feat: add thing attribute variable support

benchmark/src/main/java/com/aws/greengrass/clientdevices/auth/benchmark/AuthorizationBenchmarks.java

@@ -16,6 +16,7 @@
 import com.aws.greengrass.clientdevices.auth.exception.AuthorizationException;
 import com.aws.greengrass.clientdevices.auth.session.Session;
 import com.aws.greengrass.clientdevices.auth.session.SessionManager;
+import com.aws.greengrass.clientdevices.auth.session.attribute.Attribute;
 import com.aws.greengrass.clientdevices.auth.session.attribute.AttributeProvider;
 import com.aws.greengrass.clientdevices.auth.session.attribute.DeviceAttribute;
 import com.aws.greengrass.clientdevices.auth.session.attribute.StringLiteralAttribute;
@@ -173,19 +174,19 @@ private FakeSession(String thingName, boolean isComponent) {
         }
 
         @Override
-        public AttributeProvider getAttributeProvider(String attributeProviderNameSpace) {
+        public AttributeProvider getAttributeProvider(String namespace) {
             throw new UnsupportedOperationException();
         }
 
         @Override
-        public DeviceAttribute getSessionAttribute(String ns, String name) {
-            if ("Component".equalsIgnoreCase(ns) && name.equalsIgnoreCase("component")) {
+        public DeviceAttribute getSessionAttribute(Attribute attribute) {
+            if ("Component".equalsIgnoreCase(attribute.getNamespace()) && attribute.getName().equalsIgnoreCase("component")) {
                 return isComponent ? new StringLiteralAttribute("component") : null;
             }
-            if ("Thing".equalsIgnoreCase(ns) && name.equalsIgnoreCase("thingName")) {
+            if ("Thing".equalsIgnoreCase(attribute.getNamespace()) && attribute.getName().equalsIgnoreCase("thingName")) {
                    return new WildcardSuffixAttribute(thingName);
             }
-            throw new UnsupportedOperationException(String.format("Attribute %s.%s not supported", ns, name));
+            throw new UnsupportedOperationException(String.format("Attribute %s.%s not supported", attribute.getNamespace(), attribute.getName()));
         }
     }
 

src/main/java/com/aws/greengrass/clientdevices/auth/ClientDevicesAuthService.java

@@ -25,6 +25,7 @@
 import com.aws.greengrass.clientdevices.auth.connectivity.ConnectivityInfoCache;
 import com.aws.greengrass.clientdevices.auth.exception.PolicyException;
 import com.aws.greengrass.clientdevices.auth.infra.NetworkStateProvider;
+import com.aws.greengrass.clientdevices.auth.iot.ThingAttributesCache;
 import com.aws.greengrass.clientdevices.auth.metrics.MetricsEmitter;
 import com.aws.greengrass.clientdevices.auth.metrics.handlers.AuthorizeClientDeviceActionsMetricHandler;
 import com.aws.greengrass.clientdevices.auth.metrics.handlers.CertificateSubscriptionEventHandler;
@@ -130,6 +131,8 @@ private void initializeInfrastructure() {
         RuntimeConfiguration runtimeConfiguration = RuntimeConfiguration.from(getRuntimeConfig());
         context.put(RuntimeConfiguration.class, runtimeConfiguration);
         context.get(ConnectivityInfoCache.class).setRuntimeConfiguration(runtimeConfiguration);
+        ThingAttributesCache thingAttributesCache = context.get(ThingAttributesCache.class);
+        ThingAttributesCache.setInstance(thingAttributesCache);
         NetworkStateProvider networkState = context.get(NetworkStateProvider.class);
         networkState.registerHandler(context.get(CISShadowMonitor.class));
         networkState.registerHandler(context.get(BackgroundCertificateRefresh.class));
@@ -228,6 +231,7 @@ protected void startup() throws InterruptedException {
     @Override
     protected void shutdown() throws InterruptedException {
         super.shutdown();
+        context.get(ThingAttributesCache.class).stopPeriodicRefresh();
         context.get(CertificateManager.class).stopMonitors();
         context.get(BackgroundCertificateRefresh.class).stop();
         context.get(MetricsEmitter.class).stop();
@@ -278,6 +282,15 @@ private void updateDeviceGroups() {
             return;
         }
 
