
Example 1 with Action

use of org.apache.ranger.plugin.model.validation.RangerValidator.Action in project ranger by apache.

the class TestRangerPolicyValidator method test_isPolicyResourceUnique.

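/**
 * Checks the validator's resource-signature uniqueness rule for policies.
 *
 * <p>Cases covered: no policy in the store with the same signature (store answers with
 * {@code null} or with an empty list), a clash on create, a match on update with the same id
 * and with a different id, more than one match, and the rule that a disabled policy is never
 * rejected by this check.
 *
 * @throws Exception if a stubbed store or factory call throws
 */
@Test
public final void test_isPolicyResourceUnique() throws Exception {
    RangerPolicyResourceSignature signature = mock(RangerPolicyResourceSignature.class);
    String hash = "hash-1";
    when(signature.getSignature()).thenReturn(hash);
    when(_factory.createPolicyResourceSignature(_policy)).thenReturn(signature);
    when(_policy.getService()).thenReturn("service-name");
    // NOTE(review): the third argument (true) presumably limits the lookup to enabled
    // policies -- confirm against the store interface.
    // If the store holds no policy with this signature the check must succeed, whether the
    // store reports "nothing found" as null or as an empty list.  The earlier version stubbed
    // null once and asserted twice, so the empty-list answer was never exercised.
    List<RangerPolicy> noMatch = null;
    List<RangerPolicy> policies = new ArrayList<>();
    for (Action action : cu) {
        when(_store.getPoliciesByResourceSignature("service-name", hash, true)).thenReturn(noMatch);
        Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, action));
        when(_store.getPoliciesByResourceSignature("service-name", hash, true)).thenReturn(policies);
        Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, action));
    }
    /*
     * If the store has a policy with a matching signature the check must fail with an
     * appropriate error message.
     * - For create, any match is a problem.
     * - The signature check never fails for a disabled policy.
     */
    RangerPolicy policy1 = mock(RangerPolicy.class);
    policies.add(policy1);
    when(_store.getPoliciesByResourceSignature("service-name", hash, true)).thenReturn(policies);
    // ensure policy is enabled
    when(_policy.getIsEnabled()).thenReturn(true);
    _failures.clear();
    Assert.assertFalse(_validator.isPolicyResourceUnique(_policy, _failures, Action.CREATE));
    _utils.checkFailureForSemanticError(_failures, "resources");
    // same check should pass if the policy is disabled
    when(_policy.getIsEnabled()).thenReturn(false);
    _failures.clear();
    Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, Action.CREATE));
    Assert.assertTrue("failures collection wasn't empty!", _failures.isEmpty());
    // For update, a match is not a problem when the matching policy is the one being updated,
    // i.e. it has the same id.
    // ensure policy is enabled
    when(_policy.getIsEnabled()).thenReturn(true);
    when(policy1.getId()).thenReturn(103L);
    when(_policy.getId()).thenReturn(103L);
    Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
    // the matching policy must not be some other policy (different id): that is a conflict
    when(policy1.getId()).thenReturn(104L);
    Assert.assertFalse(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
    _utils.checkFailureForSemanticError(_failures, "resources");
    // same check should pass if the policy is disabled
    when(_policy.getIsEnabled()).thenReturn(false);
    _failures.clear();
    Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
    Assert.assertTrue("failures collection wasn't empty!", _failures.isEmpty());
    // Validation must never pass when more than one policy has the matching signature,
    // regardless of their ids.
    RangerPolicy policy2 = mock(RangerPolicy.class);
    // has same id as the policy being tested (_policy)
    when(policy2.getId()).thenReturn(103L);
    policies.add(policy2);
    // ensure policy is enabled
    when(_policy.getIsEnabled()).thenReturn(true);
    Assert.assertFalse(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
    _utils.checkFailureForSemanticError(_failures, "resources");
    // same check should pass if the policy is disabled
    when(_policy.getIsEnabled()).thenReturn(false);
    _failures.clear();
    Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
    Assert.assertTrue("failures collection wasn't empty!", _failures.isEmpty());
}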
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) Test(org.junit.Test)

Example 2 with Action

use of org.apache.ranger.plugin.model.validation.RangerValidator.Action in project ranger by apache.

the class TestRangerServiceDefValidator method testIsValid_failures.

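/**
 * Checks that a {@code null} service def is rejected for every action in {@code cu} and that
 * the rejection is reported as a missing "service def" value.
 *
 * @throws Exception if the validator call throws
 */
@Test
public final void testIsValid_failures() throws Exception {
    for (Action action : cu) {
        // Start each action from an empty failure list; otherwise a failure recorded for an
        // earlier action could satisfy the check below even if this action recorded none.
        _failures.clear();
        // passing in null service def is an error
        assertFalse(_validator.isValid((RangerServiceDef) null, action, _failures));
        _utils.checkFailureForMissingValue(_failures, "service def");
    }
}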
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) Test(org.junit.Test)

Example 3 with Action

use of org.apache.ranger.plugin.model.validation.RangerValidator.Action in project ranger by apache.

the class TestRangerServiceDefValidator method test_isValidName.

/**
 * Checks that a null, empty or whitespace-only service-def name is rejected for every action
 * in {@code cu} and reported as a missing "name" value.
 *
 * @throws Exception if the validator call throws
 */
@Test
public final void test_isValidName() throws Exception {
    // the id value itself is arbitrary
    final Long arbitraryId = 7L;
    // names that must all count as "missing"
    final String[] blankNames = { null, "", "  " };
    for (Action action : cu) {
        for (String blankName : blankNames) {
            _failures.clear();
            when(_serviceDef.getName()).thenReturn(blankName);
            final boolean accepted = _validator.isValidServiceDefName(blankName, arbitraryId, action, _failures);
            assertFalse(accepted);
            _utils.checkFailureForMissingValue(_failures, "name");
        }
    }
}
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) Test(org.junit.Test)

Example 4 with Action

use of org.apache.ranger.plugin.model.validation.RangerValidator.Action in project ranger by apache.

the class TestRangerServiceValidator method test_isValid_missingRequiredParameter.

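/**
 * Checks that a service whose configuration lacks a parameter the service def marks as
 * required is rejected for every action in {@code cu}.
 *
 * @throws Exception if a stubbed store call throws
 */
@Test
public void test_isValid_missingRequiredParameter() throws Exception {
    // Create/Update: simulate a condition where required parameters are missing.
    // Each row is { parameter name, flag }; NOTE(review): the flag presumably marks the
    // parameter as mandatory -- confirm against the test utility that builds the defs.
    Object[][] input = new Object[][] { { "param1", true }, { "param2", true }, { "param3", false }, { "param4", false } };
    List<RangerServiceConfigDef> configDefs = _utils.createServiceConditionDefs(input);
    RangerServiceDef serviceDef = mock(RangerServiceDef.class);
    when(serviceDef.getConfigs()).thenReturn(configDefs);
    // wire this service def into store
    when(_store.getServiceDefByName("aType")).thenReturn(serviceDef);
    // create a service with a required parameter missing
    RangerService service = mock(RangerService.class);
    when(service.getType()).thenReturn("aType");
    when(service.getName()).thenReturn("aName");
    // required parameter param2 is missing; param5 is not declared by the service def
    String[] params = new String[] { "param1", "param3", "param4", "param5" };
    Map<String, String> paramMap = _utils.createMap(params);
    when(service.getConfigs()).thenReturn(paramMap);
    // The service does not exist in the store.  Stub the lookup under the name the mocked
    // service reports ("aName"); the earlier stub used "aService", which no object in this
    // test is named, so it did not describe the service being validated.
    when(_store.getServiceByName("aName")).thenReturn(null);
    for (Action action : cu) {
        // it should be invalid
        checkFailure_isValid(_validator, service, action, _failures, "missing", "configuration", "param2");
    }
}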
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerServiceConfigDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) RangerService(org.apache.ranger.plugin.model.RangerService) Test(org.junit.Test)

Example 5 with Action

use of org.apache.ranger.plugin.model.validation.RangerValidator.Action in project ranger by apache.

the class TestRangerPolicyValidator method testIsValid_failures.

/**
 * Walks the policy validator through its rejection paths, one precondition at a time: missing
 * policy, missing name, missing id on update, name/id clashes with stored policies, missing or
 * unknown service, missing policy items, missing service def, wrong access types, bad
 * resources, and a resource-signature clash.
 *
 * <p>The stubs build on each other, so the order of the sections matters. From the
 * "more than one policy" section onward every case runs with {@code isAdmin} both
 * {@code true} and {@code false}: the rejection must not depend on the caller being an admin.
 *
 * @throws Exception if a stubbed store or factory call throws
 */
@Test
public final void testIsValid_failures() throws Exception {
    for (Action action : cu) {
        // passing in a null policy should fail with appropriate failure reason
        _policy = null;
        checkFailure_isValid(action, "missing", "policy");
        // policy must have a name on it
        _policy = mock(RangerPolicy.class);
        for (String name : new String[] { null, "  " }) {
            when(_policy.getName()).thenReturn(name);
            when(_policy.getResources()).thenReturn(null);
            checkFailure_isValid(action, "missing", "name");
        }
        // for update id is required!
        if (action == Action.UPDATE) {
            when(_policy.getId()).thenReturn(null);
            checkFailure_isValid(action, "missing", "id");
        }
    }
    /*
     * Id is ignored for create, but the name must not belong to an existing policy.
     * For update, a policy must exist for the id and must match its name.
     */
    when(_policy.getName()).thenReturn("policy-name");
    when(_policy.getService()).thenReturn("service-name");
    RangerPolicy existingPolicy = mock(RangerPolicy.class);
    when(existingPolicy.getId()).thenReturn(7L);
    List<RangerPolicy> existingPolicies = new ArrayList<>();
    existingPolicies.add(existingPolicy);
    SearchFilter filter = new SearchFilter();
    filter.setParam(SearchFilter.SERVICE_NAME, "service-name");
    filter.setParam(SearchFilter.POLICY_NAME, "policy-name");
    when(_store.getPolicies(filter)).thenReturn(existingPolicies);
    checkFailure_isValid(Action.CREATE, "semantic", "policy name");
    // update: no policy exists in the store for the id
    when(_policy.getId()).thenReturn(7L);
    when(_store.getPolicy(7L)).thenReturn(null);
    checkFailure_isValid(Action.UPDATE, "semantic", "id");
    // update: name should not point to an existing different policy, i.e. with a different id
    when(_store.getPolicy(7L)).thenReturn(existingPolicy);
    RangerPolicy anotherExistingPolicy = mock(RangerPolicy.class);
    when(anotherExistingPolicy.getId()).thenReturn(8L);
    existingPolicies.clear();
    existingPolicies.add(anotherExistingPolicy);
    when(_store.getPolicies(filter)).thenReturn(existingPolicies);
    checkFailure_isValid(Action.UPDATE, "semantic", "id/name");
    // more than one policy with the same name is an internal error;
    // the stubbed list is extended after stubbing, which works because the stub returns the same list object
    when(_policy.getName()).thenReturn("policy-name");
    when(_store.getPolicies(filter)).thenReturn(existingPolicies);
    existingPolicies.add(existingPolicy);
    existingPolicy = mock(RangerPolicy.class);
    existingPolicies.add(existingPolicy);
    for (boolean isAdmin : new boolean[] { true, false }) {
        _failures.clear();
        Assert.assertFalse(_validator.isValid(_policy, Action.UPDATE, isAdmin, _failures));
        _utils.checkFailureForInternalError(_failures);
    }
    // policy must have a service name on it: null and empty are both "missing"
    when(_policy.getName()).thenReturn("policy-name");
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            when(_policy.getService()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
            when(_policy.getService()).thenReturn("");
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
        }
    }
    // service name should be valid: one name is unknown to the store, the other makes the
    // store lookup throw; both must be reported as a semantic error (see the asserts below),
    // i.e. a failing lookup does not let the policy through
    when(_store.getServiceByName("service-name")).thenReturn(null);
    when(_store.getServiceByName("another-service-name")).thenThrow(new Exception());
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            // NOTE(review): the next two cases both stub a null service name and repeat the
            // null case of the previous loop; the second looks like a copy of the first
            when(_policy.getService()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
            when(_policy.getService()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
            // service unknown to the store
            when(_policy.getService()).thenReturn("service-name");
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "service name");
            // store lookup throws
            when(_policy.getService()).thenReturn("another-service-name");
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "service name");
        }
    }
    // policy must contain at least one policy item
    List<RangerPolicyItem> policyItems = new ArrayList<>();
    when(_policy.getService()).thenReturn("service-name");
    RangerService service = mock(RangerService.class);
    when(_store.getServiceByName("service-name")).thenReturn(service);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            // when it is null
            when(_policy.getPolicyItems()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "policy items");
            // or when it is not null but empty.
            when(_policy.getPolicyItems()).thenReturn(policyItems);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "policy items");
        }
    }
    // these are known good policy items -- same as used above in happypath
    policyItems = _utils.createPolicyItems(policyItemsData);
    when(_policy.getPolicyItems()).thenReturn(policyItems);
    // policy item check requires that the service def exists; here the store has none
    when(service.getType()).thenReturn("service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(null);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForInternalError(_failures, "policy service def");
        }
    }
    // service def should contain the right access types; this one is built from accessTypes_bad
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes_bad, "service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "policy item access type");
        }
    }
    // create the right service def with right resource defs - this is the same as in the happypath test above.
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes, "service-type");
    // no stored policy carries the same name any more
    when(_store.getPolicies(filter)).thenReturn(null);
    List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
    when(_serviceDef.getResources()).thenReturn(resourceDefs);
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
    // one mandatory resource is missing (tbl), one unknown resource is specified (extra), and the values of the optional resource (col) don't conform to the validation pattern
    Map<String, RangerPolicyResource> policyResources = _utils.createPolicyResourceMap(policyResourceMap_bad);
    when(_policy.getResources()).thenReturn(policyResources);
    // ensure that the policy is fine when it comes to the resource signature
    RangerPolicyResourceSignature signature = mock(RangerPolicyResourceSignature.class);
    when(_factory.createPolicyResourceSignature(_policy)).thenReturn(signature);
    when(signature.getSignature()).thenReturn("hash-1");
    // store does not have any policies for that signature hash
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            // values of col don't conform to the validation pattern
            // NOTE(review): the missing mandatory resource (tbl) and the unknown resource
            // (extra) described above are not asserted in this loop
            _utils.checkFailureForSemanticError(_failures, "resource-values", "col");
            // for specifying it as true when def did not allow it
            _utils.checkFailureForSemanticError(_failures, "isRecursive", "db");
            // for specifying it as true when def did not allow it
            _utils.checkFailureForSemanticError(_failures, "isExcludes", "col");
        }
    }
    // Check that a resource-signature clash is reported: have the store return policies for the same signature
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(existingPolicies);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "policy resources");
        }
    }
}
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) ArrayList(java.util.ArrayList) SearchFilter(org.apache.ranger.plugin.util.SearchFilter) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) RangerService(org.apache.ranger.plugin.model.RangerService) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) Test(org.junit.Test)

Aggregations

Action (org.apache.ranger.plugin.model.validation.RangerValidator.Action)8 Test (org.junit.Test)8 RangerService (org.apache.ranger.plugin.model.RangerService)5 RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)4 RangerPolicyResourceSignature (org.apache.ranger.plugin.model.RangerPolicyResourceSignature)3 RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)3 ArrayList (java.util.ArrayList)2 RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)2 RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)2 RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)2 SearchFilter (org.apache.ranger.plugin.util.SearchFilter)2 RangerServiceConfigDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef)1