extend system allowed role support to have wildcards and multiple values

[havetisyan]

Description

Contribution Checklist:

• The pull request does not introduce any breaking changes
• I have read the contribution guidelines.
• Create an issue and link to the pull request.

Attach Screenshots (Optional)

[gemini-code-assist]

Summary of Changes

Hello @havetisyan, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly upgrades the system's capability to manage "system-allowed" roles within the OAuth token scope. Previously limited to a single, exact role, the system can now recognize multiple such roles and interpret wildcard patterns in their definitions. This enhancement provides greater flexibility in configuring access control, allowing administrators to define broader categories of roles that bypass certain domain limits, thereby streamlining the management of privileged access.

Highlights

• Multiple System-Allowed Roles: The system now supports defining multiple roles as "system-allowed" instead of being limited to a single one.
• Wildcard Support for Roles: System-allowed roles can now include wildcard characters (''), enabling more flexible pattern matching (e.g., 'domain:role.' or '*:role.admin').
• New 'isSystemAllowedRoles' Method: A dedicated utility method was introduced to handle the logic for checking if a given role matches any of the configured system-allowed roles, incorporating both exact and wildcard matching.
• Enhanced Test Coverage: Comprehensive unit tests have been added to validate the new wildcard and multiple role functionalities, covering various edge cases and patterns.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request extends the system allowed role support to handle multiple values and wildcards. The changes are mostly in OAuthTokenScope.java to switch from a single string to a set for allowed roles and to implement wildcard matching. The new functionality is well-tested with new unit tests in OAuthTokenScopeTest.java and an integration test in ZTSImplTest.java.

My main feedback is on the implementation of the wildcard-to-regex conversion in isSystemAllowedRoles. The current approach is susceptible to bugs if role names contain regex metacharacters (like '.'), potentially leading to overly permissive matching. I've suggested a more robust implementation to address this security concern. Otherwise, the changes look good and align with the PR's objective.