feat(authorization): allow wildcards in permission grants

Instead of specifying a resource explicitly, the wildcard character '*' can be used to reference all
resources of the same type.

For example, you can grant write access to all branches without granting write access on the
repository itself.

Author: abstraktor

authorization/src/main/kotlin/org/modelix/authorization/permissions/PermissionEvaluator.kt

@@ -48,10 +48,21 @@ class PermissionEvaluator(val schemaInstance: SchemaInstance) {
     }
 
     fun hasPermission(permissionInstanceRef: PermissionInstanceReference): Boolean {
+        require(!permissionInstanceRef.containsWildcards()) {
+            // An attacker could try to create a resource with the name '*' to get an unintended wildcard grant.
+            "A permission containing wildcards is illegal: $permissionInstanceRef"
+        }
+        for (withWildcards in sequenceOf(permissionInstanceRef) + permissionInstanceRef.getWildcardMutations()) {
+            if (checkPermission(withWildcards)) return true
+        }
+        return false
+    }
+
+    private fun checkPermission(permissionInstanceRef: PermissionInstanceReference): Boolean {
         if (allGrantedPermissions.contains(permissionInstanceRef)) return true
 
         val permissionInstance = schemaInstance.instantiatePermission(permissionInstanceRef)
-        val indirectlyGranted = permissionInstance.includedIn.any { hasPermission(it.ref) }
+        val indirectlyGranted = permissionInstance.includedIn.any { checkPermission(it.ref) }
         if (indirectlyGranted) allGrantedPermissions.add(permissionInstanceRef)
         return indirectlyGranted
     }

authorization/src/main/kotlin/org/modelix/authorization/permissions/SchemaInstance.kt

@@ -156,6 +156,31 @@ data class ResourceInstanceReference(
     fun toPermissionParts(): PermissionParts {
         return (parent?.toPermissionParts() ?: PermissionParts()) + name + parameterValues
     }
+
+    fun getWildcardMutations(): Sequence<ResourceInstanceReference> {
+        val mutateSelf = parameterValues.size == 1 && parameterValues.single() != WILDCARD
+        val parentMutations = parent?.getWildcardMutations() ?: emptySequence()
+        return if (mutateSelf) {
+            sequenceOf(parent).map {
+                ResourceInstanceReference(name, listOf(WILDCARD), it)
+            } + parentMutations.flatMap {
+                sequenceOf(
+                    ResourceInstanceReference(name, parameterValues, it),
+                    ResourceInstanceReference(name, listOf(WILDCARD), it),
+                )
+            }
+        } else {
+            parentMutations.map { ResourceInstanceReference(name, parameterValues, it) }
+        }
+    }
+
+    fun containsWildcards(): Boolean {
+        return parameterValues.contains(WILDCARD) || parent != null && parent.containsWildcards()
+    }
+
+    companion object {
+        const val WILDCARD = "*"
+    }
 }
 
 data class PermissionInstanceReference(val permissionName: String, val resource: ResourceInstanceReference) {
@@ -172,4 +197,9 @@ data class PermissionInstanceReference(val permissionName: String, val resource:
             false
         }
     }
+    fun getWildcardMutations(): Sequence<PermissionInstanceReference> {
+        return resource.getWildcardMutations().map { PermissionInstanceReference(permissionName, it) }
+    }
+
+    fun containsWildcards() = resource.containsWildcards()
 }

model-server/src/test/kotlin/permissions/ImpliedPermissionsTest.kt

@@ -0,0 +1,17 @@
+package permissions
+
+import org.modelix.model.server.ModelServerPermissionSchema
+import kotlin.test.Test
+import kotlin.test.assertTrue
+
+class ImpliedPermissionsTest : PermissionTestBase(
+    listOf(
+        ModelServerPermissionSchema.repository("myFirstRepo").rewrite,
+    ),
+) {
+
+    @Test
+    fun `can delete any branch`() {
+        assertTrue(evaluator.hasPermission("repository/myFirstRepo/branch/just-any/delete"))
+    }
+}

model-server/src/test/kotlin/permissions/WildcardBranchPermissionsTest.kt

@@ -0,0 +1,52 @@
+package permissions
+
+import org.junit.jupiter.api.Disabled
+import org.modelix.authorization.permissions.PermissionParts
+import kotlin.test.Test
+import kotlin.test.assertFalse
+import kotlin.test.assertTrue
+
+class WildcardBranchPermissionsTest : PermissionTestBase(
+    listOf(
+        PermissionParts.fromString("repository/myFirstRepo/branch/explicitly-deletable/delete"),
+        PermissionParts.fromString("repository/myFirstRepo/branch/*/write"),
+        PermissionParts.fromString("repository/myFirstRepo/branch/*/delete"),
+    ),
+) {
+
+    @Test
+    fun `can push to branch matching wildcard`() {
+        assertTrue(evaluator.hasPermission("repository/myFirstRepo/branch/user-named%2Ffeature-123/push"))
+    }
+
+    @Test
+    fun `cannot force push since that was granted nowhere`() {
+        assertFalse(evaluator.hasPermission("repository/myFirstRepo/branch/user-named%2Ffeature-123/force-push"))
+    }
+
+    @Disabled
+    @Test
+    fun `cannot push to branch not matching wildcard`() {
+        assertFalse(evaluator.hasPermission("repository/myFirstRepo/branch/not-allowed/push"))
+    }
+
+    @Test
+    fun `can delete explicitly deletable branch`() {
+        assertTrue(evaluator.hasPermission("repository/myFirstRepo/branch/explicitly-deletable/delete"))
+    }
+
+    @Test
+    fun `can delete branch matching wildcard`() {
+        assertTrue(evaluator.hasPermission("repository/myFirstRepo/branch/user-named%2Ffeature-123/delete"))
+        assertTrue(evaluator.hasPermission("repository/myFirstRepo/branch/user-named%2Fbugfix-456/delete"))
+        assertTrue(evaluator.hasPermission("repository/myFirstRepo/branch/user-named%2Fsubdir%2Ffeature/delete"))
+        assertTrue(evaluator.hasPermission("repository/myFirstRepo/branch/user-named%2F/delete"))
+    }
+
+    @Disabled
+    @Test
+    fun `cannot delete branch not matching wildcard`() {
+        assertFalse(evaluator.hasPermission("repository/myFirstRepo/branch/non-deletable-branch/delete"))
+        assertFalse(evaluator.hasPermission("repository/myFirstRepo/branch/user-named/delete"))
+    }
+}