Add an ACL Authorizer implementation (kroxylicious#2903)

* kroxylicious-authorizer-acl: Implement the Authorizer API using ACLs
* Allow keywords as identifiers
* Javadoc ResourceType.implies()
* Rejig import statement to better support multi import from same package
* Remove `version`
* Import User by default, but allow it to be overridden

Signed-off-by: Tom Bentley <tbentley@redhat.com>

Author: tombentley

etc/checkstyle-suppressions.xml

@@ -20,4 +20,7 @@
               files="io[/\\]kroxylicious[/\\]kubernetes[/\\]filter[/\\]api[/\\].*\.java"/>
     <suppress checks=".*"
               files="io[/\\]kroxylicious[/\\]microbenchmarks[/\\]jmh_generated[/\\].*"/>
+
+    <suppress checks=".*"
+              files="generated-sources/antlr4/.*"/>
 </suppressions>

kroxylicious-authorizer-api/src/main/java/io/kroxylicious/authorizer/service/ResourceType.java

@@ -19,6 +19,13 @@
  */
 public interface ResourceType<S extends Enum<S> & ResourceType<S>> {
 
+    /**
+     * Returns a set of operations that are implied by this operation.
+     * This must return the complete transitive closure of all such implied operations.
+     * In other words, if logically speaking {@code A} implies {@code B}, and {@code B} implies {@code C} then
+     * programmatically speaking {@code A.implies()} must contain both {@code B} <em>and {@code C}</em>.
+     * @return The operations that are implied by this operation.
+     */
     default Set<S> implies() {
         // TODO This is actually really tricky to model in a way that works for different Authorizer implementations
         // Allowing operations to express implication makes in-process authorization evaluations easier

kroxylicious-authorizer-providers/kroxylicious-authorizer-acl/pom.xml

@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright Kroxylicious Authors.
+
+    Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>io.kroxylicious</groupId>
+        <artifactId>kroxylicious-parent</artifactId>
+        <version>0.18.0-SNAPSHOT</version>
+        <relativePath>../../pom.xml</relativePath>
+    </parent>
+
+    <artifactId>kroxylicious-authorizer-acl</artifactId>
+    <name>ACL Authorization plugin implementation</name>
+    <description>An Authorization plugin implementation using Access Control Lists (ACLs)</description>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.kroxylicious</groupId>
+            <artifactId>kroxylicious-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.antlr</groupId>
+            <artifactId>antlr4-runtime</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.kroxylicious</groupId>
+            <artifactId>kroxylicious-annotations</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.kroxylicious</groupId>
+            <artifactId>kroxylicious-authorizer-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.google.re2j</groupId>
+            <artifactId>re2j</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.github.spotbugs</groupId>
+            <artifactId>spotbugs-annotations</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.assertj</groupId>
+            <artifactId>assertj-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-params</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.antlr</groupId>
+                <artifactId>antlr4-maven-plugin</artifactId>
+                <version>4.13.1</version>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>antlr4</goal>
+                        </goals>
+                        <phase>generate-sources</phase>
+
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>attach-javadocs</id>
+                        <configuration>
+                            <!-- don't doc the antler generated classes -->
+                            <excludePackageNames>io.kroxylicious.authorizer.provider.acl.parser</excludePackageNames>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>

kroxylicious-authorizer-providers/kroxylicious-authorizer-acl/src/main/antlr4/io/kroxylicious/authorizer/provider/acl/parser/AclRules.g4

@@ -0,0 +1,116 @@
+/**
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+grammar AclRules;
+
+rule:
+    importStmt*
+    denyRule*
+    allowRule*
+    endRule
+    <EOF>
+    ;
+
+// We include all the lexer keywords, in addition to the lexer IDENT token, into this grammar rule
+// so that those keywords can be used in identifiers in the grammar
+ident : FROM | IMPORT | AS
+    | ALLOW | DENY  | TO
+    | WITH | NAME | IN | LIKE | MATCHING
+    | OTHERWISE
+    | IDENT;
+
+importStmt: FROM packageName IMPORT importList SEMI
+    ;
+packageName: qualIdent
+    ;
+qualIdent: ident (DOT ident)*
+    ;
+importList: importElement (COMMA importElement)*
+    ;
+importElement: name=ident (AS local=ident)?
+    ;
+
+denyRule: DENY allowOrDenyRule SEMI
+    ;
+allowRule: ALLOW allowOrDenyRule SEMI
+    ;
+
+allowOrDenyRule: userPattern TO operationPattern
+    ;
+
+userPattern: principalType WITH NAME userNamePred
+    ;
+principalType: ident
+    ;
+userNamePred: nameAny
+    | nameEq
+    | nameIn
+    | nameLike
+    ;
+
+operationPattern: operations resource WITH NAME resourceNamePred
+    ;
+
+operations: STAR
+    | operation
+    | operationSet
+    ;
+operation: ident
+    ;
+operationSet: LBRA operation (COMMA operation)* RBRA
+    ;
+
+resource: ident
+    //| STAR
+    ;
+
+resourceNamePred: nameAny
+    | nameEq
+    | nameIn
+    | nameMatch
+    | nameLike
+    ;
+nameAny: STAR
+    ;
+nameEq: EQ STRING
+    ;
+nameIn: IN LBRA STRING (COMMA STRING)* RBRA
+    ;
+nameMatch: MATCHING REGEX
+    ;
+nameLike: LIKE STRING
+    ;
+
+endRule: OTHERWISE DENY SEMI
+    ;
+
+// lexer rules
+SEMI: ';';
+DOT: '.';
+COMMA: ',';
+STAR: '*';
+EQ: '=';
+LBRA: '{';
+RBRA: '}';
+DENY: 'deny';
+ALLOW: 'allow';
+OTHERWISE: 'otherwise';
+IN: 'in';
+TO: 'to';
+AS: 'as';
+LIKE: 'like';
+MATCHING: 'matching';
+FROM: 'from';
+IMPORT: 'import';
+NAME: 'name';
+WITH: 'with';
+STRING: '"' (STRING_ESC | .)*? '"';
+fragment STRING_ESC: '\\"' | '\\\\';
+REGEX: '/' (REGEX_ESC | .)*? '/';
+fragment REGEX_ESC: '\\/' | '\\\\';
+LINE_COMMENT: '//' .*? '\r'? '\n' -> skip;
+COMMENT: '/*' .*? '*/' -> skip;
+WS: [ \t\r\n]+ -> skip;
+IDENT: [A-Za-z][A-Za-z0-9_]*;