author: Tor Brede Vekterli <vekterli@yahooinc.com> 2022-06-22 15:44:57 +0000
committer: Tor Brede Vekterli <vekterli@yahooinc.com> 2022-06-29 11:20:24 +0000
commit: cc44b799f0d78a5e26f12ecb8b868301095570c4
tree: 374f50996663fbdfa85d529202c0e7cccb99648d /vespalib/CMakeLists.txt
parent: cbe98d69506bf60f7fcf7681eb99a79589300882
Support mTLS connection-level capabilities and RPC access filtering in C++
Adds the following:

* Named capabilities and capability sets that represent (respectively) a single Vespa access API (such as Document API, search API etc) or a concrete subset of individual capabilities that make up a particular Vespa service (such as a content node).
* A new `capabilities` array field to the mTLS authorization policies that allows for constraining what requests sent over a particular connection are allowed to actually do. Capabilities are referenced by name and may include any combination of capability sets and individual capabilities. If multiple capabilities/sets are configured, the resulting set of capabilities is the union set of all of them.
* An FRT RPC-level access filter that can be set up as part of RPC method definitions. If set, filters are invoked prior to RPC methods.
* A new `PERMISSION_DENIED` error code to FRT RPC that is invoked if an access filter denies a request.

This also GCs the unused `AssumedRoles` concept which is now deprecated in favor of capabilities.

Note: this is **not yet** a public or stable API, and capability names/semantics may change at any time.
Diffstat (limited to 'vespalib/CMakeLists.txt')
-rw-r--r-- vespalib/CMakeLists.txt 1
1 files changed, 1 insertions, 0 deletions
diff --git a/vespalib/CMakeLists.txt b/vespalib/CMakeLists.txt
index 69bd709c613..609c825dafa 100644
--- a/vespalib/CMakeLists.txt
+++ b/vespalib/CMakeLists.txt
@@ -101,6 +101,7 @@ vespa_define_module(
src/tests/net/socket_spec
src/tests/net/sync_crypto_socket
src/tests/net/tls/auto_reloading_tls_crypto_engine
+ src/tests/net/tls/capabilities
src/tests/net/tls/direct_buffer_bio
src/tests/net/tls/openssl_impl
src/tests/net/tls/policy_checking_certificate_verifier
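Review bot: the new `src/tests/net/tls/capabilities` entry in the `vespa_define_module(` test list is the only test registration visible here (the diffstat is limited to this file), so confirm that the directory ships its own CMakeLists.txt and that the FRT RPC access filter and the `PERMISSION_DENIED` path named in the commit message have tests registered in the module that owns them. Since capabilities gate what a connection may do, the tests behind this entry should pin down the semantics the message states: lookup of capabilities and capability sets by name, and the union of several configured capabilities/sets. A case for a configured name that matches no known capability would also be worth having, so that a typo in a policy file has a defined, tested outcome.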