Change workflow condition grammar to accept the token 'not' as the negation operator instead of '!'

Closes #44880

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

model/jpa/src/main/antlr4/org/keycloak/models/workflow/conditions/expression/BooleanConditionLexer.g4

@@ -1,9 +1,13 @@
 lexer grammar BooleanConditionLexer;
 
 // --- DEFAULT_MODE (mode 0) ---
-OR  : 'OR';
-AND : 'AND';
-NOT : '!';
+
+// CASE-INSENSITIVE OPERATORS
+// We use character sets like [oO] to match both cases.
+
+OR  : [oO] [rR];             // Matches: or, OR, Or, oR
+AND : [aA] [nN] [dD];        // Matches: and, AND, And, ...
+NOT : [nN] [oO] [tT];        // Matches: not, NOT, Not, ...
 
 Identifier : [\p{L}_][\p{L}0-9_/-]*;
 

model/jpa/src/main/antlr4/org/keycloak/models/workflow/conditions/expression/BooleanConditionParser.g4

@@ -9,7 +9,7 @@ expression : expression OR andExpression | andExpression;
 
 andExpression : andExpression AND notExpression | notExpression;
 
-notExpression : '!' notExpression | atom;
+notExpression : NOT notExpression | atom;
 
 atom : LPAREN expression RPAREN // For grouping: (A OR B)
      | conditionCall

tests/base/src/test/java/org/keycloak/tests/workflow/ExpressionConditionWorkflowTest.java

@@ -61,7 +61,7 @@ public class ExpressionConditionWorkflowTest extends AbstractWorkflowTest {
 
         // we want to match members of engineering group OR users with admin role, but not those who are members of contractors group OR have attribute status=inactive
         // so only user bwayne should match this condition
-        String expression = "(is-member-of(engineering) OR has-role(admin)) AND !(is-member-of(contractors) OR has-user-attribute(status:inactive))";
+        String expression = "(is-member-of(engineering) or has-role(admin)) and not(is-member-of(contractors) or has-user-attribute(status:inactive))";
         String workflowId = createWorkflow(expression);
 
         checkWorkflowRunsForUser("bwayne", true); // matches all criteria
@@ -91,7 +91,7 @@ public class ExpressionConditionWorkflowTest extends AbstractWorkflowTest {
         managedRealm.admin().workflows().workflow(workflowId).delete().close();
 
         // now we want to match users who are not testers and also are not managers
-        expression = "!has-role(tester) AND !has-user-attribute(title:manager)";
+        expression = "Not has-role(tester) And Not has-user-attribute(title:manager)";
         workflowId = createWorkflow(expression);
 
         checkWorkflowRunsForUser("bwayne", false); // is a manager
@@ -101,7 +101,7 @@ public class ExpressionConditionWorkflowTest extends AbstractWorkflowTest {
         managedRealm.admin().workflows().workflow(workflowId).delete().close();
 
         // same thing but using the OR condition with negation - results should be equivalent
-        expression = "!(has-role(tester) OR has-user-attribute(title:manager))";
+        expression = "NOT(has-role(tester) OR has-user-attribute(title:manager))";
         workflowId = createWorkflow(expression);
 
         checkWorkflowRunsForUser("bwayne", false);
@@ -111,7 +111,7 @@ public class ExpressionConditionWorkflowTest extends AbstractWorkflowTest {
         managedRealm.admin().workflows().workflow(workflowId).delete().close();
 
         // a malformed expression should cause the condition to evaluate to false and the workflow should not be created
-        expression = ")(has-role(tester) AND OR has-user-attribute(key, value1,value2)";
+        expression = ")(has-role(tester) and or has-user-attribute(key, value1,value2)";
         workflowId = createWorkflow(expression, false);
         assertThat(workflowId, nullValue());
     }