feat(policy): expose customProperties in SpEL policy conditions (#27033)

Author: SaaiAravindhRaja

openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/ResourceContext.java

@@ -1,12 +1,14 @@
 package org.openmetadata.service.security.policyevaluator;
 
 import static org.openmetadata.common.utils.CommonUtil.nullOrEmpty;
+import static org.openmetadata.service.Entity.FIELD_EXTENSION;
 import static org.openmetadata.service.Entity.FIELD_OWNERS;
 
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.UUID;
 import lombok.Getter;
 import lombok.NonNull;
@@ -17,6 +19,7 @@
 import org.openmetadata.schema.type.EntityReference;
 import org.openmetadata.schema.type.Include;
 import org.openmetadata.schema.type.TagLabel;
+import org.openmetadata.schema.utils.JsonUtils;
 import org.openmetadata.service.Entity;
 import org.openmetadata.service.exception.EntityNotFoundException;
 import org.openmetadata.service.jdbi3.EntityRepository;
@@ -186,6 +189,20 @@ public List<EntityReference> getDomains() {
     return entity.getDomains();
   }
 
+  @Override
+  public Map<String, Object> getCustomProperties() {
+    resolveEntity();
+    if (entity == null || entity.getExtension() == null) {
+      return Collections.emptyMap();
+    }
+    try {
+      return JsonUtils.getMap(entity.getExtension());
+    } catch (Exception e) {
+      LOG.warn("Failed to get custom properties: {}", e.getMessage());
+      return Collections.emptyMap();
+    }
+  }
+
   private EntityInterface resolveEntity() {
     if (entity == null) {
       Fields fieldList;
@@ -210,6 +227,9 @@ private EntityInterface resolveEntity() {
         if (entityRepository.isSupportsReviewers()) {
           fields = EntityUtil.addField(fields, Entity.FIELD_REVIEWERS);
         }
+        if (supportsExtension()) {
+          fields = EntityUtil.addField(fields, FIELD_EXTENSION);
+        }
         fieldList = entityRepository.getFields(fields);
       }
 
@@ -251,4 +271,13 @@ private boolean useRepositoryCache() {
     return operation != ResourceContextInterface.Operation.PATCH
         && operation != ResourceContextInterface.Operation.PUT;
   }
+
+  private boolean supportsExtension() {
+    try {
+      entityRepository.getFields(FIELD_EXTENSION);
+      return true;
+    } catch (Exception e) {
+      return false;
+    }
+  }
 }

openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/ResourceContextInterface.java

@@ -1,6 +1,8 @@
 package org.openmetadata.service.security.policyevaluator;
 
+import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 import org.openmetadata.schema.EntityInterface;
 import org.openmetadata.schema.type.EntityReference;
 import org.openmetadata.schema.type.TagLabel;
@@ -25,4 +27,10 @@ enum Operation {
   EntityInterface getEntity();
 
   List<EntityReference> getDomains();
+
+  // Get custom properties of a resource as a map for use in SpEL policy conditions.
+  // Returns an empty map if the resource has no custom properties.
+  default Map<String, Object> getCustomProperties() {
+    return Collections.emptyMap();
+  }
 }

openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/RuleEvaluator.java

@@ -4,7 +4,9 @@
 import static org.openmetadata.schema.type.Include.NON_DELETED;
 
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.stream.Collectors;
 import lombok.extern.slf4j.Slf4j;
@@ -414,4 +416,12 @@ private void validateEntityByName(String entityType, String name) {
           name);
     }
   }
+
+  @SuppressWarnings("unused")
+  public Map<String, Object> getCustomProperties() {
+    if (resourceContext == null) {
+      return Collections.emptyMap();
+    }
+    return resourceContext.getCustomProperties();
+  }
 }

openmetadata-service/src/test/java/org/openmetadata/service/security/policyevaluator/RuleEvaluatorTest.java

@@ -19,6 +19,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Map;
 import java.util.UUID;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.tuple.ImmutablePair;
@@ -1079,6 +1080,28 @@ void test_noDomain() {
     assertTrue(negatedNoDomainInherited != null && negatedNoDomainInherited);
   }
 
+  @Test
+  void test_customPropertiesExposedInSpEL() {
+    ResourceContextInterface customPropertiesContext = mock(ResourceContextInterface.class);
+    Mockito.when(customPropertiesContext.getCustomProperties())
+        .thenReturn(Map.of("sensitivity", "PII"));
+
+    SubjectContext localSubjectContext = new SubjectContext(user, null);
+    RuleEvaluator evaluator = new RuleEvaluator(null, localSubjectContext, customPropertiesContext);
+    StandardEvaluationContext context = new StandardEvaluationContext(evaluator);
+    Boolean result =
+        parseExpression("customProperties.get('sensitivity') == 'PII'")
+            .getValue(context, Boolean.class);
+    assertTrue(result != null && result);
+
+    RuleEvaluator validationEvaluator = new RuleEvaluator(false);
+    StandardEvaluationContext validationContext = new StandardEvaluationContext(validationEvaluator);
+    Boolean validationResult =
+        parseExpression("customProperties.get('sensitivity') == 'PII'")
+            .getValue(validationContext, Boolean.class);
+    assertTrue(validationResult != null && !validationResult);
+  }
+
   @AfterEach
   void resetContext() {
     subjectContext = new SubjectContext(user, null);