kroxylicious-authorizer: Add the Authorizer API (kroxylicious#2899)

* kroxylicious-authorizer: Add the Authorizer API

* This is a new interface intended for use as a service in Filters which do authorization.
* This API is intentionally quite abstract.
* It does not prescribe any particular type of access control. e.g. it could be implemented using ACLs or RBAC.
* The evaluation could be in-process, or perhaps externalised (think https://www.openpolicyagent.org/ or https://openfga.dev/).
* Nor does it prescribe what things are having access controlled.
* A future PR will add an implementation of this API in terms of access control lists described in file referenced from the filter configuration. However, this API is very intentionally not limited to that implementation.
* A another future PR will add such a Filter which implements authorization over the familiar Kafka entities (topics, consumer groups, etc), however this API is very intentionally not limited to that use case.

Signed-off-by: Tom Bentley <tbentley@redhat.com>

Author: tombentley

kroxylicious-authorizer-api/pom.xml

@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright Kroxylicious Authors.
+
+    Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>io.kroxylicious</groupId>
+        <artifactId>kroxylicious-parent</artifactId>
+        <version>0.18.0-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+
+    <artifactId>kroxylicious-authorizer-api</artifactId>
+    <name>Authorizer Plugin API</name>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.kroxylicious</groupId>
+            <artifactId>kroxylicious-annotations</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.github.spotbugs</groupId>
+            <artifactId>spotbugs-annotations</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.kroxylicious</groupId>
+            <artifactId>kroxylicious-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.assertj</groupId>
+            <artifactId>assertj-core</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>

kroxylicious-authorizer-api/src/main/java/io/kroxylicious/authorizer/service/Action.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.authorizer.service;
+
+import java.util.Objects;
+
+/**
+ * An action encapsulates an operation on a given resource identified by a name.
+ * @param operation The operation (and the resource type)
+ * @param resourceName The resource name
+ */
+public record Action(
+                     ResourceType<?> operation,
+                     String resourceName) {
+
+    public Action {
+        Objects.requireNonNull(operation);
+        Objects.requireNonNull(resourceName);
+    }
+
+    @SuppressWarnings({ "rawtypes", "unchecked", "java:S1452" })
+    public Class<? extends ResourceType<?>> resourceTypeClass() {
+        return (Class) operation.getClass();
+    }
+
+}

kroxylicious-authorizer-api/src/main/java/io/kroxylicious/authorizer/service/AuthorizeResult.java

