feat(access-control-service): AccessControlService added as a new micro service (#3767)

## Overview
This PR is fixing the first part of
[#3634](#3634). The full
[PR](#3598) had so many changes so
we broke it down into two PRs. This PR is the first one that introduce
Access Control Service only without its usage in any part of the system.

## Test cases
- Empty authorization token
- Wrong CUID format
- Request access for a user without access to the computing unit
- Request access for a user with access to the computing unit

## Changes
Currently, the folder named `access-control-service` is added with its
dependencies to `auth` folder. Currently, it has test cases to make sure
its functionality is working correctly.

<img width="1382" height="554" alt="Screenshot from 2025-09-25 15-46-55"
src="https://github.com/user-attachments/assets/25da27b4-5018-4a47-bccc-6ba2adacbfb4"
/>


| Component/Flow | File | Description |
| :--- | :--- | :--- |
| **New `AccessControl` Service** | `core/access-control-service/...` |
A new Dropwizard-based microservice responsible for authorizing user
requests to computing units. This includes its build configuration,
application setup (`AccessControlService.scala`), configuration model
(`AccessControlServiceConfiguration.scala`), authorization logic, REST
endpoint (`AccessControlResource.scala`), and unit tests
(`AccessControlResourceSpec.scala`). |
| **Database Access Logic** |
`core/auth/src/main/scala/edu/uci/ics/texera/auth/util/ComputingUnitAccess.scala`
| Implements the logic to query the PostgreSQL database and determine a
user's access privilege (`READ`, `WRITE`, `NONE`) for a given Computing
Unit. |
| |
`core/auth/src/main/scala/edu/uci/ics/texera/auth/util/HeaderField.scala`
| Defines constants for the custom HTTP headers (`x-user-cu-access`,
`x-user-id`, etc.) that are injected by the Access Control Service. |

Author: aicam

core/access-control-service/build.sbt

@@ -0,0 +1,81 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import scala.collection.Seq
+
+name := "access-control-service"
+organization := "edu.uci.ics"
+version := "1.0.0"
+
+scalaVersion := "2.13.12"
+
+enablePlugins(JavaAppPackaging)
+
+// Enable semanticdb for Scalafix
+ThisBuild / semanticdbEnabled := true
+ThisBuild / semanticdbVersion := scalafixSemanticdb.revision
+
+// Manage dependency conflicts by always using the latest revision
+ThisBuild / conflictManager := ConflictManager.latestRevision
+
+// Restrict parallel execution of tests to avoid conflicts
+Global / concurrentRestrictions += Tags.limit(Tags.Test, 1)
+
+/////////////////////////////////////////////////////////////////////////////
+// Compiler Options
+/////////////////////////////////////////////////////////////////////////////
+
+// Scala compiler options
+Compile / scalacOptions ++= Seq(
+  "-Xelide-below", "WARNING",       // Turn on optimizations with "WARNING" as the threshold
+  "-feature",                       // Check feature warnings
+  "-deprecation",                   // Check deprecation warnings
+  "-Ywarn-unused:imports"           // Check for unused imports
+)
+
+/////////////////////////////////////////////////////////////////////////////
+// Version Variables
+/////////////////////////////////////////////////////////////////////////////
+
+val dropwizardVersion = "4.0.7"
+val mockitoVersion = "5.4.0"
+val assertjVersion = "3.24.2"
+
+/////////////////////////////////////////////////////////////////////////////
+// Test-related Dependencies
+/////////////////////////////////////////////////////////////////////////////
+
+libraryDependencies ++= Seq(
+  "org.scalamock" %% "scalamock" % "5.2.0" % Test,                   // ScalaMock
+  "org.scalatest" %% "scalatest" % "3.2.17" % Test,                  // ScalaTest
+  "io.dropwizard" % "dropwizard-testing" % dropwizardVersion % Test, // Dropwizard Testing
+  "org.mockito" % "mockito-core" % mockitoVersion % Test,            // Mockito for mocking
+  "org.assertj" % "assertj-core" % assertjVersion % Test,            // AssertJ for assertions
+  "com.novocode" % "junit-interface" % "0.11" % Test                // SBT interface for JUnit
+)
+
+/////////////////////////////////////////////////////////////////////////////
+// Dependencies
+/////////////////////////////////////////////////////////////////////////////
+
+// Core Dependencies
+libraryDependencies ++= Seq(
+  "io.dropwizard" % "dropwizard-core" % dropwizardVersion,
+  "io.dropwizard" % "dropwizard-auth" % dropwizardVersion, // Dropwizard Authentication module
+  "com.fasterxml.jackson.module" %% "jackson-module-scala" % "2.15.2",
+  "org.playframework" %% "play-json" % "3.1.0-M1",
+)

core/access-control-service/project/build.properties

@@ -0,0 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+sbt.version = 1.9.9

core/access-control-service/src/main/resources/access-control-service-web-config.yaml

