Add Trino API integration with authorization checks (#291)

* Add Trino API integration with authorization checks

- Introduced a new Trino API endpoint for authorization checks at `/trino/allowed`.
- Implemented request and response schemas for Trino authorization queries.
- Added logic to handle various Trino resource types including tables, schemas, and functions.
- Configured the PDP to allow unauthenticated access to Trino endpoints via a new configuration flag.
- Updated the Makefile to include a new build target for the latest version.
- Created an example environment configuration file for easier setup.

This commit enhances the PDP server's capabilities to manage Trino authorization, improving integration with Trino services.

* Fix query string in Trino authorization checks by updating the resource identifier from "trino.sys" to "trino_sys" for consistency.

Author: danyi1212

Makefile

@@ -1,4 +1,4 @@
-.PHONY: help build prepare build-amd64 build-arm64
+.PHONY: help build prepare build-amd64 build-arm64 cargo-run
 
 .DEFAULT_GOAL := help
 
@@ -28,8 +28,14 @@ build-arm64: prepare
 build: prepare
 	@docker buildx build -t permitio/pdp-v2:$(VERSION) . --load
 
+build-latest: prepare
+	@docker buildx build -t permitio/pdp-v2:latest . --load
+
 run: run-prepare
 	@docker run -it --rm -p 7766:7000 --env PDP_API_KEY=$(API_KEY) --env PDP_DEBUG=true permitio/pdp-v2:$(VERSION)
 
 run-on-background: run-prepare
 	@docker run -it --rm -d -p 7766:7000  --env PDP_API_KEY=$(API_KEY) --env PDP_DEBUG=true permitio/pdp-v2:$(VERSION)
+
+cargo-run:
+	cargo run --bin pdp-server --package pdp-server -- --port 7766

pdp-server/src/api/horizon_fallback.rs

@@ -525,6 +525,7 @@ mod tests {
             debug: None,
             port: 0,
             use_new_authorized_users: false,
+            allow_unauthenticated_trino: false,
             healthcheck_timeout: 1.0,
             // Point to a non-existent server with a reserved port
             horizon: crate::config::horizon::HorizonConfig {
@@ -591,6 +592,7 @@ mod tests {
             debug: None,
             port: 0,
             use_new_authorized_users: false,
+            allow_unauthenticated_trino: false,
             healthcheck_timeout: 1.0,
             horizon: crate::config::horizon::HorizonConfig {
                 host: horizon_mock.address().ip().to_string(),

pdp-server/src/api/mod.rs

@@ -3,6 +3,7 @@ pub(crate) mod authz;
 pub(crate) mod authzen;
 pub(crate) mod health;
 mod horizon_fallback;
+pub(crate) mod trino;
 
 use crate::api::authn_middleware::authentication_middleware;
 use crate::api::horizon_fallback::fallback_to_horizon;
@@ -11,17 +12,27 @@ use axum::{middleware, routing::any, Router};
 
 /// Combines all API routes into a single router
 pub(super) fn router(state: &AppState) -> Router<AppState> {
-    Router::new()
-        .merge(health::router())
-        .merge(protected_routes(state))
+    let mut root = Router::new().merge(health::router());
+
+    if state.config.allow_unauthenticated_trino {
+        root = root.merge(trino::router());
+    }
+
+    root.merge(protected_routes(state))
 }
 
 /// Creates a router for protected routes that require API key authentication
 fn protected_routes(state: &AppState) -> Router<AppState> {
-    // Protected routes that require API key authentication
-    Router::new()
+    let mut router = Router::new()
         .merge(authz::router())
-        .merge(authzen::router())
+        .merge(authzen::router());
+
+    if !state.config.allow_unauthenticated_trino {
+        router = router.merge(trino::router());
+    }
+
+    // Protected routes that require API key authentication
+    router
         // Add fallback route to handle any unmatched requests
         .fallback(any(fallback_to_horizon))
         // we must use layer here and not route_layer because, route_layer only