[feature] Allow access to specific Java System Properties when using fn:available-system-properties#0 and fn:system-property#1 to be configured from conf.xml

adamretter · adamretter · commit 491539e1d666 · 2022-06-21T16:09:25.000+02:00
diff --git a/exist-core/pom.xml b/exist-core/pom.xml
@@ -705,6 +705,7 @@
                                 <exclude>src/test/java/org/exist/xquery/functions/session/AttributeTest.java</exclude>
                                 <exclude>src/test/java/org/exist/xquery/functions/xmldb/XMLDBAuthenticateTest.java</exclude>
                                 <exclude>src/main/java/org/exist/xquery/functions/util/Eval.java</exclude>
+                                <include>src/test/java/org/exist/xquery/functions/util/SystemPropertyTest.java</include>
                                 <exclude>src/test/java/org/exist/xquery/util/URIUtilsTest.java</exclude>
                                 <exclude>src/main/java/org/exist/xquery/value/ArrayListValueSequence.java</exclude>
                                 <exclude>src/test/java/org/exist/xquery/value/BifurcanMapTest.java</exclude>
@@ -855,6 +856,7 @@ The original license statement is also included below.]]></preamble>
                                 <include>src/test/java/org/exist/xquery/functions/session/AttributeTest.java</include>
                                 <include>src/test/java/org/exist/xquery/functions/xmldb/XMLDBAuthenticateTest.java</include>
                                 <include>src/main/java/org/exist/xquery/functions/util/Eval.java</include>
+                                <include>src/test/java/org/exist/xquery/functions/util/SystemPropertyTest.java</include>
                                 <include>src/test/java/org/exist/xquery/util/URIUtilsTest.java</include>
                                 <include>src/main/java/org/exist/xquery/value/ArrayListValueSequence.java</include>
                                 <include>src/test/java/org/exist/xquery/value/BifurcanMapTest.java</include>
diff --git a/exist-core/src/main/java/org/exist/xquery/functions/util/SystemProperty.java b/exist-core/src/main/java/org/exist/xquery/functions/util/SystemProperty.java
@@ -21,11 +21,16 @@
  */
 package org.exist.xquery.functions.util;
 
+import io.lacuna.bifurcan.IMap;
+import io.lacuna.bifurcan.ISet;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.exist.ExistSystemProperties;
 import org.exist.xquery.BasicFunction;
 import org.exist.xquery.FunctionSignature;
 import org.exist.xquery.XPathException;
 import org.exist.xquery.XQueryContext;
+import org.exist.xquery.functions.AccessUtil;
 import org.exist.xquery.value.Sequence;
 import org.exist.xquery.value.StringValue;
 import org.exist.xquery.value.Type;
@@ -42,9 +47,12 @@
  *
  * @author Wolfgang Meier
  * @author Loren Cahlander
+ * @author <a href="mailto:adam@evolvedbinary.com>Adam Retter</a>
  */
 public class SystemProperty extends BasicFunction {
 
+    private static final Logger LOGGER = LogManager.getLogger(SystemProperty.class);
+
     private final static String FS_AVAILABLE_SYSTEM_PROPERTIES_NAME = "available-system-properties";
     public final static FunctionSignature FS_AVAILABLE_SYSTEM_PROPERTIES = functionSignature(
             FS_AVAILABLE_SYSTEM_PROPERTIES_NAME,
@@ -70,11 +78,21 @@ public SystemProperty(final XQueryContext context, final FunctionSignature signa
 
     @Override
     public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
+        final UtilModule utilModule = (UtilModule) getParentModule();
+        final IMap<String, ISet<String>> systemPropertyAccessGroups = utilModule.getSystemPropertyAccessGroups();
+        final IMap<String, ISet<String>> systemPropertyAccessUsers = utilModule.getSystemPropertyAccessUsers();
+
         if (isCalledAs(FS_AVAILABLE_SYSTEM_PROPERTIES_NAME)) {
 
             final Set<String> availableProperties = new HashSet<>();
             availableProperties.addAll(ExistSystemProperties.getInstance().getAvailableExistSystemProperties());
-            availableProperties.addAll(context.getJavaSystemProperties().keys().toSet());
+
+            // add any Java System Properties that the user has access to
+            for (final String systemPropertyName : context.getJavaSystemProperties().keys()) {
+                if (AccessUtil.isAllowedAccess(context.getEffectiveUser(), systemPropertyAccessGroups, systemPropertyAccessUsers, systemPropertyName)) {
+                    availableProperties.add(systemPropertyName);
+                }
+            }
 
             final ValueSequence result = new ValueSequence(availableProperties.size());
             for (final String availableProperty : availableProperties) {
@@ -84,11 +102,22 @@ public Sequence eval(final Sequence[] args, final Sequence contextSequence) thro
             return result;
 
