From 0e27dc5b8f4df614aecbed19dc6423f84f1952c5 Mon Sep 17 00:00:00 2001
From: Alexis Souquiere
Date: Mon, 2 Oct 2023 14:44:26 +0200
Subject: [PATCH 1/2] Add key/value suffix for schema filtering on LITERAL ACL on v3 claim
---
 .../AkhqClaimProviderController.java | 25 +++++++++++++------
 .../AkhqClaimProviderControllerV3Test.java | 4 +--
 2 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/src/main/java/com/michelin/ns4kafka/controllers/AkhqClaimProviderController.java b/src/main/java/com/michelin/ns4kafka/controllers/AkhqClaimProviderController.java
index 0371a864..118a5506 100644
--- a/src/main/java/com/michelin/ns4kafka/controllers/AkhqClaimProviderController.java
+++ b/src/main/java/com/michelin/ns4kafka/controllers/AkhqClaimProviderController.java
@@ -189,13 +189,24 @@ public AkhqClaimResponseV3 generateClaimV3(@Valid @Body AkhqClaimRequest request
 // Add the same pattern and cluster filtering for SCHEMA as the TOPIC ones
 result.addAll(result.stream()
- .filter(g -> g.role.equals(config.getRoles().get(AccessControlEntry.ResourceType.TOPIC)))
- .map(g -> AkhqClaimResponseV3.Group.builder()
- .role(config.getRoles().get(AccessControlEntry.ResourceType.SCHEMA))
- .patterns(g.getPatterns())
- .clusters(g.getClusters())
- .build()
- ).toList());
+ .filter(g -> g.role.equals(config.getRoles().get(AccessControlEntry.ResourceType.TOPIC)))
+ .map(g -> {
+ List patterns = new ArrayList<>(
+ g.getPatterns().stream().filter(p -> p.contains(".*")).toList());
+
+ // For literal Topic ACL, we need to add the -key or -value prefix to the schema pattern
+ patterns.addAll(g.getPatterns().stream()
+ .filter(p -> !p.contains(".*"))
+ .map(p -> p.replace("\\E$", "-\\E(key|value)$"))
+ .toList());
+
+ return AkhqClaimResponseV3.Group.builder()
+ .role(config.getRoles().get(AccessControlEntry.ResourceType.SCHEMA))
+ .patterns(patterns)
+ .clusters(g.getClusters())
+ .build();
+ }
+ ).toList());
 return AkhqClaimResponseV3.builder()
 .groups(result.isEmpty() ? null : Map.of("group", result))
diff --git a/src/test/java/com/michelin/ns4kafka/controllers/AkhqClaimProviderControllerV3Test.java b/src/test/java/com/michelin/ns4kafka/controllers/AkhqClaimProviderControllerV3Test.java
index e25a516f..43db538a 100644
--- a/src/test/java/com/michelin/ns4kafka/controllers/AkhqClaimProviderControllerV3Test.java
+++ b/src/test/java/com/michelin/ns4kafka/controllers/AkhqClaimProviderControllerV3Test.java
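Review bot: The `.map(p -> p.replace("\\E$", "-\\E(key|value)$"))` step in the new lambda edits the regex as plain text, and `String.replace` rewrites every occurrence of `\E$`, not only the trailing anchor, so the result is only right while each LITERAL pattern has exactly the `^\Q…\E$` shape that is built outside this hunk. Since these patterns decide which schema subjects a claim exposes, I would tie the rewrite to the end of the string, e.g. `p.substring(0, p.length() - "\\E$".length()) + "-\\E(key|value)$"` for patterns that end with `\E$`. The comment above it says "prefix" although `-key`/`-value` is appended; something like `// LITERAL topic ACL: append the -key/-value suffix so the pattern matches the topic's schema subjects` reads correctly, and it could also state that only `<topic>-key` and `<topic>-value` subject names are covered. generateClaimV3 starts and ends outside the hunk.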
@@ -493,8 +493,8 @@ void generateClaimAndOptimizePatterns() {
 );
 Assertions.assertEquals("registry-read", groups.get(2).getRole());
 Assertions.assertEquals(
- List.of("^\\Qproject1.\\E.*$", "^\\Qproject2.topic2\\E$", "^\\Qproject2.topic2a\\E$",
- "^\\Qproject2.topic3\\E$", "^\\Qproject3.\\E.*$"),
+ List.of("^\\Qproject1.\\E.*$", "^\\Qproject3.\\E.*$", "^\\Qproject2.topic2-\\E(key|value)$",
+ "^\\Qproject2.topic2a-\\E(key|value)$", "^\\Qproject2.topic3-\\E(key|value)$"),
 groups.get(2).getPatterns()
 );
 }
From 0a26ad52df0fc8af68645b4d33b9481eef57d71e Mon Sep 17 00:00:00 2001
From: Alexis Souquiere
Date: Mon, 2 Oct 2023 15:46:46 +0200
Subject: [PATCH 2/2] Updating literal/prefixed tests
---
 .../ns4kafka/controllers/AkhqClaimProviderController.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/main/java/com/michelin/ns4kafka/controllers/AkhqClaimProviderController.java b/src/main/java/com/michelin/ns4kafka/controllers/AkhqClaimProviderController.java
index 118a5506..c738ea02 100644
--- a/src/main/java/com/michelin/ns4kafka/controllers/AkhqClaimProviderController.java
+++ b/src/main/java/com/michelin/ns4kafka/controllers/AkhqClaimProviderController.java
@@ -191,12 +191,13 @@ public AkhqClaimResponseV3 generateClaimV3(@Valid @Body AkhqClaimRequest request
 result.addAll(result.stream()
 .filter(g -> g.role.equals(config.getRoles().get(AccessControlEntry.ResourceType.TOPIC)))
 .map(g -> {
+ // Takes all the PREFIXED patterns as-is
 List patterns = new ArrayList<>(
- g.getPatterns().stream().filter(p -> p.contains(".*")).toList());
+ g.getPatterns().stream().filter(p -> p.endsWith("\\E.*$")).toList());
- // For literal Topic ACL, we need to add the -key or -value prefix to the schema pattern
+ // Add -key or -value prefix to the schema pattern for LITERAL patterns
 patterns.addAll(g.getPatterns().stream()
- .filter(p -> !p.contains(".*"))
+ .filter(p -> p.endsWith("\\E$"))
 .map(p -> p.replace("\\E$", "-\\E(key|value)$"))
 .toList());
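Review bot: In the PATCH 2/2 hunk, the two `endsWith` filters no longer partition the list: a TOPIC pattern that ends in neither `\E.*$` nor `\E$` is left out of the SCHEMA group silently, whereas the `contains(".*")` pair it replaces always placed a pattern in one list or the other. Leaving a pattern out is the restrictive outcome for an access claim, but the hunk does not show whether other shapes can reach this lambda, so I would make the intent explicit with a comment such as `// Patterns that are neither PREFIXED nor LITERAL are deliberately not copied to SCHEMA` or a debug log of the skipped entries. The suffix strings `"\\E.*$"` and `"\\E$"` are repeated across the filters and the `replace` call and mirror a format produced elsewhere; two named constants would keep them in step. The test hunk of PATCH 1/2 asserts only PREFIXED and LITERAL inputs, so this case is not pinned by a test in the series. The lambda and generateClaimV3 continue outside the hunk.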