agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsSharedResourceEvaluator.java - ranger - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */

 package org.apache.ranger.plugin.policyengine.gds;

 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
 import org.apache.ranger.plugin.policyevaluator.RangerCustomConditionEvaluator;
 import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType;
 import org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator;
 import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
 import org.apache.ranger.plugin.util.ServiceDefUtil;
 import org.apache.ranger.plugin.util.ServiceGdsInfo.SharedResourceInfo;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import java.util.*;

 public class GdsSharedResourceEvaluator implements RangerResourceEvaluator {
     private static final Logger LOG = LoggerFactory.getLogger(GdsSharedResourceEvaluator.class);

     public static final GdsSharedResourceEvalOrderComparator EVAL_ORDER_COMPARATOR = new GdsSharedResourceEvalOrderComparator();

     private final SharedResourceInfo                resource;
     private final RangerConditionEvaluator          conditionEvaluator;
     private final Map<String, RangerPolicyResource> policyResource;
     private final RangerPolicyResourceMatcher       policyResourceMatcher;
     private final RangerResourceDef                 leafResourceDef;
     private final Set<String>                       allowedAccessTypes;

     public GdsSharedResourceEvaluator(SharedResourceInfo resource, Set<String> defaultAccessTypes, RangerServiceDefHelper serviceDefHelper) {
         this.resource           = resource;
         this.conditionEvaluator = RangerCustomConditionEvaluator.getInstance().getExpressionEvaluator(resource.getConditionExpr(), serviceDefHelper.getServiceDef());

         if (this.resource.getResource() == null) {
             this.resource.setResource(Collections.emptyMap());
         }

         if (StringUtils.isNotBlank(resource.getSubResourceType()) && resource.getSubResource() != null && CollectionUtils.isNotEmpty(resource.getSubResource().getValues())) {
             this.policyResource = new HashMap<>(resource.getResource());

             this.policyResource.put(resource.getSubResourceType(), resource.getSubResource());
         } else {
             this.policyResource = resource.getResource();
         }

         this.policyResourceMatcher = initPolicyResourceMatcher(policyResource, serviceDefHelper);
         this.leafResourceDef       = ServiceDefUtil.getLeafResourceDef(serviceDefHelper.getServiceDef(), policyResource);
         this.allowedAccessTypes    = serviceDefHelper.expandImpliedAccessGrants(resource.getAccessTypes() != null ? resource.getAccessTypes() : defaultAccessTypes);

         LOG.debug("GdsSharedResourceEvaluator: resource={}, conditionEvaluator={}, policyResource={}, leafResourceDef={}, allowedAccessTypes={}",
                   resource, conditionEvaluator, policyResource, leafResourceDef, allowedAccessTypes);
     }

     @Override
     public long getId() {
         return resource.getId();
     }

     @Override
     public RangerPolicyResourceMatcher getPolicyResourceMatcher() {
         return policyResourceMatcher;
     }

     @Override
     public Map<String, RangerPolicyResource> getPolicyResource() {
         return policyResource;
     }

     @Override
     public RangerResourceMatcher getResourceMatcher(String resourceName) {
         return policyResourceMatcher.getResourceMatcher(resourceName);
     }

     @Override
     public boolean isAncestorOf(RangerResourceDef resourceDef) {
         return ServiceDefUtil.isAncestorOf(policyResourceMatcher.getServiceDef(), leafResourceDef, resourceDef);
     }

     public Collection<String> getResourceKeys() {
         return resource != null && resource.getResource() != null ? resource.getResource().keySet() : Collections.emptySet();
     }

     public boolean isConditional() { return conditionEvaluator != null; }

     public Set<String> getAllowedAccessTypes() { return allowedAccessTypes; }

     public boolean isAllowed(RangerAccessRequest request) {
         LOG.debug("==> GdsSharedResourceEvaluator.evaluate({})", request);

         boolean ret = conditionEvaluator == null || conditionEvaluator.isMatched(request);

         if (ret) {
             ret = request.isAccessTypeAny() ? !allowedAccessTypes.isEmpty() : allowedAccessTypes.contains(request.getAccessType());

             if (ret) {
                 MatchType matchType = policyResourceMatcher.getMatchType(request.getResource(), request.getResourceElementMatchingScopes(), request.getContext());

                 if (request.isAccessTypeAny()) {
                     ret = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
                 } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
                     ret = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
                 } else {
                     ret = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
                 }

                 if (!ret) {
                     LOG.debug("GdsSharedResourceEvaluator.evaluate({}): not matched for resource {}", request, request.getResource());
                 }
             } else {
                 LOG.debug("GdsSharedResourceEvaluator.evaluate({}): not matched for accessType {}", request, request.getAccessType());
             }
         } else {
             LOG.debug("GdsSharedResourceEvaluator.evaluate({}): not matched for condition {}", request, resource.getConditionExpr());
         }

