fix(auth): attributes are not mapped to the claim with RestApiClaimPr…

…ovider (#961)

close #957

docs/docs/configuration/authentifications/external.md

@@ -49,12 +49,9 @@ and expect the following JSON as response :
 ````json
 {
   "roles": ["topic/read", "topic/write", "..."],
-  "attributes":
-  {
-    "topics-filter-regexp": [".*"],
-    "connects-filter-regexp": [".*"],
-    "consumer-groups-filter-regexp": [".*"]
-  }
+  "topics-filter-regexp": [".*"],
+  "connects-filter-regexp": [".*"],
+  "consumer-groups-filter-regexp": [".*"]
 }
 ````
 
@@ -69,15 +66,14 @@ akhq:
         package org.akhq.utils;
         class GroovyCustomClaimProvider implements ClaimProvider {
             @Override
-            AKHQClaimResponse generateClaim(AKHQClaimRequest request) {
-                AKHQClaimResponse a = new AKHQClaimResponse();
+            ClaimResponse generateClaim(ClaimRequest request) {
+                ClaimResponse a = new ClaimResponse();
                 a.roles = ["topic/read"]
-                a.attributes = [
-                        topicsFilterRegexp: [".*"],
-                        connectsFilterRegexp: [".*"],
-                        consumerGroupsFilterRegexp: [".*"]
-                ]
-                return a
+                a.topicsFilterRegexp: [".*"],
+                a.connectsFilterRegexp: [".*"],
+                a.consumerGroupsFilterRegexp: [".*"]
+
+        return a
             }
         }
     groups: # anything set here will not be used
@@ -86,23 +82,26 @@ akhq:
 ````java
 package org.akhq.utils;
 public interface ClaimProvider {
+    ClaimResponse generateClaim(ClaimRequest request);
+}
 
-    AKHQClaimResponse generateClaim(AKHQClaimRequest request);
+enum ClaimProviderType {
+  BASIC_AUTH,
+  LDAP,
+  OIDC
+}
+
+public class ClaimRequest {
+  ClaimProvider.ProviderType providerType;
+  String providerName;
+  String username;
+  List<String> groups;
+}
 
-    class AKHQClaimRequest{
-        ProviderType providerType;
-        String providerName;
-        String username;
-        List<String> groups;
-    }
-    class AKHQClaimResponse {
-        private List<String> roles;
-        private Map<String,Object> attributes;
-    }
-    enum ProviderType {
-        BASIC_AUTH,
-        LDAP,
-        OIDC
-    }
+public class ClaimResponse {
+    private List<String> roles;
+    private List<String> topicsFilterRegexp;
+    private List<String> connectsFilterRegexp;
+    private List<String> consumerGroupsFilterRegexp;
 }
 ````

src/main/java/org/akhq/modules/BasicAuthAuthenticationProvider.java

@@ -8,7 +8,10 @@
 import jakarta.inject.Singleton;
 import org.akhq.configs.BasicAuth;
 import org.akhq.configs.SecurityProperties;
+import org.akhq.utils.ClaimRequest;
+import org.akhq.utils.ClaimResponse;
 import org.akhq.utils.ClaimProvider;
+import org.akhq.utils.ClaimProviderType;
 import org.reactivestreams.Publisher;
 
 import java.util.Optional;
@@ -39,15 +42,15 @@ public Publisher<AuthenticationResponse> authenticate(@Nullable HttpRequest<?> h
             return Flowable.just(new AuthenticationFailed(AuthenticationFailureReason.CREDENTIALS_DO_NOT_MATCH));
         }
 
-        ClaimProvider.AKHQClaimRequest request = ClaimProvider.AKHQClaimRequest.builder()
-            .providerType(ClaimProvider.ProviderType.BASIC_AUTH)
+        ClaimRequest request = ClaimRequest.builder()
+            .providerType(ClaimProviderType.BASIC_AUTH)
             .providerName(null)
             .username(auth.getUsername())
             .groups(auth.getGroups())
             .build();
 
         try {
-            ClaimProvider.AKHQClaimResponse claim = claimProvider.generateClaim(request);
+            ClaimResponse claim = claimProvider.generateClaim(request);
             return Flowable.just(AuthenticationResponse.success(auth.getUsername(), claim.getRoles(), claim.getAttributes()));
         } catch (Exception e) {
             String claimProviderClass = claimProvider.getClass().getName();

src/main/java/org/akhq/modules/HeaderAuthenticationFetcher.java

@@ -12,7 +12,9 @@
 import io.reactivex.Flowable;
 import lombok.extern.slf4j.Slf4j;
 import org.akhq.configs.HeaderAuth;
+import org.akhq.utils.ClaimRequest;
 import org.akhq.utils.ClaimProvider;
+import org.akhq.utils.ClaimProviderType;
 import org.reactivestreams.Publisher;
 
 import java.net.InetSocketAddress;
@@ -95,9 +97,9 @@ public Publisher<Authentication> fetchAuthentication(HttpRequest<?> request) {
                     .flatMap(s -> Arrays.stream(s.split(headerAuth.getGroupsHeaderSeparator())))
                     .collect(Collectors.toList());
 
