ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mad...@apache.org
Subject incubator-ranger git commit: RANGER-232 Knox plugin review comments
Date Thu, 12 Feb 2015 08:09:24 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/stack 604d3bb79 -> 9f559d5fe


RANGER-232 Knox plugin review comments

Signed-off-by: Madhan Neethiraj <madhan@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/9f559d5f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/9f559d5f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/9f559d5f

Branch: refs/heads/stack
Commit: 9f559d5fe955dc103792a5bd40caa7cb12d4c5c7
Parents: 604d3bb
Author: Alok Lal <alal@hortonworks.com>
Authored: Sun Feb 8 18:11:08 2015 -0800
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Thu Feb 12 00:03:42 2015 -0800

----------------------------------------------------------------------
 .../RangerConditionEvaluator.java               |   3 +-
 .../conditionevaluator/RangerIpMatcher.java     | 217 ++++++++++++----
 .../policyengine/RangerAccessRequest.java       |   2 -
 .../policyengine/RangerAccessRequestImpl.java   |  20 --
 .../RangerDefaultPolicyEvaluator.java           |  67 +++--
 .../conditionevaluator/RangerIpMatcherTest.java | 258 +++++++++++++------
 .../RangerDefaultPolicyEvaluatorTest.java       | 111 ++++++--
 .../authorization/knox/KnoxRangerPlugin.java    |  11 +-
 .../RangerPDPKnoxDeploymentContributor.java     |   2 +-
 9 files changed, 466 insertions(+), 225 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java
index 9dc61a7..345a017 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java
@@ -1,9 +1,10 @@
 package org.apache.ranger.plugin.conditionevaluator;
 
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 
 public interface RangerConditionEvaluator {
 
 	void init(RangerPolicyItemCondition condition);
-	boolean isMatched(String value);
+	boolean isMatched(RangerAccessRequest request);
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java
index f21f7f4..f7b3a91 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java
@@ -21,12 +21,16 @@
 package org.apache.ranger.plugin.conditionevaluator;
 
 import java.util.ArrayList;
+import java.util.Iterator;
 import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 
 /**
  * Credits: Large parts of this file have been lifted as is from org.apache.ranger.pdp.knox.URLBasedAuthDB.
 Credits for those are due to Dilli Arumugam. 
@@ -36,82 +40,183 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
 public class RangerIpMatcher implements RangerConditionEvaluator {
 
 	private static final Log LOG = LogFactory.getLog(RangerIpMatcher.class);
-	private List<String> _ipAddresses = new ArrayList<String>();
+	private List<String> _exactIps = new ArrayList<String>();
+	private List<String> _wildCardIps = new ArrayList<String>();
 	private boolean _allowAny = false;
-
+	public static final String ConditionName = "ip-range";
+	
 	@Override
-	public void init(RangerPolicyItemCondition condition) {
-		if (condition != null) {
-			List<String> ipAddresses = condition.getValues();
-			if (CollectionUtils.isNotEmpty(ipAddresses)) {
-				_ipAddresses.addAll(ipAddresses);
-				// do this once, contains on a list is O(n) operation!
-				if (_ipAddresses.contains("*")) {
+	public void init(final RangerPolicyItemCondition condition) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerIpMatcher.init(" + condition + ")");
+		}
+
+		if (condition == null) {
+			LOG.debug("init: null policy condition! Will match always!");
+			_allowAny = true;
+		} else if (CollectionUtils.isEmpty(condition.getValues())) {
+			LOG.debug("init: empty conditions collection on policy condition!  Will match always!");
+			_allowAny = true;
+		} else if (condition.getValues().contains("*")) {
+			_allowAny = true;
+			LOG.debug("init: wildcard value found.  Will match always.");
+		} else {
+			for (String ip : condition.getValues()) {
+				String digestedIp = digestPolicyIp(ip);
+				if (digestedIp.isEmpty()) {
+					LOG.debug("init: digested ip was empty! Will match always");
 					_allowAny = true;
+				} else if (digestedIp.equals(ip)) {
+					_exactIps.add(ip);
+				} else {
+					_wildCardIps.add(digestedIp);
 				}
 			}
 		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerIpMatcher.init(" + condition + "): exact-ips[" + _exactIps + "],
wildcard-ips[" + _wildCardIps + "]");
+		}
 	}
 
 	@Override
-	public boolean isMatched(String requestIp) {
-		boolean ipMatched = false;
-		if (LOG.isDebugEnabled()) {
-			LOG.debug("Checking ipMatch for rolePermissionIpList: " + _ipAddresses +
-					", requestIP: " + requestIp);
-		}
-		if (CollectionUtils.isEmpty(_ipAddresses)) {
-			LOG.debug("RolePermission does not require IP Matching");
-			ipMatched = true;
-		} else if (_allowAny) {
-			LOG.debug("RolePermission allows any IP: *");
-			ipMatched = true;
+	public boolean isMatched(final RangerAccessRequest request) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerIpMatcher.isMatched(" + request + ")");
+		}
+
+		boolean ipMatched = true;
+		if (_allowAny) {
+			LOG.debug("isMatched: allowAny flag is true.  Matched!");
 		} else {
-			for (String ip : _ipAddresses) {
-				if (ipMatches(ip, requestIp)) {
-					LOG.debug("RolePermission IP matches request IP");
-					ipMatched = true;
-					break;// break out of ipList
-				}
+			String requestIp = extractIp(request);
+			if (requestIp == null) {
+				LOG.debug("isMatched: couldn't get ip address from request.  Ok.  Implicitly matched!");
+			} else {
+				ipMatched = isWildcardMatched(_wildCardIps, requestIp) || isExactlyMatched(_exactIps,
requestIp);
 			}
 		}
+		
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerIpMatcher.isMatched(" + request+ "): " + ipMatched);
+		}
+
 		return ipMatched;
 	}
 	
