feat: wildcard support

[jcosentino11]

Issue #, if available:

Description of changes:

Allow policy resources with wildcards, such as "mqtt:topic:my*". Matching is done via WildcardTrie.

Also refactored policy-related integration tests

Why is this change necessary:

How was this change tested:
Integration tests

Any additional information or context required to review the change:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[github-actions]

Unit Tests Coverage Report

File	Coverage	Lines	Branches
All files	73%	80%	66%	✅
com.aws.greengrass.clientdevices.auth.PermissionEvaluationUtils	79%	86%	71%	✅
com.aws.greengrass.clientdevices.auth.PermissionEvaluationUtils$Operation	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.PermissionEvaluationUtils$Resource	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.CertificateManager	80%	90%	69%	✅
com.aws.greengrass.clientdevices.auth.ClientDevicesAuthService	79%	90%	67%	✅
com.aws.greengrass.clientdevices.auth.DeviceAuthClient	74%	83%	64%	✅
com.aws.greengrass.clientdevices.auth.certificate.ClientCertificateGenerator	95%	90%	100%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateHelper$ProviderType	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateHelper	74%	92%	56%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateStore	72%	85%	60%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateExpiryMonitor	77%	87%	67%	✅
com.aws.greengrass.clientdevices.auth.certificate.ServerCertificateGenerator	93%	87%	100%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateGenerator	70%	90%	50%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateStore$CAType	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateExpiryMonitor$CertRotationDecider	90%	100%	80%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificatesConfig	100%	100%	100%	✅
com.aws.greengrass.clientdevices.auth.session.events.SessionCreationEvent$SessionCreationStatus	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.iot.usecases.VerifyIotCertificate	94%	88%	100%	✅
com.aws.greengrass.clientdevices.auth.iot.usecases.VerifyThingAttachedToCertificate	89%	91%	88%	✅
com.aws.greengrass.clientdevices.auth.iot.usecases.CreateIoTThingSession	88%	93%	83%	✅
com.aws.greengrass.clientdevices.auth.iot.usecases.VerifyCertificateValidityPeriod	88%	88%	0%	✅
com.aws.greengrass.clientdevices.auth.iot.usecases.VerifyThingAttachedToCertificate$Result$VerificationSource	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.certificate.infra.ClientCertificateStore	100%	100%	100%	✅
com.aws.greengrass.clientdevices.auth.certificate.infra.BackgroundCertificateRefresh	83%	85%	82%	✅
com.aws.greengrass.clientdevices.auth.iot.infra.ThingRegistry	92%	97%	88%	✅
com.aws.greengrass.clientdevices.auth.certificate.usecases.ConfigureManagedCertificateAuthority	85%	85%	0%	✅
com.aws.greengrass.clientdevices.auth.certificate.usecases.ConfigureCustomCertificateAuthority	83%	83%	0%	✅
com.aws.greengrass.clientdevices.auth.certificate.usecases.RegisterCertificateAuthorityUseCase	65%	81%	50%	✅
com.aws.greengrass.clientdevices.auth.configuration.MetricsConfiguration	83%	100%	67%	✅
com.aws.greengrass.clientdevices.auth.configuration.AuthorizationPolicyStatement$Effect	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.configuration.GroupManager	89%	94%	83%	✅
com.aws.greengrass.clientdevices.auth.configuration.ConfigurationFormatVersion	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.configuration.CAConfiguration	96%	100%	92%	✅
com.aws.greengrass.clientdevices.auth.configuration.RuntimeConfiguration	83%	96%	70%	✅
com.aws.greengrass.clientdevices.auth.configuration.SecurityConfiguration	80%	93%	67%	✅
com.aws.greengrass.clientdevices.auth.configuration.CDAConfiguration	100%	100%	100%	✅
com.aws.greengrass.clientdevices.auth.configuration.GroupDefinition	75%	100%	50%	✅
com.aws.greengrass.clientdevices.auth.configuration.ExpressionVisitor	84%	94%	75%	✅
com.aws.greengrass.clientdevices.auth.configuration.GroupConfiguration	90%	95%	86%	✅
com.aws.greengrass.clientdevices.auth.api.ServiceErrorEvent	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.api.ClientDevicesAuthServiceApi	90%	80%	100%	✅
com.aws.greengrass.clientdevices.auth.api.DomainEvents	100%	100%	100%	✅
com.aws.greengrass.clientdevices.auth.api.AuthorizeClientDeviceActionEvent$AuthorizationStatus	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.api.UseCases	71%	92%	50%	✅
com.aws.greengrass.clientdevices.auth.api.DomainEvent	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.api.GetCertificateRequestOptions$CertificateType	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.session.attribute.StringLiteralAttribute	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.session.attribute.WildcardSuffixAttribute	88%	100%	75%	✅
com.aws.greengrass.clientdevices.auth.certificate.events.CertificateSubscriptionEvent$SubscriptionStatus	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.certificate.events.CACertificateChainChanged	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.iot.Certificate$Status	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.iot.IotAuthClient$Default	56%	47%	64%	✅