@@ -0,0 +1,33 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+server:
+  applicationConnectors:
+    - type: http
+      port: 9096
+  adminConnectors: []
+
+logging:
+  level: INFO
+  appenders:
+    - type: console
+      threshold: INFO
+    - type: file
+      currentLogFilename: logs/access-control-service.log
+      archive: true
+      archivedLogFilenamePattern: logs/access-control-service-%d.log.gz
+      archivedFileCount: 5

core/access-control-service/src/main/resources/logback.xml

@@ -0,0 +1,55 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<configuration>
+    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+        <!-- encoders are assigned the type ch.qos.logback.classic.encoder.PatternLayoutEncoder
+            by default -->
+        <encoder>
+            <pattern>[%date{ISO8601}] [%level] [%logger] [%thread] - %msg %n
+            </pattern>
+        </encoder>
+    </appender>
+
+
+    <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <file>../log/access-control-service.log</file>
+        <immediateFlush>true</immediateFlush>
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>../log/access-control-service-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+        </rollingPolicy>
+        <encoder>
+            <pattern>[%date{ISO8601}] [%level] [%logger] [%thread] - %msg %n</pattern>
+        </encoder>
+    </appender>
+
+    <appender name="ASYNC" class="ch.qos.logback.classic.AsyncAppender">
+        <queueSize>8192</queueSize>
+        <neverBlock>true</neverBlock>
+        <appender-ref ref="FILE"/>
+    </appender>
+
+    <root level="INFO">
+        <appender-ref ref="ASYNC"/>
+        <appender-ref ref="STDOUT"/>
+    </root>
+    <logger name="org.apache" level="WARN"/>
+    <logger name="httpclient" level="WARN"/>
+    <logger name="io.grpc.netty" level="WARN"/>
+</configuration>

core/access-control-service/src/main/scala/edu/uci/ics/texera/service/AccessControlService.scala

@@ -0,0 +1,78 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package edu.uci.ics.texera.service
+
+import io.dropwizard.core.Application
+import io.dropwizard.core.setup.{Bootstrap, Environment}
+import com.fasterxml.jackson.module.scala.DefaultScalaModule
+import com.typesafe.scalalogging.LazyLogging
+import edu.uci.ics.amber.config.StorageConfig
+import edu.uci.ics.amber.util.PathUtils.{configServicePath, accessControlServicePath}
+import edu.uci.ics.texera.auth.{JwtAuthFilter, SessionUser}
+import edu.uci.ics.texera.dao.SqlServer
+import edu.uci.ics.texera.service.resource.{HealthCheckResource, AccessControlResource}
+import io.dropwizard.auth.AuthDynamicFeature
+import org.eclipse.jetty.server.session.SessionHandler
+import org.jooq.impl.DSL
+
+
+class AccessControlService extends Application[AccessControlServiceConfiguration] with LazyLogging {
+  override def initialize(bootstrap: Bootstrap[AccessControlServiceConfiguration]): Unit = {
+    // Register Scala module to Dropwizard default object mapper
+    bootstrap.getObjectMapper.registerModule(DefaultScalaModule)
+
+    SqlServer.initConnection(
+      StorageConfig.jdbcUrl,
+      StorageConfig.jdbcUsername,
+      StorageConfig.jdbcPassword
+    )
+  }
+
+  override def run(configuration: AccessControlServiceConfiguration, environment: Environment): Unit = {
+    // Serve backend at /api
+    environment.jersey.setUrlPattern("/api/*")
+
+    environment.jersey.register(classOf[SessionHandler])
+    environment.servlets.setSessionHandler(new SessionHandler)
+
+    environment.jersey.register(classOf[HealthCheckResource])
+    environment.jersey.register(classOf[AccessControlResource])
+
+    // Register JWT authentication filter
+    environment.jersey.register(new AuthDynamicFeature(classOf[JwtAuthFilter]))
+
+    // Enable @Auth annotation for injecting SessionUser
+    environment.jersey.register(
+      new io.dropwizard.auth.AuthValueFactoryProvider.Binder(classOf[SessionUser])
+    )
+  }
+}
+object AccessControlService {
+  def main(args: Array[String]): Unit = {
+    val accessControlPath = accessControlServicePath
+      .resolve("src")
+      .resolve("main")
+      .resolve("resources")
+      .resolve("access-control-service-web-config.yaml")
+      .toAbsolutePath
+      .toString
+
+    // Start the Dropwizard application
+    new AccessControlService().run("server", accessControlPath)
+  }
+}

core/access-control-service/src/main/scala/edu/uci/ics/texera/service/AccessControlServiceConfiguration.scala

@@ -0,0 +1,22 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package edu.uci.ics.texera.service
+
+import io.dropwizard.core.Configuration
+
+class AccessControlServiceConfiguration extends Configuration {}