private void validateTemp(DataPolicy.PermissionType action, String resource, boolean schema, LanguageObject object, Context context) { Set<String> resources = Collections.singleton(resource); logRequest(resources, context); boolean allowed = decider.isTempAccessible(action, schema?resource:null, context, commandContext); logResult(resources, context, allowed); if (!allowed) { handleValidationError( QueryPlugin.Util.getString("ERR.018.005.0095", commandContext.getUserName(), "CREATE_TEMPORARY_TABLES"), //$NON-NLS-1$ //$NON-NLS-2$ Arrays.asList(object)); } }
public void visit(StoredProcedure obj) { validateEntitlements(obj); }
/** * Out of the resources specified, return the subset for which the specified not have authorization to access. */ public Set<String> getInaccessibleResources(DataPolicy.PermissionType action, Set<String> resources, Context context) { logRequest(resources, context); Set<String> results = decider.getInaccessibleResources(action, resources, context, commandContext); logResult(resources, context, results.isEmpty()); return results; }
if (group.isProcedure()) { Map<String, LanguageObject> procMap = new LinkedHashMap<String, LanguageObject>(); addToNameMap(((TempMetadataID)metadataID).getOriginalMetadataID(), symbol, procMap, getMetadata()); validateEntitlements(PermissionType.EXECUTE, auditContext, procMap); } else if (group.isTempTable() && group.isImplicitTempGroupSymbol()) { validateTemp(actionCode, group.getNonCorrelationName(), false, group, auditContext); addToNameMap(metadataID, symbol, nameToSymbolMap, getMetadata()); } catch(QueryMetadataException e) { handleException(e); } catch(TeiidComponentException e) { handleException(e); validateEntitlements(actionCode, auditContext, nameToSymbolMap);
public void visit(Function obj) { if (FunctionLibrary.LOOKUP.equalsIgnoreCase(obj.getName())) { try { ResolverUtil.ResolvedLookup lookup = ResolverUtil.resolveLookup(obj, this.getMetadata()); List<Symbol> symbols = new LinkedList<Symbol>(); symbols.add(lookup.getGroup()); symbols.add(lookup.getKeyElement()); symbols.add(lookup.getReturnElement()); validateEntitlements(symbols, DataPolicy.PermissionType.READ, Context.QUERY); } catch (TeiidComponentException e) { handleException(e, obj); } catch (TeiidProcessingException e) { handleException(e, obj); } } else { String schema = obj.getFunctionDescriptor().getSchema(); if (schema != null && !isSystemSchema(schema)) { Map<String, Function> map = new HashMap<String, Function>(); map.put(obj.getFunctionDescriptor().getFullName(), obj); validateEntitlements(PermissionType.EXECUTE, Context.FUNCTION, map); } } }
intoElements.add(intoGroup); try { intoElements.addAll(ResolverUtil.resolveElementsInGroup(intoGroup, getMetadata())); } catch (QueryMetadataException err) { handleException(err, intoGroup); } catch (TeiidComponentException err) { handleException(err, intoGroup); validateEntitlements(intoElements, DataPolicy.PermissionType.CREATE, Context.INSERT); if (!isXMLCommand(obj)) { entitledObjects.addAll(ElementCollectorVisitor.getElements(obj, true)); validateEntitlements(entitledObjects, DataPolicy.PermissionType.READ, Context.QUERY);
AuthorizationValidationVisitor.addToNameMap(metadataObject, es, map, commandContext.getMetadata()); Set<String> results = this.policyDecider.getInaccessibleResources(PermissionType.READ, map.keySet(), Context.QUERY, commandContext); if (!results.isEmpty()) { AuthorizationValidationVisitor visitor = new AuthorizationValidationVisitor(this.policyDecider, commandContext); Request.validateWithVisitor(visitor, metadata, command);
/** * Validate query entitlements */ protected void validateEntitlements(Query obj) { // If query contains SELECT INTO, validate INTO portion Into intoObj = obj.getInto(); if ( intoObj != null ) { GroupSymbol intoGroup = intoObj.getGroup(); Collection<LanguageObject> intoElements = new LinkedList<LanguageObject>(); intoElements.add(intoGroup); try { intoElements.addAll(ResolverUtil.resolveElementsInGroup(intoGroup, getMetadata())); } catch (QueryMetadataException err) { handleException(err, intoGroup); } catch (TeiidComponentException err) { handleException(err, intoGroup); } validateEntitlements(intoElements, DataPolicy.PermissionType.CREATE, Context.INSERT); } // Validate this query's entitlements Collection<LanguageObject> entitledObjects = new ArrayList<LanguageObject>(GroupCollectorVisitor.getGroupsIgnoreInlineViews(obj, true)); entitledObjects.addAll(ElementCollectorVisitor.getElements(obj, true)); if(entitledObjects.size() == 0) { return; } validateEntitlements(entitledObjects, DataPolicy.PermissionType.READ, Context.QUERY); }
