security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.ranger.validation;

import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.biz.RoleDBStore;
import org.apache.ranger.biz.ServiceMgr;
import org.apache.ranger.biz.XUserMgr;
import org.apache.ranger.common.RangerRoleCache;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.*;
import org.apache.ranger.plugin.model.RangerGds.RangerDataShare;
import org.apache.ranger.plugin.model.RangerGds.RangerDataset;
import org.apache.ranger.plugin.model.RangerGds.RangerProject;
import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.RangerRolesUtil;
import org.apache.ranger.plugin.util.ServiceDefUtil;
import org.apache.ranger.service.RangerGdsDataShareService;
import org.apache.ranger.service.RangerGdsDatasetService;
import org.apache.ranger.service.RangerGdsProjectService;
import org.apache.ranger.service.RangerServiceService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.Map;

import static org.apache.ranger.db.XXGlobalStateDao.RANGER_GLOBAL_STATE_NAME_ROLE;

@Component
public class RangerGdsValidationDBProvider extends RangerGdsValidationDataProvider {
    private static final Logger LOG = LoggerFactory.getLogger(RangerGdsValidationDBProvider.class);

    private static final String SERVICE_NAME_FOR_ROLES = "";

    @Autowired
    RangerDaoManager daoMgr;

    @Autowired
    XUserMgr userMgr;

    @Autowired
    ServiceMgr serviceMgr;

    @Autowired
    RangerServiceService svcService;

    @Autowired
    RangerGdsDatasetService datasetService;

    @Autowired
    RangerGdsProjectService projectService;

    @Autowired
    RangerGdsDataShareService dataShareService;

    @Autowired
    RoleDBStore rolesStore;

    @Autowired
    RangerBizUtil bizUtil;

    RangerRolesUtil rolesUtil;


    public RangerGdsValidationDBProvider() {
    }

    public Long getServiceId(String name) {
        XXService obj = daoMgr.getXXService().findByName(name);

        return obj != null ? obj.getId() : null;
    }

    public Long getZoneId(String name) {
        XXSecurityZone obj = daoMgr.getXXSecurityZoneDao().findByZoneName(name);

        return obj != null ? obj.getId() : null;
    }

    public Long getDatasetId(String name) {
        XXGdsDataset obj = daoMgr.getXXGdsDataset().findByName(name);

        return obj != null ? obj.getId() : null;
    }

    public Long getProjectId(String name) {
        XXGdsProject obj = daoMgr.getXXGdsProject().findByName(name);

        return obj != null ? obj.getId() : null;
    }

    public Long getDataShareId(String name) {
        XXGdsDataShare obj = daoMgr.getXXGdsDataShare().findByName(name);

        return obj != null ? obj.getId() : null;
    }

    public Long getUserId(String name) {
        XXUser obj = daoMgr.getXXUser().findByUserName(name);

        return obj != null ? obj.getId() : null;
    }

    public Long getGroupId(String name) {
        XXGroup obj = daoMgr.getXXGroup().findByGroupName(name);

        return obj != null ? obj.getId() : null;
    }

    public Long getRoleId(String name) {
        XXRole obj = daoMgr.getXXRole().findByRoleName(name);

        return obj != null ? obj.getId() : null;
    }

    public String getCurrentUserLoginId() {
        return bizUtil.getCurrentUserLoginId();
    }

    public boolean isAdminUser() {
        return bizUtil.isAdmin();
    }

    public boolean isServiceAdmin(String name) {
        XXService     xService = daoMgr.getXXService().findByName(name);
        RangerService service  = xService != null ? svcService.getPopulatedViewObject(xService) : null;

        return service != null && bizUtil.isUserServiceAdmin(service, bizUtil.getCurrentUserLoginId());