com.aws.greengrass.clientdevices.auth.iot.Thing	87%	93%	82%	✅
com.aws.greengrass.clientdevices.auth.iot.Certificate	78%	89%	67%	✅
com.aws.greengrass.clientdevices.auth.iot.GreengrassV2DataClientFactory	18%	18%	0%	❌
com.aws.greengrass.clientdevices.auth.iot.CertificateRegistry	95%	90%	100%	✅
com.aws.greengrass.clientdevices.auth.iot.Component	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.iot.events.VerifyClientDeviceIdentityEvent$VerificationStatus	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.infra.NetworkStateProvider$Default$1	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.infra.NetworkStateProvider$ConnectionState	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.infra.NetworkStateProvider$Default	83%	97%	70%	✅
com.aws.greengrass.ipc.IPCUtils	83%	67%	100%	✅
com.aws.greengrass.ipc.VerifyClientDeviceIdentityOperationHandler	60%	69%	50%	✅
com.aws.greengrass.ipc.GetClientDeviceAuthTokenOperationHandler	86%	98%	75%	✅
com.aws.greengrass.ipc.AuthorizeClientDeviceActionOperationHandler	79%	92%	67%	✅
com.aws.greengrass.ipc.SubscribeToCertificateUpdatesOperationHandler	81%	88%	75%	✅
com.aws.greengrass.clientdevices.auth.session.SessionConfig	92%	100%	83%	✅
com.aws.greengrass.clientdevices.auth.session.SessionManager$1	100%	100%	100%	✅
com.aws.greengrass.clientdevices.auth.session.MqttSessionFactory	100%	100%	100%	✅
com.aws.greengrass.clientdevices.auth.session.SessionCreator	100%	100%	100%	✅
com.aws.greengrass.clientdevices.auth.session.SessionManager	88%	100%	75%	✅
com.aws.greengrass.clientdevices.auth.session.SessionImpl	100%	100%	100%	✅
com.aws.greengrass.clientdevices.auth.session.SessionCreator$SessionFactorySingleton	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.session.MqttSessionFactory$MqttCredential	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.certificate.handlers.CACertificateChainChangedHandler	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.certificate.handlers.CAConfigurationChangedHandler	93%	87%	100%	✅
com.aws.greengrass.clientdevices.auth.certificate.handlers.CertificateRotationHandler	96%	91%	100%	✅
com.aws.greengrass.clientdevices.auth.certificate.handlers.SecurityConfigurationChangedHandler	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.SessionCreationEventHandler	88%	100%	75%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.MetricsConfigurationChangedHandler	70%	90%	50%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.AuthorizeClientDeviceActionsMetricHandler	88%	100%	75%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.VerifyClientDeviceIdentityEventHandler	88%	100%	75%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.CertificateSubscriptionEventHandler	83%	100%	67%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.ServiceErrorEventHandler	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.iot.dto.CertificateV1DTO$Status	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.connectivity.usecases.GetConnectivityInformationUseCase	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.connectivity.usecases.RecordConnectivityChangesUseCase	100%	100%	100%	✅
com.aws.greengrass.clientdevices.auth.util.ResizableLinkedBlockingQueue	90%	80%	100%	✅
com.aws.greengrass.clientdevices.auth.util.ParseIPAddress	90%	95%	84%	✅
com.aws.greengrass.clientdevices.auth.metrics.ClientDeviceAuthMetrics	100%	100%	100%	✅
com.aws.greengrass.clientdevices.auth.metrics.MetricsEmitter	100%	100%	100%	✅
com.aws.greengrass.clientdevices.auth.connectivity.ConnectivityInfoCache	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.connectivity.CISShadowMonitor	68%	79%	57%	✅
com.aws.greengrass.clientdevices.auth.connectivity.RecordConnectivityChangesResponse	100%	100%	100%	✅
com.aws.greengrass.clientdevices.auth.connectivity.HostAddress	67%	67%	0%	✅
com.aws.greengrass.clientdevices.auth.connectivity.RecordConnectivityChangesRequest	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.connectivity.ConnectivityInformation	100%	100%	100%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.RuleExpressionConstants	100%	100%	0%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.TokenMgrError	22%	32%	12%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.RuleExpressionTokenManager	61%	65%	58%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.ASTStart	33%	33%	0%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.ASTAnd	67%	67%	0%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.Token	58%	58%	0%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.RuleExpressionDefaultVisitor	0%	0%	0%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.ASTOr	67%	67%	0%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.SimpleCharStream	28%	31%	25%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.RuleExpressionTreeConstants	0%	0%	0%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.JJTRuleExpressionState	67%	65%	70%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.ASTThing	67%	67%	0%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.RuleExpression	63%	63%	62%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.SimpleNode	27%	35%	19%	❌

