feat: add policy variable support

src/main/java/com/aws/greengrass/clientdevices/auth/PermissionEvaluationUtils.java

@@ -7,6 +7,7 @@
 
 import com.aws.greengrass.clientdevices.auth.configuration.GroupManager;
 import com.aws.greengrass.clientdevices.auth.configuration.Permission;
+import com.aws.greengrass.clientdevices.auth.exception.AttributeProviderException;
 import com.aws.greengrass.clientdevices.auth.session.Session;
 import com.aws.greengrass.logging.api.Logger;
 import com.aws.greengrass.logging.impl.LogManager;
@@ -91,7 +92,7 @@ public boolean isAuthorized(AuthorizationRequest request, Session session) {
                 }
                 try {
                     return compareResource(rsc, e.getResource(session));
-                } catch (IllegalArgumentException er) {
+                } catch (AttributeProviderException er) {
                     logger.atError().setCause(er).log(er.getMessage());
                     return false;
                 }
@@ -115,7 +116,7 @@ private boolean comparePrincipal(String requestPrincipal, String policyPrincipal
     }
 
     private boolean compareOperation(Operation requestOperation, String policyOperation) {
-        if (requestOperation.toString().equals(policyOperation)) {
+        if (requestOperation.getOperationStr().equals(policyOperation)) {
             return true;
         }
         if (String.format(SERVICE_OPERATION_FORMAT, requestOperation.getService(), ANY_REGEX).equals(policyOperation)) {
@@ -125,7 +126,7 @@ private boolean compareOperation(Operation requestOperation, String policyOperat
     }
 
     private boolean compareResource(Resource requestResource, String policyResource) {
-        if (requestResource.toString().equals(policyResource)) {
+        if (requestResource.getResourceStr().equals(policyResource)) {
             return true;
         }
 
@@ -144,7 +145,8 @@ private Operation parseOperation(String operationStr) {
 
         Matcher matcher = SERVICE_OPERATION_PATTERN.matcher(operationStr);
         if (matcher.matches()) {
-            return Operation.builder().service(matcher.group(1)).action(matcher.group(2)).build();
+            return Operation.builder().operationStr(operationStr).service(matcher.group(1)).action(matcher.group(2))
+                    .build();
         }
         throw new IllegalArgumentException(String.format("Operation %s is not in the form of %s", operationStr,
                 SERVICE_OPERATION_PATTERN.pattern()));
@@ -157,7 +159,8 @@ private Resource parseResource(String resourceStr) {
 
         Matcher matcher = SERVICE_RESOURCE_PATTERN.matcher(resourceStr);
         if (matcher.matches()) {
-            return Resource.builder().service(matcher.group(1))
+            return Resource.builder().resourceStr(resourceStr)
+                    .service(matcher.group(1))
                     .resourceType(matcher.group(2))
                     .resourceName(matcher.group(3))
                     .build();
@@ -170,25 +173,17 @@ private Resource parseResource(String resourceStr) {
     @Value
     @Builder
     private static class Operation {
+        String operationStr;
         String service;
         String action;
-
-        @Override
-        public String toString() {
-            return String.format(SERVICE_OPERATION_FORMAT, service, action);
-        }
     }
 
     @Value
     @Builder
     private static class Resource {
+        String resourceStr;
         String service;
         String resourceType;
         String resourceName;
-
-        @Override
-        public String toString() {
-            return String.format(SERVICE_RESOURCE_FORMAT, service, resourceType, resourceName);
-        }
     }
 }

src/main/java/com/aws/greengrass/clientdevices/auth/configuration/GroupConfiguration.java

@@ -101,7 +101,7 @@ private Set<Permission> convertPolicyStatementToPermission(String groupName,
                 }
                 permissions.add(
                         Permission.builder().principal(groupName).operation(operation).resource(resource)
-                                .policyVariables(findPolicyVariables(resource)).build());
+                                .resourcePolicyVariables(findPolicyVariables(resource)).build());
             }
         }
         return permissions;

src/main/java/com/aws/greengrass/clientdevices/auth/configuration/Permission.java

@@ -5,11 +5,13 @@
 
 package com.aws.greengrass.clientdevices.auth.configuration;
 
+import com.aws.greengrass.clientdevices.auth.exception.AttributeProviderException;
 import com.aws.greengrass.clientdevices.auth.session.Session;
 import lombok.Builder;
 import lombok.NonNull;
 import lombok.Value;
 
+import java.util.Collections;
 import java.util.List;
 
 @Value
@@ -21,9 +23,10 @@ public class Permission {
 
     @NonNull String resource;
 
-    List<String> policyVariables;
+    @Builder.Default
+    List<String> resourcePolicyVariables = Collections.emptyList();
 
