add sed-style groups (roles) transform

zvonand · zvonand · commit 2ac83f1740f4 · 2025-12-04T16:33:05.000+01:00
diff --git a/docs/en/operations/external-authenticators/tokens.md b/docs/en/operations/external-authenticators/tokens.md
@@ -237,6 +237,7 @@ All this implies that the SQL-driven [Access Control and Account Management](/do
             <roles_filter>
                 \bclickhouse-[a-zA-Z0-9]+\b
             </roles_filter>
+            <roles_transform>s/-/_/g</roles_transform>
         </token>
     </user_directories>
 </clickhouse>
@@ -251,3 +252,4 @@ For now, no more than one `token` section can be defined inside `user_directorie
 - `processor` — Name of one of processors defined in `token_processors` config section described above. This parameter is mandatory and cannot be empty.
 - `common_roles` — Section with a list of locally defined roles that will be assigned to each user retrieved from the IdP. Optional.
 - `roles_filter` — Regex string for groups filtering. Only groups matching this regex will be mapped to roles. Optional.
+- `roles_transform` — Sed-style transform pattern to apply to group names before mapping to roles. Format: `s/pattern/replacement/flags`. The `g` flag applies the replacement globally (all occurrences). Example: `s/-/_/g` converts `clickhouse-grp-dba` to `clickhouse_grp_dba`. Optional.
diff --git a/src/Access/TokenAccessStorage.cpp b/src/Access/TokenAccessStorage.cpp
@@ -18,6 +18,115 @@ namespace ErrorCodes
     extern const int BAD_ARGUMENTS;
 }
 
+namespace
+{
+    struct ParsedTransform
+    {
+        String pattern;
+        String replacement;
+        bool global;
+    };
+
+    /// Unescape a string segment
+    String unescapeSegment(const String & str, size_t start, size_t end)
+    {
+        String result;
+        result.reserve(end - start);
+        bool escaped = false;
+
+        for (size_t i = start; i < end; ++i)
+        {
+            if (escaped)
+            {
+                result += str[i];
+                escaped = false;
+            }
+            else if (str[i] == '\\')
+                escaped = true;
+            else
+                result += str[i];
+        }
+
+        return result;
+    }
+
+    /// Parse sed-style transform pattern: s/pattern/replacement/flags
+    ParsedTransform parseSedTransform(const String & transform)
+    {
+        if (transform.size() < 4 || transform[0] != 's' || transform[1] != '/')
+        {
+            throw Exception(ErrorCodes::BAD_ARGUMENTS, "Invalid roles_transform format. Expected sed-style pattern like 's/pattern/replacement/g'");
+        }
+
+        bool escaped = false;
+        size_t first_slash = 1;
+        size_t second_slash = String::npos;
+        size_t third_slash = String::npos;
+
+        // Find delimiters using simple state machine
+        for (size_t i = first_slash + 1; i < transform.size(); ++i)
+        {
+            if (escaped)
+            {
+                escaped = false;
+                continue;
+            }
+
+            if (transform[i] == '\\')
+            {
+                escaped = true;
+                continue;
+            }
+
+            if (transform[i] == '/')
+            {
+                if (second_slash == String::npos)
+                    second_slash = i;
+                else if (third_slash == String::npos)
+                    third_slash = i;
+                else
+                    throw Exception(ErrorCodes::BAD_ARGUMENTS, "Invalid roles_transform format. Too many unescaped slashes. Expected sed-style pattern like 's/pattern/replacement/g'");
+            }
+        }
+
+        if (second_slash == String::npos || third_slash == String::npos)
+            throw Exception(ErrorCodes::BAD_ARGUMENTS, "Invalid roles_transform format. Expected sed-style pattern like 's/pattern/replacement/g'");
+
+        ParsedTransform result;
+
+        result.pattern = unescapeSegment(transform, first_slash + 1, second_slash);
+
+        size_t replacement_end = (third_slash != String::npos) ? third_slash : transform.size();
+        result.replacement = unescapeSegment(transform, second_slash + 1, replacement_end);
+
+        String flags = transform.substr(third_slash + 1);
+        result.global = (flags.find('g') != String::npos);
+
+        return result;
+    }
+
+    String applyTransform(const String & input, const String & pattern, const String & replacement, bool global)
+    {
+        if (pattern.empty())
+            return input;
+
+        re2::RE2 re(pattern);
+        if (!re.ok())
+            return input;
+
+        String result = input;
+        if (global)
+        {
+            RE2::GlobalReplace(&result, re, replacement);
+        }
+        else
+        {
+            RE2::Replace(&result, re, replacement);
+        }
+        return result;
+    }
+}
+
 TokenAccessStorage::TokenAccessStorage(const String & storage_name_, AccessControl & access_control_, const Poco::Util::AbstractConfiguration & config_, const String & prefix_)
         : IAccessStorage(storage_name_), access_control(access_control_), config(config_), prefix(prefix_),
         memory_storage(storage_name_, access_control.getChangesNotifier(), false)
@@ -29,6 +138,15 @@ TokenAccessStorage::TokenAccessStorage(const String & storage_name_, AccessContr
     if (config.has(prefix_str + "roles_filter"))
         roles_filter.emplace(config.getString(prefix_str + "roles_filter"));
 
