[ranger] branch master updated: RANGER-4316: path recursive matcher fix to correctly handle path ending with separator

Thu, 13 Jul 2023 16:34:58 -0700 

This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 73ce97e0c RANGER-4316: path recursive matcher fix to correctly handle 
path ending with separator
73ce97e0c is described below

commit 73ce97e0c93177cdc0be8ea90857765014e40047
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Thu Jul 13 12:43:11 2023 -0700

    RANGER-4316: path recursive matcher fix to correctly handle path ending 
with separator
---
 .../resourcematcher/RangerPathResourceMatcher.java |  9 +++--
 .../RangerPathResourceMatcherTest.java             | 44 +++++++++++++---------
 .../resourcematcher/test_resourcematcher_path.json |  4 +-
 3 files changed, 34 insertions(+), 23 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index 1af967fbd..3c1523c25 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -24,7 +24,6 @@ import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.io.IOCase;
 import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.util.ServiceDefUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -189,8 +188,12 @@ public class RangerPathResourceMatcher extends 
RangerDefaultResourceMatcher {
                                        sb.append(pathSeparatorChar);
                                        pathElementIndex++;
                                }
-                               if (useStringMatching && pathElements.length == 
wildcardPathElements.length) { // Loop finished normally and all sub-paths 
string-matched..
-                                       ret = true;
+                               if (useStringMatching) {
+                                       if (pathElements.length == 
wildcardPathElements.length) { // Loop finished normally and all sub-paths 
string-matched..
+                                               ret = true;
+                                       } else if 
(pathToCheck.charAt(pathToCheck.length() - 1) == pathSeparatorChar) { // 
pathToCheck ends with separator, like /home/
+                                               ret = pathElements.length == 
(wildcardPathElements.length - 1) && 
WILDCARD_ASTERISK.equals(wildcardPathElements[wildcardPathElements.length - 1]);
+                                       }
                                }
 
                                sb = null;
diff --git 
a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcherTest.java
 
b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcherTest.java
index 5e8efb720..ed02be674 100644
--- 
a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcherTest.java
+++ 
b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcherTest.java
@@ -35,24 +35,32 @@ import static org.junit.Assert.assertEquals;
 public class RangerPathResourceMatcherTest {
 
     Object[][] data = {
-            // { resource, policy, optWildcard, recursive, result
-            { "/app/hive/test.db",    "/",                 true, false, false, 
"user" },
-            { "/app/hive/test.db",    "/",                 true, true,  true, 
"user" },
-            { "/app/hive/test.db",    "/*",                true, false, true, 
"user" },
-            { "/app/hbase/test.tbl",  "/*",                true, false, true, 
"user" },
-            { "/app/hive/test.db",    "/app",              true, false, false, 
"user" },
-            { "/app/hive/test.db",    "/app/",             true, false, false, 
"user" },
-            { "/app/hive/test.db",    "/app/",             true, true,  true, 
"user" },
-            { "/app/hive/test.db",    "/app/*",            true, false, true, 
"user" },
-            { "/app/hbase/test.tbl",  "/app/*",            true, false, true, 
"user" },
-            { "/app/hive/test.db",    "/app/hive/*",       true, false, true, 
"user" },
-            { "/app/hbase/test.tbl",  "/app/hive/*",       true, false, false, 
"user" },
-            { "/app/hive/test.db",    "/app/hive/test*",   true, false, true, 
"user" },
-            { "/app/hbase/test.tbl",  "/app/hive/test*",   true, false, false, 
"user" },
-            { "/app/hive/test.db",    "/app/hive/test.db", true, false, true, 
"user" },
-            { "/app/hbase/test.tbl",  "/app/hive/test.db", true, false, false, 
"user" },
-            { "app/hive/*",           "app/hive/*",        false, false, true, 
"user" },  // simple string match
-            { "app/hive/test.db",     "app/hive/*",        false, false, 
false, "user" }, // simple string match
+            // resource               policy               wildcard  recursive 
 result user
+            { "/app/hive/test.db",    "/",                 true,     false,    
 false, "user" },
+            { "/app/hive/test.db",    "/",                 true,     true,     
 true,  "user" },
+            { "/app/hive/test.db",    "/*",                true,     false,    
 true,  "user" },
+            { "/app/hbase/test.tbl",  "/*",                true,     false,    
 true,  "user" },
+            { "/app/hive/test.db",    "/app",              true,     false,    
 false, "user" },
+            { "/app/hive/test.db",    "/app/",             true,     false,    
 false, "user" },
+            { "/app/hive/test.db",    "/app/",             true,     true,     
 true,  "user" },
+            { "/app/hive/test.db",    "/app/*",            true,     false,    
 true,  "user" },
+            { "/app/hbase/test.tbl",  "/app/*",            true,     false,    
 true,  "user" },
+            { "/app/hive/test.db",    "/app/hive/*",       true,     false,    
 true,  "user" },
+            { "/app/hbase/test.tbl",  "/app/hive/*",       true,     false,    
 false, "user" },
+            { "/app/hive/test.db",    "/app/hive/test*",   true,     false,    
 true,  "user" },
+            { "/app/hbase/test.tbl",  "/app/hive/test*",   true,     false,    
 false, "user" },
+            { "/app/hive/test.db",    "/app/hive/test.db", true,     false,    
 true,  "user" },
+            { "/app/hbase/test.tbl",  "/app/hive/test.db", true,     false,    
 false, "user" },
+            { "app/hive/*",           "app/hive/*",        false,    false,    
 true,  "user" },  // simple string match
+            { "app/hive/test.db",     "app/hive/*",        false,    false,    
 false, "user" }, // simple string match
+            { "/app/",                "/app/",             true,     true,     
 true,  "user" },
+            { "/app/",                "/app/",             true,     false,    
 true,  "user" },
+            { "/app",                 "/app/",             true,     true,     
 false, "user" },
+            { "/app",                 "/app/",             true,     false,    
 false, "user" },
+            { "/app/",                "/app/*",            true,     true,     
 true,  "user" },
+            { "/app/",                "/app/*",            true,     false,    
 true,  "user" },
+            { "/app",                 "/app/*",            true,     true,     
 false, "user" },
+            { "/app",                 "/app/*",            true,     false,    
 false, "user" },
     };
 
     Object[][] dataForSelfOrChildScope = {
diff --git 
a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_path.json
 
b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_path.json
index 97765f94d..7af8c92d5 100644
--- 
a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_path.json
+++ 
b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_path.json
@@ -180,7 +180,7 @@
                          "isRecursive": true
                  },
                  "tests": [
-                         {"name": "seemingly-correct-path", "input": "/home/", 
"result": false},
+                         {"name": "seemingly-correct-path", "input": "/home/", 
"result": true},
                          {"name": "correct-path", "input": "/home/a.txt", 
"result": true}
                  ]
          },
@@ -265,7 +265,7 @@
                  },
                  "policyResource": {"values": ["/home/"], "isRecursive": true},
                  "tests": [
-                         {"name": "slash-at-end-path", "input": "/home/", 
"result": false},
+                         {"name": "slash-at-end-path", "input": "/home/", 
"result": true},
                          {"name": "correct-path", "input": "/home/a.txt", 
"result": true},
                          {"name": "incomplete-path", "input": "/home", 
"result": false}
                  ]

Reply via email to