feat(auth): define AuthorizationService#setRootRule(.) to allow cycles [PPUC-318]

- provided for flexibility for rules that for some not so good reason depend on the service singleton itself

Author: dcleao

assemblies/pentaho-solutions/src/main/resources/pentaho-solutions/system/pentahoObjects.spring.xml

@@ -368,8 +368,11 @@ not directly from the PentahoObjectFactory. -->
   <bean id="authorizationService"
         class="org.pentaho.platform.engine.security.authorization.core.CachingAuthorizationService">
     <constructor-arg ref="authorizationActionService" />
-    <constructor-arg ref="rootAuthorizationRule" />
     <constructor-arg ref="authorizationDecisionCache" />
+    <!-- Setting the rootRule as a property, instead of as a constructor arg, allows rules themselves to depend on the
+         authorizationService. While this does not appear to be a useful scenario, it is provided for flexibility, and
+         might avoid some third-party usage issues implementing rules. -->
+    <property name="rootRule" ref="rootAuthorizationRule" />
     <pen:publish as-type="INTERFACES" />
   </bean>
 

core/src/main/java/org/pentaho/platform/engine/security/authorization/core/AuthorizationService.java

@@ -26,13 +26,29 @@
 import org.pentaho.platform.engine.security.authorization.core.decisions.DefaultAuthorizationDecision;
 import org.pentaho.platform.engine.security.authorization.core.exceptions.AuthorizationRequestCycleException;
 import org.pentaho.platform.engine.security.authorization.core.exceptions.AuthorizationRequestUndefinedActionException;
+import org.pentaho.platform.engine.security.authorization.core.rules.AbstractAuthorizationRule;
 import org.springframework.util.Assert;
 
 import java.util.ArrayDeque;
 import java.util.Deque;
 import java.util.Objects;
 import java.util.Optional;
 
+/**
+ * The {@code AuthorizationService} class is the default implementation of the {@link IAuthorizationService} interface.
+ * <p>
+ * It performs authorization evaluations based on a root authorization rule, which may delegate to other rules as
+ * needed.
+ * <p>
+ * The implementation is thread-safe, as each authorization evaluation is performed within its own
+ * {@link AuthorizationContext}, which tracks the evaluation state for that specific request.
+ * Of course, the thread-safety of the overall service also depends on the thread-safety of the provided authorization
+ * rules.
+ * <p>
+ * One exception is setting the root rule, using {@link #setRootRule(IAuthorizationRule)} which is not thread-safe. Care
+ * must be taken to avoid inconsistent decisions in concurrent evaluations. This is intended to be used during
+ * application initialization.
+ */
 public class AuthorizationService implements IAuthorizationService {
 
   private static final Log logger = LogFactory.getLog( AuthorizationService.class );
@@ -207,17 +223,45 @@ protected IAuthorizationDecision getDefaultDecision( @NonNull IAuthorizationRequ
     }
   }
 
+  /**
+   * An authorization rule that always abstains. Used as a default root rule if none is provided.
+   */
+  private static class AbstainAuthorizationRule extends AbstractAuthorizationRule<IAuthorizationRequest> {
+
+    @NonNull
+    @Override
+    public Class<IAuthorizationRequest> getRequestType() {
+      return IAuthorizationRequest.class;
+    }
+
+    @NonNull
+    @Override
+    public Optional<IAuthorizationDecision> authorize( @NonNull IAuthorizationRequest request,
+                                                       @NonNull IAuthorizationContext context ) {
+      return abstain();
+    }
+  }
+
   @NonNull
   private final IAuthorizationActionService actionService;
 
   @NonNull
-  private final IAuthorizationRule<? extends IAuthorizationRequest> rootRule;
+  private IAuthorizationRule<? extends IAuthorizationRequest> rootRule;
+
+  /**
+   * Constructs an instance of the authorization service with a default root rule that always abstains.
+   *
+   * @param actionService The service providing access to authorization actions.
+   */
+  public AuthorizationService( @NonNull IAuthorizationActionService actionService ) {
+    this( actionService, new AbstainAuthorizationRule() );
+  }
 
   /**
    * Constructs an instance of the authorization service with a given root rule.
    *
    * @param actionService The service providing access to authorization actions.
-   * @param rootRule The root authorization rule.
+   * @param rootRule      The root authorization rule.
    */
   public AuthorizationService( @NonNull IAuthorizationActionService actionService,
                                @NonNull IAuthorizationRule<? extends IAuthorizationRequest> rootRule ) {
@@ -263,17 +307,30 @@ protected AuthorizationContext createContext( @NonNull IAuthorizationOptions opt
    * @return The root rule.
    */
   @NonNull
-  protected final IAuthorizationRule<? extends IAuthorizationRequest> getRootRule() {
+  public final IAuthorizationRule<? extends IAuthorizationRequest> getRootRule() {
     return rootRule;
   }
 
+  /**
+   * Sets the root authorization rule.
+   * <p>
+   * Warning: changing the root rule at runtime may lead to inconsistent authorization decisions if there are
+   * concurrent authorization evaluations. This method should only be used during application initialization.
+   *
+   * @param rootRule The root rule.
+   */
+  public final void setRootRule( @NonNull IAuthorizationRule<? extends IAuthorizationRequest> rootRule ) {
+    Assert.notNull( rootRule, "Argument 'rootRule' is required" );
+    this.rootRule = rootRule;
+  }
+
   /**
    * Gets the authorization action service.
    *
    * @return The action service.
    */
   @NonNull
-  protected IAuthorizationActionService getActionService() {
+  protected final IAuthorizationActionService getActionService() {
     return actionService;
   }
 }

core/src/main/java/org/pentaho/platform/engine/security/authorization/core/CachingAuthorizationService.java

@@ -29,11 +29,27 @@ public class CachingAuthorizationService extends AuthorizationService {
   @NonNull
   private final IAuthorizationDecisionCache decisionCache;
 
+  /**
+   * Constructs an instance of the authorization service with a default root rule that always abstains.
+   *
+   * @param actionService The service providing access to authorization actions.
+   * @param decisionCache The cache for authorization decisions.
+   */
+  public CachingAuthorizationService( @NonNull IAuthorizationActionService actionService,
+                                      @NonNull IAuthorizationDecisionCache decisionCache ) {
+    super( actionService );
+
+    Assert.notNull( decisionCache, "Argument 'decisionCache' is required" );
+
+    this.decisionCache = decisionCache;
+  }
+
   /**
    * Constructs an instance of the authorization service with a given root rule.
    *
    * @param actionService The service providing access to authorization actions.
    * @param rootRule      The root authorization rule.
+   * @param decisionCache The cache for authorization decisions.
    */
   public CachingAuthorizationService( @NonNull IAuthorizationActionService actionService,
                                       @NonNull IAuthorizationRule<? extends IAuthorizationRequest> rootRule,