-    public String getResource(Session session) {
-        return PolicyVariableResolver.resolvePolicyVariables(policyVariables, resource, session);
+    public String getResource(Session session) throws AttributeProviderException {
+        return PolicyVariableResolver.resolvePolicyVariables(resourcePolicyVariables, resource, session);
     }
 }

src/main/java/com/aws/greengrass/clientdevices/auth/configuration/PolicyVariableResolver.java

@@ -5,57 +5,53 @@
 
 package com.aws.greengrass.clientdevices.auth.configuration;
 
+import com.aws.greengrass.clientdevices.auth.exception.AttributeProviderException;
 import com.aws.greengrass.clientdevices.auth.session.Session;
-import com.aws.greengrass.util.Coerce;
 import com.aws.greengrass.util.Pair;
 import org.apache.commons.lang3.StringUtils;
+import software.amazon.awssdk.utils.ImmutableMap;
 
-import java.util.Collections;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
 public final class PolicyVariableResolver {
-    private static final Map<String, Pair<String,String>> policyVariableMap;
     private static final String THING_NAMESPACE = "Thing";
     private static final String THING_NAME_ATTRIBUTE = "ThingName";
 
-    static {
-        Map<String, Pair<String,String>> map = new HashMap<>();
-
-        map.put("${iot:Connection.Thing.ThingName}",
-                new Pair<>(THING_NAMESPACE, THING_NAME_ATTRIBUTE));
-
-        policyVariableMap = Collections.unmodifiableMap(map);
-    }
+    private static final Map<String, Pair<String,String>> policyVariableToAttributeProvider = ImmutableMap.of(
+            "${iot:Connection.Thing.ThingName}", new Pair<>(THING_NAMESPACE, THING_NAME_ATTRIBUTE)
+    );
 
     private PolicyVariableResolver() {
     }
 
     /**
      * Utility method to replace policy variables in the resource with device attributes.
      *
-     * @param policyVariables list of policy variables in resource
-     * @param resource resource to resolve
+     * @param policyVariables list of policy variables in permission format
+     * @param format permission format to resolve
      * @param session current device session
      * @return updated resource
+     * @throws AttributeProviderException when unable to find a policy variable value
      */
-    public static String resolvePolicyVariables(List<String> policyVariables, String resource, Session session) {
-        if (policyVariables == null || policyVariables.isEmpty()) {
-            return resource;
+    public static String resolvePolicyVariables(List<String> policyVariables, String format, Session session)
+            throws AttributeProviderException {
+        if (policyVariables.isEmpty()) {
+            return format;
         }
-        String substitutedResource = resource;
+        String substitutedFormat = format;
         for (String policyVariable : policyVariables) {
-            String attributeNamespace = policyVariableMap.get(policyVariable).getLeft();
-            String attributeName = policyVariableMap.get(policyVariable).getRight();
-            String policyVariableValue = Coerce.toString(session.getSessionAttribute(attributeNamespace,
-                    attributeName));
+            String attributeNamespace = policyVariableToAttributeProvider.get(policyVariable).getLeft();
+            String attributeName = policyVariableToAttributeProvider.get(policyVariable).getRight();
+            String policyVariableValue = session.getSessionAttribute(attributeNamespace, attributeName).toString();
             if (policyVariableValue == null) {
-                throw new IllegalArgumentException("No attribute found for current session");
+                throw new AttributeProviderException(
+                        String.format("No attribute found for policy variable %s in current session", policyVariable));
             } else {
-                substitutedResource = StringUtils.replace(substitutedResource, policyVariable, policyVariableValue);
+                // StringUtils.replace() is faster than String.replace() since it does not use regex
+                substitutedFormat = StringUtils.replace(substitutedFormat, policyVariable, policyVariableValue);
             }
         }
-        return substitutedResource;
+        return substitutedFormat;
     }
 }

src/main/java/com/aws/greengrass/clientdevices/auth/exception/AttributeProviderException.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package com.aws.greengrass.clientdevices.auth.exception;
+
+public class AttributeProviderException extends Exception {
+    private static final long serialVersionUID = -1L;
+
+    public AttributeProviderException(String message) {
+        super(message);
+    }
+
+    public AttributeProviderException(Throwable e) {
+        super(e);
+    }
+
+    public AttributeProviderException(String message, Throwable e) {
+        super(message, e);
+    }
+}

src/main/java/com/aws/greengrass/clientdevices/auth/iot/Certificate.java

@@ -129,11 +129,8 @@ public String getNamespace() {
 
     @Override
     public DeviceAttribute getDeviceAttribute(String attributeName) {
-        if ("CertificateId".equals(attributeName)) {
-            return new StringLiteralAttribute(getCertificateId());
-        }
-        // TODO: Return other possible DeviceAttributes
-        return null;
+        // TODO: Support other DeviceAttributes
+        return new StringLiteralAttribute(getCertificateId());
     }
 
