refactor: policy validation on config change

[jcosentino11]

Issue #, if available:

Description of changes:

Add an explicit GroupConfiguration#validate method, which is used to validate incoming policy config changes before applying them to CDA.

Making this change as the foundation for adding more validations in the future (for policy variable feature).

Why is this change necessary:

How was this change tested:

Any additional information or context required to review the change:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[MikeDombo]

We identified new issues on unchanged lines of code. Navigate to the Amazon CodeGuru Reviewer console to view the recommendations to fix them.

[github-actions]

Benchmark Results

Benchmark	Score
com.aws.greengrass.clientdevices.auth.benchmark.AuthorizationBenchmarks.GIVEN_policy_with_thing_name_variable_WHEN_auth_request_THEN_successful_auth	758411.85 ops/s
com.aws.greengrass.clientdevices.auth.benchmark.AuthorizationBenchmarks.GIVEN_single_group_permission_WHEN_simple_auth_request_THEN_successful_auth	1064997.34 ops/s

[github-actions]

Code Coverage Report

File	Coverage
All files	73%	✅
com.aws.greengrass.clientdevices.auth.PermissionEvaluationUtils	77%	✅
com.aws.greengrass.clientdevices.auth.CertificateManager	88%	✅
com.aws.greengrass.clientdevices.auth.ClientDevicesAuthService	77%	✅
com.aws.greengrass.clientdevices.auth.DeviceAuthClient	73%	✅
com.aws.greengrass.clientdevices.auth.certificate.ClientCertificateGenerator	95%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateHelper	74%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateStore	72%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateExpiryMonitor	77%	✅
com.aws.greengrass.clientdevices.auth.certificate.ServerCertificateGenerator	93%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateGenerator	70%	✅
com.aws.greengrass.clientdevices.auth.certificate.CertificateExpiryMonitor$CertRotationDecider	90%	✅
com.aws.greengrass.clientdevices.auth.iot.usecases.VerifyIotCertificate	94%	✅
com.aws.greengrass.clientdevices.auth.iot.usecases.VerifyThingAttachedToCertificate	89%	✅
com.aws.greengrass.clientdevices.auth.iot.usecases.CreateIoTThingSession	67%	✅
com.aws.greengrass.clientdevices.auth.iot.usecases.VerifyCertificateValidityPeriod	88%	✅
com.aws.greengrass.clientdevices.auth.certificate.infra.BackgroundCertificateRefresh	82%	✅
com.aws.greengrass.clientdevices.auth.iot.infra.ThingRegistry	92%	✅
com.aws.greengrass.clientdevices.auth.certificate.usecases.ConfigureManagedCertificateAuthority	85%	✅
com.aws.greengrass.clientdevices.auth.certificate.usecases.ConfigureCustomCertificateAuthority	83%	✅
com.aws.greengrass.clientdevices.auth.certificate.usecases.RegisterCertificateAuthorityUseCase	65%	✅
com.aws.greengrass.clientdevices.auth.configuration.MetricsConfiguration	83%	✅
com.aws.greengrass.clientdevices.auth.configuration.GroupManager	89%	✅
com.aws.greengrass.clientdevices.auth.configuration.CAConfiguration	96%	✅
com.aws.greengrass.clientdevices.auth.configuration.RuntimeConfiguration	83%	✅
com.aws.greengrass.clientdevices.auth.configuration.SecurityConfiguration	80%	✅
com.aws.greengrass.clientdevices.auth.configuration.GroupDefinition	75%	✅
com.aws.greengrass.clientdevices.auth.configuration.ExpressionVisitor	84%	✅
com.aws.greengrass.clientdevices.auth.configuration.GroupConfiguration	92%	✅
com.aws.greengrass.clientdevices.auth.api.ClientDevicesAuthServiceApi	85%	✅
com.aws.greengrass.clientdevices.auth.api.GetCertificateRequestWithGenerator	75%	✅
com.aws.greengrass.clientdevices.auth.api.UseCases	71%	✅
com.aws.greengrass.clientdevices.auth.session.attribute.WildcardSuffixAttribute	96%	✅
com.aws.greengrass.clientdevices.auth.iot.IotAuthClient$Default	56%	✅
com.aws.greengrass.clientdevices.auth.iot.Thing	85%	✅
com.aws.greengrass.clientdevices.auth.iot.Certificate	74%	✅
com.aws.greengrass.clientdevices.auth.iot.GreengrassV2DataClientFactory	18%	❌
