Merge pull request #67 from joewiz/fix-repo-group-permissions

Fix repo group permissions

Author: line-o

modules/config.xqm

@@ -71,13 +71,14 @@ declare function config:repo-descriptor() as element(repo:meta) {
 };
 
 (:~
- : Returns the user and group from the repo.xml descriptor.
+ : Returns the permissions information from the repo.xml descriptor.
  :)
 declare function config:repo-permissions() as map(*) { 
     config:repo-descriptor()/repo:permissions ! 
         map { 
             "user": ./@user/string(), 
-            "group": ./@group/string() 
+            "group": ./@group/string(),
+            "mode": ./@mode/string()
         }
 };
 

modules/log.xqm

@@ -27,6 +27,7 @@ xquery version "3.1";
 module namespace log="http://exist-db.org/xquery/app/log";
 
 import module namespace config="http://exist-db.org/xquery/apps/config" at "config.xqm";
+import module namespace scanrepo="http://exist-db.org/xquery/admin/scanrepo" at "scan.xqm";
 
 (:~
  : Append entries to the structured application event log
@@ -36,21 +37,21 @@ import module namespace config="http://exist-db.org/xquery/apps/config" at "conf
  :)
 declare function log:event($event as element(event)) as empty-sequence() {
     let $today := current-date()
-    let $log-collection := log:collection($today)
+    let $log-collection-name := log:collection($today)
+    let $log-collection := $config:logs-col || "/" || $log-collection-name
     let $log-document-name := log:document-name($today)
-    let $log-document-path :=
-        ($config:logs-col, $log-collection, $log-document-name) 
-        => string-join("/") 
-    let $_ :=
-        if (doc-available($log-document-path)) then 
-            update insert $event into doc($log-document-path)/public-repo-log
-        else ( 
-            log:mkcol($config:logs-col, $log-collection),
-            xmldb:store(
-                $config:logs-col || "/" || $log-collection,
-                $log-document-name, 
-                element public-repo-log { $event })
-        )
+    let $log-document := $log-collection || "/" || $log-document-name
+    let $store-log :=
+        if (doc-available($log-document)) then 
+            update insert $event into doc($log-document)/public-repo-log
+        else 
+            ( 
+                if (xmldb:collection-available($log-collection)) then
+                    ()
+                else
+                    log:mkcol($config:logs-col, $log-collection-name),
+                scanrepo:store($log-collection, $log-document-name, element public-repo-log { $event })
+            )
     return
         ()
 };
@@ -76,7 +77,11 @@ function log:mkcol-recursive($collection as xs:string, $components as xs:string*
     if (exists($components)) then
         let $newColl := concat($collection, "/", $components[1])
         return (
-            xmldb:create-collection($collection, $components[1]),
+            xmldb:create-collection($collection, $components[1]) ! 
+                (
+                    sm:chgrp(xs:anyURI(.), config:repo-permissions()?mode),
+                    .
+                ),
             log:mkcol-recursive($newColl, subsequence($components, 2))
         )
     else

modules/publish-package.xq

@@ -32,7 +32,7 @@ declare function local:log-put-package-event($filename as xs:string) as empty-se
 };
 
 declare function local:upload-and-publish($xar-filename as xs:string, $xar-binary as xs:base64Binary) {
-    let $path := xmldb:store($config:packages-col, $xar-filename, $xar-binary)
+    let $path := scanrepo:store($config:packages-col, $xar-filename, $xar-binary)
     let $publish := scanrepo:publish-package($xar-filename)
     return
         map { 

modules/scan.xqm

@@ -17,6 +17,18 @@ declare namespace xmldb="http://exist-db.org/xquery/xmldb";
 
 declare namespace expath="http://expath.org/ns/pkg";
 
+(:~
+ : Helper function to store resources and set permissions for access by repo group
+ :)
+declare function scanrepo:store($collection-uri as xs:string, $resource-name as xs:string, $contents as item()?) as xs:string {
+    xmldb:store($collection-uri, $resource-name, $contents) !
+        (
+            sm:chgrp(., config:repo-permissions()?group),
+            sm:chmod(., config:repo-permissions()?mode),
+            .
+        )
+};
+
 (:~
  : Helper function to store a package's icon and transform its metadata into the format needed for raw-metadata
  :)
@@ -26,7 +38,7 @@ function scanrepo:handle-icon($path as xs:string, $data as item()?, $param as it
     let $pkgName := substring-before($param, ".xar")
     let $suffix := replace($path, "^.*\.([^\.]+)", "$1")
     let $name := concat($pkgName, ".", $suffix)
-    let $stored := xmldb:store($config:icons-col, $name, $data)
+    let $stored := scanrepo:store($config:icons-col, $name, $data)
     return
         element icon { $name }
 };
@@ -214,7 +226,7 @@ declare function scanrepo:rebuild-package-groups() as xs:string {
                 $group
         }
     return
-        xmldb:store($config:metadata-col, $config:package-groups-doc-name, $package-groups)
+        scanrepo:store($config:metadata-col, $config:package-groups-doc-name, $package-groups)
 };
 
