[feature] Deduplicate contiguous entries in ACLs that target the same resource and access conditions

adamretter · adamretter · commit 3dd46be44872 · 2025-05-22T12:00:32.000+02:00
Closes eXist-db/exist#5138
diff --git a/exist-core/pom.xml b/exist-core/pom.xml
@@ -1097,6 +1097,7 @@
                                 <include>src/test/xquery/order.xqm</include>
                                 <include>src/test/xquery/positional-nested.xql</include>
                                 <include>src/test/xquery/root.xq</include>
+                                <include>src/test/xquery/securitymanager/acl.xqm</include>
                                 <include>src/test/xquery/securitymanager/id.xqm</include>
                                 <include>src/test/xquery/system/as-user.xqm</include>
                                 <include>src/test/xquery/treatAs.xq</include>
@@ -1240,6 +1241,7 @@
                                 <include>src/main/java/org/exist/scheduler/impl/QuartzSchedulerImpl.java</include>
                                 <include>src/main/java/org/exist/security/EffectiveSubject.java</include>
                                 <include>src/main/java/org/exist/security/SecurityManager.java</include>
+                                <include>src/main/java/org/exist/security/SimpleACLPermission.java</include>
                                 <include>src/main/java/org/exist/security/internal/AccountImpl.java</include>
                                 <include>src/main/java/org/exist/source/Source.java</include>
                                 <include>src/main/java/org/exist/source/SourceFactory.java</include>
@@ -1498,6 +1500,7 @@
                                 <exclude>src/main/java/org/exist/security/PermissionRequiredAspect.java</exclude>
                                 <exclude>src/main/java/org/exist/security/SecurityManager.java</exclude>
                                 <exclude>src/test/java/org/exist/security/SecurityManagerTest.java</exclude>
+                                <exclude>src/main/java/org/exist/security/SimpleACLPermission.java</exclude>
                                 <exclude>src/test/java/org/exist/security/XqueryApiTest.java</exclude>
                                 <exclude>src/main/java/org/exist/security/internal/AccountImpl.java</exclude>
                                 <exclude>src/main/java/org/exist/security/internal/aider/ACEAider.java</exclude>
@@ -1867,6 +1870,7 @@
                                 <exclude>src/test/xquery/order.xqm</exclude>
                                 <exclude>src/test/xquery/positional-nested.xql</exclude>
                                 <exclude>src/test/xquery/root.xq</exclude>
+                                <exclude>src/test/xquery/securitymanager/acl.xqm</exclude>
                                 <exclude>src/test/xquery/securitymanager/id.xqm</exclude>
                                 <exclude>src/test/xquery/system/as-user.xqm</exclude>
                                 <exclude>src/test/xquery/treatAs.xq</exclude>
diff --git a/exist-core/src/main/java/org/exist/security/SimpleACLPermission.java b/exist-core/src/main/java/org/exist/security/SimpleACLPermission.java
@@ -1,4 +1,31 @@
 /*
+ * Elemental
+ * Copyright (C) 2024, Evolved Binary Ltd
+ *
+ * admin@evolvedbinary.com
+ * https://www.evolvedbinary.com | https://www.elemental.xyz
+ *
+ * Use of this software is governed by the Business Source License 1.1
+ * included in the LICENSE file and at www.mariadb.com/bsl11.
+ *
+ * Change Date: 2028-04-27
+ *
+ * On the date above, in accordance with the Business Source License, use
+ * of this software will be governed by the Apache License, Version 2.0.
+ *
+ * Additional Use Grant: Production use of the Licensed Work for a permitted
+ * purpose. A Permitted Purpose is any purpose other than a Competing Use.
+ * A Competing Use means making the Software available to others in a commercial
+ * product or service that: substitutes for the Software; substitutes for any
+ * other product or service we offer using the Software that exists as of the
+ * date we make the Software available; or offers the same or substantially
+ * similar functionality as the Software.
+ *
+ * NOTE: Parts of this file contain code from 'The eXist-db Authors'.
+ *       The original license header is included below.
+ *
+ * =====================================================================
+ *
  * eXist-db Open Source Native XML Database
  * Copyright (C) 2001 The eXist-db Authors
  *
@@ -27,6 +54,8 @@
 import org.exist.storage.io.VariableByteInput;
 import org.exist.storage.io.VariableByteOutputStream;
 