+        // periodically refresh device attributes from cloud, for usage in policy variables
+        if (groupConfiguration.isHasDeviceAttributeVariables()) {
+            logger.atTrace().log("enabling thing-attribute cache");
+            ThingAttributesCache.instance().ifPresent(ThingAttributesCache::startPeriodicRefresh);
+        } else {
+            logger.atTrace().log("disabling thing-attribute cache");
+            ThingAttributesCache.instance().ifPresent(ThingAttributesCache::stopPeriodicRefresh);
+        }
+
         context.get(GroupManager.class).setGroupConfiguration(groupConfiguration);
     }
 

src/main/java/com/aws/greengrass/clientdevices/auth/DeviceAuthClient.java

@@ -11,6 +11,7 @@
 import com.aws.greengrass.clientdevices.auth.iot.Component;
 import com.aws.greengrass.clientdevices.auth.session.Session;
 import com.aws.greengrass.clientdevices.auth.session.SessionManager;
+import com.aws.greengrass.clientdevices.auth.session.attribute.Attribute;
 import com.aws.greengrass.logging.api.Logger;
 import com.aws.greengrass.logging.impl.LogManager;
 import software.amazon.awssdk.utils.StringInputStream;
@@ -136,7 +137,7 @@ public boolean canDevicePerform(AuthorizationRequest request) throws Authorizati
         }
         // Allow all operations from internal components
         // Keep the workaround above (ALLOW_ALL_SESSION) for Moquette since it is using the older session management
-        if (session.getSessionAttribute(Component.NAMESPACE, "component") != null) {
+        if (session.getSessionAttribute(Attribute.COMPONENT) != null) {
             return true;
         }
 

src/main/java/com/aws/greengrass/clientdevices/auth/configuration/ExpressionVisitor.java

@@ -12,6 +12,7 @@
 import com.aws.greengrass.clientdevices.auth.configuration.parser.RuleExpressionVisitor;
 import com.aws.greengrass.clientdevices.auth.configuration.parser.SimpleNode;
 import com.aws.greengrass.clientdevices.auth.session.Session;
+import com.aws.greengrass.clientdevices.auth.session.attribute.Attribute;
 import com.aws.greengrass.clientdevices.auth.session.attribute.DeviceAttribute;
 
 public class ExpressionVisitor implements RuleExpressionVisitor {
@@ -51,7 +52,7 @@ public Object visit(ASTAnd node, Object data) {
     public Object visit(ASTThing node, Object data) {
         // TODO: Make ASTThing a generic node instead of hardcoding ThingName
         Session session = (Session) data;
-        DeviceAttribute attribute = session.getSessionAttribute("Thing", "ThingName");
+        DeviceAttribute attribute = session.getSessionAttribute(Attribute.THING_NAME);
         return attribute != null && attribute.matches((String) node.jjtGetValue());
     }
 }

src/main/java/com/aws/greengrass/clientdevices/auth/configuration/GroupConfiguration.java

@@ -12,6 +12,7 @@
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
 import lombok.Builder;
+import lombok.Getter;
 import lombok.Value;
 
 import java.util.Collections;
@@ -33,70 +34,95 @@ public class GroupConfiguration {
     Map<String, GroupDefinition> definitions;
     Map<String, Map<String, AuthorizationPolicyStatement>> policies;
     Map<String, Set<Permission>> groupToPermissionsMap;
+    boolean hasDeviceAttributeVariables;
 
     @Builder
     GroupConfiguration(ConfigurationFormatVersion formatVersion, Map<String, GroupDefinition> definitions,
                        Map<String, Map<String, AuthorizationPolicyStatement>> policies) {
         this.formatVersion = formatVersion == null ? ConfigurationFormatVersion.MAR_05_2021 : formatVersion;
         this.definitions = definitions == null ? Collections.emptyMap() : definitions;
         this.policies = policies == null ? Collections.emptyMap() : policies;
-        this.groupToPermissionsMap = constructGroupPermissions();
+        GroupPermissionConstructor constructor = new GroupPermissionConstructor(definitions, policies);
+        this.groupToPermissionsMap = constructor.getPermissions();
+        this.hasDeviceAttributeVariables = constructor.isHasDeviceAttributeVariables();
     }
 
     @JsonPOJOBuilder(withPrefix = "")
     public static class GroupConfigurationBuilder {
     }
 
-    private Map<String, Set<Permission>> constructGroupPermissions() {
-        return definitions.entrySet().stream().collect(Collectors.toMap(
-                Map.Entry::getKey,
-                entry -> constructGroupPermission(
-                        entry.getKey(),
-                        policies.getOrDefault(entry.getValue().getPolicyName(),
-                                Collections.emptyMap()))));
-    }
+    private static class GroupPermissionConstructor {
 
