Partial Address review feedback

Author: singhpk234

polaris-core/src/main/java/org/apache/polaris/core/policy/AccessControlPolicyUtil.java

@@ -0,0 +1,151 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.polaris.core.policy;
+
+import static org.apache.polaris.core.policy.PredefinedPolicyTypes.ACCESS_CONTROL;
+
+import com.google.common.collect.Lists;
+import java.util.List;
+import org.apache.iceberg.expressions.Expression;
+import org.apache.iceberg.expressions.ExpressionVisitors;
+import org.apache.iceberg.expressions.Expressions;
+import org.apache.iceberg.expressions.UnboundPredicate;
+import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal;
+import org.apache.polaris.core.policy.content.AccessControlPolicyContent;
+
+public class AccessControlPolicyUtil {
+  private AccessControlPolicyUtil() {}
+
+  public static String replaceContextVariable(
+      String content, PolicyType policyType, AuthenticatedPolarisPrincipal authenticatedPrincipal) {
+    if (policyType == ACCESS_CONTROL) {
+      try {
+        AccessControlPolicyContent policyContent = AccessControlPolicyContent.fromString(content);
+        List<Expression> evaluatedRowFilterExpressions = Lists.newArrayList();
+
+        for (Expression rowFilterExpression : policyContent.getRowFilters()) {
+          Expression evaluatedExpression =
+              ExpressionVisitors.visit(
+                  rowFilterExpression,
+                  new ContextVariableReplacementVisitor(authenticatedPrincipal));
+          evaluatedRowFilterExpressions.add(evaluatedExpression);
+        }
+
+        // also nullify the principal role.
+        policyContent.setPrincipalRole(null);
+        policyContent.setRowFilters(evaluatedRowFilterExpressions);
+        return AccessControlPolicyContent.toString(policyContent);
+      } catch (Exception e) {
+        return content;
+      }
+    }
+    return content;
+  }
+
+  public static boolean filterApplicablePolicy(
+      PolicyEntity policyEntity, AuthenticatedPolarisPrincipal authenticatedPrincipal) {
+    if (policyEntity.getPolicyType().equals(ACCESS_CONTROL)) {
+      AccessControlPolicyContent content =
+          AccessControlPolicyContent.fromString(policyEntity.getContent());
+      String applicablePrincipal = content.getPrincipalRole();
+      return applicablePrincipal == null
+          || authenticatedPrincipal.getActivatedPrincipalRoleNames().isEmpty()
+          || authenticatedPrincipal
+              .getActivatedPrincipalRoleNames()
+              .contains(content.getPrincipalRole());
+    }
+
+    return true;
+  }
+
+  /** Expression visitor that replaces context variables with evaluated expressions */
+  private static class ContextVariableReplacementVisitor
+      extends ExpressionVisitors.ExpressionVisitor<Expression> {
+    private final AuthenticatedPolarisPrincipal authenticatedPrincipal;
+
+    public ContextVariableReplacementVisitor(AuthenticatedPolarisPrincipal authenticatedPrincipal) {
+      this.authenticatedPrincipal = authenticatedPrincipal;
+    }
+
+    @Override
+    public <T> Expression predicate(UnboundPredicate<T> pred) {
+      String refName = pred.ref().name();
+
+      if ("$current_principal_role".equals(refName)) {
+        return evaluateCurrentPrincipalRole(pred);
+      } else if ("$current_principal".equals(refName)) {
+        return evaluateCurrentPrincipal(pred);
+      }
+
+      // Return the original predicate if it doesn't reference context variables
+      return pred;
+    }
+
+    @Override
+    public Expression alwaysTrue() {
+      return Expressions.alwaysTrue();
+    }
+
+    @Override
+    public Expression alwaysFalse() {
+      return Expressions.alwaysFalse();
+    }
+
+    @Override
+    public Expression not(Expression result) {
+      return Expressions.not(result);
+    }
+
+    @Override
+    public Expression and(Expression leftResult, Expression rightResult) {
+      return Expressions.and(leftResult, rightResult);
+    }
+
+    @Override
+    public Expression or(Expression leftResult, Expression rightResult) {
+      return Expressions.or(leftResult, rightResult);
+    }
+
+    private Expression evaluateCurrentPrincipalRole(UnboundPredicate<?> pred) {
+      String val = (String) pred.literal().value();
+      boolean containsRole = authenticatedPrincipal.getActivatedPrincipalRoleNames().contains(val);
+
+      return getExpression(pred, containsRole);
+    }
+
+    private Expression evaluateCurrentPrincipal(UnboundPredicate<?> pred) {
+      String val = (String) pred.literal().value();
+      boolean principalMatches = authenticatedPrincipal.getName().equals(val);
+
+      return getExpression(pred, principalMatches);
+    }
+
+    private Expression getExpression(UnboundPredicate<?> pred, boolean principalMatches) {
+      if (pred.op().equals(Expression.Operation.EQ)) {
+        return principalMatches ? Expressions.alwaysTrue() : Expressions.alwaysFalse();
+      } else if (pred.op().equals(Expression.Operation.NOT_EQ)) {
+        return principalMatches ? Expressions.alwaysFalse() : Expressions.alwaysTrue();
+      } else {
+        // For other operations, return the original predicate
+        return pred;
+      }
+    }
+  }
+}

