/*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.facebook.presto.testing;
import com.facebook.presto.metadata.QualifiedObjectName;
import com.facebook.presto.security.AccessControlManager;
import com.facebook.presto.security.AllowAllSystemAccessControl;
import com.facebook.presto.spi.CatalogSchemaName;
import com.facebook.presto.spi.security.Identity;
import com.facebook.presto.transaction.TransactionId;
import com.facebook.presto.transaction.TransactionManager;
import com.google.common.collect.ImmutableMap;
import javax.inject.Inject;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import static com.facebook.presto.spi.security.AccessDeniedException.denyAddColumn;
import static com.facebook.presto.spi.security.AccessDeniedException.denyCreateSchema;
import static com.facebook.presto.spi.security.AccessDeniedException.denyCreateTable;
import static com.facebook.presto.spi.security.AccessDeniedException.denyCreateView;
import static com.facebook.presto.spi.security.AccessDeniedException.denyDeleteTable;
import static com.facebook.presto.spi.security.AccessDeniedException.denyDropSchema;
import static com.facebook.presto.spi.security.AccessDeniedException.denyDropTable;
import static com.facebook.presto.spi.security.AccessDeniedException.denyDropView;
import static com.facebook.presto.spi.security.AccessDeniedException.denyInsertTable;
import static com.facebook.presto.spi.security.AccessDeniedException.denyRenameColumn;
import static com.facebook.presto.spi.security.AccessDeniedException.denyRenameSchema;
import static com.facebook.presto.spi.security.AccessDeniedException.denyRenameTable;
import static com.facebook.presto.spi.security.AccessDeniedException.denySelectTable;
import static com.facebook.presto.spi.security.AccessDeniedException.denySelectView;
import static com.facebook.presto.spi.security.AccessDeniedException.denySetCatalogSessionProperty;
import static com.facebook.presto.spi.security.AccessDeniedException.denySetSystemSessionProperty;
import static com.facebook.presto.spi.security.AccessDeniedException.denySetUser;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.ADD_COLUMN;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.CREATE_SCHEMA;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.CREATE_TABLE;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW_WITH_SELECT_TABLE;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW_WITH_SELECT_VIEW;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.DELETE_TABLE;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.DROP_SCHEMA;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.DROP_TABLE;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.DROP_VIEW;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.INSERT_TABLE;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.RENAME_COLUMN;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.RENAME_SCHEMA;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.RENAME_TABLE;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.SELECT_TABLE;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.SELECT_VIEW;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.SET_SESSION;
import static com.facebook.presto.testing.TestingAccessControlManager.TestingPrivilegeType.SET_USER;
import static com.google.common.base.MoreObjects.toStringHelper;
import static java.util.Objects.requireNonNull;
public class TestingAccessControlManager
extends AccessControlManager
{
private final Set<TestingPrivilege> denyPrivileges = new HashSet<>();
@Inject
public TestingAccessControlManager(TransactionManager transactionManager)
{
super(transactionManager);
setSystemAccessControl(AllowAllSystemAccessControl.NAME, ImmutableMap.of());
}
public static TestingPrivilege privilege(String entityName, TestingPrivilegeType type)
{
return new TestingPrivilege(Optional.empty(), entityName, type);
}
public static TestingPrivilege privilege(String userName, String entityName, TestingPrivilegeType type)
{
return new TestingPrivilege(Optional.of(userName), entityName, type);
}
public void deny(TestingPrivilege... deniedPrivileges)
{
