This is an automated email from the ASF dual-hosted git repository.

nnag pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/geode.git


The following commit(s) were added to refs/heads/develop by this push:
     new 967b9db  GEODE-4744: Allow java.util.Map#get in OQL when security is 
enabled
967b9db is described below

commit 967b9dba0576b43a00280528e0ff4a53eb1d1bf3
Author: masaki.yamakawa <[email protected]>
AuthorDate: Sat Feb 24 22:07:15 2018 +0900

    GEODE-4744: Allow java.util.Map#get in OQL when security is enabled
---
 .../RestrictedMethodInvocationAuthorizer.java      | 11 +-------
 .../RestrictedMethodInvocationAuthorizerTest.java  | 10 +++++--
 .../QuerySecurityAllowedQueriesDUnitTest.java      | 32 ++++++++++++++++++++++
 .../geode/security/query/data/QueryTestObject.java |  3 ++
 4 files changed, 43 insertions(+), 13 deletions(-)

diff --git 
a/geode-core/src/main/java/org/apache/geode/cache/query/internal/RestrictedMethodInvocationAuthorizer.java
 
b/geode-core/src/main/java/org/apache/geode/cache/query/internal/RestrictedMethodInvocationAuthorizer.java
index b62b92d..254c817 100644
--- 
a/geode-core/src/main/java/org/apache/geode/cache/query/internal/RestrictedMethodInvocationAuthorizer.java
+++ 
b/geode-core/src/main/java/org/apache/geode/cache/query/internal/RestrictedMethodInvocationAuthorizer.java
@@ -14,25 +14,15 @@
  */
 package org.apache.geode.cache.query.internal;
 
-import java.lang.reflect.Member;
 import java.lang.reflect.Method;
-import java.math.BigDecimal;
-import java.math.BigInteger;
-import java.sql.Timestamp;
 import java.util.Collection;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
-import java.util.concurrent.atomic.AtomicInteger;
-import java.util.concurrent.atomic.AtomicLong;
 
 import org.apache.geode.cache.Region;
-import org.apache.geode.cache.query.internal.index.DummyQRegion;
-import org.apache.geode.internal.cache.EntrySnapshot;
-import org.apache.geode.internal.cache.LocalRegion;
-import org.apache.geode.internal.cache.PartitionedRegion;
 import org.apache.geode.internal.security.SecurityService;
 import org.apache.geode.security.NotAuthorizedException;
 import org.apache.geode.security.ResourcePermission;
@@ -76,6 +66,7 @@ public class RestrictedMethodInvocationAuthorizer implements 
MethodInvocationAut
     Set<Class> mapCallers = new HashSet();
     mapCallers.add(Collection.class);
     mapCallers.add(Map.class);
+    whiteListMap.put("get", mapCallers);
     whiteListMap.put("entrySet", mapCallers);
     whiteListMap.put("keySet", mapCallers);
     whiteListMap.put("values", mapCallers);
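Review bot: The new `whiteListMap.put("get", mapCallers);` entry is broader than the commit title's `java.util.Map#get`, because it is keyed on the bare method name and reuses the set that also holds `Collection.class`. If the lookup matches on name plus assignability of the declaring class (the lookup code is outside this hunk, so please confirm), it would also admit `List#get(int)` and any other overload named `get` on a `Map` or `Collection` implementation, including region types. If only `Map#get` is intended, give the entry its own caller set: `Set<Class> mapGetCallers = new HashSet(); mapGetCallers.add(Map.class); whiteListMap.put("get", mapGetCallers);`. Otherwise add a comment beside the entry stating that the wider set is deliberate and why it is safe for region targets.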
diff --git 
a/geode-core/src/test/java/org/apache/geode/cache/query/internal/RestrictedMethodInvocationAuthorizerTest.java
 
b/geode-core/src/test/java/org/apache/geode/cache/query/internal/RestrictedMethodInvocationAuthorizerTest.java
index 3169a23..0f5e589 100644
--- 
a/geode-core/src/test/java/org/apache/geode/cache/query/internal/RestrictedMethodInvocationAuthorizerTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/cache/query/internal/RestrictedMethodInvocationAuthorizerTest.java
@@ -425,11 +425,13 @@ public class RestrictedMethodInvocationAuthorizerTest {
 
   @Test
   public void mapMethodsForPartitionedRegionAreWhiteListed() throws Exception {
-    Class clazz = PartitionedRegion.class;
+    Class<PartitionedRegion> clazz = PartitionedRegion.class;
+    Method get = clazz.getMethod("get", Object.class);
     Method entrySet = clazz.getMethod("entrySet");
     Method keySet = clazz.getMethod("keySet");
     Method values = clazz.getMethod("values");
     Method containsKey = clazz.getMethod("containsKey", Object.class);
+    assertTrue(methodInvocationAuthorizer.isWhitelisted(get));
     assertTrue(methodInvocationAuthorizer.isWhitelisted(entrySet));
     assertTrue(methodInvocationAuthorizer.isWhitelisted(keySet));
     assertTrue(methodInvocationAuthorizer.isWhitelisted(values));
@@ -481,7 +483,7 @@ public class RestrictedMethodInvocationAuthorizerTest {
     testNumberMethods(AtomicLong.class);
   }
 
-  private void testNumberMethods(Class clazz) throws NoSuchMethodException {
+  private void testNumberMethods(Class<?> clazz) throws NoSuchMethodException {
     Method byteValue = clazz.getMethod("byteValue");
     Method doubleValue = clazz.getMethod("doubleValue");
     Method intValue = clazz.getMethod("intValue");
@@ -496,13 +498,15 @@ public class RestrictedMethodInvocationAuthorizerTest {
     assertTrue(methodInvocationAuthorizer.isWhitelisted(shortValue));
   }
 
-  private void testMapMethods(Class clazz) throws NoSuchMethodException {
+  private void testMapMethods(Class<?> clazz) throws NoSuchMethodException {
+    Method get = clazz.getMethod("get", Object.class);
     Method entrySet = clazz.getMethod("entrySet");
     Method keySet = clazz.getMethod("keySet");
     Method values = clazz.getMethod("values");
     Method getEntries = clazz.getMethod("getEntries");
     Method getValues = clazz.getMethod("getValues");
     Method containsKey = clazz.getMethod("containsKey", Object.class);
+    assertTrue(methodInvocationAuthorizer.isWhitelisted(get));
     assertTrue(methodInvocationAuthorizer.isWhitelisted(entrySet));
     assertTrue(methodInvocationAuthorizer.isWhitelisted(keySet));
     assertTrue(methodInvocationAuthorizer.isWhitelisted(values));
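Review bot: The assertions added here in `testMapMethods`, and in `mapMethodsForPartitionedRegionAreWhiteListed` in the hunk at `@@ -425,11 +425,13 @@`, only cover the positive case for `get(Object)`. Nothing visible pins which `get` methods must stay rejected, so a later widening of the whitelist would go unnoticed. A negative assertion on a type that is neither a `Map` nor a `Collection` would lock the boundary in, for example `assertFalse(methodInvocationAuthorizer.isWhitelisted(AtomicLong.class.getMethod("get")));`, provided that matches the intended policy. An explicit assertion for a multi-argument `get` overload on a region class, allowed or denied, would also document the decision. The body of `testMapMethods` continues outside this hunk, so some of this may already be covered there.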
diff --git 
a/geode-core/src/test/java/org/apache/geode/security/query/QuerySecurityAllowedQueriesDUnitTest.java
 
b/geode-core/src/test/java/org/apache/geode/security/query/QuerySecurityAllowedQueriesDUnitTest.java
index 318086e..d2529c9 100644
--- 
a/geode-core/src/test/java/org/apache/geode/security/query/QuerySecurityAllowedQueriesDUnitTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/security/query/QuerySecurityAllowedQueriesDUnitTest.java
@@ -15,7 +15,9 @@
 package org.apache.geode.security.query;
 
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 import org.junit.Before;
 import org.junit.Test;
@@ -252,4 +254,34 @@ public class QuerySecurityAllowedQueriesDUnitTest extends 
QuerySecurityBase {
         Arrays.asList(values));
   }
 
+  @Test
+  public void checkUserAuthorizationsForSelectByMapFieldQuery() {
+    QueryTestObject valueObject1 = new QueryTestObject(1, "John");
+    Map<Object, Object> map1 = new HashMap<>();
+    map1.put("intData", 1);
+    map1.put(1, 98);
+    map1.put("strData1", "ABC");
+    map1.put("strData2", "ZZZ");
+    valueObject1.mapField = map1;
+    QueryTestObject valueObject2 = new QueryTestObject(3, "Beth");
+    Map<Object, Object> map2 = new HashMap<>();
+    map2.put("intData", 99);
+    map2.put(1, 99);
+    map2.put("strData1", "XYZ");
+    map2.put("strData2", "ZZZ");
+    valueObject2.mapField = map2;
+    values = new Object[] {valueObject1, valueObject2};
+    putIntoRegion(superUserClient, keys, values, regionName);
+
+    String query1 = String.format(
+        "SELECT * FROM /%s WHERE mapField.get('intData') = 1 AND 
mapField.get(1) = 98 AND mapField.get('strData1') = 'ABC' AND 
mapField.get('strData2') = 'ZZZ'",
+        regionName);
+    executeQueryWithCheckForAccessPermissions(specificUserClient, query1, 
regionName,
+        Arrays.asList(new Object[] {valueObject1}));
+
+    String query2 =
+        String.format("SELECT * FROM /%s WHERE mapField.get('strData2') = 
'ZZZ'", regionName);
+    executeQueryWithCheckForAccessPermissions(specificUserClient, query2, 
regionName,
+        Arrays.asList(values));
+  }
 }
diff --git 
a/geode-core/src/test/java/org/apache/geode/security/query/data/QueryTestObject.java
 
b/geode-core/src/test/java/org/apache/geode/security/query/data/QueryTestObject.java
index 70b535d..46a2bf9 100644
--- 
a/geode-core/src/test/java/org/apache/geode/security/query/data/QueryTestObject.java
+++ 
b/geode-core/src/test/java/org/apache/geode/security/query/data/QueryTestObject.java
@@ -18,6 +18,7 @@ import java.io.Serializable;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
+import java.util.Map;
 
 public class QueryTestObject implements Serializable {
   public int id = -1;
@@ -26,6 +27,8 @@ public class QueryTestObject implements Serializable {
 
   public Date dateField;
 
+  public Map<Object, Object> mapField;
+
   public QueryTestObject(int id, String name) {
     this.id = id;
     this.name = name;

-- 