Skip to content

Commit

Permalink
auth: fix resource type NONE and add resource type SCHEMA (#1362)
Browse files Browse the repository at this point in the history 
* let NONE allowed by any permission
* add ResourceType.SCHEMA which can represent any schema resource
* not set STATUS to be represented by other resource

Change-Id: Ib6281cb3dfdc917ecac0c9450f7919e3898f73db
  • Loading branch information
@javeme
javeme authored Mar 2, 2021
1 parent 98cf2b9 commit 949ff53
Show file tree
Hide file tree
Showing 5 changed files with 179 additions and 21 deletions.
8 changes: 8 additions & 0 deletions hugegraph-api/src/main/java/com/baidu/hugegraph/auth/HugeAuthenticator.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -455,6 +455,14 @@ private void parseAction(String action) {
}

public static String roleFor(String owner, HugePermission perm) {
/*
* Construct required permission such as:
* $owner=graph1 $action=read
* (means required read permission of any one resource)
*
* In the future maybe also support:
* $owner=graph1 $action=vertex_read
*/
return String.format("%s=%s %s=%s", KEY_OWNER, owner,
KEY_ACTION, perm.string());
}
Expand Down
8 changes: 4 additions & 4 deletions hugegraph-core/src/main/java/com/baidu/hugegraph/auth/HugeResource.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,6 @@
import org.apache.tinkerpop.shaded.jackson.databind.ser.std.StdSerializer;

import com.baidu.hugegraph.HugeException;
import com.baidu.hugegraph.auth.ResourceType;
import com.baidu.hugegraph.auth.SchemaDefine.UserElement;
import com.baidu.hugegraph.structure.HugeElement;
import com.baidu.hugegraph.traversal.optimize.TraversalUtil;
Expand Down Expand Up @@ -108,7 +107,7 @@ public void checkFormat() {
}

public boolean filter(ResourceObject<?> resourceObject) {
if (this.type == null || this.type == ResourceType.NONE) {
if (this.type == null) {
return false;
}

Expand All @@ -121,7 +120,7 @@ public boolean filter(ResourceObject<?> resourceObject) {
if (resType.isGraph()) {
return this.filter((HugeElement) resourceObject.operated());
}
if (resType.isUsers()) {
if (resType.isAuth()) {
return this.filter((UserElement) resourceObject.operated());
}
if (resType.isSchema() || CHECK_NAME_RESS.contains(resType)) {
Expand Down Expand Up @@ -193,6 +192,7 @@ private boolean matchLabel(String other) {
if (this.label == null || other == null) {
return false;
}
// It's ok if wildcard match or regular match
if (!this.label.equals(ANY) && !other.matches(this.label)) {
return false;
}
Expand Down Expand Up @@ -220,7 +220,7 @@ protected boolean contains(HugeResource other) {
if (this.equals(other)) {
return true;
}
if (this.type == null || this.type == ResourceType.NONE) {
if (this.type == null) {
return false;
}
if (!this.type.match(other.type)) {
Expand Down
2 changes: 1 addition & 1 deletion hugegraph-core/src/main/java/com/baidu/hugegraph/auth/ResourceObject.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ public V operated() {
@Override
public String toString() {
Object operated = this.operated;
if (this.type.isUsers()) {
if (this.type.isAuth()) {
operated = ((UserElement) this.operated).idString();
}
return String.format("Resource{graph=%s,type=%s,operated=%s}",
Expand Down
37 changes: 28 additions & 9 deletions hugegraph-core/src/main/java/com/baidu/hugegraph/auth/ResourceType.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,8 @@ public enum ResourceType {

INDEX_LABEL, // include create/rebuild/delete index

SCHEMA,

META,

ALL,
Expand All @@ -63,12 +65,29 @@ public enum ResourceType {

ROOT;

public boolean match(ResourceType type) {
if (this == type || this == ROOT ||
(this == ALL && type.ordinal() <= ALL.ordinal())) {
public boolean match(ResourceType required) {
if (this == required) {
return true;
}
return this == type;

switch (required) {
case NONE:
return this != NONE;
default:
break;
}

switch (this) {
case ROOT:
case ALL:
return this.ordinal() >= required.ordinal();
case SCHEMA:
return required.isSchema();
default:
break;
}

return false;
}

public boolean isGraph() {
Expand All @@ -78,20 +97,20 @@ public boolean isGraph() {

public boolean isSchema() {
int ord = this.ordinal();
return PROPERTY_KEY.ordinal() <= ord && ord <= INDEX_LABEL.ordinal();
return PROPERTY_KEY.ordinal() <= ord && ord <= SCHEMA.ordinal();
}

public boolean isUsers() {
public boolean isAuth() {
int ord = this.ordinal();
return GRANT.ordinal() <= ord && ord <= TARGET.ordinal();
}

public boolean isGrantOrUser() {
return this == GRANT && this == USER_GROUP;
return this == GRANT || this == USER_GROUP;
}

public boolean isAny() {
return this == ALL || this == ROOT;
public boolean isRepresentative() {
return this == ROOT || this == ALL || this == SCHEMA;
}

public static ResourceType from(HugeType type) {
Expand Down
145 changes: 138 additions & 7 deletions hugegraph-test/src/main/java/com/baidu/hugegraph/unit/core/RolePermissionTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -134,6 +134,132 @@ public void testContains() {
Assert.assertFalse(roleContains(role, r14));
}

