refactor: rule resolver and role binding lister (#2119)

src/main/java/run/halo/app/config/WebSecurityConfig.java

@@ -53,10 +53,8 @@ import run.halo.app.identity.authentication.ProviderSettings;
 import run.halo.app.identity.authentication.verifier.BearerTokenAuthenticationFilter;
 import run.halo.app.identity.authentication.verifier.JwtAccessTokenNonBlockedValidator;
 import run.halo.app.identity.authentication.verifier.TokenAuthenticationManagerResolver;
-import run.halo.app.identity.authorization.DefaultRoleBindingLister;
 import run.halo.app.identity.authorization.DefaultRoleGetter;
 import run.halo.app.identity.authorization.RequestInfoAuthorizationManager;
-import run.halo.app.identity.authorization.RoleBindingLister;
 import run.halo.app.identity.authorization.RoleGetter;
 import run.halo.app.identity.entrypoint.JwtAccessDeniedHandler;
 import run.halo.app.identity.entrypoint.JwtAuthenticationEntryPoint;
@@ -131,9 +129,8 @@ public class WebSecurityConfig {
     }
 
     RequestInfoAuthorizationManager requestInfoAuthorizationManager() {
-        RoleBindingLister roleBindingLister = new DefaultRoleBindingLister();
         RoleGetter roleGetter = new DefaultRoleGetter(extensionClient);
-        return new RequestInfoAuthorizationManager(roleGetter, roleBindingLister);
+        return new RequestInfoAuthorizationManager(roleGetter);
     }
 
     AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver() {

src/main/java/run/halo/app/identity/authorization/DefaultRoleBindingLister.java

@@ -1,12 +1,13 @@
 package run.halo.app.identity.authorization;
 
-import java.util.ArrayList;
 import java.util.Collections;
-import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
-import run.halo.app.extension.Metadata;
+import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 
 /**
  * <p>Obtain the authorities from the authenticated authentication and construct it as a RoleBinding
@@ -15,67 +16,29 @@ import run.halo.app.extension.Metadata;
  * so there is no need to query from the database.</p>
  * <p>For tokens in other formats, after authentication, fill the authorities with the token into
  * the SecurityContextHolder.</p>
- * <pre>
- * kind: RoleBinding
- * metadata:
- *   name: some-name
- * subjects:
- * # You can specify more than one "subject"
- * - kind: User
- *   name: some-username
- * roleRef:
- *   kind: Role
- *   name: role-name
- * </pre>
  *
  * @author guqing
+ * @see AnonymousAuthenticationFilter
  * @since 2.0.0
  */
+@Slf4j
 public class DefaultRoleBindingLister implements RoleBindingLister {
     private static final String SCOPE_AUTHORITY_PREFIX = "SCOPE_";
     private static final String ROLE_AUTHORITY_PREFIX = "ROLE_";
 
     @Override
-    public List<RoleBinding> listRoleBindings() {
+    public Set<String> listBoundRoleNames() {
         Authentication authentication = SecurityContextHolder.getContext()
             .getAuthentication();
         if (authentication == null) {
-            return Collections.emptyList();
+            log.debug("No authentication found in SecurityContext.");
+            return Collections.emptySet();
         }
-        String username = authentication.getName();
-
-        List<String> roleNames = roleNamesFromAuthentication();
-
-        List<RoleBinding> roleBindings = new ArrayList<>(roleNames.size());
-        for (String roleName : roleNames) {
-            RoleBinding roleBinding = new RoleBinding();
-            // metadata
-            Metadata metadata = new Metadata();
-            metadata.setName(username + "_" + roleName);
-            roleBinding.setMetadata(metadata);
-
-            // role ref
-            RoleRef roleRef = new RoleRef();
-            roleRef.setKind("Role");
-            roleRef.setName(roleName);
-            roleBinding.setRoleRef(roleRef);
-
-            // subject
-            Subject subject = new Subject();
-            subject.setKind("User");
-            subject.setName(username);
-            roleBinding.setSubjects(List.of(subject));
-            roleBindings.add(roleBinding);
-        }
-        return roleBindings;
-    }
-
-    private List<String> roleNamesFromAuthentication() {
-        Authentication authentication = SecurityContextHolder.getContext()
-            .getAuthentication();
         return authentication.getAuthorities()
             .stream()
             .map(GrantedAuthority::getAuthority)
+            // Exclude anonymous user roles
+            .filter(authority -> !authority.equals("ROLE_ANONYMOUS"))
             .map(scope -> {
                 if (scope.startsWith(SCOPE_AUTHORITY_PREFIX)) {
                     return scope.replaceFirst(SCOPE_AUTHORITY_PREFIX, "");
@@ -85,6 +48,6 @@ public class DefaultRoleBindingLister implements RoleBindingLister {
                 }
                 return scope;
             })
-            .toList();
+            .collect(Collectors.toSet());
     }
 }

