Merge pull request #20 from evolvedbinary/fix-explorer-permission-denied

adamretter · web-flow · commit 567dcdf814c8 · 2020-08-21T11:54:47.000+02:00
Explorer API should return HTTP 403 Forbidden when user does not have permission
diff --git a/pom.xml b/pom.xml
@@ -48,6 +48,8 @@
         <project.build.source>1.8</project.build.source>
         <project.build.target>1.8</project.build.target>
 
+        <rest-assured.version>4.3.1</rest-assured.version>
+
         <!-- default supported exist-db version -->
         <exist.version>5.0.0</exist.version>
 
@@ -72,7 +74,21 @@
         <dependency>
             <groupId>io.rest-assured</groupId>
             <artifactId>rest-assured</artifactId>
-            <version>4.3.1</version>
+            <version>${rest-assured.version}</version>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>io.rest-assured</groupId>
+            <artifactId>json-schema-validator</artifactId>
+            <version>${rest-assured.version}</version>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpcore</artifactId>
+            <version>4.4.6</version>
             <scope>test</scope>
         </dependency>
 
@@ -91,6 +107,10 @@
         </resources>
 
         <testResources>
+            <testResource>
+                <directory>src/test/resources</directory>
+                <filtering>false</filtering>
+            </testResource>
             <testResource>
                 <directory>src/test/resources-filtered</directory>
                 <filtering>true</filtering>
diff --git a/src/main/xar-resources/api.xqm b/src/main/xar-resources/api.xqm
@@ -75,9 +75,23 @@ declare
     %rest:produces("application/json")
     %output:method("json")
 function api:explorer($uri) {
-    api:cors-allow(
-        exp:describe($uri)
-    )
+    api:with-valid-uri-ex($uri, function($uri) {
+        if (sm:has-access($uri, "r-x"))
+        then
+            [
+                (),
+                exp:describe($uri)
+            ]
+        else
+        [
+            map {
+                "code": $hsc:forbidden,
+                "reason": "User: " || (sm:id()//sm:username)[1] || " is not permitted to access: " || $uri
+            },
+            ()
+        ]
+
+    })
 };
 
