This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 1438644b7 RANGER-4234: simplify condition/row-filter expressions that
deal with delimited strings
1438644b7 is described below
commit 1438644b7f1f7f5fb9e62d0d855982d7e10e7fc6
Author: Eckman, Barbara
AuthorDate: Fri Sep 22 11:38:07 2023 -0400
RANGER-4234: simplify condition/row-filter expressions that deal with
delimited strings
Signed-off-by: Madhan Neethiraj
---
.../RangerDefaultRowFilterPolicyItemEvaluator.java | 9 ++-
.../apache/ranger/plugin/util/JavaScriptEdits.java | 77 ++
.../ranger/plugin/util/JavaScriptEditsTest.java| 45 +
3 files changed, 130 insertions(+), 1 deletion(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
index d2b3e746b..759c0ff59 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
@@ -25,6 +25,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import org.apache.ranger.plugin.util.JavaScriptEdits;
import org.apache.ranger.plugin.util.RangerRequestExprResolver;
@@ -41,7 +42,13 @@ public class RangerDefaultRowFilterPolicyItemEvaluator
extends RangerDefaultPoli
RangerPolicyItemRowFilterInfo rowFilterInfo =
getRowFilterInfo();
if (rowFilterInfo != null && rowFilterInfo.getFilterExpr() !=
null) {
- rowFilterExpr = rowFilterInfo.getFilterExpr();
+ String rowFilterExpr = rowFilterInfo.getFilterExpr();
+
+ if (JavaScriptEdits.hasDoubleBrackets(rowFilterExpr)) {
+ rowFilterExpr =
JavaScriptEdits.replaceDoubleBrackets(rowFilterExpr);
+ }
+
+ this.rowFilterExpr = rowFilterExpr;
} else {
rowFilterExpr = null;
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/JavaScriptEdits.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/JavaScriptEdits.java
new file mode 100644
index 0..a2dd18e4f
--- /dev/null
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/JavaScriptEdits.java
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.util;
+
+import org.apache.commons.lang.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+public class JavaScriptEdits {
+private static final Logger LOG =
LoggerFactory.getLogger(JavaScriptEdits.class);
+
+private static final String DOUBLE_BRACKET_START = "[[";
+private static final String DOUBLE_BRACKET_END = "]]";
+private static final String DOUBLE_BRACKET_REGEX =
"\\[\\[([}{\\$\"a-zA-Z0-9_.\\[\\]]+)(\\,['\\\"](.+?)['\\\"])*\\]\\]"; // regex:
/\[\[([a-zA-Z0-9_.\[\]]+)(\,['"](.+)['"])*\]\]/g;
+private static final Pattern DOUBLE_BRACKET_PATTERN =
Pattern.compile(DOUBLE_BRACKET_REGEX);
+
+public static boolean hasDoubleBrackets(String str) {
+return StringUtils.contains(str, DOUBLE_BRACKET_START) &&
StringUtils.contains(str, DOUBLE_BRACKET_END);
+}
+
+/* some examples:
+tag-based access policy:
+original: [[TAG.value]].intersects([[USER[TAG._type]]])
+replaced: TAG.value.split(",").intersects(USER[TAG._type].split(","))
+Row-filter policy:
+original: ${{[["$USER.e