Search in sources :

Example 1 with TestData

use of org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData in project ranger by apache.

the class TestPolicyEngine method runTests.

private void runTests(InputStreamReader reader, String testName) {
    PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
    assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null);
    ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setServiceName(testCase.serviceName);
    servicePolicies.setServiceDef(testCase.serviceDef);
    servicePolicies.setPolicies(testCase.policies);
    if (StringUtils.isNotBlank(testCase.auditMode)) {
        servicePolicies.setAuditMode(testCase.auditMode);
    }
    if (null != testCase.tagPolicyInfo) {
        ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();
        tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
        tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
        tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
        if (StringUtils.isNotBlank(testCase.auditMode)) {
            tagPolicies.setAuditMode(testCase.auditMode);
        }
        servicePolicies.setTagPolicies(tagPolicies);
    }
    RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
    policyEngineOptions.disableTagPolicyEvaluation = false;
    boolean useForwardedIPAddress = RangerConfiguration.getInstance().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress", false);
    String trustedProxyAddressString = RangerConfiguration.getInstance().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
    String[] trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, ';');
    if (trustedProxyAddresses != null) {
        for (int i = 0; i < trustedProxyAddresses.length; i++) {
            trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
        }
    }
    RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
    policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
    policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
    long requestCount = 0L;
    RangerAccessRequest request = null;
    for (TestData test : testCase.tests) {
        request = test.request;
        if ((requestCount++ % 10) == 1) {
            policyEngine.reorderPolicyEvaluators();
        }
        if (request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_TAGS) || request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
            // Create a new AccessRequest
            RangerAccessRequestImpl newRequest = new RangerAccessRequestImpl(request.getResource(), request.getAccessType(), request.getUser(), request.getUserGroups());
            newRequest.setClientType(request.getClientType());
            newRequest.setAccessTime(request.getAccessTime());
            newRequest.setAction(request.getAction());
            newRequest.setRemoteIPAddress(request.getRemoteIPAddress());
            newRequest.setForwardedAddresses(request.getForwardedAddresses());
            newRequest.setRequestData(request.getRequestData());
            newRequest.setSessionId(request.getSessionId());
            Map<String, Object> context = request.getContext();
            String tagsJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
            context.remove(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
            if (!StringUtils.isEmpty(tagsJsonString)) {
                try {
                    Type setType = new TypeToken<Set<RangerTagForEval>>() {
                    }.getType();
                    Set<RangerTagForEval> tags = gsonBuilder.fromJson(tagsJsonString, setType);
                    context.put(RangerAccessRequestUtil.KEY_CONTEXT_TAGS, tags);
                } catch (Exception e) {
                    System.err.println("TestPolicyEngine.runTests(): error parsing TAGS JSON string in file " + testName + ", tagsJsonString=" + tagsJsonString + ", exception=" + e);
                }
            } else if (request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
                String resourcesJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
                context.remove(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
                if (!StringUtils.isEmpty(resourcesJsonString)) {
                    try {
                        /*
							Reader stringReader = new StringReader(resourcesJsonString);
							RangerRequestedResources resources = gsonBuilder.fromJson(stringReader, RangerRequestedResources.class);
							*/
                        Type myType = new TypeToken<RangerRequestedResources>() {
                        }.getType();
                        RangerRequestedResources resources = gsonBuilder.fromJson(resourcesJsonString, myType);
                        context.put(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES, resources);
                    } catch (Exception e) {
                        System.err.println("TestPolicyEngine.runTests(): error parsing REQUESTED_RESOURCES string in file " + testName + ", resourcesJsonString=" + resourcesJsonString + ", exception=" + e);
                    }
                }
            }
            newRequest.setContext(context);
            // accessResource.ServiceDef is set here, so that we can skip call to policyEngine.preProcess() which
            // sets the serviceDef in the resource AND calls enrichers. We dont want enrichers to be called when
            // context already contains tags -- This may change when we want enrichers to enrich request in the
            // presence of tags!!!
            // Safe cast
            RangerAccessResourceImpl accessResource = (RangerAccessResourceImpl) request.getResource();
            accessResource.setServiceDef(testCase.serviceDef);
            request = newRequest;
        } else if (!request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
            policyEngine.preProcess(request);
        }
        RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
        if (test.result != null) {
            RangerAccessResult expected = test.result;
            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
            assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
        if (test.dataMaskResult != null) {
            RangerAccessResult expected = test.dataMaskResult;
            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("maskType mismatched! - " + test.name, expected.getMaskType(), result.getMaskType());
            assertEquals("maskCondition mismatched! - " + test.name, expected.getMaskCondition(), result.getMaskCondition());
            assertEquals("maskedValue mismatched! - " + test.name, expected.getMaskedValue(), result.getMaskedValue());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
        if (test.rowFilterResult != null) {
            RangerAccessResult expected = test.rowFilterResult;
            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("filterExpr mismatched! - " + test.name, expected.getFilterExpr(), result.getFilterExpr());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
        if (test.resourceAccessInfo != null) {
            RangerResourceAccessInfo expected = new RangerResourceAccessInfo(test.resourceAccessInfo);
            RangerResourceAccessInfo result = policyEngine.getResourceAccessInfo(test.request);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("allowedUsers mismatched! - " + test.name, expected.getAllowedUsers(), result.getAllowedUsers());
            assertEquals("allowedGroups mismatched! - " + test.name, expected.getAllowedGroups(), result.getAllowedGroups());
            assertEquals("deniedUsers mismatched! - " + test.name, expected.getDeniedUsers(), result.getDeniedUsers());
            assertEquals("deniedGroups mismatched! - " + test.name, expected.getDeniedGroups(), result.getDeniedGroups());
        }
    }
}
Also used : ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies) Set(java.util.Set) TestData(org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData) RangerTagForEval(org.apache.ranger.plugin.contextenricher.RangerTagForEval) RangerDefaultAuditHandler(org.apache.ranger.plugin.audit.RangerDefaultAuditHandler) RangerRequestedResources(org.apache.ranger.plugin.util.RangerRequestedResources) JsonParseException(com.google.gson.JsonParseException) Type(java.lang.reflect.Type) TypeToken(com.google.gson.reflect.TypeToken)

Aggregations

JsonParseException (com.google.gson.JsonParseException)1 TypeToken (com.google.gson.reflect.TypeToken)1 Type (java.lang.reflect.Type)1 Set (java.util.Set)1 RangerDefaultAuditHandler (org.apache.ranger.plugin.audit.RangerDefaultAuditHandler)1 RangerTagForEval (org.apache.ranger.plugin.contextenricher.RangerTagForEval)1 TestData (org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData)1 RangerRequestedResources (org.apache.ranger.plugin.util.RangerRequestedResources)1 ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)1