polaris-core/src/main/java/org/apache/polaris/core/policy/PolicyUtil.java

@@ -656,7 +656,6 @@ public void testAttachAccessControlPolicyToTableAndCheckApplicablePolicy() {
     // attach a different type of policy to namespace
     policyCatalog.attachPolicy(POLICY1, POLICY_ATTACH_TARGET_NS, null);
     var applicablePolicies = policyCatalog.getApplicablePolicies(NS, TABLE.name(), ACCESS_CONTROL);
-    System.out.println(applicablePolicies);
     // only p2 is with the type fetched
     assertThat(applicablePolicies.contains(policyToApplicablePolicy(p2, false, NS))).isTrue();
   }
@@ -676,7 +675,7 @@ private static ApplicablePolicy policyToApplicablePolicy(
 
   private static String replaceContextVariable(String content, String policyType) {
     if (policyType.equals(ACCESS_CONTROL.getName())) {
-      return "{\"principalRole\":\"ANALYST\",\"columnProjections\":[\"name\",\"location\"],\"rowFilters\":[\"{\\\"type\\\":\\\"eq\\\",\\\"term\\\":\\\"country\\\",\\\"value\\\":\\\"USA\\\"}\",\"false\"]}";
+      return "{\"principalRole\":null,\"columnProjections\":[\"name\",\"location\"],\"rowFilters\":[\"{\\\"type\\\":\\\"eq\\\",\\\"term\\\":\\\"country\\\",\\\"value\\\":\\\"USA\\\"}\",\"false\"]}";
     }
     return content;
   }

runtime/service/src/test/java/org/apache/polaris/service/quarkus/catalog/AbstractPolicyCatalogTest.java

@@ -54,9 +54,9 @@
 import org.apache.polaris.core.persistence.dao.entity.LoadPolicyMappingsResult;
 import org.apache.polaris.core.persistence.pagination.PageToken;
 import org.apache.polaris.core.persistence.resolver.PolarisResolutionManifestCatalogView;
+import org.apache.polaris.core.policy.AccessControlPolicyUtil;
 import org.apache.polaris.core.policy.PolicyEntity;
 import org.apache.polaris.core.policy.PolicyType;
-import org.apache.polaris.core.policy.PolicyUtil;
 import org.apache.polaris.core.policy.exceptions.NoSuchPolicyException;
 import org.apache.polaris.core.policy.exceptions.PolicyAttachException;
 import org.apache.polaris.core.policy.exceptions.PolicyInUseException;
@@ -428,10 +428,12 @@ private List<ApplicablePolicy> getEffectivePolicies(
 
     return Stream.concat(
             nonInheritablePolicies.stream()
-                .filter(p -> PolicyUtil.filterApplicablePolicy(p, authenticatedPrincipal))
+                .filter(
+                    p -> AccessControlPolicyUtil.filterApplicablePolicy(p, authenticatedPrincipal))
                 .map(policy -> constructApplicablePolicy(policy, false)),
             inheritablePolicies.values().stream()
-                .filter(p -> PolicyUtil.filterApplicablePolicy(p, authenticatedPrincipal))
+                .filter(
+                    p -> AccessControlPolicyUtil.filterApplicablePolicy(p, authenticatedPrincipal))
                 .map(
                     policy ->
                         constructApplicablePolicy(
@@ -544,7 +546,7 @@ private ApplicablePolicy constructApplicablePolicy(PolicyEntity policyEntity, bo
         .setName(policyEntity.getName())
         .setDescription(policyEntity.getDescription())
         .setContent(
-            PolicyUtil.replaceContextVariable(
+            AccessControlPolicyUtil.replaceContextVariable(
                 policyEntity.getContent(), policyEntity.getPolicyType(), authenticatedPrincipal))
         .setVersion(policyEntity.getPolicyVersion())
         .setInherited(inherited)