Support for OPA policy security

Security decisions are forwarded to an OPA server. Users must
provide a mapping from possible table, request, action, etc.
into an input document which is sent to OPA.

trino-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/security/opa/OpaRequest.java

@@ -0,0 +1,38 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.spi.security.opa;
+
+import com.google.common.collect.ImmutableMap;
+import io.trino.aws.proxy.spi.util.ImmutableMultiMap;
+import io.trino.aws.proxy.spi.util.MultiMap;
+
+import java.net.URI;
+import java.util.Map;
+
+import static java.util.Objects.requireNonNull;
+
+public record OpaRequest(URI opaServerUri, Map<String, Object> document, MultiMap additionalHeaders)
+{
+ public OpaRequest
+ {
+ requireNonNull(opaServerUri, "opaServerUri is null");
+ document = ImmutableMap.copyOf(document);
+ additionalHeaders = ImmutableMultiMap.copyOf(additionalHeaders);
+ }
+
+ public OpaRequest(URI opaServerUri, Map<String, Object> document)
+ {
+ this(opaServerUri, document, ImmutableMultiMap.empty());
+ }
+}

trino-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/security/opa/OpaS3SecurityMapper.java

@@ -0,0 +1,70 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.spi.security.opa;
+
+import com.google.common.collect.ImmutableMap;
+import io.trino.aws.proxy.spi.rest.ParsedS3Request;
+import io.trino.aws.proxy.spi.security.SecurityResponse;
+
+import java.net.URI;
+import java.util.Map;
+import java.util.Optional;
+
+import static io.trino.aws.proxy.spi.security.SecurityResponse.FAILURE;
+import static io.trino.aws.proxy.spi.security.SecurityResponse.SUCCESS;
+
+@SuppressWarnings("SameParameterValue")
+@FunctionalInterface
+public interface OpaS3SecurityMapper
+{
+ default Map<String, Object> toInputDocument(Map<String, Object> document)
+ {
+ /*
+ Default formats standard input:
+
+ {
+ "input": {
+ ... nested document ...
+ }
+ }
+ */
+
+ return ImmutableMap.of("input", document);
+ }
+
+ default SecurityResponse toSecurityResponse(Map<String, Object> responseDocument)
+ {
+ /*
+ Default handles standard response:
+
+ {
+ "result": true/false
+ }
+ */
+
+ return extractBoolean(responseDocument, "result")
+ .map(allowed -> allowed ? SUCCESS : FAILURE)
+ .orElse(FAILURE);
+ }
+
+ OpaRequest toRequest(ParsedS3Request request, Optional<String> lowercaseAction, URI baseUri);
+
+ static Optional<Boolean> extractBoolean(Map<?, ?> map, String key)
+ {
+ return switch (map.get(key)) {
+ case Boolean b -> Optional.of(b);
+ case null, default -> Optional.empty();
+ };
+ }
+}

trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/TrinoAwsProxyServerModule.java

@@ -40,6 +40,7 @@
 import io.trino.aws.proxy.server.rest.TrinoS3Resource;
 import io.trino.aws.proxy.server.rest.TrinoStsResource;
 import io.trino.aws.proxy.server.security.S3SecurityController;
+import io.trino.aws.proxy.server.security.opa.OpaS3SecurityModule;
 import io.trino.aws.proxy.server.signing.SigningControllerConfig;
 import io.trino.aws.proxy.server.signing.SigningModule;
 import io.trino.aws.proxy.spi.credentials.AssumedRoleProvider;
@@ -114,8 +115,10 @@ protected void setup(Binder binder)
  log.info("Using %s identity type", StandardIdentity.class.getSimpleName());
  return StandardIdentity.class;
  });
- // CredentialsProvider provided implementations
+
+ // provided implementations
  install(new FileBasedCredentialsModule());
+ install(new OpaS3SecurityModule());
 
  // AssumedRoleProvider binder
  configBinder(binder).bindConfig(AssumedRoleProviderConfig.class);

trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/security/opa/ForOpa.java

@@ -0,0 +1,31 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.server.security.opa;
+
+import com.google.inject.BindingAnnotation;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import static java.lang.annotation.ElementType.FIELD;
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.PARAMETER;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+@Retention(RUNTIME)
+@Target({FIELD, PARAMETER, METHOD})
+@BindingAnnotation
+public @interface ForOpa
+{
+}

trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/security/opa/OpaS3SecurityConfig.java

@@ -0,0 +1,37 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.server.security.opa;
+
+import io.airlift.configuration.Config;
+import jakarta.validation.constraints.NotNull;
+
+import java.net.URI;
+
+public class OpaS3SecurityConfig
+{
+ private URI opaServerBaseUri;
+
+ @NotNull
+ public URI getOpaServerBaseUri()
+ {
+ return opaServerBaseUri;
+ }
+
+ @Config("opa-s3-security.server-base-uri")
+ public OpaS3SecurityConfig setOpaServerBaseUri(String opaServerBaseUri)
+ {
+ this.opaServerBaseUri = URI.create(opaServerBaseUri);
+ return this;
+ }
+}

trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/security/opa/OpaS3SecurityFacadeProvider.java