         LOG.debug("<== GdsSharedResourceEvaluator.evaluate({})", request);

         return ret;
     }

     public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, List<GdsDshidEvaluator> dshidEvaluators) {
         LOG.debug("==> GdsSharedResourceEvaluator.getResourceACLs({}, {})", request, acls);

         boolean isResourceMatch = policyResourceMatcher.isMatch(request.getResource(), request.getResourceElementMatchingScopes(), request.getContext());

         if (isResourceMatch) {
             isConditional = isConditional || conditionEvaluator != null;

             for (GdsDshidEvaluator dshidEvaluator : dshidEvaluators) {
                 dshidEvaluator.getResourceACLs(request, acls, isConditional, getAllowedAccessTypes());
             }
         }

         LOG.debug("<== GdsSharedResourceEvaluator.getResourceACLs({}, {})", request, acls);
     }

     public RangerPolicyItemRowFilterInfo getRowFilter() {
         return resource.getRowFilter();
     }

     public RangerPolicyItemDataMaskInfo getDataMask(String subResourceName) {
         return resource.getSubResourceMasks() != null ? resource.getSubResourceMasks().get(subResourceName) : null;
     }

     private static RangerPolicyResourceMatcher initPolicyResourceMatcher(Map<String, RangerPolicyResource> policyResource, RangerServiceDefHelper serviceDefHelper) {
         RangerDefaultPolicyResourceMatcher matcher = new RangerDefaultPolicyResourceMatcher();

         matcher.setServiceDefHelper(serviceDefHelper);
         matcher.setServiceDef(serviceDefHelper.getServiceDef());
         matcher.setPolicyResources(policyResource, RangerPolicy.POLICY_TYPE_ACCESS);

         matcher.init();

         return matcher;
     }

     public static class GdsSharedResourceEvalOrderComparator implements Comparator<GdsSharedResourceEvaluator> {
         @Override
         public int compare(GdsSharedResourceEvaluator me, GdsSharedResourceEvaluator other) {
             int ret = 0;

             if (me != null && other != null) {
                 ret = compareStrings(me.resource.getName(), other.resource.getName());

                 if (ret == 0) {
                     ret = Integer.compare(me.resource.getResource().size(), other.resource.getResource().size());

                     if (ret == 0) {
                         ret = Long.compare(me.getId(), other.getId());
                     }
                 }
             } else if (me != null) {
                 ret = -1;
             } else if (other != null) {
                 ret = 1;
             }

             return ret;
         }

         static int compareStrings(String str1, String str2) {
             if (str1 == null) {
                 return str2 == null ? 0 : -1;
             } else {
                 return str2 == null ? 1 : str1.compareTo(str2);
             }
         }
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/

	package org.apache.ranger.plugin.policyengine.gds;

	import org.apache.commons.collections.CollectionUtils;
	import org.apache.commons.lang3.StringUtils;
	import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
	import org.apache.ranger.plugin.model.RangerPolicy;
	import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
	import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo;
	import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
	import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
	import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
	import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
	import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
	import org.apache.ranger.plugin.policyevaluator.RangerCustomConditionEvaluator;
	import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
	import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
	import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType;
	import org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator;
	import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
	import org.apache.ranger.plugin.util.ServiceDefUtil;
	import org.apache.ranger.plugin.util.ServiceGdsInfo.SharedResourceInfo;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import java.util.*;

	public class GdsSharedResourceEvaluator implements RangerResourceEvaluator {
	private static final Logger LOG = LoggerFactory.getLogger(GdsSharedResourceEvaluator.class);

	public static final GdsSharedResourceEvalOrderComparator EVAL_ORDER_COMPARATOR = new GdsSharedResourceEvalOrderComparator();

	private final SharedResourceInfo resource;
	private final RangerConditionEvaluator conditionEvaluator;
	private final Map<String, RangerPolicyResource> policyResource;
	private final RangerPolicyResourceMatcher policyResourceMatcher;
	private final RangerResourceDef leafResourceDef;
	private final Set<String> allowedAccessTypes;

	public GdsSharedResourceEvaluator(SharedResourceInfo resource, Set<String> defaultAccessTypes, RangerServiceDefHelper serviceDefHelper) {
	this.resource = resource;
	this.conditionEvaluator = RangerCustomConditionEvaluator.getInstance().getExpressionEvaluator(resource.getConditionExpr(), serviceDefHelper.getServiceDef());

	if (this.resource.getResource() == null) {
	this.resource.setResource(Collections.emptyMap());
	}

	if (StringUtils.isNotBlank(resource.getSubResourceType()) && resource.getSubResource() != null && CollectionUtils.isNotEmpty(resource.getSubResource().getValues())) {
	this.policyResource = new HashMap<>(resource.getResource());

	this.policyResource.put(resource.getSubResourceType(), resource.getSubResource());
	} else {
	this.policyResource = resource.getResource();
	}

	this.policyResourceMatcher = initPolicyResourceMatcher(policyResource, serviceDefHelper);
	this.leafResourceDef = ServiceDefUtil.getLeafResourceDef(serviceDefHelper.getServiceDef(), policyResource);
	this.allowedAccessTypes = serviceDefHelper.expandImpliedAccessGrants(resource.getAccessTypes() != null ? resource.getAccessTypes() : defaultAccessTypes);

