#1638 add wildcard support

Author: hu-ahmed

deployment/helm/ditto/Chart.yaml

@@ -16,7 +16,7 @@ description: |
   A digital twin is a virtual, cloud based, representation of his real world counterpart
   (real world “Things”, e.g. devices like sensors, smart heating, connected cars, smart grids, EV charging stations etc).
 type: application
-version: 3.8.16  # chart version is effectively set by release-job
+version: 3.8.17  # chart version is effectively set by release-job
 appVersion: 3.8.12
 keywords:
   - iot-chart

internal/utils/config/src/main/resources/ditto-namespace-policies.conf

@@ -1,21 +1,27 @@
 # namespace root policies
-# Maps namespaces to lists of policy IDs whose implicit entries are transparently merged
-# into every policy in that namespace when building policy enforcers.
+# Maps namespace patterns to lists of policy IDs whose implicit entries are transparently merged
+# into every matching policy's enforcer at build time.
+#
+# Pattern syntax (key side):
+#  - exact string      e.g. "org.example.devices"  matches only that namespace
+#  - prefix wildcard   e.g. "org.example.*"        matches any namespace starting with "org.example."
+#  - catch-all         "*"                         matches every namespace
 #
 # Rules:
 #  - only entries with importable = "implicit" are merged; "explicit" and "never" are skipped.
 #  - local policy entries always win on label conflicts (namespace root cannot override local entries)
+#  - matching patterns are applied in this precedence: exact > more specific prefix wildcard > less specific prefix wildcard > "*"
+#  - unsupported wildcard syntax is rejected at config load time
 #  - if a configured root policy is missing or deleted, its entries are skipped and an ERROR is logged
+#  - changing a root policy triggers cache invalidation for all cached policies in matching namespaces
 #  - this config is read by all services that perform policy enforcement (policies, things)
 #
-# Example:
-#   "org.example.devices"  = ["org.example:tenant-root"]
-#   "org.example.sensors"  = ["org.example:tenant-root", "org.example:audit-policy"]
-#
 # For Helm deployments, configure this via the policies.config.namespacePolicies and
 # things.config.namespacePolicies values, which are rendered into the respective
 # service extension config files.
 ditto.policies.namespace-policies {
-//  "org.example.devices"  = ["org.example:tenant-root"]
-//  "org.example.sensors"  = ["org.example:tenant-root", "org.example:audit-policy"]
+//  "org.example.devices"  = ["org.example:tenant-root"]           # exact namespace
+//  "org.example.devices.*" = ["org.example:devices-root"]         # more specific prefix wildcard
+//  "org.example.*"         = ["org.example:tenant-root"]          # broader prefix wildcard
+//  "*"                     = ["root:catch-all-policy"]            # every namespace
 }

policies/enforcement/src/main/java/org/eclipse/ditto/policies/enforcement/PolicyEnforcer.java

@@ -68,6 +68,8 @@ public static CompletionStage<PolicyEnforcer> withResolvedImports(final Policy p
      * Creates a policy enforcer from a policy, resolving both its explicit imports and any namespace root policies
      * configured for the policy's namespace. Namespace root policies are resolved with their own imports and their
      * implicit entries are merged last with local entries taking precedence on label conflicts.
+     * Matching namespace roots are applied in config precedence order: exact match first, then more
+     * specific prefix wildcards, then broader prefix wildcards, and finally {@code *}.
      * <p>
      * This is the preferred factory method to use in the cache loader. Namespace root policy resolution bypasses
      * the normal READ permission pre-enforcer check, since namespace policies are operator-configured and injected

policies/enforcement/src/main/java/org/eclipse/ditto/policies/enforcement/PolicyEnforcerCache.java

@@ -147,7 +147,9 @@ private boolean invalidateNamespaceDependents(final PolicyId policyId,
         }
 
         return delegate.asMap().keySet().stream()
-                .filter(cachedPolicyId -> affectedNamespaces.contains(cachedPolicyId.getNamespace()))
+                .filter(cachedPolicyId -> affectedNamespaces.stream()
+                        .anyMatch(pattern -> NamespacePoliciesConfig.namespaceMatchesPattern(
+                                cachedPolicyId.getNamespace(), pattern)))
                 .map(invalidateFunction)
                 .reduce((a, b) -> a || b)
                 .orElse(false);

policies/enforcement/src/main/java/org/eclipse/ditto/policies/enforcement/config/DefaultNamespacePoliciesConfig.java

@@ -14,6 +14,7 @@
 
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.Comparator;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -23,6 +24,8 @@
 
 import javax.annotation.concurrent.Immutable;
 
