This is an automated email from the ASF dual-hosted git repository. jiangmaolin pushed a commit to branch dev-5.5.1 in repository https://gitbox.apache.org/repos/asf/shardingsphere.git
commit 1e156c916dae99873b30de95083eba74e6ffc14e Author: weisong <[email protected]> AuthorDate: Fri Oct 18 19:00:57 2024 +0800 Fix: verify if the user has the role when revoke --- .../definition/UserNotHaveRoleException.java | 32 ++++++++++++++++++++++ .../checker/AuthorityStatementExecutorChecker.java | 8 ++++++ .../update/RevokeDistPrivilegesExecutor.java | 15 ++++++++++ .../DefaultLoggingRuleConfigurationBuilder.java | 5 +--- 4 files changed, 56 insertions(+), 4 deletions(-)
diff --git a/kernel/authority/core/src/main/java/com/sphereex/dbplusengine/authority/exception/definition/UserNotHaveRoleException.java b/kernel/authority/core/src/main/java/com/sphereex/dbplusengine/authority/exception/definition/UserNotHaveRoleException.java
new file mode 100644
index 00000000000..b35c81f5e3f
--- /dev/null
+++ b/kernel/authority/core/src/main/java/com/sphereex/dbplusengine/authority/exception/definition/UserNotHaveRoleException.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.sphereex.dbplusengine.authority.exception.definition;
+
+import org.apache.shardingsphere.infra.exception.core.external.sql.sqlstate.XOpenSQLState;
+
+/**
+ * User not have role exception.
+ */
+public final class UserNotHaveRoleException extends AuthorityDefinitionException {
+
+ private static final long serialVersionUID = -6014906158048281870L;
+
+ public UserNotHaveRoleException(final String roleName) {
+ super(XOpenSQLState.NOT_FOUND, 2, "user does not have '%s' role.", roleName);
+ }
+}
diff --git a/kernel/authority/distsql/handler/src/main/java/com/sphereex/dbplusengine/authority/distsql/handler/checker/AuthorityStatementExecutorChecker.java b/kernel/authority/distsql/handler/src/main/java/com/sphereex/dbplusengine/authority/distsql/handler/checker/AuthorityStatementExecutorChecker.java
index f2560371080..1543b4f8408 100644
--- a/kernel/authority/distsql/handler/src/main/java/com/sphereex/dbplusengine/authority/distsql/handler/checker/AuthorityStatementExecutorChecker.java
+++ b/kernel/authority/distsql/handler/src/main/java/com/sphereex/dbplusengine/authority/distsql/handler/checker/AuthorityStatementExecutorChecker.java
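Review bot: The constructor of UserNotHaveRoleException takes only the role name, so the message `user does not have '%s' role.` cannot say which user failed the check when a single REVOKE statement names several users. Assuming the parent constructor accepts format arguments the way this call suggests, the user name could be passed too, e.g. `super(XOpenSQLState.NOT_FOUND, 2, "User '%s' does not have role '%s'.", userName, roleName);`, with the caller in AuthorityStatementExecutorChecker updated to match. The vendor code `2` is a bare literal; the sibling AuthorityDefinitionException subclasses are not visible in this patch, so it is worth confirming that no other exception in the family already uses it.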
@@ -23,6 +23,7 @@ import com.sphereex.dbplusengine.authority.distsql.segment.privilege.DistRoleOrP
 import com.sphereex.dbplusengine.authority.distsql.segment.privilege.DistSQLPrivilegeSegment;
 import com.sphereex.dbplusengine.authority.exception.definition.MissingRequiredRoleException;
 import com.sphereex.dbplusengine.authority.exception.definition.MissingRequiredUserOrRoleException;
+import com.sphereex.dbplusengine.authority.exception.definition.UserNotHaveRoleException;
 import com.sphereex.dbplusengine.authority.model.subject.ACLSubject;
 import com.sphereex.dbplusengine.authority.model.subject.GranteeSubject;
 import com.sphereex.dbplusengine.authority.model.subject.RoleSubject;
@@ -112,4 +113,11 @@ public final class AuthorityStatementExecutorChecker {
 .filter(each -> !aclObjects.contains(each.toUpperCase())).collect(Collectors.toSet());
 ShardingSpherePreconditions.checkMustEmpty(invalidDistPrivileges, () -> new UnsupportedOperationException(String.format("Unsupported privileges type %s", invalidDistPrivileges)));
 }
+
+ public static void checkUserHaveRole(final Collection<RoleSubject> userRoles, final Collection<RoleSubject> revokeRoles) {
+ revokeRoles.forEach(each -> {
+ ShardingSpherePreconditions.checkState(userRoles.contains(each),
+ () -> new UserNotHaveRoleException(each.getRoleName()));
+ });
+ }
 }
diff --git a/kernel/authority/distsql/handler/src/main/java/com/sphereex/dbplusengine/authority/distsql/handler/update/RevokeDistPrivilegesExecutor.java b/kernel/authority/distsql/handler/src/main/java/com/sphereex/dbplusengine/authority/distsql/handler/update/RevokeDistPrivilegesExecutor.java
index 19f9802c710..e45ebe5c8d3 100644
--- a/kernel/authority/distsql/handler/src/main/java/com/sphereex/dbplusengine/authority/distsql/handler/update/RevokeDistPrivilegesExecutor.java
+++ b/kernel/authority/distsql/handler/src/main/java/com/sphereex/dbplusengine/authority/distsql/handler/update/RevokeDistPrivilegesExecutor.java
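Review bot: `checkUserHaveRole` in AuthorityStatementExecutorChecker decides membership with `userRoles.contains(each)`, which depends entirely on how RoleSubject implements equals/hashCode, and that class is not part of this patch. The privilege check in the context lines just above normalises names with `toUpperCase()` before comparing; if role names are meant to be case-insensitive in the same way and RoleSubject compares them exactly, a REVOKE that spells the role in a different case would be rejected with UserNotHaveRoleException even though the user holds it. The new public static method also has no Javadoc; a short one stating that it raises UserNotHaveRoleException for a role in `revokeRoles` that is absent from `userRoles` would document the contract. Its name differs from the caller's `checkUserHasRole`, so one spelling should be chosen for both.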
@@ -62,6 +62,7 @@ public final class RevokeDistPrivilegesExecutor implements GlobalRuleDefinitionE public void checkBeforeUpdate(final RevokeDistPrivilegesStatement sqlStatement) { AuthorityStatementExecutorChecker.checkProvider(rule.getConfiguration(), sqlStatement); checkACLObjectExisted(sqlStatement); + checkUserHasRole(sqlStatement); } private void checkACLObjectExisted(final RevokeDistPrivilegesStatement sqlStatement) { @@ -72,6 +73,20 @@ public final class RevokeDistPrivilegesExecutor implements GlobalRuleDefinitionE AuthorityStatementExecutorChecker.checkUsersOrRolesExist(sqlStatement.getUsers(), rule.getConfiguration()); } + private void checkUserHasRole(final RevokeDistPrivilegesStatement sqlStatement) { + if (sqlStatement.getRoleOrPrivileges().stream().noneMatch(each -> each instanceof DistRoleSegment)) { + return; + } + Collection<RoleSubject> revokeRoles = sqlStatement.getRoleOrPrivileges().stream() + .map(each -> new RoleSubject(((DistRoleSegment) each).getRole())) + .collect(Collectors.toList()); + Map<String, Collection<RoleSubject>> userRoles = rule.getConfiguration().getSubject().getUserRoles().entrySet().stream() + .collect(Collectors.toMap(entry -> entry.getKey().getGrantee().getUsername(), Map.Entry::getValue)); + sqlStatement.getUsers().forEach(each -> { + AuthorityStatementExecutorChecker.checkUserHaveRole(userRoles.getOrDefault(each.getUser(), Collections.emptySet()), revokeRoles); + }); + } + private void checkSQLStatementByRole(final RevokeDistPrivilegesStatement sqlStatement) { Collection<RoleSubject> roles = sqlStatement.getRoleOrPrivileges().stream() .filter(each -> each instanceof DistRoleSegment).map(each -> new RoleSubject(((DistRoleSegment) each).getRole())).collect(Collectors.toSet()); 
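Review bot: In `checkUserHasRole` the early return only covers statements with no DistRoleSegment at all; when a statement mixes role and privilege segments, the `.map(each -> new RoleSubject(((DistRoleSegment) each).getRole()))` stream casts every element and would throw ClassCastException on the first non-role segment. `checkSQLStatementByRole`, visible just below, filters first, and the same `.filter(each -> each instanceof DistRoleSegment)` should precede the `.map(...)` here (whether the grammar permits such a mix is not visible in this patch). Separately, `userRoles` is re-keyed by `getGrantee().getUsername()` alone: if grantees are distinguished by anything beyond the user name, such as a host part, two entries sharing a name make `Collectors.toMap` throw IllegalStateException, and the membership check may be evaluated against a different grantee's roles than the one the statement targets. Keying the lookup on the full grantee identity avoids both problems.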
diff --git a/kernel/logging/core/src/main/java/org/apache/shardingsphere/logging/rule/builder/DefaultLoggingRuleConfigurationBuilder.java b/kernel/logging/core/src/main/java/org/apache/shardingsphere/logging/rule/builder/DefaultLoggingRuleConfigurationBuilder.java index aeefff50023..107bb0dcb4c 100644 --- a/kernel/logging/core/src/main/java/org/apache/shardingsphere/logging/rule/builder/DefaultLoggingRuleConfigurationBuilder.java +++ b/kernel/logging/core/src/main/java/org/apache/shardingsphere/logging/rule/builder/DefaultLoggingRuleConfigurationBuilder.java @@ -35,10 +35,7 @@ public final class DefaultLoggingRuleConfigurationBuilder implements DefaultGlob @SuppressWarnings("unchecked") @Override public LoggingRuleConfiguration build() { - ILoggerFactory loggerFactory = LoggerFactory.getILoggerFactory(); - return TypedSPILoader.findService(ShardingSphereLogBuilder.class, loggerFactory.getClass()) - .map(optional -> new LoggingRuleConfiguration(optional.getDefaultLoggers(loggerFactory), optional.getDefaultAppenders(loggerFactory))) - .orElseGet(() -> new LoggingRuleConfiguration(Collections.emptyList(), Collections.emptySet())); + return new LoggingRuleConfiguration(Collections.emptyList(), Collections.emptySet()); } @Override
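Review bot: `build()` now always returns an empty LoggingRuleConfiguration, dropping the default loggers and appenders that were previously discovered through `TypedSPILoader.findService(ShardingSphereLogBuilder.class, ...)`, and the commit title ("Fix: verify if the user has the role when revoke") gives no reason for a logging default to change in an authority fix. If the change is intended it belongs in its own commit, or at least needs a sentence in the message, because a change to the default log configuration may affect what gets recorded for statements such as the REVOKE handled elsewhere in this patch. The diffstat shows this hunk is the only change to the file (1 insertion, 4 deletions), so the imports of ILoggerFactory, LoggerFactory, TypedSPILoader and ShardingSphereLogBuilder are probably left unused, and `@SuppressWarnings("unchecked")` on the method no longer appears to suppress anything; both should be cleaned up. The class body continues past the trailing `@Override`.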
