
Example 6 with Action

use of org.apache.ranger.plugin.model.validation.RangerValidator.Action in project ranger by apache.

the class TestRangerPolicyValidator method testIsValid_errorPaths.

/**
 * Submits three policies that {@code _validator.isValid} is expected to reject: a create
 * against a service name the store cannot resolve, an update that names a different service,
 * and an update that names a different policy type.
 *
 * <p>Each case asserts only that the result is {@code false}; the contents of
 * {@code _failures} are not inspected, and every call is made with admin rights.
 */
@Test
public final void testIsValid_errorPaths() throws Exception {
    final boolean asAdmin = true;

    // Case 1: create a policy whose service name the store resolves to null.
    final String unknownServiceName = "non-existing-service-name";
    Action op = Action.CREATE;
    when(_policy.getService()).thenReturn(unknownServiceName);
    when(_store.getServiceByName(unknownServiceName)).thenReturn(null);
    Assert.assertFalse(op.toString(), _validator.isValid(_policy, op, asAdmin, _failures));

    // Case 2: update a policy so that it names a different service than the stored one.
    // NOTE(review): storedPolicy is stubbed below, but nothing in this method returns it from
    // _store or hands it to the validator. Unless fixture setup outside this method registers
    // it, the rejection asserted here may come from an unrelated check rather than from the
    // service-name change -- confirm by asserting on the recorded failure.
    RangerPolicy storedPolicy = mock(RangerPolicy.class);
    when(storedPolicy.getId()).thenReturn(8L);
    when(storedPolicy.getService()).thenReturn("service-name");
    RangerService originalService = mock(RangerService.class);
    when(originalService.getType()).thenReturn("service-type");
    when(originalService.getName()).thenReturn("service-name");
    when(_store.getServiceByName("service-name")).thenReturn(originalService);
    RangerService renamedService = mock(RangerService.class);
    when(renamedService.getType()).thenReturn("service-type");
    when(renamedService.getName()).thenReturn("service-name2");
    when(_store.getServiceByName("service-name2")).thenReturn(renamedService);
    when(_policy.getService()).thenReturn("service-name2");
    when(_store.getServiceByName("service-name2")).thenReturn(renamedService);
    op = Action.UPDATE;
    Assert.assertFalse(op.toString(), _validator.isValid(_policy, op, asAdmin, _failures));

    // Case 3: update a policy so that its policy type differs from the stored one (0 -> 1).
    // NOTE(review): _failures is shared with the two cases above and is not reset in this
    // method, so a false result here cannot be attributed to the policy-type change alone.
    when(storedPolicy.getId()).thenReturn(8L);
    when(storedPolicy.getService()).thenReturn("service-name");
    when(storedPolicy.getPolicyType()).thenReturn(0);
    when(_policy.getId()).thenReturn(8L);
    when(_policy.getService()).thenReturn("service-name");
    when(_policy.getPolicyType()).thenReturn(1);
    Assert.assertFalse(op.toString(), _validator.isValid(_policy, op, asAdmin, _failures));
}
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerService(org.apache.ranger.plugin.model.RangerService) Test(org.junit.Test)

Example 7 with Action

use of org.apache.ranger.plugin.model.validation.RangerValidator.Action in project ranger by apache.

the class TestRangerPolicyValidator method testIsValid_happyPath.