com.aws.greengrass.clientdevices.auth.iot.CertificateRegistry	95%	✅
com.aws.greengrass.clientdevices.auth.infra.NetworkStateProvider$Default	83%	✅
com.aws.greengrass.ipc.IPCUtils	83%	✅
com.aws.greengrass.ipc.VerifyClientDeviceIdentityOperationHandler	60%	✅
com.aws.greengrass.ipc.GetClientDeviceAuthTokenOperationHandler	83%	✅
com.aws.greengrass.ipc.AuthorizeClientDeviceActionOperationHandler	79%	✅
com.aws.greengrass.ipc.SubscribeToCertificateUpdatesOperationHandler	81%	✅
com.aws.greengrass.clientdevices.auth.session.SessionConfig	92%	✅
com.aws.greengrass.clientdevices.auth.session.SessionManager	88%	✅
com.aws.greengrass.clientdevices.auth.certificate.handlers.CAConfigurationChangedHandler	93%	✅
com.aws.greengrass.clientdevices.auth.certificate.handlers.CertificateRotationHandler	96%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.SessionCreationEventHandler	88%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.MetricsConfigurationChangedHandler	70%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.AuthorizeClientDeviceActionsMetricHandler	88%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.VerifyClientDeviceIdentityEventHandler	88%	✅
com.aws.greengrass.clientdevices.auth.metrics.handlers.CertificateSubscriptionEventHandler	83%	✅
com.aws.greengrass.clientdevices.auth.util.ResizableLinkedBlockingQueue	90%	✅
com.aws.greengrass.clientdevices.auth.util.ParseIPAddress	90%	✅
com.aws.greengrass.clientdevices.auth.connectivity.CISShadowMonitor$SucceedOnceOperation	88%	✅
com.aws.greengrass.clientdevices.auth.connectivity.CISShadowMonitor	79%	✅
com.aws.greengrass.clientdevices.auth.connectivity.CISShadowMonitor$ProcessCISShadowTask	83%	✅
com.aws.greengrass.clientdevices.auth.connectivity.CISShadowMonitor$CISShadowTaskQueue	82%	✅
com.aws.greengrass.clientdevices.auth.connectivity.HostAddress	67%	✅
com.aws.greengrass.clientdevices.auth.connectivity.CISShadowMonitor$CISShadowTaskExecutor	80%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.TokenMgrError	22%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.RuleExpressionTokenManager	61%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.ASTStart	33%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.ASTAnd	67%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.Token	58%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.RuleExpressionDefaultVisitor	0%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.ASTOr	67%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.SimpleCharStream	28%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.RuleExpressionTreeConstants	0%	❌
com.aws.greengrass.clientdevices.auth.configuration.parser.JJTRuleExpressionState	67%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.ASTThing	67%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.RuleExpression	63%	✅
com.aws.greengrass.clientdevices.auth.configuration.parser.SimpleNode	27%	❌

Minimum allowed coverage is 50%

Generated by 🐒 cobertura-action against f32d9d5

[MikeDombo]

use the mappers we already have in the utils. We have one already for recipes which does case insensitive stuff

[MikeDombo]

I think you want getConfigurationSerializerJson to avoid changing capitalization

[jcosentino11]

looks like we were relying on FAIL_ON_UNKNOWN_PROPERTIES before (which is why there's a test failure right now). so we'd have to use the existing objectmapper for backwards compat; otherwise if customers set group policy w/ extra stuff they can't rollback

[MikeDombo]

We shouldn't fail on unknown though. That prevents forward compatibility

[jcosentino11]

yeah, ok if we're fine with that behavior change then yeah can add it in

[jcosentino11]

done

[robcmann]

Should we also validate that policy variables in the policy document are supported by the PolicyVariableResolver since the resolver doesn't handle unsupported policy variables?

[jcosentino11]

yep, wanted to do that in a follow-up, this PR is meant to be a refactor