+    if (config.has(prefix_str + "roles_transform"))
+    {
+        String transform = config.getString(prefix_str + "roles_transform");
+        ParsedTransform parsed = parseSedTransform(transform);
+        roles_transform_pattern = parsed.pattern;
+        roles_transform_replacement = parsed.replacement;
+        roles_transform_global = parsed.global;
+    }
+
     provider_name = config.getString(prefix_str + "processor");
     if (provider_name.empty())
         throw Exception(ErrorCodes::BAD_ARGUMENTS, "'processor' must be specified for Token user directory");
@@ -374,15 +492,30 @@ std::optional<AuthResult> TokenAccessStorage::authenticateImpl(
         for (const auto & group: token_credentials.getGroups()) {
             if (RE2::FullMatch(group, roles_filter.value()))
             {
-                external_roles.insert(group);
-                LOG_TRACE(getLogger(), "{}: Granted role (group) {} to user", getStorageName(), user->getName());
+                String transformed_group = group;
+                if (roles_transform_pattern.has_value() && roles_transform_replacement.has_value())
+                {
+                    transformed_group = applyTransform(group, roles_transform_pattern.value(), roles_transform_replacement.value(), roles_transform_global);
+                    LOG_TRACE(getLogger(), "{}: Transformed group '{}' to '{}'", getStorageName(), group, transformed_group);
+                }
+                external_roles.insert(transformed_group);
+                LOG_TRACE(getLogger(), "{}: Granted role (group) {} to user", getStorageName(), transformed_group);
             }
         }
     }
     else
     {
         LOG_TRACE(getLogger(), "{}: No external role filtering set, applying all available groups", getStorageName());
-        external_roles = token_credentials.getGroups();
+        for (const auto & group: token_credentials.getGroups())
+        {
+            String transformed_group = group;
+            if (roles_transform_pattern.has_value() && roles_transform_replacement.has_value())
+            {
+                transformed_group = applyTransform(group, roles_transform_pattern.value(), roles_transform_replacement.value(), roles_transform_global);
+                LOG_TRACE(getLogger(), "{}: Transformed group '{}' to '{}'", getStorageName(), group, transformed_group);
+            }
+            external_roles.insert(transformed_group);
+        }
     }
 
     if (new_user)
diff --git a/src/Access/TokenAccessStorage.h b/src/Access/TokenAccessStorage.h
@@ -48,6 +48,9 @@ class TokenAccessStorage : public IAccessStorage
 
     String provider_name;
     std::optional<re2::RE2> roles_filter = std::nullopt;
+    std::optional<String> roles_transform_pattern = std::nullopt;
+    std::optional<String> roles_transform_replacement = std::nullopt;
+    bool roles_transform_global = false;
 
     std::set<String> common_role_names;                         // role name that should be granted to all users at all times
     mutable std::map<String, std::set<String>> user_external_roles;
