Merge remote-tracking branch 'real-origin/main' into issues/344

Author: seono

api/build.gradle

@@ -62,6 +62,15 @@ dependencies {
     implementation libs.netty.common
     implementation libs.netty.handler
 
+
+    // Google Managed Service for Kafka IAM support
+    implementation (libs.google.managed.kafka.login.handler) {
+        exclude group: 'com.google.oauth-client', module: 'google-oauth-client'
+    }
+    implementation (libs.google.oauth.client) {
+        because("CVE Fix: It is excluded above because of a vulnerability")
+    }
+
     // Annotation processors
     implementation libs.lombok
     implementation libs.mapstruct

api/src/main/java/io/kafbat/ui/emitter/MessageFilters.java

@@ -7,6 +7,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.ImmutableCollection;
 import com.google.common.collect.ImmutableSet;
+import com.google.protobuf.NullValue;
 import dev.cel.common.CelAbstractSyntaxTree;
 import dev.cel.common.CelOptions;
 import dev.cel.common.CelValidationException;
@@ -26,6 +27,7 @@
 import io.kafbat.ui.exception.CelException;
 import io.kafbat.ui.model.TopicMessageDTO;
 import java.util.HashMap;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
@@ -38,11 +40,13 @@
 @Slf4j
 @UtilityClass
 public class MessageFilters {
+
   private static final String CEL_RECORD_VAR_NAME = "record";
   private static final String CEL_RECORD_TYPE_NAME = TopicMessageDTO.class.getSimpleName();
 
   private static final CelCompiler CEL_COMPILER = createCompiler();
   private static final CelRuntime CEL_RUNTIME = createRuntime();
+  private static final Object CELL_NULL_VALUE = NullValue.NULL_VALUE;
 
   private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
 
@@ -188,10 +192,34 @@ private static Object parseToJsonOrReturnAsIs(@Nullable String str) {
     }
 
     try {
-      return OBJECT_MAPPER.readValue(str, new TypeReference<Map<String, Object>>() {
-      });
+      //@formatter:off
+      var map = OBJECT_MAPPER.readValue(str, new TypeReference<Map<String, Object>>() {});
+      //@formatter:on
+      return replaceCelNulls(map);
     } catch (JsonProcessingException e) {
       return str;
     }
   }
+
+  @SuppressWarnings("unchecked")
+  private static Map<String, Object> replaceCelNulls(Map<String, Object> map) {
+    var result = new LinkedHashMap<String, Object>();
+
+    for (var entry : map.entrySet()) {
+      String key = entry.getKey();
+      Object value = entry.getValue();
+
+      if (value == null) {
+        result.put(key, CELL_NULL_VALUE);
+      } else if (value instanceof Map<?, ?>) {
+        var inner = (Map<String, Object>) value;
+        result.put(key, replaceCelNulls(inner));
+      } else {
+        result.put(key, value);
+      }
+    }
+
+    return result;
+  }
+
 }

api/src/test/java/io/kafbat/ui/emitter/MessageFiltersTest.java

@@ -201,6 +201,18 @@ void filterSpeedIsAtLeast5kPerSec() {
       assertThat(took).isLessThan(1000);
       assertThat(matched).isPositive();
     }
+
+    @Test
+    void nullFiltering() {
+      String msg = "{ \"field\": { \"inner\": null } }";
+
+      var f = celScriptFilter("record.value.field.inner == null");
+      assertTrue(f.test(msg().content(msg)));
+
+      f = celScriptFilter("record.value.field.inner != null");
+      assertFalse(f.test(msg().content(msg)));
+    }
+
   }
 
   @Test

api/src/test/java/io/kafbat/ui/service/rbac/AccessControlServiceRbacDisabledTest.java

