GEODE-6986: Implement UnrestrictedMethodAuthorizer (apache#4105)

* GEODE-6986: Implement UnrestrictedMethodAuthorizer

- Made the class final, immutable and thread safe.
- Added comprehensive javadocs to the class and its methods.
- Added several unit tests for the class and all public methods.
- Improved javadocs for 'RestrictedMethodAuthorizer' and
  'MethodInvocationAuthorizer'.
- Fixed 'RestrictedMethodAuthorizer.isAllowedGeodeMethod()' to allow
  the execution of 'toString' and 'equals' on Geode objects.
- Removed 'getNanos' from the accepted methods for 'java.lang.Date' in
  'RestrictedMethodAuthorizer' (the method belong to
  'java.sql.Timestamp' instead).

geode-assembly/src/integrationTest/resources/assembly_content.txt

@@ -493,6 +493,7 @@ javadoc/org/apache/geode/cache/query/package-summary.html
 javadoc/org/apache/geode/cache/query/package-tree.html
 javadoc/org/apache/geode/cache/query/security/MethodInvocationAuthorizer.html
 javadoc/org/apache/geode/cache/query/security/RestrictedMethodAuthorizer.html
+javadoc/org/apache/geode/cache/query/security/UnrestrictedMethodAuthorizer.html
 javadoc/org/apache/geode/cache/query/security/package-frame.html
 javadoc/org/apache/geode/cache/query/security/package-summary.html
 javadoc/org/apache/geode/cache/query/security/package-tree.html

geode-core/src/main/java/org/apache/geode/cache/query/security/MethodInvocationAuthorizer.java

@@ -16,21 +16,28 @@
 
 import java.lang.reflect.Method;
 
-import org.apache.geode.cache.query.internal.AttributeDescriptor;
-import org.apache.geode.cache.query.internal.MethodDispatch;
+import org.apache.geode.cache.Cache;
+import org.apache.geode.cache.Region;
 
 /**
  * The root interface that should be implemented by method invocation authorizer instances.
  * The authorizer is responsible for determining whether a {@link java.lang.reflect.Method} is
  * allowed to be executed on a specific {@link java.lang.Object} instance.
  * <p/>
  *
- * Implementations of this interface must be thread-safe: multiple threads might be authorizing
- * several method invocations using the same instance at the same time.
- * <p/>
+ * There are mainly four security risks when allowing users to execute arbitrary methods in OQL,
+ * which should be addressed by implementations of this interface:
+ * <p>
+ * <ul>
+ * <li>{@code Java Reflection}: do anything through {@link Object#getClass()} or similar.
+ * <li>{@code Cache Modification}: execute {@link Cache} operations (close, get regions, etc.).
+ * <li>{@code Region Modification}: execute {@link Region} operations (destroy, invalidate, etc.).
+ * <li>{@code Region Entry Modification}: execute in-place modifications on the region entries.
+ * </ul>
+ * </p>
  *
- * @see org.apache.geode.cache.query.internal.MethodDispatch
- * @see org.apache.geode.cache.query.internal.AttributeDescriptor
+ * Implementations of this interface should be thread-safe: multiple threads might be authorizing
+ * several method invocations using the same instance at the same time.
  */
 public interface MethodInvocationAuthorizer {
 
@@ -39,12 +46,11 @@ public interface MethodInvocationAuthorizer {
    * executed on the {@code target} object instance.
    * <p/>
    *
-   * <b>Implementation Note</b>: both the {@link MethodDispatch} and {@link AttributeDescriptor}
-   * classes will remember whether the method invocation is already authorized, so that
-   * {@code authorize} will be called once in the lifetime of a Geode member for every new method
-   * seen while traversing the objects.
-   * Nevertheless, the implementation should be lighting fast as it will be called by the OQL engine
-   * in runtime during the query execution.
+   * <b>Implementation Note</b>: the query engine will remember whether the method invocation has
+   * been already authorized or not for the current query context, so this method will be called
+   * once in the lifetime of a query for every new method seen while traversing the objects.
+   * Nevertheless, the implementation should be lighting fast as it will be called by the
+   * OQL engine in runtime during the query execution.
    *
    * @param method the {@link Method} that should be authorized.
    * @param target the {@link Object} on which the {@link Method} will be executed.

geode-core/src/main/java/org/apache/geode/cache/query/security/RestrictedMethodAuthorizer.java

@@ -37,11 +37,15 @@
 import org.apache.geode.security.ResourcePermission;
 
 /**
- * The default, immutable and thread-safe method invocation authorizer used by Geode to determine
- * whether a {@link java.lang.reflect.Method} is allowed to be executed on a specific
+ * The default, immutable and thread-safe {@link MethodInvocationAuthorizer} used by Geode to
+ * determine whether a {@link java.lang.reflect.Method} is allowed to be executed on a specific
  * {@link java.lang.Object} instance.
  * <p/>
  *
+ * This authorizer addresses the four known security risks: {@code Java Reflection},
+ * {@code Cache Modification}, {@code Region Modification} and {@code Region Entry Modification}.
+ * <p/>
+ *
  * Custom applications can delegate to this class and use it as the starting point for providing
  * use case specific authorizers.
  *
@@ -83,6 +87,12 @@ private static Set<String> createForbiddenList() {
   private static Map<String, Set<Class>> createGeodeAcceptanceList() {
     Map<String, Set<Class>> acceptanceListMap = new HashMap<>();
 
