[broker-35] Implement ACL rules engine (#59)

* [broker-35] HCL-format playbook

* [broker-35] Groovy-DSL playbook

* [broker-35] Improve Groovy-DSL

* [broker-35] Move Groovy-DSL to main sources

* [broker-35] Code cleanup

* [broker-35] Extract ACL parser and engine to separate modules

* [broker-35] Apply schema to config

* [broker-35] Optimize AclRuleEngine

* [broker-35] Optimize lambda usage

* [broker-35] Replace groovy-all dependency with groovy

* [broker-35] Remove testFixtures(projects.network) from acl-engine

* [broker-35] Include package-info.java to acl-engine

* [broker-35] Introduce OOP into client matching logic

* [broker-35] Fix small issues

* [broker-35] Implement nested allOf/anyOf

* [broker-35] Work on PR comments

* [broker-35] Clean up the code

* [broker-35] Move model classes from groovy to java

* [broker-35] Move TopicFilter.matches() to TopicFilterMatcher

* [broker-35] Improve test

* [broker-35] Fix gdsl definition

* [broker-35] Remove redundant class members

* [broker-35] Introduce anyOf() and anyone() matchers

* [broker-35] Add tests

* [broker-35] Improve TopicFilterMatcher

* [broker-35] Add test

* [broker-35] Improve Rule abstraction

* [broker-35] Fix rule application

* [broker-35] Make AclRulesLoader returning EnumMap

* [broker-35] Increase performance of AclRuleLoader

* [broker-35] Code cleanup

* [broker-35] Refactoring

* [broker-35] Increase test coverage

* [broker-35] Adapt AclRuleEngine to MqttUser interface

* [broker-35] Move AclConfigurationException to java

* [broker-35] Remove redundant code

* [broker-35] Improve AllOfBuilder encapsulation

* [broker-35] Add more test cases

* [broker-35] Increase test coverage

* [broker-35] Ensure each operation has non-null rule list

* [broker-35] Update the same comment with Coverage Report

* [broker-35] Improve EnumMap<Rule> creation

* [broker-35] Add more tests

* [broker-35] Work on review comments

* [broker-35] Accept AbstractTopic instead of rawTopic

* [broker-35] Support anyone() for user identity matchers

* [broker-35] Renaming, refactoring, code cleanup

* [broker-35] Add README.md

* [broker-35] Update README.md

Author: crazyrokr

.github/workflows/gradle.yml

@@ -54,6 +54,8 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
           min-coverage-overall: 40
           min-coverage-changed-files: 60
+          update-comment: true
+          title: Test Coverage Report
 
   dependency-submission:
     runs-on: ubuntu-latest

.gitignore

@@ -1,4 +1,4 @@
 /.idea/
-/.gradle/
-/build/
+**/.gradle/
+**/build/
 /out/

acl-engine/README.md

@@ -0,0 +1,6 @@
+## Summary
+
+This module implements an Access Control List rules engine for the MQTT broker.
+**_ACL Rules Engine_** stores rules parsed by **_ACL Rules Loader_** and verify user authorization requests against the rules.
+It utilizes order-based priority: once a rule matches, its permission (allow or deny) is applied and subsequent rules
+are skipped. By default, it denies any incoming request unless it's allowed explicitly.

acl-engine/build.gradle

@@ -0,0 +1,14 @@
+plugins {
+  id("groovy")
+  id("java-library")
+  id("configure-java")
+}
+
+dependencies {
+  api projects.aclGroovyDsl
+  api projects.model
+  api libs.groovy
+
+  testImplementation projects.testSupport
+  testImplementation testFixtures(projects.aclGroovyDsl)
+}

