This is an automated email from the ASF dual-hosted git repository.

exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new 40014486a4 NIFI-11492 Allow authorization to proceed based on request 
groups even if user does not exist
40014486a4 is described below

commit 40014486a408c2676afecad9d20b8c130a4bc8d1
Author: Bryan Bende <[email protected]>
AuthorDate: Thu Jun 22 12:08:00 2023 -0400

    NIFI-11492 Allow authorization to proceed based on request groups even if 
user does not exist
    
    This closes #7425
    
    Signed-off-by: David Handermann <[email protected]>
---
 .../authorization/StandardManagedAuthorizer.java   | 23 ++++++---
 .../StandardManagedAuthorizerTest.java             | 59 +++++++++++++++++++---
 2 files changed, 69 insertions(+), 13 deletions(-)

diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/main/java/org/apache/nifi/authorization/StandardManagedAuthorizer.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/main/java/org/apache/nifi/authorization/StandardManagedAuthorizer.java
index d115794fd7..09277642cd 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/main/java/org/apache/nifi/authorization/StandardManagedAuthorizer.java
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/main/java/org/apache/nifi/authorization/StandardManagedAuthorizer.java
@@ -87,11 +87,6 @@ public class StandardManagedAuthorizer implements 
ManagedAuthorizer {
 
         final UserAndGroups userAndGroups = 
userGroupProvider.getUserAndGroups(request.getIdentity());
 
-        final User user = userAndGroups.getUser();
-        if (user == null) {
-            return AuthorizationResult.denied(String.format("Unknown user with 
identity '%s'.", request.getIdentity()));
-        }
-
         // combine groups from incoming request with groups from UserAndGroups 
because the request may contain groups from
         // an external identity provider and the membership may not be 
maintained with in any of the UserGroupProviders
 
@@ -100,9 +95,9 @@ public class StandardManagedAuthorizer implements 
ManagedAuthorizer {
 
         final Set<Group> allGroups = new HashSet<>();
         allGroups.addAll(userGroups == null ? Collections.emptySet() : 
userGroups);
-        allGroups.addAll(requestGroups == null ? Collections.emptySet() : 
requestGroups);
+        allGroups.addAll(requestGroups);
 
-        if (policy.getUsers().contains(user.getIdentifier()) || 
containsGroup(allGroups, policy)) {
+        if (containsUser(userAndGroups.getUser(), policy) || 
containsGroup(allGroups, policy)) {
             return AuthorizationResult.approved();
         }
 
@@ -147,6 +142,20 @@ public class StandardManagedAuthorizer implements 
ManagedAuthorizer {
         return false;
     }
 
+    /**
+     * Determines if the policy contains the user's identifier.
+     *
+     * @param user the user
+     * @param policy the policy
+     * @return true if the user is non-null and the user's identifies is 
contained in the policy's users
+     */
+    private boolean containsUser(final User user, final AccessPolicy policy) {
+        if (user == null || policy.getUsers().isEmpty()) {
+            return false;
+        }
+        return policy.getUsers().contains(user.getIdentifier());
+    }
+
     @Override
     public String getFingerprint() throws AuthorizationAccessException {
         XMLStreamWriter writer = null;
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/test/java/org/apache/nifi/authorization/StandardManagedAuthorizerTest.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/test/java/org/apache/nifi/authorization/StandardManagedAuthorizerTest.java
index ac419ddd6a..d3a6855881 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/test/java/org/apache/nifi/authorization/StandardManagedAuthorizerTest.java
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/test/java/org/apache/nifi/authorization/StandardManagedAuthorizerTest.java
@@ -366,6 +366,59 @@ public class StandardManagedAuthorizerTest {
         assertEquals(AuthorizationResult.approved(), 
managedAuthorizer.authorize(request));
     }
 
+    @Test
+    public void 
testAuthorizationByRequestGroupsAndUserNotInUserGroupProvider() {
+        final String userIdentity = "userIdentity1";
+        final String groupIdentifier = "groupIdentifier1";
+
+        // group membership will come from the groups on the request
+        final Group group = new Group.Builder()
+                .identifier(groupIdentifier)
+                .name(groupIdentifier)
+                .build();
+
+        final AccessPolicy policy = new AccessPolicy.Builder()
+                .identifier("1")
+                .resource(TEST_RESOURCE.getIdentifier())
+                .addGroup(groupIdentifier)
+                .action(RequestAction.READ)
+                .build();
+
+        final ConfigurableUserGroupProvider userGroupProvider = 
mock(ConfigurableUserGroupProvider.class);
+        when(userGroupProvider.getUserAndGroups(userIdentity)).thenReturn(new 
UserAndGroups() {
+            // user does not exist in UGP
+            @Override
+            public User getUser() {
+                return null;
+            }
+
+            // no groups for the user in the UGP, groups come from request
+            @Override
+            public Set<Group> getGroups() {
+                return Collections.emptySet();
+            }
+        });
+
+        final ConfigurableAccessPolicyProvider accessPolicyProvider = 
mock(ConfigurableAccessPolicyProvider.class);
+        
when(accessPolicyProvider.getAccessPolicy(TEST_RESOURCE.getIdentifier(), 
RequestAction.READ)).thenReturn(policy);
+        
when(accessPolicyProvider.getUserGroupProvider()).thenReturn(userGroupProvider);
+        
when(userGroupProvider.getGroupByName(group.getName())).thenReturn(group);
+
+        // simulate groups being passed in on request from NiFiUser 
getAllGroups()
+        final AuthorizationRequest request = new AuthorizationRequest.Builder()
+                .identity(userIdentity)
+                .groups(Collections.singleton(group.getName()))
+                .resource(TEST_RESOURCE)
+                .action(RequestAction.READ)
+                .accessAttempt(true)
+                .anonymous(false)
+                .build();
+
+        final StandardManagedAuthorizer managedAuthorizer = 
getStandardManagedAuthorizer(accessPolicyProvider);
+        assertEquals(AuthorizationResult.approved(), 
managedAuthorizer.authorize(request));
+    }
+
+
     @Test
     public void testResourceNotFound() {
         final String userIdentity = "userIdentity1";
@@ -391,14 +444,8 @@ public class StandardManagedAuthorizerTest {
     @Test
     public void testUnauthorizedDueToUnknownUser() {
         final String userIdentifier = "userIdentifier1";
-        final String userIdentity = "userIdentity1";
         final String notUser1Identity = "not userIdentity1";
 
-        final User user = new User.Builder()
-                .identity(userIdentity)
-                .identifier(userIdentifier)
-                .build();
-
         final AccessPolicy policy = new AccessPolicy.Builder()
                 .identifier("1")
                 .resource(TEST_RESOURCE.getIdentifier())

Reply via email to