-	private boolean ipMatches(String policyIp, String requestIp) {
-		if (policyIp == null) {
-			return false;
-		}
-		policyIp = policyIp.trim();
-		if (policyIp.isEmpty()) {
-			return false;
-		}
-		boolean ipMatched = false;
-		boolean wildEnd = false;
-		if (policyIp.contains(".")) {
-			while (policyIp.endsWith(".*")) {
-				wildEnd = true;
-				policyIp = policyIp.substring(0, policyIp.lastIndexOf(".*"));
-			}
-			if (wildEnd) {
-				policyIp = policyIp + ".";
-			}
-		} else if (policyIp.contains(":")) {
-			while (policyIp.endsWith(":*")) {
-				wildEnd = true;
-				policyIp = policyIp.substring(0, policyIp.lastIndexOf(":*"));
+	/**
+	 * Pre-digests the policy ip address to drop any trailing wildcard specifiers such that
a simple beginsWith match can be done to check for match during authorization calls
+	 * @param ip
+	 * @return
+	 */
+	static final Pattern allWildcards = Pattern.compile("^((\\*(\\.\\*)*)|(\\*(:\\*)*))$");
// "*", "*.*", "*.*.*", "*:*", "*:*:*", etc.
+	static final Pattern trailingWildcardsIp4 = Pattern.compile("(\\.\\*)+$"); // "blah.*",
"blah.*.*", etc.
+	static final Pattern trailingWildcardsIp6 = Pattern.compile("(:\\*)+$");   // "blah:*",
"blah:*:*", etc.
+	
+	String digestPolicyIp(final String policyIp) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerIpMatcher.digestPolicyIp(" + policyIp + ")");
+		}
+
+		String result;
+		Matcher matcher = allWildcards.matcher(policyIp);
+		if (matcher.matches()) {
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("digestPolicyIp: policyIP[" + policyIp +"] all wildcards.");
 			}
-			if (wildEnd) {
-				policyIp = policyIp + ":";
+			result = "";
+		} else if (policyIp.contains(".")) {
+			matcher = trailingWildcardsIp4.matcher(policyIp);
+			result = matcher.replaceFirst(".");
+		} else {
+			matcher = trailingWildcardsIp6.matcher(policyIp);
+			// also lower cases the ipv6 items
+			result = matcher.replaceFirst(":").toLowerCase();
+		}
+		
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerIpMatcher.digestPolicyIp(" + policyIp + "): " + policyIp);
+		}
+		return result;
+	}
+	
+	boolean isWildcardMatched(final List<String> ips, final String requestIp) {
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerIpMatcher.isWildcardMatched(" + ips+ ", " + requestIp + ")");
+		}
+
+		boolean matchFound = false;
+		Iterator<String> iterator = ips.iterator();
+		while (iterator.hasNext() && !matchFound) {
+			String ip = iterator.next();
+			if (requestIp.contains(".") && requestIp.startsWith(ip)) {
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("Wildcard Policy IP[" + ip + "] matches request IPv4[" + requestIp + "].");
+				}
+				matchFound = true;
+			} else if (requestIp.toLowerCase().startsWith(ip)) {
+					if (LOG.isDebugEnabled()) {
+						LOG.debug("Wildcard Policy IP[" + ip + "] matches request IPv6[" + requestIp + "].");
+					}
+					matchFound = true;
+			} else {
+				LOG.debug("Wildcard policy IP[" + ip + "] did not match request IP[" + requestIp + "].");
 			}
 		}
-		if (wildEnd && requestIp.toLowerCase().startsWith(policyIp.toLowerCase())) {
-			ipMatched = true;
-		} else if (policyIp.equalsIgnoreCase(requestIp)) {
-			ipMatched = true;
+		
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerIpMatcher.isWildcardMatched(" + ips+ ", " + requestIp + "): "
+ matchFound);
 		}
-		return ipMatched;
+		return matchFound;
+	}
+	
+	boolean isExactlyMatched(final List<String> ips, final String requestIp) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerIpMatcher.isExactlyMatched(" + ips+ ", " + requestIp + ")");
+		}
+
+		boolean matchFound = false;
+		if (requestIp.contains(".")) {
+			matchFound = ips.contains(requestIp);
+		} else {
+			matchFound = ips.contains(requestIp.toLowerCase());
+		}
+		
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerIpMatcher.isExactlyMatched(" + ips+ ", " + requestIp + "): " +
matchFound);
+		}
+		return matchFound;
 	}
+	
+	/**
+	 * Extracts and returns the ip address from the request.  Returns null if one can't be obtained
out of the request.
+	 * @param request
+	 * @return
+	 */
+	String extractIp(final RangerAccessRequest request) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerIpMatcher.extractIp(" + request+ ")");
+		}
 
+		String ip = null;
+		if (request == null) {
+			LOG.debug("isMatched: Unexpected: null request.  Implicitly matched!");
+		} else if (request.getContext() == null) {
+			LOG.debug("isMatched: Context map of request is null.  Ok. Implicitly matched!");
+		} else if (CollectionUtils.isEmpty(request.getContext().entrySet())) {
+			LOG.debug("isMatched: Missing context on request.  Ok. Condition isn't applicable.  Implicitly
matched!");
+		} else if (!request.getContext().containsKey(ConditionName)) {
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("isMatched: Unexpected: Context did not have data for condition[" + ConditionName
+ "]. Implicitly matched!");
+			}
+		} else {
+			ip = (String)request.getContext().get(ConditionName);
+		}
 
