refactor(policy): provide new contexts and function interfaces for policy engine (#4542)

* refactor(policy-engine): provide new contexts and function interfaces

* pr remark

Author: ndr-brt

core/control-plane/control-plane-aggregate-services/build.gradle.kts

@@ -17,14 +17,14 @@ plugins {
 }
 
 dependencies {
-    implementation(project(":spi:common:validator-spi"))
-    implementation(project(":spi:control-plane:control-plane-spi"))
-    implementation(project(":core:common:lib:util-lib"))
-    implementation(project(":spi:common:boot-spi"))
+    implementation(project(":spi:common:policy:request-policy-context-spi"))
     implementation(project(":spi:common:transaction-spi"))
+    implementation(project(":spi:common:validator-spi"))
     implementation(project(":spi:control-plane:asset-spi"))
+    implementation(project(":spi:control-plane:control-plane-spi"))
     implementation(project(":spi:control-plane:secrets-spi"))
     implementation(project(":spi:control-plane:transfer-data-plane-spi"))
+    implementation(project(":core:common:lib:util-lib"))
 
     implementation(libs.opentelemetry.instrumentation.annotations)
 

core/control-plane/control-plane-contract/build.gradle.kts

@@ -20,8 +20,9 @@ plugins {
 dependencies {
     api(project(":spi:common:json-ld-spi"))
     api(project(":spi:common:policy-engine-spi"))
-    api(project(":spi:control-plane:contract-spi"))
     api(project(":spi:control-plane:asset-spi"))
+    api(project(":spi:control-plane:catalog-spi"))
+    api(project(":spi:control-plane:contract-spi"))
 
     implementation(project(":core:common:lib:state-machine-lib"))
     implementation(project(":core:control-plane:lib:control-plane-policies-lib"))

data-protocols/dsp/dsp-http-spi/build.gradle.kts

@@ -19,6 +19,7 @@ plugins {
 
 dependencies {
     api(project(":spi:common:core-spi"))
+    api(project(":spi:common:policy:request-policy-context-spi"))
     api(project(":data-protocols:dsp:dsp-spi"))
 
     api(libs.okhttp)

extensions/common/auth/auth-delegated/src/test/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationServiceTest.java

@@ -43,7 +43,6 @@
 
 class DelegatedAuthenticationServiceTest {
 
-    private static final long TEST_CACHE_VALIDITY = 50;
     private final TokenValidationRulesRegistry rulesRegistry = mock();
     private final PublicKeyResolver publicKeyResolver = mock();
     private final ObjectMapper mapper = new ObjectMapper();
@@ -163,4 +162,4 @@ void isAuthenticated_withXapiKeyAndAuthHeader_authTakesPrecedence() {
         verifyNoMoreInteractions(publicKeyResolver, rulesRegistry);
     }
 
-}
+}

extensions/common/iam/identity-trust/identity-trust-core/build.gradle.kts

@@ -5,6 +5,7 @@ plugins {
 
 dependencies {
     api(project(":spi:common:identity-trust-spi"))
+    api(project(":spi:common:policy:request-policy-context-spi"))
     implementation(project(":spi:common:keys-spi"))
     implementation(project(":spi:common:http-spi"))
     implementation(project(":spi:common:json-ld-spi"))

settings.gradle.kts

@@ -235,6 +235,7 @@ include(":spi:common:token-spi")
 include(":spi:common:oauth2-spi")
 include(":spi:common:policy-engine-spi")
 include(":spi:common:policy-model")
+include(":spi:common:policy:request-policy-context-spi")
 include(":spi:common:transaction-datasource-spi")
 include(":spi:common:transaction-spi")
 include(":spi:common:transform-spi")

spi/common/policy-engine-spi/src/main/java/org/eclipse/edc/policy/engine/spi/AtomicConstraintFunction.java

@@ -14,43 +14,16 @@
 
 package org.eclipse.edc.policy.engine.spi;
 
-import org.eclipse.edc.policy.model.Operator;
 import org.eclipse.edc.policy.model.Rule;
-import org.eclipse.edc.spi.result.Result;
 
 /**
  * Invoked during policy evaluation when the left operand of an atomic constraint evaluates to a key associated with this function. The function is responsible for performing
  * policy evaluation on the right operand.
+ *
+ * @deprecated use {@link AtomicConstraintRuleFunction}.
  */
+@Deprecated(since = "0.10.0")
 @FunctionalInterface
-public interface AtomicConstraintFunction<R extends Rule> {
-
-    /**
-     * Performs the evaluation.
-     *
-     * @param operator   the operation
-     * @param rightValue the right-side expression for the constraint; the concrete type may be a string, primitive or object such as a JSON-LD encoded collection.
-     * @param rule       the rule associated with the constraint
-     * @param context    the policy context
-     */
-    boolean evaluate(Operator operator, Object rightValue, R rule, PolicyContext context);
-    
-    /**
-     * Performs a validation of an atomic constraint
-     *
-     * @param operator   the operation
-     * @param rightValue the right-side expression for the constraint; the concrete type may be a string, primitive or object such as a JSON-LD encoded collection
-     * @param rule       the rule associated with the constraint
-     * @return the result of the validation
-     */
-    default Result<Void> validate(Operator operator, Object rightValue, R rule) {
-        return Result.success();
-    }
+public interface AtomicConstraintFunction<R extends Rule> extends AtomicConstraintRuleFunction<R, PolicyContext> {
 
