This is an automated email from the ASF dual-hosted git repository. mehul pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 2cc56e127e0962cd50afefbc0efa65e52942d38f
Author: Pradeep AgrawaL <[email protected]>
AuthorDate: Thu Aug 17 15:21:47 2023 +0530
RANGER-4356: Ranger CSV Report extract may fail with Null pointer exception
Signed-off-by: Mehul Parikh <[email protected]>
---
 .../ranger/plugin/errors/ValidationErrorCode.java | 3 +
 .../model/validation/RangerPolicyValidator.java | 45 +++++++--
 .../java/org/apache/ranger/biz/ServiceDBStore.java | 101 ++++++++++++---------
 3 files changed, 100 insertions(+), 49 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
index 85c42bcc8..d8c214c0f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
@@ -104,6 +104,9 @@ public enum ValidationErrorCode {
 POLICY_VALIDATION_ERR_NONEXISTANT_ZONE_NAME(3033, "Non-existent Zone name={0} in policy create"),
 POLICY_VALIDATION_ERR_SERVICE_NOT_ASSOCIATED_TO_ZONE(3048, "Service name = {0} is not associated to Zone name = {1}"),
 POLICY_VALIDATION_ERR_UNSUPPORTED_POLICY_ITEM_TYPE(3049, "Deny or deny-exceptions are not supported if policy has isDenyAllElse flag set to true"),
+ POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_USER(3053, "policy items user was null"),
+ POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_GROUP(3054, "policy items group was null"),
+ POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ROLE(3055, "policy items role was null"),
 POLICY_VALIDATION_ERR_INVALID_SERVICE_TYPE(4009," Invalid service type [{0}] provided for service [{1}]"),
 // SECURITY_ZONE Validations
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index e1b5fe8f1..b8c287c29 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -947,7 +947,9 @@ public class RangerPolicyValidator extends RangerValidator {
 if(LOG.isDebugEnabled()) {
 LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s, %s)", policyItem, failures, serviceDef));
 }
-
+
+ List<String> invalidItems = new ArrayList<String>(Arrays.asList("null", "NULL", "Null", null));
+
 boolean valid = true;
 if (policyItem == null) {
 LOG.debug("policy item was null!");
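Review bot: `invalidItems` matches only three spellings of the word plus the null reference, so `"nULL"`, an empty string or a whitespace-only name still passes validation, whereas the export code changed in this same commit treats blank names as unusable via `StringUtils.isNotBlank`. A per-element test such as `StringUtils.isBlank(name) || "null".equalsIgnoreCase(name)` (assuming `StringUtils` is available in this class) would cover those cases without the list. If the list stays, it is rebuilt on every call ahead of the `policyItem == null` check and would be better as a `private static final` constant. Rejecting the literal text `null` also means a principal genuinely named that way can never appear in a policy item, so a one-line comment stating that this is intended would help the next reader. The enclosing method starts and ends outside the hunk.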
@@ -973,12 +975,43 @@ public class RangerPolicyValidator extends RangerValidator {
 if (CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups()) && CollectionUtils.isEmpty(policyItem.getRoles())) {
 ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_USER_AND_GROUPS;
 failures.add(new ValidationFailureDetailsBuilder()
- .field("policy item users/user-groups/roles")
- .isMissing()
- .becauseOf(error.getMessage())
- .errorCode(error.getErrorCode())
- .build());
+ .field("policy item users/user-groups/roles")
+ .isMissing()
+ .becauseOf(error.getMessage())
+ .errorCode(error.getErrorCode())
+ .build());
 valid = false;
+ } else {
+ if (CollectionUtils.isNotEmpty(policyItem.getUsers()) && CollectionUtils.containsAny(policyItem.getUsers(), invalidItems)) {
+ ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_USER;
+ failures.add(new ValidationFailureDetailsBuilder()
+ .field("policy item users")
+ .isMissing()
+ .becauseOf(error.getMessage())
+ .errorCode(error.getErrorCode())
+ .build());
+ valid = false;
+ }
+ if (CollectionUtils.isNotEmpty(policyItem.getGroups()) && CollectionUtils.containsAny(policyItem.getGroups(), invalidItems)) {
+ ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_GROUP;
+ failures.add(new ValidationFailureDetailsBuilder()
+ .field("policy item groups")
+ .isMissing()
+ .becauseOf(error.getMessage())
+ .errorCode(error.getErrorCode())
+ .build());
+ valid = false;
+ }
+ if (CollectionUtils.isNotEmpty(policyItem.getRoles()) && CollectionUtils.containsAny(policyItem.getRoles(), invalidItems)) {
+ ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ROLE;
+ failures.add(new ValidationFailureDetailsBuilder()
+ .field("policy item roles")
+ .isMissing()
+ .becauseOf(error.getMessage())
+ .errorCode(error.getErrorCode())
+ .build());
+ valid = false;
+ }
 }
 }
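Review bot: The three new branches for users, groups and roles are the same ten lines with only the collection, the field label and the error code changed, and each one reports `.isMissing()` for a value that is present but invalid. Folding them into one private helper keeps the three checks from drifting apart; the sketch below keeps the existing builder calls unchanged, so the failure kind can later be corrected in a single place if the builder has a better fit than `isMissing()`. The re-indentation of the existing `.field(...)` to `.build()` chain at the top of the hunk is whitespace-only and makes the real change harder to spot. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: the check that users, groups and roles are not all empty …
} else {
	valid = hasOnlyValidNames(policyItem.getUsers(), "policy item users", ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_USER, invalidItems, failures) && valid;
	valid = hasOnlyValidNames(policyItem.getGroups(), "policy item groups", ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_GROUP, invalidItems, failures) && valid;
	valid = hasOnlyValidNames(policyItem.getRoles(), "policy item roles", ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ROLE, invalidItems, failures) && valid;
}

// new private helper in RangerPolicyValidator: records one failure and returns false
// when the collection holds any entry listed in invalidItems
private boolean hasOnlyValidNames(Collection<String> names, String field, ValidationErrorCode error, Collection<String> invalidItems, List<ValidationFailureDetails> failures) {
	if (CollectionUtils.isEmpty(names) || !CollectionUtils.containsAny(names, invalidItems)) {
		return true;
	}
	failures.add(new ValidationFailureDetailsBuilder()
		.field(field)
		.isMissing()
		.becauseOf(error.getMessage())
		.errorCode(error.getErrorCode())
		.build());
	return false;
}
```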
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 8f1174ac4..036dbfec6 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -4401,40 +4401,52 @@ public class ServiceDBStore extends AbstractServiceStore { filterInfo = rowFilterPolicyItem.getRowFilterInfo(); filterExpr = filterInfo.getFilterExpr(); } - if (CollectionUtils.isNotEmpty(accesses)) { - for (RangerPolicyItemAccess access : accesses) { - accessType = accessType - + access.getType().replace("#", "") - .replace("|", "") + "#"; - } - accessType = accessType.substring(0, - accessType.lastIndexOf("#")); - } - if (CollectionUtils.isNotEmpty(roles)) { - for (String role : roles) { - role = role.replace("|", ""); - role = role.replace("#", ""); - roleNames = roleNames + role + "#"; - } - roleNames = roleNames.substring(0, roleNames.lastIndexOf("#")); - } - if (CollectionUtils.isNotEmpty(groups)) { - for (String group : groups) { - group = group.replace("|", ""); - group = group.replace("#", ""); - groupNames = groupNames + group + "#"; - } - groupNames = groupNames.substring(0, - groupNames.lastIndexOf("#")); - } - if (CollectionUtils.isNotEmpty(users)) { - for (String user : users) { - user = user.replace("|", ""); - user = user.replace("#", ""); - userNames = userNames + user + "#"; - } - userNames = userNames.substring(0, userNames.lastIndexOf("#")); - } + if (CollectionUtils.isNotEmpty(accesses)) { + for (RangerPolicyItemAccess access : accesses) { + if (access != null) { + accessType = accessType + access.getType().replace("#", "").replace("|", "") + "#"; + } + } + if (accessType.length() > 0) { + accessType = accessType.substring(0, accessType.lastIndexOf("#")); + } + } + if (CollectionUtils.isNotEmpty(roles)) { + for (String role : roles) { + if (StringUtils.isNotBlank(role)) { + role = role.replace("|", ""); + role = role.replace("#", ""); + roleNames = roleNames + role + "#"; + } + } + if (roleNames.length() > 0) { + roleNames = roleNames.substring(0, roleNames.lastIndexOf("#")); + } + } + if (CollectionUtils.isNotEmpty(groups)) { + for (String group : groups) { + if (StringUtils.isNotBlank(group)) { + group = 
group.replace("|", ""); + group = group.replace("#", ""); + groupNames = groupNames + group + "#"; + } + } + if (groupNames.length() > 0) { + groupNames = groupNames.substring(0, groupNames.lastIndexOf("#")); + } + } + if (CollectionUtils.isNotEmpty(users)) { + for (String user : users) { + if (StringUtils.isNotBlank(user)) { + user = user.replace("|", ""); + user = user.replace("#", ""); + userNames = userNames + user + "#"; + } + } + if (userNames.length() > 0) { + userNames = userNames.substring(0, userNames.lastIndexOf("#")); + } + } String conditionValue = ""; for (RangerPolicyItemCondition conditions : conditionsList) { String conditionType = conditions.getType(); @@ -4478,15 +4490,18 @@ public class ServiceDBStore extends AbstractServiceStore { policyType = POLICY_TYPE_ROWFILTER; break; } - if (CollectionUtils.isNotEmpty(policyLabels)) { - for (String policyLabel : policyLabels) { - policyLabel = policyLabel.replace("|", ""); - policyLabel = policyLabel.replace("#", ""); - policyLabelName = policyLabelName + policyLabel + "#"; - } - policyLabelName = policyLabelName.substring(0, - policyLabelName.lastIndexOf("#")); - } + if (CollectionUtils.isNotEmpty(policyLabels)) { + for (String policyLabel : policyLabels) { + if (StringUtils.isNotBlank(policyLabel)) { + policyLabel = policyLabel.replace("|", ""); + policyLabel = policyLabel.replace("#", ""); + policyLabelName = policyLabelName + policyLabel + "#"; + } + } + if (policyLabelName.length() > 0) { + policyLabelName = policyLabelName.substring(0, policyLabelName.lastIndexOf("#")); + } + } csvBuffer.append(policy.getId()); csvBuffer.append(COMMA_DELIMITER);
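Review bot: In the accesses loop the new guard is `if (access != null)`, but `access.getType()` is dereferenced immediately afterwards and a null type would still throw; `if (access != null && access.getType() != null)` closes that case. The context line `filterExpr = filterInfo.getFilterExpr();` at the top of the first hunk also dereferences the result of `getRowFilterInfo()` without a check, which may be another null path in the same export. The roles, groups and users loops here and the `policyLabels` loop in the second hunk (`@@ -4478,15 +4490,18 @@`) repeat the same strip-and-join logic with `+=` string building, so a fix applied to one copy is easy to miss in the others. Only `|` and `#` are removed from names; whether commas, quotes or a leading `=` are handled before the values reach `csvBuffer.append` is not visible in these hunks and is worth confirming for a report that will be opened in a spreadsheet. The enclosing method starts and ends outside both hunks.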