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerIpMatcher.extractIp(" + request+ "): " + ip);
+		}
+		return ip;
+	}
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
index 3f4570d..56a55ae 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
@@ -45,6 +45,4 @@ public interface RangerAccessRequest {
 	String getSessionId();
 	
 	Map<String, Object> getContext();
-	
-	Map<String, String> getConditions();
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index 1114804..bc23763 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -38,8 +38,6 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 	private String              requestData     = null;
 	private String              sessionId       = null;
 	private Map<String, Object> context         = null;
-	private Map<String, String> conditions      = null;
-
 
 	public RangerAccessRequestImpl() {
 		this(null, null, null, null);
@@ -59,7 +57,6 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 		setRequestData(null);
 		setSessionId(null);
 		setContext(null);
-		setConditions(null);
 	}
 
 	@Override
@@ -117,11 +114,6 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 		return context;
 	}
 
-	@Override
-	public Map<String, String> getConditions() {
-		return conditions;
-	}
-
 	public void setResource(RangerResource resource) {
 		this.resource = resource;
 	}
@@ -166,10 +158,6 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 		this.context = (context == null) ? new HashMap<String, Object>() : context;
 	}
 
-	public void setConditions(final Map<String, String> conditions) {
-		this.conditions = (conditions == null) ? new HashMap<String, String>() : conditions;
-	}
-
 	@Override
 	public String toString( ) {
 		StringBuilder sb = new StringBuilder();
@@ -210,14 +198,6 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 		}
 		sb.append("} ");
 
-		sb.append("conditions={");
-		if(conditions != null) {
-			for(Map.Entry<String, String> e : conditions.entrySet()) {
-				sb.append(e.getKey()).append("={").append(e.getValue()).append("} ");
-			}
-		}
-		sb.append("} ");
-
 		sb.append("}");
 
 		return sb;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 7d05d30..e3535ac 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -186,18 +186,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 			Class<RangerConditionEvaluator> matcherClass = (Class<RangerConditionEvaluator>)Class.forName(className);
 
 			evaluator = matcherClass.newInstance();
-		} catch(ClassNotFoundException excp) {
-			LOG.error("Caught ClassNotFoundException: error instantiating object of class[" + className
+ "].  Returning null!");
-			excp.printStackTrace();
-		} catch (InstantiationException excp) {
-			LOG.error("Caught InstantiationException: error instantiating object of class[" + className
+ "].  Returning null!");
-			excp.printStackTrace();
-		} catch (IllegalAccessException excp) {
-			LOG.error("Caught IllegalAccessException: error instantiating object of class[" + className
+ "].  Returning null!");
-			excp.printStackTrace();
-		} catch (Throwable t) {
-			LOG.error("Caught Throwable: unexpected error instantiating object of class[" + className
+ "].  Returning null!");
-			t.printStackTrace();
+		} catch(Throwable t) {
+			LOG.error("Caught Throwable: unexpected error instantiating object of class[" + className
+ "].  Returning null!", t);
 		}
 	
 		if(LOG.isDebugEnabled()) {
@@ -252,7 +242,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 						continue;
 					}
 
-					boolean isCustomConditionsMatch = matchCustomConditions(request, conditionEvaluators);
+					boolean isCustomConditionsMatch = matchCustomConditions(policyItem, request, conditionEvaluators);
 
 					if(! isCustomConditionsMatch) {
 						continue;
@@ -458,43 +448,50 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 	}
 
 	// takes map in as argument for testability
-	protected boolean matchCustomConditions(RangerAccessRequest request, Map<String, RangerConditionEvaluator>
evaluatorMap) {
+	protected boolean matchCustomConditions(RangerPolicyItem policyItem, RangerAccessRequest
request, Map<String, RangerConditionEvaluator> evaluatorMap) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerDefaultPolicyEvaluator.matchCustomConditions(" + request + ")");
 		}
 
-		boolean matched = true;
-		
-		Map<String, String> input = request.getConditions();
-		if (input == null || input.size() == 0) {
-			// if input didn't even have certain inputs then it could never fail the check.
-			matched = true;  // assignment only to document in code the result
+		boolean result = true;
+		if (policyItem == null) {
+			LOG.debug("matchCustomConditions: Unexpected: policyItem was null");
+		} else if (CollectionUtils.isEmpty(policyItem.getConditions())) {
+			LOG.debug("matchCustomConditions: policy item does not have any conditions! Ok, implicitly
passed.");
 		} else {
-			// we want to abort the minute we find a mismatch
-			Iterator<Map.Entry<String, String>> iterator = input.entrySet().iterator();
+			Iterator<RangerPolicyItemCondition> iterator = policyItem.getConditions().iterator();
+			/*
+			 * We need to let the request be evaluated by the condition evaluator for each condition
on the policy item.
+			 * We bail out as soon as we find a mismatch, i.e. ALL conditions must succeed for condition
evaluation to return true.
+			 */
+			boolean matched = true;
 			while (iterator.hasNext() && matched) {
-				Map.Entry<String, String> anEntry = iterator.next();
-				String conditionName = anEntry.getKey();
-				String value = anEntry.getValue();
-				RangerConditionEvaluator evaluator = evaluatorMap.get(conditionName); 
-				if (evaluator == null) {
-					// it is possible that due to mis-configuration no evaluator was found. 
-					LOG.warn("No evaluator found for condition[" + conditionName + "]! Check implicitly
passed. Context: value[" + value + "]");
+				RangerPolicyItemCondition itemCondition = iterator.next();
+				if (itemCondition == null) {
+					LOG.debug("matchCustomConditions: Unexpected: Item condition on policy item was null!
 Ignoring...");
 				} else {
-					matched = evaluator.isMatched(value);
-					if (LOG.isDebugEnabled()) {
-						String format = "Condition evaluation verdict for condition[%s] with value[%s]: %s";
-						LOG.debug(String.format(format, conditionName, value, matched));
+					String conditionName = itemCondition.getType();
+					if (StringUtils.isBlank(conditionName)) {
+						LOG.debug("matchCustomConditions: Unexpected: condition name on item conditon [" +
conditionName + "] was null/empty/blank! Ignoring...");
+					} else if (!evaluatorMap.containsKey(conditionName)) {
+						LOG.warn("matchCustomConditions: Unexpected: Could not find condition evaluator for
condition[" + conditionName + "]! Ignoring...");
+					} else {
+						RangerConditionEvaluator conditionEvaluator = evaluatorMap.get(conditionName);
+						matched = conditionEvaluator.isMatched(request);
+						if (LOG.isDebugEnabled()) {
+							LOG.debug(String.format("matchCustomConditions: evaluator for condition[%s] returned[%s]
for request[%s]", conditionName, matched, request));
+						}
 					}
 				}
 			}
+			result = result && matched;
 		}
 		
