agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java - ranger - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */

 package org.apache.ranger.plugin.policyengine;

 import static org.junit.Assert.*;

 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.lang.reflect.Type;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;

 import com.google.gson.JsonDeserializationContext;
 import com.google.gson.JsonDeserializer;
 import com.google.gson.JsonElement;
 import com.google.gson.JsonParseException;
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.plugin.util.ServicePolicies;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;

 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;

 public class TestPolicyACLs {
 	private static Gson gsonBuilder;

 	@BeforeClass
 	public static void setUpBeforeClass() throws Exception {
 		gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
 				.setPrettyPrinting()
 				.registerTypeAdapter(RangerAccessResource.class, new RangerResourceDeserializer())
 				.create();

 	}

 	@AfterClass
 	public static void tearDownAfterClass() throws Exception {
 	}

 	@Before
 	public void setUp() throws Exception {
 	}

 	@After
 	public void tearDown() throws Exception {
 	}

 	@Test
 	public void testResourceMatcher_default() throws Exception {
 		String[] tests = { "/policyengine/test_aclprovider_default.json" };

 		runTestsFromResourceFiles(tests);
 	}

 	private void runTestsFromResourceFiles(String[] resourceNames) throws Exception {
 		for(String resourceName : resourceNames) {
 			InputStream       inStream = this.getClass().getResourceAsStream(resourceName);
 			InputStreamReader reader   = new InputStreamReader(inStream);

 			runTests(reader, resourceName);
 		}
 	}

 	private void runTests(InputStreamReader reader, String testName) throws Exception {
 		PolicyACLsTests testCases = gsonBuilder.fromJson(reader, PolicyACLsTests.class);

 		assertTrue("invalid input: " + testName, testCases != null && testCases.testCases != null);

 		for(PolicyACLsTests.TestCase testCase : testCases.testCases) {
 			RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
 			RangerPluginContext       pluginContext       = new RangerPluginContext("hive", "cl1", "on-prem");
 			RangerPolicyEngine        policyEngine        = new RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies, policyEngineOptions, pluginContext, null);

 			for(PolicyACLsTests.TestCase.OneTest oneTest : testCase.tests) {
 				if(oneTest == null) {
 					continue;
 				}
 				RangerAccessRequestImpl request = new RangerAccessRequestImpl(oneTest.resource, RangerPolicyEngine.ANY_ACCESS, null, null);
 				RangerResourceACLs acls = policyEngine.getResourceACLs(request);

 				boolean userACLsMatched = true, groupACLsMatched = true, roleACLsMatched = true;

 				if (MapUtils.isNotEmpty(acls.getUserACLs()) && MapUtils.isNotEmpty(oneTest.userPermissions)) {

 					for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry :
 							acls.getUserACLs().entrySet()) {
 						String userName = entry.getKey();
 						Map<String, RangerResourceACLs.AccessResult> expected = oneTest.userPermissions.get(userName);
 						if (MapUtils.isNotEmpty(entry.getValue()) && MapUtils.isNotEmpty(expected)) {
 							// Compare
 							for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : entry.getValue().entrySet()) {
 								if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
 									continue;
 								}
 								RangerResourceACLs.AccessResult expectedResult = expected.get(privilege.getKey());
 								if (expectedResult == null) {
 									userACLsMatched = false;
 									break;
 								} else if (!expectedResult.equals(privilege.getValue())) {
 									userACLsMatched = false;
 									break;
 								}
 							}
 						} else if (!(MapUtils.isEmpty(entry.getValue()) && MapUtils.isEmpty(expected))){
 							Set<String> privileges = entry.getValue().keySet();
 							if (privileges.size() == 1 && privileges.contains(RangerPolicyEngine.ADMIN_ACCESS)) {
 								userACLsMatched = true;
 							} else {
 								userACLsMatched = false;
 							}
 							break;
 						}
 						if (!userACLsMatched) {
 							break;
 						}
 					}
 				} else if (!(MapUtils.isEmpty(acls.getUserACLs()) && MapUtils.isEmpty(oneTest.userPermissions))) {
 					userACLsMatched = false;
 				}

