Send view security on view creation to OPA authorizer

Author: sbernauer

plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaAccessControl.java

@@ -468,7 +468,7 @@ public void checkCanUpdateTableColumns(SystemSecurityContext securityContext, Ca
     @Override
     public void checkCanCreateView(SystemSecurityContext context, CatalogSchemaTableName view, Optional<ViewSecurity> security)
     {
-        checkTableOperation(context, "CreateView", view, AccessDeniedException::denyCreateView);
+        checkViewOperation(context, "CreateView", view, security, AccessDeniedException::denyCreateView);
     }
 
     @Override
@@ -780,6 +780,17 @@ private void checkTableAndColumnsOperation(SystemSecurityContext context, String
                 OpaQueryInputResource.builder().table(new TrinoTable(table).withColumns(columns)).build());
     }
 
+    private void checkViewOperation(SystemSecurityContext context, String actionName, CatalogSchemaTableName view, Optional<ViewSecurity> security, Consumer<String> deny)
+    {
+        OpaQueryInputResource.Builder opaQueryInputResourceBuilder = OpaQueryInputResource.builder().table(new TrinoTable(view));
+        security.ifPresent(opaQueryInputResourceBuilder::security);
+        opaHighLevelClient.queryAndEnforce(
+                buildQueryContext(context),
+                actionName,
+                () -> deny.accept(view.toString()),
+                opaQueryInputResourceBuilder.build());
+    }
+
     private <T> void enforcePermissionManagementOperation(Consumer<T> deny, T arg)
     {
         if (!allowPermissionManagementOperations) {

plugin/trino-opa/src/main/java/io/trino/plugin/opa/schema/OpaQueryInputResource.java

@@ -14,6 +14,7 @@
 package io.trino.plugin.opa.schema;
 
 import com.fasterxml.jackson.annotation.JsonInclude;
+import io.trino.spi.security.ViewSecurity;
 
 import static com.fasterxml.jackson.annotation.JsonInclude.Include.NON_NULL;
 import static java.util.Objects.requireNonNull;
@@ -27,7 +28,8 @@ public record OpaQueryInputResource(
         NamedEntity catalog,
         TrinoSchema schema,
         TrinoTable table,
-        TrinoColumn column)
+        TrinoColumn column,
+        ViewSecurity security)
 {
     public record NamedEntity(String name)
     {
@@ -52,6 +54,7 @@ public static class Builder
         private TrinoTable table;
         private TrinoFunction function;
         private TrinoColumn column;
+        private ViewSecurity security;
 
         private Builder() {}
 
@@ -109,6 +112,12 @@ public Builder column(TrinoColumn column)
             return this;
         }
 
+        public Builder security(ViewSecurity security)
+        {
+            this.security = security;
+            return this;
+        }
+
         public OpaQueryInputResource build()
         {
             return new OpaQueryInputResource(
@@ -119,7 +128,8 @@ public OpaQueryInputResource build()
                     this.catalog,
                     this.schema,
                     this.table,
-                    this.column);
+                    this.column,
+                    this.security);
         }
     }
 }

plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControl.java

@@ -211,36 +211,55 @@ private void testTableWithPropertiesActions(
     }
 
     @Test
-    public void testViewResourceActions()
+    public void testCreateViewWithoutSecurity()
     {
-        testViewResourceActions("CreateView", OpaAccessControl::checkCanCreateView);
+        CatalogSchemaTableName viewName = new CatalogSchemaTableName("my_catalog", "my_schema", "my_view");
+        ThrowingMethodWrapper wrappedMethod = new ThrowingMethodWrapper(
+                accessControl -> accessControl.checkCanCreateView(TEST_SECURITY_CONTEXT, viewName, Optional.empty()));
+        String expectedRequest =
+                """
+                {
+                    "operation": "CreateView",
+                    "resource": {
+                        "table": {
+                            "catalogName": "%s",
+                            "schemaName": "%s",
+                            "tableName": "%s"
+                        }
+                    }
+                }
+                """.formatted(
+                        viewName.getCatalogName(),
+                        viewName.getSchemaTableName().getSchemaName(),
+                        viewName.getSchemaTableName().getTableName());
+        assertAccessControlMethodBehaviour(wrappedMethod, ImmutableSet.of(expectedRequest));
     }
 
-    private void testViewResourceActions(
-            String actionName,
-            FunctionalHelpers.Consumer4<OpaAccessControl, SystemSecurityContext, CatalogSchemaTableName, Optional<ViewSecurity>> callable)
+    @Test
+    public void testCreateViewWithInvokerSecurity()
     {
         CatalogSchemaTableName viewName = new CatalogSchemaTableName("my_catalog", "my_schema", "my_view");
         Optional<ViewSecurity> security = Optional.of(ViewSecurity.INVOKER);
         ThrowingMethodWrapper wrappedMethod = new ThrowingMethodWrapper(
-                accessControl -> callable.accept(accessControl, TEST_SECURITY_CONTEXT, viewName, security));
+                accessControl -> accessControl.checkCanCreateView(TEST_SECURITY_CONTEXT, viewName, security));
         String expectedRequest =
                 """
                 {
-                    "operation": "%s",
+                    "operation": "CreateView",
                     "resource": {
                         "table": {
                             "catalogName": "%s",
                             "schemaName": "%s",
                             "tableName": "%s"
-                        }
+                        },
+                        "security": "%s"
                     }
                 }
                 """.formatted(
-                        actionName,
                         viewName.getCatalogName(),
                         viewName.getSchemaTableName().getSchemaName(),
-                        viewName.getSchemaTableName().getTableName());
+                        viewName.getSchemaTableName().getTableName(),
+                        security.get());
         assertAccessControlMethodBehaviour(wrappedMethod, ImmutableSet.of(expectedRequest));
     }