-                ClaimProvider.AKHQClaimRequest claim =
-                    ClaimProvider.AKHQClaimRequest.builder()
-                        .providerType(ClaimProvider.ProviderType.HEADER)
+                ClaimRequest claim =
+                    ClaimRequest.builder()
+                        .providerType(ClaimProviderType.HEADER)
                         .providerName(null)
                         .username(userHeaders.get())
                         .groups(groups)

src/main/java/org/akhq/modules/LdapContextAuthenticationMapper.java

@@ -6,10 +6,14 @@
 import io.micronaut.security.authentication.AuthenticationResponse;
 import io.micronaut.security.ldap.ContextAuthenticationMapper;
 import io.micronaut.security.ldap.DefaultContextAuthenticationMapper;
+import org.akhq.utils.ClaimRequest;
+import org.akhq.utils.ClaimResponse;
 import org.akhq.utils.ClaimProvider;
 
 import jakarta.inject.Inject;
 import jakarta.inject.Singleton;
+import org.akhq.utils.ClaimProviderType;
+
 import java.util.List;
 import java.util.Set;
 
@@ -21,14 +25,14 @@ public class LdapContextAuthenticationMapper implements ContextAuthenticationMap
 
     @Override
     public AuthenticationResponse map(ConvertibleValues<Object> attributes, String username, Set<String> groups) {
-        ClaimProvider.AKHQClaimRequest request = ClaimProvider.AKHQClaimRequest.builder()
-                .providerType(ClaimProvider.ProviderType.LDAP)
+        ClaimRequest request = ClaimRequest.builder()
+                .providerType(ClaimProviderType.LDAP)
                 .providerName(null)
                 .username(username)
                 .groups(List.copyOf(groups))
                 .build();
         try {
-            ClaimProvider.AKHQClaimResponse claim = claimProvider.generateClaim(request);
+            ClaimResponse claim = claimProvider.generateClaim(request);
             return AuthenticationResponse.success(username, claim.getRoles(), claim.getAttributes());
         } catch (Exception e) {
             String claimProviderClass = claimProvider.getClass().getName();

src/main/java/org/akhq/modules/OidcUserDetailsMapper.java

@@ -14,10 +14,14 @@
 import io.micronaut.security.oauth2.endpoint.token.response.OpenIdClaims;
 import io.micronaut.security.oauth2.endpoint.token.response.OpenIdTokenResponse;
 import org.akhq.configs.Oidc;
+import org.akhq.utils.ClaimRequest;
+import org.akhq.utils.ClaimResponse;
 import org.akhq.utils.ClaimProvider;
 
 import jakarta.inject.Inject;
 import jakarta.inject.Singleton;
+import org.akhq.utils.ClaimProviderType;
+
 import java.util.*;
 import java.util.stream.Collectors;
 
@@ -56,15 +60,15 @@ public AuthenticationResponse createAuthenticationResponse(String providerName,
 
         List<String> oidcGroups = getOidcGroups(provider, openIdClaims);
 
-        ClaimProvider.AKHQClaimRequest request = ClaimProvider.AKHQClaimRequest.builder()
-                .providerType(ClaimProvider.ProviderType.OIDC)
+        ClaimRequest request = ClaimRequest.builder()
+                .providerType(ClaimProviderType.OIDC)
                 .providerName(providerName)
                 .username(oidcUsername)
                 .groups(oidcGroups)
                 .build();
 
         try {
-            ClaimProvider.AKHQClaimResponse claim = claimProvider.generateClaim(request);
+            ClaimResponse claim = claimProvider.generateClaim(request);
             return AuthenticationResponse.success(oidcUsername, claim.getRoles(), claim.getAttributes());
         } catch (Exception e) {
             String claimProviderClass = claimProvider.getClass().getName();

src/main/java/org/akhq/utils/ClaimProvider.java

@@ -1,42 +1,6 @@
 package org.akhq.utils;
 
-import io.micronaut.core.annotation.Introspected;
-import lombok.Builder;
-import lombok.Getter;
-import lombok.Setter;
-
-import java.util.List;
-import java.util.Map;
-
 public interface ClaimProvider {
-
-    AKHQClaimResponse generateClaim(AKHQClaimRequest request);
-
-    enum ProviderType {
-        HEADER,
-        BASIC_AUTH,
-        LDAP,
-        OIDC
-    }
-
-    @Introspected
-    @Builder
-    @Getter
-    @Setter
-    class AKHQClaimResponse {
-        private List<String> roles;
-        private Map<String,Object> attributes;
-    }
-
-    @Introspected
-    @Builder
-    @Getter
-    @Setter
-    class AKHQClaimRequest{
-        ProviderType providerType;
-        String providerName;
-        String username;
-        List<String> groups;
-    }
+    ClaimResponse generateClaim(ClaimRequest request);
 