+import javax.annotation.Nullable;
+
 import static org.exist.security.PermissionRequired.IS_DBA;
 import static org.exist.security.PermissionRequired.IS_OWNER;
 import static org.exist.security.PermissionRequired.ACL_WRITE;
@@ -85,10 +114,68 @@ private void addACE(final ACE_ACCESS_TYPE access_type, final ACE_TARGET target,
             throw new PermissionDeniedException("Maximum of " + MAX_ACL_LENGTH + " ACEs has been reached.");
         }
 
-        final int[] newAcl = new int[acl.length + 1];
-        System.arraycopy(acl, 0, newAcl, 0, acl.length);
-        newAcl[newAcl.length - 1] = encodeAsACE(access_type, target, id, mode);
-        this.acl = newAcl;
+        // this is the final mode of all ACEs in the ACL for the targeted `id`
+        @Nullable Integer computedAclMode = null;
+
+        // Walk through the existing ACE and see what the permissions are for the id
+        for (int i = 0; i < acl.length; i++) {
+            final ACE_TARGET aceTarget = getACETarget(i);
+            final int aceId = getACEId(i);
+            final int aceMode = getACEMode(i);
+            final ACE_ACCESS_TYPE aceAccessType = getACEAccessType(i);
+
+            if (aceId == id && aceTarget == target) {
+                // ids match, and existing ACE is `user` and requested addition is `user`, or existing ACE is `group` and requested addition is `group`
+
+                if (aceMode == mode) {
+                    // NOTE(AR) exit - we do not want to add a duplicate mode entry for same target and id
+                    return;
+                }
+
+                computedAclMode = computeCumulativeAclMode(computedAclMode, aceAccessType, aceMode);
+            }
+        }
+
+        final int newMode;
+        if (computedAclMode == null) {
+            newMode = mode;
+        } else {
+            newMode = (computedAclMode ^ mode) & mode;
+        }
+
+        if (newMode > 0) {
+            final int[] newAcl = new int[acl.length + 1];
+            System.arraycopy(acl, 0, newAcl, 0, acl.length);
+            newAcl[newAcl.length - 1] = encodeAsACE(access_type, target, id, newMode);
+            this.acl = newAcl;
+        }
+    }
+
+    private int computeCumulativeAclMode(@Nullable final Integer existingComputedAclMode, final ACE_ACCESS_TYPE aceAccessType, final int aceMode) {
+        if (existingComputedAclMode == null) {
+            return aceMode;
+        }
+
+        if (aceAccessType == ACE_ACCESS_TYPE.ALLOWED) {
+            // ALLOWED, so we set bits
+            return existingComputedAclMode | aceMode;
+        } else {
+            int computedAclMode = existingComputedAclMode;
+            // DENIED, so we unset bits
+            if ((aceMode & READ) == READ) {
+                // unset read bit
+                computedAclMode = computedAclMode & 3;
+            }
+            if ((aceMode & WRITE) == WRITE) {
+                // unset write bit
+                computedAclMode = computedAclMode & 5;
+            }
+            if ((aceMode & EXECUTE) == EXECUTE) {
+                // unset execute bit
+                computedAclMode = computedAclMode & 6;
+            }
+            return computedAclMode;
+        }
     }
 
     public void insertUserACE(final int index, final ACE_ACCESS_TYPE access_type, final int userId, final int mode) throws PermissionDeniedException {
diff --git a/exist-core/src/test/xquery/securitymanager/acl.xqm b/exist-core/src/test/xquery/securitymanager/acl.xqm
