KNOX-3219 - New function in Virtual Group mapper to test request parameters (#1112)

Author: smolnar82

gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/VirtualGroupMapper.java

@@ -88,6 +88,8 @@ public static void addRequestFunctions(ServletRequest req, Interpreter interpret
         if (req instanceof HttpServletRequest) {
             interpreter.addFunction("request-attribute", Arity.UNARY, params ->
                     ensureNotNull(req.getAttribute((String)params.get(0))));
+            interpreter.addFunction("request-parameter", Arity.UNARY, params ->
+                    ensureNotNull(req.getParameter((String)params.get(0))));
             interpreter.addFunction("request-header", Arity.UNARY, params ->
                     ensureNotNull(((HttpServletRequest) req).getHeader((String)params.get(0))));
             interpreter.addFunction("session", Arity.UNARY, params ->

gateway-provider-identity-assertion-common/src/test/java/org/apache/knox/gateway/identityasserter/common/filter/VirtualGroupMapperTest.java

@@ -19,6 +19,7 @@
 
 import static java.util.Arrays.asList;
 import static java.util.Collections.emptyList;
+import static java.util.Collections.emptySet;
 import static java.util.Collections.singletonList;
 import static org.junit.Assert.assertEquals;
 
@@ -27,12 +28,17 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Set;
 
 import org.apache.knox.gateway.plang.AbstractSyntaxTree;
 import org.apache.knox.gateway.plang.Parser;
+import org.easymock.EasyMock;
 import org.junit.Test;
 
+import javax.servlet.ServletRequest;
+import javax.servlet.http.HttpServletRequest;
+
 @SuppressWarnings("PMD.NonStaticInitializer")
 public class VirtualGroupMapperTest {
     private Parser parser = new Parser();
@@ -117,8 +123,37 @@ public void testMatchGroup() {
         assertEquals(0, virtualGroups("user4", emptyList()).size());
     }
 
+    @Test
+    public void testRequestParameterContainsParam() {
+        testRequestParameter(true);
+    }
+
+    @Test
+    public void testRequestParameterNotContainsParam() {
+        testRequestParameter(false);
+    }
+
+    private void testRequestParameter(boolean containsParam) {
+        final String groupName = "non_rejected_request";
+        final String requestParamName = "impala.doas.user";
+        mapper = new VirtualGroupMapper(new HashMap<String, AbstractSyntaxTree>(){{
+            put(groupName, parser.parse(String.format(Locale.US, "(= (strlen (request-parameter '%s')) 0)", requestParamName)));
+        }});
+        final HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+        if (containsParam) {
+            EasyMock.expect(request.getParameter(requestParamName)).andReturn("impala").anyTimes();
+        }
+        EasyMock.replay(request);
+        final Set<String> expectedGroups = containsParam ? emptySet() : setOf(groupName);
+        assertEquals(expectedGroups, virtualGroups("user1", emptyList(), request));
+    }
+
     private Set<String> virtualGroups(String user1, List<String> ldapGroups) {
-        return mapper.mapGroups(user1, new HashSet<>(ldapGroups), null);
+        return virtualGroups(user1, ldapGroups, null);
+    }
+
+    private Set<String> virtualGroups(String user1, List<String> ldapGroups, ServletRequest request) {
+        return mapper.mapGroups(user1, new HashSet<>(ldapGroups), request);
     }
 
     private static Set<String> setOf(String... strings) {

knox-site/docs/config_id_assertion.md

@@ -423,6 +423,17 @@ Number of arguments: 1
 Example
 
     (request-attribute 'sourceRequestUrl')
+
+###### request-parameter ######
+Returns the value of the specified request parameter as a String. If the given key doesn't exist empty string is returned.
+
+Number of arguments: 1
+
+    (request-parameter aString)
+
+Example
+
+    (request-parameter 'sample.request.param')
 
 ###### session ######