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerDefaultPolicyEvaluator.matchCustomConditions(" + request + "):
" + matched);
+			LOG.debug("<== RangerDefaultPolicyEvaluator.matchCustomConditions(" + request + "):
" + result);
 		}
 
-		return matched;
+		return result;
 	}
 
 	protected RangerPolicyItemAccess getAccess(RangerPolicyItem policyItem, String accessType)
{

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java
b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java
index 10c8697..e2d5c3c 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java
@@ -20,18 +20,24 @@
 package org.apache.ranger.plugin.conditionevaluator;
 
 
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
 
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 
-import static org.mockito.Mockito.*;
-
 public class RangerIpMatcherTest {
 
 	@Before
@@ -45,116 +51,216 @@ public class RangerIpMatcherTest {
 	}
 
 	@Test
-	public void test() {
+	public void testUnexpected() {
+		// this documents some unexpected behavior of the ip matcher
+		RangerIpMatcher ipMatcher = createMatcher(new String[]{"1.2.3.*"} );
+		// NOTE: absurd and downright illegal ipv4 address would match too!
+		assertTrue(ipMatcher.isMatched(createRequest("1.2.3.123567")));
+		assertTrue(ipMatcher.isMatched(createRequest("1.2.3..123567")));
+		assertTrue(ipMatcher.isMatched(createRequest("1.2.3.boo")));
+		assertTrue(ipMatcher.isMatched(createRequest("1.2.3.")));
+		
+		// wildcard match happens only at the end
+		ipMatcher = createMatcher(new String[]{"1.*.3.4"} );
+		assertFalse(ipMatcher.isMatched(createRequest("1.3.3.4")));
+		assertFalse(ipMatcher.isMatched(createRequest("1.1.3.4")));
+		// it becomes a literal match!
+		assertTrue(ipMatcher.isMatched(createRequest("1.*.3.4")));
+		
+		// same is true of ipv6
+		ipMatcher = createMatcher(new String[]{"99:a9:b9:c9:*"} );
+		// NOTE: absurd and downright illegal ipv4 address would match too!
+		assertTrue(ipMatcher.isMatched(createRequest("99:a9:b9:c9:*")));
+		assertTrue(ipMatcher.isMatched(createRequest("99:a9:b9:c9:1.3.4")));
+		assertTrue(ipMatcher.isMatched(createRequest("99:a9:b9:c9: <:-) ")));
+	}
+	
+	@Test
+	public void test_isWildcardMatched() {
+		List<String> ips = Arrays.asList("1.2.3.", "1.3.", "2.", "a0:b0:c0:", "a0:b1:", "a2:");
+		RangerIpMatcher matcher = new RangerIpMatcher();
+		
+		assertTrue(matcher.isWildcardMatched(ips, "1.2.3.4"));
+		assertTrue(matcher.isWildcardMatched(ips, "1.3.3.4"));
+		assertTrue(matcher.isWildcardMatched(ips, "2.3.3.4"));
+		
+		assertTrue(matcher.isWildcardMatched(ips, "A0:B0:C0:D0:E0:F0"));
+		assertTrue(matcher.isWildcardMatched(ips, "A0:B1:C0:D0:E0:F0"));
+		assertTrue(matcher.isWildcardMatched(ips, "A2:B0:C1:D2:E3:F4"));
+
+		assertFalse(matcher.isWildcardMatched(ips, "1.2.33.4"));
+		assertFalse(matcher.isWildcardMatched(ips, "1.33.3.4"));
+		assertFalse(matcher.isWildcardMatched(ips, "22.3.3.4"));
+		
+		assertFalse(matcher.isWildcardMatched(ips, "A0:B0:00:D0:E0:F0"));
+		assertFalse(matcher.isWildcardMatched(ips, "A0:B2:C0:D0:E0:F0"));
+		assertFalse(matcher.isWildcardMatched(ips, "22:B0:C1:D2:E3:F4"));
+	}
+	
+	@Test
+	public void test_isExactlyMatched() {
+		List<String> ips = Arrays.asList("1.2.3.1", "1.2.3.11", "1.2.3.111", "a0:b0:c0:d0:e0:f0",
"a0:b0:c0:d0:e0:f1", "a0:b0:c0:d0:e0:f2");
+		RangerIpMatcher matcher = new RangerIpMatcher();
+		assertTrue(matcher.isExactlyMatched(ips, "1.2.3.1"));
+		assertTrue(matcher.isExactlyMatched(ips, "1.2.3.111"));
+		assertTrue(matcher.isExactlyMatched(ips, "A0:B0:C0:D0:E0:F1"));
+		assertTrue(matcher.isExactlyMatched(ips, "a0:b0:c0:d0:e0:f1"));
+
+		assertFalse(matcher.isExactlyMatched(ips, "1.2.3.2"));
+		assertFalse(matcher.isExactlyMatched(ips, "a0:b0:c0:d0:e0:f3"));
+	}
+	
+	@Test
+	public void test_extractIp() {
+		RangerIpMatcher matcher = new RangerIpMatcher();
+		assertNull(matcher.extractIp(null));
+
+		RangerAccessRequest request = mock(RangerAccessRequest.class);
+		when(request.getContext()).thenReturn(null);
+		assertNull(matcher.extractIp(request));
+		
+		Map<String, Object> context = new HashMap<String, Object>();
+		when(request.getContext()).thenReturn(context);
+		assertNull(matcher.extractIp(request));
+
+		// context does not contain the condition name we are looking for
+		context.put("!" + RangerIpMatcher.ConditionName, "value");
+		assertNull(matcher.extractIp(request));
+		
+		// value for the condition name itself isnull
+		context.clear();
+		context.put(RangerIpMatcher.ConditionName, null);
+		assertNull(matcher.extractIp(request));
+		
+		// get back what you put in
+		context.clear();
+		context.put(RangerIpMatcher.ConditionName, "aValue");
+		assertEquals("aValue", matcher.extractIp(request));
+	}
+	
+	@Test
+	public void test_digestIp() {
+		// comlete wildcards get reduced to empty string.
+		RangerIpMatcher matcher = new RangerIpMatcher();
+		assertEquals("", matcher.digestPolicyIp("*"));
+		assertEquals("", matcher.digestPolicyIp("*.*"));
+		assertEquals("", matcher.digestPolicyIp("*.*.*"));
+		assertEquals("", matcher.digestPolicyIp("*.*.*.*"));
+		assertEquals("", matcher.digestPolicyIp("*:*:*:*"));
+		assertEquals("", matcher.digestPolicyIp("*:*:*:*:*:*"));
+
+		// wildcard parts get dropped; retails trailing ./: to avoid doing partial number match
+		assertEquals("10.", matcher.digestPolicyIp("10.*"));
+		assertEquals("10.", matcher.digestPolicyIp("10.*.*"));
+		assertEquals("10.", matcher.digestPolicyIp("10.*.*.*"));
+		assertEquals("10.20.", matcher.digestPolicyIp("10.20.*"));
+		assertEquals("10.20.", matcher.digestPolicyIp("10.20.*.*"));
+		assertEquals("10.20.30.", matcher.digestPolicyIp("10.20.30.*"));
+		
+		// ipv6 digested values are also lower cased to ensure sensible comparison later
+		assertEquals("a0:", matcher.digestPolicyIp("A0:*"));
+		assertEquals("a0:", matcher.digestPolicyIp("a0:*:*"));
+		assertEquals("a0:", matcher.digestPolicyIp("A0:*:*:*"));
+		assertEquals("a0:b0:c0:", matcher.digestPolicyIp("A0:B0:C0:*"));
+	}
+
+	@Test
+	public void test_integration() {
 		