@Test
public void testResourceType() {
// ROOT
Assert.assertTrue(ResourceType.ROOT.match(ResourceType.NONE));
Assert.assertTrue(ResourceType.ROOT.match(ResourceType.STATUS));
Assert.assertTrue(ResourceType.ROOT.match(ResourceType.VERTEX));
Assert.assertTrue(ResourceType.ROOT.match(ResourceType.EDGE));
Assert.assertTrue(ResourceType.ROOT.match(ResourceType.VERTEX_LABEL));
Assert.assertTrue(ResourceType.ROOT.match(ResourceType.META));
Assert.assertTrue(ResourceType.ROOT.match(ResourceType.ALL));
Assert.assertTrue(ResourceType.ROOT.match(ResourceType.GRANT));
Assert.assertTrue(ResourceType.ROOT.match(ResourceType.USER_GROUP));
Assert.assertTrue(ResourceType.ROOT.match(ResourceType.TARGET));
Assert.assertTrue(ResourceType.ROOT.match(ResourceType.METRICS));
Assert.assertTrue(ResourceType.ROOT.match(ResourceType.ROOT));

// ALL
Assert.assertTrue(ResourceType.ALL.match(ResourceType.NONE));
Assert.assertTrue(ResourceType.ALL.match(ResourceType.STATUS));
Assert.assertTrue(ResourceType.ALL.match(ResourceType.VERTEX));
Assert.assertTrue(ResourceType.ALL.match(ResourceType.EDGE));
Assert.assertTrue(ResourceType.ALL.match(ResourceType.VERTEX_LABEL));
Assert.assertTrue(ResourceType.ALL.match(ResourceType.META));
Assert.assertTrue(ResourceType.ALL.match(ResourceType.ALL));

Assert.assertFalse(ResourceType.ALL.match(ResourceType.GRANT));
Assert.assertFalse(ResourceType.ALL.match(ResourceType.USER_GROUP));
Assert.assertFalse(ResourceType.ALL.match(ResourceType.TARGET));
Assert.assertFalse(ResourceType.ALL.match(ResourceType.METRICS));
Assert.assertFalse(ResourceType.ALL.match(ResourceType.ROOT));

// SCHEMA
Assert.assertTrue(ResourceType.SCHEMA.match(ResourceType.NONE));
Assert.assertTrue(ResourceType.SCHEMA.match(ResourceType.PROPERTY_KEY));
Assert.assertTrue(ResourceType.SCHEMA.match(ResourceType.VERTEX_LABEL));
Assert.assertTrue(ResourceType.SCHEMA.match(ResourceType.EDGE_LABEL));
Assert.assertTrue(ResourceType.SCHEMA.match(ResourceType.INDEX_LABEL));
Assert.assertTrue(ResourceType.SCHEMA.match(ResourceType.SCHEMA));

Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.STATUS));
Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.VERTEX));
Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.EDGE));
Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.VERTEX_AGGR));
Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.EDGE_AGGR));
Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.VAR));
Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.GREMLIN));
Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.TASK));
Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.META));
Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.ALL));
Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.GRANT));
Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.USER_GROUP));
Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.TARGET));
Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.METRICS));
Assert.assertFalse(ResourceType.SCHEMA.match(ResourceType.ROOT));

// isRepresentative
Assert.assertTrue(ResourceType.ROOT.isRepresentative());
Assert.assertTrue(ResourceType.ALL.isRepresentative());
Assert.assertTrue(ResourceType.SCHEMA.isRepresentative());

Assert.assertFalse(ResourceType.NONE.isRepresentative());
Assert.assertFalse(ResourceType.VERTEX.isRepresentative());
Assert.assertFalse(ResourceType.META.isRepresentative());
Assert.assertFalse(ResourceType.METRICS.isRepresentative());

// isAuth
Assert.assertTrue(ResourceType.GRANT.isAuth());
Assert.assertTrue(ResourceType.USER_GROUP.isAuth());
Assert.assertTrue(ResourceType.TARGET.isAuth());

Assert.assertFalse(ResourceType.ROOT.isAuth());
Assert.assertFalse(ResourceType.ALL.isAuth());
Assert.assertFalse(ResourceType.SCHEMA.isAuth());
Assert.assertFalse(ResourceType.NONE.isAuth());
Assert.assertFalse(ResourceType.VERTEX.isAuth());
Assert.assertFalse(ResourceType.META.isAuth());
Assert.assertFalse(ResourceType.METRICS.isAuth());

// isGrantOrUser
Assert.assertTrue(ResourceType.GRANT.isGrantOrUser());
Assert.assertTrue(ResourceType.USER_GROUP.isGrantOrUser());
Assert.assertFalse(ResourceType.TARGET.isGrantOrUser());

