feat(authorization): built-in permission management

At `/permissions/manage` users can grant permissions to other users based on the user ID from the
JWT identity token. The data is persisted to the file specified in the environment variable
`MODELIX_ACCESS_CONTROL_FILE`.

Author: slisson

authorization/src/main/kotlin/org/modelix/authorization/AuthorizationConfig.kt

@@ -5,6 +5,9 @@ import com.nimbusds.jose.JWSAlgorithm
 import com.nimbusds.jose.jwk.JWK
 import io.ktor.server.application.Application
 import io.ktor.server.application.plugin
+import org.modelix.authorization.permissions.FileSystemAccessControlPersistence
+import org.modelix.authorization.permissions.IAccessControlPersistence
+import org.modelix.authorization.permissions.InMemoryAccessControlPersistence
 import org.modelix.authorization.permissions.Schema
 import org.modelix.authorization.permissions.buildPermissionSchema
 import java.io.File
@@ -33,6 +36,11 @@ interface IModelixAuthorizationConfig {
      */
     var debugEndpointsEnabled: Boolean
 
+    /**
+     * At /permissions/manage users can grant permissions to identity tokens.
+     */
+    var permissionManagementEnabled: Boolean
+
     /**
      * NotLoggedInException and NoPermissionException will be turned into HTTP status codes 401 and 403
      */
@@ -87,7 +95,7 @@ interface IModelixAuthorizationConfig {
      */
     var permissionSchema: Schema
 
-    var accessControlDataProvider: IAccessControlDataProvider
+    var accessControlPersistence: IAccessControlPersistence
 
     /**
      * Generates fake tokens and allows all requests.
@@ -99,6 +107,7 @@ class ModelixAuthorizationConfig : IModelixAuthorizationConfig {
     override var permissionChecksEnabled: Boolean? = PERMISSION_CHECKS_ENABLED
     override var generateFakeTokens: Boolean? = getBooleanFromEnv("MODELIX_GENERATE_FAKE_JWT")
     override var debugEndpointsEnabled: Boolean = true
+    override var permissionManagementEnabled: Boolean = true
     override var installStatusPages: Boolean = false
     override var hmac512Key: String? = null
     override var hmac384Key: String? = null
@@ -113,7 +122,9 @@ class ModelixAuthorizationConfig : IModelixAuthorizationConfig {
         }
     override var jwkKeyId: String? = System.getenv("MODELIX_JWK_KEY_ID")
     override var permissionSchema: Schema = buildPermissionSchema { }
-    override var accessControlDataProvider: IAccessControlDataProvider = EmptyAccessControlDataProvider()
+    override var accessControlPersistence: IAccessControlPersistence = System.getenv("MODELIX_ACCESS_CONTROL_FILE")
+        ?.let { path -> FileSystemAccessControlPersistence(File(path)) }
+        ?: InMemoryAccessControlPersistence()
 
     private val hmac512KeyFromEnv by lazy {
         System.getenv("MODELIX_JWT_SIGNATURE_HMAC512_KEY")
@@ -131,7 +142,7 @@ class ModelixAuthorizationConfig : IModelixAuthorizationConfig {
     val jwtUtil: ModelixJWTUtil by lazy {
         val util = ModelixJWTUtil()
 
-        util.accessControlDataProvider = accessControlDataProvider
+        util.accessControlDataProvider = accessControlPersistence
         util.loadKeysFromEnvironment()
 
         listOfNotNull<Pair<String, JWSAlgorithm>>(

authorization/src/main/kotlin/org/modelix/authorization/AuthorizationPlugin.kt

@@ -34,6 +34,9 @@ import io.ktor.util.AttributeKey
 import org.modelix.authorization.permissions.PermissionEvaluator
 import org.modelix.authorization.permissions.PermissionParts
 import org.modelix.authorization.permissions.SchemaInstance
+import java.nio.charset.StandardCharsets
+import java.util.Base64
+import java.util.Collections
 import java.util.concurrent.TimeUnit
 
 private val LOG = mu.KotlinLogging.logger { }
@@ -110,10 +113,10 @@ object ModelixAuthorization : BaseRouteScopedPlugin<IModelixAuthorizationConfig,
             }
         }
 