 				if (MapUtils.isNotEmpty(acls.getGroupACLs()) && MapUtils.isNotEmpty(oneTest.groupPermissions)) {
 					for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry :
 							acls.getGroupACLs().entrySet()) {
 						String groupName = entry.getKey();
 						Map<String, RangerResourceACLs.AccessResult> expected = oneTest.groupPermissions.get(groupName);
 						if (MapUtils.isNotEmpty(entry.getValue()) && MapUtils.isNotEmpty(expected)) {
 							// Compare
 							for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : entry.getValue().entrySet()) {
 								if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
 									continue;
 								}
 								RangerResourceACLs.AccessResult expectedResult = expected.get(privilege.getKey());
 								if (expectedResult == null) {
 									groupACLsMatched = false;
 									break;
 								} else if (!expectedResult.equals(privilege.getValue())) {
 									groupACLsMatched = false;
 									break;
 								}
 							}
 						} else if (!(MapUtils.isEmpty(entry.getValue()) && MapUtils.isEmpty(expected))){
 							Set<String> privileges = entry.getValue().keySet();
 							if (privileges.size() == 1 && privileges.contains(RangerPolicyEngine.ADMIN_ACCESS)) {
 								groupACLsMatched = true;
 							} else {
 								groupACLsMatched = false;
 							}
 							break;
 						}
 						if (!groupACLsMatched) {
 							break;
 						}
 					}
 				} else if (!(MapUtils.isEmpty(acls.getGroupACLs()) && MapUtils.isEmpty(oneTest.groupPermissions))) {
 					groupACLsMatched = false;
 				}

 				if (MapUtils.isNotEmpty(acls.getRoleACLs()) && MapUtils.isNotEmpty(oneTest.rolePermissions)) {
 					for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry :
 							acls.getRoleACLs().entrySet()) {
 						String roleName = entry.getKey();
 						Map<String, RangerResourceACLs.AccessResult> expected = oneTest.rolePermissions.get(roleName);
 						if (MapUtils.isNotEmpty(entry.getValue()) && MapUtils.isNotEmpty(expected)) {
 							// Compare
 							for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : entry.getValue().entrySet()) {
 								if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
 									continue;
 								}
 								RangerResourceACLs.AccessResult expectedResult = expected.get(privilege.getKey());
 								if (expectedResult == null) {
 									roleACLsMatched = false;
 									break;
 								} else if (!expectedResult.equals(privilege.getValue())) {
 									roleACLsMatched = false;
 									break;
 								}
 							}
 						} else if (!(MapUtils.isEmpty(entry.getValue()) && MapUtils.isEmpty(expected))){
 							Set<String> privileges = entry.getValue().keySet();
 							if (privileges.size() == 1 && privileges.contains(RangerPolicyEngine.ADMIN_ACCESS)) {
 								roleACLsMatched = true;
 							} else {
 								roleACLsMatched = false;
 							}
 							break;
 						}
 						if (!roleACLsMatched) {
 							break;
 						}
 					}
 				} else if (!(MapUtils.isEmpty(acls.getRoleACLs()) && MapUtils.isEmpty(oneTest.rolePermissions))) {
 					roleACLsMatched = false;
 				}
 				assertTrue("getResourceACLs() failed! " + testCase.name + ":" + oneTest.name, userACLsMatched && groupACLsMatched && roleACLsMatched);
 			}
 		}
 	}

 	static class PolicyACLsTests {
 		List<TestCase> testCases;

 		class TestCase {
 			String               name;
 			ServicePolicies      servicePolicies;
 			List<OneTest>        tests;

 			class OneTest {
 				String               name;
 				RangerAccessResource   resource;
 				Map<String, Map<String, RangerResourceACLs.AccessResult>> userPermissions;
 				Map<String, Map<String, RangerResourceACLs.AccessResult>> groupPermissions;
 				Map<String, Map<String, RangerResourceACLs.AccessResult>> rolePermissions;
 			}
 		}
 	}

 	static class RangerResourceDeserializer implements JsonDeserializer<RangerAccessResource> {
 		@Override
 		public RangerAccessResource deserialize(JsonElement jsonObj, Type type,
 		                                        JsonDeserializationContext context) throws JsonParseException {
 			return gsonBuilder.fromJson(jsonObj, RangerAccessResourceImpl.class);
 		}
 	}
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/