+    Set<Class> objectCallers = new HashSet<>();
+    objectCallers.add(Object.class);
+    objectCallers = Collections.unmodifiableSet(objectCallers);
+    acceptanceListMap.put("equals", objectCallers);
+    acceptanceListMap.put("toString", objectCallers);
+
     Set<Class> entryCallers = new HashSet<>();
     entryCallers.add(Region.Entry.class);
     entryCallers = Collections.unmodifiableSet(entryCallers);
@@ -134,7 +144,6 @@ private static Map<String, Set<Class>> createDefaultAcceptanceList() {
     dateCallers = Collections.unmodifiableSet(dateCallers);
     acceptanceListMap.put("after", dateCallers);
     acceptanceListMap.put("before", dateCallers);
-    acceptanceListMap.put("getNanos", dateCallers);
     acceptanceListMap.put("getTime", dateCallers);
 
     Set<Class> timestampCallers = new HashSet<>();

geode-core/src/main/java/org/apache/geode/cache/query/security/UnrestrictedMethodAuthorizer.java

@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.geode.cache.query.security;
+
+import java.lang.reflect.Method;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.geode.cache.Cache;
+import org.apache.geode.cache.Declarable;
+import org.apache.geode.cache.Region;
+
+/**
+ * An immutable and thread-safe {@link MethodInvocationAuthorizer} that allows any method execution
+ * as long as the target object does not belong to a Geode package, or does belong but it's marked
+ * as safe (see {@link RestrictedMethodAuthorizer#isAllowedGeodeMethod(Method, Object)}).
+ * <p/>
+ *
+ * Some known dangerous methods, like {@link Object#getClass()}, are also rejected by this
+ * authorizer implementation, no matter whether the target object belongs to Geode or not
+ * (see {@link RestrictedMethodAuthorizer#isKnownDangerousMethod(Method, Object)}).
+ * <p/>
+ *
+ * This authorizer implementation addresses only three of the four known security risks:
+ * {@code Java Reflection}, {@code Cache Modification} and {@code Region Modification}.
+ * <p/>
+ *
+ * The {@code Region Entry Modification} security risk still exists: users with the
+ * {@code DATA:READ:RegionName} privilege will be able to execute ANY method (even mutators) on the
+ * objects stored within the region and on instances used as bind parameters of the OQL, so this
+ * authorizer implementation must be used with extreme care.
+ * <p/>
+ *
+ * Usage of this authorizer implementation is only recommended for secured clusters on which only
+ * trusted users and applications have access to the OQL engine. It might also be used on clusters
+ * on which the entries stored are immutable.
+ * <p/>
+ *
+ * @see org.apache.geode.cache.Cache
+ * @see org.apache.geode.cache.query.security.MethodInvocationAuthorizer
+ * @see org.apache.geode.cache.query.security.RestrictedMethodAuthorizer
+ */
+public final class UnrestrictedMethodAuthorizer implements MethodInvocationAuthorizer {
+  static final String NULL_CACHE_MESSAGE = "Cache should be provided to configure the authorizer.";
+  static final String NULL_AUTHORIZER_MESSAGE =
+      "RestrictedMethodAuthorizer should be provided to create this authorizer.";
+  private static final String GEODE_BASE_PACKAGE = "org.apache.geode";
+  private final RestrictedMethodAuthorizer restrictedMethodAuthorizer;
+
+  /**
+   * Creates a {@code UnrestrictedMethodAuthorizer} object and initializes it so it can be safely
+   * used in a multi-threaded environment.
+   * <p/>
+   *
+   * Applications can use this constructor as part of the initialization for custom authorizers
+   * (see {@link Declarable#initialize(Cache, Properties)}), when using a declarative approach.
+   *
+   * @param cache the {@code Cache} instance that owns this authorizer, required in order to
+   *        configure the default {@link RestrictedMethodAuthorizer}.
+   */
+  public UnrestrictedMethodAuthorizer(Cache cache) {
+    Objects.requireNonNull(cache, NULL_CACHE_MESSAGE);
+    this.restrictedMethodAuthorizer = new RestrictedMethodAuthorizer(cache);
+  }
+
+  /**
+   * Creates a {@code UnrestrictedMethodAuthorizer} object and initializes it so it can be safely
+   * used in a multi-threaded environment.
+   * <p/>
+   *
+   * @param restrictedMethodAuthorizer the default {@code RestrictedMethodAuthorizer} to use.
+   */
+  public UnrestrictedMethodAuthorizer(RestrictedMethodAuthorizer restrictedMethodAuthorizer) {
+    Objects.requireNonNull(restrictedMethodAuthorizer, NULL_AUTHORIZER_MESSAGE);
+    this.restrictedMethodAuthorizer = restrictedMethodAuthorizer;
+  }
+
+  /**
+   * Executes the authorization logic to determine whether the {@code method} is allowed to be
+   * executed on the {@code target} object instance.
+   * If the {@code target} object is an instance of {@link Region}, this methods also ensures that
+   * the user has the {@code DATA:READ} permission granted for the target {@link Region}.
+   * <p/>
+   *
+   * @param method the {@link Method} that should be authorized.
+   * @param target the {@link Object} on which the {@link Method} will be executed.
+   * @return {@code true} if the {@code method} can be executed on on the {@code target} instance,
+   *         {@code false} otherwise.
+   *
+   * @see org.apache.geode.cache.query.security.MethodInvocationAuthorizer
+   */
+  @Override
+  public boolean authorize(Method method, Object target) {
+    // Return false for known dangerous methods.
+    if (restrictedMethodAuthorizer.isKnownDangerousMethod(method, target)) {
+      return false;
+    }
+
+    // Return true for non Geode classes.
+    String packageName = target.getClass().getPackage().getName().toLowerCase();
+    if (!packageName.startsWith(GEODE_BASE_PACKAGE)) {
+      return true;
+    }
+
+    // Delegate to the default authorizer.
+    return restrictedMethodAuthorizer.isAllowedGeodeMethod(method, target);
+  }
+}