Allow resolving dependencies for multiple entities at once (#23268)

Author: thll

graylog2-server/src/main/java/org/graylog/security/entities/DefaultEntityDependencyResolver.java

@@ -23,7 +23,6 @@
 import org.graylog.grn.GRNDescriptorService;
 import org.graylog.grn.GRNRegistry;
 import org.graylog.grn.GRNType;
-import org.graylog.grn.GRNTypes;
 import org.graylog.security.DBGrantService;
 import org.graylog.security.shares.Grantee;
 import org.graylog2.contentpacks.ContentPackService;
@@ -32,6 +31,7 @@
 import org.graylog2.contentpacks.model.ModelTypes;
 
 import javax.annotation.Nullable;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Optional;
@@ -45,13 +45,6 @@ public class DefaultEntityDependencyResolver implements EntityDependencyResolver
     private final GRNRegistry grnRegistry;
     private final GRNDescriptorService descriptorService;
     private final DBGrantService grantService;
-    // Some dependencies can be ignored.
-    // E.g. To view a stream with a custom output, a user does not need output permissions
-    private static final Map<GRNType, Set<ModelType>> IGNORED_DEPENDENCIES = ImmutableMap.<GRNType, Set<ModelType>>builder()
-            .put(GRNTypes.SEARCH, ImmutableSet.of(ModelTypes.OUTPUT_V1))
-            .put(GRNTypes.STREAM, ImmutableSet.of(ModelTypes.OUTPUT_V1))
-            .put(GRNTypes.DASHBOARD, ImmutableSet.of(ModelTypes.OUTPUT_V1))
-            .build();
 
     @Inject
     public DefaultEntityDependencyResolver(ContentPackService contentPackService,
@@ -66,22 +59,31 @@ public DefaultEntityDependencyResolver(ContentPackService contentPackService,
 
     @Override
     public ImmutableSet<EntityDescriptor> resolve(GRN entity) {
-        final var contentPackEntityDescriptor = toContentPackEntityDescriptor(entity);
-        final ImmutableSet<GRN> dependencies = contentPackService.resolveEntities(Set.of(contentPackEntityDescriptor)).stream()
-                .filter(dep -> {
-                    // Filter dependencies that aren't needed for grants sharing
-                    // TODO This is another reason why we shouldn't be using the content pack resolver ¯\_(ツ)_/¯
-                    final Set<ModelType> ignoredDeps = IGNORED_DEPENDENCIES.getOrDefault(entity.grnType(), ImmutableSet.of());
-                    return !ignoredDeps.contains(dep.type());
-                })
+        return resolve(Set.of(entity));
+    }
+
+    @SuppressWarnings("UnstableApiUsage")
+    protected ImmutableSet<EntityDescriptor> resolve(Collection<GRN> entities) {
+        final var cpDescriptors = entities.stream().map(DefaultEntityDependencyResolver::toContentPackEntityDescriptor)
+                .collect(Collectors.toUnmodifiableSet());
+        final var dependencyGraph = contentPackService.resolveEntityDependencyGraph(cpDescriptors);
+        final var dependencies = dependencyGraph.nodes().stream()
+                .filter(dependency -> !cpDescriptors.contains(dependency)) // Don't include the given entity in dependencies
+                // Workaround to ignore outputs as dependencies of streams.
+                // To view a stream with a custom output, a user does not need output permissions. Therefore, we
+                // ignore outputs if they only appear as dependencies of streams.
+                // TODO This is another reason why we shouldn't be using the content pack resolver ¯\_(ツ)_/¯
+                .filter(dependency -> !ModelTypes.OUTPUT_V1.equals(dependency.type()) ||
+                        dependencyGraph.predecessors(dependency).stream().anyMatch(
+                                predecessor -> !ModelTypes.STREAM_V1.equals(predecessor.type()))
+                )
                 // TODO: Work around from using the content pack dependency resolver:
                 //  We've added stream_title content pack entities in https://github.com/Graylog2/graylog2-server/pull/17089,
                 //  but in this context we want to return the actual dependent Stream to add additional permissions to.
                 .map(cpDescriptor -> ModelTypes.STREAM_REF_V1.equals(cpDescriptor.type())
                         ? org.graylog2.contentpacks.model.entities.EntityDescriptor.create(cpDescriptor.id(), ModelTypes.STREAM_V1)
                         : cpDescriptor)
                 .map(cpDescriptor -> grnRegistry.newGRN(cpDescriptor.type().name(), cpDescriptor.id().id()))
-                .filter(dependency -> !entity.equals(dependency)) // Don't include the given entity in dependencies
                 .collect(ImmutableSet.toImmutableSet());
 
