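/**
 * Checks whether a set of authorizations satisfies a visibility expression.
 *
 * @param visibility visibility expression to check; must not be null
 * @param authorizations authorization strings the expression is evaluated against
 * @return whatever {@code VisibilityEvaluator.evaluate} returns for the expression
 * @throws RuntimeException if {@code visibility} is null, or if evaluation fails with a
 *         {@code VisibilityParseException} (kept as the cause)
 */
public static boolean canRead(String visibility, String[] authorizations) {
    // Reject a missing label explicitly instead of relying on whatever
    // ColumnVisibility does with a null expression; an access check should
    // fail with a clear message, never proceed on an undefined label.
    if (visibility == null) {
        throw new RuntimeException("visibility cannot be null");
    }
    VisibilityEvaluator visibilityEvaluator = new VisibilityEvaluator(new Authorizations(authorizations));
    ColumnVisibility columnVisibility = new ColumnVisibility(visibility);
    try {
        return visibilityEvaluator.evaluate(columnVisibility);
    } catch (VisibilityParseException ex) {
        // NOTE(review): the message embeds the raw visibility expression; confirm
        // that is acceptable wherever this exception is logged or returned.
        throw new RuntimeException("could not evaluate visibility " + visibility, ex);
    }
}
} // closes the enclosing class, whose header is outside this snippet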
/**
 * Builds an evaluator bound to one set of authorizations.
 * The evaluator keeps the result of {@code escape(authorizations)} rather than
 * the object passed in.
 *
 * @param authorizations authorizations that visibility expressions will be evaluated against
 */
public VisibilityEvaluator(Authorizations authorizations) {
    // The parameter is already an Authorizations, so no cast is needed.
    this.auths = escape(authorizations);
}
/**
 * Evaluates this object's {@code columnVisibility} with the supplied evaluator.
 *
 * @param visibilityEvaluator evaluator already bound to the caller's authorizations
 * @return the evaluator's verdict for this object's column visibility
 * @throws VertexiumException if the evaluator reports a {@code VisibilityParseException};
 *         the original exception is kept as the cause
 */
public boolean canRead(VisibilityEvaluator visibilityEvaluator) {
    final boolean readable;
    try {
        readable = visibilityEvaluator.evaluate(columnVisibility);
    } catch (VisibilityParseException e) {
        // A label that cannot be evaluated is an error, not a grant or a denial.
        throw new VertexiumException("could not evaluate visibility " + visibility.getVisibilityString(), e);
    }
    return readable;
}
/**
 * Lists the names of the tables whose {@code canRead} check passes for the given authorizations.
 * Tables that fail the check are left out of the result without any error.
 *
 * @param authorizations authorizations of the caller
 * @return immutable set of the readable table names
 */
public ImmutableSet<String> getTableNames(Authorizations authorizations) {
    // One evaluator is built per call and shared by every table check below.
    org.vertexium.security.Authorizations evaluatorAuthorizations =
        new org.vertexium.security.Authorizations(authorizations.getAuthorizations());
    VisibilityEvaluator visibilityEvaluator = new VisibilityEvaluator(evaluatorAuthorizations);
    return tables.entrySet().stream()
        .filter(tableEntry -> tableEntry.getValue().canRead(visibilityEvaluator))
        .map(tableEntry -> tableEntry.getKey())
        .collect(StreamUtils.toImmutableSet());
}
/**
 * Evaluates a column visibility against the authorizations held by this evaluator.
 * The work is delegated to the private {@code evaluate(byte[], ColumnVisibility.Node)}
 * overload, which receives the visibility's expression bytes and parse tree.
 *
 * @param visibility column visibility to evaluate
 * @return true if the visibility passes evaluation
 * @throws VisibilityParseException if the delegate rejects the parse tree
 */
public boolean evaluate(ColumnVisibility visibility) throws VisibilityParseException {
    final byte[] expressionBytes = visibility.getExpression();
    final ColumnVisibility.Node parseTreeRoot = visibility.getParseTree();
    return evaluate(expressionBytes, parseTreeRoot);
}
/**
 * Returns the rows of a named table that are visible to the given authorizations.
 * A table with no visible rows is reported with the same "Invalid table" error as
 * a table that does not exist, so the error does not distinguish the two cases.
 *
 * @param tableName name of the table to read
 * @param authorizations authorizations of the caller
 * @return the rows that {@code Table.getRows} yields for the caller's evaluator
 * @throws VertexiumException if the table is unknown or yields no rows for the caller
 */
public Iterable<ExtendedDataRow> getTable(String tableName, Authorizations authorizations) {
    org.vertexium.security.Authorizations evaluatorAuthorizations =
        new org.vertexium.security.Authorizations(authorizations.getAuthorizations());
    VisibilityEvaluator visibilityEvaluator = new VisibilityEvaluator(evaluatorAuthorizations);

    Table requestedTable = tables.get(tableName);
    if (requestedTable == null) {
        throw new VertexiumException("Invalid table '" + tableName + "'");
    }

    Iterable<ExtendedDataRow> visibleRows = requestedTable.getRows(visibilityEvaluator);
    // Probe with a throwaway iterator; the Iterable itself is handed back to the caller.
    // NOTE(review): this assumes the Iterable can be iterated more than once - confirm.
    boolean hasVisibleRow = visibleRows.iterator().hasNext();
    if (!hasVisibleRow) {
        throw new VertexiumException("Invalid table '" + tableName + "'");
    }
    return visibleRows;
}
/**
 * Checks whether a set of authorizations satisfies a visibility expression.
 *
 * @param visibility visibility expression to check; must not be null
 * @param authorizations authorization strings the expression is evaluated against
 * @return whatever {@code VisibilityEvaluator.evaluate} returns for the expression
 * @throws RuntimeException if {@code visibility} is null, or if evaluation fails with a
 *         {@code VisibilityParseException} (kept as the cause)
 */
public static boolean canRead(String visibility, String[] authorizations) {
    if (visibility == null) {
        throw new RuntimeException("visibility cannot be null");
    }

    Authorizations callerAuthorizations = new Authorizations(authorizations);
    VisibilityEvaluator visibilityEvaluator = new VisibilityEvaluator(callerAuthorizations);
    ColumnVisibility columnVisibility = new ColumnVisibility(visibility);

    boolean readable;
    try {
        readable = visibilityEvaluator.evaluate(columnVisibility);
    } catch (VisibilityParseException ex) {
        // NOTE(review): the message embeds the raw visibility expression; confirm
        // that is acceptable wherever this exception is logged or returned.
        throw new RuntimeException("could not evaluate visibility " + visibility, ex);
    }
    return readable;
}
} // closes the enclosing class, whose header is outside this snippet
/**
 * Decides whether this evaluator's authorizations satisfy a column visibility.
 * This is the public entry point; it passes the visibility's expression and parse
 * tree to the private {@code evaluate(byte[], ColumnVisibility.Node)} overload.
 *
 * @param visibility column visibility to evaluate
 * @return true if the visibility passes evaluation
 * @throws VisibilityParseException if the private overload rejects the parse tree
 */
public boolean evaluate(ColumnVisibility visibility) throws VisibilityParseException {
    final byte[] rawExpression = visibility.getExpression();
    final ColumnVisibility.Node treeRoot = visibility.getParseTree();
    final boolean passes = evaluate(rawExpression, treeRoot);
    return passes;
}
@Override public Iterable<? extends ExtendedDataRow> getTable(ElementType elementType, String elementId, String tableName, Authorizations authorizations) { VisibilityEvaluator visibilityEvaluator = new VisibilityEvaluator(new org.vertexium.security.Authorizations(authorizations.getAuthorizations()));
/**
 * Creates an evaluator for one set of authorizations.
 * What the evaluator stores is the object returned by {@code escape(authorizations)},
 * not the argument itself.
 *
 * @param authorizations authorizations that visibility expressions will be evaluated against
 */
public VisibilityEvaluator(Authorizations authorizations) {
    final Authorizations escapedAuthorizations = escape(authorizations);
    this.auths = escapedAuthorizations;
}
/**
 * Tells whether the given authorizations are allowed to read data labelled with
 * the given visibility expression.
 *
 * @param visibility visibility expression to check; must not be null
 * @param authorizations authorization strings the expression is evaluated against
 * @return whatever {@code VisibilityEvaluator.evaluate} returns for the expression
 * @throws RuntimeException if {@code visibility} is null, or if evaluation fails with a
 *         {@code VisibilityParseException} (kept as the cause)
 */
public static boolean canRead(String visibility, String[] authorizations) {
    // Guard first: nothing below is constructed for a missing label.
    if (visibility == null) {
        throw new RuntimeException("visibility cannot be null");
    }
    final VisibilityEvaluator evaluator = new VisibilityEvaluator(new Authorizations(authorizations));
    final ColumnVisibility parsedVisibility = new ColumnVisibility(visibility);
    try {
        return evaluator.evaluate(parsedVisibility);
    } catch (VisibilityParseException ex) {
        final String message = "could not evaluate visibility " + visibility;
        throw new RuntimeException(message, ex);
    }
}
} // closes the enclosing class, whose header is outside this snippet
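/**
 * Keeps a row only when its visibility passes evaluation by {@code visibilityEvaluator}.
 *
 * @param item row whose visibility string is evaluated
 * @return the evaluator's verdict for the row's visibility
 * @throws VertexiumException if the evaluator reports a {@code VisibilityParseException};
 *         the original exception is kept as the cause
 */
@Override
protected boolean isIncluded(Row item) {
    try {
        return visibilityEvaluator.evaluate(new ColumnVisibility(item.visibility.getVisibilityString()));
    } catch (VisibilityParseException e) {
        // Pass the cause along so a failed access check can be traced to the
        // offending sub-expression instead of losing the parser's diagnostics.
        throw new VertexiumException("Could not parse visibility: " + item.visibility, e);
    }
}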
/**
 * Quotes a term of a column visibility expression when it needs quoting.
 * If every byte passes {@code Authorizations.isValidAuthChar}, the input array itself
 * is returned; otherwise the result of {@code VisibilityEvaluator.escape(term, true)}
 * is returned.
 *
 * @param term term to quote, encoded as UTF-8 bytes
 * @return quoted term (unquoted if unnecessary), encoded as UTF-8 bytes
 * @see #quote(String)
 */
public static byte[] quote(byte[] term) {
    for (byte termByte : term) {
        if (!Authorizations.isValidAuthChar(termByte)) {
            // The first byte outside the valid set decides; later bytes need no scan.
            return VisibilityEvaluator.escape(term, true);
        }
    }
    return term;
}
} // closes the enclosing class, whose header is outside this snippet
/**
 * Checks whether these authorizations may read data with the given visibility.
 * An empty visibility string is always readable and skips evaluation.
 *
 * @param visibility visibility to check; must not be null
 * @return true for an empty visibility string, otherwise the evaluator's verdict
 * @throws VertexiumException if the evaluator reports a {@code VisibilityParseException};
 *         the original exception is kept as the cause
 */
@Override
public boolean canRead(Visibility visibility) {
    Preconditions.checkNotNull(visibility, "visibility is required");

    // Shortcut: no evaluator or ColumnVisibility is built just to test an empty label.
    if (visibility.getVisibilityString().isEmpty()) {
        return true;
    }

    Authorizations ownAuthorizations = new Authorizations(this.getAuthorizations());
    VisibilityEvaluator visibilityEvaluator = new VisibilityEvaluator(ownAuthorizations);
    ColumnVisibility columnVisibility = new ColumnVisibility(visibility.getVisibilityString());
    boolean readable;
    try {
        readable = visibilityEvaluator.evaluate(columnVisibility);
    } catch (VisibilityParseException e) {
        throw new VertexiumException("could not evaluate visibility " + visibility.getVisibilityString(), e);
    }
    return readable;
}
/**
 * Recursively evaluates one node of a visibility parse tree against {@code auths}.
 * An empty expression always passes. A TERM passes when {@code auths} contains it,
 * an AND when every child passes, and an OR when at least one child passes.
 * Children are evaluated in order and evaluation stops at the first deciding child,
 * so children after it are not checked for malformed sub-expressions.
 *
 * @param expression raw bytes of the whole visibility expression
 * @param root node to evaluate
 * @return true if the node is satisfied by the authorizations
 * @throws VisibilityParseException if an AND or OR node has fewer than two children,
 *         or the node type is not TERM, AND or OR
 */
private final boolean evaluate(final byte[] expression, final ColumnVisibility.Node root) throws VisibilityParseException {
    // An empty label places no restriction on the reader.
    if (expression.length == 0) {
        return true;
    }
    switch (root.type) {
        case TERM: {
            return auths.contains(root.getTerm(expression));
        }
        case AND: {
            if (root.children == null || root.children.size() < 2) {
                throw new VisibilityParseException("AND has less than 2 children", expression, root.start);
            }
            for (ColumnVisibility.Node operand : root.children) {
                if (!evaluate(expression, operand)) {
                    return false;
                }
            }
            return true;
        }
        case OR: {
            if (root.children == null || root.children.size() < 2) {
                throw new VisibilityParseException("OR has less than 2 children", expression, root.start);
            }
            for (ColumnVisibility.Node alternative : root.children) {
                if (evaluate(expression, alternative)) {
                    return true;
                }
            }
            return false;
        }
        default: {
            throw new VisibilityParseException("No such node type", expression, root.start);
        }
    }
}
} // closes the enclosing class, whose header is outside this snippet
/**
 * Returns a term of a column visibility expression in a form that is safe to embed,
 * quoting it only when necessary. A term whose bytes all pass
 * {@code Authorizations.isValidAuthChar} is returned as the same array instance;
 * any other term is passed to {@code VisibilityEvaluator.escape(term, true)}.
 *
 * @param term term to quote, encoded as UTF-8 bytes
 * @return quoted term (unquoted if unnecessary), encoded as UTF-8 bytes
 * @see #quote(String)
 */
public static byte[] quote(byte[] term) {
    // Advance past the leading run of valid bytes.
    int firstInvalid = 0;
    while (firstInvalid < term.length && Authorizations.isValidAuthChar(term[firstInvalid])) {
        firstInvalid++;
    }
    // Reaching the end means no byte needed quoting.
    if (firstInvalid == term.length) {
        return term;
    }
    return VisibilityEvaluator.escape(term, true);
}
} // closes the enclosing class, whose header is outside this snippet
/**
 * Evaluates one parse-tree node of a visibility expression against {@code auths}.
 * Rules visible in the code: an empty expression passes unconditionally; a TERM passes
 * when {@code auths} contains it; an AND needs every child to pass; an OR needs one
 * child to pass. Evaluation of children stops as soon as the outcome is decided.
 *
 * @param expression raw bytes of the whole visibility expression
 * @param root node to evaluate
 * @return true if the node is satisfied by the authorizations
 * @throws VisibilityParseException if an AND or OR node has fewer than two children,
 *         or the node type is not TERM, AND or OR
 */
private final boolean evaluate(final byte[] expression, final ColumnVisibility.Node root) throws VisibilityParseException {
    if (expression.length == 0) {
        return true;
    }
    switch (root.type) {
        case TERM:
            return auths.contains(root.getTerm(expression));
        case AND: {
            if (root.children == null || root.children.size() < 2) {
                throw new VisibilityParseException("AND has less than 2 children", expression, root.start);
            }
            boolean everyChildPasses = true;
            for (ColumnVisibility.Node child : root.children) {
                if (!evaluate(expression, child)) {
                    everyChildPasses = false;
                    break; // one failing operand decides an AND
                }
            }
            return everyChildPasses;
        }
        case OR: {
            if (root.children == null || root.children.size() < 2) {
                throw new VisibilityParseException("OR has less than 2 children", expression, root.start);
            }
            boolean someChildPasses = false;
            for (ColumnVisibility.Node child : root.children) {
                if (evaluate(expression, child)) {
                    someChildPasses = true;
                    break; // one passing operand decides an OR
                }
            }
            return someChildPasses;
        }
        default:
            throw new VisibilityParseException("No such node type", expression, root.start);
    }
}
} // closes the enclosing class, whose header is outside this snippet
/**
 * Builds a new {@link Authorizations} whose entries are the escaped forms of the
 * entries in the given object. Each entry goes through {@code escape(auth, false)};
 * the given object is only read.
 *
 * @param auths original authorizations
 * @return authorizations object with escaped authorization strings
 * @see #escape(byte[], boolean)
 */
static Authorizations escape(Authorizations auths) {
    // Presized to the source count so the list does not grow while filling.
    ArrayList<byte[]> escapedAuths = new ArrayList<byte[]>(auths.getAuthorizations().size());
    for (byte[] rawAuth : auths.getAuthorizations()) {
        byte[] escapedAuth = escape(rawAuth, false);
        escapedAuths.add(escapedAuth);
    }
    return new Authorizations(escapedAuths);
}
/**
 * Returns a fresh {@link Authorizations} holding one escaped entry per entry of the
 * given object, produced by {@code escape(auth, false)}.
 *
 * @param auths original authorizations
 * @return authorizations object with escaped authorization strings
 * @see #escape(byte[], boolean)
 */
static Authorizations escape(Authorizations auths) {
    final int expectedSize = auths.getAuthorizations().size();
    final ArrayList<byte[]> result = new ArrayList<byte[]>(expectedSize);
    for (final byte[] original : auths.getAuthorizations()) {
        result.add(escape(original, false));
    }
    return new Authorizations(result);
}