Search in sources :

Example 11 with AuthorizeRequestPP

use of org.apache.geode.internal.security.AuthorizeRequestPP in project geode by apache.

the class ServerToClientFunctionResultSender method authorizeResult.

protected void authorizeResult(Object oneResult) throws IOException {
    // check if the caller is authorised to receive these function execution
    // results from server
    AuthorizeRequestPP authzRequestPP = this.sc.getPostAuthzRequest();
    if (authzRequestPP != null) {
        this.authContext.setIsPostOperation(true);
        this.authContext = authzRequestPP.executeFunctionAuthorize(oneResult, this.authContext);
    }
}
Also used : AuthorizeRequestPP(org.apache.geode.internal.security.AuthorizeRequestPP)

Example 12 with AuthorizeRequestPP

use of org.apache.geode.internal.security.AuthorizeRequestPP in project geode by apache.

the class CacheClientProxy method postDeliverAuthCheckPassed.

private boolean postDeliverAuthCheckPassed(ClientUpdateMessage clientMessage) {
    // process authorization
    if (AcceptorImpl.isAuthenticationRequired() && this.postAuthzCallback == null && AcceptorImpl.isPostAuthzCallbackPresent()) {
        // security is on and callback is null: it means multiuser mode.
        ClientUpdateMessageImpl cumi = (ClientUpdateMessageImpl) clientMessage;
        CqNameToOp clientCq = cumi.getClientCq(this.proxyID);
        if (clientCq != null && !clientCq.isEmpty()) {
            if (logger.isDebugEnabled()) {
                logger.debug("CCP clientCq size before processing auth {}", clientCq.size());
            }
            String[] regionNameHolder = new String[1];
            OperationContext opctxt = getOperationContext(clientMessage, regionNameHolder);
            if (opctxt == null) {
                logger.warn(LocalizedMessage.create(LocalizedStrings.CacheClientProxy__0_NOT_ADDING_MESSAGE_TO_QUEUE_1_BECAUSE_THE_OPERATION_CONTEXT_OBJECT_COULD_NOT_BE_OBTAINED_FOR_THIS_CLIENT_MESSAGE, new Object[] { this, clientMessage }));
                return false;
            }
            String[] cqNames = clientCq.getNames();
            if (logger.isDebugEnabled()) {
                logger.debug("CCP clientCq names array size {}", cqNames.length);
            }
            for (int i = 0; i < cqNames.length; i++) {
                try {
                    if (logger.isDebugEnabled()) {
                        logger.debug("CCP clientCq name {}", cqNames[i]);
                    }
                    boolean isAuthorized = false;
                    if (this.proxyID.isDurable() && this.getDurableKeepAlive() && this._isPaused) {
                        // need to take lock as we may be reinitializing proxy cache
                        synchronized (this.clientUserAuthsLock) {
                            AuthorizeRequestPP postAuthCallback = this.clientUserAuths.getUserAuthAttributes(cqNames[i]).getPostAuthzRequest();
                            if (logger.isDebugEnabled() && postAuthCallback == null) {
                                logger.debug("CCP clientCq post callback is null");
                            }
                            if (postAuthCallback != null && postAuthCallback.getPostAuthzCallback().authorizeOperation(regionNameHolder[0], opctxt)) {
                                isAuthorized = true;
                            }
                        }
                    } else {
                        UserAuthAttributes userAuthAttributes = this.clientUserAuths.getUserAuthAttributes(cqNames[i]);
                        AuthorizeRequestPP postAuthCallback = userAuthAttributes.getPostAuthzRequest();
                        if (postAuthCallback == null && logger.isDebugEnabled()) {
                            logger.debug("CCP clientCq post callback is null");
                        }
