[bugfix] allow public downloads, tighten security

Do not allow members of group "repo" to modify package contents.
Set UID for get-package.xq to allow guest to download packages while
still be able to write logs.

Author: line-o

modules/config.xqm

@@ -76,7 +76,7 @@ declare function config:repo-descriptor() as element(repo:meta) {
 declare function config:repo-permissions() as map(*) { 
     config:repo-descriptor()/repo:permissions ! 
         map { 
-            "user": ./@user/string(), 
+            "owner": ./@user/string(), 
             "group": ./@group/string(),
             "mode": ./@mode/string()
         }

modules/db-utility.xqm

@@ -30,7 +30,7 @@ function dbu:ensure-collection($path as xs:string) as xs:string {
  : will throw an error if the current user does not have the appropriate rights
  :
  : @param $path xs:string
- : @param $permissions map(xs:string, xs:string) user, group, mode
+ : @param $permissions map(xs:string, xs:string) with "owner", "group", "mode"
  : @returns the path that was entered
  :)
 declare
@@ -60,18 +60,15 @@ function dbu:set-repo-permissions ($resource-or-collection as xs:string) as xs:s
  : will throw an error, if the current user does not have the appropriate rights
  :
  : @param $resource-or-collection xs:string
- : @param $permissions map(xs:string, xs:string) with "user", "group", "mode"
+ : @param $permissions map(xs:string, xs:string) with "owner", "group", "mode"
  : @returns the path that was entered
  :)
 declare 
 function dbu:set-permissions ($resource-or-collection as xs:string, $permissions as map(*)) as xs:string {
-    let $set := (
-        sm:chown($resource-or-collection, $permissions?owner),
-        sm:chgrp($resource-or-collection, $permissions?group),
-        sm:chmod(xs:anyURI($resource-or-collection), $permissions?mode)
-    )
-
-    return $resource-or-collection
+    sm:chown($resource-or-collection, $permissions?owner),
+    sm:chgrp($resource-or-collection, $permissions?group),
+    sm:chmod(xs:anyURI($resource-or-collection), $permissions?mode),
+    $resource-or-collection
 };
 
 declare 

modules/log.xqm

@@ -27,7 +27,13 @@ xquery version "3.1";
 module namespace log="http://exist-db.org/xquery/app/log";
 
 import module namespace config="http://exist-db.org/xquery/apps/config" at "config.xqm";
-import module namespace scanrepo="http://exist-db.org/xquery/admin/scanrepo" at "scan.xqm";
+import module namespace dbu="http://exist-db.org/xquery/utility/db" at "db-utility.xqm";
+
+declare variable $log:base-collection := $config:logs-col;
+declare variable $log:file-permission := map:merge((
+    $dbu:default-permissions,
+    map { "mode": "rw-rw-r--" }
+));
 
 (:~
  : Append entries to the structured application event log
@@ -37,53 +43,37 @@ import module namespace scanrepo="http://exist-db.org/xquery/admin/scanrepo" at
  :)
 declare function log:event($event as element(event)) as empty-sequence() {
     let $today := current-date()
-    let $log-collection-name := log:collection($today)
-    let $log-collection := $config:logs-col || "/" || $log-collection-name
+    let $log-collection := log:collection($today)
     let $log-document-name := log:document-name($today)
-    let $log-document := $log-collection || "/" || $log-document-name
-    let $store-log :=
-        if (doc-available($log-document)) then 
-            update insert $event into doc($log-document)/public-repo-log
-        else 
-            ( 
-                if (xmldb:collection-available($log-collection)) then
-                    ()
-                else
-                    log:mkcol($config:logs-col, $log-collection-name),
-                scanrepo:store($log-collection, $log-document-name, element public-repo-log { $event })
-            )
+    
     return
-        ()
+        if (doc-available($log-collection || "/" || $log-document-name))
+        then log:append-log($log-collection, $log-document-name, $event)
+        else log:create-log($log-collection, $log-document-name, $event)
 };
 
-declare %private function log:collection($date as xs:date) {
-    format-date($date, "[Y]/[M01]")
+declare %private
+function log:append-log ($log-collection as xs:string, $log-document-name as xs:string, $event as element(event)) as empty-sequence() {
+    let $node := doc($log-collection || "/" || $log-document-name)/public-repo-log
+    let $update := update insert $event into $node
+    return ()
 };
 
-declare %private function log:document-name($date as xs:date) {
-    "public-repo-log-" || format-date($date, "[Y]-[M01]-[D01]") || ".xml"
+declare %private
+function log:create-log ($log-collection as xs:string, $log-document-name as xs:string, $event as element(event)) as empty-sequence() {
+    dbu:ensure-collection($log-collection)
+    => xmldb:store($log-document-name, element public-repo-log { $event })
+    => dbu:set-permissions($log:file-permission)
+    => log:return-empty()
 };
 
-(:~
- : Recursively create a collection hierarchy
- :)
-declare %private function log:mkcol($collection as xs:string, $path as xs:string) {
-    log:mkcol-recursive($collection, tokenize($path, "/"))
+declare %private
+function log:return-empty ($item as item()*) as empty-sequence() {}; 
+
+declare %private function log:collection($date as xs:date) as xs:string {
+    $log:base-collection || "/" || format-date($date, "[Y]/[M01]")
 };
 
