From: av@apache.org To: commits@ignite.apache.org Date: Thu, 24 Nov 2016 13:24:16 -0000 Message-Id: In-Reply-To: <60e3a79c717a4fc68f717e1a06f724c3@git.apache.org> References: <60e3a79c717a4fc68f717e1a06f724c3@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [06/50] [abbrv] ignite git commit: ignite-4178 support permission builder archived-at: Thu, 24 Nov 2016 13:24:14 -0000 ignite-4178 support permission builder Project: http://git-wip-us.apache.org/repos/asf/ignite/repo Commit: http://git-wip-us.apache.org/repos/asf/ignite/commit/40ef2f5a Tree: http://git-wip-us.apache.org/repos/asf/ignite/tree/40ef2f5a Diff: http://git-wip-us.apache.org/repos/asf/ignite/diff/40ef2f5a Branch: refs/heads/ignite-4242 Commit: 40ef2f5ae42826fe8fd077e3013e8f55c8512bdd Parents: 175da6b Author: Dmitriy Govorukhin Authored: Mon Nov 7 12:09:41 2016 +0300 Committer: Dmitriy Govorukhin Committed: Mon Nov 7 12:09:41 2016 +0300 ---------------------------------------------------------------------- .../security/SecurityBasicPermissionSet.java | 107 +++++++++ .../security/SecurityPermissionSetBuilder.java | 222 +++++++++++++++++++ .../SecurityPermissionSetBuilderTest.java | 93 ++++++++ .../ignite/testsuites/IgniteBasicTestSuite.java | 3 + 4 files changed, 425 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ignite/blob/40ef2f5a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java new file mode 100644 index 0000000..5b50c56 --- /dev/null +++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java 
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.plugin.security;
+
+import java.util.Map;
+import java.util.HashMap;
+import java.util.ArrayList;
+import java.util.Collection;
+import org.apache.ignite.internal.util.typedef.internal.S;
+import org.jetbrains.annotations.Nullable;
+
+/**
+ * Simple implementation of {@link SecurityPermissionSet} interface. Provides
+ * convenient way to specify permission set in the XML configuration.
+ */
+public class SecurityBasicPermissionSet implements SecurityPermissionSet {
+ /** Serial version uid. */
+ private static final long serialVersionUID = 0L;
+
+ /** Cache permissions. */
+ private Map> cachePerms = new HashMap<>();
+
+ /** Task permissions. */
+ private Map> taskPerms = new HashMap<>();
+
+ /** System permissions. */
+ private Collection sysPerms = new ArrayList<>();
+
+ /** Default allow all. */
+ private boolean dfltAllowAll;
+
+ /**
+ * Setter for set cache permission map.
+ *
+ * @param cachePerms Cache permissions.
+ */
+ public void setCachePermissions(Map> cachePerms) {
+ this.cachePerms = cachePerms;
+ }
+
+ /**
+ * Setter for set task permission map.
+ *
+ * @param taskPerms Task permissions.
+ */
+ public void setTaskPermissions(Map> taskPerms) {
+ this.taskPerms = taskPerms;
+ }
+
+ /**
+ * Setter for set collection system permission.
+ *
+ * @param sysPerms System permissions.
+ */
+ public void setSystemPermissions(Collection sysPerms) {
+ this.sysPerms = sysPerms;
+ }
+
+ /**
+ * Setter for set default allow all.
+ *
+ * @param dfltAllowAll Default allow all.
+ */
+ public void setDefaultAllowAll(boolean dfltAllowAll) {
+ this.dfltAllowAll = dfltAllowAll;
+ }
+
+ /** {@inheritDoc} */
+ @Override public Map> cachePermissions() {
+ return cachePerms;
+ }
+
+ /** {@inheritDoc} */
+ @Override public Map> taskPermissions() {
+ return taskPerms;
+ }
+
+ /** {@inheritDoc} */
+ @Nullable @Override public Collection systemPermissions() {
+ return sysPerms;
+ }
+
+ /** {@inheritDoc} */
+ @Override public boolean defaultAllowAll() {
+ return dfltAllowAll;
+ }
+
+ /** {@inheritDoc} */
+ @Override public String toString() {
+ return S.toString(SecurityBasicPermissionSet.class, this);
+ }
+}
http://git-wip-us.apache.org/repos/asf/ignite/blob/40ef2f5a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
new file mode 100644
index 0000000..61ad77c
--- /dev/null
+++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
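Review bot: The setters in SecurityBasicPermissionSet keep the caller's map or collection by reference (`this.cachePerms = cachePerms;`) and the getters return that same object, so the code that configured the set, or any code that later reads it, can still change the granted permissions after the set is in use. Since this object is presumably what authorization decisions are read from, I would either copy on the way in or return read-only views, for example `return Collections.unmodifiableMap(cachePerms);` in `cachePermissions()` (this needs `java.util.Collections` imported), and state in the class Javadoc which guarantee the class gives. Passing `null` to `setCachePermissions` or `setTaskPermissions` also makes the matching getter return `null`, although only `systemPermissions()` is marked `@Nullable`; a `@param` line saying whether `null` is accepted would settle that.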
@@ -0,0 +1,222 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.plugin.security;
+
+import java.util.Map;
+import java.util.List;
+import java.util.HashMap;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import org.apache.ignite.IgniteException;
+
+import static java.util.Collections.unmodifiableList;
+import static java.util.Collections.unmodifiableMap;
+
+/**
+ * Provides a convenient way to create a permission set.
+ *

+ * Here is example:
+ *

+ *      SecurityPermissionSet permsSet = new SecurityPermissionSetBuilder()
+ *          .appendCachePermissions("cache1", CACHE_PUT, CACHE_REMOVE)
+ *          .appendCachePermissions("cache2", CACHE_READ)
+ *          .appendTaskPermissions("task1", TASK_CANCEL)
+ *          .appendTaskPermissions("task2", TASK_EXECUTE)
+ *          .appendSystemPermissions(ADMIN_VIEW, EVENTS_ENABLE)
+ *          .build();
+ * 
+ *

+ * The builder also does additional validation. For example, if you try to
+ * append {@code EVENTS_ENABLE} permission for a cache, exception will be thrown:
+ *

+ *      SecurityPermissionSet permsSet = new SecurityPermissionSetBuilder()
+ *          .appendCachePermissions("cache1", EVENTS_ENABLE)
+ *          .build();
+ * 
+ */
+public class SecurityPermissionSetBuilder {
+ /** Cache permissions.*/
+ private Map> cachePerms = new HashMap<>();
+
+ /** Task permissions.*/
+ private Map> taskPerms = new HashMap<>();
+
+ /** System permissions.*/
+ private List sysPerms = new ArrayList<>();
+
+ /** Default allow all.*/
+ private boolean dfltAllowAll;
+
+ /**
+ * Static factory method for create new permission builder.
+ *
+ * @return SecurityPermissionSetBuilder
+ */
+ public static SecurityPermissionSetBuilder create(){
+ return new SecurityPermissionSetBuilder();
+ }
+
+ /**
+ * Append default all flag.
+ *
+ * @param dfltAllowAll Default allow all.
+ * @return SecurityPermissionSetBuilder refer to same permission builder.
+ */
+ public SecurityPermissionSetBuilder defaultAllowAll(boolean dfltAllowAll) {
+ this.dfltAllowAll = dfltAllowAll;
+
+ return this;
+ }
+
+ /**
+ * Append permission set form {@link org.apache.ignite.IgniteCompute task} with {@code name}.
+ *
+ * @param name String for map some task to permission set.
+ * @param perms Permissions.
+ * @return SecurityPermissionSetBuilder refer to same permission builder.
+ */
+ public SecurityPermissionSetBuilder appendTaskPermissions(String name, SecurityPermission... perms) {
+ validate(toCollection("TASK_"), perms);
+
+ append(taskPerms, name, toCollection(perms));
+
+ return this;
+ }
+
+ /**
+ * Append permission set form {@link org.apache.ignite.IgniteCache cache} with {@code name}.
+ *
+ * @param name String for map some cache to permission set.
+ * @param perms Permissions.
+ * @return {@link SecurityPermissionSetBuilder} refer to same permission builder.
+ */
+ public SecurityPermissionSetBuilder appendCachePermissions(String name, SecurityPermission... perms) {
+ validate(toCollection("CACHE_"), perms);
+
+ append(cachePerms, name, toCollection(perms));
+
+ return this;
+ }
+
+ /**
+ * Append system permission set.
+ *
+ * @param perms Permission.
+ * @return {@link SecurityPermissionSetBuilder} refer to same permission builder.
+ */
+ public SecurityPermissionSetBuilder appendSystemPermissions(SecurityPermission... perms) {
+ validate(toCollection("EVENTS_", "ADMIN_"), perms);
+
+ sysPerms.addAll(toCollection(perms));
+
+ return this;
+ }
+
+ /**
+ * Validate method use patterns.
+ *
+ * @param ptrns Pattern.
+ * @param perms Permissions.
+ */
+ private void validate(Collection ptrns, SecurityPermission... perms) {
+ assert ptrns != null;
+ assert perms != null;
+
+ for (SecurityPermission perm : perms)
+ validate(ptrns, perm);
+ }
+
+ /**
+ * @param ptrns Patterns.
+ * @param perm Permission.
+ */
+ private void validate(Collection ptrns, SecurityPermission perm) {
+ assert ptrns != null;
+ assert perm != null;
+
+ boolean ex = true;
+
+ String name = perm.name();
+
+ for (String ptrn : ptrns) {
+ if (name.startsWith(ptrn)) {
+ ex = false;
+
+ break;
+ }
+ }
+
+ if (ex)
+ throw new IgniteException("you can assign permission only start with " + ptrns + ", but you try " + name);
+ }
+
+ /**
+ * Convert vararg to {@link Collection}.
+ *
+ * @param perms Permissions.
+ */
+ @SafeVarargs
+ private final Collection toCollection(T... perms) {
+ assert perms != null;
+
+ Collection col = new ArrayList<>(perms.length);
+
+ Collections.addAll(col, perms);
+
+ return col;
+ }
+
+ /**
+ * @param permsMap Permissions map.
+ * @param name Name.
+ * @param perms Permission.
+ */
+ private void append(
+ Map> permsMap,
+ String name,
+ Collection perms
+ ) {
+ assert permsMap != null;
+ assert name != null;
+ assert perms != null;
+
+ Collection col = permsMap.get(name);
+
+ if (col == null)
+ permsMap.put(name, perms);
+ else
+ col.addAll(perms);
+ }
+
+ /**
+ * Builds the {@link SecurityPermissionSet}.
+ *
+ * @return {@link SecurityPermissionSet} instance.
+ */
+ public SecurityPermissionSet build() {
+ SecurityBasicPermissionSet permSet = new SecurityBasicPermissionSet();
+
+ permSet.setDefaultAllowAll(dfltAllowAll);
+ permSet.setCachePermissions(unmodifiableMap(cachePerms));
+ permSet.setTaskPermissions(unmodifiableMap(taskPerms));
+ permSet.setSystemPermissions(unmodifiableList(sysPerms));
+
+ return permSet;
+ }
+}
http://git-wip-us.apache.org/repos/asf/ignite/blob/40ef2f5a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
----------------------------------------------------------------------
diff --git a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
new file mode 100644
index 0000000..1d951cf
--- /dev/null
+++ b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
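Review bot: `build()` in SecurityPermissionSetBuilder wraps the builder's own maps and list with `unmodifiableMap`/`unmodifiableList`, which are live views, and the per-name collections stored as map values remain plain `ArrayList`s. A later `append*` call on the same builder therefore changes a permission set that was already returned, and a holder of the set can still call `add` on `cachePermissions().get(name)`. Building from a deep, read-only copy closes both paths; a sketch follows, with the generic parameters assumed to be `Map<String, Collection<SecurityPermission>>` because they are not legible in this copy of the patch. Separately, the null checks in `append` and both `validate` overloads are `assert` statements, which do nothing unless the JVM runs with `-ea`, so a `null` name would be stored as a map key; an explicit check that throws would be safer on this public API.

```java
public SecurityPermissionSet build() {
    // … unchanged: permSet creation and setDefaultAllowAll …
    permSet.setCachePermissions(readOnlyCopy(cachePerms));
    permSet.setTaskPermissions(readOnlyCopy(taskPerms));
    permSet.setSystemPermissions(unmodifiableList(new ArrayList<>(sysPerms)));
    // … unchanged: return permSet …
}

/** Copies every per-name collection so the result shares no state with the builder. */
private static Map<String, Collection<SecurityPermission>> readOnlyCopy(
    Map<String, Collection<SecurityPermission>> src
) {
    Map<String, Collection<SecurityPermission>> res = new HashMap<>(src.size());

    for (Map.Entry<String, Collection<SecurityPermission>> e : src.entrySet())
        res.put(e.getKey(), unmodifiableList(new ArrayList<>(e.getValue())));

    return unmodifiableMap(res);
}
```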
@@ -0,0 +1,93 @@ +package org.apache.ignite.plugin.security; + +import java.util.Map; +import java.util.Arrays; +import java.util.HashMap; +import java.util.Collection; +import java.util.concurrent.Callable; +import org.apache.ignite.IgniteException; +import org.apache.ignite.testframework.junits.common.GridCommonAbstractTest; + +import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_PUT; +import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_READ; +import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_REMOVE; +import static org.apache.ignite.plugin.security.SecurityPermission.TASK_CANCEL; +import static org.apache.ignite.plugin.security.SecurityPermission.TASK_EXECUTE; +import static org.apache.ignite.plugin.security.SecurityPermission.EVENTS_ENABLE; +import static org.apache.ignite.plugin.security.SecurityPermission.ADMIN_VIEW; +import static org.apache.ignite.testframework.GridTestUtils.assertThrows; + +/** + * Test for check correct work {@link SecurityPermissionSetBuilder permission builder} + */ +public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest { + /** + * + */ + public void testPermissionBuilder() { + SecurityBasicPermissionSet exp = new SecurityBasicPermissionSet(); + + Map> permCache = new HashMap<>(); + permCache.put("cache1", Arrays.asList(CACHE_PUT, CACHE_REMOVE)); + permCache.put("cache2", Arrays.asList(CACHE_READ)); + + exp.setCachePermissions(permCache); + + Map> permTask = new HashMap<>(); + permTask.put("task1", Arrays.asList(TASK_CANCEL)); + permTask.put("task2", Arrays.asList(TASK_EXECUTE)); + + exp.setTaskPermissions(permTask); + + exp.setSystemPermissions(Arrays.asList(ADMIN_VIEW, EVENTS_ENABLE)); + + final SecurityPermissionSetBuilder permsBuilder = new SecurityPermissionSetBuilder(); + + assertThrows(log, new Callable() { + @Override + public Object call() throws Exception { + permsBuilder.appendCachePermissions("cache", ADMIN_VIEW); + return null; + } + }, 
IgniteException.class, + "you can assign permission only start with [CACHE_], but you try ADMIN_VIEW" + ); + + assertThrows(log, new Callable() { + @Override + public Object call() throws Exception { + permsBuilder.appendTaskPermissions("task", CACHE_READ); + return null; + } + }, IgniteException.class, + "you can assign permission only start with [TASK_], but you try CACHE_READ" + ); + + assertThrows(log, new Callable() { + @Override + public Object call() throws Exception { + permsBuilder.appendSystemPermissions(TASK_EXECUTE, CACHE_PUT); + return null; + } + }, IgniteException.class, + "you can assign permission only start with [EVENTS_, ADMIN_], but you try TASK_EXECUTE" + ); + + permsBuilder.appendCachePermissions( + "cache1", CACHE_PUT, CACHE_REMOVE + ).appendCachePermissions( + "cache2", CACHE_READ + ).appendTaskPermissions( + "task1", TASK_CANCEL + ).appendTaskPermissions( + "task2", TASK_EXECUTE + ).appendSystemPermissions(ADMIN_VIEW, EVENTS_ENABLE); + + SecurityPermissionSet actual = permsBuilder.build(); + + assertEquals(exp.cachePermissions(), actual.cachePermissions()); + assertEquals(exp.taskPermissions(), actual.taskPermissions()); + assertEquals(exp.systemPermissions(), actual.systemPermissions()); + assertEquals(exp.defaultAllowAll(), actual.defaultAllowAll()); + } +} http://git-wip-us.apache.org/repos/asf/ignite/blob/40ef2f5a/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java ---------------------------------------------------------------------- diff --git a/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java b/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java index 62c2eb3..6ab0885 100644 --- a/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java +++ b/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java 
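Review bot: `testPermissionBuilder` never appends twice under the same name and never calls `defaultAllowAll(true)`, so the `col.addAll(perms)` branch of the builder's `append` and the flag setter are not exercised; the last `assertEquals` only compares `false` with `false`. I would add a second `appendCachePermissions("cache1", ...)` call with a different permission and assert the merged collection, and build once with `defaultAllowAll(true)` and assert that `actual.defaultAllowAll()` is true. The new file also starts at `package` without the Apache license header that the two other new files in this commit carry.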
@@ -53,6 +53,7 @@ import org.apache.ignite.marshaller.DynamicProxySerializationMultiJvmSelfTest; import org.apache.ignite.messaging.GridMessagingNoPeerClassLoadingSelfTest; import org.apache.ignite.messaging.GridMessagingSelfTest; import org.apache.ignite.messaging.IgniteMessagingWithClientTest; +import org.apache.ignite.plugin.security.SecurityPermissionSetBuilderTest; import org.apache.ignite.spi.GridSpiLocalHostInjectionTest; import org.apache.ignite.startup.properties.NotStringSystemPropertyTest; import org.apache.ignite.testframework.GridTestUtils; @@ -143,6 +144,8 @@ public class IgniteBasicTestSuite extends TestSuite { suite.addTestSuite(MarshallerContextLockingSelfTest.class); + suite.addTestSuite(SecurityPermissionSetBuilderTest.class); + return suite; } }