-        if (config.debugEndpointsEnabled) {
-            application.routing {
-                authenticate(MODELIX_JWT_AUTH) {
-                    (installedIntoRoute ?: this).apply {
+        application.routing {
+            authenticate(MODELIX_JWT_AUTH) {
+                (installedIntoRoute ?: this).apply {
+                    if (config.debugEndpointsEnabled) {
                         get("/user") {
                             val jwt = call.principal<AccessTokenPrincipal>()?.jwt ?: call.jwtFromHeaders()
                             if (jwt == null) {
@@ -144,9 +147,13 @@ object ModelixAuthorization : BaseRouteScopedPlugin<IModelixAuthorizationConfig,
                             }
                         }
                     }
+                    if (config.permissionManagementEnabled) {
+                        installPermissionManagementHandlers()
+                    }
                 }
             }
         }
+
         val pluginInstance = ModelixAuthorizationPluginInstance(config)
         return pluginInstance
     }
@@ -155,16 +162,36 @@ object ModelixAuthorization : BaseRouteScopedPlugin<IModelixAuthorizationConfig,
 }
 
 class ModelixAuthorizationPluginInstance(val config: ModelixAuthorizationConfig) {
+
+    private val deniedPermissionRequests: MutableSet<DeniedPermissionRequest> = Collections.synchronizedSet(LinkedHashSet())
     private val permissionCache = CacheBuilder.newBuilder()
         .expireAfterWrite(5, TimeUnit.SECONDS)
         .build<Pair<AccessTokenPrincipal, PermissionParts>, Boolean>()
 
+    fun getDeniedPermissions(): Set<DeniedPermissionRequest> = deniedPermissionRequests.toSet()
+
     fun hasPermission(call: ApplicationCall, permissionToCheck: PermissionParts): Boolean {
         if (!config.permissionCheckingEnabled()) return true
 
         val principal = call.principal<AccessTokenPrincipal>() ?: throw NotLoggedInException()
         return permissionCache.get(principal to permissionToCheck) {
-            getPermissionEvaluator(principal).hasPermission(permissionToCheck)
+            getPermissionEvaluator(principal).hasPermission(permissionToCheck).also { granted ->
+                if (!granted) {
+                    val userId = principal.getUserName()
+                    if (userId != null) {
+                        synchronized(deniedPermissionRequests) {
+                            deniedPermissionRequests += DeniedPermissionRequest(
+                                permissionId = permissionToCheck,
+                                userId = userId,
+                                jwtPayload = principal.jwt.payload,
+                            )
+                            while (deniedPermissionRequests.size >= 100) {
+                                deniedPermissionRequests.iterator().also { it.next() }.remove()
+                            }
+                        }
+                    }
+                }
+            }
         }
     }
 
@@ -191,6 +218,14 @@ class ModelixAuthorizationPluginInstance(val config: ModelixAuthorizationConfig)
     }
 }
 
+data class DeniedPermissionRequest(
+    val permissionId: PermissionParts,
+    val userId: String,
+    val jwtPayload: String,
+) {
+    fun jwtPayloadJson() = String(Base64.getUrlDecoder().decode(jwtPayload), StandardCharsets.UTF_8)
+}
+
 /**
  * Returns an [JWTVerifier] that wraps our common authorization logic,
  * so that it can be configured in the verification with Ktor's JWT authorization.

authorization/src/main/kotlin/org/modelix/authorization/ModelixJWTUtil.kt

@@ -149,6 +149,14 @@ class ModelixJWTUtil {
         return JWSObject(header, payload).also { it.sign(signer) }.serialize()
     }
 
+    fun isAccessToken(token: DecodedJWT): Boolean {
+        return extractPermissions(token) != null
+    }
+
+    fun isIdentityToken(token: DecodedJWT): Boolean {
+        return !isAccessToken(token)
+    }
+
     fun createPermissionEvaluator(token: DecodedJWT, schema: Schema): PermissionEvaluator {
         return createPermissionEvaluator(token, SchemaInstance(schema))
     }
@@ -157,8 +165,12 @@ class ModelixJWTUtil {
         return PermissionEvaluator(schema).also { loadGrantedPermissions(token, it) }
     }
 
+    fun extractPermissions(token: DecodedJWT): List<String>? {
+        return token.claims["permissions"]?.asList(String::class.java)
+    }
+
     fun loadGrantedPermissions(token: DecodedJWT, evaluator: PermissionEvaluator) {
-        val permissions = token.claims["permissions"]?.asList(String::class.java)
+        val permissions = extractPermissions(token)
 
         // There is a difference between access tokens and identity tokens.
         // An identity token just contains the user ID and the service has to know the granted permissions.