-		RangerIpMatcher ipMatcher = new RangerIpMatcher();
-		// uninitialized matcher shoudl behave sensibly!  empty matcher matches everything!
-		assertTrue(ipMatcher.isMatched("1.2.3.4"));
+		RangerIpMatcher ipMatcher = createMatcher(null);
+		// Matcher initialized with null policy should behave sensibly!  It matches everything!
+		assertTrue(ipMatcher.isMatched(createRequest("1.2.3.4")));
 		
 		// empty ip-address list is same as null, i.e. matchs anything!
 		ipMatcher = createMatcher(new String[]{});
-		assertTrue(ipMatcher.isMatched("1.2.3.4"));
+		assertTrue(ipMatcher.isMatched(createRequest("1.2.3.4")));
 
 		// wildcard address will match anything -- ipv4 and ipv6 addresses
 		ipMatcher = createMatcher(new String[]{"*"});
-		assertTrue(ipMatcher.isMatched("1.2.3.4"));
-		assertTrue(ipMatcher.isMatched("1:2:3:4:5:6"));
+		assertTrue(ipMatcher.isMatched(createRequest("1.2.3.4")));
+		assertTrue(ipMatcher.isMatched(createRequest("1:2:3:4:5:6")));
 		
 		// partial wildcard matches work as expected.
 		ipMatcher = createMatcher(new String[]{"1.2.3.*"} );
-		assertTrue(ipMatcher.isMatched("1.2.3.4"));
-		assertTrue(ipMatcher.isMatched("1.2.3.123"));
+		assertTrue(ipMatcher.isMatched(createRequest("1.2.3.4")));
+		assertTrue(ipMatcher.isMatched(createRequest("1.2.3.123")));
 		// NOTE: absurd ipv4 address but it should match too!
-		assertTrue(ipMatcher.isMatched("1.2.3.123567"));
-		assertTrue(ipMatcher.isMatched("1.2.3..123567"));
-		assertTrue(ipMatcher.isMatched("1.2.3.boo"));
+		assertTrue(ipMatcher.isMatched(createRequest("1.2.3.123567")));
+		assertTrue(ipMatcher.isMatched(createRequest("1.2.3..123567")));
+		assertTrue(ipMatcher.isMatched(createRequest("1.2.3.boo")));
 		// mismatches caught correctly
-		assertFalse(ipMatcher.isMatched("1.2.31.123567"));
-		assertFalse(ipMatcher.isMatched("1.2.33.123567"));
+		assertFalse(ipMatcher.isMatched(createRequest("1.2.31.123567")));
+		assertFalse(ipMatcher.isMatched(createRequest("1.2.33.123567")));
 		// no address has special meaning
-		assertFalse(ipMatcher.isMatched("1.2.0.0"));
-		assertFalse(ipMatcher.isMatched("1.2.255.255"));
-		assertFalse(ipMatcher.isMatched("1.2.254.254"));
-		assertFalse(ipMatcher.isMatched("0.0.0.0"));
-		assertFalse(ipMatcher.isMatched("255.255.255.255"));
+		assertFalse(ipMatcher.isMatched(createRequest("1.2.0.0")));
+		assertFalse(ipMatcher.isMatched(createRequest("1.2.255.255")));
+		assertFalse(ipMatcher.isMatched(createRequest("1.2.254.254")));
+		assertFalse(ipMatcher.isMatched(createRequest("0.0.0.0")));
+		assertFalse(ipMatcher.isMatched(createRequest("255.255.255.255")));
 