         } else {
-            final String key = args[0].getStringValue();
-            String value = ExistSystemProperties.getInstance().getExistSystemProperty(key, null);
+            final String systemPropertyName = args[0].getStringValue();
+
+            // always allow access to all eXist-db System Properties
+            String value = ExistSystemProperties.getInstance().getExistSystemProperty(systemPropertyName, null);
             if (value == null) {
-                value = context.getJavaSystemProperties().get(key, null);
+
+                // check for a Java System Property that the user has access to
+                if (!AccessUtil.isAllowedAccess(context.getEffectiveUser(), systemPropertyAccessGroups, systemPropertyAccessUsers, systemPropertyName)) {
+                    final String txt = "Permission denied, calling user '" + context.getSubject().getName() + "' must be granted access to the Java System Property: " + systemPropertyName + ".";
+                    LOGGER.error(txt);
+                    return Sequence.EMPTY_SEQUENCE;
+                }
+
+                value = context.getJavaSystemProperties().get(systemPropertyName, null);
             }
+
             return value == null ? Sequence.EMPTY_SEQUENCE : new StringValue(value);
         }
     }
diff --git a/exist-core/src/main/java/org/exist/xquery/functions/util/UtilModule.java b/exist-core/src/main/java/org/exist/xquery/functions/util/UtilModule.java
@@ -24,9 +24,15 @@
 import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Pattern;
 
+import com.evolvedbinary.j8fu.tuple.Tuple2;
+import io.lacuna.bifurcan.IMap;
+import io.lacuna.bifurcan.ISet;
 import org.exist.dom.QName;
+import org.exist.util.PatternFactory;
 import org.exist.xquery.*;
+import org.exist.xquery.functions.AccessUtil;
 import org.exist.xquery.value.FunctionParameterSequenceType;
 import org.exist.xquery.value.FunctionReturnSequenceType;
 
@@ -37,7 +43,7 @@
  * @author <a href="mailto:wolfgang@exist-db.org">Wolfgang Meier</a>
  * @author ljo
  * @author <a href="mailto:andrzej@chaeron.com">Andrzej Taramina</a>
- * @author <a href="mailto:adam@evolvedbinary.com">Adam retter</a>
+ * @author <a href="mailto:adam@evolvedbinary.com>Adam Retter</a>
  */
 public class UtilModule extends AbstractInternalModule {
 
@@ -166,6 +172,11 @@ public class UtilModule extends AbstractInternalModule {
 
     public final static QName ERROR_CODE_QNAME = new QName("error-code", UtilModule.NAMESPACE_URI, UtilModule.PREFIX);
 
+    private static final Pattern PTN_SYSTEM_PROPERTY_ACCESS = PatternFactory.getInstance().getPattern("systemPropertyAccess\\.([^=\\00])+\\.requires((?:Group)|(?:User))");
+
+    private IMap<String, ISet<String>> systemPropertyAccessGroups = null;
+    private IMap<String, ISet<String>> systemPropertyAccessUsers = null;
+
     public UtilModule(final Map<String, List<? extends Object>> parameters) throws XPathException {
         super(functions, parameters, true);
 
@@ -218,6 +229,34 @@ public void reset(final XQueryContext xqueryContext, final boolean keepGlobals)
         super.reset(xqueryContext, keepGlobals);
     }
 