-declare 
-    %private
-function log:mkcol-recursive($collection as xs:string, $components as xs:string*) {
-    if (exists($components)) then
-        let $newColl := concat($collection, "/", $components[1])
-        return (
-            xmldb:create-collection($collection, $components[1]) ! 
-                (
-                    sm:chgrp(xs:anyURI(.), config:repo-permissions()?mode),
-                    .
-                ),
-            log:mkcol-recursive($newColl, subsequence($components, 2))
-        )
-    else
-        ()
+declare %private function log:document-name($date as xs:date) as xs:string {
+    "public-repo-log-" || format-date($date, "[Y]-[M01]-[D01]") || ".xml"
 };

post-install.xq

@@ -8,6 +8,7 @@ xquery version "3.1";
  :)
 
 import module namespace config="http://exist-db.org/xquery/apps/config" at "modules/config.xqm";
+import module namespace dbu="http://exist-db.org/xquery/utility/db" at "modules/db-utility.xqm";
 import module namespace scanrepo="http://exist-db.org/xquery/admin/scanrepo" at "modules/scan.xqm";
 
 declare namespace sm="http://exist-db.org/xquery/securitymanager";
@@ -33,63 +34,33 @@ declare variable $logs-xconf :=
         </index>
     </collection>;
 
-(: Helper function to recursively create a collection hierarchy :)
-declare function local:mkcol-recursive($collection as xs:string, $components as xs:string*) {
-    if (exists($components)) then
-        let $newColl := concat($collection, "/", $components[1])
-        return (
-            xmldb:create-collection($collection, $components[1]),
-            local:mkcol-recursive($newColl, subsequence($components, 2))
-        )
-    else
-        ()
-};
+declare variable $permissions := config:repo-permissions();
 
-(: Create a collection hierarchy :)
-declare function local:mkcol($collection as xs:string, $path as xs:string) {
-    local:mkcol-recursive($collection, tokenize($path, "/"))
-};
+(: Create the data collection hierarchy and set the package permissions :)
 
-(:~
- : Set user and group to be owner by values in repo.xml
- :)
-declare function local:set-data-collection-permissions($resource as xs:string) {
-    if (sm:get-permissions(xs:anyURI($resource))/sm:permission/@group = config:repo-permissions()?group) then
-        ()
-    else
-        (
-            sm:chown($resource, config:repo-permissions()?user),
-            sm:chgrp($resource, config:repo-permissions()?group),
-            sm:chmod(xs:anyURI($resource), config:repo-permissions()?mode)
-        )
-};
-
-(: Create the data collection hierarchy :)
-
-xmldb:create-collection($config:app-data-parent-col, $config:app-data-col-name),
-for $col-name in ($config:icons-col-name, $config:metadata-col-name, $config:packages-col-name, $config:logs-col-name)
-return
-    xmldb:create-collection($config:app-data-col, $col-name),
+for-each((
+$config:app-data-col,
+$config:packages-col,
+$config:icons-col,
+$config:metadata-col,
+$config:logs-col
+), dbu:ensure-collection(?)),
 
 (: Create log indexes :)
 
-local:mkcol("/db/system/config", $config:logs-col),
-xmldb:store("/db/system/config" || $config:logs-col, "collection.xconf", $logs-xconf),
+"/db/system/config" || $config:logs-col
+=> dbu:ensure-collection(map {"owner": "SYSTEM", "group": "dba", "mode": "rwxr-xr-x"})
+=> xmldb:store("collection.xconf", $logs-xconf)
+=> dbu:set-permissions(map {"owner": "SYSTEM", "group": "dba", "mode": "rw-r--r--"})
+,
 xmldb:reindex($config:logs-col),
 
-(: Set user and group ownership on the package data collection hierarchy :)
-
-for $col in ($config:app-data-col, xmldb:get-child-collections($config:app-data-col) ! ($config:app-data-col || "/" || .))
-return
-    local:set-data-collection-permissions($col),
-
 (: Build package metadata if missing :)
 
 if (doc-available($config:raw-packages-doc) and doc-available($config:package-groups-doc)) then
     ()
 else
     scanrepo:rebuild-all-package-metadata(),
 
-(: Ensure get-package.xq is run as "repo" group, so that it can write to logs :)
-
-sm:chmod(xs:anyURI($target || "/modules/get-package.xq"), "g+s")
+(: Ensure get-package.xq is run as "repo:repo", so that logs will always be writable :)
+sm:chmod(xs:anyURI($target || "/modules/get-package.xq"), "rwsr-sr-x")

repo.xml

@@ -10,7 +10,7 @@
     <target>public-repo</target>
     <prepare/>
     <finish>post-install.xq</finish>
-    <permissions password="repo" user="repo" group="repo" mode="rwxrwxr-x"/>
+    <permissions password="repo" user="repo" group="repo" mode="rwxr-xr-x"/>
     <changelog>
         <change version="2.0.0">
             <ul xmlns="http://www.w3.org/1999/xhtml">