Skip to content

basic security extension ignore permissions that use unknown ResourceType or Action #10896

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
clintropolis merged 3 commits into from
Feb 23, 2021
Merged

basic security extension ignore permissions that use unknown ResourceType or Action #10896

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
665d78e
suppress unknown ResourceType and Action for basic-security authorize…
clintropolis Feb 17, 2021
414c408
fix pom
clintropolis Feb 17, 2021
bab3f02
print failed role, test logs
clintropolis Feb 23, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions extensions-core/druid-basic-security/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -147,5 +147,12 @@
<type>test-jar</type>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.druid</groupId>
<artifactId>druid-processing</artifactId>
<version>${project.parent.version}</version>
<scope>test</scope>
<type>test-jar</type>
</dependency>
</dependencies>
</project>
9 changes: 9 additions & 0 deletions .../java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerPermission.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,4 +119,13 @@ public int hashCode()
: 0);
return result;
}

@Override
public String toString()
{
return "BasicAuthorizerPermission{" +
"resourceAction=" + resourceAction +
", resourceNamePattern=" + resourceNamePattern +
'}';
}
}
45 changes: 44 additions & 1 deletion ...c/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerRole.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,19 +21,31 @@

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.ObjectCodec;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
import org.apache.druid.java.util.common.RE;
import org.apache.druid.java.util.common.logger.Logger;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

public class BasicAuthorizerRole
{
private static final Logger log = new Logger(BasicAuthorizerRole.class);

private final String name;
private final List<BasicAuthorizerPermission> permissions;

@JsonCreator
public BasicAuthorizerRole(
@JsonProperty("name") String name,
@JsonProperty("permissions") List<BasicAuthorizerPermission> permissions
@JsonProperty("permissions") @JsonDeserialize(using = PermissionsDeserializer.class) List<BasicAuthorizerPermission> permissions
)
{
this.name = name;
Expand Down Expand Up @@ -78,4 +90,35 @@ public int hashCode()
result = 31 * result + (getPermissions() != null ? getPermissions().hashCode() : 0);
return result;
}


static class PermissionsDeserializer extends JsonDeserializer<List<BasicAuthorizerPermission>>
{
@Override
public List<BasicAuthorizerPermission> deserialize(
JsonParser jsonParser,
DeserializationContext deserializationContext
) throws IOException
{
List<BasicAuthorizerPermission> permissions = new ArrayList<>();
// sanity check
ObjectCodec codec = jsonParser.getCodec();
JsonNode hopefullyAnArray = codec.readTree(jsonParser);
if (!hopefullyAnArray.isArray()) {
throw new RE("Failed to deserialize authorizer role list");
}

for (JsonNode node : hopefullyAnArray) {
try {
permissions.add(codec.treeToValue(node, BasicAuthorizerPermission.class));
}
catch (JsonProcessingException e) {
// ignore unparseable, it might be resource types we don't know about
log.warn(e, "Failed to deserialize authorizer role, ignoring: %s", node.toPrettyString());
}
}

return permissions;
}
}
}
123 changes: 123 additions & 0 deletions ...core/druid-basic-security/src/test/java/org/apache/druid/security/BasicAuthUtilsTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,25 @@

package org.apache.druid.security;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.BasicSecurityDruidModule;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerPermission;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.segment.TestHelper;
import org.apache.druid.server.security.Action;
import org.apache.druid.server.security.Resource;
import org.apache.druid.server.security.ResourceAction;
import org.apache.druid.server.security.ResourceType;
import org.junit.Assert;
import org.junit.Test;

import java.util.HashMap;
import java.util.Map;

public class BasicAuthUtilsTest
{
@Test
Expand All @@ -36,4 +51,112 @@ public void testHashPassword()
Assert.assertEquals(BasicAuthUtils.SALT_LENGTH, salt.length);
Assert.assertEquals(BasicAuthUtils.KEY_LENGTH / 8, hash.length);
}

@Test
public void testPermissionSerdeIsChillAboutUnknownEnumStuffs() throws JsonProcessingException
Copy link
Copy Markdown
Contributor

@zachjsh zachjsh Feb 18, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: can this be split into a few different tests if not too much trouble?

Copy link
Copy Markdown
Member Author

@clintropolis clintropolis Feb 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't end up splitting this one up yet, since I wasn't quite sure on what way made the most sense after thinking about how it doesn't really take a different code path from the deserializeAuthorizerRoleMap methods perspective here, (the same exception is thrown and same code path taken regardless of which enum failed to deserialize). I put both enums in here because it made me feel better, but from a pure coverage perspective i don't think splitting at least on different enum failures changes much.

