Bumped to latest version of Trino. Adjusted overrides in OpaAuthorizer.

stackabletech · Dec 24, 2023 · 3cf4f52 · 3cf4f52
1 parent 24c6748
commit 3cf4f52
Show file tree

Hide file tree

Showing 8 changed files with 255 additions and 227 deletions.
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
@@ -26,7 +26,7 @@ jobs:
           cache: maven
       - name: Set up OpenPolicyAgent
         run: |
-          curl -L -o opa https://openpolicyagent.org/downloads/v0.51.0/opa_linux_amd64_static
+          curl -L -o opa https://openpolicyagent.org/downloads/v0.60.0/opa_linux_amd64_static
           chmod +x opa
           sudo mv opa /usr/local/bin/opa
       - name: Build with Maven

diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,10 @@
 .classpath
 .project
 .settings
-target
+target
+
+*.iml
+*.ipr
+*.iws
+
+.vscode
diff --git a/pom.xml b/pom.xml
@@ -8,26 +8,26 @@
     <artifactId>trino-opa-authorizer</artifactId>
     <!-- The trino version part (here 414) should be in sync with the "trino.version" in properties. We need to hardcode
          it here because Maven complains about variables/properties being used in "version" or "artifactId" -->
-    <version>414-stackable0.2.0</version>
+    <version>435-stackable0.2.0</version>
 
-    <name>trino-opa-authorizer-414</name>
+    <name>trino-opa-authorizer-435</name>
     <!-- FIXME change it to the project's website -->
     <url>https://github.com/stackabletech/trino-opa-authorizer</url>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <maven.compiler.source>17</maven.compiler.source>
         <maven.compiler.target>17</maven.compiler.target>
-        <fasterxml.jackson.core.databind.version>2.13.4.2</fasterxml.jackson.core.databind.version>
-        <fasterxml.jackson.datatype.jdk8.version>2.13.4</fasterxml.jackson.datatype.jdk8.version>
-        <trino.version>414</trino.version>
+        <fasterxml.jackson.core.databind.version>2.15.3</fasterxml.jackson.core.databind.version>
+        <fasterxml.jackson.datatype.jdk8.version>2.15.3</fasterxml.jackson.datatype.jdk8.version>
+        <trino.version>435</trino.version>
     </properties>
 
     <dependencies>
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter</artifactId>
-            <version>5.9.0</version>
+            <version>5.10.1</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -42,6 +42,12 @@
             <version>${trino.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.trino</groupId>
+            <artifactId>trino-main</artifactId>
+            <version>${trino.version}</version>
+            <type>test-jar</type>
+        </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
@@ -52,6 +58,17 @@
             <artifactId>jackson-datatype-jdk8</artifactId>
             <version>${fasterxml.jackson.datatype.jdk8.version}</version>
         </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.datatype</groupId>
+            <artifactId>jackson-datatype-jsr310</artifactId>
+            <version>${fasterxml.jackson.core.databind.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.trino</groupId>
+            <artifactId>trino-testing-services</artifactId>
+            <version>${trino.version}</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
@@ -89,12 +106,12 @@
                 </plugin>
                 <plugin>
                     <artifactId>maven-surefire-plugin</artifactId>
-                    <version>2.22.2</version>
+                    <version>3.2.3</version>
                     <dependencies>
                         <dependency>
                             <groupId>org.apache.maven.surefire</groupId>
                             <artifactId>surefire-junit-platform</artifactId>
-                            <version>2.22.2</version>
+                            <version>3.2.3</version>
                         </dependency>
                     </dependencies>
                 </plugin>

diff --git a/src/main/java/tech/stackable/trino/opa/OpaAuthorizer.java b/src/main/java/tech/stackable/trino/opa/OpaAuthorizer.java
diff --git a/src/main/java/tech/stackable/trino/opa/OpaQueryInput.java b/src/main/java/tech/stackable/trino/opa/OpaQueryInput.java
@@ -2,7 +2,7 @@
 
 import io.trino.spi.security.SystemSecurityContext;
 
-public class OpaQueryInput {
+public class OpaQueryInput extends OpaQueryInputGeneric {
     public final SystemSecurityContext context;
     public final OpaQueryInputAction action;
 

diff --git a/src/main/java/tech/stackable/trino/opa/OpaQueryInputGeneric.java b/src/main/java/tech/stackable/trino/opa/OpaQueryInputGeneric.java
@@ -0,0 +1,5 @@
+package tech.stackable.trino.opa;
+
+public abstract class OpaQueryInputGeneric {
+
+}
diff --git a/src/main/java/tech/stackable/trino/opa/OpaQueryInputIdentity.java b/src/main/java/tech/stackable/trino/opa/OpaQueryInputIdentity.java
@@ -0,0 +1,14 @@
+package tech.stackable.trino.opa;
+
+import io.trino.spi.security.Identity;
+import io.trino.spi.security.SystemSecurityContext;
+
+public class OpaQueryInputIdentity extends OpaQueryInputGeneric {
+    public final Identity identity;
+    public final OpaQueryInputAction action;
+
+    public OpaQueryInputIdentity(Identity identity, OpaQueryInputAction action) {
+        this.identity = identity;
+        this.action = action;
+    }
+}
diff --git a/src/test/java/tech/stackable/trino/opa/OpaAuthorizerTest.java b/src/test/java/tech/stackable/trino/opa/OpaAuthorizerTest.java
@@ -1,8 +1,15 @@
 package tech.stackable.trino.opa;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
+import io.trino.Session;
+import io.trino.server.testing.TestingTrinoServer;
+import io.trino.spi.security.Identity;
+import io.trino.testing.MaterializedResult;
+import io.trino.testing.MaterializedRow;
+import io.trino.testing.TestingTrinoClient;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.Socket;
@@ -14,25 +21,39 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.AfterAll;
-import org.junit.jupiter.api.BeforeAll;
 
