aws-greengrass · jcosentino11 · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024
diff --git a/src/integrationtests/java/com/aws/greengrass/integrationtests/policy/PolicyTest.java b/src/integrationtests/java/com/aws/greengrass/integrationtests/policy/PolicyTest.java
@@ -273,6 +273,34 @@ public static Stream<Arguments> authzRequests() {
                                 .operation("mqtt:publish")
                                 .resource("mqtt:topic:myThing/world")
                                 .expectedResult(false)
+                                .build(),
+                        // single character eval not supported by default
+                        AuthZRequest.builder()
+                                .thingName("myThing")
+                                .operation("mqtt:subscribe")
+                                .resource("mqtt:topic:myThing/#/test/abc")
+                                .expectedResult(false)
+                                .build(),
+                        AuthZRequest.builder()
+                                .thingName("myThing")
+                                .operation("mqtt:subscribe")
+                                .resource("mqtt:topic:myThing/#/test/???")
+                                .expectedResult(true)
+                                .build()
+                )),
+
+                Arguments.of("single-character-wildcards-in-resource.yaml", Arrays.asList(
+                        AuthZRequest.builder()
+                                .thingName("myThing")
+                                .operation("mqtt:subscribe")
+                                .resource("mqtt:topic:myThing/abc/test/a/b")
+                                .expectedResult(true)
+                                .build(),
+                        AuthZRequest.builder()
+                                .thingName("myThing")
+                                .operation("mqtt:subscribe")
+                                .resource("mqtt:topic:myThing/abcd/test/a/b")
+                                .expectedResult(false)
                                 .build()
                 )),
 

diff --git a/...es/com/aws/greengrass/integrationtests/policy/single-character-wildcards-in-resource.yaml b/...es/com/aws/greengrass/integrationtests/policy/single-character-wildcards-in-resource.yaml
@@ -0,0 +1,29 @@
+---
+services:
+  aws.greengrass.Nucleus:
+    configuration:
+      runWithDefault:
+        posixUser: nobody
+        windowsUser: integ-tester
+      logging:
+        level: "DEBUG"
+  aws.greengrass.clientdevices.Auth:
+    configuration:
+      enableSingleCharacterWildcardMatching: true
+      deviceGroups:
+        formatVersion: "2021-03-05"
+        definitions:
+          myThing:
+            selectionRule: "thingName: myThing"
+            policyName: "thingAccessPolicy"
+        policies:
+          thingAccessPolicy:
+            subscribe:
+              statementDescription: "mqtt subscribe"
+              operations:
+                - "mqtt:subscribe"
+              resources:
+                - "mqtt:topic:${iot:Connection.Thing.ThingName}/???/test/*"
+  main:
+    dependencies:
+      - aws.greengrass.clientdevices.Auth
diff --git a/...ests/resources/com/aws/greengrass/integrationtests/policy/wildcards-in-resource-type.yaml b/...ests/resources/com/aws/greengrass/integrationtests/policy/wildcards-in-resource-type.yaml
@@ -17,12 +17,18 @@ services:
             policyName: "thingAccessPolicy"
         policies:
           thingAccessPolicy:
-            policyStatement:
+            publish:
               statementDescription: "mqtt publish"
               operations:
                 - "mqtt:publish"
               resources:
                 - "mqtt:topic:*/myThing/*"
+            subscribe:
+              statementDescription: "mqtt subscribe"
+              operations:
+                - "mqtt:subscribe"
+              resources:
+                - "mqtt:topic:myThing/#/test/???"
   main:
     dependencies:
       - aws.greengrass.clientdevices.Auth
diff --git a/src/main/java/com/aws/greengrass/clientdevices/auth/ClientDevicesAuthService.java b/src/main/java/com/aws/greengrass/clientdevices/auth/ClientDevicesAuthService.java
@@ -170,6 +170,8 @@ private void subscribeToConfigChanges() {
     private void onConfigurationChanged() {
         try {
             cdaConfiguration = CDAConfiguration.from(cdaConfiguration, getConfig());
+            // TODO decouple
+            context.get(PermissionEvaluationUtils.class).setCdaConfiguration(cdaConfiguration);
         } catch (URISyntaxException e) {
             serviceErrored(e);
         }

diff --git a/src/main/java/com/aws/greengrass/clientdevices/auth/PermissionEvaluationUtils.java b/src/main/java/com/aws/greengrass/clientdevices/auth/PermissionEvaluationUtils.java
@@ -5,15 +5,17 @@
 
 package com.aws.greengrass.clientdevices.auth;
 