 (:~
@@ -229,7 +241,7 @@ declare function scanrepo:rebuild-raw-packages() as xs:string {
                 scanrepo:extract-raw-package($package-xar)
         }
     return
-        xmldb:store($config:metadata-col, $config:raw-packages-doc-name, $raw-packages)
+        scanrepo:store($config:metadata-col, $config:raw-packages-doc-name, $raw-packages)
 };
 
 (:~

post-install.xq

@@ -23,30 +23,60 @@ declare variable $dir external;
 (: the target collection into which the app is deployed :)
 declare variable $target external;
 
-(: Until https://github.com/eXist-db/exist/issues/3734 is fixed, we hard code the default group name :)
-declare variable $repo-group := 
-    (: config:repo-permissions()?group :)
-    "repo"
-;
-declare variable $repo-user := 
-    (: config:repo-permissions()?user :)
-    "repo"
-;
+(: Configuration file for the logs collection :)
+declare variable $logs-xconf := 
+    <collection xmlns="http://exist-db.org/collection-config/1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+        <index>
+            <range>
+                <create qname="type" type="xs:string"/>
+            </range>
+        </index>
+    </collection>;
+
+(: Helper function to recursively create a collection hierarchy :)
+declare function local:mkcol-recursive($collection as xs:string, $components as xs:string*) {
+    if (exists($components)) then
+        let $newColl := concat($collection, "/", $components[1])
+        return (
+            xmldb:create-collection($collection, $components[1]),
+            local:mkcol-recursive($newColl, subsequence($components, 2))
+        )
+    else
+        ()
+};
+
+(: Create a collection hierarchy :)
+declare function local:mkcol($collection as xs:string, $path as xs:string) {
+    local:mkcol-recursive($collection, tokenize($path, "/"))
+};
 
 (:~
  : Set user and group to be owner by values in repo.xml
  :)
 declare function local:set-data-collection-permissions($resource as xs:string) {
-    if (sm:get-permissions(xs:anyURI($resource))/sm:permission/@group = $repo-group) then
+    if (sm:get-permissions(xs:anyURI($resource))/sm:permission/@group = config:repo-permissions()?group) then
         ()
     else
         (
-            sm:chown($resource, $repo-user),
-            sm:chgrp($resource, $repo-group),
-            sm:chmod(xs:anyURI($resource), "rwxrwxr-x")
+            sm:chown($resource, config:repo-permissions()?user),
+            sm:chgrp($resource, config:repo-permissions()?group),
+            sm:chmod(xs:anyURI($resource), config:repo-permissions()?mode)
         )
 };
 
+(: Create the data collection hierarchy :)
+
+xmldb:create-collection($config:app-data-parent-col, $config:app-data-col-name),
+for $col-name in ($config:icons-col-name, $config:metadata-col-name, $config:packages-col-name, $config:logs-col-name)
+return
+    xmldb:create-collection($config:app-data-col, $col-name),
+
+(: Create log indexes :)
+
+local:mkcol("/db/system/config", $config:logs-col),
+xmldb:store("/db/system/config" || $config:logs-col, "collection.xconf", $logs-xconf),
+xmldb:reindex($config:logs-col),
+
 (: Set user and group ownership on the package data collection hierarchy :)
 
 for $col in ($config:app-data-col, xmldb:get-child-collections($config:app-data-col) ! ($config:app-data-col || "/" || .))
@@ -58,10 +88,8 @@ return
 if (doc-available($config:raw-packages-doc) and doc-available($config:package-groups-doc)) then
     ()
 else
-    (
-        scanrepo:rebuild-all-package-metadata(),
-        ($config:raw-packages-doc, $config:package-groups-doc) ! local:set-data-collection-permissions(.)
-    ),
+    scanrepo:rebuild-all-package-metadata(),
 
-(: execute get-package.xq as repo group, so that it can write to logs :)
-sm:chmod(xs:anyURI($target || "/modules/get-package.xq"), "rwsrwxr-x")
+(: Ensure get-package.xq is run as "repo" group, so that it can write to logs :)
+
+sm:chmod(xs:anyURI($target || "/modules/get-package.xq"), "g+s")

pre-install.xq

@@ -8,9 +8,9 @@
     <copyright>true</copyright>
     <type>application</type>
     <target>public-repo</target>
-    <prepare>pre-install.xq</prepare>
+    <prepare/>
     <finish>post-install.xq</finish>
-    <permissions password="repo" user="repo" group="repo" mode="rw-rw-r--"/>
+    <permissions password="repo" user="repo" group="repo" mode="rwxrwxr-x"/>
     <changelog>
         <change version="2.0.0">
             <ul xmlns="http://www.w3.org/1999/xhtml">