From 84ef6e5b1c8d14291d6cf245467ae8166288434d Mon Sep 17 00:00:00 2001
From: Madhan Neethiraj
Date: Tue, 20 Feb 2024 21:23:26 -0800
Subject: [PATCH] RANGER-4723: updated zone matcher to handle descendent match
---
 .../plugin/policyengine/RangerSecurityZoneMatcher.java | 10 +++++++++-
 .../policyengine/TestRangerSecurityZoneMatcher.java | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerSecurityZoneMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerSecurityZoneMatcher.java
index a36eda0b8c..822bb39028 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerSecurityZoneMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerSecurityZoneMatcher.java
@@ -26,6 +26,7 @@
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 import org.apache.ranger.plugin.model.validation.RangerZoneResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType;
 import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
 import org.apache.ranger.plugin.util.RangerResourceEvaluatorsRetriever;
 import org.apache.ranger.plugin.util.ServicePolicies.SecurityZoneInfo;
@@ -103,7 +104,14 @@ private Set getZonesForResourceAndChildren(Map resource, Rang
 LOG.debug("Trying to match resource:[{}] using matcher:[{}]", accessResource, matcher);
 }
- if (matcher.getPolicyResourceMatcher().isMatch(accessResource, RangerPolicyResourceMatcher.MatchScope.ANY, null)) {
+ RangerPolicyResourceMatcher policyResourceMatcher = matcher.getPolicyResourceMatcher();
+ MatchType matchType = policyResourceMatcher.getMatchType(accessResource, null);
+
+ if (matchType == MatchType.DESCENDANT) { // add unzoned name
+ ret.add("");
+ }
+
+ if (matchType != MatchType.NONE) {
 if (LOG.isDebugEnabled()) {
 LOG.debug("Matched resource:[{}] using matcher:[{}]", accessResource, matcher);
 }
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerSecurityZoneMatcher.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerSecurityZoneMatcher.java
index 2541844032..1506df3b5c 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerSecurityZoneMatcher.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerSecurityZoneMatcher.java
@@ -72,7 +72,7 @@ public void testZoneMatcher() {
 res = createResource("database", "db3");
 zones = zoneMatcher.getZonesForResourceAndChildren(res);
- assertEquals(createSet("z3", "z4"), zones);
+ assertEquals(createSet("", "z3", "z4"), zones);
 }
 private Map createSecurityZones() {
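Review bot: The empty string added by `ret.add("")` in the `MatchType.DESCENDANT` branch of `getZonesForResourceAndChildren` is an undocumented sentinel: callers now receive `""` alongside real zone names and have to know it means "unzoned", yet the only explanation is the trailing comment `// add unzoned name`. Because the returned set appears to decide which zones' policies are considered for the resource and its children, I would define the sentinel once as a named constant (for example `UNZONED_ZONE_NAME`, a placeholder name) and state in the method's Javadoc that `""` is returned when only some descendants of the resource fall inside a zone. It is also worth confirming that `getMatchType` cannot return null here, since `matchType != MatchType.NONE` would then count as a match, whereas the replaced `isMatch(accessResource, MatchScope.ANY, null)` call returned a plain boolean. The method body starts and ends outside the hunk, so how `ret` is consumed is not visible from here.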