@@ -0,0 +1,93 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.authorizer.service;
+
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+import io.kroxylicious.proxy.authentication.Subject;
+
+/**
+ * Represents the outcome of a call to {@link Authorizer#authorize(io.kroxylicious.proxy.authentication.Subject, List)}
+ * @param allowed The allowed actions.
+ * @param denied The denied actions.
+ */
+public record AuthorizeResult(
+                              Subject subject,
+                              List<Action> allowed,
+                              List<Action> denied) {
+
+    public AuthorizeResult {
+        Objects.requireNonNull(allowed);
+        Objects.requireNonNull(denied);
+    }
+
+    /**
+     * Returns a list of the names of all the resources which the {@link #subject()}
+     * is allowed to perform the given {@code operation} on.
+     * @param operation The operation.
+     * @return The names of the allowed resources.
+     */
+    public List<String> allowed(ResourceType<?> operation) {
+        return allowed().stream()
+                .filter(a -> a.operation().equals(operation))
+                .map(Action::resourceName)
+                .toList();
+    }
+
+    /**
+     * Returns a list of the names of all the resources which the {@link #subject()}
+     * is denied from performing the given {@code operation} on.
+     * @param operation The operation.
+     * @return The names of the denied resources.
+     */
+    public List<String> denied(ResourceType<?> operation) {
+        return denied().stream()
+                .filter(a -> a.operation().equals(operation))
+                .map(Action::resourceName)
+                .toList();
+    }
+
+    /**
+     * Returns the decision about whether the given {@link #subject()} is allowed to perform the given
+     * {@code operation} on the resource with the given {@code resourceName}.
+     * @param operation The operation that would be performed on the resource.
+     * @param resourceName The name of the resource that the operation would be performed on.
+     * @return The decision.
+     */
+    public Decision decision(ResourceType<?> operation, String resourceName) {
+        return allowed().stream()
+                .anyMatch(a -> a.operation().equals(operation)
+                        && a.resourceName().equals(resourceName)) ? Decision.ALLOW : Decision.DENY;
+    }
+
+    /**
+     * Partitions the given {@code items}, whose names can be obtained via the given {@code toName} function, into two lists
+     * based on whether the {@link #subject()} is allowed to perform the given {@code operation} on them.
+     * @param items The items to partition
+     * @param operation The operation
+     * @param toName A function that returns the name of each item.
+     * @return A pair of lists of the items which the subject is allowed to, or denied from, performing the operation on.
+     * It is guaranteed that there is always an entry for both {@code ALLOW} and {@code DENY} in the returned map.
+     * @param <T> The type of item.
+     */
+    public <T> Map<Decision, List<T>> partition(Collection<T> items, ResourceType<?> operation, Function<T, String> toName) {
+        HashMap<Decision, List<T>> byDecision = items.stream().collect(Collectors.groupingBy(
+                item -> decision(operation, toName.apply(item)),
+                HashMap::new,
+                Collectors.toList()));
+        byDecision.putIfAbsent(Decision.ALLOW, List.of());
+        byDecision.putIfAbsent(Decision.DENY, List.of());
+        return byDecision;
+    }
+
+}

kroxylicious-authorizer-api/src/main/java/io/kroxylicious/authorizer/service/Authorizer.java

@@ -0,0 +1,49 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.authorizer.service;
+
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.concurrent.CompletionStage;
+
+import io.kroxylicious.proxy.authentication.Subject;
+
+/**
+ * <p>Abstracts making an allow/deny decision about some {@link Subject} performing some {@link Action} on a resource.
+ * In other words, this is an access control policy decision point.</p>
+ *
+ * <p>{@code Authorizer} is a flexible abstraction, while it assumes that resources have names, it
+ * doesn't prescribe any specific kinds of resource or operations. Instead, resource kinds and the operations they support
+ * are represented as subclasses of {@link ResourceType}.</p>
+ */
+public interface Authorizer {
+
+    /**
+     * Determines whether the given {@code subject} is allowed to perform the given {@code actions}.
+     * The implementation must ensure that the returned authorization partitions all the given {@code actions}
+     * between {@link AuthorizeResult#allowed()} and {@link AuthorizeResult#denied()}.
+     * @param subject The subject.
+     * @param actions The actions.
+     * @return The outcome. The returned stage should fail with an {@link AuthorizerException} if the authorizer was not able to
+     * make a decision.
+     */
+    CompletionStage<AuthorizeResult> authorize(Subject subject, List<Action> actions);
+
+    /**
+     * <p>Returns the types of resource that this authorizer is able to make decisions about.
+     * If this is not known to the implementation it should return empty.</p>
+     *
+     * <p>This is provided so that an access control policy enforcement point can confirm that it
+     * is capable of providing access control to all the resource types in the access control policy
+     * backing this authorizer.</p>
+     *
+     * @return the types of resource that this authorizer is able to make decisions about.
+     */
+    Optional<Set<Class<? extends ResourceType<?>>>> supportedResourceTypes();
+
+}

kroxylicious-authorizer-api/src/main/java/io/kroxylicious/authorizer/service/AuthorizerException.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.authorizer.service;
+
+/**
+ * An exception to be thrown if an {@link Authorizer} cannot be built, or is not able to make a decision.
+ */
+public class AuthorizerException extends RuntimeException {
+    public AuthorizerException(String message) {
+        super(message);
+    }
+
+    public AuthorizerException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

