Hi,
I think this is a GeoFence bug, but would need confirmation.

RuleLimits are not being respected, as far as I can see.
For example, if I want to create a Rule stating a given user or role
can see all layers but within a given area, my understanding is
a Rule with Access Type = LIMIT, and an allowed area WKT would do,
but that's just not being applied.

Digging into it, it looks like RuleReaderServiceImpl's
resolveRuleset(List<Rule> ruleList)
<https://github.com/geoserver/geofence/blob/cdaee4ac2cc7a3f6dc692a2dec282f6667a4031e/src/services/core/services-impl/src/main/java/org/geoserver/geofence/services/RuleReaderServiceImpl.java#L303-L343>
does nothing when a Rule has RuleLimits, boiling down to

    private AccessInfoInternal resolveRuleset(List<Rule> ruleList) {
        List<RuleLimits> limits = new ArrayList<>();
        AccessInfoInternal ret = null;
        for (Rule rule : ruleList) {
            if(ret != null)
                break;
            switch(rule.getAccess()) {
                case LIMIT:
                    RuleLimits rl = rule.getRuleLimits();
                    if(rl != null)
                        limits.add(rl);
                    break;
                ....
            }
        }
        return ret;
    }

That is, it adds the RuleLimits to the limits list, and then just returns null.

Additionally, the following makes it build an AccessInfoInternal only for
the first Rule in the ruleList:

    for (Rule rule : ruleList) {
        if(ret != null)
            break;

Meaning that if more than one rule matched the filter, only the first one
will be considered.

My use case is that an external system sets up rules for companies based on
roles, which come from another system, and can have several rules per
company with different allowed areas, for all layers. Ideally, I shouldn't
need to merge these areas in order to create a single rule, but have them
match the external system's.

I have a patch [1] that makes it consider both the RuleLimits and all the
matching rules in the resolveRuleset(List<Rule> ruleList) argument.

[1]
https://github.com/groldan/geofence/commit/5290c1760746f4e93ff4915c9e80a19a09e433be

With it, I can set up two Rules with different allowed areas, both for all
layers, and have them applied as expected (or as I understand it's
expected). The following image is a layer preview of tiger_roads with both
rules applied:

[image: image.png]

So, is my understanding correct and can I proceed to issue a PR?

Cheers,

-- 
Gabriel Roldán
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
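
The control flow described in the message, as an added Java 17 example that is not part of the original e-mail, GeoFence, or the linked patch: `resolveAsExcerpted` mirrors the quoted excerpt, and `resolveWithLimits` shows one assumed way to honour every matching LIMIT rule (union of the allowed areas). `Box`, `Rule`, `Decision` and both method names are hypothetical stand-ins, with bounding boxes in place of WKT geometries.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration, not GeoFence code: Rule, Box and Decision are simplified
// stand-ins, and allowed areas are axis-aligned boxes instead of WKT geometries.
public class LimitResolutionDemo {
    enum Access { ALLOW, DENY, LIMIT }
    record Box(double minX, double minY, double maxX, double maxY) {
        boolean contains(double x, double y) { return x >= minX && x <= maxX && y >= minY && y <= maxY; }
    }
    record Rule(Access access, Box area) {}   // area is only read for LIMIT rules
    record Decision(boolean granted, List<Box> allowedAreas) {
        // An empty area list means "no spatial restriction" in this model.
        boolean canSee(double x, double y) {
            return granted && (allowedAreas.isEmpty() || allowedAreas.stream().anyMatch(b -> b.contains(x, y)));
        }
    }

    // Mirrors the excerpt quoted in the message (its "...." cases are left out):
    // limits are collected but never turned into a result.
    static Decision resolveAsExcerpted(List<Rule> rules) {
        List<Box> limits = new ArrayList<>();
        Decision ret = null;
        for (Rule rule : rules) {
            if (ret != null) break;
            if (rule.access() == Access.LIMIT && rule.area() != null) limits.add(rule.area());
        }
        return ret;
    }

    // Assumed semantics (hypothetical): rules arrive in priority order, every LIMIT
    // rule contributes its area, and the first ALLOW or DENY ends the scan.
    static Decision resolveWithLimits(List<Rule> rules) {
        List<Box> limits = new ArrayList<>();
        for (Rule rule : rules) {
            switch (rule.access()) {
                case LIMIT: if (rule.area() != null) limits.add(rule.area()); break;
                case DENY:  return new Decision(false, List.of());
                case ALLOW: return new Decision(true, limits);
            }
        }
        return limits.isEmpty() ? null : new Decision(true, limits);
    }

    public static void main(String[] args) {
        // Constructed sample: two LIMIT rules for the same role, all layers.
        List<Rule> rules = List.of(new Rule(Access.LIMIT, new Box(0, 0, 10, 10)),
                new Rule(Access.LIMIT, new Box(20, 20, 30, 30)));
        System.out.println("as excerpted: " + resolveAsExcerpted(rules));
        Decision d = resolveWithLimits(rules);
        System.out.println(d.canSee(5, 5) + " " + d.canSee(25, 25) + " " + d.canSee(15, 15));
    }
}
```

The point at (15, 15) lies outside both constructed areas, so it is the case an authorization regression test should assert is not visible.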