[feature] Allow access to specific Environment Variables when using fn:available-environment-variables#0 and fn:environment-variable#1 to be configured from conf.xml

Author: adamretter

exist-core/pom.xml

@@ -697,6 +697,8 @@
                                 <exclude>src/main/java/org/exist/xquery/Cardinality.java</exclude>
                                 <exclude>src/test/java/org/exist/xquery/ImportModuleTest.java</exclude>
                                 <exclude>src/test/java/org/exist/xquery/XQueryContextAttributesTest.java</exclude>
+                                <exclude>src/main/java/org/exist/xquery/functions/AccessUtil.java</exclude>
+                                <exclude>src/test/java/org/exist/xquery/functions/fn/FunEnvironmentTest.java</exclude>
                                 <exclude>src/main/java/org/exist/xquery/functions/map/MapType.java</exclude>
                                 <exclude>src/test/java/org/exist/xquery/functions/session/AbstractSessionTest.java</exclude>
                                 <exclude>src/test/java/org/exist/xquery/functions/xmldb/AbstractXMLDBTest.java</exclude>
@@ -845,6 +847,8 @@ The original license statement is also included below.]]></preamble>
                                 <include>src/main/java/org/exist/xquery/Cardinality.java</include>
                                 <include>src/test/java/org/exist/xquery/ImportModuleTest.java</include>
                                 <include>src/test/java/org/exist/xquery/XQueryContextAttributesTest.java</include>
+                                <include>src/main/java/org/exist/xquery/functions/AccessUtil.java</include>
+                                <include>src/test/java/org/exist/xquery/functions/fn/FunEnvironmentTest.java</include>
                                 <include>src/main/java/org/exist/xquery/functions/map/MapType.java</include>
                                 <include>src/test/java/org/exist/xquery/functions/session/AbstractSessionTest.java</include>
                                 <include>src/test/java/org/exist/xquery/functions/xmldb/AbstractXMLDBTest.java</include>

exist-core/src/main/java/org/exist/util/Configuration.java

@@ -410,9 +410,6 @@ private void configureXQuery( Element xquery ) throws DatabaseConfigurationExcep
      * @throws  DatabaseConfigurationException
      */
     private void loadModuleClasses( Element xquery, Map<String, Class<?>> modulesClassMap, Map<String, String> modulesSourceMap, Map<String, Map<String, List<? extends Object>>> moduleParameters) throws DatabaseConfigurationException {
-        // add the standard function module
-        modulesClassMap.put(Namespaces.XPATH_FUNCTIONS_NS, org.exist.xquery.functions.fn.FnModule.class);
-
         // add other modules specified in configuration
         final NodeList builtins = xquery.getElementsByTagName(XQUERY_BUILTIN_MODULES_CONFIGURATION_MODULES_ELEMENT_NAME);
 
@@ -474,6 +471,11 @@ private void loadModuleClasses( Element xquery, Map<String, Class<?>> modulesCla
                 }
             }
         }
+
+        // if not specified in the conf.xml, then add the standard function module anyway
+        if (!modulesClassMap.containsKey(Namespaces.XPATH_FUNCTIONS_NS)) {
+            modulesClassMap.put(Namespaces.XPATH_FUNCTIONS_NS, org.exist.xquery.functions.fn.FnModule.class);
+        }
     }
 
     /**

exist-core/src/main/java/org/exist/xquery/AbstractInternalModule.java

@@ -84,6 +84,15 @@ protected List<? extends Object> getParameter(final String paramName) {
         return parameters.get(paramName);
     }
 
+    /**
+     * Get the module parameters.
+     *
+     * @return the module parameters.
+     */
+    protected Map<String, List<? extends Object>> getParameters() {
+        return parameters;
+    }
+
     @Override
     public void setContextItem(final Sequence contextItem) {
         // not used for internal modules

