diff --git oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/document/bundlor/BundlingConfigSecurityValidator.java oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/document/bundlor/BundlingConfigSecurityValidator.java
new file mode 100644
index 0000000..c258a2a
--- /dev/null
+++ oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/document/bundlor/BundlingConfigSecurityValidator.java
@@ -0,0 +1,132 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.jackrabbit.oak.plugins.document.bundlor;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+
+import javax.annotation.Nonnull;
+
+import com.google.common.collect.Iterables;
+import org.apache.felix.scr.annotations.Component;
+import org.apache.felix.scr.annotations.Service;
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.oak.api.CommitFailedException;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.security.authorization.permission.PermissionUtil;
+import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
+import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
+import org.apache.jackrabbit.oak.spi.commit.MoveTracker;
+import org.apache.jackrabbit.oak.spi.commit.SubtreeValidator;
+import org.apache.jackrabbit.oak.spi.commit.Validator;
+import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationBase;
+import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
+import org.apache.jackrabbit.oak.spi.security.principal.EmptyPrincipalProvider;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalManagerImpl;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
+import org.apache.jackrabbit.oak.spi.state.NodeState;
+
+import static org.apache.jackrabbit.oak.api.CommitFailedException.ACCESS;
+
+@Service({SecurityConfiguration.class, PrincipalConfiguration.class})
+@Component(immediate = true)
+public class BundlingConfigSecurityValidator extends ConfigurationBase implements PrincipalConfiguration {
+    private final ValidatorProvider allowed = new BundlingConfigValidatorProvider(true);
+    private final ValidatorProvider notAllowed = new BundlingConfigValidatorProvider(false);
+
+    @Nonnull
+    @Override
+    public List<? extends ValidatorProvider> getValidators(@Nonnull String workspaceName,
+                                                           @Nonnull Set<Principal> principals,
+                                                           @Nonnull MoveTracker moveTracker) {
+        boolean systemOrAdminSession = PermissionUtil.isAdminOrSystem(principals, getParameters());
+        ValidatorProvider provider = systemOrAdminSession ? allowed : notAllowed;
+        return Collections.singletonList(provider);
+    }
+
+    //~--------------------------------< PrincipalConfiguration >
+
+    //SecurityProvider does not allow plain SecurityConfiguration hence need to provide
+    //an empty PrincipalConfiguration to provide our validator
+    @Nonnull
+    @Override
+    public PrincipalManager getPrincipalManager(Root root, NamePathMapper namePathMapper) {
+        return new PrincipalManagerImpl(EmptyPrincipalProvider.INSTANCE);
+    }
+
+    @Nonnull
+    @Override
+    public PrincipalProvider getPrincipalProvider(Root root, NamePathMapper namePathMapper) {
+        return EmptyPrincipalProvider.INSTANCE;
+    }
+
+    private static class BundlingConfigValidatorProvider extends ValidatorProvider {
+        private static final String[] PATH_ELEMENTS = Iterables.toArray(PathUtils.elements(BundlingConfigHandler.CONFIG_PATH), String.class);
+        private final Validator validator;
+
+        public BundlingConfigValidatorProvider(boolean allowed) {
+            this.validator = new BundlingConfigValidator(allowed);
+        }
+
+        @Override
+        protected Validator getRootValidator(NodeState before, NodeState after, CommitInfo info) {
+            return new SubtreeValidator(validator, PATH_ELEMENTS);
+        }
+    }
+
+    private static class BundlingConfigValidator extends DefaultValidator {
+        private final boolean allowed;
+
+        public BundlingConfigValidator(boolean allowed) {
+            this.allowed = allowed;
+        }
+
+        @Override
+        public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException {
+            checkPermission();
+            return this;
+        }
+
+        @Override
+        public Validator childNodeChanged(String name, NodeState before, NodeState after)
+                throws CommitFailedException {
+            checkPermission();
+            return this;
+        }
+
+        @Override
+        public Validator childNodeDeleted(String name, NodeState before) throws CommitFailedException {
+            checkPermission();
+            return this;
+        }
+
+        private void checkPermission() throws CommitFailedException {
+            if (!allowed) {
+                throw new CommitFailedException(ACCESS, 0, "Access denied");
+            }
+        }
+    }
+}
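Review bot: `BundlingConfigValidator` guards only the three child-node callbacks, so for a non-admin session a property write made directly on the node at `BundlingConfigHandler.CONFIG_PATH` appears to pass unchecked. This assumes `DefaultValidator` leaves the property callbacks as no-ops and that `SubtreeValidator` hands this validator the config node itself; neither class is visible in the diff. Overriding the property callbacks to call `checkPermission()` as well would close the gap (it needs an import of `org.apache.jackrabbit.oak.api.PropertyState`). Deleting or re-creating the config node while it has no children may slip through the same way and deserves a test. The `"Access denied"` message would also be easier to triage from logs if it named the protected path.

```java
    private static class BundlingConfigValidator extends DefaultValidator {
        // … unchanged: allowed field, constructor, childNodeAdded/Changed/Deleted …

        @Override
        public void propertyAdded(PropertyState after) throws CommitFailedException {
            checkPermission();
        }

        @Override
        public void propertyChanged(PropertyState before, PropertyState after)
                throws CommitFailedException {
            checkPermission();
        }

        @Override
        public void propertyDeleted(PropertyState before) throws CommitFailedException {
            checkPermission();
        }

        // … unchanged: checkPermission …
```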
diff --git oak-core/src/main/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistration.java oak-core/src/main/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistration.java
index 1e38db4..f8cd60d 100644
--- oak-core/src/main/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistration.java
+++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistration.java
@@ -91,7 +91,8 @@ import static com.google.common.collect.Lists.newCopyOnWriteArrayList;
                         "org.apache.jackrabbit.oak.security.authentication.token.TokenConfigurationImpl",
                         "org.apache.jackrabbit.oak.spi.security.user.action.DefaultAuthorizableActionProvider",
                         "org.apache.jackrabbit.oak.security.authorization.restriction.RestrictionProviderImpl",
-                        "org.apache.jackrabbit.oak.security.user.UserAuthenticationFactoryImpl"
+                        "org.apache.jackrabbit.oak.security.user.UserAuthenticationFactoryImpl",
+                        "org.apache.jackrabbit.oak.plugins.document.bundlor.BundlingConfigSecurityValidator"
                 },
                 unbounded = PropertyUnbounded.ARRAY
         )
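Review bot: Adding the validator only to this default list means a deployment that already supplies its own value for the property would not pick up the new entry. The security provider could then register there without the bundling-config validator, leaving writes to the config node unchecked, so this is worth a release note or an upgrade check. The annotation that owns this array starts outside the hunk, so the fact that it is an overridable property is inferred from `unbounded = PropertyUnbounded.ARRAY`. A short comment above the new entry, such as `// required so non-admin writes to the bundling config are rejected`, would explain why a document-store class is listed among the security services.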
diff --git oak-core/src/test/java/org/apache/jackrabbit/oak/plugins/document/bundlor/BundlingConfigSecurityValidatorTest.java oak-core/src/test/java/org/apache/jackrabbit/oak/plugins/document/bundlor/BundlingConfigSecurityValidatorTest.java
new file mode 100644
index 0000000..a593496
--- /dev/null
+++ oak-core/src/test/java/org/apache/jackrabbit/oak/plugins/document/bundlor/BundlingConfigSecurityValidatorTest.java
@@ -0,0 +1,103 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.jackrabbit.oak.plugins.document.bundlor;
+
+import java.io.IOException;
+
+import javax.jcr.security.AccessControlManager;
+
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.CommitFailedException;
+import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.Type;
+import org.apache.jackrabbit.oak.security.principal.PrincipalConfigurationImpl;
+import org.apache.jackrabbit.oak.spi.security.CompositeConfiguration;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class BundlingConfigSecurityValidatorTest extends AbstractSecurityTest {
+    private ContentSession session;
+
+    @Before
+    public void setupValidator(){
+        CompositeConfiguration cc =
+                (CompositeConfiguration) getSecurityProvider().getConfiguration(PrincipalConfiguration.class);
+        cc.addConfiguration(new PrincipalConfigurationImpl(getSecurityProvider()));
+        //Add the default config also
+        cc.addConfiguration(new BundlingConfigSecurityValidator());
+    }
+
+    @After
+    public void closeSession() throws IOException {
+        if (session != null){
+            session.close();
+        }
+    }
+
+    @Test
+    public void writesByAdminUser() throws Exception{
+        session = login(getAdminCredentials());
+        writeUnderBundlorConfigNode(session);
+    }
+
+    @Test
+    public void writesByNonAdminUser() throws Exception{
+        AccessControlManager acMgr = getAccessControlManager(root);
+        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/jcr:system");
+        acl.addEntry(getTestUser().getPrincipal(), privilegesFromNames(PrivilegeConstants.JCR_ALL), true);
+        acMgr.setPolicy("/jcr:system", acl);
+        root.commit();
+
+        ContentSession session = createTestSession();
+        try {
+            writeUnderBundlorConfigNode(session);
+            fail("Writes should have failed");
+        }catch(CommitFailedException ce){
+            assertTrue(ce.isAccessViolation());
+        }
+
+        //Writes to other part of tree should work
+        Root root = session.getLatestRoot();
+        root.getTree("/jcr:system").addChild("foo").setProperty(JcrConstants.JCR_PRIMARYTYPE, "oak:Unstructured", Type.NAME);
+        root.commit();
+    }
+
+    private static void writeUnderBundlorConfigNode(ContentSession session) throws CommitFailedException, IOException {
+        Root root = session.getLatestRoot();
+        Tree tree = root.getTree(BundlingConfigHandler.CONFIG_PATH);
+
+        //Check if session has read permission as validator only blocks writes
+        assertTrue(tree.exists());
+
+        tree.addChild("foo").setProperty(JcrConstants.JCR_PRIMARYTYPE, "oak:Unstructured", Type.NAME);
+        root.commit();
+    }
+}
\ No newline at end of file
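Review bot: Both tests exercise only `addChild` under the config node, so no assertion pins the deny path for changing or deleting an existing child, or for property writes on the config node itself. Adding non-admin cases for those operations would catch a validator callback that is left unguarded. Separately, `ContentSession session = createTestSession();` in `writesByNonAdminUser` declares a local that shadows the field, so `closeSession()` never closes that session; `session = createTestSession();` fixes it. The file also lacks a trailing newline.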
diff --git oak-pojosr/src/test/groovy/org/apache/jackrabbit/oak/run/osgi/BundleConfigSecurityTest.groovy oak-pojosr/src/test/groovy/org/apache/jackrabbit/oak/run/osgi/BundleConfigSecurityTest.groovy
new file mode 100644
index 0000000..d1181e0
--- /dev/null
+++ oak-pojosr/src/test/groovy/org/apache/jackrabbit/oak/run/osgi/BundleConfigSecurityTest.groovy
@@ -0,0 +1,94 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.jackrabbit.oak.run.osgi
+
+import org.apache.felix.connect.launch.PojoServiceRegistry
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils
+import org.apache.jackrabbit.oak.plugins.document.bundlor.BundlingConfigHandler
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants
+import org.junit.After
+import org.junit.Before
+import org.junit.Test
+
+import javax.jcr.GuestCredentials
+import javax.jcr.Session
+import javax.jcr.Node as JNode
+import javax.jcr.SimpleCredentials
+import javax.jcr.security.AccessControlManager
+import javax.jcr.security.Privilege
+import java.nio.file.AccessDeniedException
+
+import static org.apache.jackrabbit.oak.run.osgi.OakOSGiRepositoryFactory.REPOSITORY_CONFIG_FILE
+import static org.junit.Assert.fail
+
+
+class BundleConfigSecurityTest extends AbstractRepositoryFactoryTest {
+    private PojoServiceRegistry registry
+    private Session session
+
+    @Before
+    void initializeRegistry() {
+        config[REPOSITORY_CONFIG_FILE] = createConfigValue("oak-base-config.json", "oak-tar-config.json")
+        repository = repositoryFactory.getRepository(config)
+    }
+
+    @After
+    void logout(){
+        if (session){
+            session.logout()
+        }
+    }
+
+    @Test
+    void bundleConfigValidator() throws Exception{
+        session = createAdminSession()
+        writeUnderBundlorConfigNode(session)
+    }
+
+    @Test
+    void bundleConfigValidatorNonAdmin() throws Exception{
+        Session admin = createAdminSession()
+        AccessControlManager acMgr = admin.accessControlManager
+        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/jcr:system");
+        acl.addEntry(EveryonePrincipal.instance, [acMgr.privilegeFromName(PrivilegeConstants
+                .JCR_ALL)] as Privilege[], true)
+        acMgr.setPolicy("/jcr:system", acl)
+        admin.save()
+        admin.logout()
+
+        session = repository.login(new GuestCredentials())
+
+        try {
+            writeUnderBundlorConfigNode(session)
+            fail()
+        } catch (AccessDeniedException ignore){
+
+        }
+    }
+
+    private static void writeUnderBundlorConfigNode(Session s){
+        JNode node = s.getNode(BundlingConfigHandler.CONFIG_PATH)
+        node.addNode("foo")
+        s.save()
+    }
+}
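Review bot: The `catch (AccessDeniedException ignore)` in `bundleConfigValidatorNonAdmin` resolves to `java.nio.file.AccessDeniedException` because of the import at the top of the file, whereas a denied JCR `save()` is normally reported as `javax.jcr.AccessDeniedException`. As written, the expected denial would presumably escape the catch and the test would error instead of passing. Replace the import with `import javax.jcr.AccessDeniedException`. The `registry` field and the `SimpleCredentials` and `SecurityProvider` imports look unused in this file and can be dropped, and `fail()` would read better with a message such as `fail("Write under bundling config should be denied")`.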
