-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
General service class for exporting document list from a Mongo Collec… (
#19819) * General service class for exporting document list from a Mongo Collection. * License header... * Refactored method naming * Do not introduce new general method in MongoCollections
- Loading branch information
1 parent
d86af6d
commit 79e04cb
Showing
7 changed files
with
449 additions
and
111 deletions.
There are no files selected for viewing
94 changes: 94 additions & 0 deletions
94
graylog2-server/src/main/java/org/graylog2/database/export/MongoCollectionExportService.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
/* | ||
* Copyright (C) 2020 Graylog, Inc. | ||
* | ||
* This program is free software: you can redistribute it and/or modify | ||
* it under the terms of the Server Side Public License, version 1, | ||
* as published by MongoDB, Inc. | ||
* | ||
* This program is distributed in the hope that it will be useful, | ||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
* Server Side Public License for more details. | ||
* | ||
* You should have received a copy of the Server Side Public License | ||
* along with this program. If not, see | ||
* <http://www.mongodb.com/licensing/server-side-public-license>. | ||
*/ | ||
package org.graylog2.database.export; | ||
|
||
import com.mongodb.client.FindIterable; | ||
import com.mongodb.client.MongoCollection; | ||
import com.mongodb.client.model.Filters; | ||
import com.mongodb.client.model.Projections; | ||
import com.mongodb.client.model.Sorts; | ||
import jakarta.inject.Inject; | ||
import org.apache.shiro.subject.Subject; | ||
import org.bson.Document; | ||
import org.bson.conversions.Bson; | ||
import org.graylog.plugins.views.search.searchtypes.Sort; | ||
import org.graylog2.database.MongoConnection; | ||
import org.graylog2.database.utils.MongoUtils; | ||
import org.graylog2.shared.security.EntityPermissionsUtils; | ||
|
||
import java.util.List; | ||
import java.util.Objects; | ||
import java.util.function.Predicate; | ||
import java.util.stream.Collectors; | ||
import java.util.stream.Stream; | ||
|
||
/** | ||
* A general service for exporting limited list of Documents (with a selection of fields) from a collection in MongoDB. | ||
* Meant to be used when users have permissions to read the whole entity collection. | ||
* It will work with selective permissions as well (users having permissions to view some entities in the collection), | ||
* but performance may be low in that particular case. | ||
*/ | ||
public class MongoCollectionExportService { | ||
|
||
private final MongoConnection mongoConnection; | ||
private final EntityPermissionsUtils permissionsUtils; | ||
|
||
@Inject | ||
public MongoCollectionExportService(final MongoConnection mongoConnection, | ||
final EntityPermissionsUtils permissionsUtils) { | ||
this.mongoConnection = mongoConnection; | ||
this.permissionsUtils = permissionsUtils; | ||
} | ||
|
||
public List<Document> export(final String collectionName, | ||
final List<String> exportedFieldNames, | ||
final int limit, | ||
final Bson dbFilter, | ||
final List<Sort> sorts, | ||
final Subject subject) { | ||
final MongoCollection<Document> collection = mongoConnection.getMongoDatabase().getCollection(collectionName); | ||
final FindIterable<Document> resultsWithoutLimit = collection.find(Objects.requireNonNullElse(dbFilter, Filters.empty())) | ||
.projection(Projections.fields(Projections.include(exportedFieldNames))) | ||
.sort(toMongoDbSort(sorts)); | ||
|
||
final var userCanReadAllEntities = permissionsUtils.hasAllPermission(subject) || permissionsUtils.hasReadPermissionForWholeCollection(subject, collectionName); | ||
final var checkPermission = permissionsUtils.createPermissionCheck(subject, collectionName); | ||
final var documents = userCanReadAllEntities | ||
? getFromMongo(resultsWithoutLimit, limit) | ||
: getWithInMemoryPermissionCheck(resultsWithoutLimit, limit, checkPermission); | ||
|
||
return documents.collect(Collectors.toList()); | ||
|
||
} | ||
|
||
private Bson toMongoDbSort(final List<Sort> sorts) { | ||
return Sorts.orderBy(sorts.stream() | ||
.map(srt -> srt.order() == Sort.Order.DESC ? | ||
Sorts.descending(srt.field()) : Sorts.ascending(srt.field())) | ||
.toList()); | ||
} | ||
|
||
private Stream<Document> getWithInMemoryPermissionCheck(FindIterable<Document> result, int limit, Predicate<Document> checkPermission) { | ||
return MongoUtils.stream(result) | ||
.filter(checkPermission) | ||
.limit(limit); | ||
} | ||
|
||
private Stream<Document> getFromMongo(FindIterable<Document> result, int limit) { | ||
return MongoUtils.stream(result.limit(limit)); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
63 changes: 63 additions & 0 deletions
63
graylog2-server/src/main/java/org/graylog2/shared/security/EntityPermissionsUtils.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
/* | ||
* Copyright (C) 2020 Graylog, Inc. | ||
* | ||
* This program is free software: you can redistribute it and/or modify | ||
* it under the terms of the Server Side Public License, version 1, | ||
* as published by MongoDB, Inc. | ||
* | ||
* This program is distributed in the hope that it will be useful, | ||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
* Server Side Public License for more details. | ||
* | ||
* You should have received a copy of the Server Side Public License | ||
* along with this program. If not, see | ||
* <http://www.mongodb.com/licensing/server-side-public-license>. | ||
*/ | ||
package org.graylog2.shared.security; | ||
|
||
import jakarta.inject.Inject; | ||
import org.apache.shiro.authz.permission.AllPermission; | ||
import org.apache.shiro.subject.Subject; | ||
import org.bson.Document; | ||
import org.graylog2.database.DbEntity; | ||
import org.graylog2.database.dbcatalog.DbEntitiesCatalog; | ||
import org.graylog2.database.dbcatalog.DbEntityCatalogEntry; | ||
|
||
import java.util.Optional; | ||
import java.util.function.Predicate; | ||
|
||
public class EntityPermissionsUtils { | ||
|
||
public static final String ID_FIELD = "_id"; | ||
|
||
private final DbEntitiesCatalog catalog; | ||
|
||
@Inject | ||
public EntityPermissionsUtils(final DbEntitiesCatalog catalog) { | ||
this.catalog = catalog; | ||
} | ||
|
||
public Predicate<Document> createPermissionCheck(final Subject subject, final String collection) { | ||
final var readPermission = readPermissionForCollection(collection); | ||
return doc -> readPermission | ||
.map(permission -> subject.isPermitted(permission + ":" + doc.getObjectId(ID_FIELD).toString())) | ||
.orElse(false); | ||
} | ||
|
||
public boolean hasAllPermission(final Subject subject) { | ||
return subject.isPermitted(new AllPermission()); | ||
} | ||
|
||
public boolean hasReadPermissionForWholeCollection(final Subject subject, | ||
final String collection) { | ||
return readPermissionForCollection(collection) | ||
.map(rp -> rp.equals(DbEntity.ALL_ALLOWED) || subject.isPermitted(rp + ":*")) | ||
.orElse(false); | ||
} | ||
|
||
public Optional<String> readPermissionForCollection(final String collection) { | ||
return catalog.getByCollectionName(collection) | ||
.map(DbEntityCatalogEntry::readPermission); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.