                        if (postAuthCallback != null && postAuthCallback.getPostAuthzCallback().authorizeOperation(regionNameHolder[0], opctxt)) {
                            isAuthorized = true;
                        }
                    }
                    if (!isAuthorized) {
                        logger.warn(LocalizedMessage.create(LocalizedStrings.CacheClientProxy__0_NOT_ADDING_CQ_MESSAGE_TO_QUEUE_1_BECAUSE_AUTHORIZATION_FAILED, new Object[] { this, clientMessage }));
                        clientCq.delete(cqNames[i]);
                    }
                } catch (Exception ex) {
                // ignore...
                }
                if (logger.isDebugEnabled()) {
                    logger.debug("CCP clientCq size after processing auth {}", clientCq.size());
                }
            }
            // again need to check as there may be no CQ available
            if (!clientMessage.hasCqs(this.proxyID)) {
                this._statistics.incMessagesNotQueuedNotInterested();
                if (logger.isTraceEnabled(LogMarker.BRIDGE_SERVER)) {
                    logger.debug("{}: Not adding message to queue. It is not interested in this region and key: {}", clientMessage);
                }
                return false;
            }
        }
    } else if (this.postAuthzCallback != null) {
        String[] regionNameHolder = new String[1];
        boolean isAuthorize = false;
        OperationContext opctxt = getOperationContext(clientMessage, regionNameHolder);
        if (opctxt == null) {
            logger.warn(LocalizedMessage.create(LocalizedStrings.CacheClientProxy__0_NOT_ADDING_MESSAGE_TO_QUEUE_1_BECAUSE_THE_OPERATION_CONTEXT_OBJECT_COULD_NOT_BE_OBTAINED_FOR_THIS_CLIENT_MESSAGE, new Object[] { this, clientMessage }));
            return false;
        }
        if (logger.isTraceEnabled()) {
            logger.trace("{}: Invoking authorizeOperation for message: {}", this, clientMessage);
        }
        if (this.proxyID.isDurable() && this.getDurableKeepAlive() && this._isPaused) {
            synchronized (this.clientUserAuthsLock) {
                isAuthorize = this.postAuthzCallback.authorizeOperation(regionNameHolder[0], opctxt);
            }
        } else {
            isAuthorize = this.postAuthzCallback.authorizeOperation(regionNameHolder[0], opctxt);
        }
        if (!isAuthorize) {
            logger.warn(LocalizedMessage.create(LocalizedStrings.CacheClientProxy__0_NOT_ADDING_MESSAGE_TO_QUEUE_1_BECAUSE_AUTHORIZATION_FAILED, new Object[] { this, clientMessage }));
            return false;
        }
    }
    return true;
}
Also used : RegionCreateOperationContext(org.apache.geode.cache.operations.RegionCreateOperationContext) DestroyOperationContext(org.apache.geode.cache.operations.DestroyOperationContext) PutOperationContext(org.apache.geode.cache.operations.PutOperationContext) InvalidateOperationContext(org.apache.geode.cache.operations.InvalidateOperationContext) RegionClearOperationContext(org.apache.geode.cache.operations.RegionClearOperationContext) RegionDestroyOperationContext(org.apache.geode.cache.operations.RegionDestroyOperationContext) OperationContext(org.apache.geode.cache.operations.OperationContext) CqNameToOp(org.apache.geode.internal.cache.tier.sockets.ClientUpdateMessageImpl.CqNameToOp) AuthorizeRequestPP(org.apache.geode.internal.security.AuthorizeRequestPP) RegionExistsException(org.apache.geode.cache.RegionExistsException) CqException(org.apache.geode.cache.query.CqException) RegionDestroyedException(org.apache.geode.cache.RegionDestroyedException) CancelException(org.apache.geode.CancelException) SocketException(java.net.SocketException) IOException(java.io.IOException) CacheException(org.apache.geode.cache.CacheException)

Example 13 with AuthorizeRequestPP

use of org.apache.geode.internal.security.AuthorizeRequestPP in project geode by apache.

the class BaseCommandQuery method processQueryUsingParams.