Minimum allowed coverage is 50%

Generated by 🐒 cobertura-action against 8a8e202

[github-actions]

Code Coverage Report

File	Coverage
All files	74%	✅
com.aws.greengrass.clientdevices.auth.PermissionEvaluationUtils	90%	✅
com.aws.greengrass.clientdevices.auth.CertificateManager	88%	✅
com.aws.greengrass.clientdevices.auth.ClientDevicesAuthService	77%	✅
com.aws.greengrass.clientdevices.auth.DeviceAuthClient	73%	✅
com.aws.greengrass.clientdevices.auth.certificate.ClientCertificateGenerator	95%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateHelper	74%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateStore	72%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateExpiryMonitor	77%	✅
com.aws.greengrass.clientdevices.auth.certificate.ServerCertificateGenerator	93%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateGenerator	70%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateExpiryMonitor$CertRotationDecider	90%	✅
com.aws.greengrass.clientdevices.auth.iot.usecases.VerifyIotCertificate	94%	✅
com.aws.greengrass.clientdevices.auth.iot.usecases.VerifyThingAttachedToCertificate	89%	✅
com.aws.greengrass.clientdevices.auth.iot.usecases.CreateIoTThingSession	67%	✅
com.aws.greengrass.clientdevices.auth.iot.usecases.VerifyCertificateValidityPeriod	88%	✅
com.aws.greengrass.clientdevices.auth.certificate.infra.BackgroundCertificateRefresh	82%	✅
com.aws.greengrass.clientdevices.auth.iot.infra.ThingRegistry	92%	✅
com.aws.greengrass.clientdevices.auth.certificate.usecases.ConfigureManagedCertificateAuthority	85%	✅
com.aws.greengrass.clientdevices.auth.certificate.usecases.ConfigureCustomCertificateAuthority	83%	✅
com.aws.greengrass.clientdevices.auth.certificate.usecases.RegisterCertificateAuthorityUseCase	65%	✅
com.aws.greengrass.clientdevices.auth.configuration.MetricsConfiguration	83%	✅
com.aws.greengrass.clientdevices.auth.configuration.GroupManager	94%	✅
com.aws.greengrass.clientdevices.auth.configuration.CAConfiguration	96%	✅
com.aws.greengrass.clientdevices.auth.configuration.RuntimeConfiguration	83%	✅
com.aws.greengrass.clientdevices.auth.configuration.SecurityConfiguration	80%	✅
com.aws.greengrass.clientdevices.auth.configuration.GroupDefinition	75%	✅
com.aws.greengrass.clientdevices.auth.configuration.ExpressionVisitor	84%	✅
com.aws.greengrass.clientdevices.auth.configuration.GroupConfiguration	92%	✅
com.aws.greengrass.clientdevices.auth.api.ClientDevicesAuthServiceApi	85%	✅
com.aws.greengrass.clientdevices.auth.api.GetCertificateRequestWithGenerator	75%	✅
com.aws.greengrass.clientdevices.auth.api.UseCases	71%	✅
com.aws.greengrass.clientdevices.auth.session.attribute.WildcardSuffixAttribute	96%	✅
com.aws.greengrass.clientdevices.auth.iot.IotAuthClient$Default	56%	✅
com.aws.greengrass.clientdevices.auth.iot.Thing	85%	✅
com.aws.greengrass.clientdevices.auth.iot.Certificate	74%	✅
com.aws.greengrass.clientdevices.auth.iot.GreengrassV2DataClientFactory	18%	❌
com.aws.greengrass.clientdevices.auth.iot.CertificateRegistry	95%	✅
com.aws.greengrass.clientdevices.auth.infra.NetworkStateProvider$Default	83%	✅
com.aws.greengrass.ipc.IPCUtils	83%	✅
com.aws.greengrass.ipc.VerifyClientDeviceIdentityOperationHandler	60%	✅
com.aws.greengrass.ipc.GetClientDeviceAuthTokenOperationHandler	83%	✅
com.aws.greengrass.ipc.AuthorizeClientDeviceActionOperationHandler	79%	✅
com.aws.greengrass.ipc.SubscribeToCertificateUpdatesOperationHandler	81%	✅
com.aws.greengrass.clientdevices.auth.session.SessionConfig	92%	✅
com.aws.greengrass.clientdevices.auth.session.SessionManager	88%	✅
com.aws.greengrass.clientdevices.auth.certificate.handlers.CAConfigurationChangedHandler	93%	✅
com.aws.greengrass.clientdevices.auth.certificate.handlers.CertificateRotationHandler	96%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.SessionCreationEventHandler	88%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.MetricsConfigurationChangedHandler	70%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.AuthorizeClientDeviceActionsMetricHandler	88%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.VerifyClientDeviceIdentityEventHandler	88%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.CertificateSubscriptionEventHandler	83%	✅
com.aws.greengrass.clientdevices.auth.util.ResizableLinkedBlockingQueue	90%	✅
com.aws.greengrass.clientdevices.auth.util.ParseIPAddress	90%	✅
com.aws.greengrass.clientdevices.auth.connectivity.CISShadowMonitor$SucceedOnceOperation	88%	✅
com.aws.greengrass.clientdevices.auth.connectivity.CISShadowMonitor	79%	✅
com.aws.greengrass.clientdevices.auth.connectivity.CISShadowMonitor$ProcessCISShadowTask	76%	✅
com.aws.greengrass.clientdevices.auth.connectivity.CISShadowMonitor$CISShadowTaskQueue	88%	✅
com.aws.greengrass.clientdevices.auth.connectivity.HostAddress	67%	✅
com.aws.greengrass.clientdevices.auth.connectivity.CISShadowMonitor$CISShadowTaskExecutor	80%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.TokenMgrError	22%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.RuleExpressionTokenManager	61%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.ASTStart	33%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.ASTAnd	67%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.Token	58%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.RuleExpressionDefaultVisitor	0%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.ASTOr	67%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.SimpleCharStream	28%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.RuleExpressionTreeConstants	0%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.JJTRuleExpressionState	67%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.ASTThing	67%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.RuleExpression	63%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.SimpleNode	27%	❌

