geode-core/src/main/java/org/apache/geode/cache/query/security/MethodInvocationAuthorizer.java - geode - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
  * agreements. See the NOTICE file distributed with this work for additional information regarding
  * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance with the License. You may obtain a
  * copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License
  * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
  * or implied. See the License for the specific language governing permissions and limitations under
  * the License.
  */
 package org.apache.geode.cache.query.security;

 import java.lang.reflect.Method;

 import org.apache.geode.cache.Cache;
 import org.apache.geode.cache.Region;

 /**
  * The root interface that should be implemented by method invocation authorizer instances.
  * The authorizer is responsible for determining whether a {@link java.lang.reflect.Method} is
  * allowed to be executed on a specific {@link java.lang.Object} instance.
  * <p/>
  *
  * There are mainly four security risks when allowing users to execute arbitrary methods in OQL,
  * which should be addressed by implementations of this interface:
  * <p>
  * <ul>
  * <li>{@code Java Reflection}: do anything through {@link Object#getClass()} or similar.
  * <li>{@code Cache Modification}: execute {@link Cache} operations (close, get regions, etc.).
  * <li>{@code Region Modification}: execute {@link Region} operations (destroy, invalidate, etc.).
  * <li>{@code Region Entry Modification}: execute in-place modifications on the region entries.
  * </ul>
  * </p>
  *
  * Implementations of this interface should be thread-safe: multiple threads might be authorizing
  * several method invocations using the same instance at the same time.
  */
 public interface MethodInvocationAuthorizer {

   /**
    * Executes the authorization logic to determine whether the {@code method} is allowed to be
    * executed on the {@code target} object instance.
    * <p/>
    *
    * <b>Implementation Note</b>: the query engine will remember whether the method invocation has
    * been already authorized or not for the current query context, so this method will be called
    * once in the lifetime of a query for every new method seen while traversing the objects.
    * Nevertheless, the implementation should be lighting fast as it will be called by the
    * OQL engine in runtime during the query execution.
    *
    * @param method the {@link Method} that should be authorized.
    * @param target the {@link Object} on which the {@link Method} will be executed.
    * @return {@code true} if the {@code method} can be executed on on the {@code target} instance,
    *         {@code false} otherwise.
    */
   boolean authorize(Method method, Object target);
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more contributor license
	* agreements. See the NOTICE file distributed with this work for additional information regarding
	* copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance with the License. You may obtain a
	* copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software distributed under the License
	* is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
	* or implied. See the License for the specific language governing permissions and limitations under
	* the License.
	*/
	package org.apache.geode.cache.query.security;

	import java.lang.reflect.Method;

	import org.apache.geode.cache.Cache;
	import org.apache.geode.cache.Region;

	/**
	* The root interface that should be implemented by method invocation authorizer instances.
	* The authorizer is responsible for determining whether a {@link java.lang.reflect.Method} is
	* allowed to be executed on a specific {@link java.lang.Object} instance.
	* <p/>
	*
	* There are mainly four security risks when allowing users to execute arbitrary methods in OQL,
	* which should be addressed by implementations of this interface:
	* <p>
	* <ul>
	* <li>{@code Java Reflection}: do anything through {@link Object#getClass()} or similar.
	* <li>{@code Cache Modification}: execute {@link Cache} operations (close, get regions, etc.).
	* <li>{@code Region Modification}: execute {@link Region} operations (destroy, invalidate, etc.).
	* <li>{@code Region Entry Modification}: execute in-place modifications on the region entries.
	* </ul>
	* </p>
	*
	* Implementations of this interface should be thread-safe: multiple threads might be authorizing
	* several method invocations using the same instance at the same time.
	*/
	public interface MethodInvocationAuthorizer {

	/**
	* Executes the authorization logic to determine whether the {@code method} is allowed to be
	* executed on the {@code target} object instance.
	* <p/>
	*
	* <b>Implementation Note</b>: the query engine will remember whether the method invocation has
	* been already authorized or not for the current query context, so this method will be called
	* once in the lifetime of a query for every new method seen while traversing the objects.
	* Nevertheless, the implementation should be lighting fast as it will be called by the
	* OQL engine in runtime during the query execution.
	*
	* @param method the {@link Method} that should be authorized.
	* @param target the {@link Object} on which the {@link Method} will be executed.
	* @return {@code true} if the {@code method} can be executed on on the {@code target} instance,
	* {@code false} otherwise.
	*/
	boolean authorize(Method method, Object target);
	}