acl-engine/src/main/java/javasabr/mqtt/service/acl/AclRulesEngine.java

@@ -0,0 +1,22 @@
+package javasabr.mqtt.service.acl;
+
+import java.util.Map;
+import javasabr.mqtt.model.MqttUser;
+import javasabr.mqtt.model.acl.Action;
+import javasabr.mqtt.model.acl.Operation;
+import javasabr.mqtt.model.acl.rule.Rule;
+import javasabr.mqtt.model.topic.AbstractTopic;
+import javasabr.rlib.collections.array.Array;
+
+public record AclRulesEngine(Map<Operation, Array<Rule>> ruleMap) {
+
+  public boolean authorize(MqttUser mqttUser, Operation operation, AbstractTopic topic) {
+    Array<Rule> rules = ruleMap.get(operation);
+    for (Rule rule : rules) {
+      if (rule.test(mqttUser, operation, topic)) {
+        return rule.action() == Action.ALLOW;
+      }
+    }
+    return false;
+  }
+}

acl-engine/src/main/java/javasabr/mqtt/service/acl/package-info.java

@@ -0,0 +1,4 @@
+@NullMarked
+package javasabr.mqtt.service.acl;
+
+import org.jspecify.annotations.NullMarked;

acl-engine/src/test/groovy/javasabr/mqtt/service/acl/AclRulesEngineTest.groovy

@@ -0,0 +1,143 @@
+package javasabr.mqtt.service.acl
+
+import javasabr.mqtt.model.MqttUser
+import javasabr.mqtt.model.acl.Operation
+import javasabr.mqtt.model.acl.condition.AllOfCondition
+import javasabr.mqtt.model.acl.condition.AnyOfCondition
+import javasabr.mqtt.model.acl.condition.MqttUserCondition
+import javasabr.mqtt.model.acl.condition.TopicCondition
+import javasabr.mqtt.model.acl.matcher.TopicNameMatcher
+import javasabr.mqtt.model.acl.rule.AllowPublishRule
+import javasabr.mqtt.model.acl.rule.AllowSubscribeRule
+import javasabr.mqtt.model.acl.rule.DenyPublishRule
+import javasabr.mqtt.model.acl.rule.DenySubscribeRule
+import javasabr.mqtt.model.acl.rule.Rule
+import javasabr.mqtt.model.topic.AbstractTopic
+import javasabr.mqtt.model.topic.TopicFilter
+import javasabr.mqtt.model.topic.TopicName
+import javasabr.mqtt.service.acl.builder.TopicMatcherBuilder
+import javasabr.mqtt.test.support.UnitSpecification
+import javasabr.rlib.collections.array.Array
+import javasabr.rlib.collections.array.MutableArray
+
+import static javasabr.mqtt.model.acl.Operation.PUBLISH
+import static javasabr.mqtt.model.acl.Operation.SUBSCRIBE
+
+class AclRulesEngineTest extends UnitSpecification implements ConditionMatcherAware, TopicMatcherBuilder {
+
+  def "should allow or deny according rules"(
+      String username, String clientId, String ipAddress, Operation operation, AbstractTopic topic) {
+    given:
+        EnumMap<Operation, MutableArray<Rule>> rulesEnumMap = new EnumMap<>(Operation.class)
+    and:
+        Array<Rule> publishRules = MutableArray.ofType(Rule.class)
+        rulesEnumMap.put(PUBLISH, publishRules)
+        publishRules << new AllowPublishRule(
+            new AnyOfCondition(
+                userNameEquals("sensor1"),
+                userNameEquals("sensor10"),
+                userNameRegex("^sensor1/"),
+                userNameRegex("/sensor10\$"),
+                clientIdEquals("clientId1"),
+                clientIdEquals("sensor10"),
+                clientIdRegex("/^sensor1/"),
+                clientIdRegex("/sensor10\$"),
+                ipAddressEquals("10.56.0.3"),
+                ipAddressRegex("127.0.0.1")
+            ),
+            new TopicCondition(Array.of(