/**
 * Drives {@code _validator.isValid} through policies that are expected to be accepted, in
 * three stages: no policy items with auditing on, policy items with auditing off, and finally
 * with resource definitions present on the service-def.
 *
 * <p>Stubs on the shared mocks ({@code _policy}, {@code _store}, {@code _serviceDef}) are
 * re-issued as the method proceeds, so statement order matters: a later stub replaces an
 * earlier one for the same call.
 */
@Test
public final void testIsValid_happyPath() throws Exception {
    // valid policy has valid non-empty name and service name
    when(_policy.getService()).thenReturn("service-name");
    // service name exists
    RangerService service = mock(RangerService.class);
    when(service.getType()).thenReturn("service-type");
    when(_store.getServiceByName("service-name")).thenReturn(service);
    // service points to a valid service-def
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes);
    when(_serviceDef.getName()).thenReturn("service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
    // lookup by id: id 7 (used for create below) has no stored policy,
    // while id 8 (used for update below) resolves to existingPolicy.
    when(_store.getPolicy(7L)).thenReturn(null);
    RangerPolicy existingPolicy = mock(RangerPolicy.class);
    when(existingPolicy.getId()).thenReturn(8L);
    when(existingPolicy.getService()).thenReturn("service-name");
    when(_store.getPolicy(8L)).thenReturn(existingPolicy);
    // lookup by name for "policy-name-1" returns an empty list
    SearchFilter createFilter = new SearchFilter();
    createFilter.setParam(SearchFilter.SERVICE_TYPE, "service-type");
    // this name would be used for create
    createFilter.setParam(SearchFilter.POLICY_NAME, "policy-name-1");
    when(_store.getPolicies(createFilter)).thenReturn(new ArrayList<RangerPolicy>());
    // lookup by name for "policy-name-2" returns only existingPolicy (id 8),
    // i.e. the same policy that the update cases below submit.
    SearchFilter updateFilter = new SearchFilter();
    updateFilter.setParam(SearchFilter.SERVICE_TYPE, "service-type");
    // this name would be used for update
    updateFilter.setParam(SearchFilter.POLICY_NAME, "policy-name-2");
    List<RangerPolicy> existingPolicies = new ArrayList<>();
    existingPolicies.add(existingPolicy);
    when(_store.getPolicies(updateFilter)).thenReturn(existingPolicies);
    // valid policy can have empty set of policy items if audit is turned on
    // null value for audit is treated as audit on.
    // for now we want to turn any resource related checking off
    when(_policy.getResources()).thenReturn(null);
    // cu is defined outside this method; presumably the CREATE and UPDATE actions -- confirm.
    for (Action action : cu) {
        for (Boolean auditEnabled : new Boolean[] { null, true }) {
            for (boolean isAdmin : new boolean[] { true, false }) {
                when(_policy.getIsAuditEnabled()).thenReturn(auditEnabled);
                if (action == Action.CREATE) {
                    when(_policy.getId()).thenReturn(7L);
                    when(_policy.getName()).thenReturn("policy-name-1");
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                } else {
                    // update should work both when by-name is found or not, since nothing found by-name means name is being updated.
                    when(_policy.getId()).thenReturn(8L);
                    when(_policy.getName()).thenReturn("policy-name-1");
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                    when(_policy.getName()).thenReturn("policy-name-2");
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                }
            }
        }
    }
    // if audit is disabled then policy should have policy items and all of them should be valid
    List<RangerPolicyItem> policyItems = _utils.createPolicyItems(policyItemsData);
    when(_policy.getPolicyItems()).thenReturn(policyItems);
    when(_policy.getIsAuditEnabled()).thenReturn(false);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            if (action == Action.CREATE) {
                when(_policy.getId()).thenReturn(7L);
                when(_policy.getName()).thenReturn("policy-name-1");
            } else {
                when(_policy.getId()).thenReturn(8L);
                when(_policy.getName()).thenReturn("policy-name-2");
            }
            Assert.assertTrue("" + action, _validator.isValid(_policy, action, isAdmin, _failures));
            Assert.assertTrue(_failures.isEmpty());
        }
    }
    // above succeeded as service def did not have any resources on it, mandatory or otherwise.
    // policy should have all mandatory resources specified, and they should conform to the validation pattern in resource definition
    List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
    when(_serviceDef.getResources()).thenReturn(resourceDefs);
    Map<String, RangerPolicyResource> resourceMap = _utils.createPolicyResourceMap(policyResourceMap_good);
    when(_policy.getResources()).thenReturn(resourceMap);
    // let's add some other policies in the store for this service that have a different signature
    // setup the signatures on the policies
    RangerPolicyResourceSignature policySignature = mock(RangerPolicyResourceSignature.class);
    when(_factory.createPolicyResourceSignature(_policy)).thenReturn(policySignature);
    // setup the store to indicate that no other policy exists with matching signature
    // ("hash-1" is an arbitrary stub value, not a real digest)
    when(policySignature.getSignature()).thenReturn("hash-1");
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
    // we are reusing the same policies collection here -- which is fine
    for (Action action : cu) {
        if (action == Action.CREATE) {
            when(_policy.getId()).thenReturn(7L);
            when(_policy.getName()).thenReturn("policy-name-1");
        } else {
            when(_policy.getId()).thenReturn(8L);
            when(_policy.getName()).thenReturn("policy-name-2");
        }
        // per the original author's note, the policy resources contain excludes, so admin
        // privileges are required; this loop therefore passes isAdmin == true only.
        // NOTE(review): this method never asserts that the same policy is rejected when
        // isAdmin == false, so the admin-only rule is exercised from the allow side only --
        // confirm a negative test covers it elsewhere.
        Assert.assertTrue("" + action, _validator.isValid(_policy, action, true, _failures));
        Assert.assertTrue(_failures.isEmpty());
    }
}
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) ArrayList(java.util.ArrayList) SearchFilter(org.apache.ranger.plugin.util.SearchFilter) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) RangerService(org.apache.ranger.plugin.model.RangerService) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) Test(org.junit.Test)