-import io.trino.Session;
-import io.trino.execution.QueryIdGenerator;
-import io.trino.metadata.SessionPropertyManager;
-import io.trino.server.testing.TestingTrinoServer;
-import io.trino.spi.security.Identity;
-import io.trino.testing.MaterializedResult;
-import io.trino.testing.MaterializedRow;
-import io.trino.testing.TestingTrinoClient;
+import static io.trino.testing.TestingSession.testSessionBuilder;
+import static org.junit.jupiter.api.Assertions.*;
 
 public class OpaAuthorizerTest {
     private static URI opaServerUri;
     private static Process opaServer;
     private static TestingTrinoServer trinoServer;
     private static TestingTrinoClient trinoClient;
 
+    private static final String POLICY = """
+            package trino
+                        
+            import future.keywords.if
+            import future.keywords.in
+                        
+            default allow := false
+                        
+            allow if {
+            	is_bob
+            	can_be_accessed_by_bob
+            }
+                        
+            is_bob if input.identity.user == "bob"
+                        
+            is_bob if input.context.identity.user == "bob"
+                        
+            can_be_accessed_by_bob if {
+            	input.action.operation in ["ImpersonateUser", "FilterCatalogs", "AccessCatalog", "ExecuteQuery", "SetUser"]
+            }
+                        
+            """;
+
     /**
      * Get an unused TCP port on a local interface from the system
      *
@@ -84,14 +105,17 @@ public static void setupTrino() throws IOException, InterruptedException {
         opaServerUri =
                 URI.create("http://" + opaSocket.getHostString() + ":" + opaSocket.getPort() + "/");
 
-        QueryIdGenerator idGen = new QueryIdGenerator();
-        Identity identity = Identity.forUser("bob").build();
-        SessionPropertyManager sessionPropertyManager = new SessionPropertyManager();
-        Session session = Session.builder(sessionPropertyManager)
-                .setQueryId(idGen.createNextQueryId()).setIdentity(identity).build();
+        Identity identity = new Identity.Builder("bob").build();
+
+        Session session = testSessionBuilder()
+                .setOriginalIdentity(identity)
+                .setIdentity(identity)
+                .build();
+
         trinoServer = TestingTrinoServer.builder()
-                .setSystemAccessControls(Collections.singletonList(new OpaAuthorizer(opaServerUri.resolve("v1/data/trino/allow"))))
+                .setSystemAccessControl(new OpaAuthorizer(opaServerUri.resolve("v1/data/trino/allow")))
                 .build();
+
         trinoClient = new TestingTrinoClient(trinoServer, session);
     }
 
@@ -137,21 +161,8 @@ private void submitPolicy(String... policyLines) throws IOException, Interrupted
 
     @Test
     public void testShouldAllowQueryIfDirected() throws IOException, InterruptedException {
-        submitPolicy(
-            "package trino",
-            "import future.keywords.in",
-            "default allow = false",
-            "allow {",
-            "  is_bob",
-            "  can_be_accessed_by_bob",
-            "}",
-            "is_bob() {",
-            "  input.context.identity.user == \"bob\"",
-            "}",
-            "can_be_accessed_by_bob() { ",
-            "  input.action.operation in [\"ImpersonateUser\", \"FilterCatalogs\", \"AccessCatalog\", \"ExecuteQuery\"]",
-            "}"
-        );
+        submitPolicy(POLICY);
+
         List<String> catalogs = new ArrayList<>();
         MaterializedResult result =
                 trinoClient.execute("SHOW CATALOGS").getResult();
@@ -163,21 +174,8 @@ public void testShouldAllowQueryIfDirected() throws IOException, InterruptedExce
 
     @Test
     public void testShouldDenyQueryIfDirected() throws IOException, InterruptedException {
-        submitPolicy(
-            "package trino",
-            "import future.keywords.in",
-            "default allow = false",
-            "allow {",
-            "  is_bob",
-            "  can_be_accessed_by_bob",
-            "}",
-            "is_bob() {",
-            "  input.context.identity.user == \"bob\"",
-            "}",
-            "can_be_accessed_by_bob() { ",
-            "  input.action.operation in [\"ImpersonateUser\", \"FilterCatalogs\", \"AccessCatalog\", \"ExecuteQuery\"]",
-            "}"
-        );
+        submitPolicy(POLICY);
+
         RuntimeException error = assertThrows(RuntimeException.class, () -> {
             trinoClient.execute("SHOW SCHEMAS IN system");
         });