     /**

src/main/java/com/aws/greengrass/clientdevices/auth/iot/Thing.java

@@ -164,11 +164,8 @@ public String getNamespace() {
 
     @Override
     public DeviceAttribute getDeviceAttribute(String attributeName) {
-        if ("ThingName".equals(attributeName)) {
-            return new WildcardSuffixAttribute(thingName);
-        }
-        // TODO: Return other possible DeviceAttributes
-        return null;
+        // TODO: Support other DeviceAttributes
+        return new WildcardSuffixAttribute(thingName);
     }
 
     /**

src/test/java/com/aws/greengrass/clientdevices/auth/ClientDevicesAuthServiceTest.java

@@ -198,19 +198,19 @@ void GIVEN_valid_group_configuration_WHEN_start_service_THEN_instantiated_config
 
         Permission[] tempSensorPermissions =
                 {Permission.builder().principal("myTemperatureSensors").operation("mqtt" + ":connect")
-                        .resource("mqtt:clientId:foo").policyVariables(Collections.emptyList()).build(),
+                        .resource("mqtt:clientId:foo").build(),
                         Permission.builder().principal("myTemperatureSensors").operation("mqtt:publish")
-                                .resource("mqtt:topic:temperature").policyVariables(Collections.emptyList()).build(),
+                                .resource("mqtt:topic:temperature").build(),
                         Permission.builder().principal("myTemperatureSensors").operation("mqtt:publish")
-                                .resource("mqtt:topic:humidity").policyVariables(Collections.emptyList()).build()};
+                                .resource("mqtt:topic:humidity").build()};
         assertThat(permissionMap.get("myTemperatureSensors"), containsInAnyOrder(tempSensorPermissions));
         Permission[] humidSensorPermissions =
                 {Permission.builder().principal("myHumiditySensors").operation("mqtt:connect")
-                        .resource("mqtt:clientId:foo").policyVariables(Collections.emptyList()).build(),
+                        .resource("mqtt:clientId:foo").build(),
                         Permission.builder().principal("myHumiditySensors").operation("mqtt:publish")
-                                .resource("mqtt:topic:temperature").policyVariables(Collections.emptyList()).build(),
+                                .resource("mqtt:topic:temperature").build(),
                         Permission.builder().principal("myHumiditySensors").operation("mqtt:publish")
-                                .resource("mqtt:topic:humidity").policyVariables(Collections.emptyList()).build()};
+                                .resource("mqtt:topic:humidity").build()};
         assertThat(permissionMap.get("myHumiditySensors"), containsInAnyOrder(humidSensorPermissions));
     }
 

src/test/java/com/aws/greengrass/clientdevices/auth/DeviceAuthClientTest.java

@@ -111,7 +111,7 @@ void GIVEN_sessionHasPolicyVariablesPermission_WHEN_canDevicePerform_THEN_author
         when(groupManager.getApplicablePolicyPermissions(session)).thenReturn(Collections.singletonMap("group1",
                 Collections.singleton(Permission.builder().operation("mqtt:publish")
                                 .resource("mqtt:topic:${iot:Connection.Thing.ThingName}").principal("group1")
-                        .policyVariables(THING_NAME_POLICY_VARIABLE).build())));
+                        .resourcePolicyVariables(THING_NAME_POLICY_VARIABLE).build())));
 
         boolean authorized = authClient.canDevicePerform(constructPolicyVariableAuthorizationRequest(thingName));
 

src/test/java/com/aws/greengrass/clientdevices/auth/PermissionEvaluationUtilsTest.java

@@ -7,6 +7,7 @@
 
 import com.aws.greengrass.clientdevices.auth.configuration.GroupManager;
 import com.aws.greengrass.clientdevices.auth.configuration.Permission;
+import com.aws.greengrass.clientdevices.auth.exception.AttributeProviderException;
 import com.aws.greengrass.clientdevices.auth.iot.Certificate;
 import com.aws.greengrass.clientdevices.auth.iot.CertificateFake;
 import com.aws.greengrass.clientdevices.auth.iot.InvalidCertificateException;
@@ -56,18 +57,20 @@ void beforeEach() throws InvalidCertificateException {
     }
 
