
Example 1 with CollectionRequest

use of org.apache.solr.security.AuthorizationContext.CollectionRequest in project lucene-solr by apache.

From the class TestRuleBasedAuthorizationPlugin, method testBasicPermissions.

/**
 * Table-style test of the rule-based authorization rules.
 *
 * <p>Each {@code checkRules} call describes one request as a map (resource path, HTTP method,
 * principal, target collection(s), handler, optional request type and params) together with the
 * HTTP status the authorization decision is expected to produce: 200 (allowed), 403 (authenticated
 * but not permitted) or 401 (no principal supplied, credentials required).
 *
 * <p>The statement order matters: the method rewrites the {@code permissions} field twice, and the
 * two-argument {@code checkRules} calls after each rewrite presumably evaluate against the updated
 * field (NOTE(review): {@code checkRules} is not visible here; confirm). The three-argument form
 * receives the rule set explicitly.
 */
public void testBasicPermissions() {
    // Expected outcomes, named after the HTTP status they stand for.
    int STATUS_OK = 200;
    int FORBIDDEN = 403;
    int PROMPT_FOR_CREDENTIALS = 401;
    // Update requests: a user named "unknownuser" is expected to pass on collection "freeforall",
    // "tim" passes on "mycoll", and the same request without any userPrincipal must yield 401.
    checkRules(makeMap("resource", "/update/json/docs", "httpMethod", "POST", "userPrincipal", "unknownuser", "collectionRequests", "freeforall", "handler", new UpdateRequestHandler()), STATUS_OK);
    checkRules(makeMap("resource", "/update/json/docs", "httpMethod", "POST", "userPrincipal", "tim", "collectionRequests", "mycoll", "handler", new UpdateRequestHandler()), STATUS_OK);
    checkRules(makeMap("resource", "/update/json/docs", "httpMethod", "POST", "collectionRequests", "mycoll", "handler", new UpdateRequestHandler()), PROMPT_FOR_CREDENTIALS);
    // Schema API: for user "somebody" the decision depends on the HTTP method -- POST is expected
    // to be forbidden while GET (on /schema and /schema/fields) is allowed.
    checkRules(makeMap("resource", "/schema", "userPrincipal", "somebody", "collectionRequests", "mycoll", "httpMethod", "POST", "handler", new SchemaHandler()), FORBIDDEN);
    checkRules(makeMap("resource", "/schema", "userPrincipal", "somebody", "collectionRequests", "mycoll", "httpMethod", "GET", "handler", new SchemaHandler()), STATUS_OK);
    checkRules(makeMap("resource", "/schema/fields", "userPrincipal", "somebody", "collectionRequests", "mycoll", "httpMethod", "GET", "handler", new SchemaHandler()), STATUS_OK);
    // NOTE(review): identical to the first /schema POST case above; it adds no coverage.
    checkRules(makeMap("resource", "/schema", "userPrincipal", "somebody", "collectionRequests", "mycoll", "httpMethod", "POST", "handler", new SchemaHandler()), FORBIDDEN);
    // Collections admin API: the decision depends on the "action" param. LIST is expected to be
    // allowed for "tim" and also for a null principal (unauthenticated), whereas CREATE and RELOAD
    // with a null principal must prompt for credentials.
    checkRules(makeMap("resource", "/admin/collections", "userPrincipal", "tim", "requestType", RequestType.ADMIN, "collectionRequests", null, "httpMethod", "GET", "handler", new CollectionsHandler(), "params", new MapSolrParams(singletonMap("action", "LIST"))), STATUS_OK);
    checkRules(makeMap("resource", "/admin/collections", "userPrincipal", null, "requestType", RequestType.ADMIN, "collectionRequests", null, "httpMethod", "GET", "handler", new CollectionsHandler(), "params", new MapSolrParams(singletonMap("action", "LIST"))), STATUS_OK);
    checkRules(makeMap("resource", "/admin/collections", "userPrincipal", null, "requestType", RequestType.ADMIN, "collectionRequests", null, "handler", new CollectionsHandler(), "params", new MapSolrParams(singletonMap("action", "CREATE"))), PROMPT_FOR_CREDENTIALS);
    checkRules(makeMap("resource", "/admin/collections", "userPrincipal", null, "requestType", RequestType.ADMIN, "collectionRequests", null, "handler", new CollectionsHandler(), "params", new MapSolrParams(singletonMap("action", "RELOAD"))), PROMPT_FOR_CREDENTIALS);
    // Same CREATE action with a principal present: "somebody" is forbidden, "tim" is allowed.
    checkRules(makeMap("resource", "/admin/collections", "userPrincipal", "somebody", "requestType", RequestType.ADMIN, "collectionRequests", null, "handler", new CollectionsHandler(), "params", new MapSolrParams(singletonMap("action", "CREATE"))), FORBIDDEN);
    checkRules(makeMap("resource", "/admin/collections", "userPrincipal", "tim", "requestType", RequestType.ADMIN, "collectionRequests", null, "handler", new CollectionsHandler(), "params", new MapSolrParams(singletonMap("action", "CREATE"))), STATUS_OK);
    // Read path: "joe" querying /select on "mycoll" is expected to be forbidden.
    checkRules(makeMap("resource", "/select", "httpMethod", "GET", "handler", new SearchHandler(), "collectionRequests", singletonList(new CollectionRequest("mycoll")), "userPrincipal", "joe"), FORBIDDEN);
    // Build a modified copy of the rules (the field itself is untouched here): map user "cio" to
    // role "su" and append a permission named "all" for role "su".
    Map rules = (Map) Utils.fromJSONString(permissions);
    ((Map) rules.get("user-role")).put("cio", "su");
    ((List) rules.get("permissions")).add(makeMap("name", "all", "role", "su"));
    // With the "all" permission in place, a replication POST is forbidden for "tim" but allowed
    // for "cio"; "tim" must still be allowed to CREATE collections under the same rule set.
    checkRules(makeMap("resource", ReplicationHandler.PATH, "httpMethod", "POST", "userPrincipal", "tim", "handler", new ReplicationHandler(), "collectionRequests", singletonList(new CollectionRequest("mycoll"))), FORBIDDEN, rules);
    checkRules(makeMap("resource", ReplicationHandler.PATH, "httpMethod", "POST", "userPrincipal", "cio", "handler", new ReplicationHandler(), "collectionRequests", singletonList(new CollectionRequest("mycoll"))), STATUS_OK, rules);
    checkRules(makeMap("resource", "/admin/collections", "userPrincipal", "tim", "requestType", AuthorizationContext.RequestType.ADMIN, "collectionRequests", null, "handler", new CollectionsHandler(), "params", new MapSolrParams(singletonMap("action", "CREATE"))), STATUS_OK, rules);
    // Start again from the field's rules, add the core-admin permissions ("core-admin-edit" for
    // role "su", "core-admin-read" for role "user") plus the "cio"/"all" entries, and write the
    // result back into the permissions field so the following calls see it.
    rules = (Map) Utils.fromJSONString(permissions);
    ((List) rules.get("permissions")).add(makeMap("name", "core-admin-edit", "role", "su"));
    ((List) rules.get("permissions")).add(makeMap("name", "core-admin-read", "role", "user"));
    ((Map) rules.get("user-role")).put("cio", "su");
    ((List) rules.get("permissions")).add(makeMap("name", "all", "role", "su"));
    permissions = Utils.toJSONString(rules);
    // Core admin API: CREATE needs credentials when anonymous, is forbidden for "joe" and allowed
    // for "cio"; the STATUS action is allowed for "joe".
    checkRules(makeMap("resource", "/admin/cores", "userPrincipal", null, "requestType", RequestType.ADMIN, "collectionRequests", null, "handler", new CoreAdminHandler(null), "params", new MapSolrParams(singletonMap("action", "CREATE"))), PROMPT_FOR_CREDENTIALS);
    checkRules(makeMap("resource", "/admin/cores", "userPrincipal", "joe", "requestType", RequestType.ADMIN, "collectionRequests", null, "handler", new CoreAdminHandler(null), "params", new MapSolrParams(singletonMap("action", "CREATE"))), FORBIDDEN);
    checkRules(makeMap("resource", "/admin/cores", "userPrincipal", "joe", "requestType", RequestType.ADMIN, "collectionRequests", null, "handler", new CoreAdminHandler(null), "params", new MapSolrParams(singletonMap("action", "STATUS"))), STATUS_OK);
    checkRules(makeMap("resource", "/admin/cores", "userPrincipal", "cio", "requestType", RequestType.ADMIN, "collectionRequests", null, "handler", new CoreAdminHandler(null), "params", new MapSolrParams(singletonMap("action", "CREATE"))), STATUS_OK);
    rules = (Map) Utils.fromJSONString(permissions);
    // From here on the local List named "permissions" shadows the field of the same name, which
    // is why the write-back below has to go through this.permissions.
    List permissions = (List) rules.get("permissions");
    // Remove the 'all' permission (the last entry appended above) so it cannot mask the
    // param-based permission added next.
    permissions.remove(permissions.size() - 1);
    // Permission keyed on a request parameter: path /x, role "admin", and param "key" listed as
    // a case-insensitive regex for "val1" or the literal "VAL2".
    permissions.add(makeMap("name", "test-params", "role", "admin", "path", "/x", "params", makeMap("key", Arrays.asList("REGEX:(?i)val1", "VAL2"))));
    this.permissions = Utils.toJSONString(rules);
    // key=VAL1 / key=Val1 without a principal: both case variants must prompt for credentials.
    checkRules(makeMap("resource", "/x", "userPrincipal", null, "requestType", RequestType.UNKNOWN, "collectionRequests", "go", "handler", new DumpRequestHandler(), "params", new MapSolrParams(singletonMap("key", "VAL1"))), PROMPT_FOR_CREDENTIALS);
    checkRules(makeMap("resource", "/x", "userPrincipal", null, "requestType", RequestType.UNKNOWN, "collectionRequests", "go", "handler", new DumpRequestHandler(), "params", new MapSolrParams(singletonMap("key", "Val1"))), PROMPT_FOR_CREDENTIALS);
    // NOTE(review): identical to the previous call; it adds no coverage.
    checkRules(makeMap("resource", "/x", "userPrincipal", null, "requestType", RequestType.UNKNOWN, "collectionRequests", "go", "handler", new DumpRequestHandler(), "params", new MapSolrParams(singletonMap("key", "Val1"))), PROMPT_FOR_CREDENTIALS);
    checkRules(makeMap("resource", "/x", "userPrincipal", "joe", "requestType", RequestType.UNKNOWN, "collectionRequests", "go", "handler", new DumpRequestHandler(), "params", new MapSolrParams(singletonMap("key", "Val1"))), FORBIDDEN);
    // "Val2" is allowed while "VAL2" is forbidden for the same user: the expected results imply
    // that the non-REGEX value is compared case-sensitively, so a case variant does not fall under
    // the permission. NOTE(review): when restricting by parameter value, prefer a REGEX entry if
    // the handler behind the path treats the value case-insensitively.
    checkRules(makeMap("resource", "/x", "userPrincipal", "joe", "requestType", RequestType.UNKNOWN, "collectionRequests", "go", "handler", new DumpRequestHandler(), "params", new MapSolrParams(singletonMap("key", "Val2"))), STATUS_OK);
    checkRules(makeMap("resource", "/x", "userPrincipal", "joe", "requestType", RequestType.UNKNOWN, "collectionRequests", "go", "handler", new DumpRequestHandler(), "params", new MapSolrParams(singletonMap("key", "VAL2"))), FORBIDDEN);
    // Self-contained rule set passed inline: user "solr" holds only read_role, while the "update"
    // permission lists admin_role and update_role, so an /update request must be forbidden.
    checkRules(makeMap("resource", "/update", "userPrincipal", "solr", "requestType", RequestType.UNKNOWN, "collectionRequests", "go", "handler", new UpdateRequestHandler(), "params", new MapSolrParams(singletonMap("key", "VAL2"))), FORBIDDEN, (Map<String, Object>) Utils.fromJSONString("{user-role:{" + "      admin:[admin_role]," + "      update:[update_role]," + "      solr:[read_role]}," + "    permissions:[" + "      {name:update, role:[admin_role,update_role]}," + "      {name:read, role:[admin_role,update_role,read_role]}" + "]}"));
}
Also used : SchemaHandler(org.apache.solr.handler.SchemaHandler) SearchHandler(org.apache.solr.handler.component.SearchHandler) CollectionRequest(org.apache.solr.security.AuthorizationContext.CollectionRequest) DumpRequestHandler(org.apache.solr.handler.DumpRequestHandler) CollectionsHandler(org.apache.solr.handler.admin.CollectionsHandler) CoreAdminHandler(org.apache.solr.handler.admin.CoreAdminHandler) MapSolrParams(org.apache.solr.common.params.MapSolrParams) Collections.singletonList(java.util.Collections.singletonList) LinkedList(java.util.LinkedList) List(java.util.List) ReplicationHandler(org.apache.solr.handler.ReplicationHandler) UpdateRequestHandler(org.apache.solr.handler.UpdateRequestHandler) HashMap(java.util.HashMap) Map(java.util.Map) Collections.singletonMap(java.util.Collections.singletonMap) Utils.makeMap(org.apache.solr.common.util.Utils.makeMap)

Example 2 with CollectionRequest

use of org.apache.solr.security.AuthorizationContext.CollectionRequest in project lucene-solr by apache.

From the class HttpSolrCall, method getAuthCtx.

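/**
 * Builds the {@link AuthorizationContext} describing the current request for an authorization
 * decision.
 *
 * <p>The list of {@link CollectionRequest}s is assembled, in this order, from:
 * <ol>
 *   <li>the collections already resolved for the call ({@code getCollectionsList()});</li>
 *   <li>for {@code /admin/collections}: the {@code name} param when the action is CREATE, RELOAD
 *       or DELETE, otherwise the {@code COLLECTION_PROP} param if present;</li>
 *   <li>for a path equal to {@code /select} with a {@code collection} param: the comma-separated
 *       names in that param, which <em>replace</em> everything collected so far;</li>
 *   <li>the collection of the resolved core, when a core exists and no collections list was
 *       resolved;</li>
 *   <li>the {@code COLLECTION_PROP} query param, if present (this can repeat an earlier entry).</li>
 * </ol>
 *
 * <p>Several of these names come straight from request parameters and are used verbatim (no
 * trimming, no existence check), and a missing {@code name} param yields a request with a
 * {@code null} collection name. Whatever consumes the context has to treat them as
 * caller-supplied values.
 *
 * <p>Side effect: when the {@code requestType} field is still {@code UNKNOWN} it is set to READ
 * for paths starting with {@code /select} or {@code /get} and to WRITE for paths starting with
 * {@code /update}.
 *
 * @return a context whose accessors delegate to the underlying request and to the collection list
 *     computed here
 */
private AuthorizationContext getAuthCtx() {
    String resource = getPath();
    SolrParams params = getQueryParams();
    final ArrayList<CollectionRequest> collectionRequests = new ArrayList<>();
    if (getCollectionsList() != null) {
        for (String collection : getCollectionsList()) {
            collectionRequests.add(new CollectionRequest(collection));
        }
    }
    // Extract collection name from the params in case of a Collection Admin request
    if (getPath().equals("/admin/collections")) {
        if (CREATE.isEqual(params.get("action")) || RELOAD.isEqual(params.get("action")) || DELETE.isEqual(params.get("action"))) {
            // The name is taken as-is; it is null when the caller omitted the "name" param.
            collectionRequests.add(new CollectionRequest(params.get("name")));
        } else if (params.get(COLLECTION_PROP) != null) {
            collectionRequests.add(new CollectionRequest(params.get(COLLECTION_PROP)));
        }
    }
    // Handle the case when it's a /select request and collections are specified as a param.
    // The param-supplied list replaces (not extends) what was gathered above. Note the exact
    // match on "/select" here versus the prefix match used for the request type below.
    if (resource.equals("/select") && params.get("collection") != null) {
        collectionRequests.clear();
        for (String collection : params.get("collection").split(",")) {
            collectionRequests.add(new CollectionRequest(collection));
        }
    }
    // Populate the request type if the request is select or update
    if (requestType == RequestType.UNKNOWN) {
        if (resource.startsWith("/select") || resource.startsWith("/get")) {
            requestType = RequestType.READ;
        }
        if (resource.startsWith("/update")) {
            requestType = RequestType.WRITE;
        }
    }
    // No collections list was resolved for this call: fall back to the collection of the core
    // that is processing the request, if there is one.
    if (getCore() != null && (getCollectionsList() == null || getCollectionsList().size() == 0)) {
        collectionRequests.add(new CollectionRequest(getCore().getCoreDescriptor().getCollectionName()));
    }
    // Added unconditionally when present, so it may duplicate an entry added earlier.
    if (getQueryParams().get(COLLECTION_PROP) != null) {
        collectionRequests.add(new CollectionRequest(getQueryParams().get(COLLECTION_PROP)));
    }
    return new AuthorizationContext() {

        @Override
        public SolrParams getParams() {
            return null == solrReq ? null : solrReq.getParams();
        }

        @Override
        public Principal getUserPrincipal() {
            return getReq().getUserPrincipal();
        }

        @Override
        public String getHttpHeader(String s) {
            return getReq().getHeader(s);
        }

        @Override
        public Enumeration getHeaderNames() {
            return getReq().getHeaderNames();
        }

        @Override
        public List<CollectionRequest> getCollectionRequests() {
            // Returns the live list built above, not a copy.
            return collectionRequests;
        }

        @Override
        public RequestType getRequestType() {
            return requestType;
        }

        // Returns the enclosing call's path field, not the local "resource" captured above.
        public String getResource() {
            return path;
        }

        @Override
        public String getHttpMethod() {
            return getReq().getMethod();
        }

        @Override
        public Object getHandler() {
            return _getHandler();
        }

        /**
         * Renders principal, request type, collection names, path and request params for
         * diagnostics. The output contains the full request params, so treat any log line that
         * carries it as potentially sensitive.
         */
        @Override
        public String toString() {
            // Appending the enum directly (instead of calling toString() on it) keeps this
            // diagnostic method from throwing if the request type has not been set.
            StringBuilder response = new StringBuilder("userPrincipal: [").append(getUserPrincipal()).append("]").append(" type: [").append(requestType).append("], collections: [");
            for (CollectionRequest collectionRequest : collectionRequests) {
                response.append(collectionRequest.collectionName).append(", ");
            }
            if (!collectionRequests.isEmpty()) {
                // Drop the whole trailing ", " separator (two characters); removing only the
                // last character left a dangling comma before the closing bracket.
                response.setLength(response.length() - 2);
            }
            response.append("], Path: [").append(resource).append("]");
            response.append(" path : ").append(path).append(" params :").append(getParams());
            return response.toString();
        }

        // NOTE(review): address and host are whatever the underlying request reports; behind a
        // reverse proxy that is presumably the proxy, not the original client -- confirm before
        // using them in access rules.
        @Override
        public String getRemoteAddr() {
            return getReq().getRemoteAddr();
        }

        @Override
        public String getRemoteHost() {
            return getReq().getRemoteHost();
        }
    };
}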
Also used : CollectionRequest(org.apache.solr.security.AuthorizationContext.CollectionRequest) ArrayList(java.util.ArrayList) ModifiableSolrParams(org.apache.solr.common.params.ModifiableSolrParams) SolrParams(org.apache.solr.common.params.SolrParams) MapSolrParams(org.apache.solr.common.params.MapSolrParams) AuthorizationContext(org.apache.solr.security.AuthorizationContext)

Aggregations

MapSolrParams (org.apache.solr.common.params.MapSolrParams)2 CollectionRequest (org.apache.solr.security.AuthorizationContext.CollectionRequest)2 ArrayList (java.util.ArrayList)1 Collections.singletonList (java.util.Collections.singletonList)1 Collections.singletonMap (java.util.Collections.singletonMap)1 HashMap (java.util.HashMap)1 LinkedList (java.util.LinkedList)1 List (java.util.List)1 Map (java.util.Map)1 ModifiableSolrParams (org.apache.solr.common.params.ModifiableSolrParams)1 SolrParams (org.apache.solr.common.params.SolrParams)1 Utils.makeMap (org.apache.solr.common.util.Utils.makeMap)1 DumpRequestHandler (org.apache.solr.handler.DumpRequestHandler)1 ReplicationHandler (org.apache.solr.handler.ReplicationHandler)1 SchemaHandler (org.apache.solr.handler.SchemaHandler)1 UpdateRequestHandler (org.apache.solr.handler.UpdateRequestHandler)1 CollectionsHandler (org.apache.solr.handler.admin.CollectionsHandler)1 CoreAdminHandler (org.apache.solr.handler.admin.CoreAdminHandler)1 SearchHandler (org.apache.solr.handler.component.SearchHandler)1 AuthorizationContext (org.apache.solr.security.AuthorizationContext)1