    }

    public boolean isZoneAdmin(String zoneName) {
        return serviceMgr.isZoneAdmin(zoneName);
    }

    public Set<String> getGroupsForUser(String userName) {
        return userMgr.getGroupsForUser(userName);
    }

    public Set<String> getRolesForUser(String userName) {
        RangerRolesUtil rolesUtil = initGetRolesUtil();

        return rolesUtil != null && rolesUtil.getUserRoleMapping() != null ? rolesUtil.getUserRoleMapping().get(userName) : null;
    }

    public Set<String> getRolesForUserAndGroups(String userName, Collection<String> groups) {
        RangerRolesUtil rolesUtil = initGetRolesUtil();
        Set<String>     ret       = getRolesForUser(userName);

        if (rolesUtil != null) {
            final Map<String, Set<String>> groupRoleMapping = rolesUtil.getGroupRoleMapping();

            if (MapUtils.isNotEmpty(groupRoleMapping)) {
                if (CollectionUtils.isNotEmpty(groups)) {
                    for (String group : groups) {
                        ret = addRoles(ret, groupRoleMapping.get(group));
                    }
                }

                ret = addRoles(ret, groupRoleMapping.get(RangerPolicyEngine.GROUP_PUBLIC));
            }
        }

        return ret;
    }

    public Set<String> getAccessTypes(String serviceName) {
        List<String> accessTypes = daoMgr.getXXAccessTypeDef().getNamesByServiceName(serviceName);
        Set<String>  ret         = new HashSet<>(accessTypes);

        ret.addAll(ServiceDefUtil.ACCESS_TYPE_MARKERS);

        return ret;
    }

    public Set<String> getMaskTypes(String serviceName) {
        List<String> maskTypes = daoMgr.getXXDataMaskTypeDef().getNamesByServiceName(serviceName);
        Set<String>  ret       = new HashSet<>(maskTypes);

        return ret;
    }

    public RangerDataset getDataset(Long id) {
        RangerDataset ret = null;

        if (id != null) {
            try {
                ret = datasetService.read(id);
            } catch (Exception excp) {
                LOG.debug("failed to get dataset with id={}", id, excp);

                // ignore
            }
        }

        return ret;
    }

    public RangerProject getProject(Long id) {
        RangerProject ret = null;

        if (id != null) {
            try {
                ret = projectService.read(id);
            } catch (Exception excp) {
                LOG.debug("failed to get project with id={}", id, excp);

                // ignore
            }
        }

        return ret;
    }

    public RangerDataShare getDataShare(Long id) {
        RangerDataShare ret = null;

        try {
            ret = dataShareService.read(id);
        } catch (Exception excp) {
            LOG.debug("failed to get DataShare with id={}", id, excp);

            // ignore
        }

        return ret;
    }

    public Long getSharedResourceId(Long dataShareId, String name) {
        Long ret = daoMgr.getXXGdsSharedResource().getIdByDataShareIdAndName(dataShareId, name);

        return ret;
    }

    public Long getSharedResourceId(Long dataShareId, RangerPolicyResourceSignature signature) {
		Long ret = daoMgr.getXXGdsSharedResource().getIdByDataShareIdAndResourceSignature(dataShareId, signature.getSignature());

		return ret;
    }

    private RangerRolesUtil initGetRolesUtil() {
        RangerRolesUtil ret              = this.rolesUtil;
        Long            lastKnownVersion = ret != null ? ret.getRoleVersion() : null;
        Long            currentVersion   = daoMgr.getXXGlobalState().getAppDataVersion(RANGER_GLOBAL_STATE_NAME_ROLE);

        if (lastKnownVersion == null || !lastKnownVersion.equals(currentVersion)) {
            synchronized (this) {
                ret              = this.rolesUtil;
                lastKnownVersion = ret != null ? ret.getRoleVersion() : null;

                if (lastKnownVersion == null || !lastKnownVersion.equals(currentVersion)) {
                    try {
                        RangerRoles roles = RangerRoleCache.getInstance().getLatestRangerRoleOrCached(SERVICE_NAME_FOR_ROLES, rolesStore, lastKnownVersion, currentVersion);

                        if (roles != null) {
                            this.rolesUtil = ret = new RangerRolesUtil(roles);
                        }
                    } catch (Exception excp) {
                        LOG.warn("failed to get roles from store", excp);
                    }
                } else {
                    LOG.debug("roles already initialized to latest version {}", currentVersion);
                }
            }
        }

        return ret;
    }

    private Set<String> addRoles(Set<String> allRoles, Set<String> rolesToAdd) {
        if (CollectionUtils.isNotEmpty(rolesToAdd)) {
            if (allRoles == null) {
                allRoles = new HashSet<>();
            }

            allRoles.addAll(rolesToAdd);
        }

        return allRoles;
    }
}