support OPTIONAL verb in authorization framework

fixes #3289

Author: Vladimir Kotal

opengrok-indexer/src/main/java/org/opengrok/indexer/authorization/AuthControlFlag.java

@@ -48,13 +48,17 @@ public enum AuthControlFlag {
      */
     REQUISITE("requisite"),
     /**
-     * If such a plugin succeeds and no prior required plugin has failed the
-     * authorization framework returns success to the application immediately
-     * without calling any further plugins in the stack. A failure of a
-     * sufficient plugin is ignored and processing of the plugin list continues
-     * unaffected.
+     * If such a plugin succeeds and no prior required plugin has failed,
+     * the authorization framework returns success immediately
+     * without calling any further plugins in the stack.
+     * A failure of a sufficient plugin is ignored and processing of the stack continues unaffected.
      */
-    SUFFICIENT("sufficient");
+    SUFFICIENT("sufficient"),
+    /**
+     * The failure is returned only if stack traversal finished and
+     * there was no prior result recorded.
+     */
+    OPTIONAL("optional");
 
     private final String flag;
 
@@ -79,6 +83,10 @@ public boolean isSufficient() {
         return SUFFICIENT.equals(this);
     }
 
+    public boolean isOptional() {
+        return OPTIONAL.equals(this);
+    }
+
     /**
      * Get the enum value for the string parameter.
      *

opengrok-indexer/src/main/java/org/opengrok/indexer/authorization/AuthorizationEntity.java

@@ -523,6 +523,15 @@ public boolean isRequisite() {
         return getFlag().isRequisite();
     }
 
+    /**
+     * Check if this plugin is marked as optional.
+     *
+     * @return true if is optional; false otherwise
+     */
+    public boolean isOptional() {
+        return getFlag().isOptional();
+    }
+
     /**
      * Print the entity hierarchy.
      *

opengrok-indexer/src/main/java/org/opengrok/indexer/authorization/AuthorizationStack.java

@@ -219,7 +219,13 @@ protected boolean processStack(Nameable entity,
             PluginDecisionPredicate pluginPredicate,
             PluginSkippingPredicate skippingPredicate) {
 
-        boolean overallDecision = true;
+        Boolean overallDecision = null;
+        boolean optionalFailure = false;
+
+        if (getStack().isEmpty()) {
+            return true;
+        }
+
         for (AuthorizationEntity authEntity : getStack()) {
 
             if (skippingPredicate.shouldSkip(authEntity)) {
@@ -232,24 +238,29 @@ protected boolean processStack(Nameable entity,
                 LOGGER.log(Level.FINEST, "AuthEntity \"{0}\" [{1}] testing a name \"{2}\"",
                         new Object[]{authEntity.getName(), authEntity.getFlag(), entity.getName()});
 
-                boolean pluginDecision = authEntity.isAllowed(entity, pluginPredicate, skippingPredicate);
+                boolean entityDecision = authEntity.isAllowed(entity, pluginPredicate, skippingPredicate);
 
                 LOGGER.log(Level.FINEST, "AuthEntity \"{0}\" [{1}] testing a name \"{2}\" => {3}",
                         new Object[]{authEntity.getName(), authEntity.getFlag(), entity.getName(),
-                                pluginDecision ? "true" : "false"});
+                                entityDecision ? "true" : "false"});
 
-                if (!pluginDecision && authEntity.isRequired()) {
+                if (!entityDecision && authEntity.isRequired()) {
                     // required sets a failure but still invokes all other plugins
                     overallDecision = false;
-                    continue;
-                } else if (!pluginDecision && authEntity.isRequisite()) {
+                } else if (!entityDecision && authEntity.isRequisite()) {
                     // requisite sets a failure and immediately returns the failure
                     overallDecision = false;
                     break;
-                } else if (overallDecision && pluginDecision && authEntity.isSufficient()) {
+                } else if (!entityDecision && authEntity.isOptional()) {
+                    optionalFailure = true;
+                } else if (entityDecision && authEntity.isSufficient()) {
                     // sufficient immediately returns the success
+                    if ((overallDecision == null) || overallDecision) {
+                        overallDecision = true;
+                        break;
+                    }
+                } else if (overallDecision == null && entityDecision) {
                     overallDecision = true;
-                    break;
                 }
             } catch (AuthorizationException ex) {
                 // Propagate up so that proper HTTP error can be given.
@@ -264,8 +275,12 @@ protected boolean processStack(Nameable entity,
 
