Skip to content

[RORDEV-1562] Separate ROR KBN authentication and authorization rules #1163

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 19 commits into from
Oct 11, 2025
Merged

[RORDEV-1562] Separate ROR KBN authentication and authorization rules #1163

merged 19 commits into from
Oct 11, 2025

Conversation

mgoworko
Copy link
Collaborator

@mgoworko mgoworko commented Sep 20, 2025
edited by coderabbitai bot
Loading

🚀Added separate ROR KBN authentication and authorization rules

Summary by CodeRabbit

  • New Features

    • Split combined KBN rule into separate authentication and authorization rules that compose; JWT handling centralized for KBN flows.

  • Refactor

    • Rule ordering, decoder selection, variable usage and local-user resolution updated to recognize the new rule types; group-matching logic unified and improved; impersonation-warning handling expanded.

  • Tests

    • Added extensive unit and integration tests covering decoding, YAML configs, JWT signatures, authn/authz flows and groups logic.

@mgoworko mgoworko marked this pull request as ready for review September 21, 2025 13:19
@coderabbitai coderabbitai

This comment was marked as outdated.

Sign in to view
coderabbitai[bot]

This comment was marked as resolved.

Sign in to view

coderabbitai[bot]

This comment was marked as resolved.

Sign in to view

coderabbitai[bot]

This comment was marked as resolved.

Sign in to view

@mgoworko mgoworko requested a review from coutoPL September 21, 2025 14:50
coutoPL
coutoPL requested changes Oct 3, 2025
View reviewed changes
coderabbitai[bot]

This comment was marked as resolved.

Sign in to view

coutoPL
coutoPL approved these changes Oct 5, 2025
View reviewed changes
Copy link
Collaborator

@coutoPL coutoPL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

coderabbitai[bot]

This comment was marked as outdated.

Sign in to view

coderabbitai[bot]

This comment was marked as outdated.

Sign in to view

mgoworko
mgoworko commented Oct 6, 2025
View reviewed changes
Copy link
Collaborator Author

@mgoworko mgoworko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Description of the changes after e2e tests:

@mgoworko mgoworko requested a review from coutoPL October 6, 2025 16:24
coderabbitai[bot]

This comment was marked as resolved.

Sign in to view

coderabbitai[bot]

This comment was marked as outdated.

Sign in to view

coutoPL
coutoPL requested changes Oct 9, 2025
View reviewed changes
...ain/scala/tech/beshu/ror/accesscontrol/factory/decoders/rules/auth/RorKbnRulesDecoders.scala Outdated
val rule = new RorKbnAuthorizationRule(settings)
Right(RuleDefinition.create[RorKbnAuthorizationRule](rule))
case (Some(_), None) =>
Left(RulesLevelCreationError(Message(s"Cannot create ${RorKbnAuthorizationRule.Name.name.show} - missing groups settings")))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe "missing groups logic"? And maybe it'd be good to add this link to the doc too?

https://github.com/beshu-tech/readonlyrest-docs/blob/master/details/authorization-rules-details.md#checking-groups-logic

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added this link in both places. Is it correct, that this section is not published on docs.readonlyrest.com ? (At least I couldn't find it)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably not. During adding the new rules descriptions, could you please check why?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On docs.readonlyrest.com the authorization-rules-details.md document is linked as redirection to Github repo blob, not a document exposed on the website. I'm not sure if it is correct, but the links are in this PR are done the same way, so it is consistent.

@mgoworko mgoworko requested a review from coutoPL October 10, 2025 18:45
coderabbitai[bot]

This comment was marked as outdated.

Sign in to view

coutoPL
coutoPL approved these changes Oct 10, 2025
View reviewed changes
Copy link
Collaborator

@coutoPL coutoPL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mgoworko mgoworko merged commit 6dbd71d into sscarduzio:develop Oct 11, 2025
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coutoPL coutoPL coutoPL approved these changes

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mgoworko @coutoPL