Merge pull request #4349 from evolvedbinary/feature/system-as-user

dizzzz · web-flow · commit f8a036c510e1 · 2022-04-26T12:00:39.000+02:00
Improvements to system:as-user
diff --git a/exist-core/src/main/java/org/exist/xquery/functions/system/AsUser.java b/exist-core/src/main/java/org/exist/xquery/functions/system/AsUser.java
@@ -21,43 +21,59 @@
  */
 package org.exist.xquery.functions.system;
 
+import com.evolvedbinary.j8fu.function.SupplierE;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.exist.dom.QName;
 import org.exist.security.AuthenticationException;
 import org.exist.security.SecurityManager;
 import org.exist.security.Subject;
 import org.exist.storage.DBBroker;
 import org.exist.xquery.*;
-import org.exist.xquery.value.FunctionParameterSequenceType;
+import org.exist.xquery.value.FunctionReference;
 import org.exist.xquery.value.Item;
 import org.exist.xquery.value.Sequence;
-import org.exist.xquery.value.SequenceType;
 import org.exist.xquery.value.Type;
 
+import static org.exist.xquery.FunctionDSL.*;
+import static org.exist.xquery.functions.system.SystemModule.functionSignature;
+
 /**
  */
 public class AsUser extends Function {
 
     private final static Logger logger = LogManager.getLogger(AsUser.class);
 
-    public final static FunctionSignature signature = new FunctionSignature(
-        new QName("as-user", SystemModule.NAMESPACE_URI, SystemModule.PREFIX),
-        "A pseudo-function to execute a limited block of code as a different " +
-        "user. The first argument is the name of the user, the second is the " +
-        "password. If the user can be authenticated, the function will execute the " +
-        "code block given in the third argument with the permissions of that user and" +
-        "returns the result of the execution. Before the function completes, it switches " +
-        "the current user back to the old user.",
-        new SequenceType[] {
-            new FunctionParameterSequenceType("username", Type.STRING, Cardinality.EXACTLY_ONE, "The username of the user to run the code against"),
-            new FunctionParameterSequenceType("password", Type.STRING, Cardinality.ZERO_OR_ONE, "The password of the user to run the code against"),
-            new FunctionParameterSequenceType("code-block", Type.ITEM, Cardinality.ZERO_OR_MORE, "The code block to run as the identified user")
-        },
-        new FunctionParameterSequenceType("result", Type.ITEM, Cardinality.ZERO_OR_MORE, "the results of the code block executed")
+    private static String FS_AS_USER_NAME = "as-user";
+    public final static FunctionSignature FS_AS_USER = functionSignature(
+            FS_AS_USER_NAME,
+            "A pseudo-function to execute a limited block of code as a different " +
+            "user. The first argument is the name of the user, the second is the " +
+            "password. If the user can be authenticated, the function will execute the " +
+            "code block given in the third argument with the permissions of that user and" +
+            "returns the result of the execution. Before the function completes, it switches " +
+            "the current user back to the old user.",
+            returnsOptMany(Type.ITEM, "the results of the code block executed"),
+            param("username", Type.STRING, "The username of the user to run the code against"),
+            optParam("password", Type.STRING, "The password of the user to run the code against"),
+            optManyParam("code-block", Type.ITEM, "The code block to run as the identified user")
+    );
+
+    private static String FS_FUNCTION_AS_USER_NAME = "function-as-user";
+    public final static FunctionSignature FS_FUNCTION_AS_USER = functionSignature(
+            FS_FUNCTION_AS_USER_NAME,
+            "A pseudo-function to execute a function as a different " +
+                    "user. The first argument is the name of the user, the second is the " +
+                    "password. If the user can be authenticated, the function will execute the " +
+                    "function given in the third argument with the permissions of that user and" +
+                    "returns the result of the execution. Before the function completes, it switches " +
+                    "the current user back to the old user.",
+            returnsOptMany(Type.ITEM, "the results of the code block executed"),
+            param("username", Type.STRING, "The username of the user to run the code against"),
+            optParam("password", Type.STRING, "The password of the user to run the code against"),
+            param("function", Type.FUNCTION_REFERENCE, "The zero arity function to run as the identified user")
     );
 
-    public AsUser(final XQueryContext context) {
+    public AsUser(final XQueryContext context, final FunctionSignature signature) {
         super(context, signature);
     }
 
@@ -87,27 +103,40 @@ public Sequence eval(final Sequence contextSequence, final Item contextItem) thr
             throw exception;
         }
 
-        logger.info("Setting the effective user to: [{}]", username);
+        final SupplierE<Sequence, XPathException> function;
+        if (isCalledAs(FS_AS_USER_NAME)) {
+            final Expression codeBlock = getArgument(2);
+            function = () -> codeBlock.eval(contextSequence, contextItem);
+        } else if (isCalledAs(FS_FUNCTION_AS_USER_NAME)) {
+            final FunctionReference functionArg = (FunctionReference) getArgument(2).eval(contextSequence, contextItem).itemAt(0);
+            final int functionArgArity = functionArg.getSignature().getArgumentCount();
+            if (functionArgArity != 0) {
+                throw new XPathException(this, "$function argument must be a zero arity function, but found a function with arity: " + functionArgArity);
+            }
+            function = () -> functionArg.evalFunction(null, null, null);
+        } else {
+            throw new XPathException(this, "Unknown function: " + getSignature().getName());
+        }
+
+        if (logger.isTraceEnabled()) {
+            logger.trace("Setting the effective user to: [{}]", username);
+        }
         try {
             broker.pushSubject(user);
-            return getArgument(2).eval(contextSequence, contextItem);
+            return function.get();
         } finally {
             broker.popSubject();
-            logger.info("Returned the effective user to: [{}]", broker.getCurrentSubject());
+            if (logger.isTraceEnabled()) {
+                logger.trace("Returned the effective user to: [{}]", broker.getCurrentSubject());
+            }
         }
     }
 