+import org.eclipse.ditto.base.model.entity.id.RegexPatterns;
+import org.eclipse.ditto.internal.utils.config.DittoConfigError;
 import org.eclipse.ditto.policies.model.PolicyId;
 
 import com.typesafe.config.Config;
@@ -34,13 +37,24 @@
  * Default implementation of {@link NamespacePoliciesConfig}.
  * <p>
  * Reads from the HOCON config path {@value #CONFIG_PATH}, which must be a config object mapping
- * namespace strings to lists of policy ID strings:
+ * namespace patterns to lists of policy ID strings. Keys may be exact namespaces, prefix wildcards,
+ * or {@code *} to match every namespace:
  * <pre>{@code
  * ditto.policies.namespace-policies {
- *   "org.example.devices"  = ["org.example:tenant-root"]
+ *   "org.example.devices"  = ["org.example:tenant-root"]          # exact namespace
  *   "org.example.sensors"  = ["org.example:tenant-root", "org.example:audit-policy"]
+ *   "org.example.*"        = ["org.example:tenant-root"]          # all namespaces under org.example
+ *   "*"                    = ["root:catch-all-policy"]            # every namespace
  * }
  * }</pre>
+ * <p>
+ * Matching patterns are resolved in deterministic precedence order:
+ * exact match first, then prefix wildcards ordered from most specific to least specific,
+ * and finally {@code *}.
+ * </p>
+ * <p>
+ * See {@link NamespacePoliciesConfig#namespaceMatchesPattern} for the supported pattern syntax.
+ * </p>
  */
 @Immutable
 public final class DefaultNamespacePoliciesConfig implements NamespacePoliciesConfig {
@@ -49,11 +63,15 @@ public final class DefaultNamespacePoliciesConfig implements NamespacePoliciesCo
 
     private final Map<String, List<PolicyId>> forwardMap;
     private final Map<PolicyId, Set<String>> reverseMap;
+    private final List<String> sortedPatterns;
 
     private DefaultNamespacePoliciesConfig(final Map<String, List<PolicyId>> forwardMap,
             final Map<PolicyId, Set<String>> reverseMap) {
         this.forwardMap = toUnmodifiableForwardMap(forwardMap);
         this.reverseMap = toUnmodifiableReverseMap(reverseMap);
+        this.sortedPatterns = this.forwardMap.keySet().stream()
+                .sorted(Comparator.comparingInt(DefaultNamespacePoliciesConfig::patternPrecedence).reversed())
+                .toList();
     }
 
     /**
@@ -62,6 +80,7 @@ private DefaultNamespacePoliciesConfig(final Map<String, List<PolicyId>> forward
      *
      * @param config the root config (from {@code actorSystem.settings().config()}).
      * @return the parsed instance.
+     * @throws DittoConfigError if any configured namespace pattern is invalid.
      */
     public static DefaultNamespacePoliciesConfig of(final Config config) {
         if (!config.hasPath(CONFIG_PATH)) {
@@ -75,6 +94,7 @@ public static DefaultNamespacePoliciesConfig of(final Config config) {
         for (final Map.Entry<String, ConfigValue> entry : nsPoliciesConfig.root().entrySet()) {
             final String namespace = entry.getKey();
             final ConfigValue value = entry.getValue();
+            patternPrecedence(namespace);
 
             if (value.valueType() != ConfigValueType.LIST) {
                 continue;
@@ -103,7 +123,10 @@ public Map<String, List<PolicyId>> getNamespacePolicies() {
 
     @Override
     public List<PolicyId> getRootPoliciesForNamespace(final String namespace) {
-        return forwardMap.getOrDefault(namespace, List.of());
+        return sortedPatterns.stream()
+                .filter(p -> NamespacePoliciesConfig.namespaceMatchesPattern(namespace, p))
+                .flatMap(p -> forwardMap.get(p).stream())
+                .toList();
     }
 
     @Override
@@ -139,6 +162,22 @@ public String toString() {
         return getClass().getSimpleName() + " [namespacePolicies=" + forwardMap + "]";
     }
 