Example 8 with Action

use of org.apache.ranger.plugin.model.validation.RangerValidator.Action in project ranger by apache.

the class TestRangerServiceValidator method testIsValid_failures.

/**
 * Feeds {@code _validator.isValid} a series of services that are expected to be rejected:
 * a null service, a missing id on update, blank names and types, types whose service-def
 * lookup returns null or throws, and id/name collisions with services already in the store.
 *
 * <p>Apart from the first case, the checks go through {@code checkFailure_isValid}, a helper
 * defined outside this method that receives the expected failure kind ("missing" or
 * "semantic") and field name.
 */
@Test
public void testIsValid_failures() throws Exception {
    RangerService candidate = mock(RangerService.class);

    // A null service handed to the validator is itself an error.
    Assert.assertFalse(_validator.isValid((RangerService) null, _action, _failures));
    _utils.checkFailureForMissingValue(_failures, "service");

    // An update needs an id; with a null id the reported failures should include one about
    // the id being missing. This is the case used to look at the error details returned.
    when(candidate.getId()).thenReturn(null);
    checkFailure_isValid(_validator, candidate, Action.UPDATE, _failures, "missing", "id");
    when(candidate.getId()).thenReturn(7L);

    // null, empty, or whitespace-only (spaces and tabs) values count as missing
    final String[] blankNames = { null, "", " 	" };
    final String[] blankTypes = { null, "", "    " };
    for (Action op : cu) {
        for (String blankName : blankNames) {
            when(candidate.getName()).thenReturn(blankName);
            checkFailure_isValid(_validator, candidate, op, _failures, "missing", "name");
        }
        // the type is held to the same rule as the name
        for (String blankType : blankTypes) {
            when(candidate.getType()).thenReturn(blankType);
            checkFailure_isValid(_validator, candidate, op, _failures, "missing", "type");
        }
    }

    when(candidate.getName()).thenReturn("aName");

    // A non-empty type must resolve to a service-def. A lookup that returns null and a lookup
    // that throws are both expected to be reported as a semantic failure on "type", i.e. a
    // store error does not let the service through.
    when(_store.getServiceDefByName("null-type")).thenReturn(null);
    when(_store.getServiceDefByName("throwing-type")).thenThrow(new Exception());
    final String[] unresolvableTypes = { "null-type", "throwing-type" };
    for (Action op : cu) {
        for (String badType : unresolvableTypes) {
            when(candidate.getType()).thenReturn(badType);
            checkFailure_isValid(_validator, candidate, op, _failures, "semantic", "type");
        }
    }

    when(candidate.getType()).thenReturn("aType");
    RangerServiceDef knownDef = mock(RangerServiceDef.class);
    when(_store.getServiceDefByName("aType")).thenReturn(knownDef);

    // Create: a service with the same name must not already be in the store.
    RangerService storedService = mock(RangerService.class);
    when(_store.getServiceByName("aName")).thenReturn(storedService);
    checkFailure_isValid(_validator, candidate, Action.CREATE, _failures, "semantic", "name");

    // Update: the id must resolve to a stored service ...
    when(_store.getService(7L)).thenReturn(null);
    when(_store.getServiceByName("aName")).thenReturn(storedService);
    checkFailure_isValid(_validator, candidate, Action.UPDATE, _failures, "semantic", "id");

    // ... and the name must not belong to a different stored service (id 49 here).
    when(_store.getService(7L)).thenReturn(storedService);
    RangerService otherStoredService = mock(RangerService.class);
    when(otherStoredService.getId()).thenReturn(49L);
    when(_store.getServiceByName("aName")).thenReturn(otherStoredService);
    checkFailure_isValid(_validator, candidate, Action.UPDATE, _failures, "semantic", "id/name");
}
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) RangerService(org.apache.ranger.plugin.model.RangerService) Test(org.junit.Test)