-    /**
-     * Returns the name of the function
-     */
-    default String name() {
-        return getClass().getSimpleName();
-    }
 }

spi/common/policy-engine-spi/src/main/java/org/eclipse/edc/policy/engine/spi/AtomicConstraintRuleFunction.java

@@ -0,0 +1,57 @@
+/*
+ *  Copyright (c) 2021 Microsoft Corporation
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Microsoft Corporation - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.policy.engine.spi;
+
+import org.eclipse.edc.policy.model.Operator;
+import org.eclipse.edc.policy.model.Rule;
+import org.eclipse.edc.spi.result.Result;
+
+/**
+ * Invoked during policy evaluation when the left operand of an atomic constraint evaluates to a key associated with this function. The function is responsible for performing
+ * policy evaluation on the right operand.
+ */
+@FunctionalInterface
+public interface AtomicConstraintRuleFunction<R extends Rule, C extends PolicyContext> {
+
+    /**
+     * Performs the evaluation.
+     *
+     * @param operator   the operation
+     * @param rightValue the right-side expression for the constraint; the concrete type may be a string, primitive or object such as a JSON-LD encoded collection.
+     * @param rule       the rule associated with the constraint
+     * @param context    the policy context
+     */
+    boolean evaluate(Operator operator, Object rightValue, R rule, C context);
+    
+    /**
+     * Performs a validation of an atomic constraint
+     *
+     * @param operator   the operation
+     * @param rightValue the right-side expression for the constraint; the concrete type may be a string, primitive or object such as a JSON-LD encoded collection
+     * @param rule       the rule associated with the constraint
+     * @return the result of the validation
+     */
+    default Result<Void> validate(Operator operator, Object rightValue, R rule) {
+        return Result.success();
+    }
+
+    /**
+     * Returns the name of the function
+     */
+    default String name() {
+        return getClass().getSimpleName();
+    }
+
+}

spi/common/policy-engine-spi/src/main/java/org/eclipse/edc/policy/engine/spi/DynamicAtomicConstraintFunction.java

@@ -14,53 +14,15 @@
 
 package org.eclipse.edc.policy.engine.spi;
 
-import org.eclipse.edc.policy.model.Operator;
 import org.eclipse.edc.policy.model.Rule;
-import org.eclipse.edc.spi.result.Result;
 
 /**
  * Invoked during policy evaluation as when the left operand of an atomic constraint evaluates to a key that is not bound to a {@link AtomicConstraintFunction}.
  * The function is responsible for performing policy evaluation on the right operand and the left operand.
+ *
+ * @deprecated use {@link DynamicAtomicConstraintRuleFunction}
  */
-public interface DynamicAtomicConstraintFunction<R extends Rule> {
-
-    /**
-     * Performs the evaluation.
-     *
-     * @param leftValue  the left-side expression for the constraint
-     * @param operator   the operation
-     * @param rightValue the right-side expression for the constraint; the concrete type may be a string, primitive or object such as a JSON-LD encoded collection.
-     * @param rule       the rule associated with the constraint
-     * @param context    the policy context
-     */
-    boolean evaluate(Object leftValue, Operator operator, Object rightValue, R rule, PolicyContext context);
-
-    /**
-     * Returns true if the function can evaluate the input left operand.
-     *
-     * @param leftValue the left-side expression for the constraint
-     * @return true if the function can evaluate the left operand, false otherwise
-     */
-    boolean canHandle(Object leftValue);
-
-    /**
-     * Performs a validation of an atomic constraint
-     *
-     * @param leftValue  the left-side expression for the constraint
-     * @param operator   the operation
-     * @param rightValue the right-side expression for the constraint; the concrete type may be a string, primitive or object such as a JSON-LD encoded collection
-     * @param rule       the rule associated with the constraint
-     * @return the result of the validation
-     */
-    default Result<Void> validate(Object leftValue, Operator operator, Object rightValue, R rule) {
-        return Result.success();
-    }
-
-    /**
-     * Returns the name of the function
-     */
-    default String name() {
-        return getClass().getSimpleName();
-    }
+@Deprecated(since = "0.10.0")
+public interface DynamicAtomicConstraintFunction<R extends Rule> extends DynamicAtomicConstraintRuleFunction<R, PolicyContext> {
 
