/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.solr.security;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import com.google.common.collect.ImmutableSet;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.util.Utils;
import static java.util.Collections.singleton;
import static java.util.Collections.singletonList;
import static org.apache.solr.common.params.CommonParams.NAME;
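/**
 * Parsed form of a single permission entry, built from its raw configuration map by
 * {@link #load(Map)}.
 *
 * <p>The fields are package-private and are filled in once by {@code load}; the original map is
 * kept (as a copy) in {@link #originalConfig} and is what {@link #toString()} renders.
 */
class Permission {
  /** Prefix that marks a {@code params} rule value as a regular expression instead of a literal. */
  private static final String REGEX_PREFIX = "REGEX:";

  String name;
  Set<String> path, role, collections, method;
  // Per-parameter predicates compiled from the "params" section; null when no "params" key is given.
  Map<String, Function<String[], Boolean>> params;
  PermissionNameProvider.Name wellknownName;
  @SuppressWarnings({"rawtypes"})
  Map originalConfig;

  private Permission() {
  }

  /**
   * Builds a {@code Permission} from one raw configuration map.
   *
   * <p>The {@code role} key must be present (its value may be null). When the name resolves to a
   * well-known permission, only {@code role}, {@code name}, {@code collection} and {@code index}
   * are accepted as keys; any other known key is rejected.
   *
   * @param m the raw permission map
   * @return the populated permission
   * @throws SolrException with {@code BAD_REQUEST} when {@code role} is missing, when a well-known
   *     permission carries a key it does not allow, or when a value has an unsupported shape
   */
  @SuppressWarnings({"unchecked", "rawtypes"})
  static Permission load(@SuppressWarnings({"rawtypes"}) Map m) {
    Permission p = new Permission();
    p.originalConfig = new LinkedHashMap<>(m);
    String name = (String) m.get(NAME);
    if (!m.containsKey("role")) {
      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "role not specified");
    }
    p.role = readValueAsSet(m, "role");

    // Resolve the well-known permission once and reuse the result.
    PermissionNameProvider.Name wellKnown = PermissionNameProvider.Name.get(name);
    if (wellKnown != null) {
      p.wellknownName = wellKnown;
      // Everything in knownKeys except the four keys removed below is rejected for a
      // well-known permission.
      HashSet<String> disAllowed = new HashSet<>(knownKeys);
      disAllowed.remove("role");
      disAllowed.remove(NAME);
      disAllowed.remove("collection");
      disAllowed.remove("index");
      for (String s : disAllowed) {
        if (m.containsKey(s)) {
          throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,
              s + " is not a valid key for the permission : " + name);
        }
      }
    }

    p.name = name;
    p.path = readSetSmart(name, m, "path");
    p.collections = readSetSmart(name, m, "collection");
    p.method = readSetSmart(name, m, "method");

    Map<String, Object> paramRules = (Map<String, Object>) m.get("params");
    if (paramRules != null) {
      p.params = new LinkedHashMap<>();
      for (Map.Entry<String, Object> e : paramRules.entrySet()) {
        p.params.put(e.getKey(), compileParamRule(e.getKey(), e.getValue()));
      }
    }
    return p;
  }

  /**
   * Turns one {@code params} rule into a predicate over the values supplied for that parameter.
   *
   * <p>A null rule yields a predicate that is true only for a null value array. Otherwise the rule
   * is a single value or a list of values; each is either a literal (exact {@code equals} match) or
   * a {@code REGEX:}-prefixed pattern. The predicate is true as soon as any supplied value matches
   * any rule value.
   *
   * <p>Security note: regular expressions are applied with {@link java.util.regex.Matcher#find()},
   * so a pattern matches when it occurs anywhere inside the value. A rule meant to constrain the
   * whole value has to anchor the expression itself with {@code ^} and {@code $}.
   */
  private static Function<String[], Boolean> compileParamRule(String paramName, Object rule) {
    if (rule == null) {
      return (String[] val) -> val == null;
    }
    List<?> rawRules = rule instanceof List ? (List<?>) rule : singletonList(rule);
    List<Object> matchers = rawRules.stream()
        .map(raw -> toMatcher(paramName, raw))
        .collect(Collectors.toList());
    return val -> {
      if (val == null) return false;
      for (Object matcher : matchers) {
        for (String s : val) {
          if (matcher instanceof Pattern) {
            // A null entry cannot be fed to a Matcher; it simply does not match.
            if (s != null && ((Pattern) matcher).matcher(s).find()) return true;
          } else if (matcher.equals(s)) {
            return true;
          }
        }
      }
      return false;
    };
  }

  /**
   * Converts one rule value into a {@link Pattern} (when {@code REGEX:}-prefixed) or a literal
   * string. List elements are stringified first, so numeric or boolean entries behave the same in
   * a list as they do when given as a single value, instead of failing with a
   * {@link ClassCastException}.
   */
  private static Object toMatcher(String paramName, Object raw) {
    if (raw == null) {
      // Reject rather than silently turning the entry into the literal text "null".
      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,
          "null is not a valid list entry for the param : " + paramName);
    }
    String text = String.valueOf(raw);
    return text.startsWith(REGEX_PREFIX)
        ? Pattern.compile(text.substring(REGEX_PREFIX.length()))
        : text;
  }

  /**
   * Reads {@code key} as a set, applying per-key defaults on top of
   * {@link #readValueAsSet(Map, String)}.
   *
   * <ul>
   *   <li>{@code collection}: when the permission name is a known one and the key is absent, the
   *       collection set declared by that well-known permission is returned.</li>
   *   <li>{@code method}: the set is returned only if every entry is in {@link #HTTP_METHODS};
   *       otherwise null is returned.</li>
   *   <li>any other case: a missing value becomes a set holding a single null element.</li>
   * </ul>
   */
  private static Set<String> readSetSmart(String permissionName, @SuppressWarnings({"rawtypes"}) Map m, String key) {
    boolean useWellKnownCollections = "collection".equals(key)
        && !m.containsKey(key)
        && PermissionNameProvider.values.containsKey(permissionName);
    if (useWellKnownCollections) {
      return PermissionNameProvider.Name.get(permissionName).collName;
    }
    Set<String> set = readValueAsSet(m, key);
    if ("method".equals(key)) {
      if (set != null) {
        // NOTE(review): one unrecognised entry (a typo, or a lower-case "get") discards the whole
        // method list and yields null, the same result as an absent key. If callers read a null
        // method set as "any method", the rule silently widens -- confirm, and consider rejecting
        // the configuration instead.
        for (String s : set) {
          if (!HTTP_METHODS.contains(s)) return null;
        }
      }
      return set;
    }
    return set == null ? singleton(null) : set;
  }

  /**
   * Reads the value stored under {@code key} as a set of strings. A single string becomes a
   * one-element set; the elements of a collection are stringified with {@code String.valueOf}.
   *
   * <p>NOTE(review): an empty collection collapses to null, which is indistinguishable from an
   * explicit null value. For {@code role} in particular, confirm that callers do not read a null
   * set as "no role required", since {@code "role": []} would then have that meaning too.
   *
   * @param m the map from which to lookup
   * @param key the key with which to do lookup
   * @return an unmodifiable set of the values, or null when the value is null or an empty
   *     collection; for {@code collection} a null value gives a singleton instead (see below)
   * @throws SolrException with {@code BAD_REQUEST} when the value is neither a string nor a
   *     collection
   */
  static Set<String> readValueAsSet(@SuppressWarnings({"rawtypes"}) Map m, String key) {
    Set<String> result = new HashSet<>();
    Object val = m.get(key);
    if (val == null) {
      if ("collection".equals(key)) {
        // For "collection", an explicit null means a core admin / collection admin request;
        // an absent key means the collection name is ignored for this permission.
        return m.containsKey(key) ? singleton(null) : singleton("*");
      }
      return null;
    }
    if (val instanceof Collection) {
      for (Object o : (Collection<?>) val) {
        result.add(String.valueOf(o));
      }
    } else if (val instanceof String) {
      result.add((String) val);
    } else {
      // A malformed configuration value is a client error, reported like the other validation
      // failures in load(). SolrException is a RuntimeException, so existing handlers still apply.
      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "Bad value for : " + key);
    }
    return result.isEmpty() ? null : Collections.unmodifiableSet(result);
  }

  /** Renders the configuration map this permission was loaded from as JSON. */
  @Override
  public String toString() {
    return Utils.toJSONString(originalConfig);
  }

  /** Every key that {@link #load(Map)} recognises in a permission map. */
  static final Set<String> knownKeys = ImmutableSet.of("collection", "role", "params", "path", "method", NAME, "index");
  /** HTTP methods accepted in a permission's {@code method} list; the comparison is case-sensitive. */
  public static final Set<String> HTTP_METHODS = ImmutableSet.of("GET", "POST", "DELETE", "PUT", "HEAD");
}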