	package org.apache.ranger.plugin.policyengine;

	import static org.junit.Assert.*;

	import java.io.InputStream;
	import java.io.InputStreamReader;
	import java.lang.reflect.Type;
	import java.util.List;
	import java.util.Map;
	import java.util.Set;

	import com.google.gson.JsonDeserializationContext;
	import com.google.gson.JsonDeserializer;
	import com.google.gson.JsonElement;
	import com.google.gson.JsonParseException;
	import org.apache.commons.collections.MapUtils;
	import org.apache.commons.lang.StringUtils;
	import org.apache.ranger.plugin.util.ServicePolicies;
	import org.junit.After;
	import org.junit.AfterClass;
	import org.junit.Before;
	import org.junit.BeforeClass;
	import org.junit.Test;

	import com.google.gson.Gson;
	import com.google.gson.GsonBuilder;

	public class TestPolicyACLs {
	private static Gson gsonBuilder;

	@BeforeClass
	public static void setUpBeforeClass() throws Exception {
	gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
	.setPrettyPrinting()
	.registerTypeAdapter(RangerAccessResource.class, new RangerResourceDeserializer())
	.create();

	}

	@AfterClass
	public static void tearDownAfterClass() throws Exception {
	}

	@Before
	public void setUp() throws Exception {
	}

	@After
	public void tearDown() throws Exception {
	}

	@Test
	public void testResourceMatcher_default() throws Exception {
	String[] tests = { "/policyengine/test_aclprovider_default.json" };

	runTestsFromResourceFiles(tests);
	}

	private void runTestsFromResourceFiles(String[] resourceNames) throws Exception {
	for(String resourceName : resourceNames) {
	InputStream inStream = this.getClass().getResourceAsStream(resourceName);
	InputStreamReader reader = new InputStreamReader(inStream);

	runTests(reader, resourceName);
	}
	}

	private void runTests(InputStreamReader reader, String testName) throws Exception {
	PolicyACLsTests testCases = gsonBuilder.fromJson(reader, PolicyACLsTests.class);

	assertTrue("invalid input: " + testName, testCases != null && testCases.testCases != null);

	for(PolicyACLsTests.TestCase testCase : testCases.testCases) {
	RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
	RangerPluginContext pluginContext = new RangerPluginContext("hive", "cl1", "on-prem");
	RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies, policyEngineOptions, pluginContext, null);

	for(PolicyACLsTests.TestCase.OneTest oneTest : testCase.tests) {
	if(oneTest == null) {
	continue;
	}
	RangerAccessRequestImpl request = new RangerAccessRequestImpl(oneTest.resource, RangerPolicyEngine.ANY_ACCESS, null, null);
	RangerResourceACLs acls = policyEngine.getResourceACLs(request);

	boolean userACLsMatched = true, groupACLsMatched = true, roleACLsMatched = true;

	if (MapUtils.isNotEmpty(acls.getUserACLs()) && MapUtils.isNotEmpty(oneTest.userPermissions)) {

	for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry :
	acls.getUserACLs().entrySet()) {
	String userName = entry.getKey();
	Map<String, RangerResourceACLs.AccessResult> expected = oneTest.userPermissions.get(userName);
	if (MapUtils.isNotEmpty(entry.getValue()) && MapUtils.isNotEmpty(expected)) {
	// Compare
	for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : entry.getValue().entrySet()) {
	if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
	continue;
	}
	RangerResourceACLs.AccessResult expectedResult = expected.get(privilege.getKey());
	if (expectedResult == null) {
	userACLsMatched = false;
	break;
	} else if (!expectedResult.equals(privilege.getValue())) {
	userACLsMatched = false;
	break;
	}
	}
	} else if (!(MapUtils.isEmpty(entry.getValue()) && MapUtils.isEmpty(expected))){
	Set<String> privileges = entry.getValue().keySet();
	if (privileges.size() == 1 && privileges.contains(RangerPolicyEngine.ADMIN_ACCESS)) {
	userACLsMatched = true;
	} else {
	userACLsMatched = false;
	}
	break;
	}
	if (!userACLsMatched) {
	break;
	}
	}
	} else if (!(MapUtils.isEmpty(acls.getUserACLs()) && MapUtils.isEmpty(oneTest.userPermissions))) {
	userACLsMatched = false;
	}

