THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
/** * Check if the caller is authorized to perform the given ACL operation on at least one * resource of the given type. * * @param requestContext Request context including request resourceType, security protocol, and listener name * @param op The ACL operation to check * @param resourceType The resource type * @return Return {@link AuthorizationResult#ALLOWED} if the caller is authorized to perform the * given ACL operation on at least one resource of the given type. * Return {@link AuthorizationResult#DENIED} otherwise. */ default AuthorizationResult authorizeAny(AuthorizableRequestContext requestContext, AclOperation op, ResourceType resourceType) { if (resourceType == ResourceType.ANY) { throw new IllegalArgumentException( "Must specify a non-filter resource type for authorizeAny"); } if (resourceType == ResourceType.UNKNOWN) { throw new IllegalArgumentException( "Unknown resource type"); } if (op == AclOperation.ANY) { throw new IllegalArgumentException( "Must specify a non-filter operation type for authorizeAny"); } if (op == AclOperation.UNKNOWN) { throw new IllegalArgumentException( "Unknown operation type"); } ResourcePatternFilter resourceTypeFilter = new ResourcePatternFilter( resourceType, null, PatternType.ANY); AclBindingFilter aclFilter = new AclBindingFilter( resourceTypeFilter, AccessControlEntryFilter.ANY); Set<String> denyLiterals = new HashSet<>(); Set<String> denyPrefixes = new HashSet<>(); Set<String> allowLiterals = new HashSet<>(); Set<String> allowPrefixes = new HashSet<>(); boolean hasWildCardAllow = false; for (AclBinding binding : acls(aclFilter)) { if (!binding.entry().host().equals(requestContext.clientAddress().getHostAddress()) && !binding.entry().host().equals("*")) continue; if (!binding.entry().principal().equals(requestContext.principal().toString()) && !binding.entry().principal().equals("User:*")) continue; if (binding.entry().operation() != op && binding.entry().operation() != AclOperation.ALL) continue; if (binding.entry().permissionType() == AclPermissionType.DENY) { switch (binding.pattern().patternType()) { case LITERAL: if (binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE)) return AuthorizationResult.DENIED; if denyLiterals.add(binding.pattern().resourceTypename()); == ResourceType.CLUSTER && break; binding.pattern().name().equals(Resource.CLUSTER_NAME)) case PREFIXED: return AuthorizationResult.DENIED denyPrefixes.add(binding.pattern().name()); break; } case PREFIXED: continue; } if (binding.patternentry().namepermissionType().isEmpty() != AclPermissionType.ALLOW) continue; return AuthorizationResult.DENIED;switch (binding.pattern().patternType()) { case LITERAL: denyPrefixes.add if (binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE)); { hasWildCardAllow break= true; } continue; continue; } if allowLiterals.add(binding.entrypattern().permissionTypename()); != AclPermissionType.ALLOW) continue; switch (binding.pattern().patternType()) { break; case LITERALPREFIXED: if allowPrefixes.add(binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE)) {; break; hasWildCardAllow = true; } } if (hasWildCardAllow) continue;{ return AuthorizationResult.ALLOWED; } for (String allowPrefix : allowPrefixes) { List<Action> action = Collections.singletonList(new Action( StringBuilder sb = new StringBuilder(); boolean op, binding.pattern(), 1, false, false))hasDominatedDeny = false; for if (authorize(requestContext, action).get(0) == AuthorizationResult.ALLOWED(char ch : allowPrefix.toCharArray()) { sb.append(ch); return AuthorizationResult.ALLOWED; if (denyPrefixes.contains(sb.toString())) { } hasDominatedDeny = true; break; break; case PREFIXED: } allowPrefixes.add(binding.pattern().name());} if (!hasDominatedDeny) break; return }AuthorizationResult.ALLOWED; } iffor (hasWildCardAllowString allowLiteral : allowLiterals) { return AuthorizationResult.ALLOWED; if (denyLiterals.contains(allowLiteral)) } for (String allowed : allowPrefixes) {continue; StringBuilder sb = new StringBuilder(); boolean hasDominatedDeny = false; for (intchar posch = 0; pos < allowed.length(); pos++: allowLiteral.toCharArray()) { sb.append(allowed.charAt(pos)ch); if (denyPrefixes.contains(sb.toString())) { hasDominatedDeny = true; break; } } if (!hasDominatedDeny) return AuthorizationResult.ALLOWED; } return AuthorizationResult.DENIED; } } |
Proposed Changes
AclAuthorizer and SimpleAclAuthorizer
...