Fix world readable, writeable, runnable, ownership

Reamer · Oct 29, 2024 · 282c00c · 282c00c
1 parent 87694a0
commit 282c00c
Show file tree

Hide file tree

Showing 2 changed files with 80 additions and 38 deletions.
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/AuthorizationService.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/AuthorizationService.java
@@ -244,50 +244,40 @@ public Set<String> getRoles(String user) {
   }
 
   public boolean isOwner(String noteId, Set<String> entities) {
-    Set<String> owners = new HashSet<>(getOwners(noteId));
-    owners.addAll(getDefaultOwners());
-    return isMember(entities, owners) || isAdmin(entities);
+    return isMember(entities, constructRoles(getOwners(noteId), getDefaultOwners())) ||
+           isAdmin(entities);
   }
 
   public boolean isWriter(String noteId, Set<String> entities) {
-    Set<String> owners = new HashSet<>(getOwners(noteId));
-    owners.addAll(getDefaultOwners());
-    Set<String> writers = new HashSet<>(getWriters(noteId));
-    writers.addAll(getDefaultWriters());
-    return isMember(entities, writers) ||
-           isMember(entities, owners) ||
+    return isMember(entities, constructRoles(getWriters(noteId), getDefaultWriters())) ||
+           isMember(entities, constructRoles(getOwners(noteId), getDefaultOwners())) ||
            isAdmin(entities);
   }
 
   public boolean isReader(String noteId, Set<String> entities) {
-    Set<String> owners = new HashSet<>(getOwners(noteId));
-    owners.addAll(getDefaultOwners());
-    Set<String> writers = new HashSet<>(getWriters(noteId));
-    writers.addAll(getDefaultWriters());
-    Set<String> runners = new HashSet<>(getRunners(noteId));
-    runners.addAll(getDefaultRunners());
-    Set<String> readers = new HashSet<>(getReaders(noteId));
-    readers.addAll(getDefaultReaders());
-    return isMember(entities, readers) ||
-           isMember(entities, owners) ||
-           isMember(entities, writers) ||
-           isMember(entities, runners) ||
+    return isMember(entities, constructRoles(getReaders(noteId), getDefaultReaders())) ||
+           isMember(entities, constructRoles(getOwners(noteId), getDefaultOwners())) ||
+           isMember(entities, constructRoles(getWriters(noteId), getDefaultWriters())) ||
+           isMember(entities, constructRoles(getRunners(noteId), getDefaultRunners())) ||
            isAdmin(entities);
   }
 
   public boolean isRunner(String noteId, Set<String> entities) {
-    Set<String> owners = new HashSet<>(getOwners(noteId));
-    owners.addAll(getDefaultOwners());
-    Set<String> writers = new HashSet<>(getWriters(noteId));
-    writers.addAll(getDefaultWriters());
-    Set<String> runners = new HashSet<>(getRunners(noteId));
-    runners.addAll(getDefaultRunners());
-    return isMember(entities, runners) ||
-           isMember(entities, writers) ||
-           isMember(entities, owners) ||
+    return isMember(entities, constructRoles(getRunners(noteId), getDefaultRunners())) ||
+           isMember(entities, constructRoles(getWriters(noteId), getDefaultWriters())) ||
+           isMember(entities, constructRoles(getOwners(noteId), getDefaultOwners())) ||
            isAdmin(entities);
   }
 
+  private Set<String> constructRoles(Set<String> noteRoles, Set<String> globalRoles) {
+    Set<String> roles = new HashSet<>(noteRoles);
+    // If the note has no role, the note right is for everyone, so we are not allowed to add the default roles
+    if (!roles.isEmpty()) {
+      roles.addAll(globalRoles);
+    }
+    return roles;
+  }
+
   private Set<String> getDefaultOwners() {
     return getDefaultRoles(ZeppelinConfiguration.ConfVars.ZEPPELIN_OWNER_ROLES);
   }

diff --git a/zeppelin-zengine/src/test/java/org/apache/zeppelin/notebook/AuthorizationServiceTest.java b/zeppelin-zengine/src/test/java/org/apache/zeppelin/notebook/AuthorizationServiceTest.java
@@ -24,6 +24,7 @@
 
 import java.io.IOException;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashSet;
 
 import org.apache.zeppelin.conf.ZeppelinConfiguration;
@@ -40,6 +41,8 @@ class AuthorizationServiceTest {
   private AuthorizationService authorizationService;
   private static final String BLANK_ROLE = " ";
   private static final String EMPTY_ROLE = "";
+  private static final String TEST_USER_1 = "TestUser1";
+  private static final String TEST_USER_2 = "TestUser2";
 
   @BeforeEach
   private void setup() throws IOException {
@@ -54,7 +57,7 @@ private void setup() throws IOException {
   @Test
   void testDefaultOwners() throws IOException {
     Note testNote = new Note();
-    authorizationService.createNoteAuth(testNote.getId(), new AuthenticationInfo("TestUser"));
+    authorizationService.createNoteAuth(testNote.getId(), new AuthenticationInfo(TEST_USER_1));
 
     // Comma separated with trim
     when(zConf.getString(ZeppelinConfiguration.ConfVars.ZEPPELIN_OWNER_ROLES)).thenReturn("TestGroup, TestGroup2");
@@ -73,14 +76,14 @@ void testDefaultOwners() throws IOException {
     assertFalse(authorizationService.isOwner(testNote.getId(), new HashSet<>(Arrays.asList(EMPTY_ROLE))));
     // Empty - null
     when(zConf.getString(ZeppelinConfiguration.ConfVars.ZEPPELIN_OWNER_ROLES)).thenReturn(null);
-    assertTrue(authorizationService.isOwner(testNote.getId(), new HashSet<>(Arrays.asList("TestUser"))));
+    assertTrue(authorizationService.isOwner(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_1))));
 