exist-core/src/main/java/org/exist/xquery/functions/AccessUtil.java

@@ -0,0 +1,191 @@
+/*
+ * Copyright (C) 2014, Evolved Binary Ltd
+ *
+ * This file was originally ported from FusionDB to eXist-db by
+ * Evolved Binary, for the benefit of the eXist-db Open Source community.
+ * Only the ported code as it appears in this file, at the time that
+ * it was contributed to eXist-db, was re-licensed under The GNU
+ * Lesser General Public License v2.1 only for use in eXist-db.
+ *
+ * This license grant applies only to a snapshot of the code as it
+ * appeared when ported, it does not offer or infer any rights to either
+ * updates of this source code or access to the original source code.
+ *
+ * The GNU Lesser General Public License v2.1 only license follows.
+ *
+ * ---------------------------------------------------------------------
+ *
+ * Copyright (C) 2014, Evolved Binary Ltd
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; version 2.1.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+package org.exist.xquery.functions;
+
+import com.evolvedbinary.j8fu.tuple.Tuple2;
+import io.lacuna.bifurcan.IMap;
+import io.lacuna.bifurcan.ISet;
+import io.lacuna.bifurcan.LinearSet;
+import io.lacuna.bifurcan.LinearMap;
+import io.lacuna.bifurcan.Map;
+import io.lacuna.bifurcan.Set;
+import org.exist.security.Subject;
+import org.exist.security.internal.SecurityManagerImpl;
+
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import static com.evolvedbinary.j8fu.tuple.Tuple.Tuple;
+
+/**
+ * @author <a href="mailto:[email protected]">Adam Retter</a>
+ */
+public class AccessUtil {
+
+    static final String OTHERWISE = "*";
+
+    /**
+     * Parse access parameters into Group Access Rules and User Access Rules.
+     *
+     * @param accessRulePattern A pattern whose first group matches a "name",
+     *                          and whose second pattern matches the String "Group" or "User".
+     * @param parameters the module parameters.
+     *
+     * @return a Tuple where the first entry is the Group Access Rules, and the second entry is the User Access Rules.
+     */
+    public static Tuple2<IMap<String, ISet<String>>, IMap<String, ISet<String>>> parseAccessParameters(
+            final Pattern accessRulePattern, final java.util.Map<String, List<?>> parameters) {
+        IMap<String, ISet<String>> accessGroupRules = null;
+        IMap<String, ISet<String>> accessUserRules = null;
+
+        if (parameters != null) {
+            Matcher matcher = null;
+            for (final java.util.Map.Entry<String, List<?>> parameter : parameters.entrySet()) {
+                final String parameterName = parameter.getKey();
+                if (matcher == null) {
+                    matcher = accessRulePattern.matcher(parameterName);
+                } else {
+                    matcher.reset(parameterName);
+                }
+
+                if (matcher.matches()) {
+                    final String principalType = matcher.group(2);
+                    if ("Group".equals(principalType)) {
+                        if (accessGroupRules == null) {
+                            accessGroupRules = new LinearMap<>();
+                        }
+                        final String name = matcher.group(1);
+                        accessGroupRules.put(name, toSet(parameter.getValue()));
+                    } else if ("User".equals(principalType)) {
+                        if (accessUserRules == null) {
+                            accessUserRules = new LinearMap<>();
+                        }
+                        final String name = matcher.group(1);
+                        accessUserRules.put(name, toSet(parameter.getValue()));
+                    }
+                }
+            }
+        }
+
+        if ((accessGroupRules == null || !accessGroupRules.contains(OTHERWISE))
+                && ((accessUserRules == null) || !accessUserRules.contains(OTHERWISE))) {
+            if (accessGroupRules == null) {
+                accessGroupRules = new LinearMap<>(1);
+                ISet<String> otherwiseDba = new LinearSet<>(1);
+                otherwiseDba.add(SecurityManagerImpl.DBA_GROUP);
+                otherwiseDba = otherwiseDba.forked();
+                accessGroupRules.put(OTHERWISE, otherwiseDba);
+            }
+        }
+
+        if (accessGroupRules == null) {
+            accessGroupRules = Map.empty();
+        } else {
+            accessGroupRules = accessGroupRules.forked();
+        }
+
+        if (accessUserRules == null) {
+            accessUserRules = Map.empty();
+        } else {
+            accessUserRules = accessUserRules.forked();
+        }
+
+        return Tuple(accessGroupRules, accessUserRules);
+    }
+
+    private static ISet<String> toSet(final List<?> values) {
+        ISet<String> set;
+        if (values.size() > 0) {
+            set = new LinearSet<>();
+            for (final Object value : values) {
+                set.add(value.toString());
+            }
+            set = set.forked();
+        } else {
+            set = Set.empty();
+        }
+        return set;
+    }
+
+    /**
+     * Returns true of the user is allowed access to the name.
+     *
+     * @param user the user to test the access rules against.
+     * @param accessGroupRules the group access rules.
+     * @param accessUserRules the user access rules.
+     * @param name the name of the resource that the user wishes to access.
+     */
+    public static boolean isAllowedAccess(final Subject user, final IMap<String, ISet<String>> accessGroupRules,
+                                          final IMap<String, ISet<String>> accessUserRules, final String name) {
+        return hasGroupAccess(user, accessGroupRules, name)
+                || hasUserAccess(user, accessUserRules, name);
+    }
+
+    private static boolean hasGroupAccess(final Subject user, final IMap<String, ISet<String>> accessGroupRules,
+            final String name) {
+        ISet<String> accessGroups = accessGroupRules.get(name, null);
+
+        // fallback to "otherwise"
+        if (accessGroups == null) {
+            accessGroups = accessGroupRules.get(OTHERWISE, null);
+        }
+
+        if (accessGroups != null) {
+            final String[] userGroups = user.getGroups();
+            for (final String userGroup : userGroups) {
+                if (accessGroups.contains(userGroup)) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
+    private static boolean hasUserAccess(final Subject user, final IMap<String, ISet<String>> accessUserRules,
+            final String name) {
+        ISet<String> accessUsers = accessUserRules.get(name, null);
+
+        // fallback to "otherwise"
+        if (accessUsers == null) {
+            accessUsers = accessUserRules.get(OTHERWISE, null);
+        }
+
+        if (accessUsers != null) {
+            return accessUsers.contains(user.getUsername());
+        }
+
+        return false;
+    }
+}