+                new TopicNameMatcher(TopicName.valueOf("/topic1/#")),
+                new TopicNameMatcher(TopicName.valueOf("/topic2/+/temp"))
+            ))
+        )
+        publishRules << new DenyPublishRule(
+            new AllOfCondition(
+                userNameEquals("user10"),
+                clientIdEquals("clientId1"),
+                ipAddressEquals("12.30.0.117"),
+            ),
+            new TopicCondition(Array.of(
+                new TopicNameMatcher(TopicName.valueOf("/topic/home/temp"))
+            ))
+        )
+        publishRules << new AllowPublishRule(
+            new AnyOfCondition(
+                userNameEquals("user120"),
+                clientIdEquals("clientId500"),
+                ipAddressEquals("12.30.0.117"),
+            ),
+            new TopicCondition(Array.of(
+                new TopicNameMatcher(TopicName.valueOf("/topic/home/temp"))
+            ))
+        )
+        publishRules << new AllowPublishRule(MqttUserCondition.MATCH_ANY, new TopicCondition(Array.of(
+            new TopicNameMatcher(TopicName.valueOf("/topic1/#")),
+            new TopicNameMatcher(TopicName.valueOf("/topic2/+/temp"))
+        )))
+    and:
+        Array<Rule> subscribeRules = MutableArray.ofType(Rule.class)
+        rulesEnumMap.put(SUBSCRIBE, subscribeRules)
+        subscribeRules << new DenySubscribeRule(MqttUserCondition.MATCH_ANY, new TopicCondition(Array.of(
+            match("/allowed/+/restricted")
+        )))
+        subscribeRules << new AllowSubscribeRule(new AllOfCondition(
+            userNameEquals("admin"),
+            clientIdEquals("id"),
+            ipAddressEquals("10.0.0.1"),
+        ), new TopicCondition(Array.of(
+            match("/allowed/#")
+        )))
+        subscribeRules << new DenySubscribeRule(MqttUserCondition.MATCH_ANY, new TopicCondition(Array.of(
+            match("\$SYS/#"),
+            match("#")
+        )))
+        subscribeRules << new AllowSubscribeRule(MqttUserCondition.MATCH_ANY, TopicCondition.MATCH_ANY)
+    and:
+        AclRulesEngine engine = new AclRulesEngine(rulesEnumMap)
+        MqttUser mqttUser = Mock(MqttUser)
+        mqttUser.userName() >> username
+        mqttUser.clientId() >> clientId
+        mqttUser.ipAddress() >> ipAddress
+    when:
+        boolean result = engine.authorize(mqttUser, operation, topic)
+    then:
+        result == expectedResult
+    where:
+        username   | clientId    | ipAddress     | operation | topic                                           | expectedResult
+        "sensor1"  | "clientId2" | "60.50.0.1"   | PUBLISH   | TopicName.valueOf("/topic1/#")                  | true
+        "sensor2"  | "clientId1" | "60.50.0.1"   | PUBLISH   | TopicName.valueOf("/topic1/#")                  | true
+        "sensor2"  | "clientId2" | "127.0.0.1"   | PUBLISH   | TopicName.valueOf("/topic1/#")                  | true
+        "sensor2"  | "clientId2" | "127.0.0.2"   | PUBLISH   | TopicName.valueOf("/topic1/#")                  | true
+        "sensor2"  | "clientId2" | "127.0.0.2"   | PUBLISH   | TopicName.valueOf("/topic/#")                   | false
+        "user10"   | "clientId1" | "12.30.0.117" | PUBLISH   | TopicName.valueOf("/topic/home/temp")           | false