src/main/java/run/halo/app/identity/authorization/DefaultRuleResolver.java

@@ -2,9 +2,10 @@ package run.halo.app.identity.authorization;
 
 import java.util.Collections;
 import java.util.List;
+import java.util.Set;
 import lombok.Data;
-import org.apache.commons.lang3.StringUtils;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.util.Assert;
 
 /**
  * @author guqing
@@ -12,13 +13,13 @@ import org.springframework.security.core.userdetails.UserDetails;
  */
 @Data
 public class DefaultRuleResolver implements AuthorizationRuleResolver {
-    private static final String USER_KIND = "User";
-    RoleGetter roleGetter;
-    RoleBindingLister roleBindingLister;
 
-    public DefaultRuleResolver(RoleGetter roleGetter, RoleBindingLister roleBindingLister) {
+    private RoleGetter roleGetter;
+
+    private RoleBindingLister roleBindingLister = new DefaultRoleBindingLister();
+
+    public DefaultRuleResolver(RoleGetter roleGetter) {
         this.roleGetter = roleGetter;
-        this.roleBindingLister = roleBindingLister;
     }
 
     @Override
@@ -38,26 +39,12 @@ public class DefaultRuleResolver implements AuthorizationRuleResolver {
 
     @Override
     public void visitRulesFor(UserDetails user, RuleAccumulator visitor) {
-        List<RoleBinding> roleBindings = Collections.emptyList();
+        Set<String> roleNames = roleBindingLister.listBoundRoleNames();
-        try {
-            roleBindings = roleBindingLister.listRoleBindings();
-        } catch (Exception e) {
-            if (visitor.visit(null, null, e)) {
-                return;
-            }
-        }
 
-        for (RoleBinding roleBinding : roleBindings) {
+        List<PolicyRule> rules = Collections.emptyList();
-            AppliesResult appliesResult = appliesTo(user, roleBinding.subjects);
+        for (String roleName : roleNames) {
-            if (!appliesResult.applies) {
-                continue;
-            }
-
-            Subject subject = roleBinding.subjects.get(appliesResult.subjectIndex);
-
-            List<PolicyRule> rules = Collections.emptyList();
             try {
-                Role role = roleGetter.getRole(roleBinding.roleRef.name);
+                Role role = roleGetter.getRole(roleName);
                 rules = role.getRules();
             } catch (Exception e) {
                 if (visitor.visit(null, null, e)) {
@@ -65,7 +52,7 @@ public class DefaultRuleResolver implements AuthorizationRuleResolver {
                 }
             }
 
-            String source = roleBindingDescriber(roleBinding, subject);
+            String source = roleBindingDescriber(roleName, user.getUsername());
             for (PolicyRule rule : rules) {
                 if (!visitor.visit(source, rule, null)) {
                     return;
@@ -74,28 +61,12 @@ public class DefaultRuleResolver implements AuthorizationRuleResolver {
         }
     }
 
-    String roleBindingDescriber(RoleBinding roleBinding, Subject subject) {
+    String roleBindingDescriber(String roleName, String subject) {
-        String describeSubject = String.format("%s %s", subject.kind, subject.name);
+        return String.format("Binding role [%s] to [%s]", roleName, subject);
-        return String.format("RoleBinding %s of %s %s to %s", roleBinding.getMetadata().getName(),
-            roleBinding.roleRef.getKind(), roleBinding.roleRef.getName(), describeSubject);
     }
 