   }
 
   @Test
   void testDefaultRunners() throws IOException {
     Note testNote = new Note();
-    authorizationService.createNoteAuth(testNote.getId(), new AuthenticationInfo("TestUser"));
+    authorizationService.createNoteAuth(testNote.getId(), new AuthenticationInfo(TEST_USER_1));
 
     // Comma separated with trim
     when(zConf.getString(ZeppelinConfiguration.ConfVars.ZEPPELIN_RUNNER_ROLES)).thenReturn("TestGroup, TestGroup2");
@@ -99,13 +102,13 @@ void testDefaultRunners() throws IOException {
     assertFalse(authorizationService.isRunner(testNote.getId(), new HashSet<>(Arrays.asList(EMPTY_ROLE))));
     // Empty - null
     when(zConf.getString(ZeppelinConfiguration.ConfVars.ZEPPELIN_RUNNER_ROLES)).thenReturn(null);
-    assertTrue(authorizationService.isRunner(testNote.getId(), new HashSet<>(Arrays.asList("TestUser"))));
+    assertTrue(authorizationService.isRunner(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_1))));
   }
 
   @Test
   void testDefaultWriters() throws IOException {
     Note testNote = new Note();
-    authorizationService.createNoteAuth(testNote.getId(), new AuthenticationInfo("TestUser"));
+    authorizationService.createNoteAuth(testNote.getId(), new AuthenticationInfo(TEST_USER_1));
 
     // Comma separated with trim
     when(zConf.getString(ZeppelinConfiguration.ConfVars.ZEPPELIN_WRITER_ROLES)).thenReturn("TestGroup, TestGroup2");
@@ -124,13 +127,13 @@ void testDefaultWriters() throws IOException {
     assertFalse(authorizationService.isWriter(testNote.getId(), new HashSet<>(Arrays.asList(EMPTY_ROLE))));
     // Empty - null
     when(zConf.getString(ZeppelinConfiguration.ConfVars.ZEPPELIN_WRITER_ROLES)).thenReturn(null);
-    assertTrue(authorizationService.isWriter(testNote.getId(), new HashSet<>(Arrays.asList("TestUser"))));
+    assertTrue(authorizationService.isWriter(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_1))));
   }
 
   @Test
   void testDefaultReaders() throws IOException {
     Note testNote = new Note();
-    authorizationService.createNoteAuth(testNote.getId(), new AuthenticationInfo("TestUser"));
+    authorizationService.createNoteAuth(testNote.getId(), new AuthenticationInfo(TEST_USER_1));
 
     // Comma separated with trim
     when(zConf.getString(ZeppelinConfiguration.ConfVars.ZEPPELIN_READER_ROLES)).thenReturn("TestGroup, TestGroup2");
@@ -149,6 +152,55 @@ void testDefaultReaders() throws IOException {
     assertFalse(authorizationService.isReader(testNote.getId(), new HashSet<>(Arrays.asList(EMPTY_ROLE))));
     // Empty - null
     when(zConf.getString(ZeppelinConfiguration.ConfVars.ZEPPELIN_READER_ROLES)).thenReturn(null);
-    assertTrue(authorizationService.isReader(testNote.getId(), new HashSet<>(Arrays.asList("TestUser"))));
+    assertTrue(authorizationService.isReader(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_1))));
   }
+
+  @Test
+  void testWorldReadable() throws IOException {
+    Note testNote = new Note();
+    authorizationService.createNoteAuth(testNote.getId(), new AuthenticationInfo(TEST_USER_1));
+    authorizationService.setReaders(testNote.getId(), Collections.emptySet());
+
+    assertTrue(authorizationService.isReader(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+    assertFalse(authorizationService.isRunner(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+    assertFalse(authorizationService.isWriter(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+    assertFalse(authorizationService.isOwner(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+  }
+
+  @Test
+  void testWorldRunnable() throws IOException {
+    Note testNote = new Note();
+    authorizationService.createNoteAuth(testNote.getId(), new AuthenticationInfo(TEST_USER_1));
+    authorizationService.setRunners(testNote.getId(), Collections.emptySet());
+
+    assertTrue(authorizationService.isReader(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+    assertTrue(authorizationService.isRunner(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+    assertFalse(authorizationService.isWriter(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+    assertFalse(authorizationService.isOwner(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+  }
+
+  @Test
+  void testWorldWritable() throws IOException {
+    Note testNote = new Note();
+    authorizationService.createNoteAuth(testNote.getId(), new AuthenticationInfo(TEST_USER_1));
+    authorizationService.setWriters(testNote.getId(), Collections.emptySet());
+
+    assertTrue(authorizationService.isReader(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+    assertTrue(authorizationService.isRunner(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+    assertTrue(authorizationService.isWriter(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+    assertFalse(authorizationService.isOwner(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+  }
+
+  @Test
+  void testWorldOwnership() throws IOException {
+    Note testNote = new Note();
+    authorizationService.createNoteAuth(testNote.getId(), new AuthenticationInfo(TEST_USER_1));
+    authorizationService.setOwners(testNote.getId(), Collections.emptySet());
+
+    assertTrue(authorizationService.isReader(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+    assertTrue(authorizationService.isRunner(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+    assertTrue(authorizationService.isWriter(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+    assertTrue(authorizationService.isOwner(testNote.getId(), new HashSet<>(Arrays.asList(TEST_USER_2))));
+  }
+
 }