+        "user10"   | "clientId1" | "12.30.0.117" | PUBLISH   | TopicName.valueOf("/topic1/#")                  | true
+        "user10"   | "clientId1" | "12.30.0.117" | PUBLISH   | TopicName.valueOf("/topic/home/temp")           | false
+        "user120"  | "clientId1" | "12.30.0.117" | PUBLISH   | TopicName.valueOf("/topic/home/temp")           | true
+        "sensorX"  | "id"        | "1.1.1.1"     | PUBLISH   | TopicName.valueOf("/topic1/data")               | false
+        "sensors1" | "id"        | "1.1.1.1"     | PUBLISH   | TopicName.valueOf("/topic1/data")               | false
+        "sensor1"  | "id"        | "1.1.1.1"     | PUBLISH   | TopicName.valueOf("/topic2/temp")               | false
+        "sensor1/" | "id"        | "1.1.1.1"     | PUBLISH   | TopicName.valueOf("/topic1/#")                  | true
+        "user10"   | "clientId1" | "12.30.0.117" | PUBLISH   | TopicName.valueOf("/topic/home/temp")           | false
+        "user10"   | "clientId2" | "12.30.0.117" | PUBLISH   | TopicName.valueOf("/topic/home/temp")           | true
+        "nobody"   | "none"      | "0.0.0.0"     | PUBLISH   | TopicName.valueOf("/unknown/topic")             | false
+        "admin"    | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("system/status")            | false
+        "admin"    | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("\$SYS/info")               | false
+        "admin"    | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("/allowed/topic")           | true
+        "admin"    | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("/allowed/topic/#")         | true
+        "admin"    | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("/allowed/+")               | true
+        "admin"    | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("/allowed/+/temp")          | true
+        "admin"    | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("/allowed/sub1/restricted") | false
+        "admin"    | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("/allowed/+/restricted")    | false
+        "username" | "clientId"  | "127.0.0.1"   | SUBSCRIBE | TopicFilter.valueOf("/topic/#")                 | false
+        "user"     | "id"        | "10.0.0.10"   | SUBSCRIBE | TopicFilter.valueOf("home/temp/status")         | false
+        "user"     | "id"        | "10.0.0.10"   | SUBSCRIBE | TopicFilter.valueOf("\$SYS/info")               | false
+        "admin"    | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("/allowed/data")            | true
+        "admin"    | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("/allowed/#")               | true
+        "admin"    | "id"        | "10.0.0.2"    | SUBSCRIBE | TopicFilter.valueOf("/allowed/data")            | false
+        "nobody"   | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("/allowed/data")            | false
+        "user"     | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("home/status")              | false
+        "admin"    | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("/allowed")                 | true
+        "admin"    | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("/allowed/a/b/c/d")         | true
+        "admin"    | "id"        | "10.0.0.1"    | SUBSCRIBE | TopicFilter.valueOf("/other/topic")             | false
+  }
+}

