Added support for different combos of user accm readons

raft-tech · Aug 2, 2024 · 89f6077 · 89f6077
1 parent 274b0f7
commit 89f6077
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 11 deletions.
diff --git a/engine/src/main/java/com/arcadedb/security/ACCM/Argument.java b/engine/src/main/java/com/arcadedb/security/ACCM/Argument.java
@@ -309,6 +309,15 @@ private boolean evaluateInternal(JSONObject json) {
 
                 LogManager.instance().log(this, Level.INFO, "this.value type: " + this.value.getClass().getSimpleName());
 
+                if (this.value instanceof List) {
+                    List<?> list = (List<?>) this.value;
+                    for (Object element : list) {
+                        if (element instanceof String) {
+                            listToCheck.add((String) element);
+                        }
+                    }
+                }
+
                 if (this.value instanceof String) {
                     String str = (String) this.value;
                     str = str.substring(1, str.length() - 1).replace("\"", "");
@@ -320,11 +329,6 @@ private boolean evaluateInternal(JSONObject json) {
                     listToCheck = Arrays.asList((String[]) this.value).stream().map(String::trim).collect(Collectors.toList());
                 }
 
-                LogManager.instance().log(this, Level.INFO, "docValuList: " + docValList + " " + docValList.size());
-                LogManager.instance().log(this, Level.INFO, "list2Check: " + listToCheck + " " + listToCheck.size());
-
-                LogManager.instance().log(this, Level.INFO, "result: " + listToCheck.containsAll(docValList));
-
                 return listToCheck.containsAll(docValList);
             case NONE_IN:
                 for (Object val : (Object[]) this.value) {

diff --git a/server/src/main/java/com/arcadedb/server/security/oidc/OpaClient.java b/server/src/main/java/com/arcadedb/server/security/oidc/OpaClient.java
@@ -116,27 +116,30 @@ public static OpaResponse getPolicy(String username, Set<String> databaseNames)
         List<Argument> accmArgs = new ArrayList<>();
         // if user has readons, only permit rows where all required readons are present
         if (opaPolicyJson.get("user_has_access_to_accm").asBoolean()) {
-            var readons = opaPolicyJson.get("programReadons").asText().split(",");
+            var readons = opaPolicyJson.get("programReadons").asText().replaceAll(" ","").split(",");
             Arrays.asList(readons);
 
             // need an or expression to support any valid combo of program nicknames
-            Argument arg = new Argument("components.programNicknames", ArgumentOperator.ALL_IN, readons);
-            arg.setNullEvaluatesToGrantAccess(true);
-            accmArgs.add(arg);
+            for (List<String> combo : getAllCombinations(Arrays.asList(readons))) {
+                Argument arg = new Argument("components.programNicknames", ArgumentOperator.ALL_IN, combo);
+                arg.setNullEvaluatesToGrantAccess(true);
+                accmArgs.add(arg);
+            }
         } else {
             var arg = new Argument("components.nonICmarkings", ArgumentOperator.CONTAINS, "ACCM", true);
             accmArgs.add(arg);
         }
 
+        Expression accm = new Expression(ExpressionOperator.OR, new ArrayList<>(), accmArgs);
+
         var allOuterArgs = new ArrayList<Argument>();
         allOuterArgs.addAll(classificationArguments);
-        allOuterArgs.addAll(accmArgs);
         allOuterArgs.addAll(disseminationArgs);
 
-
         Expression outer = new Expression();
         outer.setOperator(ExpressionOperator.AND);
         outer.setArguments(allOuterArgs);
+        outer.setExpressions(List.of(accm));
 
 
         List<Expression> expressions = new ArrayList<>();
@@ -163,4 +166,22 @@ public static OpaResponse getPolicy(String username, Set<String> databaseNames)
         OpaResult result = new OpaResult(true, roles, json.getJSONObject("user_attributes").toMap(), policies);
         return new OpaResponse(result);
     }
+
+    public static List<List<String>> getAllCombinations(List<String> list) {
+        List<List<String>> result = new ArrayList<>();
+        generateCombinations(list, 0, new ArrayList<>(), result);
+        return result;
+    }
+
+    private static void generateCombinations(List<String> list, int index, List<String> current, List<List<String>> result) {
+        // Add the current combination to the result
+        result.add(new ArrayList<>(current));
+
+        // Generate further combinations
+        for (int i = index; i < list.size(); i++) {
+            current.add(list.get(i));
+            generateCombinations(list, i + 1, current, result);
+            current.remove(current.size() - 1);
+        }
+    }
 }