+
+    private static int patternPrecedence(final String pattern) {
+        if ("*".equals(pattern)) {
+            return 0;
+        }
+        if (pattern.endsWith(".*") &&
+                RegexPatterns.NAMESPACE_PATTERN.matcher(pattern.substring(0, pattern.length() - 2)).matches()) {
+            return pattern.length();
+        }
+        if (RegexPatterns.NAMESPACE_PATTERN.matcher(pattern).matches()) {
+            return Integer.MAX_VALUE;
+        }
+        throw new DittoConfigError("Unsupported namespace policy pattern <" + pattern + "> at config path <" +
+                CONFIG_PATH + ">. Supported syntax is exact namespace, prefix wildcard '<namespace>.*', or '*'.");
+    }
+
     private static Map<String, List<PolicyId>> toUnmodifiableForwardMap(final Map<String, List<PolicyId>> source) {
         final Map<String, List<PolicyId>> result = new HashMap<>();
         source.forEach((namespace, policyIds) -> result.put(namespace, Collections.unmodifiableList(

policies/enforcement/src/main/java/org/eclipse/ditto/policies/enforcement/config/NamespacePoliciesConfig.java

@@ -21,50 +21,66 @@
 import org.eclipse.ditto.policies.model.PolicyId;
 
 /**
- * Configuration mapping namespaces to a set of "namespace root" policy IDs whose implicit entries are
- * automatically merged into every policy belonging to that namespace during enforcer resolution.
+ * Configuration mapping namespace patterns to a set of "namespace root" policy IDs whose implicit
+ * entries are automatically merged into every policy belonging to a matching namespace during enforcer
+ * resolution.
  * <p>
  * This allows operators to define tenant/namespace-wide access policies without requiring individual
  * policies to declare explicit imports. The injection happens transparently at enforcer-build time, so
  * the stored policy's {@code imports} field is never modified.
  * </p>
+ * <p>
+ * Namespace patterns support the following syntax:
+ * <ul>
+ *   <li>{@code *} — matches every namespace</li>
+ *   <li>{@code org.example.*} — matches any namespace whose name starts with {@code org.example.}</li>
+ *   <li>exact string — matches only that exact namespace</li>
+ * </ul>
+ * Matching namespace roots are applied in deterministic precedence order:
+ * exact match first, then prefix wildcards ordered from most specific to least specific, and finally
+ * the catch-all pattern {@code *}.
+ * </p>
  *
  * @since 3.9.0
  */
 @Immutable
 public interface NamespacePoliciesConfig {
 
     /**
-     * Returns the full mapping of namespace to list of namespace root policy IDs.
+     * Returns the full mapping of namespace patterns to list of namespace root policy IDs.
+     * Map keys may be exact namespaces or wildcard patterns (e.g. {@code org.example.*}).
      *
-     * @return immutable map of namespace string to list of PolicyIds.
+     * @return immutable map of namespace pattern to list of PolicyIds.
      */
     Map<String, List<PolicyId>> getNamespacePolicies();
 
     /**
-     * Returns the list of namespace root policy IDs configured for the given {@code namespace}.
-     * Returns an empty list if no namespace root policies are configured for the namespace.
+     * Returns the combined list of namespace root policy IDs whose patterns match the given
+     * {@code namespace}. Returns an empty list if no pattern matches.
+     * Matching patterns are resolved in deterministic precedence order: exact match first, then
+     * prefix wildcards ordered from most specific to least specific, and finally {@code *}.
      *
-     * @param namespace the namespace to look up.
+     * @param namespace the concrete namespace to look up (not a pattern).
      * @return list of PolicyIds acting as namespace roots for the given namespace, never null.
      */
     List<PolicyId> getRootPoliciesForNamespace(String namespace);
 
     /**
-     * Returns all policy IDs that are configured as namespace root policies across all namespaces.
-     * Used to build the cache invalidation reverse map.
+     * Returns all policy IDs that are configured as namespace root policies across all patterns.
+     * Used to short-circuit cache invalidation checks.
      *
      * @return set of all namespace root PolicyIds.
      */
     Set<PolicyId> getAllNamespaceRootPolicyIds();
 
     /**
-     * Returns the set of namespaces that the given {@code rootPolicyId} covers.
+     * Returns the set of namespace patterns that the given {@code rootPolicyId} covers.
+     * Patterns may be exact namespaces or wildcards (e.g. {@code org.example.*} or {@code *}).
      * Used during cache invalidation: when a namespace root policy changes, all cached policies
-     * in its covered namespaces must be invalidated.
+     * whose namespace matches any returned pattern must be invalidated.
      *
      * @param rootPolicyId the policy ID of a namespace root policy.
-     * @return set of namespaces covered by the given root policy, empty if none.
+     * @return set of namespace patterns covered by the given root policy, empty if none.
      */
     Set<String> getNamespacesForRootPolicy(PolicyId rootPolicyId);
 
@@ -75,4 +91,27 @@ public interface NamespacePoliciesConfig {
      */
     boolean isEmpty();
 
