jtuglu1 commented on code in PR #19011:
URL: https://github.com/apache/druid/pull/19011#discussion_r2834796586


##########
server/src/test/java/org/apache/druid/server/QueryBlocklistRuleTest.java:
##########
@@ -0,0 +1,179 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.server;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import org.apache.druid.query.Druids;
+import org.apache.druid.query.timeseries.TimeseriesQuery;
+import org.junit.Assert;
+import org.junit.Test;
+import java.util.Map;
+import java.util.Set;
+
+public class QueryBlocklistRuleTest
+{
+  @Test
+  public void testMatchAllCriteria_rejectsNullCriteria()
+  {
+    // Rule with all null criteria would block ALL queries - this should be 
rejected
+    Assert.assertThrows(
+        IllegalArgumentException.class,
+        () -> new QueryBlocklistRule("match-all", null, null, null)
+    );
+  }
+
+  @Test
+  public void testMatchAllCriteria_rejectsEmptyCollections()
+  {
+    // Rule with all empty collections should also be rejected (same as null)
+    Assert.assertThrows(
+        IllegalArgumentException.class,
+        () -> new QueryBlocklistRule("match-all", ImmutableSet.of(), 
ImmutableSet.of(), ImmutableMap.of())
+    );
+  }
+
+  @Test
+  public void testMatchByDataSource()
+  {
+    Set<String> dataSources = ImmutableSet.of("sensitive_data", "pii_table");
+    QueryBlocklistRule rule = new QueryBlocklistRule("block-sensitive", 
dataSources, null, null);
+
+    // Should match when datasource is in the list
+    TimeseriesQuery matchingQuery = Druids.newTimeseriesQueryBuilder()
+                                   .dataSource("sensitive_data")
+                                   .intervals("2020-01-01/2020-01-02")
+                                   .build();
+    Assert.assertTrue(rule.matches(matchingQuery));
+
+    // Should not match when datasource is not in the list
+    TimeseriesQuery nonMatchingQuery = Druids.newTimeseriesQueryBuilder()
+                                      .dataSource("safe_data")
+                                      .intervals("2020-01-01/2020-01-02")
+                                      .build();
+    Assert.assertFalse(rule.matches(nonMatchingQuery));
+  }
+
+  @Test
+  public void testMatchByContext()
+  {
+    Map<String, String> contextMatches = ImmutableMap.of("priority", "0", 
"application", "rogue-app");
+    QueryBlocklistRule rule = new QueryBlocklistRule("block-rogue-app", null, 
null, contextMatches);
+
+    // Should match when all context values match
+    TimeseriesQuery matchingQuery = Druids.newTimeseriesQueryBuilder()
+                                   .dataSource("test")
+                                   .intervals("2020-01-01/2020-01-02")
+                                   .context(ImmutableMap.of("priority", "0", 
"application", "rogue-app"))
+                                   .build();
+    Assert.assertTrue(rule.matches(matchingQuery));
+
+    // Should not match when context values don't match
+    TimeseriesQuery nonMatchingQuery = Druids.newTimeseriesQueryBuilder()
+                                      .dataSource("test")
+                                      .intervals("2020-01-01/2020-01-02")
+                                      .context(ImmutableMap.of("priority", 
"1", "application", "rogue-app"))
+                                      .build();
+    Assert.assertFalse(rule.matches(nonMatchingQuery));
+
+    // Should not match when context is missing
+    TimeseriesQuery noContextQuery = Druids.newTimeseriesQueryBuilder()
+                                    .dataSource("test")
+                                    .intervals("2020-01-01/2020-01-02")
+                                    .build();
+    Assert.assertFalse(rule.matches(noContextQuery));
+  }
+
+  @Test
+  public void testMatchByMultipleCriteria()
+  {
+    // Rule with multiple criteria - all must match (AND logic)
+    Set<String> dataSources = ImmutableSet.of("large_table");
+    Map<String, String> contextMatches = ImmutableMap.of("priority", "0");
+    QueryBlocklistRule rule = new QueryBlocklistRule(
+        "block-low-priority-large-table",
+        dataSources,
+        null,
+        contextMatches
+    );
+
+    // Should match when both datasource AND context match
+    TimeseriesQuery matchingQuery = Druids.newTimeseriesQueryBuilder()
+                                   .dataSource("large_table")
+                                   .intervals("2020-01-01/2020-01-02")
+                                   .context(ImmutableMap.of("priority", "0"))
+                                   .build();
+    Assert.assertTrue(rule.matches(matchingQuery));
+
+    // Should not match when only datasource matches
+    TimeseriesQuery onlyDataSourceMatches = Druids.newTimeseriesQueryBuilder()
+                                           .dataSource("large_table")
+                                           .intervals("2020-01-01/2020-01-02")
+                                           
.context(ImmutableMap.of("priority", "1"))
+                                           .build();
+    Assert.assertFalse(rule.matches(onlyDataSourceMatches));
+
+    // Should not match when only context matches
+    TimeseriesQuery onlyContextMatches = Druids.newTimeseriesQueryBuilder()
+                                        .dataSource("small_table")
+                                        .intervals("2020-01-01/2020-01-02")
+                                        .context(ImmutableMap.of("priority", 
"0"))
+                                        .build();
+    Assert.assertFalse(rule.matches(onlyContextMatches));
+  }
+
+  @Test
+  public void testWildcardBehavior_nullQueryTypes()
+  {
+    QueryBlocklistRule rule = new QueryBlocklistRule(
+        "block-datasource-all-types",
+        ImmutableSet.of("blocked_ds"),
+        null,  // null means match all query types
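Review bot: `testMatchByContext` only supplies String context values, while `matches()` in QueryBlocklistRule.java compares through `String.valueOf(contextValue)`, so the numeric form of a value such as `priority` is not pinned by any visible test. Adding a query built with `.context(ImmutableMap.of("priority", 0, "application", "rogue-app"))` and asserting that `rule.matches(...)` is true would lock in that a rule written with `"0"` also blocks the integer form. The hunk is cut inside `testWildcardBehavior_nullQueryTypes`, so a later test outside this view may already cover it.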

Review Comment:
   It might be worth specifying in the docs that `null` values in the other 2 
parameters will default to match all (`*`) behavior when evaluating.



##########
sql/src/test/java/org/apache/druid/sql/calcite/util/QueryFrameworkUtils.java:
##########
@@ -102,7 +102,8 @@ public static QueryLifecycleFactory 
createMockQueryLifecycleFactory(
         new AuthConfig(),
         NoopPolicyEnforcer.instance(),
         authorizerMapper,
-        Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of()))
+        Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of())),

Review Comment:
   nit: `ImmutableMap.of() -> Map.of()`



##########
server/src/test/java/org/apache/druid/server/QueryResourceTest.java:
##########
@@ -1400,7 +1411,8 @@ public Access authorize(AuthenticationResult 
authenticationResult, Resource reso
             new AuthConfig(),
             NoopPolicyEnforcer.instance(),
             authMapper,
-            Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of()))
+            Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of())),

Review Comment:
   same



##########
server/src/test/java/org/apache/druid/server/QueryResourceTest.java:
##########
@@ -1789,7 +1801,8 @@ public <T> QueryRunner<T> 
getQueryRunnerForSegments(Query<T> query, Iterable<Seg
             new AuthConfig(),
             NoopPolicyEnforcer.instance(),
             AuthTestUtils.TEST_AUTHORIZER_MAPPER,
-            Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of()))
+            Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of())),

Review Comment:
   same as below



##########
server/src/main/java/org/apache/druid/server/QueryBlocklistRule.java:
##########
@@ -0,0 +1,175 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.server;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
+import com.google.common.collect.Sets;
+import org.apache.druid.query.Query;
+
+import javax.annotation.Nullable;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+
+/**
+ * A rule for matching queries against blocklist criteria. A query matches 
this rule if ALL
+ * specified criteria match (AND logic). Null or empty criteria match 
everything.
+ */
+public class QueryBlocklistRule
+{
+  private final String ruleName;
+  @Nullable
+  private final Set<String> dataSources;
+  @Nullable
+  private final Set<String> queryTypes;
+  @Nullable
+  private final Map<String, String> contextMatches;
+
+  private final boolean hasDataSourceCriteria;
+  private final boolean hasQueryTypeCriteria;
+  private final boolean hasContextCriteria;
+
+  @JsonCreator
+  public QueryBlocklistRule(
+      @JsonProperty("ruleName") String ruleName,
+      @JsonProperty("dataSources") @Nullable Set<String> dataSources,
+      @JsonProperty("queryTypes") @Nullable Set<String> queryTypes,
+      @JsonProperty("contextMatches") @Nullable Map<String, String> 
contextMatches
+  )
+  {
+    Preconditions.checkArgument(
+        !Strings.isNullOrEmpty(ruleName),
+        "ruleName must not be null or empty"
+    );
+
+    // At least one criterion must be specified to prevent accidentally 
blocking all queries
+    this.hasDataSourceCriteria = dataSources != null && !dataSources.isEmpty();
+    this.hasQueryTypeCriteria = queryTypes != null && !queryTypes.isEmpty();
+    this.hasContextCriteria = contextMatches != null && 
!contextMatches.isEmpty();
+
+    Preconditions.checkArgument(
+        hasDataSourceCriteria || hasQueryTypeCriteria || hasContextCriteria,
+        "At least one criterion (dataSources, queryTypes, or contextMatches) 
must be specified. "
+        + "A rule with all null/empty criteria would block ALL queries."
+    );
+
+    this.ruleName = ruleName;
+    this.dataSources = dataSources;
+    this.queryTypes = queryTypes;
+    this.contextMatches = contextMatches;
+  }
+
+  @JsonProperty
+  public String getRuleName()
+  {
+    return ruleName;
+  }
+
+  @JsonProperty
+  @Nullable
+  public Set<String> getDataSources()
+  {
+    return dataSources;
+  }
+
+  @JsonProperty
+  @Nullable
+  public Set<String> getQueryTypes()
+  {
+    return queryTypes;
+  }
+
+  @JsonProperty
+  @Nullable
+  public Map<String, String> getContextMatches()
+  {
+    return contextMatches;
+  }
+
+  /**
+   * Returns true if the query matches ALL specified criteria (AND logic).
+   * Null or empty criteria match everything.
+   *
+   * @param query the query to check
+   * @return true if the query matches this rule, false otherwise
+   */
+  public boolean matches(Query<?> query)
+  {
+    if (hasDataSourceCriteria) {
+      Set<String> queryDatasources = query.getDataSource().getTableNames();
+      if (Sets.intersection(dataSources, queryDatasources).isEmpty()) {
+        return false;
+      }
+    }
+
+    if (hasQueryTypeCriteria) {
+      if (!queryTypes.contains(query.getType())) {
+        return false;
+      }
+    }
+
+    if (hasContextCriteria) {
+      for (Map.Entry<String, String> entry : contextMatches.entrySet()) {
+        Object contextValue = query.getContext().get(entry.getKey());
+        if (!entry.getValue().equals(String.valueOf(contextValue))) {
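Review bot: The constructor checks that `contextMatches` is non-empty but never checks its values, so a rule whose map carries a null value (which JSON such as `"contextMatches": {"priority": null}` would presumably produce) is accepted, and `entry.getValue().equals(...)` in `matches()` then throws at query time. Rejecting it at construction keeps a malformed rule from failing during evaluation: `Preconditions.checkArgument(contextMatches == null || contextMatches.values().stream().noneMatch(Objects::isNull), "contextMatches values must not be null");`. The three collections are also stored by reference while the `has*Criteria` flags are computed once, so taking immutable copies in the constructor would keep the flags and the stored criteria from drifting apart if a caller later mutates what it passed in. The class Javadoc could also state that query context arrives with the query itself, so a rule built only on `contextMatches` stops matching as soon as the client omits or changes that key. The body of `matches()` continues outside the hunk.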

Review Comment:
   Unless we're restricting the possible value set, this will NPE if the 
`contextValue` is `null`. While this isn't a typical context value, it's still 
valid context. I think we should be a bit more graceful and return a 200 or 403 
depending on how we want to handle a `null` contextValue (in other fields, 
we treat it as match-all, for example).