/**
   * Process the give query and sends the resulset back to the client.
   *
   * @param msg
   * @param query
   * @param queryString
   * @param regionNames
   * @param start
   * @param cqQuery
   * @param queryContext
   * @param servConn
   * @return true if successful execution false in case of failure.
   * @throws IOException
   */
protected boolean processQueryUsingParams(Message msg, Query query, String queryString, Set regionNames, long start, ServerCQ cqQuery, QueryOperationContext queryContext, ServerConnection servConn, boolean sendResults, Object[] params) throws IOException, InterruptedException {
    ChunkedMessage queryResponseMsg = servConn.getQueryResponseMessage();
    CacheServerStats stats = servConn.getCacheServerStats();
    CachedRegionHelper crHelper = servConn.getCachedRegionHelper();
    {
        long oldStart = start;
        start = DistributionStats.getStatTime();
        stats.incReadQueryRequestTime(start - oldStart);
    }
    // object type
    if (servConn.getClientVersion().compareTo(Version.GFE_70) >= 0) {
        ((DefaultQuery) query).setRemoteQuery(true);
    }
    // Process the query request
    try {
        // integrated security
        for (Object regionName : regionNames) {
            this.securityService.authorizeRegionRead(regionName.toString());
        }
        // Execute query
        // startTime = GenericStats.getTime();
        // startTime = System.currentTimeMillis();
        // For now we assume the results are a SelectResults
        // which is the only possibility now, but this may change
        // in the future if we support arbitrary queries
        Object result = null;
        if (params != null) {
            result = query.execute(params);
        } else {
            result = query.execute();
        }
        // Asif : Before conditioning the results check if any
        // of the regions involved in the query have been destroyed
        // or not. If yes, throw an Exception.
        // This is a workaround/fix for Bug 36969
        Iterator itr = regionNames.iterator();
        while (itr.hasNext()) {
            String regionName = (String) itr.next();
            if (crHelper.getRegion(regionName) == null) {
                throw new RegionDestroyedException(LocalizedStrings.BaseCommand_REGION_DESTROYED_DURING_THE_EXECUTION_OF_THE_QUERY.toLocalizedString(), regionName);
            }
        }
        AuthorizeRequestPP postAuthzRequest = servConn.getPostAuthzRequest();
        if (postAuthzRequest != null) {
            if (cqQuery == null) {
                queryContext = postAuthzRequest.queryAuthorize(queryString, regionNames, result, queryContext, params);
            } else {
                queryContext = postAuthzRequest.executeCQAuthorize(cqQuery.getName(), queryString, regionNames, result, queryContext);
            }
            result = queryContext.getQueryResult();
        }
        if (result instanceof SelectResults) {
            SelectResults selectResults = (SelectResults) result;
            if (logger.isDebugEnabled()) {
                logger.debug("Query Result size for : {} is {}", query.getQueryString(), selectResults.size());
            }
            CollectionType collectionType = null;
            boolean sendCqResultsWithKey = true;
            boolean isStructs = false;
            // check if resultset has serialized objects, so that they could be sent
            // as ObjectPartList
            boolean hasSerializedObjects = ((DefaultQuery) query).isKeepSerialized();
            if (logger.isDebugEnabled()) {
                logger.debug("Query Result for :{} has serialized objects: {}", query.getQueryString(), hasSerializedObjects);
            }
            // Don't convert to a Set, there might be duplicates now
            // The results in a StructSet are stored in Object[]s
            // Get them as Object[]s for the objs[] in order to avoid duplicating
            // the StructTypes
            // Object[] objs = new Object[selectResults.size()];
            // Get the collection type (which includes the element type)
            // (used to generate the appropriate instance on the client)
            // Get the collection type (which includes the element type)
            // (used to generate the appropriate instance on the client)
            collectionType = getCollectionType(selectResults);
            isStructs = collectionType.getElementType().isStructType();
            // Check if the Query is from CQ execution.
            if (cqQuery != null) {
                // Check if the key can be sent to the client based on its version.
                sendCqResultsWithKey = sendCqResultsWithKey(servConn);
                if (sendCqResultsWithKey) {
                    // Update the collection type to include key info.
                    collectionType = new CollectionTypeImpl(Collection.class, new StructTypeImpl(new String[] { "key", "value" }));
                    isStructs = collectionType.getElementType().isStructType();
                }
            }
            int numberOfChunks = (int) Math.ceil(selectResults.size() * 1.0 / MAXIMUM_CHUNK_SIZE);
            if (logger.isTraceEnabled()) {
                logger.trace("{}: Query results size: {}: Entries in chunk: {}: Number of chunks: {}", servConn.getName(), selectResults.size(), MAXIMUM_CHUNK_SIZE, numberOfChunks);
            }
            long oldStart = start;
            start = DistributionStats.getStatTime();
            stats.incProcessQueryTime(start - oldStart);