+    /**
+     * Returns whether the given concrete {@code namespace} matches the given {@code pattern}.
+     * <ul>
+     *   <li>{@code *} matches any namespace.</li>
+     *   <li>{@code org.example.*} matches any namespace starting with {@code org.example.}</li>
+     *   <li>Any other value is treated as an exact match.</li>
+     * </ul>
+     *
+     * @param namespace the concrete namespace string to test.
+     * @param pattern the pattern from the config (exact, prefix wildcard, or {@code *}).
+     * @return {@code true} if {@code namespace} matches {@code pattern}.
+     * @since 3.9.0
+     */
+    static boolean namespaceMatchesPattern(final String namespace, final String pattern) {
+        if ("*".equals(pattern)) {
+            return true;
+        }
+        if (pattern.endsWith(".*")) {
+            return namespace.startsWith(pattern.substring(0, pattern.length() - 1));
+        }
+        return namespace.equals(pattern);
+    }
+
 }

policies/enforcement/src/test/java/org/eclipse/ditto/policies/enforcement/PolicyEnforcerCacheTest.java

@@ -172,6 +172,55 @@ public void policyTagInvalidatesCachedPoliciesInNamespacesOfChangedRootPolicy()
         }};
     }
 
+    @Test
+    public void wildcardNamespacePatternInvalidatesCachedPoliciesInMatchingNamespaces() throws Exception {
+        final AsyncCacheLoader<PolicyId, Entry<PolicyEnforcer>> cacheLoader = mock(AsyncCacheLoader.class);
+        final ExecutionContextExecutor executor = actorSystem.dispatcher();
+        final PolicyId rootPolicyId = PolicyId.of("org.example", "tenant-root-wildcard");
+
+        // configure root policy via wildcard pattern "org.example.*"
+        final var underTest = new PolicyEnforcerCache(
+                cacheLoader,
+                executor,
+                DefaultCacheConfig.of(actorSystem.settings().config(), "ditto.policies-enforcer-cache"),
+                namespacePoliciesConfigForWildcard(rootPolicyId, "org.example.*")
+        );
+
+        final Policy devicesPolicy = Policy.newBuilder(PolicyId.of("org.example.devices", "policy-a")).build();
+        final Policy sensorsPolicy = Policy.newBuilder(PolicyId.of("org.example.sensors", "policy-b")).build();
+        // "org.examples" must NOT match "org.example.*" (no dot separator)
+        final Policy unrelatedPolicy = Policy.newBuilder(PolicyId.of("org.examples", "policy-c")).build();
+
+        new TestKit(actorSystem) {{
+            verifyLoadedFromCacheLoader(devicesPolicy, underTest, cacheLoader);
+            verifyLoadedFromCacheLoader(sensorsPolicy, underTest, cacheLoader);
+            verifyLoadedFromCacheLoader(unrelatedPolicy, underTest, cacheLoader);
+            reset(cacheLoader);
+
+            verifyLoadedFromCache(devicesPolicy, underTest, cacheLoader);
+            verifyLoadedFromCache(sensorsPolicy, underTest, cacheLoader);
+            verifyLoadedFromCache(unrelatedPolicy, underTest, cacheLoader);
+            reset(cacheLoader);
+
+            final boolean invalidated = underTest.invalidate(rootPolicyId);
+            assertThat(invalidated).isTrue();
+
+            // matching namespace policies must be reloaded
+            verifyLoadedFromCacheLoader(devicesPolicy, underTest, cacheLoader);
+            verifyLoadedFromCacheLoader(sensorsPolicy, underTest, cacheLoader);
+            // non-matching policy must still be served from cache
+            verifyLoadedFromCache(unrelatedPolicy, underTest, cacheLoader);
+        }};
+    }
+
+    private NamespacePoliciesConfig namespacePoliciesConfigForWildcard(final PolicyId rootPolicyId,
+            final String pattern) {
+        final NamespacePoliciesConfig config = mock(NamespacePoliciesConfig.class);
+        when(config.getAllNamespaceRootPolicyIds()).thenReturn(Collections.singleton(rootPolicyId));
+        when(config.getNamespacesForRootPolicy(rootPolicyId)).thenReturn(Collections.singleton(pattern));
+        return config;
+    }
+
     private NamespacePoliciesConfig namespacePoliciesConfigFor(final PolicyId rootPolicyId) {
         final NamespacePoliciesConfig config = mock(NamespacePoliciesConfig.class);
         final Map<String, List<PolicyId>> namespacePolicies = new HashMap<>();