-    private Set<Permission> constructGroupPermission(String groupName,
-                                                     Map<String, AuthorizationPolicyStatement> policyStatementMap) {
-        Set<Permission> permissions = new HashSet<>();
-        for (Map.Entry<String, AuthorizationPolicyStatement> statementEntry : policyStatementMap.entrySet()) {
-            AuthorizationPolicyStatement statement = statementEntry.getValue();
-            // only accept 'ALLOW' effect for beta launch
-            // TODO add 'DENY' effect support
-            if (statement.getEffect() == AuthorizationPolicyStatement.Effect.ALLOW) {
-                permissions.addAll(convertPolicyStatementToPermission(groupName, statement));
-            }
+        private final Map<String, GroupDefinition> definitions;
+        private final Map<String, Map<String, AuthorizationPolicyStatement>> policies;
+
+        @Getter
+        private final Map<String, Set<Permission>> permissions;
+
+        @Getter
+        private boolean hasDeviceAttributeVariables;
+
+        private GroupPermissionConstructor(Map<String, GroupDefinition> definitions,
+                                           Map<String, Map<String, AuthorizationPolicyStatement>> policies) {
+            this.definitions = definitions;
+            this.policies = policies;
+            this.permissions = constructGroupPermissions();
+        }
+
+        private Map<String, Set<Permission>> constructGroupPermissions() {
+            return definitions.entrySet().stream().collect(Collectors.toMap(
+                    Map.Entry::getKey,
+                    entry -> constructGroupPermission(
+                            entry.getKey(),
+                            policies.getOrDefault(entry.getValue().getPolicyName(),
+                                    Collections.emptyMap()))));
         }
-        return permissions;
-    }
 
-    private Set<Permission> convertPolicyStatementToPermission(String groupName,
-                                                               AuthorizationPolicyStatement statement) {
-        Set<Permission> permissions = new HashSet<>();
-        for (String operation : statement.getOperations()) {
-            if (Utils.isEmpty(operation)) {
-                continue;
+        private Set<Permission> constructGroupPermission(String groupName,
+                                                         Map<String, AuthorizationPolicyStatement> policyStatementMap) {
+            Set<Permission> permissions = new HashSet<>();
+            for (Map.Entry<String, AuthorizationPolicyStatement> statementEntry : policyStatementMap.entrySet()) {
+                AuthorizationPolicyStatement statement = statementEntry.getValue();
+                // only accept 'ALLOW' effect for beta launch
+                // TODO add 'DENY' effect support
+                if (statement.getEffect() == AuthorizationPolicyStatement.Effect.ALLOW) {
+                    permissions.addAll(convertPolicyStatementToPermission(groupName, statement));
+                }
             }
-            for (String resource : statement.getResources()) {
-                if (Utils.isEmpty(resource)) {
+            return permissions;
+        }
+
+        private Set<Permission> convertPolicyStatementToPermission(String groupName,
+                                                                   AuthorizationPolicyStatement statement) {
+            Set<Permission> permissions = new HashSet<>();
+            for (String operation : statement.getOperations()) {
+                if (Utils.isEmpty(operation)) {
                     continue;
                 }
-                permissions.add(
-                        Permission.builder().principal(groupName).operation(operation).resource(resource)
-                                .resourcePolicyVariables(findPolicyVariables(resource)).build());
+                for (String resource : statement.getResources()) {
+                    if (Utils.isEmpty(resource)) {
+                        continue;
+                    }
+                    permissions.add(
+                            Permission.builder().principal(groupName).operation(operation).resource(resource)
+                                    .resourcePolicyVariables(findPolicyVariables(resource)).build());
+                }
             }
+            return permissions;
         }
-        return permissions;
-    }
 
-    private Set<String> findPolicyVariables(String resource) {
-        Matcher matcher = POLICY_VARIABLE_PATTERN.matcher(resource);
-        Set<String> policyVariables = new HashSet<>();
-        while (matcher.find()) {
-            String policyVariable = matcher.group(0);
-            policyVariables.add(policyVariable);
+        private Set<String> findPolicyVariables(String resource) {
+            Matcher matcher = POLICY_VARIABLE_PATTERN.matcher(resource);
+            Set<String> policyVariables = new HashSet<>();
+            while (matcher.find()) {
+                String policyVariable = matcher.group(0);
+                if (PolicyVariableResolver.isAttributePolicyVariable(policyVariable)) {
+                    hasDeviceAttributeVariables = true;
+                }
+                policyVariables.add(policyVariable);
+            }
+            return policyVariables;
         }
-        return policyVariables;
     }
 