-    /* (non-Javadoc)
-     * @see org.exist.xquery.AbstractExpression#getDependencies()
-     */
     @Override
     public int getDependencies() {
         return getArgument(2).getDependencies();
     }
 
-    /* (non-Javadoc)
-     * @see org.exist.xquery.PathExpr#returnsType()
-     */
     @Override
     public int returnsType() {
         return getArgument(2).returnsType();
diff --git a/exist-core/src/main/java/org/exist/xquery/functions/system/SystemModule.java b/exist-core/src/main/java/org/exist/xquery/functions/system/SystemModule.java
@@ -66,7 +66,8 @@ public class SystemModule extends AbstractInternalModule {
             new FunctionDef(Shutdown.signatures[1], Shutdown.class),
             new FunctionDef(GetModuleLoadPath.signature, GetModuleLoadPath.class),
             new FunctionDef(TriggerSystemTask.signature, TriggerSystemTask.class),
-            new FunctionDef(AsUser.signature, AsUser.class),
+            new FunctionDef(AsUser.FS_AS_USER, AsUser.class),
+			new FunctionDef(AsUser.FS_FUNCTION_AS_USER, AsUser.class),
             new FunctionDef(GetIndexStatistics.signature, GetIndexStatistics.class),
             new FunctionDef(UpdateStatistics.signature, UpdateStatistics.class),
             new FunctionDef(GetRunningXQueries.signature, GetRunningXQueries.class),
diff --git a/exist-core/src/test/java/xquery/system/SystemTests.java b/exist-core/src/test/java/xquery/system/SystemTests.java
@@ -0,0 +1,32 @@
+/*
+ * eXist-db Open Source Native XML Database
+ * Copyright (C) 2001 The eXist-db Authors
+ *
+ * info@exist-db.org
+ * http://www.exist-db.org
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+package xquery.system;
+
+import org.exist.test.runner.XSuite;
+import org.junit.runner.RunWith;
+
+@RunWith(XSuite.class)
+@XSuite.XSuiteFiles({
+        "src/test/xquery/system"
+})
+public class SystemTests {
+}
diff --git a/exist-core/src/test/xquery/system/as-user.xqm b/exist-core/src/test/xquery/system/as-user.xqm
@@ -0,0 +1,71 @@
+(:
+ : eXist-db Open Source Native XML Database
+ : Copyright (C) 2001 The eXist-db Authors
+ :
+ : info@exist-db.org
+ : http://www.exist-db.org
+ :
+ : This library is free software; you can redistribute it and/or
+ : modify it under the terms of the GNU Lesser General Public
+ : License as published by the Free Software Foundation; either
+ : version 2.1 of the License, or (at your option) any later version.
+ :
+ : This library is distributed in the hope that it will be useful,
+ : but WITHOUT ANY WARRANTY; without even the implied warranty of
+ : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ : Lesser General Public License for more details.
+ :
+ : You should have received a copy of the GNU Lesser General Public
+ : License along with this library; if not, write to the Free Software
+ : Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ :)
+xquery version "3.1";
+
+module namespace sysau = "http://exist-db.org/test/system/as-user";
+
+import module namespace sm = "http://exist-db.org/xquery/securitymanager";
+import module namespace system = "http://exist-db.org/xquery/system";
+
+declare namespace test = "http://exist-db.org/xquery/xqsuite";
+
+declare
+    %test:assertEquals('admin')
+function sysau:function-as-user-admin-inline() {
+    system:function-as-user("admin", "", function() {
+        (sm:id()//sm:username)[last()]/string(.)
+    })
+};
+
+declare
+    %test:assertEquals('guest')
+function sysau:function-as-user-guest-inline() {
+    system:function-as-user("guest", "guest", function() {
+        (sm:id()//sm:username)[last()]/string(.)
+    })
+};
+
+declare
+    %test:assertEquals('admin')
+function sysau:function-as-user-admin-reference() {
+    system:function-as-user("admin", "", sysau:get-effective-user-id#0)
+};
+
+declare
+    %test:assertEquals('guest')
+function sysau:function-as-user-guest-reference() {
+    system:function-as-user("guest", "guest", sysau:get-effective-user-id#0)
+};
+
+declare
+    %test:assertError
+function sysau:function-as-user-unknown() {
+    system:function-as-user("unknown", "", function() {
+        ()
+    })
+};
+
+declare
+    %private
+function sysau:get-effective-user-id() as xs:string {
+    (sm:id()//sm:username)[last()]/string(.)
+};