 		// wild card can be more than one octets
 		ipMatcher = createMatcher(new String[]{"11.22.*.*"} );
-		assertTrue(ipMatcher.isMatched("11.22.33.4"));
-		assertTrue(ipMatcher.isMatched("11.22.33.44"));
-		assertTrue(ipMatcher.isMatched("11.22.253.190"));
-		assertTrue(ipMatcher.isMatched("11.22.253.190"));
+		assertTrue(ipMatcher.isMatched(createRequest("11.22.33.4")));
+		assertTrue(ipMatcher.isMatched(createRequest("11.22.33.44")));
+		assertTrue(ipMatcher.isMatched(createRequest("11.22.253.190")));
+		assertTrue(ipMatcher.isMatched(createRequest("11.22.253.190")));
 		// mismatches
-		assertFalse(ipMatcher.isMatched("11.222.253.190"));
-		assertFalse(ipMatcher.isMatched("11.21.253.190"));
+		assertFalse(ipMatcher.isMatched(createRequest("11.222.253.190")));
+		assertFalse(ipMatcher.isMatched(createRequest("11.21.253.190")));
 		
 		// one need't provide all the octets; missing ones are treaetd as wild cards
 		ipMatcher = createMatcher(new String[]{"193.214.*"} ); // note just 3 octets in pattern
-		assertTrue(ipMatcher.isMatched("193.214.3.4"));
-		assertFalse(ipMatcher.isMatched("193.21.253.190"));
+		assertTrue(ipMatcher.isMatched(createRequest("193.214.3.4")));
+		assertFalse(ipMatcher.isMatched(createRequest("193.21.253.190")));
 		// can't match ipv6 address using a ipv4 policy
-		assertFalse(ipMatcher.isMatched("193:214:3:4"));
+		assertFalse(ipMatcher.isMatched(createRequest("193:214:3:4")));
 		
 		// same holds for ipv6 addresses
 		ipMatcher = createMatcher(new String[]{"193:214:*"} );
-		assertTrue(ipMatcher.isMatched("193:214:3:4:5:6"));
-		assertTrue(ipMatcher.isMatched("193:214:13:94:a90:b4f"));
+		assertTrue(ipMatcher.isMatched(createRequest("193:214:3:4:5:6")));
+		assertTrue(ipMatcher.isMatched(createRequest("193:214:13:94:a90:b4f")));
 		// mismatches work as expected
-		assertFalse(ipMatcher.isMatched("193:215:13:94:a90:b4f"));
+		assertFalse(ipMatcher.isMatched(createRequest("193:215:13:94:a90:b4f")));
 		// can't match ipv4 address against ipv6 policy
-		assertFalse(ipMatcher.isMatched("193.214.3.4"));
+		assertFalse(ipMatcher.isMatched(createRequest("193.214.3.4")));
 		
 		// direct match works as expected
 		ipMatcher = createMatcher(new String[]{"99:a9:b9:c9:d9:e9"} );
-		assertTrue(ipMatcher.isMatched("99:a9:b9:c9:d9:e9"));
-		assertFalse(ipMatcher.isMatched("99:a9:b9:c9:d0:e9"));
+		assertTrue(ipMatcher.isMatched(createRequest("99:a9:b9:c9:d9:e9")));
+		assertFalse(ipMatcher.isMatched(createRequest("99:a9:b9:c9:d0:e9")));
 		
 		// Matcher can support multiple patterns of different domains - a mix of ipv4 and ipv6
addresses
 		ipMatcher = createMatcher(new String[]{"10.20.30.*", "99:a9:b9:c9:d9:*"} );
-		assertTrue(ipMatcher.isMatched("99:a9:b9:c9:d9:e9"));
-		assertTrue(ipMatcher.isMatched("99:a9:b9:c9:d9:e9"));
-		assertFalse(ipMatcher.isMatched("99:a9:b9:c9:dd:e9"));
-		assertFalse(ipMatcher.isMatched("89:a9:b9:c9:d9:e9"));
-		assertTrue(ipMatcher.isMatched("10.20.30.10"));
-		assertTrue(ipMatcher.isMatched("10.20.30.20"));
-		assertFalse(ipMatcher.isMatched("10.20.3.10"));
-		assertFalse(ipMatcher.isMatched("10.20.33.10"));
+		assertTrue(ipMatcher.isMatched(createRequest("99:a9:b9:c9:d9:e9")));
+		assertTrue(ipMatcher.isMatched(createRequest("99:a9:b9:c9:d9:e9")));
+		assertFalse(ipMatcher.isMatched(createRequest("99:a9:b9:c9:dd:e9")));
+		assertFalse(ipMatcher.isMatched(createRequest("89:a9:b9:c9:d9:e9")));
+		assertTrue(ipMatcher.isMatched(createRequest("10.20.30.10")));
+		assertTrue(ipMatcher.isMatched(createRequest("10.20.30.20")));
+		assertFalse(ipMatcher.isMatched(createRequest("10.20.3.10")));
+		assertFalse(ipMatcher.isMatched(createRequest("10.20.33.10")));
 	}
 	
