Fix missing RBAC cluster check

Haarolean · Haarolean · commit f4459a7c06bb · 2024-04-30T16:40:27.000+04:00
diff --git a/api/src/main/java/io/kafbat/ui/service/rbac/AccessControlService.java b/api/src/main/java/io/kafbat/ui/service/rbac/AccessControlService.java
@@ -27,6 +27,7 @@
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import javax.annotation.Nullable;
+import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.collections.CollectionUtils;
@@ -54,7 +55,9 @@ public class AccessControlService {
   private final RoleBasedAccessControlProperties properties;
   private final Environment environment;
 
+  @Getter
   private boolean rbacEnabled = false;
+  @Getter
   private Set<ProviderAuthorityExtractor> oauthExtractors = Collections.emptySet();
 
   @PostConstruct
@@ -107,12 +110,14 @@ private boolean isAccessible(AuthenticatedUser user, AccessContext context) {
     if (context.cluster() != null && !isClusterAccessible(context.cluster(), user)) {
       return false;
     }
-    return context.isAccessible(getUserPermissions(user));
+    return context.isAccessible(getUserPermissions(user, context.cluster()));
   }
 
-  private List<Permission> getUserPermissions(AuthenticatedUser user) {
-    return properties.getRoles().stream()
+  private List<Permission> getUserPermissions(AuthenticatedUser user, String clusterName) {
+    return properties.getRoles()
+        .stream()
         .filter(filterRole(user))
+        .filter(role -> role.getClusters().stream().anyMatch(clusterName::equalsIgnoreCase))
         .flatMap(role -> role.getPermissions().stream())
         .toList();
   }
@@ -188,10 +193,6 @@ public Mono<Boolean> isConnectAccessible(String connectName, String clusterName)
     );
   }
 
-  public Set<ProviderAuthorityExtractor> getOauthExtractors() {
-    return oauthExtractors;
-  }
-
   public List<Role> getRoles() {
     if (!rbacEnabled) {
       return Collections.emptyList();
@@ -203,7 +204,4 @@ private Predicate<Role> filterRole(AuthenticatedUser user) {
     return role -> user.groups().contains(role.getName());
   }
 
-  public boolean isRbacEnabled() {
-    return rbacEnabled;
-  }
 }