            if (sendResults) {
                queryResponseMsg.setMessageType(MessageType.RESPONSE);
                queryResponseMsg.setTransactionId(msg.getTransactionId());
                queryResponseMsg.sendHeader();
            }
            if (sendResults && numberOfChunks == 0) {
                // Send 1 empty chunk
                if (logger.isTraceEnabled()) {
                    logger.trace("{}: Creating chunk: 0", servConn.getName());
                }
                writeQueryResponseChunk(new Object[0], collectionType, true, servConn);
                if (logger.isDebugEnabled()) {
                    logger.debug("{}: Sent chunk (1 of 1) of query response for query {}", servConn.getName(), queryString);
                }
            } else {
                // send it as a part of ObjectPartList
                if (hasSerializedObjects) {
                    sendResultsAsObjectPartList(numberOfChunks, servConn, selectResults.asList(), isStructs, collectionType, queryString, cqQuery, sendCqResultsWithKey, sendResults);
                } else {
                    sendResultsAsObjectArray(selectResults, numberOfChunks, servConn, isStructs, collectionType, queryString, cqQuery, sendCqResultsWithKey, sendResults);
                }
            }
            if (cqQuery != null) {
                // Set the CQ query result cache initialized flag.
                cqQuery.setCqResultsCacheInitialized();
            }
        } else if (result instanceof Integer) {
            if (sendResults) {
                queryResponseMsg.setMessageType(MessageType.RESPONSE);
                queryResponseMsg.setTransactionId(msg.getTransactionId());
                queryResponseMsg.sendHeader();
                writeQueryResponseChunk(result, null, true, servConn);
            }
        } else {
            throw new QueryInvalidException(LocalizedStrings.BaseCommand_UNKNOWN_RESULT_TYPE_0.toLocalizedString(result.getClass()));
        }
        msg.clearParts();
    } catch (QueryInvalidException e) {
        // Handle this exception differently since it can contain
        // non-serializable objects.
        // java.io.NotSerializableException: antlr.CommonToken
        // Log a warning to show stack trace and create a new
        // QueryInvalidEsception on the original one's message (not cause).
        logger.warn(LocalizedMessage.create(LocalizedStrings.BaseCommand_UNEXPECTED_QUERYINVALIDEXCEPTION_WHILE_PROCESSING_QUERY_0, queryString), e);
        QueryInvalidException qie = new QueryInvalidException(LocalizedStrings.BaseCommand_0_QUERYSTRING_IS_1.toLocalizedString(new Object[] { e.getLocalizedMessage(), queryString }));
        writeQueryResponseException(msg, qie, servConn);
        return false;
    } catch (DistributedSystemDisconnectedException se) {
        if (msg != null && logger.isDebugEnabled()) {
            logger.debug("{}: ignoring message of type {} from client {} because shutdown occurred during message processing.", servConn.getName(), MessageType.getString(msg.getMessageType()), servConn.getProxyID());
        }
        servConn.setFlagProcessMessagesAsFalse();
        servConn.setClientDisconnectedException(se);
        return false;
    } catch (Exception e) {
        // If an interrupted exception is thrown , rethrow it
        checkForInterrupt(servConn, e);
        // Otherwise, write a query response and continue
        // Check if query got canceled from QueryMonitor.
        DefaultQuery defaultQuery = (DefaultQuery) query;
        if ((defaultQuery).isCanceled()) {
            e = new QueryException(defaultQuery.getQueryCanceledException().getMessage(), e.getCause());
        }
        writeQueryResponseException(msg, e, servConn);
        return false;
    } finally {
    // Since the query object is being shared in case of bind queries,
    // resetting the flag may cause inconsistency.
    // Also since this flag is only being set in code path executed by
    // remote query execution, resetting it is not required.
    // ((DefaultQuery)query).setRemoteQuery(false);
    }
    if (logger.isDebugEnabled()) {
        logger.debug("{}: Sent query response for query {}", servConn.getName(), queryString);
    }
    stats.incWriteQueryResponseTime(DistributionStats.getStatTime() - start);
    return true;
}
Also used : DistributedSystemDisconnectedException(org.apache.geode.distributed.DistributedSystemDisconnectedException) DefaultQuery(org.apache.geode.cache.query.internal.DefaultQuery) RegionDestroyedException(org.apache.geode.cache.RegionDestroyedException) QueryInvalidException(org.apache.geode.cache.query.QueryInvalidException) AuthorizeRequestPP(org.apache.geode.internal.security.AuthorizeRequestPP) RegionDestroyedException(org.apache.geode.cache.RegionDestroyedException) DistributedSystemDisconnectedException(org.apache.geode.distributed.DistributedSystemDisconnectedException) QueryInvalidException(org.apache.geode.cache.query.QueryInvalidException) IOException(java.io.IOException) QueryException(org.apache.geode.cache.query.QueryException) CachedRegionHelper(org.apache.geode.internal.cache.tier.CachedRegionHelper) QueryException(org.apache.geode.cache.query.QueryException) SelectResults(org.apache.geode.cache.query.SelectResults) CollectionTypeImpl(org.apache.geode.cache.query.internal.types.CollectionTypeImpl) CollectionType(org.apache.geode.cache.query.types.CollectionType) Iterator(java.util.Iterator) StructTypeImpl(org.apache.geode.cache.query.internal.types.StructTypeImpl) Collection(java.util.Collection)