@@ -0,0 +1,173 @@
+package io.kafbat.ui.service.rbac;
+
+import static io.kafbat.ui.service.rbac.MockedRbacUtils.CONNECT_NAME;
+import static io.kafbat.ui.service.rbac.MockedRbacUtils.CONSUMER_GROUP_NAME;
+import static io.kafbat.ui.service.rbac.MockedRbacUtils.DEV_ROLE;
+import static io.kafbat.ui.service.rbac.MockedRbacUtils.PROD_CLUSTER;
+import static io.kafbat.ui.service.rbac.MockedRbacUtils.SCHEMA_NAME;
+import static io.kafbat.ui.service.rbac.MockedRbacUtils.TOPIC_NAME;
+import static io.kafbat.ui.service.rbac.MockedRbacUtils.getAccessContext;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.when;
+
+import io.kafbat.ui.AbstractIntegrationTest;
+import io.kafbat.ui.config.auth.RbacUser;
+import io.kafbat.ui.model.ClusterDTO;
+import io.kafbat.ui.model.ConnectDTO;
+import io.kafbat.ui.model.InternalTopic;
+import io.kafbat.ui.model.rbac.AccessContext;
+import io.kafbat.ui.model.rbac.Role;
+import java.util.List;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mock;
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.ReactiveSecurityContextHolder;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.test.annotation.DirtiesContext;
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
+
+/**
+ * Test cases for AccessControlService when RBAC is disabled.
+ * Using PROD cluster and user DEV role for all tests.
+ */
+@DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_CLASS)
+class AccessControlServiceRbacDisabledTest extends AbstractIntegrationTest {
+
+  @Autowired
+  AccessControlService accessControlService;
+
+  @Mock
+  SecurityContext securityContext;
+
+  @Mock
+  Authentication authentication;
+
+  @Mock
+  RbacUser user;
+
+  @BeforeEach
+  void setUp() {
+    // Mock security context
+    when(securityContext.getAuthentication()).thenReturn(authentication);
+    when(authentication.getPrincipal()).thenReturn(user);
+  }
+
+  public void withSecurityContext(Runnable runnable) {
+    try (MockedStatic<ReactiveSecurityContextHolder> ctxHolder = Mockito.mockStatic(
+        ReactiveSecurityContextHolder.class)) {
+      // Mock static method to get security context
+      ctxHolder.when(ReactiveSecurityContextHolder::getContext).thenReturn(Mono.just(securityContext));
+      runnable.run();
+    }
+  }
+
+  @Test
+  void validateAccess() {
+    withSecurityContext(() -> {
+      when(user.groups()).thenReturn(List.of(DEV_ROLE));
+      AccessContext context = getAccessContext(PROD_CLUSTER, true);
+      Mono<Void> validateAccessMono = accessControlService.validateAccess(context);
+      StepVerifier.create(validateAccessMono)
+          .expectComplete()
+          .verify();
+    });
+  }
+
+  @Test
+  void isClusterAccessible() {
+    withSecurityContext(() -> {
+      when(user.groups()).thenReturn(List.of(DEV_ROLE));
+      ClusterDTO clusterDto = new ClusterDTO();
+      clusterDto.setName(PROD_CLUSTER);
+      Mono<Boolean> clusterAccessibleMono = accessControlService.isClusterAccessible(clusterDto);
+      StepVerifier.create(clusterAccessibleMono)
+          .expectNext(true)
+          .expectComplete()
+          .verify();
+    });
+  }
+
+  @Test
+  void filterViewableTopics() {
+    withSecurityContext(() -> {
+      when(user.groups()).thenReturn(List.of(DEV_ROLE));
+      List<InternalTopic> topics = List.of(
+          InternalTopic.builder()
+              .name(TOPIC_NAME)
+              .build()
+      );
+      Mono<List<InternalTopic>> filterTopicsMono = accessControlService.filterViewableTopics(topics, PROD_CLUSTER);
+      StepVerifier.create(filterTopicsMono)
+          .expectNextMatches(responseTopics -> responseTopics.stream().anyMatch(t -> t.getName().equals(TOPIC_NAME)))
+          .expectComplete()
+          .verify();
+    });
+  }
+
+  @Test
+  void isConsumerGroupAccessible() {
+    withSecurityContext(() -> {
+      when(user.groups()).thenReturn(List.of(DEV_ROLE));
+      Mono<Boolean> consumerGroupAccessibleMono =
+          accessControlService.isConsumerGroupAccessible(CONSUMER_GROUP_NAME, PROD_CLUSTER);
+      StepVerifier.create(consumerGroupAccessibleMono)
+          .expectNext(true)
+          .expectComplete()
+          .verify();
+    });
+  }
+
+  @Test
+  void isSchemaAccessible() {
+    withSecurityContext(() -> {
+      when(user.groups()).thenReturn(List.of(DEV_ROLE));
+      Mono<Boolean> consumerGroupAccessibleMono =
+          accessControlService.isSchemaAccessible(SCHEMA_NAME, PROD_CLUSTER);
+      StepVerifier.create(consumerGroupAccessibleMono)
+          .expectNext(true)
+          .expectComplete()
+          .verify();
+    });
+  }
+
+  @Test
+  void isConnectAccessible() {
+    withSecurityContext(() -> {
+      when(user.groups()).thenReturn(List.of(DEV_ROLE));
+      Mono<Boolean> consumerGroupAccessibleMono =
+          accessControlService.isConnectAccessible(CONNECT_NAME, PROD_CLUSTER);
+      StepVerifier.create(consumerGroupAccessibleMono)
+          .expectNext(true)
+          .expectComplete()
+          .verify();
+    });
+  }
+
+  @Test
+  void isConnectAccessibleDto() {
+    withSecurityContext(() -> {
+      when(user.groups()).thenReturn(List.of(DEV_ROLE));
+      ConnectDTO connectDto = ConnectDTO.builder()
+          .name(CONNECT_NAME)
+          .build();
+      Mono<Boolean> consumerGroupAccessibleMono =
+          accessControlService.isConnectAccessible(connectDto, PROD_CLUSTER);
+      StepVerifier.create(consumerGroupAccessibleMono)
+          .expectNext(true)
+          .expectComplete()
+          .verify();
+    });
+  }
+
+  @Test
+  void getRoles() {
+    List<Role> roles = accessControlService.getRoles();
+    assertThat(roles).isEmpty();
+  }
+
+}