ColumnMaskingHelper.java

/*
 * JBoss, Home of Professional Open Source.
 * See the COPYRIGHT.txt file distributed with this work for information
 * regarding copyright ownership.  Some portions may be licensed
 * to Red Hat, Inc. under one or more contributor license agreements.
 * 
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 * 
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 * 
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
 */

package org.teiid.query.optimizer.relational;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.teiid.adminapi.DataPolicy;
import org.teiid.adminapi.impl.DataPolicyMetadata;
import org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData;
import org.teiid.api.exception.query.QueryMetadataException;
import org.teiid.core.TeiidComponentException;
import org.teiid.core.TeiidException;
import org.teiid.core.TeiidProcessingException;
import org.teiid.core.types.DataTypeManager;
import org.teiid.metadata.FunctionMethod.Determinism;
import org.teiid.query.QueryPlugin;
import org.teiid.query.metadata.QueryMetadataInterface;
import org.teiid.query.parser.QueryParser;
import org.teiid.query.resolver.QueryResolver;
import org.teiid.query.resolver.util.ResolverUtil;
import org.teiid.query.resolver.util.ResolverVisitor;
import org.teiid.query.rewriter.QueryRewriter;
import org.teiid.query.sql.lang.Criteria;
import org.teiid.query.sql.lang.SubqueryContainer;
import org.teiid.query.sql.navigator.PreOrPostOrderNavigator;
import org.teiid.query.sql.symbol.ElementSymbol;
import org.teiid.query.sql.symbol.Expression;
import org.teiid.query.sql.symbol.GroupSymbol;
import org.teiid.query.sql.symbol.SearchedCaseExpression;
import org.teiid.query.sql.visitor.ExpressionMappingVisitor;
import org.teiid.query.sql.visitor.ValueIteratorProviderCollectorVisitor;
import org.teiid.query.util.CommandContext;
import org.teiid.query.validator.ValidationVisitor;
import org.teiid.query.validator.Validator;
import org.teiid.query.validator.ValidatorFailure;
import org.teiid.query.validator.ValidatorReport;

public class ColumnMaskingHelper {
	
	private static class WhenThen implements Comparable<WhenThen> {
		int order;
		Criteria when;
		Expression then;
		
		public WhenThen(Integer order, Criteria when, Expression then) {
			this.order = (order == null?0:order);
			this.when = when;
			this.then = then;
		}

		@Override
		public int compareTo(WhenThen arg0) {
			return arg0.order - order; //highest first
		}
	}

	private static Expression maskColumn(ElementSymbol col, GroupSymbol unaliased, QueryMetadataInterface metadata, ExpressionMappingVisitor emv, Map<String, DataPolicy> policies, CommandContext cc) throws TeiidComponentException, TeiidProcessingException {
		Object metadataID = col.getMetadataID();
		String fullName = metadata.getFullName(metadataID);
		final GroupSymbol group = col.getGroupSymbol();
		String elementType = metadata.getElementRuntimeTypeName(col.getMetadataID());
		Class<?> expectedType = DataTypeManager.getDataTypeClass(elementType);
		List<WhenThen> cases = null;
		Collection<GroupSymbol> groups = Arrays.asList(unaliased);
		for (Map.Entry<String, DataPolicy> entry : policies.entrySet()) {
			DataPolicyMetadata dpm = (DataPolicyMetadata)entry.getValue();
			PermissionMetaData pmd = dpm.getPermissionMap().get(fullName);
			if (pmd == null) {
				continue;
			}
			String maskString = pmd.getMask();
			if (maskString == null) {
				continue;
			}
			Criteria condition = null;
			if (pmd.getCondition() != null) {
				condition = RowBasedSecurityHelper.resolveCondition(metadata, group, metadata.getFullName(group.getMetadataID()), entry, pmd, pmd.getCondition());
			} else {
				condition = QueryRewriter.TRUE_CRITERIA;
			}
			Expression mask = (Expression)pmd.getResolvedMask();
			if (mask == null) {
				try {
					mask = QueryParser.getQueryParser().parseExpression(pmd.getMask());
					for (SubqueryContainer container : ValueIteratorProviderCollectorVisitor.getValueIteratorProviders(mask)) {
			        	container.getCommand().pushNewResolvingContext(groups);
			            QueryResolver.resolveCommand(container.getCommand(), metadata, false);
			        }
					ResolverVisitor.resolveLanguageObject(mask, groups, metadata);
					ValidatorReport report = Validator.validate(mask, metadata, new ValidationVisitor());
			        if (report.hasItems()) {
			        	ValidatorFailure firstFailure = report.getItems().iterator().next();
			        	throw new QueryMetadataException(QueryPlugin.Event.TEIID31139, QueryPlugin.Util.gs(QueryPlugin.Event.TEIID31139, dpm.getName(), fullName) + " " + firstFailure); //$NON-NLS-1$
				    }
					if (mask.getType() != expectedType) {
						mask = ResolverUtil.convertExpression(mask, elementType, metadata);
					}
			        pmd.setResolvedMask(mask.clone());
					if (!dpm.isAnyAuthenticated()) {
						//we treat this as user deterministic since the data roles won't change.  this may change if the logic becomes dynamic
						//TODO: this condition may not even be used
						cc.setDeterminismLevel(Determinism.USER_DETERMINISTIC);
					}
				} catch (QueryMetadataException e) {
					throw e;
				} catch (TeiidException e) {
					throw new QueryMetadataException(QueryPlugin.Event.TEIID31129, e, QueryPlugin.Util.gs(QueryPlugin.Event.TEIID31129, dpm.getName(), fullName));
				}
			} else {
				mask = (Expression) mask.clone();
			}
			if (group.getDefinition() != null) {
		        PreOrPostOrderNavigator.doVisit(mask, emv, PreOrPostOrderNavigator.PRE_ORDER, true);
			}
			if (cases == null) {
				cases = new ArrayList<ColumnMaskingHelper.WhenThen>();
			}
			cases.add(new WhenThen(pmd.getOrder(), condition, mask));
		}
		if (cases == null) {
			return col;
		}
		Collections.sort(cases);
		List<Criteria> whens = new ArrayList<Criteria>();
		List<Expression> thens = new ArrayList<Expression>();
		for (WhenThen whenThen : cases) {
			whens.add(whenThen.when);
			thens.add(whenThen.then);
		}
		SearchedCaseExpression sce = new SearchedCaseExpression(whens, thens);
		sce.setElseExpression(col);
		sce.setType(expectedType);
		Expression mask = QueryRewriter.rewriteExpression(sce, cc, metadata, true);
		return mask;
	}

	public static List<? extends Expression> maskColumns(List<ElementSymbol> cols,
			final GroupSymbol group, QueryMetadataInterface metadata,
			CommandContext cc) throws QueryMetadataException, TeiidComponentException, TeiidProcessingException {
		Map<String, DataPolicy> policies = cc.getAllowedDataPolicies();
		if (policies == null || policies.isEmpty()) {
			return cols;
		}

		ArrayList<Expression> result = new ArrayList<Expression>(cols.size());
		ExpressionMappingVisitor emv = new RowBasedSecurityHelper.RecontextVisitor(group);
		GroupSymbol gs = group;
		if (gs.getDefinition() != null) {
			gs = new GroupSymbol(metadata.getFullName(group.getMetadataID()));
			gs.setMetadataID(group.getMetadataID());
		}
        for (int i = 0; i < cols.size(); i++) {
        	result.add(maskColumn(cols.get(i), gs, metadata, emv, policies, cc));
        }
        return result;
	}
	
}