         final ImmutableMap<GRN, Optional<String>> entityExcerpts = entityExcerpts();

graylog2-server/src/main/java/org/graylog2/contentpacks/ContentPackService.java

@@ -30,10 +30,9 @@
 import jakarta.inject.Inject;
 import jakarta.inject.Singleton;
 import jakarta.ws.rs.ForbiddenException;
-import org.apache.shiro.authz.annotation.Logical;
+import org.graylog.security.GrantDTO;
 import org.graylog.security.UserContext;
 import org.graylog.security.UserContextMissingException;
-import org.graylog.security.GrantDTO;
 import org.graylog2.Configuration;
 import org.graylog2.contentpacks.constraints.ConstraintChecker;
 import org.graylog2.contentpacks.exceptions.ContentPackException;
@@ -397,6 +396,10 @@ public Map<String, EntityExcerpt> getEntityExcerpts() {
     }
 
     public Set<EntityDescriptor> resolveEntities(Collection<EntityDescriptor> unresolvedEntities) {
+        return resolveEntityDependencyGraph(unresolvedEntities).nodes();
+    }
+
+    public Graph<EntityDescriptor> resolveEntityDependencyGraph(Collection<EntityDescriptor> unresolvedEntities) {
         final MutableGraph<EntityDescriptor> dependencyGraph = GraphBuilder.directed()
                 .allowsSelfLoops(false)
                 .nodeOrder(ElementOrder.insertion())
@@ -408,7 +411,7 @@ public Set<EntityDescriptor> resolveEntities(Collection<EntityDescriptor> unreso
 
         LOG.debug("Final dependency graph: {}", finalDependencyGraph);
 
-        return finalDependencyGraph.nodes();
+        return finalDependencyGraph;
     }
 
     private MutableGraph<EntityDescriptor> resolveDependencyGraph(Graph<EntityDescriptor> dependencyGraph, Set<EntityDescriptor> resolvedEntities) {

graylog2-server/src/test/java/org/graylog/security/entities/DefaultEntityDependencyResolverTest.java

@@ -17,11 +17,13 @@
 package org.graylog.security.entities;
 
 import com.google.common.collect.ImmutableSet;
+import com.google.common.graph.GraphBuilder;
 import org.graylog.grn.GRN;
 import org.graylog.grn.GRNDescriptor;
 import org.graylog.grn.GRNDescriptorService;
 import org.graylog.grn.GRNRegistry;
 import org.graylog.grn.GRNType;
+import org.graylog.grn.GRNTypes;
 import org.graylog.security.DBGrantService;
 import org.graylog.testing.GRNExtension;
 import org.graylog.testing.mongodb.MongoDBExtension;
@@ -46,6 +48,7 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.when;
 
+@SuppressWarnings("UnstableApiUsage")
 @ExtendWith(MongoDBExtension.class)
 @ExtendWith(MongoJackExtension.class)
 @ExtendWith(GRNExtension.class)
@@ -83,7 +86,9 @@ void resolve() {
         when(contentPackService.listAllEntityExcerpts()).thenReturn(ImmutableSet.of(streamExcerpt));
 
         final EntityDescriptor streamDescriptor = EntityDescriptor.builder().type(ModelTypes.STREAM_V1).id(ModelId.of("54e3deadbeefdeadbeefaffe")).build();
-        when(contentPackService.resolveEntities(any())).thenReturn(ImmutableSet.of(streamDescriptor));
+        final var dependencyGraph = GraphBuilder.directed().<EntityDescriptor>build();
+        dependencyGraph.addNode(streamDescriptor);
+        when(contentPackService.resolveEntityDependencyGraph(any())).thenReturn(dependencyGraph);
 
         when(grnDescriptorService.getDescriptor(any(GRN.class))).thenAnswer(a -> {
             GRN grnArg = a.getArgument(0);
@@ -108,7 +113,9 @@ void resolveWithInclompleteDependency() {
 
         when(contentPackService.listAllEntityExcerpts()).thenReturn(ImmutableSet.of());
         final EntityDescriptor streamDescriptor = EntityDescriptor.builder().type(ModelTypes.STREAM_V1).id(ModelId.of("54e3deadbeefdeadbeefaffe")).build();
-        when(contentPackService.resolveEntities(any())).thenReturn(ImmutableSet.of(streamDescriptor));
+        final var dependencyGraph = GraphBuilder.directed().<EntityDescriptor>build();
+        dependencyGraph.addNode(streamDescriptor);
+        when(contentPackService.resolveEntityDependencyGraph(any())).thenReturn(dependencyGraph);
 