Collections.addAll(this.denyPrivileges, deniedPrivileges);
}
public void reset()
{
denyPrivileges.clear();
}
@Override
public void checkCanSetUser(Principal principal, String userName)
{
if (shouldDenyPrivilege(userName, userName, SET_USER)) {
denySetUser(principal, userName);
}
if (denyPrivileges.isEmpty()) {
super.checkCanSetUser(principal, userName);
}
}
@Override
public void checkCanCreateSchema(TransactionId transactionId, Identity identity, CatalogSchemaName schemaName)
{
if (shouldDenyPrivilege(identity.getUser(), schemaName.getSchemaName(), CREATE_SCHEMA)) {
denyCreateSchema(schemaName.toString());
}
if (denyPrivileges.isEmpty()) {
super.checkCanCreateSchema(transactionId, identity, schemaName);
}
}
@Override
public void checkCanDropSchema(TransactionId transactionId, Identity identity, CatalogSchemaName schemaName)
{
if (shouldDenyPrivilege(identity.getUser(), schemaName.getSchemaName(), DROP_SCHEMA)) {
denyDropSchema(schemaName.toString());
}
if (denyPrivileges.isEmpty()) {
super.checkCanDropSchema(transactionId, identity, schemaName);
}
}
@Override
public void checkCanRenameSchema(TransactionId transactionId, Identity identity, CatalogSchemaName schemaName, String newSchemaName)
{
if (shouldDenyPrivilege(identity.getUser(), schemaName.getSchemaName(), RENAME_SCHEMA)) {
denyRenameSchema(schemaName.toString(), newSchemaName);
}
if (denyPrivileges.isEmpty()) {
super.checkCanRenameSchema(transactionId, identity, schemaName, newSchemaName);
}
}
@Override
public void checkCanCreateTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
if (shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), CREATE_TABLE)) {
denyCreateTable(tableName.toString());
}
if (denyPrivileges.isEmpty()) {
super.checkCanCreateTable(transactionId, identity, tableName);
}
}
@Override
public void checkCanDropTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
if (shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), DROP_TABLE)) {
denyDropTable(tableName.toString());
}
if (denyPrivileges.isEmpty()) {
super.checkCanDropTable(transactionId, identity, tableName);
}
}
@Override
public void checkCanRenameTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName, QualifiedObjectName newTableName)
{
if (shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), RENAME_TABLE)) {
denyRenameTable(tableName.toString(), newTableName.toString());
}
if (denyPrivileges.isEmpty()) {
super.checkCanRenameTable(transactionId, identity, tableName, newTableName);
}
}
@Override
public void checkCanAddColumns(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
if (shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), ADD_COLUMN)) {
denyAddColumn(tableName.toString());
}
super.checkCanAddColumns(transactionId, identity, tableName);
}
@Override
public void checkCanRenameColumn(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
if (shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), RENAME_COLUMN)) {
denyRenameColumn(tableName.toString());
}
super.checkCanRenameColumn(transactionId, identity, tableName);
}
@Override
public void checkCanSelectFromTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
if (shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), SELECT_TABLE)) {
denySelectTable(tableName.toString());
}
if (denyPrivileges.isEmpty()) {
super.checkCanSelectFromTable(transactionId, identity, tableName);
}
}
@Override
public void checkCanInsertIntoTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
if (shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), INSERT_TABLE)) {
denyInsertTable(tableName.toString());
}
if (denyPrivileges.isEmpty()) {
super.checkCanInsertIntoTable(transactionId, identity, tableName);
}
}
@Override
public void checkCanDeleteFromTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
if (shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), DELETE_TABLE)) {
denyDeleteTable(tableName.toString());
}
if (denyPrivileges.isEmpty()) {
super.checkCanDeleteFromTable(transactionId, identity, tableName);
}
}
@Override
public void checkCanCreateView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)
{