Minimum allowed coverage is 50%

Generated by 🐒 cobertura-action against 50fc7c1

[github-actions]

Benchmark Results

Benchmark	Score
com.aws.greengrass.clientdevices.auth.benchmark.AuthorizationBenchmarks.GIVEN_policy_with_thing_name_variable_WHEN_auth_request_THEN_successful_auth	1286219.87 ops/s
com.aws.greengrass.clientdevices.auth.benchmark.AuthorizationBenchmarks.GIVEN_policy_with_wildcards_WHEN_auth_request_THEN_successful_auth	208251.16 ops/s
com.aws.greengrass.clientdevices.auth.benchmark.AuthorizationBenchmarks.GIVEN_single_group_permission_WHEN_simple_auth_request_THEN_successful_auth	2458760.53 ops/s

[MikeDombo]

Can you do a profile and see if there's anything you can do about the performance? This is significantly slower than the non wildcard tests according to the benchmark.

[MikeDombo]

Does this change work with the policy variables too, can you mix both?

[jcosentino11]

Does this change work with the policy variables too, can you mix both?

yep there's an integ test for it. would like to add more coverage, but wanted to do some refactoring of existing unit tests first in separate change

[jcosentino11]

Can you do a profile and see if there's anything you can do about the performance? This is significantly slower than the non wildcard tests according to the benchmark.

noticed that trie is using a synchronized map, can explore if using non synchronized would have significant impact

[MikeDombo]

Can you do a profile and see if there's anything you can do about the performance? This is significantly slower than the non wildcard tests according to the benchmark.

noticed that trie is using a synchronized map, can explore if using non synchronized would have significant impact

Where do you see any synchronized? WildcardTrie uses a concurrent hashmap which is nearly lock free.

[jcosentino11]

Can you do a profile and see if there's anything you can do about the performance? This is significantly slower than the non wildcard tests according to the benchmark.

noticed that trie is using a synchronized map, can explore if using non synchronized would have significant impact

ah, intellij profile shows constructino of WildcardTrie is what's eating up the time, initializing children map

[jcosentino11]

Can you do a profile and see if there's anything you can do about the performance? This is significantly slower than the non wildcard tests according to the benchmark.

noticed that trie is using a synchronized map, can explore if using non synchronized would have significant impact

Where do you see any synchronized? WildcardTrie uses a concurrent hashmap which is nearly lock free.

saw concurrent and assumed locks 😓

[jcosentino11]

other hotspots include

• parseOperation() (which we already knew about because regex)
• groupManager.getApplicablePolicyPermissions()

[jcosentino11]

And marking down previous ops/s before comment gets overwritten: 174675