        verify(List.of(rule("email", Rule.Function.CONTAIN, "@example.com"), rule("roles", Rule.Function.EQUAL, "dial")),
+        verifyOnAccessToken(List.of(rule("email", Rule.Function.CONTAIN, "@example.com"), rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("dial"), Map.of("email", List.of("foo_bar@example2.com")), true);
-        verify(List.of(rule("email", Rule.Function.CONTAIN, "@example.com"), rule("roles", Rule.Function.EQUAL, "dial")),
+        verifyOnAccessToken(List.of(rule("email", Rule.Function.CONTAIN, "@example.com"), rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("user"), Map.of("email", List.of("foo_bar@mail.com")), false);
-        verify(List.of(rule("email", Rule.Function.CONTAIN, "@example.com"), rule("roles", Rule.Function.EQUAL, "dial")),
+        verifyOnAccessToken(List.of(rule("email", Rule.Function.CONTAIN, "@example.com"), rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("user"), Map.of(), false);
 
-        verify(List.of(rule("title", Rule.Function.REGEX, ".*"), rule("roles", Rule.Function.EQUAL, "dial")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.REGEX, ".*"), rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("admin"), Map.of("title", List.of("Developer")), true);
-        verify(List.of(rule("title", Rule.Function.REGEX, "^Developer$"), rule("roles", Rule.Function.EQUAL, "dial")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.REGEX, "^Developer$"), rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("dial"), Map.of("title", List.of("Manager")), true);
-        verify(List.of(rule("title", Rule.Function.REGEX, "(Developer|Manager)"), rule("roles", Rule.Function.EQUAL, "dial")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.REGEX, "(Developer|Manager)"), rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("dial"), Map.of("title", List.of("Human Resource")), true);
-        verify(List.of(rule("title", Rule.Function.REGEX, ".*(Manager|Developer)$"), rule("roles", Rule.Function.EQUAL, "dial")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.REGEX, ".*(Manager|Developer)$"), rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("user"), Map.of("title", List.of("Senior Delivery Manager")), true);
-        verify(List.of(rule("title", Rule.Function.REGEX, ".*(Manager|Developer)$"), rule("roles", Rule.Function.EQUAL, "dial")),
+        verifyOnAccessToken(List.of(rule("title", Rule.Function.REGEX, ".*(Manager|Developer)$"), rule("roles", Rule.Function.EQUAL, "dial")),
                 List.of("user"), Map.of("title", List.of("Manager Senior")), false);
+
+        // test access by API key
+
+        verifyOnApiKey(List.of(rule("title", Rule.Function.TRUE), rule("roles", Rule.Function.EQUAL, "dial")),
+                List.of("user1"), false);
+
+
+        verifyOnApiKey(List.of(rule("title", Rule.Function.EQUAL, "Software Engineer"), rule("roles", Rule.Function.EQUAL, "dial")),
+                List.of("admin"), false);
+
+        verifyOnApiKey(List.of(rule("email", Rule.Function.CONTAIN, "@example.com"), rule("roles", Rule.Function.EQUAL, "dial")),
+                List.of("admin"), false);
+
+        verifyOnApiKey(List.of(rule("title", Rule.Function.REGEX, ".*"), rule("roles", Rule.Function.EQUAL, "dial")),
+                List.of("admin"), false);
     }
 
-    void verify(List<Rule> rules, List<String> userRoles, Map<String, List<String>> userClaims, boolean expected) {
+    void verifyOnAccessToken(List<Rule> rules, List<String> userRoles, Map<String, List<String>> userClaims, boolean expected) {
         ProxyContext context = Mockito.mock(ProxyContext.class);
+        Mockito.when(context.getUserRoles()).thenReturn(userRoles);
         ExtractedClaims claims = new ExtractedClaims("sub", userRoles, "hash", userClaims, null, null);
         Mockito.when(context.getExtractedClaims()).thenReturn(claims);
         boolean actual = RuleMatcher.match(context, rules);
         Assertions.assertEquals(expected, actual);
     }
 
-    void verify(Rule rule, boolean expected, String... roles) {
-        verify(List.of(rule), List.of(roles), Map.of(), expected);
+    void verifyOnAccessToken(Rule rule, boolean expected, String... roles) {
+        verifyOnAccessToken(List.of(rule), List.of(roles), Map.of(), expected);
+    }
+
+    void verifyOnApiKey(List<Rule> rules, List<String> userRoles, boolean expected) {
+        ProxyContext context = Mockito.mock(ProxyContext.class);
+        Mockito.when(context.getUserRoles()).thenReturn(userRoles);
+        boolean actual = RuleMatcher.match(context, rules);
+        Assertions.assertEquals(expected, actual);
+    }
+
+    void verifyOnApiKey(Rule rule, boolean expected, String... roles) {
+        verifyOnApiKey(List.of(rule), List.of(roles), expected);
     }
 
     Rule rule(String source, Rule.Function function, String... targets) {