-	@Test
-	public void testUnexpected() {
-		// this documents some unexpected behavior of the ip matcher
-		RangerIpMatcher ipMatcher = createMatcher(new String[]{"1.2.3.*"} );
-		// NOTE: absurd and downright illegal ipv4 address would match too!
-		assertTrue(ipMatcher.isMatched("1.2.3.123567"));
-		assertTrue(ipMatcher.isMatched("1.2.3..123567"));
-		assertTrue(ipMatcher.isMatched("1.2.3.boo"));
-		assertTrue(ipMatcher.isMatched("1.2.3."));
-		
-		// wildcard match happens only at the end
-		ipMatcher = createMatcher(new String[]{"1.*.3.4"} );
-		assertFalse(ipMatcher.isMatched("1.3.3.4"));
-		assertFalse(ipMatcher.isMatched("1.1.3.4"));
-		// it becomes a literal match!
-		assertTrue(ipMatcher.isMatched("1.*.3.4"));
-		
-		// same is true of ipv6
-		ipMatcher = createMatcher(new String[]{"99:a9:b9:c9:*"} );
-		// NOTE: absurd and downright illegal ipv4 address would match too!
-		assertTrue(ipMatcher.isMatched("99:a9:b9:c9:*"));
-		assertTrue(ipMatcher.isMatched("99:a9:b9:c9:1.3.4"));
-		assertTrue(ipMatcher.isMatched("99:a9:b9:c9: <:-) "));
-	}
-
 	RangerIpMatcher createMatcher(String[] ipArray) {
-		List<String> addresses = Arrays.asList(ipArray);
-
-		RangerPolicyItemCondition condition = mock(RangerPolicyItemCondition.class);
-		
-		when(condition.getValues()).thenReturn(addresses);
 		RangerIpMatcher matcher = new RangerIpMatcher();
-		matcher.init(condition);
+
+		if (ipArray == null) {
+			matcher.init(null);
+		} else {
+			RangerPolicyItemCondition condition = mock(RangerPolicyItemCondition.class);
+			List<String> addresses = Arrays.asList(ipArray);
+			when(condition.getValues()).thenReturn(addresses);
+			matcher.init(condition);
+		}
 		
 		return matcher;
 	}
+	
+	RangerAccessRequest createRequest(String requestIp) {
+		Map<String, Object> context = new HashMap<String, Object>();
+		context.put(RangerIpMatcher.ConditionName, requestIp);
+		RangerAccessRequest request = mock(RangerAccessRequest.class);
+		when(request.getContext()).thenReturn(context);
+		return request;
+	}
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java
index a42ad5b..036eff6 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java
@@ -20,7 +20,11 @@
 package org.apache.ranger.plugin.policyevaluator;
 
 
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
@@ -199,7 +203,7 @@ public class RangerDefaultPolicyEvaluatorTest {
 			// empty body!
 		}
 		@Override
-		public boolean isMatched(String value) {
+		public boolean isMatched(RangerAccessRequest request) {
 			return true;
 		}
 		
@@ -213,7 +217,7 @@ public class RangerDefaultPolicyEvaluatorTest {
 		}
 
 		@Override
-		public boolean isMatched(String value) {
+		public boolean isMatched(RangerAccessRequest request) {
 			return false;
 		}
 		
@@ -225,38 +229,66 @@ public class RangerDefaultPolicyEvaluatorTest {
 	static class Evaluator4 extends AlwaysFail {}
 	
 	/**
-	 * A request may contain a value for several conditions.  A policy could contain evaluators
for more conditions than that are in the request.
-	 * check should fail if any condition check fails for the conditions that are contained
in the request
+	 * A request may contain a value for several conditions.  A policy item could contain evaluators
for more/different conditions than that are in the request.
+	 * check should fail if condition evaluator for any policy fails for a conditions contained
in the request.  If request does not have data for a condition
+	 * then it should succeed.  Data in request for condition that are not part of the policy
item shouldn't affect the result.
 	 */
 	@Test
-	public void test_matchCustomConditions_happyPath() {
+	public void test_matchCustomConditions_happyPath1() {
+
+		// let's create the condition evaluator map for 4 conditions.
+		Map<String, RangerConditionEvaluator> evaluators = createEvaluatorMap();
 		
-		// let's first create a request with 3 different conditons
-		Map<String, String> requestValues = new HashMap<String, String>();
-		requestValues.put("c1", "value1");
-		requestValues.put("c2", "value2");
-		// let's create the condition evaluator map for each of these conditions and some more.
-		RangerAccessRequest request = mock(RangerAccessRequest.class);
-		when(request.getConditions()).thenReturn(requestValues);
-		Map<String, RangerConditionEvaluator> evaluators = new HashMap<String, RangerConditionEvaluator>();
-		evaluators.put("c1", new Evaluator1());
-		evaluators.put("c2", new Evaluator2());
-		evaluators.put("c3", new Evaluator3()); // conditions 3 and 4 would always fail!
-		evaluators.put("c4", new Evaluator4());
-		// stuff the evaluator with this map
+		// let's first create a request with 2 different conditions
+		RangerAccessRequest request = createAccessRequestWithConditions(new String[] {"c1", "c2"});
+
+		// Create a policy item -- which also has same exact same number of policy conditions defined
on it (2)
+		RangerPolicyItem policyItem = createPolicyItemForConditions(new String[] {"c1", "c2"} );
+		
+		// check for success
 		RangerDefaultPolicyEvaluator policyEvaluator = new RangerDefaultPolicyEvaluator();
-		boolean result = policyEvaluator.matchCustomConditions(request, evaluators);
+		boolean result = policyEvaluator.matchCustomConditions(policyItem, request, evaluators);
+		assertTrue(result);
+
+		// missing conditions on request are ok, too -- they always succeed
+		// policy item has conditions c1 and c2 where as context will only have c1. 
+		request = createAccessRequestWithConditions(new String[] { "c1" } );
+		result = policyEvaluator.matchCustomConditions(policyItem, request, evaluators);
 		assertTrue(result);
 		