     /**

src/main/java/com/aws/greengrass/clientdevices/auth/configuration/PolicyVariable.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package com.aws.greengrass.clientdevices.auth.configuration;
+
+import com.aws.greengrass.clientdevices.auth.session.attribute.Attribute;
+import lombok.Builder;
+import lombok.NonNull;
+import lombok.Value;
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.Objects;
+import java.util.Optional;
+
+@Builder
+@Value
+public class PolicyVariable {
+
+    private static final String THING_NAME_PATTERN = "${iot:Connection.Thing.ThingName}";
+    private static final String THING_NAMESPACE = "Thing";
+
+    private static final String THING_ATTRS_PREFIX = "${iot:Connection.Thing.Attributes[";
+    private static final String THING_ATTRS_SUFFIX = "]}";
+
+    String originalText;
+    boolean isThingAttribute;
+    Attribute attribute;
+    String selector; // the part within [ ]
+
+    public static Optional<PolicyVariable> parse(@NonNull String policyVariable) {
+        // thing name
+        if (Objects.equals(policyVariable, THING_NAME_PATTERN)) {
+            return Optional.of(PolicyVariable.builder()
+                    .originalText(policyVariable)
+                    .attribute(Attribute.THING_NAME)
+                    .build());
+        }
+
+        // thing attributes
+        if (policyVariable.startsWith(THING_ATTRS_PREFIX) && policyVariable.endsWith(THING_ATTRS_SUFFIX)) {
+            int attrStart = THING_ATTRS_PREFIX.length();
+            int attrEnd = policyVariable.length() - THING_ATTRS_SUFFIX.length();
+            if (attrStart <= attrEnd) {
+                String attr = policyVariable.substring(attrStart, attrEnd);
+                if (StringUtils.isAlphanumeric(attr)) {
+                    return Optional.of(PolicyVariable.builder()
+                            .originalText(policyVariable)
+                            .attribute(Attribute.THING_ATTRIBUTES)
+                            .selector(attr)
+                            .build());
+                }
+            }
+        }
+
+        // unsupported variable
+        return Optional.empty();
+    }
+}

src/main/java/com/aws/greengrass/clientdevices/auth/configuration/PolicyVariableResolver.java

@@ -8,20 +8,13 @@
 import com.aws.greengrass.clientdevices.auth.exception.PolicyException;
 import com.aws.greengrass.clientdevices.auth.session.Session;
 import com.aws.greengrass.util.Coerce;
-import com.aws.greengrass.util.Pair;
 import org.apache.commons.lang3.StringUtils;
-import software.amazon.awssdk.utils.ImmutableMap;
 
-import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 public final class PolicyVariableResolver {
-    private static final String THING_NAMESPACE = "Thing";
-    private static final String THING_NAME_ATTRIBUTE = "ThingName";
-
-    private static final Map<String, Pair<String,String>> policyVariableToAttributeProvider = ImmutableMap.of(
-            "${iot:Connection.Thing.ThingName}", new Pair<>(THING_NAMESPACE, THING_NAME_ATTRIBUTE)
-    );
 
     private PolicyVariableResolver() {
     }
@@ -32,8 +25,8 @@ private PolicyVariableResolver() {
      * This method does not handle unsupported policy variables.
      *
      * @param policyVariables list of policy variables in permission format
-     * @param format permission format to resolve
-     * @param session current device session
+     * @param format          permission format to resolve
+     * @param session         current device session
      * @return updated format
      * @throws PolicyException when unable to find a policy variable value
      */
@@ -43,23 +36,27 @@ public static String resolvePolicyVariables(Set<String> policyVariables, String
             return format;
         }
         String substitutedFormat = format;
-        for (String policyVariable : policyVariables) {
-            String attributeNamespace = policyVariableToAttributeProvider.get(policyVariable).getLeft();
-            String attributeName = policyVariableToAttributeProvider.get(policyVariable).getRight();
-            String policyVariableValue = Coerce.toString(session.getSessionAttribute(attributeNamespace,
-                    attributeName));
+        for (PolicyVariable policyVariable : policyVariables.stream()
+                .map(PolicyVariable::parse).map(v -> v.orElse(null))
+                .filter(Objects::nonNull)
+                .collect(Collectors.toList())) {
+            String policyVariableValue = Coerce.toString(session.getSessionAttribute(policyVariable.getAttribute()));
             if (policyVariableValue == null) {
                 throw new PolicyException(
                         String.format("No attribute found for policy variable %s in current session", policyVariable));
             } else {
                 // StringUtils.replace() is faster than String.replace() since it does not use regex
-                substitutedFormat = StringUtils.replace(substitutedFormat, policyVariable, policyVariableValue);
+                substitutedFormat = StringUtils.replace(substitutedFormat, policyVariable.getOriginalText(), policyVariableValue);
             }
         }
         return substitutedFormat;
     }
 
     public static boolean isPolicyVariable(String variable) {
-        return policyVariableToAttributeProvider.containsKey(variable);
+        return PolicyVariable.parse(variable).isPresent();
+    }
+
+    public static boolean isAttributePolicyVariable(String variable) {
+        return PolicyVariable.parse(variable).map(PolicyVariable::isThingAttribute).orElse(false);
     }
 }