 }

spi/common/policy-engine-spi/src/main/java/org/eclipse/edc/policy/engine/spi/DynamicAtomicConstraintRuleFunction.java

@@ -0,0 +1,66 @@
+/*
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.policy.engine.spi;
+
+import org.eclipse.edc.policy.model.Operator;
+import org.eclipse.edc.policy.model.Rule;
+import org.eclipse.edc.spi.result.Result;
+
+/**
+ * Invoked during policy evaluation as when the left operand of an atomic constraint evaluates to a key that is not bound to a {@link AtomicConstraintRuleFunction}.
+ * The function is responsible for performing policy evaluation on the right operand and the left operand.
+ */
+public interface DynamicAtomicConstraintRuleFunction<R extends Rule, C extends PolicyContext> {
+
+    /**
+     * Performs the evaluation.
+     *
+     * @param leftValue  the left-side expression for the constraint
+     * @param operator   the operation
+     * @param rightValue the right-side expression for the constraint; the concrete type may be a string, primitive or object such as a JSON-LD encoded collection.
+     * @param rule       the rule associated with the constraint
+     * @param context    the policy context
+     */
+    boolean evaluate(Object leftValue, Operator operator, Object rightValue, R rule, C context);
+
+    /**
+     * Returns true if the function can evaluate the input left operand.
+     *
+     * @param leftValue the left-side expression for the constraint
+     * @return true if the function can evaluate the left operand, false otherwise
+     */
+    boolean canHandle(Object leftValue);
+
+    /**
+     * Performs a validation of an atomic constraint
+     *
+     * @param leftValue  the left-side expression for the constraint
+     * @param operator   the operation
+     * @param rightValue the right-side expression for the constraint; the concrete type may be a string, primitive or object such as a JSON-LD encoded collection
+     * @param rule       the rule associated with the constraint
+     * @return the result of the validation
+     */
+    default Result<Void> validate(Object leftValue, Operator operator, Object rightValue, R rule) {
+        return Result.success();
+    }
+
+    /**
+     * Returns the name of the function
+     */
+    default String name() {
+        return getClass().getSimpleName();
+    }
+
+}

spi/common/policy-engine-spi/src/main/java/org/eclipse/edc/policy/engine/spi/PolicyContext.java

@@ -46,7 +46,9 @@ public interface PolicyContext {
      * @param type the type class.
      * @param <T> the type of data.
      * @return the object associated with the type, or null.
+     * @deprecated implementations should add specific get methods
      */
+    @Deprecated(since = "0.10.0")
     <T> T getContextData(Class<T> type);
 
     /**
@@ -55,7 +57,16 @@ public interface PolicyContext {
      * @param type the type class.
      * @param data the data.
      * @param <T> the type of data.
+     * @deprecated implementations should add specific set methods
      */
+    @Deprecated(since = "0.10.0")
     <T> void putContextData(Class<T> type, T data);
 
+    /**
+     * The policy scope
+     *
+     * @return the policy scope.
+     */
+    String scope();
+
 }

spi/common/policy-engine-spi/src/main/java/org/eclipse/edc/policy/engine/spi/PolicyContextImpl.java

@@ -26,11 +26,11 @@
 /**
  * Default context implementation.
  */
-public class PolicyContextImpl implements PolicyContext {
+public abstract class PolicyContextImpl implements PolicyContext {
     private final List<String> problems = new ArrayList<>();
     private final Map<Class<?>, Object> additional = new HashMap<>();
 
-    private PolicyContextImpl() {
+    protected PolicyContextImpl() {
     }
 
     @Override
@@ -61,7 +61,13 @@ public <T> void putContextData(Class<T> type, T data) {
 
     public static class Builder {
 
-        private final PolicyContextImpl context = new PolicyContextImpl();
+        private final PolicyContextImpl context = new PolicyContextImpl() {
+
+            @Override
+            public String scope() {
+                return "";
+            }
+        };
 
         private Builder() {
 

spi/common/policy-engine-spi/src/main/java/org/eclipse/edc/policy/engine/spi/PolicyValidatorFunction.java

@@ -16,18 +16,13 @@
 
 import org.eclipse.edc.policy.model.Policy;
 
-import java.util.function.BiFunction;
-
 /**
  * A {@link Policy} validator that can be registered in the {@link PolicyEngine} in pre- or post-evaluation phase.
+ *
+ * @deprecated use {@link PolicyValidatorRule}
  */
+@Deprecated(since = "0.10.0")
 @FunctionalInterface
-public interface PolicyValidatorFunction extends BiFunction<Policy, PolicyContext, Boolean> {
+public interface PolicyValidatorFunction extends PolicyValidatorRule<PolicyContext> {
 
-    /**
-     * Returns the name of the {@link PolicyValidatorFunction}
-     */
-    default String name() {
-        return getClass().getSimpleName();
-    }
 }