Any suggestion on what split makes sense? There are more general tests that cover happier paths with JSON serde of the types involved here in some of the other test classes, I just did this unhappy path test in this test class so I could call the deserializeAuthorizerRoleMap method directly without worrying about the rest of the scaffolding stuff the happy path tests are using.

Copy link
Copy Markdown
Contributor

@zachjsh zachjsh Feb 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this test seems to test 3 cases: 1 good Permission, one bad resourceType permission and one bad resourceAciont permission. Thought it made sens to split into 3 tests accordingly. Its ok to leave as is too, just a nit, no biggie.

{
final String someRoleName = "some-role";
final String otherRoleName = "other-role";
final String thirdRoleName = "third-role";
final ResourceAction fooRead = new ResourceAction(new Resource("foo", ResourceType.DATASOURCE), Action.READ);
final ResourceAction barRead = new ResourceAction(new Resource("bar", ResourceType.DATASOURCE), Action.READ);

final ObjectMapper mapper = TestHelper.makeJsonMapper();
mapper.registerModules(new BasicSecurityDruidModule().getJacksonModules());
Map<String, Object> rawMap = new HashMap<>();
rawMap.put(
someRoleName,
new BasicAuthorizerRole(
someRoleName,
BasicAuthorizerPermission.makePermissionList(
ImmutableList.of(
fooRead,
barRead
)
)
)
);
// bad ResourceType
rawMap.put(
otherRoleName,
ImmutableMap.of(
"name",
otherRoleName,
"permissions",
ImmutableList.of(
ImmutableMap.of(
"resourceAction", fooRead,
"resourceNamePattern", "foo"
),
ImmutableMap.of(
"resourceAction",
ImmutableMap.of(
"resource",
ImmutableMap.of("name", "bar", "type", "UNKNOWN"),
"action", "READ"
),
"resourceNamePattern", "bar"
)
)
)
);
// bad Action
rawMap.put(
thirdRoleName,
ImmutableMap.of(
"name",
thirdRoleName,
"permissions",
ImmutableList.of(
ImmutableMap.of(
"resourceAction",
ImmutableMap.of(
"resource",
ImmutableMap.of("name", "some-view", "type", "VIEW"),
"action", "READ"
),
"resourceNamePattern", "some-view"
),
ImmutableMap.of(
"resourceAction",
ImmutableMap.of(
"resource",
ImmutableMap.of("name", "foo", "type", "DATASOURCE"),
"action", "UNKNOWN"
),
"resourceNamePattern", "some-view"
)
)
)
);
byte[] mapBytes = mapper.writeValueAsBytes(rawMap);
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(mapper, mapBytes);
Assert.assertNotNull(roleMap);
Assert.assertEquals(3, roleMap.size());

Assert.assertTrue(roleMap.containsKey(someRoleName));
Assert.assertEquals(2, roleMap.get(someRoleName).getPermissions().size());
Assert.assertEquals(
BasicAuthorizerPermission.makePermissionList(ImmutableList.of(fooRead, barRead)),
roleMap.get(someRoleName).getPermissions()
);

// this one has an unknown ResourceType, expect only 1 permission to deserialize correctly and failure ignored
Assert.assertTrue(roleMap.containsKey(otherRoleName));
Assert.assertEquals(1, roleMap.get(otherRoleName).getPermissions().size());
Assert.assertEquals(
BasicAuthorizerPermission.makePermissionList(ImmutableList.of(fooRead)),
roleMap.get(otherRoleName).getPermissions()
);

// this one has an unknown Action, expect only 1 permission to deserialize correctly and failure ignored
Assert.assertTrue(roleMap.containsKey(thirdRoleName));
Assert.assertEquals(1, roleMap.get(thirdRoleName).getPermissions().size());
Assert.assertEquals(
BasicAuthorizerPermission.makePermissionList(
ImmutableList.of(new ResourceAction(new Resource("some-view", ResourceType.VIEW), Action.READ))
),
roleMap.get(thirdRoleName).getPermissions()
);
}
}
35 changes: 35 additions & 0 deletions extensions-core/druid-basic-security/src/test/resources/log4j2.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!--
~ Licensed to the Apache Software Foundation (ASF) under one
~ or more contributor license agreements. See the NOTICE file
~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file
~ to you under the Apache License, Version 2.0 (the
~ "License"); you may not use this file except in compliance
~ with the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->

<Configuration status="WARN">
<Appenders>
<Console name="Console" target="SYSTEM_OUT">
<PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
</Console>
</Appenders>
<Loggers>
<Root level="info">
<AppenderRef ref="Console"/>
</Root>
<Logger level="debug" name="org.apache.druid" additivity="false">
<AppenderRef ref="Console"/>
</Logger>
</Loggers>
</Configuration>