                 LOGGER.log(Level.FINEST, "AuthEntity \"{0}\" [{1}] testing a name \"{2}\" => {3}",
                         new Object[]{authEntity.getName(), authEntity.getFlag(), entity.getName(),
-                            "false (failed)"});
+                                "false (failed)"});
 
+                if (authEntity.isOptional()) {
+                    optionalFailure = true;
+                    continue;
+                }
                 // set the return value to false for this faulty plugin
                 if (!authEntity.isSufficient()) {
                     overallDecision = false;
@@ -277,6 +292,14 @@ protected boolean processStack(Nameable entity,
             }
         }
 
+        if (overallDecision == null && optionalFailure) {
+            return false;
+        }
+
+        if (overallDecision == null) {
+            return true;
+        }
+
         return overallDecision;
     }
 

opengrok-indexer/src/test/java/org/opengrok/indexer/authorization/AuthorizationFrameworkTest.java

@@ -654,6 +654,57 @@ public static StackSetup[][] params() {
                 NewTest(false, createAllowedProject()),
                 NewTest(false, createAllowedGroup()))
             },
+            {
+                new StackSetup(
+                    NewStack(AuthControlFlag.REQUIRED,
+                        new AuthorizationPlugin(AuthControlFlag.OPTIONAL, createTestFailingPlugin()),
+                        new AuthorizationPlugin(AuthControlFlag.REQUIRED, createAllowedPrefixPlugin())),
+                    // optional plugin returns false
+                    // required plugin returns false => false
+                    NewTest(false, createUnallowedProject()),
+                    NewTest(false, createUnallowedGroup()),
+                    // optional plugin returns false
+                    // required plugin returns true => true
+                    NewTest(true, createAllowedProject()),
+                    NewTest(true, createAllowedGroup()))
+            },
+            {
+                new StackSetup(
+                    NewStack(AuthControlFlag.REQUIRED,
+                            new AuthorizationPlugin(AuthControlFlag.OPTIONAL, createAllowedPrefixPlugin()),
+                            new AuthorizationPlugin(AuthControlFlag.REQUIRED, createNotAllowedPrefixPlugin())),
+                    // optional plugin returns false
+                    // required plugin returns true => true
+                    NewTest(true, createUnallowedProject()),
+                    NewTest(true, createUnallowedGroup()),
+                    // optional plugin returns true
+                    // required plugin returns false => false
+                    NewTest(false, createAllowedProject()),
+                    NewTest(false, createAllowedGroup()))
+            },
+            {
+                new StackSetup(
+                    NewStack(AuthControlFlag.REQUIRED,
+                            new AuthorizationPlugin(AuthControlFlag.OPTIONAL, createTestFailingPlugin())
+                            ),
+                    // optional plugin returns false => false
+                    NewTest(false, createUnallowedProject()),
+                    NewTest(false, createUnallowedGroup()),
+                    NewTest(false, createAllowedProject()),
+                    NewTest(false, createAllowedGroup()))
+            },
+            {
+                new StackSetup(
+                    NewStack(AuthControlFlag.REQUIRED,
+                            new AuthorizationPlugin(AuthControlFlag.OPTIONAL, createAllowedPrefixPlugin())
+                    ),
+                    // optional plugin returns false => false
+                    NewTest(false, createUnallowedProject()),
+                    NewTest(false, createUnallowedGroup()),
+                    // optional plugin returns true => true
+                    NewTest(true, createAllowedProject()),
+                    NewTest(true, createAllowedGroup()))
+            },
         };
     }
 
@@ -668,11 +719,13 @@ public void testPluginsGeneric() {
         for (TestCase innerSetup : setup.setup) {
             String entityName = (innerSetup.entity == null ? "null" : innerSetup.entity.getName());
             try {
+                // group test
                 actual = framework.isAllowed(innerSetup.request, (Group) innerSetup.entity);
                 Assert.assertEquals(String.format(format, setup.toString(), innerSetup.expected, actual, entityName),
                         innerSetup.expected,
                         actual);
             } catch (ClassCastException ex) {
+                // project test
                 actual = framework.isAllowed(innerSetup.request, (Project) innerSetup.entity);
                 Assert.assertEquals(String.format(format, setup.toString(), innerSetup.expected, actual, entityName),
                         innerSetup.expected,