	LOG.debug("GdsSharedResourceEvaluator: resource={}, conditionEvaluator={}, policyResource={}, leafResourceDef={}, allowedAccessTypes={}",
	resource, conditionEvaluator, policyResource, leafResourceDef, allowedAccessTypes);
	}

	@Override
	public long getId() {
	return resource.getId();
	}

	@Override
	public RangerPolicyResourceMatcher getPolicyResourceMatcher() {
	return policyResourceMatcher;
	}

	@Override
	public Map<String, RangerPolicyResource> getPolicyResource() {
	return policyResource;
	}

	@Override
	public RangerResourceMatcher getResourceMatcher(String resourceName) {
	return policyResourceMatcher.getResourceMatcher(resourceName);
	}

	@Override
	public boolean isAncestorOf(RangerResourceDef resourceDef) {
	return ServiceDefUtil.isAncestorOf(policyResourceMatcher.getServiceDef(), leafResourceDef, resourceDef);
	}

	public Collection<String> getResourceKeys() {
	return resource != null && resource.getResource() != null ? resource.getResource().keySet() : Collections.emptySet();
	}

	public boolean isConditional() { return conditionEvaluator != null; }

	public Set<String> getAllowedAccessTypes() { return allowedAccessTypes; }

	public boolean isAllowed(RangerAccessRequest request) {
	LOG.debug("==> GdsSharedResourceEvaluator.evaluate({})", request);

	boolean ret = conditionEvaluator == null \|\| conditionEvaluator.isMatched(request);

	if (ret) {
	ret = request.isAccessTypeAny() ? !allowedAccessTypes.isEmpty() : allowedAccessTypes.contains(request.getAccessType());

	if (ret) {
	MatchType matchType = policyResourceMatcher.getMatchType(request.getResource(), request.getResourceElementMatchingScopes(), request.getContext());

	if (request.isAccessTypeAny()) {
	ret = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
	} else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
	ret = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
	} else {
	ret = matchType == RangerPolicyResourceMatcher.MatchType.SELF \|\| matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
	}

	if (!ret) {
	LOG.debug("GdsSharedResourceEvaluator.evaluate({}): not matched for resource {}", request, request.getResource());
	}
	} else {
	LOG.debug("GdsSharedResourceEvaluator.evaluate({}): not matched for accessType {}", request, request.getAccessType());
	}
	} else {
	LOG.debug("GdsSharedResourceEvaluator.evaluate({}): not matched for condition {}", request, resource.getConditionExpr());
	}

	LOG.debug("<== GdsSharedResourceEvaluator.evaluate({})", request);

	return ret;
	}

	public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, List<GdsDshidEvaluator> dshidEvaluators) {
	LOG.debug("==> GdsSharedResourceEvaluator.getResourceACLs({}, {})", request, acls);

	boolean isResourceMatch = policyResourceMatcher.isMatch(request.getResource(), request.getResourceElementMatchingScopes(), request.getContext());

	if (isResourceMatch) {
	isConditional = isConditional \|\| conditionEvaluator != null;

	for (GdsDshidEvaluator dshidEvaluator : dshidEvaluators) {
	dshidEvaluator.getResourceACLs(request, acls, isConditional, getAllowedAccessTypes());
	}
	}

	LOG.debug("<== GdsSharedResourceEvaluator.getResourceACLs({}, {})", request, acls);
	}

	public RangerPolicyItemRowFilterInfo getRowFilter() {
	return resource.getRowFilter();
	}

	public RangerPolicyItemDataMaskInfo getDataMask(String subResourceName) {
	return resource.getSubResourceMasks() != null ? resource.getSubResourceMasks().get(subResourceName) : null;
	}

	private static RangerPolicyResourceMatcher initPolicyResourceMatcher(Map<String, RangerPolicyResource> policyResource, RangerServiceDefHelper serviceDefHelper) {
	RangerDefaultPolicyResourceMatcher matcher = new RangerDefaultPolicyResourceMatcher();

	matcher.setServiceDefHelper(serviceDefHelper);
	matcher.setServiceDef(serviceDefHelper.getServiceDef());
	matcher.setPolicyResources(policyResource, RangerPolicy.POLICY_TYPE_ACCESS);

	matcher.init();

	return matcher;
	}

	public static class GdsSharedResourceEvalOrderComparator implements Comparator<GdsSharedResourceEvaluator> {
	@Override
	public int compare(GdsSharedResourceEvaluator me, GdsSharedResourceEvaluator other) {
	int ret = 0;

	if (me != null && other != null) {
	ret = compareStrings(me.resource.getName(), other.resource.getName());

	if (ret == 0) {
	ret = Integer.compare(me.resource.getResource().size(), other.resource.getResource().size());

	if (ret == 0) {
	ret = Long.compare(me.getId(), other.getId());
	}
	}
	} else if (me != null) {
	ret = -1;
	} else if (other != null) {
	ret = 1;
	}

	return ret;
	}

	static int compareStrings(String str1, String str2) {
	if (str1 == null) {
	return str2 == null ? 0 : -1;
	} else {
	return str2 == null ? 1 : str1.compareTo(str2);
	}
	}
	}
	}