Require Any Roles

- adding the inclusion of a 'require-any-role' on the resource to waive the default operation and permit as only as one of the roles is present

CHANGELOG.md

 
+#### **2.2.3 (Unreleased)**
+
+FEATURES:
+* Added the ability to use a "any" operation on the roles rather then just "and" with the inclusion of a `require-any-role` [#PR387](https://github.com/gambol99/keycloak-proxy/pull/387)
+
 #### **2.2.2**
 
 FEATURES:

middleware.go

@@ -289,7 +289,7 @@ func (r *oauthProxy) admissionMiddleware(resource *Resource) func(http.Handler)
 			user := scope.Identity
 
 			// @step: we need to check the roles
-			if !hasAccess(resource.Roles, user.roles, true) {
+			if !hasAccess(resource.Roles, user.roles, !resource.RequireAnyRole) {
 				r.log.Warn("access denied, invalid roles",
 					zap.String("access", "denied"),
 					zap.String("email", user.email),

middleware_test.go

@@ -577,6 +577,38 @@ func TestWhiteListedRequests(t *testing.T) {
 	newFakeProxy(cfg).RunTests(t, requests)
 }
 
+func TestRequireAnyRoles(t *testing.T) {
+	cfg := newFakeKeycloakConfig()
+	cfg.Resources = []*Resource{
+		{
+			URL:            "/require_any_role/*",
+			Methods:        allHTTPMethods,
+			RequireAnyRole: true,
+			Roles:          []string{"admin", "guest"},
+		},
+	}
+	requests := []fakeRequest{
+		{
+			URI:          "/require_any_role/test",
+			ExpectedCode: http.StatusUnauthorized,
+		},
+		{
+			URI:           "/require_any_role/test",
+			HasToken:      true,
+			Roles:         []string{"guest"},
+			ExpectedCode:  http.StatusOK,
+			ExpectedProxy: true,
+		},
+		{
+			URI:          "/require_any_role/test",
+			HasToken:     true,
+			Roles:        []string{"guest1"},
+			ExpectedCode: http.StatusForbidden,
+		},
+	}
+	newFakeProxy(cfg).RunTests(t, requests)
+}
+
 func TestGroupPermissionsMiddleware(t *testing.T) {
 	cfg := newFakeKeycloakConfig()
 	cfg.Resources = []*Resource{