private void validateEntitlements(DataPolicy.PermissionType actionCode, Context auditContext, Map<String, ? extends LanguageObject> nameToSymbolMap) { if (nameToSymbolMap.isEmpty()) { return; } Collection<String> inaccessibleResources = getInaccessibleResources(actionCode, nameToSymbolMap.keySet(), auditContext); if(inaccessibleResources.isEmpty()) { return; } List<LanguageObject> inaccessibleSymbols = new ArrayList<LanguageObject>(inaccessibleResources.size()); for (String name : inaccessibleResources) { inaccessibleSymbols.add(nameToSymbolMap.get(name)); } // CASE 2362 - do not include the names of the elements for which the user // is not authorized in the exception message handleValidationError( QueryPlugin.Util.getString("ERR.018.005.0095", commandContext.getUserName(), actionCode), //$NON-NLS-1$ inaccessibleSymbols); }
static void addToNameMap(Object metadataID, LanguageObject symbol, Map<String, LanguageObject> nameToSymbolMap, QueryMetadataInterface metadata) throws QueryMetadataException, TeiidComponentException { String fullName = metadata.getFullName(metadataID); Object modelId = metadata.getModelID(metadataID); String modelName = metadata.getFullName(modelId); if (!isSystemSchema(modelName)) { //foreign temp table full names are not schema qualified by default if (!metadata.isVirtualModel(modelId)) { GroupSymbol group = null; if (symbol instanceof ElementSymbol) { group = ((ElementSymbol)symbol).getGroupSymbol(); } else if (symbol instanceof GroupSymbol) { group = (GroupSymbol)symbol; } if (group != null && group.isTempGroupSymbol() && !group.isGlobalTable()) { fullName = modelName + AbstractMetadataRecord.NAME_DELIM_CHAR + modelId; } } nameToSymbolMap.put(fullName, symbol); } }
private void helpTest(String sql, QueryMetadataInterface metadata, String[] expectedInaccesible, VDBMetaData vdb, DataPolicyMetadata... roles) throws QueryParserException, QueryResolverException, TeiidComponentException { QueryParser parser = QueryParser.getQueryParser(); Command command = parser.parseCommand(sql); QueryResolver.resolveCommand(command, metadata); DataRolePolicyDecider dataRolePolicyDecider = createPolicyDecider(metadata, vdb, roles); AuthorizationValidationVisitor visitor = new AuthorizationValidationVisitor(dataRolePolicyDecider, context); //$NON-NLS-1$ ValidatorReport report = Validator.validate(command, metadata, visitor); if(report.hasItems()) { ValidatorFailure firstFailure = report.getItems().iterator().next(); // strings Set<String> expected = new HashSet<String>(Arrays.asList(expectedInaccesible)); // elements Set<String> actual = new HashSet<String>(); for (LanguageObject obj : firstFailure.getInvalidObjects()) { if (obj instanceof ElementSymbol) { actual.add(((ElementSymbol)obj).getName()); } else { actual.add(obj.toString()); } } assertEquals(expected, actual); } else if(expectedInaccesible.length > 0) { fail("Expected inaccessible objects, but got none."); //$NON-NLS-1$ } }
if (group.isProcedure()) { Map<String, LanguageObject> procMap = new LinkedHashMap<String, LanguageObject>(); addToNameMap(((TempMetadataID)metadataID).getOriginalMetadataID(), symbol, procMap, getMetadata()); validateEntitlements(PermissionType.EXECUTE, auditContext, procMap); } else if (group.isTempTable() && group.isImplicitTempGroupSymbol()) { validateTemp(actionCode, group.getNonCorrelationName(), false, group, auditContext); addToNameMap(metadataID, symbol, nameToSymbolMap, getMetadata()); } catch(QueryMetadataException e) { handleException(e); } catch(TeiidComponentException e) { handleException(e); validateEntitlements(actionCode, auditContext, nameToSymbolMap);
public void visit(Function obj) { if (FunctionLibrary.LOOKUP.equalsIgnoreCase(obj.getName())) { try { ResolverUtil.ResolvedLookup lookup = ResolverUtil.resolveLookup(obj, this.getMetadata()); List<Symbol> symbols = new LinkedList<Symbol>(); symbols.add(lookup.getGroup()); symbols.add(lookup.getKeyElement()); symbols.add(lookup.getReturnElement()); validateEntitlements(symbols, DataPolicy.PermissionType.READ, Context.QUERY); } catch (TeiidComponentException e) { handleException(e, obj); } catch (TeiidProcessingException e) { handleException(e, obj); } } else { String schema = obj.getFunctionDescriptor().getSchema(); if (schema != null && !isSystemSchema(schema)) { Map<String, Function> map = new HashMap<String, Function>(); map.put(obj.getFunctionDescriptor().getFullName(), obj); validateEntitlements(PermissionType.EXECUTE, Context.FUNCTION, map); } } }
AuthorizationValidationVisitor.addToNameMap(metadataObject, es, map, commandContext.getMetadata()); Set<String> results = this.policyDecider.getInaccessibleResources(PermissionType.READ, map.keySet(), Context.QUERY, commandContext); if (!results.isEmpty()) { AuthorizationValidationVisitor visitor = new AuthorizationValidationVisitor(this.policyDecider, commandContext); Request.validateWithVisitor(visitor, metadata, command);