-		// now check for failure
-		requestValues.clear();
-		requestValues.put("c1", "value1");
-		requestValues.put("c3", "value3");
-		when(request.getConditions()).thenReturn(requestValues);
-		result = policyEvaluator.matchCustomConditions(request, evaluators);
+		// Extra conditions on request are ok, too -- they always succeed
+		// policy item has conditions c1 and c2 where as context has values for conditions c3 and
c4 on it and we know their evaluators always fail! 
+		request = createAccessRequestWithConditions(new String[] {"c3", "c4"});
+		result = policyEvaluator.matchCustomConditions(policyItem, request, evaluators);
+		assertTrue(result);
+	}
+	
+	@Test
+	public void test_matchCustomConditions_happyPath2() {
+		// let's create the condition evaluator map for 4 conditions and some more.
+		Map<String, RangerConditionEvaluator> evaluators = createEvaluatorMap();
+		
+		// create policy item with a condition that we know will always fail
+		RangerPolicyItem policyItem = createPolicyItemForConditions(new String[] { "c1", "c3" }
);
+		
+		// let's first create a request with 2 different conditions
+		RangerAccessRequest request = createAccessRequestWithConditions(new String[]{"c1", "c3"});
+
+		RangerDefaultPolicyEvaluator policyEvaluator = new RangerDefaultPolicyEvaluator();
+		boolean result = policyEvaluator.matchCustomConditions(policyItem, request, evaluators);
 		assertFalse(result);
 	}
 	
+	Map<String, RangerConditionEvaluator> createEvaluatorMap() {
+		Map<String, RangerConditionEvaluator> map = new HashMap<String, RangerConditionEvaluator>();
+		map.put("c1", new Evaluator1());
+		map.put("c2", new Evaluator2());
+		map.put("c3", new Evaluator3()); // conditions 3 and 4 would always fail!
+		map.put("c4", new Evaluator4());
+
+		return map;
+	}
+	
 	RangerPolicyItem getMockPolicyItem(String[] strings) {
 		RangerPolicyItem policyItem = mock(RangerPolicyItem.class);
 		if (strings == null) {
@@ -294,4 +326,31 @@ public class RangerDefaultPolicyEvaluatorTest {
 		return serviceDef;
 	}
 	
+	RangerPolicyItem createPolicyItemForConditions(String[] conditions) {
+
+		List<RangerPolicyItemCondition> itemConditions = new ArrayList<RangerPolicy.RangerPolicyItemCondition>(conditions.length);
+		for (String conditionName : conditions) {
+			RangerPolicyItemCondition condition = mock(RangerPolicyItemCondition.class);
+			when(condition.getType()).thenReturn(conditionName);
+			itemConditions.add(condition);
+		}
+
+		RangerPolicyItem policyItem = mock(RangerPolicyItem.class);
+		when(policyItem.getConditions()).thenReturn(itemConditions);
+		
+		return policyItem;
+	}
+	
+	RangerAccessRequest createAccessRequestWithConditions(String[] conditionNames) {
+		// let's first create a request with 2 different conditions
+		Map<String, Object> context = new HashMap<String, Object>(conditionNames.length);
+		for (String conditionName: conditionNames) {
+			// value is not important for our test
+			context.put(conditionName, conditionName + "-value");
+		}
+		RangerAccessRequest request = mock(RangerAccessRequest.class);
+		when(request.getContext()).thenReturn(context);
+		
+		return request;
+	}
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
index 5eee332..d5095de 100644
--- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
+++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
@@ -24,9 +24,9 @@ import java.util.Map;
 import java.util.Set;
 
 import org.apache.ranger.authorization.knox.KnoxRangerPlugin.KnoxConstants.AccessType;
-import org.apache.ranger.authorization.knox.KnoxRangerPlugin.KnoxConstants.Condition;
 import org.apache.ranger.authorization.knox.KnoxRangerPlugin.KnoxConstants.PluginConfiguration;
 import org.apache.ranger.authorization.knox.KnoxRangerPlugin.KnoxConstants.ResourceName;
+import org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerResourceImpl;
@@ -95,8 +95,8 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
 			request.setUserGroups(_groups);
 			request.setResource(resource);
 			// build condition for IP address
-			Map<String, String> conditions = Collections.singletonMap(Condition.IpRange, _clientIp);
-			request.setConditions(conditions);
+			Map<String, Object> conditions = Collections.singletonMap(RangerIpMatcher.ConditionName,
(Object)_clientIp);
+			request.setContext(conditions);
 			
 			return request;
 		}
@@ -120,10 +120,5 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
 		static class AccessType {
 			static final String Allow = "allow";
 		}
-		
-		// must match the corresponding string used in service definition file
-		static class Condition {
-			static final String IpRange = "ip-range";
-		}
 	}
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java
b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java
index 6272f4a..4e497c2 100644
--- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java
+++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java
@@ -40,7 +40,7 @@ public class RangerPDPKnoxDeploymentContributor extends ProviderDeploymentContri
 
   @Override
   public String getName() {
-    return "XASecurePDPKnox";
+    return "RangerPDPKnox";
   }
 
   @Override


Mime
View raw message