@@ -0,0 +1,80 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.server.security.opa;
+
+import com.google.inject.Inject;
+import io.airlift.http.client.HttpClient;
+import io.airlift.http.client.Request;
+import io.airlift.json.JsonCodec;
+import io.trino.aws.proxy.spi.rest.ParsedS3Request;
+import io.trino.aws.proxy.spi.security.S3SecurityFacade;
+import io.trino.aws.proxy.spi.security.S3SecurityFacadeProvider;
+import io.trino.aws.proxy.spi.security.SecurityResponse;
+import io.trino.aws.proxy.spi.security.opa.OpaRequest;
+import io.trino.aws.proxy.spi.security.opa.OpaS3SecurityMapper;
+import jakarta.ws.rs.WebApplicationException;
+import jakarta.ws.rs.core.UriBuilder;
+
+import java.net.URI;
+import java.util.Map;
+import java.util.Optional;
+
+import static io.airlift.http.client.JsonBodyGenerator.jsonBodyGenerator;
+import static io.airlift.http.client.JsonResponseHandler.createJsonResponseHandler;
+import static io.airlift.http.client.Request.Builder.preparePost;
+import static io.airlift.json.JsonCodec.mapJsonCodec;
+import static jakarta.ws.rs.core.HttpHeaders.CONTENT_TYPE;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON_TYPE;
+import static java.util.Objects.requireNonNull;
+
+public class OpaS3SecurityFacadeProvider
+ implements S3SecurityFacadeProvider
+{
+ private static final JsonCodec<Map<String, Object>> CODEC = mapJsonCodec(String.class, Object.class);
+
+ private final HttpClient httpClient;
+ private final URI opaServerUri;
+ private final OpaS3SecurityMapper opaS3SecurityMapper;
+
+ @Inject
+ public OpaS3SecurityFacadeProvider(@ForOpa HttpClient httpClient, OpaS3SecurityMapper opaS3SecurityMapper, OpaS3SecurityConfig config)
+ {
+ this.httpClient = requireNonNull(httpClient, "httpClient is null");
+ this.opaS3SecurityMapper = requireNonNull(opaS3SecurityMapper, "opaS3SecurityMapper is null");
+ opaServerUri = UriBuilder.fromUri(config.getOpaServerBaseUri()).path("/v1/data").build();
+ }
+
+ @Override
+ public S3SecurityFacade securityFacadeForRequest(ParsedS3Request request)
+ throws WebApplicationException
+ {
+ return lowercaseAction -> facade(request, lowercaseAction);
+ }
+
+ private SecurityResponse facade(ParsedS3Request parsedS3Request, Optional<String> lowercaseAction)
+ {
+ OpaRequest opaRequest = opaS3SecurityMapper.toRequest(parsedS3Request, lowercaseAction, opaServerUri);
+
+ Map<String, Object> inputDocument = opaS3SecurityMapper.toInputDocument(opaRequest.document());
+
+ Request.Builder builder = preparePost()
+ .setUri(opaRequest.opaServerUri())
+ .addHeader(CONTENT_TYPE, APPLICATION_JSON_TYPE.getType())
+ .setBodyGenerator(jsonBodyGenerator(CODEC, inputDocument));
+ opaRequest.additionalHeaders().forEach((name, values) -> values.forEach(value -> builder.addHeader(name, value)));
+
+ Map<String, Object> responseDocument = httpClient.execute(builder.build(), createJsonResponseHandler(CODEC));
+ return opaS3SecurityMapper.toSecurityResponse(responseDocument);
+ }
+}

trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/security/opa/OpaS3SecurityModule.java

@@ -0,0 +1,38 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.server.security.opa;
+
+import com.google.inject.Binder;
+import io.airlift.configuration.AbstractConfigurationAwareModule;
+
+import static io.airlift.configuration.ConfigBinder.configBinder;
+import static io.airlift.http.client.HttpClientBinder.httpClientBinder;
+import static io.trino.aws.proxy.spi.plugin.TrinoAwsProxyServerBinding.s3SecurityFacadeProviderModule;
+
+public class OpaS3SecurityModule
+ extends AbstractConfigurationAwareModule
+{
+ // set as config value for "s3-security.type"
+ // user must bind an OpaS3SecurityMapper
+ public static final String OPA_S3_SECURITY_IDENTIFIER = "opa";
+
+ @Override
+ protected void setup(Binder binder)
+ {
+ install(s3SecurityFacadeProviderModule(OPA_S3_SECURITY_IDENTIFIER, OpaS3SecurityFacadeProvider.class, internalBinder -> {
+ configBinder(internalBinder).bindConfig(OpaS3SecurityConfig.class);
+ httpClientBinder(internalBinder).bindHttpClient(OPA_S3_SECURITY_IDENTIFIER, ForOpa.class);
+ }));
+ }
+}