+    /**
+     * Get the system property names and groups that are allowed to access them.
+     *
+     * @return a map where the key is the system property name, and the value is a set of group names.
+     */
+    IMap<String, ISet<String>> getSystemPropertyAccessGroups() {
+        if (systemPropertyAccessGroups == null) {
+            final Tuple2<IMap<String, ISet<String>>, IMap<String, ISet<String>>> accessRules = AccessUtil.parseAccessParameters(PTN_SYSTEM_PROPERTY_ACCESS, getParameters());
+            this.systemPropertyAccessGroups = accessRules._1;
+            this.systemPropertyAccessUsers = accessRules._2;
+        }
+        return systemPropertyAccessGroups;
+    }
+
+    /**
+     * Get the system property names and users that are allowed to access them.
+     *
+     * @return a map where the key is the system property name, and the value is a set of usernames.
+     */
+    IMap<String, ISet<String>> getSystemPropertyAccessUsers() {
+        if (systemPropertyAccessUsers == null) {
+            final Tuple2<IMap<String, ISet<String>>, IMap<String, ISet<String>>> accessRules = AccessUtil.parseAccessParameters(PTN_SYSTEM_PROPERTY_ACCESS, getParameters());
+            this.systemPropertyAccessGroups = accessRules._1;
+            this.systemPropertyAccessUsers = accessRules._2;
+        }
+        return systemPropertyAccessUsers;
+    }
+
     static FunctionSignature functionSignature(final String name, final String description, final FunctionReturnSequenceType returnType, final FunctionParameterSequenceType... paramTypes) {
         return FunctionDSL.functionSignature(new QName(name, NAMESPACE_URI, PREFIX), description, returnType, paramTypes);
     }
diff --git a/exist-core/src/test/java/org/exist/xquery/functions/util/SystemPropertyTest.java b/exist-core/src/test/java/org/exist/xquery/functions/util/SystemPropertyTest.java
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2014, Evolved Binary Ltd
+ *
+ * This file was originally ported from FusionDB to eXist-db by
+ * Evolved Binary, for the benefit of the eXist-db Open Source community.
+ * Only the ported code as it appears in this file, at the time that
+ * it was contributed to eXist-db, was re-licensed under The GNU
+ * Lesser General Public License v2.1 only for use in eXist-db.
+ *
+ * This license grant applies only to a snapshot of the code as it
+ * appeared when ported, it does not offer or infer any rights to either
+ * updates of this source code or access to the original source code.
+ *
+ * The GNU Lesser General Public License v2.1 only license follows.
+ *
+ * ---------------------------------------------------------------------
+ *
+ * Copyright (C) 2014, Evolved Binary Ltd
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; version 2.1.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+package org.exist.xquery.functions.util;
+
+import org.exist.EXistException;
+import org.exist.ExistSystemProperties;
+import org.exist.security.PermissionDeniedException;
+import org.exist.storage.BrokerPool;
+import org.exist.storage.DBBroker;
+import org.exist.test.ExistEmbeddedServer;
+import org.exist.util.DatabaseConfigurationException;
+import org.exist.xquery.XPathException;
+import org.exist.xquery.XQuery;
+import org.exist.xquery.value.Sequence;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Optional;
+import java.util.Set;
+
+import static org.junit.Assert.*;
+
+@RunWith(Parameterized.class)
+public class SystemPropertyTest {
+
+    @Parameterized.Parameters(name = "{0}")
+    public static java.util.Collection<Object[]> data() {
+        return Arrays.asList(new Object[][] {
+                { "non-secure", null, false },
+                { "secure", "conf-sys-props-admins-only.xml", true }
+        });
+    }
+
+    @Parameterized.Parameter(value = 0)
+    public String testTypeName;
+
+    @Parameterized.Parameter(value = 1)
+    public String confFileName;
+
+    @Parameterized.Parameter(value = 2)
+    public boolean shouldReturnEmptySequence;
+
+    private ExistEmbeddedServer existEmbeddedServer = null;
+
+    @Before
+    public void setup() throws URISyntaxException, DatabaseConfigurationException, EXistException, IOException {
+        if (confFileName == null) {
+            existEmbeddedServer = new ExistEmbeddedServer(true, true);
+        } else {
+            final Path confFile = Paths.get(getClass().getResource(confFileName).toURI());
+            existEmbeddedServer = new ExistEmbeddedServer(null, confFile, null, true, true);
+        }
+        existEmbeddedServer.startDb();
+    }
+
+    @After
+    public void teardown() {
+        if (existEmbeddedServer != null) {
+            existEmbeddedServer.stopDb();
+        }
+        existEmbeddedServer = null;
+    }
+
+    @Test
+    public void availableSystemProperties() throws EXistException, XPathException, PermissionDeniedException {
+        final BrokerPool pool = existEmbeddedServer.getBrokerPool();
+        final XQuery xqueryService = pool.getXQueryService();
+        try (final DBBroker broker = pool.get(Optional.of(pool.getSecurityManager().getSystemSubject()))) {
+
+            final String query = "util:available-system-properties()";
+            final Sequence result = xqueryService.execute(broker, query, null);
+            assertFalse(result.isEmpty());
+
+            final Set<String> set = new HashSet<>(result.getItemCount());
+            for (int i = 0; i < result.getItemCount(); i++) {
+                set.add(result.itemAt(i).getStringValue());
+            }
+
+            assertTrue(set.contains(ExistSystemProperties.PROP_PRODUCT_VERSION));
+
+            if (shouldReturnEmptySequence) {
+                assertFalse(set.contains("os.name"));
+            } else {
+                assertTrue(set.contains("os.name"));
+            }
+        }
+    }
+
+    @Test
+    public void systemProperty() throws EXistException, XPathException, PermissionDeniedException {
+        final BrokerPool pool = existEmbeddedServer.getBrokerPool();
+        final XQuery xqueryService = pool.getXQueryService();
+        try (final DBBroker broker = pool.get(Optional.of(pool.getSecurityManager().getSystemSubject()))) {
+
+            String query = "util:system-property('" + ExistSystemProperties.PROP_PRODUCT_NAME + "')";
+            Sequence result = xqueryService.execute(broker, query, null);
+            assertEquals(1, result.getItemCount());
+
+            query = "util:system-property('os.name')";
+            result = xqueryService.execute(broker, query, null);
+
+            if (shouldReturnEmptySequence) {
+                assertTrue(result.isEmpty());
+            } else {
+                assertFalse(result.isEmpty());
+            }
+        }
+    }
+}
diff --git a/exist-core/src/test/resources/org/exist/xquery/functions/util/conf-sys-props-admins-only.xml b/exist-core/src/test/resources/org/exist/xquery/functions/util/conf-sys-props-admins-only.xml
diff --git a/exist-distribution/src/main/config/conf.xml b/exist-distribution/src/main/config/conf.xml
