fix that CreationRestrictionPreEnforcer did not work

* reason was that wrong config was loaded - and e.g. system properties overwrites were not applied
* also cleaned up and improved documentation of that feature

Signed-off-by: Thomas Jäckle <thomas.jaeckle@beyonnex.io>

base/model/src/main/java/org/eclipse/ditto/base/model/common/LikeHelper.java

@@ -14,6 +14,8 @@
 
 import java.util.regex.Pattern;
 
+import javax.annotation.Nullable;
+
 /**
  * A helper to create "like" patterns.
  *
@@ -40,7 +42,8 @@ private LikeHelper() {
      * @param expression The wildcard expression to convert.
      * @return The regular expression, which can be compiled with {@link Pattern#compile(String)}.
      */
-    public static String convertToRegexSyntax(final String expression) {
+    @Nullable
+    public static String convertToRegexSyntax(@Nullable final String expression) {
         if (expression == null) {
             return null;
         }

documentation/src/main/resources/pages/ditto/installation-operating.md

@@ -260,16 +260,24 @@ The basic schema is:
 ```
 # restrict entity creation
 ditto.entity-creation {
-   grant = [
-      {
-         resource-types = [],
-         namespace = []
-         auth-subjects = []
-      }
-   ]
-   revoke = [
-      # same as "grant", but rejecting requests which already passed "grant"
-   ]
+   # this default entry allows every authenticated "auth-subject" to create any "resource-type" in any "namespace":
+  grant = [
+    {
+      resource-types = [
+//        "policy"
+//        "thing"
+      ]
+      namespaces = [
+//        "org.eclipse.ditto*"
+      ]
+      auth-subjects = [
+//        "pre:ditto-*"
+      ]
+    }
+  ]
+  revoke = [
+    # same as "grant", but rejecting requests which already passed "grant"
+  ]
 }
 ```
 

internal/utils/config/src/main/resources/ditto-entity-creation.conf

@@ -2,7 +2,20 @@
 ditto.entity-creation {
 
   # this default entry allows every authenticated "auth-subject" to create any "resource-type" in any "namespace":
-  grant = [{}]
+  grant = [
+    {
+      resource-types = [
+//        "policy"
+//        "thing"
+      ]
+      namespaces = [
+//        "org.eclipse.ditto*"
+      ]
+      auth-subjects = [
+//        "pre:ditto-*"
+      ]
+    }
+  ]
   # same as "grant", but rejecting requests which already passed "grant"
   revoke = []
 }

policies/enforcement/src/main/java/org/eclipse/ditto/policies/enforcement/config/DefaultCreationRestrictionConfig.java

@@ -30,23 +30,27 @@
 @Immutable
 public final class DefaultCreationRestrictionConfig implements CreationRestrictionConfig {
 
-    private static final String RESOURCE_TYPES_CONFIG_PATH = "resource-types";
-    private static final String NAMESPACES_CONFIG_PATH = "namespaces";
-    private static final String AUTH_SUBJECTS_CONFIG_PATH = "auth-subjects";
-
     private final Set<String> resourceTypes;
     private final List<Pattern> namespacePatterns;
     private final List<Pattern> authSubjectPatterns;
 
     private DefaultCreationRestrictionConfig(final ConfigWithFallback configWithFallback) {
-        this.resourceTypes = Set.copyOf(configWithFallback.getStringList(RESOURCE_TYPES_CONFIG_PATH));
-        this.namespacePatterns = compile(List.copyOf(configWithFallback.getStringList(NAMESPACES_CONFIG_PATH)));
-        this.authSubjectPatterns = compile(List.copyOf(configWithFallback.getStringList(AUTH_SUBJECTS_CONFIG_PATH)));
+        this.resourceTypes = Set.copyOf(configWithFallback.getStringList(
+                CreationRestrictionConfigValues.RESOURCE_TYPES.getConfigPath()
+        ));
+        this.namespacePatterns = compile(List.copyOf(configWithFallback.getStringList(
+                CreationRestrictionConfigValues.NAMESPACES.getConfigPath())
+        ));
+        this.authSubjectPatterns = compile(List.copyOf(configWithFallback.getStringList(
+                CreationRestrictionConfigValues.AUTH_SUBJECTS.getConfigPath())
+        ));
     }
 
     private static List<Pattern> compile(final List<String> patterns) {
         return patterns.stream()
-                .map(expression -> Pattern.compile(LikeHelper.convertToRegexSyntax(expression)))
+                .map(LikeHelper::convertToRegexSyntax)
+                .filter(Objects::nonNull)
+                .map(Pattern::compile)
                 .toList();
     }
 

policies/enforcement/src/main/java/org/eclipse/ditto/policies/enforcement/config/DefaultEntityCreationConfig.java

@@ -28,7 +28,7 @@
 @Immutable
 public final class DefaultEntityCreationConfig implements EntityCreationConfig {
 
-    private static final String CONFIG_PATH = "entity-creation";
+    private static final String CONFIG_PATH = "ditto.entity-creation";
 
     private final List<CreationRestrictionConfig> grant;
     private final List<CreationRestrictionConfig> revoke;

policies/enforcement/src/main/java/org/eclipse/ditto/policies/enforcement/pre/CreationRestrictionPreEnforcer.java

@@ -55,7 +55,9 @@ public final class CreationRestrictionPreEnforcer implements PreEnforcer {
      */
     @SuppressWarnings("unused")
     public CreationRestrictionPreEnforcer(final ActorSystem actorSystem, final Config config) {
-        this.config = DefaultEntityCreationConfig.of(config);
+        // explicitly use the ActorSystem config instead of the PreEnforcer config - as the config is loaded from
+        // file "ditto-entity-creation.conf" and extending with system properties of that file should not be broken
+        this.config = DefaultEntityCreationConfig.of(actorSystem.settings().config());
     }
 
     boolean canCreate(final Context context) {

policies/enforcement/src/test/resources/entity-creation/default.conf

@@ -1,4 +1,4 @@
-entity-creation {
+ditto.entity-creation {
     grant = [{}]
     revoke = []
 }

policies/enforcement/src/test/resources/entity-creation/restricted1.conf

@@ -1,4 +1,4 @@
-entity-creation {
+ditto.entity-creation {
     grant = [
         {
             resource-types = ["policy"]