	if (MapUtils.isNotEmpty(acls.getGroupACLs()) && MapUtils.isNotEmpty(oneTest.groupPermissions)) {
	for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry :
	acls.getGroupACLs().entrySet()) {
	String groupName = entry.getKey();
	Map<String, RangerResourceACLs.AccessResult> expected = oneTest.groupPermissions.get(groupName);
	if (MapUtils.isNotEmpty(entry.getValue()) && MapUtils.isNotEmpty(expected)) {
	// Compare
	for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : entry.getValue().entrySet()) {
	if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
	continue;
	}
	RangerResourceACLs.AccessResult expectedResult = expected.get(privilege.getKey());
	if (expectedResult == null) {
	groupACLsMatched = false;
	break;
	} else if (!expectedResult.equals(privilege.getValue())) {
	groupACLsMatched = false;
	break;
	}
	}
	} else if (!(MapUtils.isEmpty(entry.getValue()) && MapUtils.isEmpty(expected))){
	Set<String> privileges = entry.getValue().keySet();
	if (privileges.size() == 1 && privileges.contains(RangerPolicyEngine.ADMIN_ACCESS)) {
	groupACLsMatched = true;
	} else {
	groupACLsMatched = false;
	}
	break;
	}
	if (!groupACLsMatched) {
	break;
	}
	}
	} else if (!(MapUtils.isEmpty(acls.getGroupACLs()) && MapUtils.isEmpty(oneTest.groupPermissions))) {
	groupACLsMatched = false;
	}

	if (MapUtils.isNotEmpty(acls.getRoleACLs()) && MapUtils.isNotEmpty(oneTest.rolePermissions)) {
	for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry :
	acls.getRoleACLs().entrySet()) {
	String roleName = entry.getKey();
	Map<String, RangerResourceACLs.AccessResult> expected = oneTest.rolePermissions.get(roleName);
	if (MapUtils.isNotEmpty(entry.getValue()) && MapUtils.isNotEmpty(expected)) {
	// Compare
	for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : entry.getValue().entrySet()) {
	if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
	continue;
	}
	RangerResourceACLs.AccessResult expectedResult = expected.get(privilege.getKey());
	if (expectedResult == null) {
	roleACLsMatched = false;
	break;
	} else if (!expectedResult.equals(privilege.getValue())) {
	roleACLsMatched = false;
	break;
	}
	}
	} else if (!(MapUtils.isEmpty(entry.getValue()) && MapUtils.isEmpty(expected))){
	Set<String> privileges = entry.getValue().keySet();
	if (privileges.size() == 1 && privileges.contains(RangerPolicyEngine.ADMIN_ACCESS)) {
	roleACLsMatched = true;
	} else {
	roleACLsMatched = false;
	}
	break;
	}
	if (!roleACLsMatched) {
	break;
	}
	}
	} else if (!(MapUtils.isEmpty(acls.getRoleACLs()) && MapUtils.isEmpty(oneTest.rolePermissions))) {
	roleACLsMatched = false;
	}
	assertTrue("getResourceACLs() failed! " + testCase.name + ":" + oneTest.name, userACLsMatched && groupACLsMatched && roleACLsMatched);
	}
	}
	}

	static class PolicyACLsTests {
	List<TestCase> testCases;

	class TestCase {
	String name;
	ServicePolicies servicePolicies;
	List<OneTest> tests;

	class OneTest {
	String name;
	RangerAccessResource resource;
	Map<String, Map<String, RangerResourceACLs.AccessResult>> userPermissions;
	Map<String, Map<String, RangerResourceACLs.AccessResult>> groupPermissions;
	Map<String, Map<String, RangerResourceACLs.AccessResult>> rolePermissions;
	}
	}
	}

	static class RangerResourceDeserializer implements JsonDeserializer<RangerAccessResource> {
	@Override
	public RangerAccessResource deserialize(JsonElement jsonObj, Type type,
	JsonDeserializationContext context) throws JsonParseException {
	return gsonBuilder.fromJson(jsonObj, RangerAccessResourceImpl.class);
	}
	}
	}