Assert.assertFalse(ResourceType.ROOT.isGrantOrUser());
Assert.assertFalse(ResourceType.ALL.isGrantOrUser());
Assert.assertFalse(ResourceType.SCHEMA.isGrantOrUser());
Assert.assertFalse(ResourceType.NONE.isGrantOrUser());
Assert.assertFalse(ResourceType.VERTEX.isGrantOrUser());
Assert.assertFalse(ResourceType.META.isGrantOrUser());
Assert.assertFalse(ResourceType.METRICS.isGrantOrUser());

// isSchema
Assert.assertTrue(ResourceType.PROPERTY_KEY.isSchema());
Assert.assertTrue(ResourceType.VERTEX_LABEL.isSchema());
Assert.assertTrue(ResourceType.EDGE_LABEL.isSchema());
Assert.assertTrue(ResourceType.INDEX_LABEL.isSchema());
Assert.assertTrue(ResourceType.SCHEMA.isSchema());

Assert.assertFalse(ResourceType.ROOT.isSchema());
Assert.assertFalse(ResourceType.ALL.isSchema());
Assert.assertFalse(ResourceType.NONE.isSchema());
Assert.assertFalse(ResourceType.STATUS.isSchema());
Assert.assertFalse(ResourceType.VAR.isSchema());
Assert.assertFalse(ResourceType.GREMLIN.isSchema());
Assert.assertFalse(ResourceType.TASK.isSchema());
Assert.assertFalse(ResourceType.META.isSchema());
Assert.assertFalse(ResourceType.METRICS.isSchema());

// isGraph
Assert.assertTrue(ResourceType.VERTEX.isGraph());
Assert.assertTrue(ResourceType.EDGE.isGraph());

Assert.assertFalse(ResourceType.ROOT.isGraph());
Assert.assertFalse(ResourceType.ALL.isGraph());
Assert.assertFalse(ResourceType.SCHEMA.isGraph());
Assert.assertFalse(ResourceType.NONE.isGraph());
Assert.assertFalse(ResourceType.STATUS.isGraph());
Assert.assertFalse(ResourceType.VERTEX_AGGR.isGraph());
Assert.assertFalse(ResourceType.EDGE_AGGR.isGraph());
Assert.assertFalse(ResourceType.VAR.isGraph());
Assert.assertFalse(ResourceType.GREMLIN.isGraph());
Assert.assertFalse(ResourceType.TASK.isGraph());
Assert.assertFalse(ResourceType.META.isGraph());
Assert.assertFalse(ResourceType.METRICS.isGraph());
}

@Test
public void testHugeResource() {
HugeResource r = new HugeResource(ResourceType.VERTEX, "person",
Expand Down Expand Up @@ -201,22 +327,25 @@ public void testHugeResourceFilter() {
@Test
public void testHugeResourceFilterSchema() {
HugeResource all = HugeResource.ALL;
HugeResource schema = new HugeResource(ResourceType.SCHEMA,
HugeResource.ANY, null);

// schema
HugeResource vlp = new HugeResource(ResourceType.VERTEX_LABEL,
"p-.*", null);
HugeResource vlPrefix = new HugeResource(ResourceType.VERTEX_LABEL,
"p-.*", null);

ResourceObject<?> r3 = ResourceObject.of("g1",
ResourceType.VERTEX_LABEL,
NameObject.of("test"));
Assert.assertTrue(all.filter(r3));
Assert.assertFalse(vlp.filter(r3));
Assert.assertTrue(schema.filter(r3));
Assert.assertFalse(vlPrefix.filter(r3));

ResourceObject<?> r4 = ResourceObject.of("g1",
ResourceType.VERTEX_LABEL,
NameObject.of("p-test"));
Assert.assertTrue(all.filter(r4));
Assert.assertTrue(vlp.filter(r4));
Assert.assertTrue(schema.filter(r4));
Assert.assertTrue(vlPrefix.filter(r4));

FakeObjects fo = new FakeObjects();

Expand All @@ -225,14 +354,16 @@ public void testHugeResourceFilterSchema() {
IdGenerator.of("1"));
ResourceObject<?> r5 = ResourceObject.of("g1", vl1);
Assert.assertTrue(all.filter(r5));
Assert.assertFalse(vlp.filter(r5));
Assert.assertTrue(schema.filter(r5));
Assert.assertFalse(vlPrefix.filter(r5));

VertexLabel vl2 = fo.newVertexLabel(IdGenerator.of("id1"), "p-person",
IdStrategy.PRIMARY_KEY,
IdGenerator.of("1"));
ResourceObject<?> r6 = ResourceObject.of("g1", vl2);
Assert.assertTrue(all.filter(r6));
Assert.assertTrue(vlp.filter(r6));
Assert.assertTrue(schema.filter(r6));
Assert.assertTrue(vlPrefix.filter(r6));
}

@Test
Expand Down

0 comments on commit 949ff53

Please sign in to comment.