kroxylicious-authorizer-api/src/main/java/io/kroxylicious/authorizer/service/AuthorizerService.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.authorizer.service;
+
+import javax.annotation.concurrent.ThreadSafe;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.UnknownNullness;
+
+/**
+ * Service interface for {@link Authorizer Authorizers}.
+ * @param <C> The config type
+ */
+@ThreadSafe
+public interface AuthorizerService<C> {
+
+    /**
+     * Initialises the service.  This method must be invoked exactly once
+     * before {@link #build()} is called.
+     *
+     * @param config Service configuration
+     * @throws AuthorizerException If the service could not be initialized
+     */
+    void initialize(@UnknownNullness C config);
+
+    /**
+     * Builds an Authorizer service.
+     * {@link #initialize(C)} must have been called before this method is invoked.
+     *
+     * @return the authorizer
+     * @throws IllegalStateException if the service has not been initialised or the service is closed.
+     * @throws AuthorizerException If the authorizer could not be built
+     */
+    @NonNull
+    Authorizer build() throws IllegalStateException;
+
+    /**
+     * Closes the service. Once the service is closed, the building of new instances or the
+     * continued use of previously built instances is not allowed. The effect using an instance
+     * after the service that created it is closed is undefined.
+     * <br/>
+     * Implementations of this method must be idempotent.
+     * <br/>
+     * Close implementations must tolerate the closing of service that has not been initialized or
+     * one for which initialization did not fully complete without further exception.
+     */
+    default void close() {
+    }
+}

kroxylicious-authorizer-api/src/main/java/io/kroxylicious/authorizer/service/Decision.java

@@ -0,0 +1,23 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.authorizer.service;
+
+/**
+ * An authorization decision about whether a particular subject is allowed to perform a
+ * specific operation on a particular resource.
+ */
+public enum Decision {
+    /**
+     * The subject is allowed to perform the operation on the resource.
+     */
+    ALLOW,
+
+    /**
+     * The subject is not allowed to perform the operation on the resource.
+     */
+    DENY;
+}

kroxylicious-authorizer-api/src/main/java/io/kroxylicious/authorizer/service/ResourceType.java

@@ -0,0 +1,34 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.authorizer.service;
+
+import java.util.Set;
+
+/**
+ * A {@code ResourceType} is an {@code enum} of the possible operations on a resource of a particular type.
+ * We use a one-enum-per-resource-type pattern so that the {@link Class} an implementation also
+ * serves to identify the resource type.
+ * For this reason, implementations of this interface should be named for the type of resource
+ * (for example {@code Topic}, or {@code ConsumerGroup}) rather than the operations
+ * enumerated (so not {@code TopicOperations} or {@code ConsumerGroupOperations}).
+ * @param <S> The self type.
+ */
+public interface ResourceType<S extends Enum<S> & ResourceType<S>> {
+
+    default Set<S> implies() {
+        // TODO This is actually really tricky to model in a way that works for different Authorizer implementations
+        // Allowing operations to express implication makes in-process authorization evaluations easier
+        // because we can just call the method (either before or after querying internal data structures).
+        // But it means an operation is more than just its name.
+        // Which makes like harder for Authz-as-a-Service because either:
+        // 1. they need to model the implication, in their backend representation of the rules
+        // 2. Or else their Java client needs to use the implication to expand the set of actions being queried
+        // prior to calling the service.
+        // Either choice ends up coupling the Authz-as-a-Service Authorizer to particular Operation implementations
+        return Set.of();
+    }
+}

kroxylicious-authorizer-api/src/main/java/io/kroxylicious/authorizer/service/package-info.java

@@ -0,0 +1,18 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+/**
+ * Provides an abstract API for authorizing subjects to perform actions.
+ */
+@ReturnValuesAreNonnullByDefault
+@DefaultAnnotationForParameters(NonNull.class)
+@DefaultAnnotation(NonNull.class)
+package io.kroxylicious.authorizer.service;
+
+import edu.umd.cs.findbugs.annotations.DefaultAnnotation;
+import edu.umd.cs.findbugs.annotations.DefaultAnnotationForParameters;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.ReturnValuesAreNonnullByDefault;