exist-core/src/main/java/org/exist/xquery/functions/fn/FnModule.java

@@ -24,9 +24,15 @@
 import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Pattern;
 
+import com.evolvedbinary.j8fu.tuple.Tuple2;
+import io.lacuna.bifurcan.IMap;
+import io.lacuna.bifurcan.ISet;
 import org.exist.dom.QName;
+import org.exist.util.PatternFactory;
 import org.exist.xquery.*;
+import org.exist.xquery.functions.AccessUtil;
 import org.exist.xquery.value.FunctionParameterSequenceType;
 import org.exist.xquery.value.FunctionReturnSequenceType;
 
@@ -274,7 +280,12 @@ public class FnModule extends AbstractInternalModule {
     public final static ErrorCodes.ErrorCode SEPM0019 = new ErrorCodes.ErrorCode("SEPM0019", "It is an error if an instance of the data model " +
             "used to specify the settings of serialization parameters specifies the value of the same parameter more than once.");
 
-    public FnModule(Map<String, List<?>> parameters) {
+    private static final Pattern PTN_ENVIRONMENT_VARIABLE_ACCESS = PatternFactory.getInstance().getPattern("environmentVariableAccess\\.([^=\\00])+\\.requires((?:Group)|(?:User))");
+
+    private IMap<String, ISet<String>> environmentVariableAccessGroups = null;
+    private IMap<String, ISet<String>> environmentVariableAccessUsers = null;
+
+    public FnModule(final Map<String, List<?>> parameters) {
         super(functions, parameters, true);
     }
 
@@ -303,6 +314,34 @@ public String getReleaseVersion() {
         return RELEASED_IN_VERSION;
     }
 
+    /**
+     * Get the environment variable names and groups that are allowed to access them.
+     *
+     * @return a map where the key is the environment variable name, and the value is a set of group names.
+     */
+    IMap<String, ISet<String>> getEnvironmentVariableAccessGroups() {
+        if (environmentVariableAccessGroups == null) {
+            final Tuple2<IMap<String, ISet<String>>, IMap<String, ISet<String>>> accessRules = AccessUtil.parseAccessParameters(PTN_ENVIRONMENT_VARIABLE_ACCESS, getParameters());
+            this.environmentVariableAccessGroups = accessRules._1;
+            this.environmentVariableAccessUsers = accessRules._2;
+        }
+        return environmentVariableAccessGroups;
+    }
+
+    /**
+     * Get the environment variable names and users that are allowed to access them.
+     *
+     * @return a map where the key is the environment variable name, and the value is a set of usernames.
+     */
+    IMap<String, ISet<String>> getEnvironmentVariableAccessUsers() {
+        if (environmentVariableAccessUsers == null) {
+            final Tuple2<IMap<String, ISet<String>>, IMap<String, ISet<String>>> accessRules = AccessUtil.parseAccessParameters(PTN_ENVIRONMENT_VARIABLE_ACCESS, getParameters());
+            this.environmentVariableAccessGroups = accessRules._1;
+            this.environmentVariableAccessUsers = accessRules._2;
+        }
+        return environmentVariableAccessUsers;
+    }
+
     static FunctionSignature functionSignature(final String name, final String description, final FunctionReturnSequenceType returnType, final FunctionParameterSequenceType... paramTypes) {
         return FunctionDSL.functionSignature(new QName(name, Function.BUILTIN_FUNCTION_NS), description, returnType, paramTypes);
     }

