Added policy engine test cases for checkForDescendantDenial

apache · Nov 15, 2024 · 9862f14 · 9862f14
1 parent 00c6835
commit 9862f14
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 6 deletions.
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -284,8 +284,8 @@ public void testPolicyEngine_hbase_with_multiple_matching_policies() {
 		runTestsFromResourceFiles(hbaseTestResourceFiles);
 	}
 	@Test
-	public void testPolicyEngine_hbase_ResourceMatchingScope_equals_SELF_AND_ALL_DESCENDANTS() {
-		String[] hbaseTestResourceFiles = { "/policyengine/test_policyengine_hbase_selfandalldescendants.json" };
+	public void testPolicyEngine_hbase_checkForDescendantDenial() {
+		String[] hbaseTestResourceFiles = { "/policyengine/test_policyengine_hbase_checkForDescendantDenial.json" };
 
 		runTestsFromResourceFiles(hbaseTestResourceFiles);
 	}

diff --git a/...cyengine_hbase_selfandalldescendants.json → ...ngine_hbase_checkForDescendantDenial.json b/...cyengine_hbase_selfandalldescendants.json → ...ngine_hbase_checkForDescendantDenial.json
@@ -34,23 +34,57 @@
   ],
 
   "tests":[
-    {"name":"TEST!!! DENY 'get' for restricted column family when ResourceMatchingScope=SELF_AND_ALL_DESCENDANTS",
+    {"name":"TEST1!!! DENY 'get' for restricted column family when ResourceMatchingScope=SELF_OR_DESCENDANTS,checkForDescendantDenial=true",
       "request":{
         "resource":{"elements":{"table":"finance","column-family":"restricted_cf"}},
-        "resourceMatchingScope": "SELF_AND_ALL_DESCENDANTS",
+        "resourceMatchingScope": "SELF_OR_DESCENDANTS",
+        "checkForDescendantDenial": true,
         "accessType":"read","user":"user1","requestData":"deny get as there is a restricted column"
       },
       "result":{"isAudited":true,"isAllowed":false,"policyId":1}
     },
-    {"name":"TEST!!! Allow 'get' for restricted column family when ResourceMatchingScope=SELF",
+    {"name":"TEST2!!! ALLOW 'get' for restricted column family when ResourceMatchingScope=SELF_OR_DESCENDANTS,checkForDescendantDenial=false",
+      "request":{
+        "resource":{"elements":{"table":"finance","column-family":"restricted_cf"}},
+        "resourceMatchingScope": "SELF_OR_DESCENDANTS",
+        "checkForDescendantDenial": false,
+        "accessType":"read","user":"user1","requestData":""
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+    },
+    {"name":"TEST3!!! ALLOW 'get' for restricted column family when ResourceMatchingScope=SELF_OR_DESCENDANTS,checkForDescendantDenial=default",
+      "request":{
+        "resource":{"elements":{"table":"finance","column-family":"restricted_cf"}},
+        "resourceMatchingScope": "SELF_OR_DESCENDANTS",
+        "accessType":"read","user":"user1","requestData":"deny get as there is a restricted column"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+    },
+    {"name":"TEST4!!! Allow 'get' for restricted column family when ResourceMatchingScope=SELF, checkForDescendantDenial=true",
      "request":{
       "resource":{"elements":{"table":"finance","column-family":"restricted_cf"}},
        "resourceMatchingScope": "SELF",
+       "checkForDescendantDenial": true,
       "accessType":"read","user":"user1","requestData":"allow get as restricted column policy not considered"
      },
      "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+    },
+    {"name":"TEST5!!! Allow 'get' for restricted column family when ResourceMatchingScope=SELF, checkForDescendantDenial=default",
+      "request":{
+        "resource":{"elements":{"table":"finance","column-family":"restricted_cf"}},
+        "resourceMatchingScope": "SELF",
+        "accessType":"read","user":"user1","requestData":"allow get as restricted column policy not considered"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+    },
+    {"name":"TEST6!!! Allow 'get' for restricted column family when ResourceMatchingScope=SELF, checkForDescendantDenial=false",
+      "request":{
+        "resource":{"elements":{"table":"finance","column-family":"restricted_cf"}},
+        "resourceMatchingScope": "SELF",
+        "accessType":"read","user":"user1","requestData":"allow get as restricted column policy not considered"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId":2}
     }
-
   ]
 }