acl-groovy-dsl/README.md

@@ -0,0 +1,48 @@
+## Summary
+
+This module implements an Access Control List rules loader for the MQTT broker.
+It enables defining fine-grained permissions for clients — controlling who can publish or subscribe to which topics,
+based on client identifiers such as username, client id and IP-address.
+
+**_ACL Rules Loader_** is a DSL-based configuration parser inspired by HCL format, allowing specifying rules like
+`allowPublish`, `denySubscribe`, `allowSubscribe` and `denyPublish`, supporting nesting of `allOf` and `anyOf`
+conditions and wildcards with `anyOf()` and `anyone()` keywords. An example of simple ACL file can be found in tests:
+
+https://github.com/JavaSaBr/mqtt-broker/blob/d07808bbd9eaf0264853c832dc83d34e4f591c9d/acl-groovy-dsl/src/test/resources/acl/config/acl.groovy#L3-L50
+
+### Domain Specific Language
+
+#### Rules
+- `allowPublish` - defines allowing rule for publish operation
+- `denySubscribe` - defines denying rule for subscribe operation
+- `allowSubscribe` - defines allowing rule for subscribe operation
+- `denyPublish` - defines denying rule for publish operation
+#### Compose Conditions
+- `allOf` - conjunction condition (logical AND) of user conditions, allows only single-matcher members
+- `anyOf` - disjunction condition (logical OR) of other conditions, allows multi-matcher members including `allOf`/`anyOf`
+#### User Conditions
+- `username` - defines user matcher based on its username, supports multi-matchers
+- `clientId` - defines user matcher based on its client id, supports multi-matchers
+- `ipAddress` - defines user matcher based on its ip address, supports multi-matchers
+#### Topic Conditions
+- `topicName` - topic name condition for publish request, supports multi-matchers
+- `topicFilter` - topic filter condition for subscribe request, supports multi-matchers
+#### Value Matchers
+- `eq` - strict equality matcher
+- `regex` - regular expression matcher
+- `match` - topic filter matcher (respecting topic naming rules and wildcards support)
+
+#### Constraints
+
+- Maximum number of rules 1000
+- Rule can contain only one compose condition
+- Publish rule can contain several topic names
+- Subscribe rule can contain several topic filters
+- AllOf condition can contain only single client id, username or IP-address matchers
+- AnyOf condition can contain multiple client id, username, IP-address matchers, or other AllOf and AnyOf conditions
+- Username, Client ID and IP address conditions accept one or many regular expression or strict equality matchers
+- Topic name condition accepts one or many strict equality matchers
+- Topic filter condition accepts one or many topic filter matchers
+- Strict equality matcher compares two string values
+- Regular expression matcher verifies if incoming value match regex
+- Topic filter matcher verifies if incoming topic match subscription topic filter respecting `#` and `+` wildcards

acl-groovy-dsl/build.gradle

@@ -0,0 +1,14 @@
+plugins {
+  id("groovy")
+  id("java-library")
+  id("configure-java")
+}
+
+dependencies {
+  api libs.groovy
+  api projects.model
+  api libs.rlib.collections
+
+  testImplementation testFixtures(projects.model)
+  testImplementation projects.testSupport
+}

acl-groovy-dsl/src/main/groovy/javasabr/mqtt/service/acl/AclRulesLoader.groovy

@@ -0,0 +1,43 @@
+package javasabr.mqtt.service.acl
+
+import groovy.transform.Field
+import javasabr.mqtt.model.acl.Operation
+import javasabr.mqtt.model.acl.rule.Rule
+import javasabr.mqtt.model.exception.AclConfigurationException
+import javasabr.mqtt.service.acl.builder.AclRulesBuilder
+import javasabr.mqtt.service.acl.builder.RuleContainerBuilder
+import javasabr.rlib.collections.array.Array
+import org.codehaus.groovy.control.CompilerConfiguration
+
+import java.nio.file.Files
+import java.nio.file.Path
+
+class AclRulesLoader {
+
+  @SuppressWarnings('GrFinalVariableAccess')
+  private final Path aclConfigPath
+
+  AclRulesLoader(String aclConfigPath) {
+    if (aclConfigPath == null) {
+      throw new AclConfigurationException("ACL config path is null")
+    }
+    this.aclConfigPath = Path.of(aclConfigPath)
+    if (Files.notExists(this.aclConfigPath)) {
+      throw new AclConfigurationException("Class loader unable to load resource: %s".formatted(aclConfigPath))
+    }
+  }
+
+  Map<Operation, Array<Rule>> load() {
+    CompilerConfiguration compilerConfig = new CompilerConfiguration()
+    AclRulesBuilder aclRulesBuilder = new AclRulesBuilder()
+    new GroovyShell(compilerConfig).with {
+      setVariable("allowPublish", aclRulesBuilder.&allowPublish)
+      setVariable("denyPublish", aclRulesBuilder.&denyPublish)
+      setVariable("allowSubscribe", aclRulesBuilder.&allowSubscribe)
+      setVariable("denySubscribe", aclRulesBuilder.&denySubscribe)
+      evaluate(aclConfigPath.toFile())
+    }
+    def rules = aclRulesBuilder.build()
+    return RuleContainerBuilder.groupRulesByOperation(rules)
+  }
+}