     @Test
-    void GIVEN_single_permission_with_policy_variable_WHEN_get_permission_resource_THEN_return_updated_permission_resource() {
+    void GIVEN_single_permission_with_policy_variable_WHEN_get_permission_resource_THEN_return_updated_permission_resource()
+            throws AttributeProviderException {
         Permission policyVariablePermission =
                 Permission.builder().principal("some-principal").operation("some-operation")
-                        .resource("/msg/${iot:Connection.Thing.ThingName}").policyVariables(THING_NAME_POLICY_VARIABLE).build();
+                        .resource("/msg/${iot:Connection.Thing.ThingName}").resourcePolicyVariables(THING_NAME_POLICY_VARIABLE).build();
 
         Permission permission = Permission.builder().principal("some-principal").operation("some-operation")
                 .resource("/msg/b").build();
         assertThat(policyVariablePermission.getResource(session).equals(permission.getResource()), is(true));
     }
 
     @Test
-    void GIVEN_single_permission_with_invalid_policy_variable_WHEN_get_permission_resource_THEN_return_updated_permission_resource() {
+    void GIVEN_single_permission_with_invalid_policy_variable_WHEN_get_permission_resource_THEN_return_updated_permission_resource()
+            throws AttributeProviderException {
         Permission policyVariablePermission =
                 Permission.builder().principal("some-principal").operation("some-operation")
                         .resource("/msg/${iot:Connection.Thing.ThingName/}").build();
@@ -80,7 +83,8 @@ void GIVEN_single_permission_with_invalid_policy_variable_WHEN_get_permission_re
     }
 
     @Test
-    void GIVEN_single_permission_with_nonexistent_policy_variable_WHEN_get_permission_resource_THEN_return_updated_permission_resource() {
+    void GIVEN_single_permission_with_nonexistent_policy_variable_WHEN_get_permission_resource_THEN_return_updated_permission_resource()
+            throws AttributeProviderException {
         Permission policyVariablePermission =
                 Permission.builder().principal("some-principal").operation("some-operation")
                         .resource("/msg/${iot:Connection.Thing.RealThing}").build();
@@ -93,11 +97,12 @@ void GIVEN_single_permission_with_nonexistent_policy_variable_WHEN_get_permissio
     }
 
     @Test
-    void GIVEN_single_permission_with_multiple_policy_variables_WHEN_get_permission_resource_THEN_return_updated_permission_resource() {
+    void GIVEN_single_permission_with_multiple_policy_variables_WHEN_get_permission_resource_THEN_return_updated_permission_resource()
+            throws AttributeProviderException {
         Permission policyVariablePermission =
                 Permission.builder().principal("some-principal").operation("some-operation")
                         .resource("/msg/${iot:Connection.Thing.ThingName}/${iot:Connection.Thing.ThingName}/src")
-                        .policyVariables(THING_NAME_POLICY_VARIABLE).build();
+                        .resourcePolicyVariables(THING_NAME_POLICY_VARIABLE).build();
 
         Permission permission = Permission.builder().principal("some-principal").operation("some-operation")
                 .resource("/msg/b/b/src").build();
@@ -107,11 +112,12 @@ void GIVEN_single_permission_with_multiple_policy_variables_WHEN_get_permission_
     }
 
     @Test
-    void GIVEN_single_permission_with_multiple_invalid_policy_variables_WHEN_get_permission_resource_THEN_return_updated_permission_resource() {
+    void GIVEN_single_permission_with_multiple_invalid_policy_variables_WHEN_get_permission_resource_THEN_return_updated_permission_resource()
+            throws AttributeProviderException {
         Permission policyVariablePermission =
                 Permission.builder().principal("some-principal").operation("some-operation")
                         .resource("/msg/${iot:Connection.Thing.ThingName}/${iot:Connection}.Thing.RealThing}/src")
-                        .policyVariables(THING_NAME_POLICY_VARIABLE).build();
+                        .resourcePolicyVariables(THING_NAME_POLICY_VARIABLE).build();
 
         Permission permission = Permission.builder().principal("some-principal").operation("some-operation")
                 .resource("/msg/b/b/src").build();
@@ -229,7 +235,7 @@ private Map<String, Set<Permission>> prepareGroupVariablePermissionsData() {
         Permission[] sensorPermission =
                 {Permission.builder().principal("sensor").operation("mqtt:publish").resource("mqtt:topic:a").build(),
                         Permission.builder().principal("sensor").operation("mqtt:*").resource("mqtt:topic:${iot:Connection.Thing.ThingName}")
-                                .policyVariables(THING_NAME_POLICY_VARIABLE).build(),
+                                .resourcePolicyVariables(THING_NAME_POLICY_VARIABLE).build(),
                         Permission.builder().principal("sensor").operation("mqtt:subscribe")
                                 .resource("mqtt:topic:device:${iot:Connection.FakeThing.ThingName}").build(),
                         Permission.builder().principal("sensor").operation("mqtt:connect").resource("*").build(),};