From aa6107979f7dccd3a5f9cc48c43e6a1dd189b691 Mon Sep 17 00:00:00 2001
From: thcai
Date: Wed, 8 Jan 2025 10:57:12 +0100
Subject: [PATCH] Use role for groupBy classifier
---
 .../security/ResourceBasedSecurityRule.java | 2 +-
 .../auth/AuthenticationRoleBinding.java | 2 --
 .../security/auth/AuthenticationService.java | 17 +++++++----------
 3 files changed, 8 insertions(+), 13 deletions(-)
diff --git a/src/main/java/com/michelin/ns4kafka/security/ResourceBasedSecurityRule.java b/src/main/java/com/michelin/ns4kafka/security/ResourceBasedSecurityRule.java
index d749bdfa..794d9135 100644
--- a/src/main/java/com/michelin/ns4kafka/security/ResourceBasedSecurityRule.java
+++ b/src/main/java/com/michelin/ns4kafka/security/ResourceBasedSecurityRule.java
@@ -107,7 +107,7 @@ public SecurityRuleResult checkSecurity(HttpRequest request, @Nullable Authen
 AuthenticationInfo authenticationInfo = AuthenticationInfo.of(authentication);
- // No role binding for the target namespace. User is targeting a namespace that he is not allowed to access
+ // No role binding for the target namespace: the user is not allowed to access the target namespace
 List namespaceRoleBindings = authenticationInfo.getRoleBindings()
 .stream()
 .filter(roleBinding -> roleBinding.getNamespaces()
diff --git a/src/main/java/com/michelin/ns4kafka/security/auth/AuthenticationRoleBinding.java b/src/main/java/com/michelin/ns4kafka/security/auth/AuthenticationRoleBinding.java
index 4aaf4f27..7fc19b93 100644
--- a/src/main/java/com/michelin/ns4kafka/security/auth/AuthenticationRoleBinding.java
+++ b/src/main/java/com/michelin/ns4kafka/security/auth/AuthenticationRoleBinding.java
@@ -18,6 +18,4 @@ public class AuthenticationRoleBinding {
 private List namespaces;
 private List verbs;
 private List resourceTypes;
-
- record VerbResourceTypes(List verbs, List resourceTypes) {}
 }
diff --git a/src/main/java/com/michelin/ns4kafka/security/auth/AuthenticationService.java b/src/main/java/com/michelin/ns4kafka/security/auth/AuthenticationService.java
index 849c659a..2ab48662 100644
--- a/src/main/java/com/michelin/ns4kafka/security/auth/AuthenticationService.java
+++ b/src/main/java/com/michelin/ns4kafka/security/auth/AuthenticationService.java
@@ -50,21 +50,18 @@ public AuthenticationResponse buildAuthJwtGroups(String username, List g
 return AuthenticationResponse.success(username, resourceBasedSecurityRule.computeRolesFromGroups(groups), Map.of(ROLE_BINDINGS, roleBindings
 .stream()
- // group the namespaces by verbs + resourceTypes in a mapping
- .collect(Collectors.groupingBy(roleBinding ->
- new AuthenticationRoleBinding.VerbResourceTypes(
- new ArrayList<>(roleBinding.getSpec().getRole().getVerbs()),
- new ArrayList<>(roleBinding.getSpec().getRole().getResourceTypes())
- ),
- Collectors.mapping(rb -> rb.getMetadata().getNamespace(), Collectors.toList())
+ // group the namespaces by roles in a mapping
+ .collect(Collectors.groupingBy(
+ roleBinding -> roleBinding.getSpec().getRole(),
+ Collectors.mapping(roleBinding -> roleBinding.getMetadata().getNamespace(), Collectors.toList())
 ))
- // build JWT with a list of namespaces for each combination of verbs + resourceTypes
+ // build JWT with a list of namespaces for each different role
 .entrySet()
 .stream()
 .map(entry -> AuthenticationRoleBinding.builder()
 .namespaces(entry.getValue())
- .verbs(entry.getKey().verbs())
- .resourceTypes(entry.getKey().resourceTypes())
+ .verbs(new ArrayList<>(entry.getKey().getVerbs()))
+ .resourceTypes(new ArrayList<>(entry.getKey().getResourceTypes()))
 .build())
 .toList()));
 }
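Review bot: The `groupingBy` key is now the `Role` object itself, so which namespaces end up sharing one `verbs`/`resourceTypes` entry in the JWT claim depends entirely on `Role.equals()`/`hashCode()`, which this patch does not show. The removed key copied both collections into `ArrayList` before comparing; if `Role` holds them as another collection type, or compares more or fewer fields than verbs and resource types, bindings may be grouped differently than before. Since these role-binding claims appear to be what `ResourceBasedSecurityRule.checkSecurity` filters by namespace when authorizing a request, I would state the assumption next to the key, e.g. `// relies on Role's value-based equals/hashCode over verbs and resourceTypes`, and pin it with a test asserting that two bindings with different verbs never land in the same entry. The body of `buildAuthJwtGroups` starts above the hunk.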