 declare
diff --git a/src/test/java/com/fusiondb/studio/api/ExplorerIT.java b/src/test/java/com/fusiondb/studio/api/ExplorerIT.java
@@ -0,0 +1,50 @@
+/*
+ * Fusion Studio API - API for Fusion Studio
+ * Copyright © 2017 Evolved Binary (tech@evolvedbinary.com)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package com.fusiondb.studio.api;
+
+import org.junit.jupiter.api.Test;
+
+import static com.fusiondb.studio.api.API.getApiBaseUri;
+import static io.restassured.RestAssured.when;
+import static io.restassured.module.jsv.JsonSchemaValidator.matchesJsonSchemaInClasspath;
+import static org.apache.http.HttpStatus.SC_FORBIDDEN;
+import static org.apache.http.HttpStatus.SC_OK;
+
+public class ExplorerIT {
+
+    @Test
+    public void root() {
+        when().
+                get(getApiBaseUri() + "/explorer?uri=/db").
+        then().
+                statusCode(SC_OK).
+        assertThat().
+                body(matchesJsonSchemaInClasspath("explorer-schema.json"));
+    }
+
+    /**
+     * Attempt to access a non-public Collection as guest user.
+     */
+    @Test
+    public void insufficientPermissions() {
+        when().
+                get(getApiBaseUri() + "/explorer?uri=/db/system/security").
+        then().
+                statusCode(SC_FORBIDDEN);
+    }
+}
diff --git a/src/test/resources/ace-schema.json b/src/test/resources/ace-schema.json
@@ -0,0 +1,27 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "ACE",
+  "type": "object",
+  "required" : [ "accessType", "mode", "target", "who" ],
+  "properties" : {
+    "mode" : {
+      "pattern" : "[rwx-]{3}",
+      "type" : "string",
+      "example" : "-wx"
+    },
+    "target" : {
+      "type" : "string",
+      "example" : "USER",
+      "enum" : [ "USER", "GROUP" ]
+    },
+    "accessType" : {
+      "type" : "string",
+      "example" : "DENIED",
+      "enum" : [ "ALLOWED", "DENIED" ]
+    },
+    "who" : {
+      "type" : "string",
+      "example" : "a-read-only-user"
+    }
+  }
+}
diff --git a/src/test/resources/collection-schema.json b/src/test/resources/collection-schema.json
@@ -0,0 +1,55 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Collection",
+  "type": "object",
+  "required": [
+    "acl",
+    "created",
+    "group",
+    "mode",
+    "owner",
+    "uri"
+  ],
+  "properties": {
+    "uri": {
+      "type": "string",
+      "format": "uri",
+      "example": "/db/col1"
+    },
+    "created": {
+      "type": "string",
+      "format": "date-time",
+      "example": "2018-11-14T15:45:26.539+08:00"
+    },
+    "owner": {
+      "type": "string",
+      "example": "SYSTEM"
+    },
+    "group": {
+      "type": "string",
+      "example": "dba"
+    },
+    "mode": {
+      "type": "string",
+      "example": "rwxr-xr-x"
+    },
+    "acl": {
+      "type": "array",
+      "items": {
+        "$ref": "ace-schema.json"
+      }
+    },
+    "collections": {
+      "type": "array",
+      "items": {
+        "$ref": "sub-collection-schema.json"
+      }
+    },
+    "documents": {
+      "type": "array",
+      "items": {
+        "$ref": "document-schema.json"
+      }
+    }
+  }
+}
diff --git a/src/test/resources/document-schema.json b/src/test/resources/document-schema.json
@@ -0,0 +1,54 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Document",
+  "type": "object",
+  "required" : [ "acl", "binaryDoc", "created", "group", "lastModified", "mediaType", "mode", "owner", "size", "uri" ],
+  "properties" : {
+    "uri" : {
+      "type" : "string",
+      "format" : "uri",
+      "example" : "/db/doc1.xml"
+    },
+    "created" : {
+      "type" : "string",
+      "format" : "date-time",
+      "example" : "2018-11-14T15:45:26.539+08:00"
+    },
+    "lastModified" : {
+      "type" : "string",
+      "format" : "date-time",
+      "example" : "2018-11-14T15:45:26.539+08:00"
+    },
+    "mediaType" : {
+      "type" : "string",
+      "example" : "application/xml"
+    },
+    "binaryDoc" : {
+      "type" : "boolean",
+      "example" : false
+    },
+    "size" : {
+      "type" : "integer",
+      "format" : "int64",
+      "example" : 8192
+    },
+    "owner" : {
+      "type" : "string",
+      "example" : "SYSTEM"
+    },
+    "group" : {
+      "type" : "string",
+      "example" : "dba"
+    },
+    "mode" : {
+      "type" : "string",
+      "example" : "rwxr-xr-x"
+    },
+    "acl" : {
+      "type" : "array",
+      "items" : {
+        "$ref" : "ace-schema.json"
+      }
+    }
+  }
+}
diff --git a/src/test/resources/explorer-schema.json b/src/test/resources/explorer-schema.json
@@ -0,0 +1,20 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Explorer Response",
+  "type" : "object",
+  "required" : [ "collections", "documents" ],
+  "properties" : {
+    "collections" : {
+      "type" : "array",
+      "items" : {
+        "$ref" : "collection-schema.json"
+      }
+    },
+    "documents" : {
+      "type" : "array",
+      "items" : {
+      "$ref" : "document-schema.json"
+      }
+    }
+  }
+}
diff --git a/src/test/resources/sub-collection-schema.json b/src/test/resources/sub-collection-schema.json
@@ -0,0 +1,43 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "SubCollection",
+  "type": "object",
+  "required": [
+    "acl",
+    "created",
+    "group",
+    "mode",
+    "owner",
+    "uri"
+  ],
+  "properties": {
+    "uri": {
+      "type": "string",
+      "format": "uri",
+      "example": "/db/col1"
+    },
+    "created": {
+      "type": "string",
+      "format": "date-time",
+      "example": "2018-11-14T15:45:26.539+08:00"
+    },
+    "owner": {
+      "type": "string",
+      "example": "SYSTEM"
+    },
+    "group": {
+      "type": "string",
+      "example": "dba"
+    },
+    "mode": {
+      "type": "string",
+      "example": "rwxr-xr-x"
+    },
+    "acl": {
+      "type": "array",
+      "items": {
+        "$ref": "ace-schema.json"
+      }
+    }
+  }
+}
