Re: [PR] auth: Refactor `AuthorizationRequest` Into Explicit Shapes [polaris]

Mon, 01 Jun 2026 13:03:34 -0700 


dimas-b commented on code in PR #4409:
URL: https://github.com/apache/polaris/pull/4409#discussion_r3336822033


##########
polaris-core/src/test/java/org/apache/polaris/core/auth/PolarisAuthorizerImplTest.java:
##########
@@ -205,19 +206,142 @@ void authorizeResolvesNamespaceTargetUsingCatalog() {
         .getResolvedPath(ResolvedPathKey.of(List.of("ns"), 
PolarisEntityType.NAMESPACE), true);
     verify(authorizer)
         .authorizeOrThrow(
-            eq(request.getPrincipal()),
+            eq(principal),
             eq(Set.of()),
             eq(PolarisAuthorizableOperation.LIST_NAMESPACES),
             eq(List.of(namespaceWrapper)),
             eq(null));
   }
 
+  @Test
+  void authorizeSingleOperationMultiIntentRequestEvaluatesSequentially() {
+    PolarisAuthorizerImpl authorizer = spy(new 
PolarisAuthorizerImpl(mock(RealmConfig.class)));
+    AuthorizationState authzState = new AuthorizationState();
+    PolarisResolutionManifest manifest = mock(PolarisResolutionManifest.class);
+    PolarisResolvedPathWrapper firstCatalogWrapper = 
mock(PolarisResolvedPathWrapper.class);
+    PolarisResolvedPathWrapper secondCatalogWrapper = 
mock(PolarisResolvedPathWrapper.class);
+    PolarisPrincipal principal = PolarisPrincipal.of("alice", Map.of(), 
Set.of("role"));
+
+    authzState.setResolutionManifest(manifest);
+    when(manifest.getResolvedTopLevelEntity("catalog1", 
PolarisEntityType.CATALOG))
+        .thenReturn(firstCatalogWrapper);
+    when(manifest.getResolvedTopLevelEntity("catalog2", 
PolarisEntityType.CATALOG))
+        .thenReturn(secondCatalogWrapper);
+    
when(manifest.getAllActivatedCatalogRoleAndPrincipalRoles()).thenReturn(Set.of());
+    doNothing()
+        .when(authorizer)
+        .authorizeOrThrow(
+            any(PolarisPrincipal.class),
+            ArgumentMatchers.any(),
+            eq(PolarisAuthorizableOperation.GET_CATALOG),
+            ArgumentMatchers.any(),
+            ArgumentMatchers.<List<PolarisResolvedPathWrapper>>any());
+
+    AuthorizationDecision decision =
+        authorizer.authorize(
+            authzState,
+            new AuthorizationRequest(
+                principal,
+                List.of(
+                    new SingleTargetAuthorizationIntent(
+                        PolarisAuthorizableOperation.GET_CATALOG,
+                        PolarisSecurable.of(
+                            new PathSegment(PolarisEntityType.CATALOG, 
"catalog1"))),
+                    new SingleTargetAuthorizationIntent(
+                        PolarisAuthorizableOperation.GET_CATALOG,
+                        PolarisSecurable.of(
+                            new PathSegment(PolarisEntityType.CATALOG, 
"catalog2"))))));
+
+    assertThat(decision.isAllowed()).isTrue();
+    verify(authorizer, times(1))

Review Comment:
   How about renaming the test method to 
`authorizeSingleOperationIntentsEvaluateIndividually`?
   
   I do not feel too strongly about this, though :)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to