Allow replacement string to substitute against original user in impersonation

[chongfeng-hu]

Description

Allow replacement string to substitute against original user in impersonation

Non-technical explanation

Support replacement string in new_user to substitute against original_user in impersonation rules. E.g., the following rule allows a user in the form team_backend to impersonate the team_backend_sandbox user, but not arbitrary users:

{
    "impersonation": [
        {
            "original_user": "team_(.*)",
            "new_user": "team_$1_sandbox",
            "allow": true
        }
    ]
}

Relevant Trino doc on impersonation: https://trino.io/docs/current/security/file-system-access-control.html#impersonation-rules

Release notes

( ) This is not user-visible or docs only and no release notes are required.
(x) Release notes are required, please propose a release note for me.
( ) Release notes are required, with the following suggested text:

# Section
* Fix some things. ({issue}`issuenumber`)

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[chongfeng-hu]

All tests passed. Reviews appreciated.

[kokosing]

Looks good, few comments.

[kokosing]

StringBuilder is mutable object. Please replace it with something immutable here like Pattern

Also I think it should be a local variable in match method.

[chongfeng-hu]

Java 17 Matcher lacks a method String substituteReplacement(String replacement) which, unlike
replaceAll() that replaces all matched groups in original string with substituted replacement, just simply returns the substituted replacement string, without replacing the original string.

Therefore, the only other viable option is to use appendReplacement(). However, this method either requires StringBuffer or StringBuilder, both mutable. In my earlier version, I had declared the StringBuilder object in match method, the only downside is that each method invocation will require a new StringBuilder to be constructed. It was lifted here for perf reasons. I will move it back to match.

[chongfeng-hu]

Done.

[kokosing]

Provide first generic explanation of substitution and then use example with backend

[chongfeng-hu]

Done.

I have added more detailed generic explanations on lines 547-549 above, as that section is more suited for generic explanations. I have left this line untouched because this section specifically focuses on explaining the examples included below (user-impersonation.json).

[kokosing]

maybe let's replace $2 with $1 to make this example more interesting. WDYT?

"new_user": "internal-$2-$1-sandbox",

[chongfeng-hu]

Done.

[kokosing]

Please provide tests where number of groups is incorrect. For example:

        {
            "original_user": "svc_(.*)",
            "new_user": "$2_$1_prod",
            "allow": true
        },

and

        {
            "original_user": "svc_(.*)",
            "allow": true
        },

[chongfeng-hu]

1st example: done.

2nd example: done. please note that new_user is required, even though it can be explicitly set to .*. This likely is to force the user to explicitly spell out match-all, if that's their intention, whereas allowing it optional and defaulting to match-all might result in unintentional global match, causing security risks. Therefore, I have slightly modified your example, by setting new_user to .* explicitly.

[chongfeng-hu]

Also in order to avoid interfering with other tests, I've used new prefixes abc_ and def_ respectively.

[kokosing]

Can you please also assert the error message? I don't IndexOutOfBoundsException should be an error that we can throw to user. I think it should be TrinoException with an actionable error message for user.

[chongfeng-hu]

done -- the error message is No group 2, which clearly points out the issue, and is also actionable.

[kokosing]

replace abc with missing_replacement

[chongfeng-hu]

done.

[kokosing]

replace def with incorrect_number_of_replacements_groups

[chongfeng-hu]

done.

[kokosing]

As an user it would take me a lot of time to understand where my configuration is incorrect. Please improve error message and use TrinoException

[chongfeng-hu]

Done.

[chongfeng-hu]

@kokosing will appreciate your review when you get a chance.

[kokosing]

Merged, thanks!