/** * Validate query entitlements */ protected void validateEntitlements(Query obj) { // If query contains SELECT INTO, validate INTO portion Into intoObj = obj.getInto(); if ( intoObj != null ) { GroupSymbol intoGroup = intoObj.getGroup(); Collection<LanguageObject> intoElements = new LinkedList<LanguageObject>(); intoElements.add(intoGroup); try { intoElements.addAll(ResolverUtil.resolveElementsInGroup(intoGroup, getMetadata())); } catch (QueryMetadataException err) { handleException(err, intoGroup); } catch (TeiidComponentException err) { handleException(err, intoGroup); } validateEntitlements(intoElements, DataPolicy.PermissionType.CREATE, Context.INSERT); } // Validate this query's entitlements Collection<LanguageObject> entitledObjects = new ArrayList<LanguageObject>(GroupCollectorVisitor.getGroupsIgnoreInlineViews(obj, true)); entitledObjects.addAll(ElementCollectorVisitor.getElements(obj, true)); if(entitledObjects.size() == 0) { return; } validateEntitlements(entitledObjects, DataPolicy.PermissionType.READ, Context.QUERY); }
/** * Out of the resources specified, return the subset for which the specified not have authorization to access. */ public Set<String> getInaccessibleResources(DataPolicy.PermissionType action, Set<String> resources, Context context) { logRequest(resources, context); Set<String> results = decider.getInaccessibleResources(action, resources, context, commandContext); logResult(resources, context, results.isEmpty()); return results; }
private void validateEntitlements(DataPolicy.PermissionType actionCode, Context auditContext, Map<String, ? extends LanguageObject> nameToSymbolMap) { if (nameToSymbolMap.isEmpty()) { return; } Collection<String> inaccessibleResources = getInaccessibleResources(actionCode, nameToSymbolMap.keySet(), auditContext); if(inaccessibleResources.isEmpty()) { return; } List<LanguageObject> inaccessibleSymbols = new ArrayList<LanguageObject>(inaccessibleResources.size()); for (String name : inaccessibleResources) { inaccessibleSymbols.add(nameToSymbolMap.get(name)); } // CASE 2362 - do not include the names of the elements for which the user // is not authorized in the exception message handleValidationError( QueryPlugin.Util.getString("ERR.018.005.0095", commandContext.getUserName(), actionCode), //$NON-NLS-1$ inaccessibleSymbols); }
static void addToNameMap(Object metadataID, LanguageObject symbol, Map<String, LanguageObject> nameToSymbolMap, QueryMetadataInterface metadata) throws QueryMetadataException, TeiidComponentException { String fullName = metadata.getFullName(metadataID); Object modelId = metadata.getModelID(metadataID); String modelName = metadata.getFullName(modelId); if (!isSystemSchema(modelName)) { //foreign temp table full names are not schema qualified by default if (!metadata.isVirtualModel(modelId)) { GroupSymbol group = null; if (symbol instanceof ElementSymbol) { group = ((ElementSymbol)symbol).getGroupSymbol(); } else if (symbol instanceof GroupSymbol) { group = (GroupSymbol)symbol; } if (group != null && group.isTempGroupSymbol() && !group.isGlobalTable()) { fullName = modelName + AbstractMetadataRecord.NAME_DELIM_CHAR + modelId; } } nameToSymbolMap.put(fullName, symbol); } }
if (group.isProcedure()) { Map<String, LanguageObject> procMap = new LinkedHashMap<String, LanguageObject>(); addToNameMap(((TempMetadataID)metadataID).getOriginalMetadataID(), symbol, procMap, getMetadata()); validateEntitlements(PermissionType.EXECUTE, auditContext, procMap); } else if (group.isTempTable() && group.isImplicitTempGroupSymbol()) { validateTemp(actionCode, group.getNonCorrelationName(), false, group, auditContext); addToNameMap(metadataID, symbol, nameToSymbolMap, getMetadata()); } catch(QueryMetadataException e) { handleException(e); } catch(TeiidComponentException e) { handleException(e); validateEntitlements(actionCode, auditContext, nameToSymbolMap);
public void visit(Function obj) { if (FunctionLibrary.LOOKUP.equalsIgnoreCase(obj.getName())) { try { ResolverUtil.ResolvedLookup lookup = ResolverUtil.resolveLookup(obj, this.getMetadata()); List<Symbol> symbols = new LinkedList<Symbol>(); symbols.add(lookup.getGroup()); symbols.add(lookup.getKeyElement()); symbols.add(lookup.getReturnElement()); validateEntitlements(symbols, DataPolicy.PermissionType.READ, Context.QUERY); } catch (TeiidComponentException e) { handleException(e, obj); } catch (TeiidProcessingException e) { handleException(e, obj); } } else { String schema = obj.getFunctionDescriptor().getSchema(); if (schema != null && !isSystemSchema(schema)) { Map<String, Function> map = new HashMap<String, Function>(); map.put(obj.getFunctionDescriptor().getFullName(), obj); validateEntitlements(PermissionType.EXECUTE, Context.FUNCTION, map); } } }