THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
/**
* Check if the caller is authorized to perform the given ACL operation on at least one
* resource of the given type.
*
* @param requestContext Request context including request resourceType, security protocol, and listener name
* @param op The ACL operation to check
* @param resourceType The resource type
* @return Return {@link AuthorizationResult#ALLOWED} if the caller is authorized to perform the
* given ACL operation on at least one resource of the given type.
* Return {@link AuthorizationResult#DENIED} otherwise.
*/
default AuthorizationResult authorizeAny(AuthorizableRequestContext requestContext, AclOperation op, ResourceType resourceType) {
if (resourceType == ResourceType.ANY) {
throw new IllegalArgumentException(
"Must specify a non-filter resource type for authorizeAny");
}
if (resourceType == ResourceType.UNKNOWN) {
throw new IllegalArgumentException(
"Unknown resource type");
}
if (op == AclOperation.ANY) {
throw new IllegalArgumentException(
"Must specify a non-filter operation type for authorizeAny");
}
if (op == AclOperation.UNKNOWN) {
throw new IllegalArgumentException(
"Unknown operation type");
}
ResourcePatternFilter resourceTypeFilter = new ResourcePatternFilter(
resourceType, null, PatternType.ANY);
AclBindingFilter aclFilter = new AclBindingFilter(
resourceTypeFilter, AccessControlEntryFilter.ANY);
Set<String> denyLiterals = new HashSet<>();
Set<String> denyPrefixes = new HashSet<>();
Set<String> allowLiterals = new HashSet<>();
Set<String> allowPrefixes = new HashSet<>();
boolean hasWildCardAllow = false;
for (AclBinding binding : acls(aclFilter)) {
if (!binding.entry().host().equals(requestContext.clientAddress().getHostAddress())
&& !binding.entry().host().equals("*"))
continue;
if (!binding.entry().principal().equals(requestContext.principal().toString())
&& !binding.entry().principal().equals("User:*"))
continue;
if (binding.entry().operation() != op
&& binding.entry().operation() != AclOperation.ALL)
continue;
if (binding.entry().permissionType() == AclPermissionType.DENY) {
switch (binding.pattern().patternType()) {
case LITERAL:
if (binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE))
return AuthorizationResult.DENIED;
if denyLiterals.add(binding.pattern().resourceTypename());
== ResourceType.CLUSTER &&
break;
binding.pattern().name().equals(Resource.CLUSTER_NAME))
case PREFIXED:
return AuthorizationResult.DENIED denyPrefixes.add(binding.pattern().name());
break;
}
case PREFIXED:
continue;
}
if (binding.patternentry().namepermissionType().isEmpty() != AclPermissionType.ALLOW)
continue;
return AuthorizationResult.DENIED;switch (binding.pattern().patternType()) {
case LITERAL:
denyPrefixes.add if (binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE)); {
hasWildCardAllow break= true;
}
continue;
continue;
}
if allowLiterals.add(binding.entrypattern().permissionTypename());
!= AclPermissionType.ALLOW)
continue;
switch (binding.pattern().patternType()) { break;
case LITERALPREFIXED:
if allowPrefixes.add(binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE)) {;
break;
hasWildCardAllow = true;
}
}
if (hasWildCardAllow) continue;{
return AuthorizationResult.ALLOWED;
}
for (String allowPrefix : allowPrefixes) {
List<Action> action = Collections.singletonList(new Action(
StringBuilder sb = new StringBuilder();
boolean op, binding.pattern(), 1, false, false))hasDominatedDeny = false;
for if (authorize(requestContext, action).get(0) == AuthorizationResult.ALLOWED(char ch : allowPrefix.toCharArray()) {
sb.append(ch);
return AuthorizationResult.ALLOWED;
if (denyPrefixes.contains(sb.toString())) {
}
hasDominatedDeny = true;
break;
break;
case PREFIXED:
}
allowPrefixes.add(binding.pattern().name());}
if (!hasDominatedDeny)
break;
return }AuthorizationResult.ALLOWED;
}
iffor (hasWildCardAllowString allowLiteral : allowLiterals) {
return AuthorizationResult.ALLOWED;
if (denyLiterals.contains(allowLiteral))
}
for (String allowed : allowPrefixes) {continue;
StringBuilder sb = new StringBuilder();
boolean hasDominatedDeny = false;
for (intchar posch = 0; pos < allowed.length(); pos++: allowLiteral.toCharArray()) {
sb.append(allowed.charAt(pos)ch);
if (denyPrefixes.contains(sb.toString())) {
hasDominatedDeny = true;
break;
}
}
if (!hasDominatedDeny)
return AuthorizationResult.ALLOWED;
}
return AuthorizationResult.DENIED;
}
} |
Proposed Changes
AclAuthorizer and SimpleAclAuthorizer
...