 }

src/main/java/org/akhq/utils/ClaimProviderType.java

@@ -0,0 +1,8 @@
+package org.akhq.utils;
+
+public enum ClaimProviderType {
+    HEADER,
+    BASIC_AUTH,
+    LDAP,
+    OIDC
+}

src/main/java/org/akhq/utils/ClaimRequest.java

@@ -0,0 +1,19 @@
+package org.akhq.utils;
+
+import io.micronaut.core.annotation.Introspected;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.Setter;
+
+import java.util.List;
+
+@Introspected
+@Builder
+@Getter
+@Setter
+public class ClaimRequest {
+    ClaimProviderType providerType;
+    String providerName;
+    String username;
+    List<String> groups;
+}

src/main/java/org/akhq/utils/ClaimResponse.java

@@ -0,0 +1,26 @@
+package org.akhq.utils;
+
+import io.micronaut.core.annotation.Introspected;
+import lombok.Builder;
+import lombok.Getter;
+
+import java.util.List;
+import java.util.Map;
+
+@Introspected
+@Builder
+@Getter
+public class ClaimResponse {
+    private List<String> roles;
+    private List<String> topicsFilterRegexp;
+    private List<String> connectsFilterRegexp;
+    private List<String> consumerGroupsFilterRegexp;
+
+    public Map<String, Object> getAttributes() {
+        return Map.of(
+            "topicsFilterRegexp", topicsFilterRegexp,
+            "connectsFilterRegexp", connectsFilterRegexp,
+            "consumerGroupsFilterRegexp", consumerGroupsFilterRegexp
+        );
+    }
+}

src/main/java/org/akhq/utils/GroovyClaimProvider.java

@@ -35,7 +35,7 @@ private void init() {
     }
 
     @Override
-    public AKHQClaimResponse generateClaim(AKHQClaimRequest request) {
+    public ClaimResponse generateClaim(ClaimRequest request) {
         return groovyImpl.generateClaim(request);
     }
 }

src/main/java/org/akhq/utils/LocalSecurityClaimProvider.java

@@ -2,13 +2,12 @@
 
 import io.micronaut.context.annotation.Secondary;
 import io.micronaut.core.util.StringUtils;
-import org.akhq.configs.*;
-
 import jakarta.inject.Inject;
 import jakarta.inject.Singleton;
+import org.akhq.configs.*;
+
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Map;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -26,7 +25,7 @@ public class LocalSecurityClaimProvider implements ClaimProvider {
     Oidc oidcProperties;
 
     @Override
-    public AKHQClaimResponse generateClaim(AKHQClaimRequest request) {
+    public ClaimResponse generateClaim(ClaimRequest request) {
         List<UserMapping> userMappings;
         List<GroupMapping> groupMappings;
         String defaultGroup;
@@ -102,17 +101,13 @@ public List<String> mapToAkhqGroups(
         ).distinct().collect(Collectors.toList());
     }
 
-    public AKHQClaimResponse generateClaimFromAKHQGroups(String username, List<String> groups) {
-        return AKHQClaimResponse.builder()
-                .roles(getUserRoles(groups))
-                .attributes(
-                        Map.of(
-                                "topicsFilterRegexp", getAttributeMergedList(groups, "topicsFilterRegexp"),
-                                "connectsFilterRegexp", getAttributeMergedList(groups, "connectsFilterRegexp"),
-                                "consumerGroupsFilterRegexp", getAttributeMergedList(groups, "consumerGroupsFilterRegexp")
-                        )
-                )
-                .build();
+    public ClaimResponse generateClaimFromAKHQGroups(String username, List<String> groups) {
+        return ClaimResponse.builder()
+            .roles(getUserRoles(groups))
+            .topicsFilterRegexp(getAttributeMergedList(groups, "topicsFilterRegexp"))
+            .connectsFilterRegexp(getAttributeMergedList(groups, "connectsFilterRegexp"))
+            .consumerGroupsFilterRegexp(getAttributeMergedList(groups, "consumerGroupsFilterRegexp"))
+            .build();
     }
 
     /**

src/main/java/org/akhq/utils/RestApiClaimProvider.java

@@ -11,8 +11,7 @@
 @Requires(property = "akhq.security.rest.enabled", value = StringUtils.TRUE)
 @Client("${akhq.security.rest.url}")
 public interface RestApiClaimProvider extends ClaimProvider {
-
     @Post
     @Override
-    AKHQClaimResponse generateClaim(@Body AKHQClaimRequest request);
+    ClaimResponse generateClaim(@Body ClaimRequest request);
 }