crabka-authz 0.3.2

Shared Kafka-ACL authorization evaluator for the Crabka broker and gateway
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178

//! Gateway-side ACL snapshot: a flat `Vec<AclEntry>` (from `describe_acls`)
//! that implements [`AclSource`] with EXACTLY the broker's matching semantics.

use crabka_metadata::{AclEntry, PatternType, ResourceType};

use crate::AclSource;

/// Immutable ACL snapshot; rebuilt wholesale on each refresh.
#[derive(Debug, Clone, Default)]
pub struct AclCache {
    entries: Vec<AclEntry>,
}

impl AclCache {
    #[must_use]
    pub fn new(entries: Vec<AclEntry>) -> Self {
        Self { entries }
    }
    #[must_use]
    pub fn len(&self) -> usize {
        self.entries.len()
    }
    #[must_use]
    pub fn is_empty(&self) -> bool {
        self.entries.is_empty()
    }
}

impl AclSource for AclCache {
    fn matching_acls<'a>(
        &'a self,
        rt: ResourceType,
        name: &'a str,
    ) -> Box<dyn Iterator<Item = &'a AclEntry> + 'a> {
        // MUST mirror MetadataImage::matching_acls: same resource_type, and
        // (LITERAL == name) || (LITERAL == "*") || (PREFIXED && name.starts_with(resource_name)).
        Box::new(self.entries.iter().filter(move |e| {
            e.resource_type == rt
                && match e.pattern_type {
                    PatternType::Literal => e.resource_name == name || e.resource_name == "*",
                    PatternType::Prefixed => name.starts_with(e.resource_name.as_str()),
                }
        }))
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use assert2::assert;
    use crabka_metadata::{
        AclOperation, MetadataImage, MetadataRecord, PermissionType, ResourceType,
    };
    use uuid::Uuid;

    fn entry(rt: ResourceType, pattern: PatternType, name: &str, op: AclOperation) -> AclEntry {
        AclEntry {
            resource_type: rt,
            resource_name: name.into(),
            pattern_type: pattern,
            principal: "User:alice".into(),
            host: "*".into(),
            operation: op,
            permission_type: PermissionType::Allow,
        }
    }

    /// A stable, comparable identity for an `AclEntry` so the two sources'
    /// `matching_acls` outputs can be compared as sets regardless of order.
    /// (The ACL enums derive `Debug` but not `Ord`, so we key on the debug
    /// rendering of the identifying fields — a `String`, which is `Ord`.)
    fn key(e: &AclEntry) -> String {
        format!(
            "{:?}|{:?}|{}|{:?}",
            e.resource_type, e.pattern_type, e.resource_name, e.operation
        )
    }

    fn sorted_keys<'a>(it: Box<dyn Iterator<Item = &'a AclEntry> + 'a>) -> Vec<String> {
        let mut v: Vec<_> = it.map(key).collect();
        v.sort();
        v
    }

    /// Cross-validation guard: the same `AclEntry` set, built into BOTH a
    /// `MetadataImage` (via `apply`) and an `AclCache`, must yield the SAME
    /// matching set for every probe. This protects against drift between the
    /// broker's image matching and the gateway cache's reimplementation.
    #[test]
    fn cache_matches_image_for_every_probe() {
        // A representative ACL set: literal exact, the literal "*" wildcard,
        // a prefixed entry, an unrelated topic, and a different resource type.
        let entries = vec![
            entry(
                ResourceType::Topic,
                PatternType::Literal,
                "foo",
                AclOperation::Read,
            ),
            entry(
                ResourceType::Topic,
                PatternType::Literal,
                "*",
                AclOperation::Write,
            ),
            entry(
                ResourceType::Topic,
                PatternType::Prefixed,
                "team-",
                AclOperation::Read,
            ),
            entry(
                ResourceType::Topic,
                PatternType::Literal,
                "bar",
                AclOperation::Read,
            ),
            entry(
                ResourceType::Group,
                PatternType::Literal,
                "cg-1",
                AclOperation::Read,
            ),
            entry(
                ResourceType::Group,
                PatternType::Prefixed,
                "app-",
                AclOperation::Read,
            ),
        ];

        // Build the same set into a MetadataImage (broker side) ...
        let mut image = MetadataImage::new(Uuid::nil());
        for e in &entries {
            image.apply(&MetadataRecord::V1AccessControlEntry(e.clone()));
        }
        // ... and into an AclCache (gateway side).
        let cache = AclCache::new(entries.clone());

        // Probes covering every matching code path.
        let probes: &[(ResourceType, &str)] = &[
            (ResourceType::Topic, "foo"),      // literal exact hit (+ "*" wildcard)
            (ResourceType::Topic, "*"),        // querying the wildcard resource itself
            (ResourceType::Topic, "team-foo"), // prefixed hit (+ "*" wildcard)
            (ResourceType::Topic, "team-"),    // prefix boundary (starts_with itself)
            (ResourceType::Topic, "nomatch"),  // only the "*" wildcard matches
            (ResourceType::Group, "cg-1"),     // literal hit, no wildcard for Group
            (ResourceType::Group, "app-svc"),  // prefixed hit on Group
            (ResourceType::Group, "other"),    // prefixed miss, no wildcard → empty
            (ResourceType::Cluster, "kafka-cluster"), // wrong type → empty in both
        ];

        for &(rt, name) in probes {
            let from_image = sorted_keys(AclSource::matching_acls(&image, rt, name));
            let from_cache = sorted_keys(AclSource::matching_acls(&cache, rt, name));
            assert!(
                from_image == from_cache,
                "drift at ({rt:?}, {name:?}): image={from_image:?} cache={from_cache:?}"
            );
        }
    }

    #[test]
    fn len_and_is_empty_track_entries() {
        let empty = AclCache::default();
        assert!(empty.is_empty());
        assert!(empty.len() == 0);

        let cache = AclCache::new(vec![entry(
            ResourceType::Topic,
            PatternType::Literal,
            "foo",
            AclOperation::Read,
        )]);
        assert!(!cache.is_empty());
        assert!(cache.len() == 1);
    }
}