-    AppliesResult appliesTo(UserDetails user, List<Subject> bindingSubjects) {
+    public void setRoleBindingLister(RoleBindingLister roleBindingLister) {
-        for (int i = 0; i < bindingSubjects.size(); i++) {
+        Assert.notNull(roleBindingLister, "The roleBindingLister must not be null.");
-            if (appliesToUser(user, bindingSubjects.get(i))) {
+        this.roleBindingLister = roleBindingLister;
-                return new AppliesResult(true, i);
-            }
-        }
-        return new AppliesResult(false, 0);
-    }
-
-    boolean appliesToUser(UserDetails user, Subject subject) {
-        if (USER_KIND.equals(subject.kind)) {
-            return StringUtils.equals(user.getUsername(), subject.name);
-        }
-        return false;
-    }
-
-    record AppliesResult(boolean applies, int subjectIndex) {
     }
 }

src/main/java/run/halo/app/identity/authorization/NonResourceRuleInfo.java

@@ -1,8 +0,0 @@
-package run.halo.app.identity.authorization;
-
-/**
- * @author guqing
- * @since 2.0.0
- */
-public class NonResourceRuleInfo {
-}

src/main/java/run/halo/app/identity/authorization/PolicyRuleInfo.java

@@ -1,12 +0,0 @@
-package run.halo.app.identity.authorization;
-
-import java.util.List;
-
-/**
- * @author guqing
- * @since 2.0.0
- */
-public class PolicyRuleInfo {
-    List<ResourceRuleInfo> resourceRules;
-    List<NonResourceRuleInfo> nonResourceRules;
-}

src/main/java/run/halo/app/identity/authorization/RequestInfoAuthorizationManager.java

@@ -26,9 +26,8 @@ public class RequestInfoAuthorizationManager
 
     private AuthorizationRuleResolver ruleResolver;
 
-    public RequestInfoAuthorizationManager(RoleGetter roleGetter,
+    public RequestInfoAuthorizationManager(RoleGetter roleGetter) {
-        RoleBindingLister roleBindingLister) {
+        this.ruleResolver = new DefaultRuleResolver(roleGetter);
-        this.ruleResolver = new DefaultRuleResolver(roleGetter, roleBindingLister);
     }
 
     @Override

src/main/java/run/halo/app/identity/authorization/ResourceRuleInfo.java

@@ -1,8 +0,0 @@
-package run.halo.app.identity.authorization;
-
-/**
- * @author guqing
- * @since 2.0.0
- */
-public class ResourceRuleInfo {
-}

src/main/java/run/halo/app/identity/authorization/RoleBindingLister.java

@@ -1,6 +1,6 @@
 package run.halo.app.identity.authorization;
 
-import java.util.List;
+import java.util.Set;
 
 /**
  * @author guqing
@@ -9,5 +9,5 @@ import java.util.List;
 @FunctionalInterface
 public interface RoleBindingLister {
 
-    List<RoleBinding> listRoleBindings();
+    Set<String> listBoundRoleNames();
 }

src/test/java/run/halo/app/authorization/DefaultRoleBindingListerTest.java

@@ -2,14 +2,13 @@ package run.halo.app.authorization;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
-import java.util.List;
+import java.util.Set;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import run.halo.app.identity.authorization.DefaultRoleBindingLister;
-import run.halo.app.identity.authorization.RoleBinding;
 
 /**
  * Tests for {@link DefaultRoleBindingLister}.
@@ -30,30 +29,15 @@ public class DefaultRoleBindingListerTest {
     @Test
     @WithMockUser(username = "test", roles = {"readPost", "readTag"})
     void listWhenAuthorizedWithTwoRoles() {
-        List<RoleBinding> roleBindings = roleBindingLister.listRoleBindings();
+        Set<String> roleBindings = roleBindingLister.listBoundRoleNames();
         assertThat(roleBindings).isNotNull();
         assertThat(roleBindings.size()).isEqualTo(2);
-
+        assertThat(roleBindings).containsAll(Set.of("readPost", "readTag"));
-        RoleBinding readPostRoleBinding = roleBindings.get(0);
-        assertThat(readPostRoleBinding.getMetadata()).isNotNull();
-        assertThat(readPostRoleBinding.getMetadata().getName()).isNotNull();
-        assertThat(readPostRoleBinding.getSubjects()).allMatch(subject ->
-            "test".equals(subject.getName())
-                && "User".equals(subject.getKind()));
-        assertThat(readPostRoleBinding.getRoleRef().getName()).isEqualTo("readPost");
-
-        RoleBinding readTagRoleBinding = roleBindings.get(1);
-        assertThat(readTagRoleBinding.getMetadata()).isNotNull();
-        assertThat(readTagRoleBinding.getMetadata().getName()).isNotNull();
-        assertThat(readTagRoleBinding.getSubjects()).allMatch(subject ->
-            "test".equals(subject.getName())
-                && "User".equals(subject.getKind()));
-        assertThat(readTagRoleBinding.getRoleRef().getName()).isEqualTo("readTag");
     }
 
