You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ab...@apache.org on 2018/10/17 21:54:50 UTC
ranger git commit: RANGER-2247: RangerRANGER-2247 Ranger Plugin for HDFS throws StringIndexOutOfBounds exception when policy resource is \

Repository: ranger
Updated Branches:
  refs/heads/master e20e7f4ca -> 70efa6810


RANGER-2247:
RangerRANGER-2247
Ranger Plugin for HDFS throws StringIndexOutOfBounds exception when policy resource is \


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/70efa681
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/70efa681
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/70efa681

Branch: refs/heads/master
Commit: 70efa6810d5880184578b54a205b62a1349f426b
Parents: e20e7f4
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Wed Oct 17 14:54:33 2018 -0700
Committer: Abhay Kulkarni <ak...@hortonworks.com>
Committed: Wed Oct 17 14:54:33 2018 -0700

----------------------------------------------------------------------
 .../resourcematcher/RangerPathResourceMatcher.java  |  4 ++--
 .../ranger/plugin/util/StringTokenReplacer.java     | 16 +++++++++++++++-
 .../policyengine/test_policyengine_hdfs.json        |  6 ++++++
 .../test_resourcematcher_dynamic.json               |  2 +-
 ...est_resourcematcher_wildcards_as_delimiters.json |  2 +-
 5 files changed, 25 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index 78a3b8a..9cf31a2 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -227,8 +227,8 @@ abstract class RecursiveMatcher extends ResourceMatcher {
 	}
 
 	String getStringToCompare(String policyValue) {
-		if (policyValue == null) {
-			return null;
+		if (StringUtils.isEmpty(policyValue)) {
+			return policyValue;
 		}
 		return (policyValue.lastIndexOf(levelSeparatorChar) == policyValue.length()-1) ?
 			policyValue.substring(0, policyValue.length()-1) : policyValue;

http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
index ace04d6..2d09d44 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
@@ -50,11 +50,25 @@ public class StringTokenReplacer {
                 i++;
                 if(i < value.length()) {
                     c = value.charAt(i);
-                    if(token != null) {
+                    if (token != null) {
+                        // if next char is not the escape char or endChar, retain the escapeChar
+                        if (c != escapeChar && c != endChar) {
+                            token.append(escapeChar);
+                        }
                         token.append(c);
                     } else {
+                        // if next char is not the escape char or startChar, retain the escapeChar
+                        if (c != escapeChar && c != startChar) {
+                            ret.append(escapeChar);
+                        }
                         ret.append(c);
                     }
+                } else {
+                    if (token != null) {
+                        token.append(escapeChar);
+                    } else {
+                        ret.append(escapeChar);
+                    }
                 }
                 continue;
             }

http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index ea167f4..3833ba1 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -60,6 +60,12 @@
            "values":["var country_code = ctx.getRequestContextAttribute('LOCATION_TEST_COUNTRY_CODE'); ctx.result = !!country_code;"]
          }]}
      ]
+    },
+    {"id":4,"name":"invalid policy with a single backslash","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"path":{"values":["\\"],"isRecursive":true}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+      ]
     }
   ],
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
index db19f76..6a2119d 100644
--- a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
+++ b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
@@ -25,7 +25,7 @@
 			  ,
 			  { "name":"exact-path","input":"/abc@%xyz@w", "evalContext": {"token:somestuff": "somethingelse"}, "result":false}
 			  ,
-			  { "name":"exact-path","input":"/abc%xyzw", "evalContext": {"token:somestuff": "somethingelse"}, "result":true}
+			  { "name":"exact-path","input":"/abc%xyz@w", "evalContext": {"token:somestuff": "somethingelse"}, "result":true}
 			  ,
 			  { "name":"exact-path","input":"/abcabcdw", "evalContext": {"token:somestuff": "somethingelse", "xyz":"abcd"}, "result":false}
 			  ,

http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
index 8e791d6..c1432d0 100644
--- a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
+++ b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
@@ -23,7 +23,7 @@
 			  ,
 			  { "name":"exact-path","input":"/xyzsomethingelsez", "evalContext": {"token:somestuff": "somethingelse"}, "result":true}
 			  ,
-			  { "name":"exact-path","input":"/abc*xyzw", "evalContext": {"token:somestuff": "somethingelse"}, "result":true}
+			  { "name":"exact-path","input":"/abc*xyz@w", "evalContext": {"token:somestuff": "somethingelse"}, "result":true}
 		  ]
 	  }
   ]