Aggregations

AuthorizeRequestPP (org.apache.geode.internal.security.AuthorizeRequestPP)13 AuthorizeRequest (org.apache.geode.internal.security.AuthorizeRequest)8 IOException (java.io.IOException)6 GetOperationContext (org.apache.geode.cache.operations.GetOperationContext)6 NotAuthorizedException (org.apache.geode.security.NotAuthorizedException)6 Iterator (java.util.Iterator)5 Set (java.util.Set)4 GetOperationContextImpl (org.apache.geode.cache.operations.internal.GetOperationContextImpl)3 CachedRegionHelper (org.apache.geode.internal.cache.tier.CachedRegionHelper)3 VersionTag (org.apache.geode.internal.cache.versions.VersionTag)3 Retained (org.apache.geode.internal.offheap.annotations.Retained)3 SocketException (java.net.SocketException)2 Region (org.apache.geode.cache.Region)2 RegionDestroyedException (org.apache.geode.cache.RegionDestroyedException)2 StringId (org.apache.geode.i18n.StringId)2 LocalRegion (org.apache.geode.internal.cache.LocalRegion)2 PartitionedRegion (org.apache.geode.internal.cache.PartitionedRegion)2 CacheServerStats (org.apache.geode.internal.cache.tier.sockets.CacheServerStats)2 Part (org.apache.geode.internal.cache.tier.sockets.Part)2 VersionedObjectList (org.apache.geode.internal.cache.tier.sockets.VersionedObjectList)2