exist-core/src/main/java/org/exist/xquery/functions/fn/FunEnvironment.java

@@ -32,6 +32,7 @@
 import org.exist.xquery.FunctionSignature;
 import org.exist.xquery.XPathException;
 import org.exist.xquery.XQueryContext;
+import org.exist.xquery.functions.AccessUtil;
 import org.exist.xquery.value.FunctionParameterSequenceType;
 import org.exist.xquery.value.FunctionReturnSequenceType;
 import org.exist.xquery.value.Sequence;
@@ -50,17 +51,19 @@ public class FunEnvironment extends BasicFunction {
                     "Returns a list of environment variable names.",
                     null,
                     new FunctionReturnSequenceType(Type.STRING, Cardinality.ZERO_OR_MORE,
-                            "Returns a sequence of strings, being the names of the environment variables. User must be DBA.")
+                            "Returns a sequence of strings, being the names of the environment variables. " +
+                                    "Only the Environment Variables that the calling user has been granted access to are returned (see conf.xml).")
             ),
             new FunctionSignature(
                     new QName("environment-variable", Function.BUILTIN_FUNCTION_NS),
                     "Returns the value of a system environment variable, if it exists.",
-                    new SequenceType[]{
+                    new SequenceType[] {
                             new FunctionParameterSequenceType("name", Type.STRING,
                                     Cardinality.EXACTLY_ONE, "Name of environment variable.")
                     },
-                    new FunctionReturnSequenceType(Type.STRING, Cardinality.ZERO_OR_ONE, "Corresponding value of the environment variable, "
-                            + "if there is no environment variable with a matching name, the function returns the empty sequence. User must be DBA.")
+                    new FunctionReturnSequenceType(Type.STRING, Cardinality.ZERO_OR_ONE, "Corresponding value of the environment variable, " +
+                            "if there is no environment variable with a matching name, the function returns the empty sequence. " +
+                            "User must have been granted access to the Environment Variable (see conf.xml).")
             )
     };
 
@@ -70,33 +73,33 @@ public FunEnvironment(final XQueryContext context, final FunctionSignature signa
 
     @Override
     public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
-
-        if (!context.getSubject().hasDbaRole()) {
-            final String txt = "Permission denied, calling user '" + context.getSubject().getName() + "' must be a DBA to call this function.";
-            LOGGER.error(txt);
-            return Sequence.EMPTY_SEQUENCE;
-        }
+        final FnModule fnModule = (FnModule) getParentModule();
+        final IMap<String, ISet<String>> environmentVariableAccessGroups = fnModule.getEnvironmentVariableAccessGroups();
+        final IMap<String, ISet<String>> environmentVariableAccessUsers = fnModule.getEnvironmentVariableAccessUsers();
 
         if (isCalledAs("available-environment-variables")) {
 
             final Sequence result = new ValueSequence();
 
             final IMap<String, String> environmentVariables = context.getEnvironmentVariables();
             for (final String environmentVariableName : environmentVariables.keys()) {
-                result.add(new StringValue(environmentVariableName));
+                if (AccessUtil.isAllowedAccess(context.getEffectiveUser(), environmentVariableAccessGroups, environmentVariableAccessUsers, environmentVariableName)) {
+                    result.add(new StringValue(environmentVariableName));
+                }
             }
 
             return result;
 
         } else {
 
-            if (args[0].isEmpty()) {
+            final String environmentVariableName = args[0].itemAt(0).getStringValue();
+            if (!AccessUtil.isAllowedAccess(context.getEffectiveUser(), environmentVariableAccessGroups, environmentVariableAccessUsers, environmentVariableName)) {
+                final String txt = "Permission denied, calling user '" + context.getSubject().getName() + "' must be granted access to the Environment Variable: " + environmentVariableName + ".";
+                LOGGER.error(txt);
                 return Sequence.EMPTY_SEQUENCE;
             }
 
-            final String parameter = args[0].itemAt(0).getStringValue();
-
-            final String value = context.getEnvironmentVariables().get(parameter, null);
+            final String value = context.getEnvironmentVariables().get(environmentVariableName, null);
             if (value == null) {
                 return Sequence.EMPTY_SEQUENCE;
             }