ranger git commit: RANGER-2247: RangerRANGER-2247 Ranger Plugin for HDFS throws StringIndexOutOfBounds exception when policy resource is \

abhay Wed, 17 Oct 2018 14:55:40 -0700

Repository: ranger
Updated Branches:
  refs/heads/master e20e7f4ca -> 70efa6810



RANGER-2247:
RangerRANGER-2247
Ranger Plugin for HDFS throws StringIndexOutOfBounds exception when policy 
resource is \


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/70efa681
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/70efa681
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/70efa681

Branch: refs/heads/master
Commit: 70efa6810d5880184578b54a205b62a1349f426b
Parents: e20e7f4
Author: Abhay Kulkarni <[email protected]>
Authored: Wed Oct 17 14:54:33 2018 -0700
Committer: Abhay Kulkarni <[email protected]>
Committed: Wed Oct 17 14:54:33 2018 -0700

----------------------------------------------------------------------
 .../resourcematcher/RangerPathResourceMatcher.java  |  4 ++--
 .../ranger/plugin/util/StringTokenReplacer.java     | 16 +++++++++++++++-
 .../policyengine/test_policyengine_hdfs.json        |  6 ++++++
 .../test_resourcematcher_dynamic.json               |  2 +-
 ...est_resourcematcher_wildcards_as_delimiters.json |  2 +-
 5 files changed, 25 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index 78a3b8a..9cf31a2 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -227,8 +227,8 @@ abstract class RecursiveMatcher extends ResourceMatcher {
        }
 
        String getStringToCompare(String policyValue) {
-               if (policyValue == null) {
-                       return null;
+               if (StringUtils.isEmpty(policyValue)) {
+                       return policyValue;
                }
                return (policyValue.lastIndexOf(levelSeparatorChar) == 
policyValue.length()-1) ?
                        policyValue.substring(0, policyValue.length()-1) : 
policyValue;

http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
index ace04d6..2d09d44 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
@@ -50,11 +50,25 @@ public class StringTokenReplacer {
                 i++;
                 if(i < value.length()) {
                     c = value.charAt(i);
-                    if(token != null) {
+                    if (token != null) {
+                        // if next char is not the escape char or endChar, 
retain the escapeChar
+                        if (c != escapeChar && c != endChar) {
+                            token.append(escapeChar);
+                        }
                         token.append(c);
                     } else {
+                        // if next char is not the escape char or startChar, 
retain the escapeChar
+                        if (c != escapeChar && c != startChar) {
+                            ret.append(escapeChar);
+                        }
                         ret.append(c);
                     }
+                } else {
+                    if (token != null) {
+                        token.append(escapeChar);
+                    } else {
+                        ret.append(escapeChar);
+                    }
                 }
                 continue;
             }

http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json 
b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index ea167f4..3833ba1 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -60,6 +60,12 @@
            "values":["var country_code = 
ctx.getRequestContextAttribute('LOCATION_TEST_COUNTRY_CODE'); ctx.result = 
!!country_code;"]
          }]}
      ]
+    },
+    {"id":4,"name":"invalid policy with a single 
backslash","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"path":{"values":["\\"],"isRecursive":true}},
+      "policyItems":[
+        
{"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+      ]
     }
   ],
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
----------------------------------------------------------------------
diff --git 
a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
 
b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
index db19f76..6a2119d 100644
--- 
a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
+++ 
b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
@@ -25,7 +25,7 @@
                          ,
                          { "name":"exact-path","input":"/abc@%xyz@w", 
"evalContext": {"token:somestuff": "somethingelse"}, "result":false}
                          ,
-                         { "name":"exact-path","input":"/abc%xyzw", 
"evalContext": {"token:somestuff": "somethingelse"}, "result":true}
+                         { "name":"exact-path","input":"/abc%xyz@w", 
"evalContext": {"token:somestuff": "somethingelse"}, "result":true}
                          ,
                          { "name":"exact-path","input":"/abcabcdw", 
"evalContext": {"token:somestuff": "somethingelse", "xyz":"abcd"}, 
"result":false}
                          ,

http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
----------------------------------------------------------------------
diff --git 
a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
 
b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
index 8e791d6..c1432d0 100644
--- 
a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
+++ 
b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
@@ -23,7 +23,7 @@
                          ,
                          { "name":"exact-path","input":"/xyzsomethingelsez", 
"evalContext": {"token:somestuff": "somethingelse"}, "result":true}
                          ,
-                         { "name":"exact-path","input":"/abc*xyzw", 
"evalContext": {"token:somestuff": "somethingelse"}, "result":true}
+                         { "name":"exact-path","input":"/abc*xyz@w", 
"evalContext": {"token:somestuff": "somethingelse"}, "result":true}
                  ]
          }
   ]

ranger git commit: RANGER-2247: RangerRANGER-2247 Ranger Plugin for HDFS throws StringIndexOutOfBounds exception when policy resource is \

Reply via email to