     @Test
     void listWhenUnauthorizedThenEmpty() {
-        List<RoleBinding> roleBindings = roleBindingLister.listRoleBindings();
+        Set<String> roleBindings = roleBindingLister.listBoundRoleNames();
         assertThat(roleBindings).isEmpty();
     }
 }

src/test/java/run/halo/app/authorization/RequestInfoResolverTest.java

@@ -5,6 +5,7 @@ import static org.assertj.core.api.Assertions.assertThat;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import org.apache.commons.lang3.RegExUtils;
 import org.junit.jupiter.api.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
@@ -21,9 +22,6 @@ import run.halo.app.identity.authorization.RbacRequestEvaluation;
 import run.halo.app.identity.authorization.RequestInfo;
 import run.halo.app.identity.authorization.RequestInfoFactory;
 import run.halo.app.identity.authorization.Role;
-import run.halo.app.identity.authorization.RoleBinding;
-import run.halo.app.identity.authorization.RoleRef;
-import run.halo.app.identity.authorization.Subject;
 
 /**
  * Tests for {@link RequestInfoFactory}.
@@ -135,29 +133,12 @@ public class RequestInfoResolverTest {
             metadata.setName("ruleReadPost");
             role.setMetadata(metadata);
             return role;
-        }, () -> {
-            // role binding lister
-            RoleBinding roleBinding = new RoleBinding();
-            Metadata metadata = new Metadata();
-            metadata.setName("admin_ruleReadPost");
-            roleBinding.setMetadata(metadata);
-
-            Subject subject = new Subject();
-            subject.setName("admin");
-            subject.setKind("User");
-            subject.setApiGroup("");
-            roleBinding.setSubjects(List.of(subject));
-
-            RoleRef roleRef = new RoleRef();
-            roleRef.setKind("Role");
-            roleRef.setName("ruleReadPost");
-            roleRef.setApiGroup("");
-            roleBinding.setRoleRef(roleRef);
-
-            return List.of(roleBinding);
         });
+        // list bound role names
+        ruleResolver.setRoleBindingLister(() -> Set.of("ruleReadPost"));
 
         User user = new User("admin", "123456", AuthorityUtils.createAuthorityList("ruleReadPost"));
+
         // resolve user rules
         List<PolicyRule> rules = ruleResolver.rulesFor(user);
         assertThat(rules).isNotNull();
@@ -175,7 +156,6 @@ public class RequestInfoResolverTest {
         }
     }
 
-
     public record NonApiCase(String url, boolean expected){}
 
     public record ErrorCases(String desc, String url) {}

src/test/java/run/halo/app/integration/security/TestWebSecurityConfig.java

@@ -59,9 +59,6 @@ import run.halo.app.identity.authentication.verifier.TokenAuthenticationManagerR
 import run.halo.app.identity.authorization.PolicyRule;
 import run.halo.app.identity.authorization.RequestInfoAuthorizationManager;
 import run.halo.app.identity.authorization.Role;
-import run.halo.app.identity.authorization.RoleBinding;
-import run.halo.app.identity.authorization.RoleRef;
-import run.halo.app.identity.authorization.Subject;
 import run.halo.app.identity.entrypoint.Oauth2LogoutHandler;
 import run.halo.app.infra.properties.JwtProperties;
 import run.halo.app.infra.utils.HaloUtils;
@@ -140,27 +137,6 @@ public class TestWebSecurityConfig {
             metadata.setName("ruleReadPost");
             role.setMetadata(metadata);
             return role;
-        }, () -> {
-            // role binding lister
-            RoleBinding roleBinding = new RoleBinding();
-
-            Metadata metadata = new Metadata();
-            metadata.setName("userRoleBinding");
-            roleBinding.setMetadata(metadata);
-
-            Subject subject = new Subject();
-            subject.setName("test_user");
-            subject.setKind("User");
-            subject.setApiGroup("");
-            roleBinding.setSubjects(List.of(subject));
-
-            RoleRef roleRef = new RoleRef();
-            roleRef.setKind("Role");
-            roleRef.setName("ruleReadPost");
-            roleRef.setApiGroup("");
-            roleBinding.setRoleRef(roleRef);
-
-            return List.of(roleBinding);
         });
     }