#284 Security user is used when server has external security

Author: rjrudin

src/main/java/com/marklogic/mgmt/AbstractManager.java

@@ -22,6 +22,17 @@ protected boolean useSecurityUser() {
         return false;
     }
 
+	/**
+	 * Some payloads - such as a server payload that uses external security - require a condition to determine if the
+	 * security user should be used or not.
+	 *
+	 * @param payload
+	 * @return
+	 */
+	protected boolean useSecurityUser(String payload) {
+    	return useSecurityUser();
+    }
+
     /**
      * Assumes the resource name is based on the class name - e.g. RoleManager would have a resource name of "role".
      *
@@ -48,15 +59,15 @@ protected String getResourceId(String payload) {
     }
 
     protected ResponseEntity<String> putPayload(ManageClient client, String path, String payload) {
-        boolean requiresSecurityUser = useSecurityUser();
+        boolean requiresSecurityUser = useSecurityUser(payload);
         if (payloadParser.isJsonPayload(payload)) {
             return requiresSecurityUser ? client.putJsonAsSecurityUser(path, payload) : client.putJson(path, payload);
         }
         return requiresSecurityUser ? client.putXmlAsSecurityUser(path, payload) : client.putXml(path, payload);
     }
 
     protected ResponseEntity<String> postPayload(ManageClient client, String path, String payload) {
-        boolean requiresSecurityUser = useSecurityUser();
+        boolean requiresSecurityUser = useSecurityUser(payload);
         if (payloadParser.isJsonPayload(payload)) {
             return requiresSecurityUser ? client.postJsonAsSecurityUser(path, payload) : client.postJson(path, payload);
         }

src/main/java/com/marklogic/mgmt/resource/appservers/ServerManager.java

@@ -1,5 +1,6 @@
 package com.marklogic.mgmt.resource.appservers;
 
+import com.marklogic.mgmt.SaveReceipt;
 import com.marklogic.mgmt.resource.AbstractResourceManager;
 import com.marklogic.mgmt.ManageClient;
 import com.marklogic.rest.util.Fragment;
@@ -20,6 +21,24 @@ public ServerManager(ManageClient manageClient, String groupName) {
         this.groupName = groupName != null ? groupName : DEFAULT_GROUP;
     }
 
+	/**
+	 * This is hacky, but it should be close to 100% reliable. Worst case is that the payload has the string
+	 * "external-security" in some other field and we unnecessarily use the security user.
+	 *
+	 * Public so that it can be unit-tested easily.
+	 *
+	 * @param payload
+	 * @return
+	 */
+	@Override
+	public boolean useSecurityUser(String payload) {
+		boolean b = payload != null && payload.contains("external-security");
+		if (b && logger.isInfoEnabled()) {
+			logger.info("Server payload contains external-security, so using the security user");
+		}
+		return b;
+	}
+
 	/**
 	 * When doing an existence check, have to take the group name into account.
 	 *

src/test/java/com/marklogic/appdeployer/command/servers/DeployServerWithExternalSecurityTest.java

@@ -0,0 +1,22 @@
+package com.marklogic.appdeployer.command.servers;
+
+import com.marklogic.mgmt.resource.appservers.ServerManager;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class DeployServerWithExternalSecurityTest extends Assert {
+
+	@Test
+	public void test() {
+		ServerManager mgr = new ServerManager(null);
+
+		assertTrue(mgr.useSecurityUser("{\"server-name\": \"my-server\", \"external-security\": [\"my-external-security\"]}"));
+		assertFalse(mgr.useSecurityUser("{\"server-name\": \"my-server\"}"));
+
+		assertTrue(
+			"This is an expected false positive, but it's considered fine because it just means that the security user " +
+				"will be used in the rare event that some other field in the payload has the string 'external-security' in it",
+			mgr.useSecurityUser("{\"server-name\": \"my-external-security-test\"}")
+		);
+	}
+}