if (shouldDenyPrivilege(identity.getUser(), viewName.getObjectName(), CREATE_VIEW)) {
denyCreateView(viewName.toString());
}
if (denyPrivileges.isEmpty()) {
super.checkCanCreateView(transactionId, identity, viewName);
}
}
@Override
public void checkCanDropView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)
{
if (shouldDenyPrivilege(identity.getUser(), viewName.getObjectName(), DROP_VIEW)) {
denyDropView(viewName.toString());
}
if (denyPrivileges.isEmpty()) {
super.checkCanDropView(transactionId, identity, viewName);
}
}
@Override
public void checkCanSelectFromView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)
{
if (shouldDenyPrivilege(identity.getUser(), viewName.getObjectName(), SELECT_VIEW)) {
denySelectView(viewName.toString());
}
if (denyPrivileges.isEmpty()) {
super.checkCanSelectFromView(transactionId, identity, viewName);
}
}
@Override
public void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
{
if (shouldDenyPrivilege(identity.getUser(), propertyName, SET_SESSION)) {
denySetSystemSessionProperty(propertyName);
}
if (denyPrivileges.isEmpty()) {
super.checkCanSetSystemSessionProperty(identity, propertyName);
}
}
@Override
public void checkCanCreateViewWithSelectFromTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
if (shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), CREATE_VIEW_WITH_SELECT_TABLE)) {
denySelectTable(tableName.toString());
}
if (denyPrivileges.isEmpty()) {
super.checkCanCreateViewWithSelectFromTable(transactionId, identity, tableName);
}
}
@Override
public void checkCanCreateViewWithSelectFromView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)
{
if (shouldDenyPrivilege(identity.getUser(), viewName.getObjectName(), CREATE_VIEW_WITH_SELECT_VIEW)) {
denySelectView(viewName.toString());
}
if (denyPrivileges.isEmpty()) {
super.checkCanCreateViewWithSelectFromView(transactionId, identity, viewName);
}
}
@Override
public void checkCanSetCatalogSessionProperty(TransactionId transactionId, Identity identity, String catalogName, String propertyName)
{
if (shouldDenyPrivilege(identity.getUser(), catalogName + "." + propertyName, SET_SESSION)) {
denySetCatalogSessionProperty(catalogName, propertyName);
}
if (denyPrivileges.isEmpty()) {
super.checkCanSetCatalogSessionProperty(transactionId, identity, catalogName, propertyName);
}
}
private boolean shouldDenyPrivilege(String userName, String entityName, TestingPrivilegeType type)
{
TestingPrivilege testPrivilege = privilege(userName, entityName, type);
for (TestingPrivilege denyPrivilege : denyPrivileges) {
if (denyPrivilege.matches(testPrivilege)) {
return true;
}
}
return false;
}
public enum TestingPrivilegeType
{
SET_USER,
CREATE_SCHEMA, DROP_SCHEMA, RENAME_SCHEMA,
CREATE_TABLE, DROP_TABLE, RENAME_TABLE, SELECT_TABLE, INSERT_TABLE, DELETE_TABLE,
ADD_COLUMN, RENAME_COLUMN,
CREATE_VIEW, DROP_VIEW, SELECT_VIEW,
CREATE_VIEW_WITH_SELECT_TABLE, CREATE_VIEW_WITH_SELECT_VIEW,
SET_SESSION
}
public static class TestingPrivilege
{
private final Optional<String> userName;
private final String entityName;
private final TestingPrivilegeType type;
private TestingPrivilege(Optional<String> userName, String entityName, TestingPrivilegeType type)
{
this.userName = requireNonNull(userName, "userName is null");
this.entityName = requireNonNull(entityName, "entityName is null");
this.type = requireNonNull(type, "type is null");
}
public boolean matches(TestingPrivilege testPrivilege)
{
return userName.map(name -> testPrivilege.userName.get().equals(name)).orElse(true) &&
entityName.equals(testPrivilege.entityName) &&
type == testPrivilege.type;
}
@Override
public boolean equals(Object o)
{
if (this == o) {
return true;
}
if (o == null || getClass() != o.getClass()) {
return false;
}
TestingPrivilege that = (TestingPrivilege) o;
return Objects.equals(entityName, that.entityName) &&
Objects.equals(type, that.type);
}
@Override
public int hashCode()
{
return Objects.hash(entityName, type);
}
@Override
public String toString()
{
return toStringHelper(this)
.add("userName", userName)
.add("entityName", entityName)
.add("type", type)
.toString();
}
}
}