         when(grnDescriptorService.getDescriptor(any(GRN.class))).thenAnswer(a -> {
             GRN grnArg = a.getArgument(0);
@@ -139,7 +146,9 @@ void resolveStreamReference() {
         when(contentPackService.listAllEntityExcerpts()).thenReturn(ImmutableSet.of(streamExcerpt, streamRefExcerpt));
 
         final EntityDescriptor streamDescriptor = EntityDescriptor.builder().type(ModelTypes.STREAM_REF_V1).id(ModelId.of("54e3deadbeefdeadbeefaffe")).build();
-        when(contentPackService.resolveEntities(any())).thenReturn(ImmutableSet.of(streamDescriptor));
+        final var dependencyGraph = GraphBuilder.directed().<EntityDescriptor>build();
+        dependencyGraph.addNode(streamDescriptor);
+        when(contentPackService.resolveEntityDependencyGraph(any())).thenReturn(dependencyGraph);
 
         when(grnDescriptorService.getDescriptor(any(GRN.class))).thenAnswer(a -> {
             GRN grnArg = a.getArgument(0);
@@ -163,11 +172,41 @@ void resolveStreamReference() {
     void resolveEventProcedureDependency() {
         final EntityDescriptor definitionDescriptor = EntityDescriptor.builder().type(ModelTypes.EVENT_DEFINITION_V1).id(ModelId.of("54e3deadbeefdeadbeefafff")).build();
         final EntityDescriptor procedureDescriptor = EntityDescriptor.builder().type(ModelTypes.EVENT_PROCEDURE_V1).id(ModelId.of("54e3deadbeefdeadbeefaffe")).build();
-        when(contentPackService.resolveEntities(any())).thenReturn(ImmutableSet.of(definitionDescriptor, procedureDescriptor));
+        final var dependencyGraph = GraphBuilder.directed().<EntityDescriptor>build();
+        dependencyGraph.addNode(definitionDescriptor);
+        dependencyGraph.putEdge(definitionDescriptor, procedureDescriptor);
+        when(contentPackService.resolveEntityDependencyGraph(any())).thenReturn(dependencyGraph);
 
         final GRN definitionGrn = grnRegistry.newGRN("event_definition", "54e3deadbeefdeadbeefafff");
         grnRegistry.registerType(GRNType.create("event_procedure"));
         final ImmutableSet<org.graylog.security.entities.EntityDescriptor> missingDependencies = entityDependencyResolver.resolve(definitionGrn);
         assertThat(missingDependencies).hasSize(1);
     }
+
+    @Test
+    @DisplayName("Try to resolve with an output dependency")
+    void resolveWithOutputDependency() {
+        final var output1 = EntityDescriptor.builder().type(ModelTypes.OUTPUT_V1).id(ModelId.of("output-1-id")).build();
+        final var output2 = EntityDescriptor.builder().type(ModelTypes.OUTPUT_V1).id(ModelId.of("output-2-id")).build();
+        final var stream = EntityDescriptor.builder().type(ModelTypes.STREAM_V1).id(ModelId.of("stream-id")).build();
+        // just for testing purposes, let's assume we'd allow event definitions to depend directly on outputs
+        final var dashboard = EntityDescriptor.builder().type(ModelTypes.EVENT_DEFINITION_V1).id(ModelId.of("event-definition-id")).build();
+
+        // we'll resolve this dependency graph for whatever entity we pass in
+        final var dependencyGraph = GraphBuilder.directed().<EntityDescriptor>build();
+        dependencyGraph.addNode(stream);
+        dependencyGraph.addNode(dashboard);
+        dependencyGraph.putEdge(stream, output1);
+        dependencyGraph.putEdge(dashboard, output2);
+        when(contentPackService.resolveEntityDependencyGraph(any())).thenReturn(dependencyGraph);
+
+        // output1 should be ignored because it is only a dependency of the stream
+        final var dependencies = entityDependencyResolver.resolve(grnRegistry.newGRN(GRNTypes.DASHBOARD, "dashboard-id"));
+        assertThat(dependencies)
+                .extracting(org.graylog.security.entities.EntityDescriptor::id)
+                .containsExactlyInAnyOrder(grnRegistry.newGRN(GRNTypes.EVENT_DEFINITION, "event-definition-id"),
+                        grnRegistry.newGRN(GRNTypes.STREAM, "stream-id"),
+                        grnRegistry.newGRN(GRNTypes.OUTPUT, "output-2-id")
+                );
+    }
 }