[feature] Add a function for executing a function as a different effective user - system:function-as-user#3

Author: adamretter

exist-core/src/main/java/org/exist/xquery/functions/system/AsUser.java

@@ -21,13 +21,15 @@
  */
 package org.exist.xquery.functions.system;
 
+import com.evolvedbinary.j8fu.function.SupplierE;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.exist.security.AuthenticationException;
 import org.exist.security.SecurityManager;
 import org.exist.security.Subject;
 import org.exist.storage.DBBroker;
 import org.exist.xquery.*;
+import org.exist.xquery.value.FunctionReference;
 import org.exist.xquery.value.Item;
 import org.exist.xquery.value.Sequence;
 import org.exist.xquery.value.Type;
@@ -56,6 +58,21 @@ public class AsUser extends Function {
             optManyParam("code-block", Type.ITEM, "The code block to run as the identified user")
     );
 
+    private static String FS_FUNCTION_AS_USER_NAME = "function-as-user";
+    public final static FunctionSignature FS_FUNCTION_AS_USER = functionSignature(
+            FS_FUNCTION_AS_USER_NAME,
+            "A pseudo-function to execute a function as a different " +
+                    "user. The first argument is the name of the user, the second is the " +
+                    "password. If the user can be authenticated, the function will execute the " +
+                    "function given in the third argument with the permissions of that user and" +
+                    "returns the result of the execution. Before the function completes, it switches " +
+                    "the current user back to the old user.",
+            returnsOptMany(Type.ITEM, "the results of the code block executed"),
+            param("username", Type.STRING, "The username of the user to run the code against"),
+            optParam("password", Type.STRING, "The password of the user to run the code against"),
+            param("function", Type.FUNCTION_REFERENCE, "The zero arity function to run as the identified user")
+    );
+
     public AsUser(final XQueryContext context, final FunctionSignature signature) {
         super(context, signature);
     }
@@ -86,12 +103,27 @@ public Sequence eval(final Sequence contextSequence, final Item contextItem) thr
             throw exception;
         }
 
+        final SupplierE<Sequence, XPathException> function;
+        if (isCalledAs(FS_AS_USER_NAME)) {
+            final Expression codeBlock = getArgument(2);
+            function = () -> codeBlock.eval(contextSequence, contextItem);
+        } else if (isCalledAs(FS_FUNCTION_AS_USER_NAME)) {
+            final FunctionReference functionArg = (FunctionReference) getArgument(2).eval(contextSequence, contextItem).itemAt(0);
+            final int functionArgArity = functionArg.getSignature().getArgumentCount();
+            if (functionArgArity != 0) {
+                throw new XPathException(this, "$function argument must be a zero arity function, but found a function with arity: " + functionArgArity);
+            }
+            function = () -> functionArg.evalFunction(null, null, null);
+        } else {
+            throw new XPathException(this, "Unknown function: " + getSignature().getName());
+        }
+
         if (logger.isTraceEnabled()) {
             logger.trace("Setting the effective user to: [{}]", username);
         }
         try {
             broker.pushSubject(user);
-            return getArgument(2).eval(contextSequence, contextItem);
+            return function.get();
         } finally {
             broker.popSubject();
             if (logger.isTraceEnabled()) {

exist-core/src/main/java/org/exist/xquery/functions/system/SystemModule.java

@@ -67,6 +67,7 @@ public class SystemModule extends AbstractInternalModule {
             new FunctionDef(GetModuleLoadPath.signature, GetModuleLoadPath.class),
             new FunctionDef(TriggerSystemTask.signature, TriggerSystemTask.class),
             new FunctionDef(AsUser.FS_AS_USER, AsUser.class),
+			new FunctionDef(AsUser.FS_FUNCTION_AS_USER, AsUser.class),
             new FunctionDef(GetIndexStatistics.signature, GetIndexStatistics.class),
             new FunctionDef(UpdateStatistics.signature, UpdateStatistics.class),
             new FunctionDef(GetRunningXQueries.signature, GetRunningXQueries.class),

exist-core/src/test/java/xquery/system/SystemTests.java

@@ -0,0 +1,32 @@
+/*
+ * eXist-db Open Source Native XML Database
+ * Copyright (C) 2001 The eXist-db Authors
+ *
+ * [email protected]
+ * http://www.exist-db.org
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+package xquery.system;
+
+import org.exist.test.runner.XSuite;
+import org.junit.runner.RunWith;
+
+@RunWith(XSuite.class)
+@XSuite.XSuiteFiles({
+        "src/test/xquery/system"
+})
+public class SystemTests {
+}

exist-core/src/test/xquery/system/as-user.xqm

@@ -0,0 +1,71 @@
+(:
+ : eXist-db Open Source Native XML Database
+ : Copyright (C) 2001 The eXist-db Authors
+ :
+ : [email protected]
+ : http://www.exist-db.org
+ :
+ : This library is free software; you can redistribute it and/or
+ : modify it under the terms of the GNU Lesser General Public
+ : License as published by the Free Software Foundation; either
+ : version 2.1 of the License, or (at your option) any later version.
+ :
+ : This library is distributed in the hope that it will be useful,
+ : but WITHOUT ANY WARRANTY; without even the implied warranty of
+ : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ : Lesser General Public License for more details.
+ :
+ : You should have received a copy of the GNU Lesser General Public
+ : License along with this library; if not, write to the Free Software
+ : Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ :)
+xquery version "3.1";
+
+module namespace sysau = "http://exist-db.org/test/system/as-user";
+
+import module namespace sm = "http://exist-db.org/xquery/securitymanager";
+import module namespace system = "http://exist-db.org/xquery/system";
+
+declare namespace test = "http://exist-db.org/xquery/xqsuite";
+
+declare
+    %test:assertEquals('admin')
+function sysau:function-as-user-admin-inline() {
+    system:function-as-user("admin", "", function() {
+        sm:id()//sm:effective//sm:username/string()
+    })
+};
+
+declare
+    %test:assertEquals('guest')
+function sysau:function-as-user-guest-inline() {
+    system:function-as-user("guest", "guest", function() {
+        sm:id()//sm:effective//sm:username/string()
+    })
+};
+
+declare
+    %test:assertEquals('admin')
+function sysau:function-as-user-admin-reference() {
+    system:function-as-user("admin", "", sysau:get-effective-user-id#0)
+};
+
+declare
+    %test:assertEquals('guest')
+function sysau:function-as-user-guest-reference() {
+    system:function-as-user("guest", "guest", sysau:get-effective-user-id#0)
+};
+
+declare
+    %test:assertError
+function sysau:function-as-user-unknown() {
+    system:function-as-user("unknown", "", function() {
+        ()
+    })
+};
+
+declare
+    %private
+function sysau:get-effective-user-id() as xs:string {
+    sm:id()//sm:effective//sm:username/string()
+};