feat(credentials): implement matchExpression-based credentials

[andrewazores]

Related to #895
Depends on cryostatio/cryostat-web#475

This PR enhances the existing CredentialsManager by replacing the targetId field of stored credentials with a matchExpression. This uses the same expression evaluation internal infrastructure already in place for Automated Rules, so the syntax and behaviour is exactly the same. There is a migration function that checks all stored credentials already on disk and checks if they have the targetId field. If they do not then they are skipped over, since they are either invalid files or conform to the new format already.

{
  "targetId": "foo",
  "credentials": {
    "username": "user",
    "password": "pass"
  }
}

is migrated by applying a simple transformation to:

{
  "matchExpression": "target.connectUrl == \"foo\"",
  "credentials": {
    "username": "user",
    "password": "pass"
  }
}

This allows the new expression-based system to migrate existing credentials while maintaining the same semantics, and also allows the old credentials API endpoints to continue working with the same behaviour.

Still TODO in follow-up PRs:

1. Add new API endpoints to allow clients to define and delete credentials with generalized matchExpression, not only the backward-compatible target.connectUrl == "foo" style
2. Use the new CredentialsGetHandler on the frontend to enhance the Security view to better reflect these expression-based credentials [Story] Enhance JMX Credentials UI for matchExpressions cryostat-web#465

Since it is now possible for one set of credentials to match multiple targets, the AbstractAuthenticatedRequestHandler no longer deletes credentials if they are used for a JMX connection and the connection fails - since the credentials may apply to multiple targets, they may be valid for other targets than the one that was just checked.

It is also possible that one target may be matched by multiple sets of credentials. There is no protection against this case, so it would simply be considered a user configuration error. If this occurs then the credentialsManager will simply provide the "first" matching set of credentials for a given target when requested. The ordering of credentials is intentionally undefined at this time. Multiple credentials for a given target is not an expected valid configuration and so no scheme of trying each of them in order is attempted, or any other more complex behaviours.

[jan-law]

Works well

[andrewazores]

Actually, hold on. I'll add unit tests for the CredentialsManager. It probably should have had them before and it certainly should now.

[andrewazores]

Not done adding tests yet, just added basic tests for the new migration function so far. I'll add some more tomorrow.

[hareetd]

I haven't reviewed the tests yet but the implementation changes look good. However, since the credentials-related notifications have been changed to accommodate the match expression change, the StoreJmxCredentials component (on -web) no longer updates the table state properly when credentials are added or deleted.

[andrewazores]

Yea, I'll fix that with TODO 2 listed in the PR body.

[andrewazores]

Filing the -web side to do later, since I'm on PTO next week and won't have any time to get started on it. I'll leave it open for anyone else to take a stab at if there's interest, otherwise I'll start on it when I'm back to work.

[jan-law]

Backend looks good, I'm assuming you'll merge this once the web client gets updated

[andrewazores]

-web PR opened that just patches the UI enough to not break with this backend change. The actual UI enhancements like using a nested table view and allowing users to create credentials definitions using a matchExpression need to wait for more follow-up backend changes adding API for that.

[github-actions]

This PR/issue depends on:

• feat(security): use API v2.2 JMX credentials cryostat-web#475
  By Dependent Issues (🤖). Happy coding!

[andrewazores]

-web side merged and updated in this feature branch. Nothing else has changed since previous review approvals.

[hareetd]

Oops, looks like the web-client submodule hasn't been updated with the frontend changes (I don't see it in the changed files).

[andrewazores]

It isn't listed as a commit in this PR since I rebased on top, but the latest frontend change in the submodule is already in main thanks to our new CI-bot: cryostatio/cryostat@d4b448c

[hareetd]

Oh that makes sense then, cool.

[andrewazores]

No more manually updating the submodule :-)