-import com.aws.greengrass.authorization.WildcardTrie;
+import com.aws.greengrass.clientdevices.auth.configuration.CDAConfiguration;
 import com.aws.greengrass.clientdevices.auth.configuration.GroupManager;
 import com.aws.greengrass.clientdevices.auth.configuration.Permission;
 import com.aws.greengrass.clientdevices.auth.exception.PolicyException;
 import com.aws.greengrass.clientdevices.auth.session.Session;
+import com.aws.greengrass.clientdevices.auth.util.WildcardTrie;
 import com.aws.greengrass.logging.api.Logger;
 import com.aws.greengrass.logging.impl.LogManager;
 import com.aws.greengrass.util.Utils;
 import lombok.Builder;
+import lombok.Setter;
 import lombok.Value;
 import org.apache.commons.lang3.StringUtils;
 
@@ -36,6 +38,8 @@ public final class PermissionEvaluationUtils {
             "Resource is malformed, must be of the form: "
             + "([a-zA-Z]+):([a-zA-Z]+):" + RESOURCE_NAME_PATTERN.pattern();
     private final GroupManager groupManager;
+    @Setter
+    private volatile CDAConfiguration cdaConfiguration;
 
     /**
      * Constructor for PermissionEvaluationUtils.
@@ -133,10 +137,16 @@ private boolean compareResource(Resource requestResource, String policyResource)
         if (Objects.equals(requestResource.getResourceStr(), policyResource)) {
             return true;
         }
+        return new WildcardTrie(wildcardOpts())
+                .withPattern(policyResource)
+                .matches(requestResource.getResourceStr());
+    }
 
-        WildcardTrie wildcardTrie = new WildcardTrie();
-        wildcardTrie.add(policyResource);
-        return wildcardTrie.matchesStandard(requestResource.getResourceStr());
+    private WildcardTrie.MatchOptions wildcardOpts() {
+        CDAConfiguration config = cdaConfiguration;
+        return WildcardTrie.MatchOptions.builder()
+                .useSingleCharWildcard(config != null && config.isMatchSingleCharacterWildcard())
+                .build();
     }
 
     private Operation parseOperation(String operationStr) throws PolicyException {

diff --git a/src/main/java/com/aws/greengrass/clientdevices/auth/configuration/CDAConfiguration.java b/src/main/java/com/aws/greengrass/clientdevices/auth/configuration/CDAConfiguration.java
@@ -10,6 +10,8 @@
 import com.aws.greengrass.clientdevices.auth.configuration.events.MetricsConfigurationChanged;
 import com.aws.greengrass.clientdevices.auth.configuration.events.SecurityConfigurationChanged;
 import com.aws.greengrass.config.Topics;
+import com.aws.greengrass.util.Coerce;
+import lombok.Builder;
 import lombok.Getter;
 
 import java.net.URISyntaxException;
@@ -48,23 +50,19 @@
  * |
  * </p>
  */
+@Builder
 public final class CDAConfiguration {
 
+    public static final String ENABLE_MQTT_WILDCARD_EVALUATION = "enableSingleCharacterWildcardMatching";
+
+    private final DomainEvents domainEvents;
     private final RuntimeConfiguration runtime;
-    private final SecurityConfiguration security;
     @Getter
     private final CAConfiguration certificateAuthorityConfiguration;
+    private final SecurityConfiguration security;
     private final MetricsConfiguration metricsConfiguration;
-    private final DomainEvents domainEvents;
-
-    private CDAConfiguration(DomainEvents domainEvents, RuntimeConfiguration runtime, CAConfiguration ca,
-                             SecurityConfiguration security, MetricsConfiguration metricsConfiguration) {
-        this.domainEvents = domainEvents;
-        this.runtime = runtime;
-        this.security = security;
-        this.certificateAuthorityConfiguration = ca;
-        this.metricsConfiguration = metricsConfiguration;
-    }
+    @Getter
+    private final boolean matchSingleCharacterWildcard;
 
     /**
      * Creates the CDA (Client Device Auth) Service configuration. And allows it to be available in the context with the
@@ -80,9 +78,15 @@
 
         DomainEvents domainEvents = topics.getContext().get(DomainEvents.class);
 
-        CDAConfiguration newConfig = new CDAConfiguration(domainEvents, RuntimeConfiguration.from(runtimeTopics),
-                CAConfiguration.from(serviceConfiguration), SecurityConfiguration.from(serviceConfiguration),
-                MetricsConfiguration.from(serviceConfiguration));
+        CDAConfiguration newConfig = CDAConfiguration.builder()
+                .domainEvents(domainEvents)
+                .runtime(RuntimeConfiguration.from(runtimeTopics))
+                .certificateAuthorityConfiguration(CAConfiguration.from(serviceConfiguration))
+                .security(SecurityConfiguration.from(serviceConfiguration))
+                .metricsConfiguration(MetricsConfiguration.from(serviceConfiguration))
+                .matchSingleCharacterWildcard(
+                        Coerce.toBoolean(serviceConfiguration.find(ENABLE_MQTT_WILDCARD_EVALUATION)))
+                .build();
 
         newConfig.triggerChanges(newConfig, existingConfig);