Prototype applying georchestra access rules

Note the patterns changed from Pattern to String
to use Ant patterns instead of Java regex.

Rule uri's should be updated accordingly.

src/main/java/org/georchestra/gateway/config/RoleBasedAccessRule.java

@@ -19,14 +19,13 @@
 package org.georchestra.gateway.config;
 
 import java.util.List;
-import java.util.regex.Pattern;
 
 import lombok.Data;
 
 @Data
 public class RoleBasedAccessRule {
 
-    private List<Pattern> interceptUrl;
+    private List<String> interceptUrl;
     private boolean anonymous;
     private List<String> allowedRoles;
 }

src/main/java/org/georchestra/gateway/security/GatewaySecurityAutoconfiguration.java

@@ -18,37 +18,69 @@
  */
 package org.georchestra.gateway.security;
 
+import java.util.List;
+
+import org.georchestra.gateway.config.GatewayConfigProperties;
+import org.georchestra.gateway.config.RoleBasedAccessRule;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.config.web.server.ServerHttpSecurity.AuthorizeExchangeSpec;
+import org.springframework.security.config.web.server.ServerHttpSecurity.AuthorizeExchangeSpec.Access;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
 @Configuration
 @EnableWebFluxSecurity
 public class GatewaySecurityAutoconfiguration {
 
-    private @Value("${ldap.enabled:false}") boolean ldapEnabled;
+	private @Value("${ldap.enabled:false}") boolean ldapEnabled;
+	private @Autowired GatewayConfigProperties config;
+
+	@Bean
+	SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
+		// disable csrf and cors or the websocket connection gets a 403 Forbidden.
+		// Revisit.
+		http.csrf().disable().cors().disable();
+
+		// enable oauth2 and http basic auth
+		http.oauth2Login();
+
+		if (ldapEnabled) {
+			http.httpBasic().and().formLogin();
+		}
+		// configure path matchers
+		applyAccessRules(http);
+//		http.authorizeExchange()//
+//				.pathMatchers("/", "/header/**").permitAll()//
+//				.pathMatchers("/ws/**").permitAll()//
+//				.pathMatchers("/**").authenticated();
 
-    @Bean
-    SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
-        // disable csrf and cors or the websocket connection gets a 403 Forbidden.
-        // Revisit.
-        http.csrf().disable().cors().disable();
+		return http.build();
+	}
 
-        // enable oauth2 and http basic auth
-        http.oauth2Login();
+	private ServerHttpSecurity applyAccessRules(ServerHttpSecurity http) {
+		AuthorizeExchangeSpec authorizeExchange = http.authorizeExchange();
 
-        if (ldapEnabled) {
-            http.httpBasic().and().formLogin();
-        }
-        // configure path matchers
-        http.authorizeExchange()//
-                .pathMatchers("/", "/header/**").permitAll()//
-                .pathMatchers("/ws/**").permitAll()//
-                .pathMatchers("/**").authenticated();
+		for (RoleBasedAccessRule rule : config.getGlobalAccessRules()) {
+			List<String> antPatterns = rule.getInterceptUrl();
+			boolean anonymous = rule.isAnonymous();
+			List<String> allowedRoles = rule.getAllowedRoles();
+			Access access = authorizeExchange.pathMatchers(antPatterns.toArray(String[]::new));
+			if (anonymous) {
+				log.info("Access rule: {} anonymous");
+				access.permitAll();
+			}else {
+				log.info("Access rule: {} has any role: {}", antPatterns, allowedRoles);
+				access.hasAnyAuthority(allowedRoles.toArray(String[]::new));
+			}
+		}
 
-        return http.build();
-    }
+		return http;
+	}
 }