RANGER-5342: USER-role users with names similar to admin or keyadmin can query those admin/keyadmin users.

Author: RakeshGuptaDev

security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java

@@ -23,6 +23,7 @@
 import java.util.Map;
 import java.util.List;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 
 import javax.servlet.http.HttpServletRequest;
@@ -437,15 +438,32 @@ else if ((searchCriteria.getParamList().containsKey("name")) && userName!= null
 					hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) : hasRole;
 					hasRole = !userRolesList.contains(RangerConstants.ROLE_USER) ? userRolesList.add(RangerConstants.ROLE_USER) : hasRole;
 				} else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) {
+					if ((CollectionUtils.isNotEmpty(userRolesList) && (userRolesList.size() != 1 || !userRolesList.contains(RangerConstants.ROLE_USER)))
+                            || (userRole != null && !RangerConstants.ROLE_USER.equals(userRole))) {
+						throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.");
+					}
+
 					logger.info("Logged-In user having user role will be able to fetch his own user details.");
-					if (!searchCriteria.getParamList().containsKey("name")) {
-						searchCriteria.addParam("name", loggedInVXUser.getName());
-					}else if(searchCriteria.getParamList().containsKey("name")
-							&& !stringUtil.isEmpty(searchCriteria.getParamValue("name").toString())
-							&& !searchCriteria.getParamValue("name").toString().equalsIgnoreCase(loggedInVXUser.getName())){
+
+					if (searchCriteria.getParamList().containsKey("name") && !stringUtil.isEmpty(searchCriteria.getParamValue("name").toString()) && !searchCriteria.getParamValue("name").toString().equalsIgnoreCase(loggedInVXUser.getName())) {
 						throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.");
 					}
-									
+
+
+					if (loggedInVXUser != null && !xUserMgr.hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)) {
+						loggedInVXUser = xUserMgr.getMaskedVXUser(loggedInVXUser);
+					}
+
+					VXUserList vXUserList = new VXUserList();
+					vXUserList.setVXUsers(Collections.singletonList(loggedInVXUser));
+					vXUserList.setStartIndex(searchCriteria.getStartIndex());
+					vXUserList.setResultSize(vXUserList.getVXUsers().size());
+					vXUserList.setTotalCount(vXUserList.getVXUsers().size());
+					vXUserList.setPageSize(searchCriteria.getMaxRows());
+					vXUserList.setSortBy(searchCriteria.getSortBy());
+					vXUserList.setSortType(searchCriteria.getSortType());
+
+					return vXUserList;
 				}
 			}
 		}

security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java

@@ -1890,7 +1890,7 @@ public void test112deleteUsersByUserNameNull() {
 	@SuppressWarnings({ "unchecked", "static-access" })
 	@Test
 	public void test113ErrorWhenRoleUserIsTryingToFetchAnotherUserDetails() {
-	
+
 		destroySession();
 		String userLoginID = "testuser";
 		Long userId = 8L;
@@ -1935,7 +1935,7 @@ public void test113ErrorWhenRoleUserIsTryingToFetchAnotherUserDetails() {
 	@SuppressWarnings({ "unchecked", "static-access" })
 	@Test
 	public void test114RoleUserWillGetOnlyHisOwnUserDetails() {
-	
+
 		destroySession();
 		String userLoginID = "testuser";
 		Long userId = 8L;
@@ -1977,8 +1977,8 @@ public void test114RoleUserWillGetOnlyHisOwnUserDetails() {
 		Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "status", "User Status")).thenReturn(1);
 		Mockito.when(searchUtil.extractStringList(request, testSearchCriteria, "userRoleList", "User Role List", "userRoleList", null,null)).thenReturn(new ArrayList<String>());
 		Mockito.when(searchUtil.extractRoleString(request, testSearchCriteria, "userRole", "Role", null)).thenReturn("");
+		Mockito.when(xUserMgr.hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)).thenReturn(true);
 		Mockito.when(xUserService.getXUserByUserName("testuser")).thenReturn(loggedInUser);
-		Mockito.when(xUserMgr.searchXUsers(testSearchCriteria)).thenReturn(expecteUserList);
 		VXUserList gotVXUserList=xUserRest.searchXUsers(request, null, null);
 
 		assertEquals(gotVXUserList.getList().size(), 1);
@@ -2017,7 +2017,7 @@ public void test116updateXGroupPermissionWithPermissionIdIsNull() {
 		assertEquals(retVXGroupPermission.getClass(), testVXGroupPermission.getClass());
 
 	}
-	
+
 	@After
 	public void destroySession() {
 		RangerSecurityContext context = new RangerSecurityContext();