filtering the xref of '/' based on authorization (#1618)

tulinkry · Vladimir Kotal · commit ca9a8876126b · 2017-06-29T14:59:57.000+02:00
fixes #1610
diff --git a/src/org/opensolaris/opengrok/web/PageConfig.java b/src/org/opensolaris/opengrok/web/PageConfig.java
@@ -378,6 +378,11 @@ public String canProcess() {
      * @return an empty list, if the resource does not exist, is not a directory
      * or an error occurred when reading it, otherwise a list of filenames in
      * that directory, sorted alphabetically
+     *
+     * <p>
+     * For the root directory (/xref/) an authorization is performed for each
+     * project in case that projects are used.</p>
+     *
      * @see #getResourceFile()
      * @see #isDir()
      */
@@ -391,8 +396,29 @@ public List<String> getResourceFileList() {
                 dirFileList = Collections.emptyList();
             } else {
                 Arrays.sort(files, String.CASE_INSENSITIVE_ORDER);
-                dirFileList
-                        = Collections.unmodifiableList(Arrays.asList(files));
+                List<String> listOfFiles = Arrays.asList(files);
+                if (env.hasProjects() && getPath().isEmpty()) {
+                    /**
+                     * This denotes the source root directory, we need to filter
+                     * projects which aren't allowed by the authorization
+                     * because otherwise the main xref page expose the names of
+                     * all projects in OpenGrok even those which aren't allowed
+                     * for the particular user. E. g. remove all which aren't
+                     * among the filtered set of projects.
+                     *
+                     * The authorization check is made in
+                     * {@link ProjectHelper#getAllProjects()} as a part of all
+                     * projects filtering.
+                     */
+                    List<String> modifiableListOfFiles = new ArrayList<>(listOfFiles);
+                    modifiableListOfFiles.removeIf((t) -> {
+                        return !getProjectHelper().getAllProjects().stream().anyMatch((p) -> {
+                            return p.getName().equalsIgnoreCase(t);
+                        });
+                    });
+                    return dirFileList = Collections.unmodifiableList(modifiableListOfFiles);
+                }
+                dirFileList = Collections.unmodifiableList(listOfFiles);
             }
         }
         return dirFileList;
diff --git a/test/org/opensolaris/opengrok/web/PageConfigTest.java b/test/org/opensolaris/opengrok/web/PageConfigTest.java
@@ -17,7 +17,7 @@
  * CDDL HEADER END
  */
 
-/*
+ /*
  * Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved.
  */
 package org.opensolaris.opengrok.web;
@@ -26,15 +26,23 @@
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.nio.file.Files;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Rule;
 import org.junit.Test;
+import org.opensolaris.opengrok.authorization.AuthControlFlag;
+import org.opensolaris.opengrok.authorization.AuthorizationFramework;
+import org.opensolaris.opengrok.authorization.AuthorizationPlugin;
+import org.opensolaris.opengrok.authorization.TestPlugin;
 import org.opensolaris.opengrok.condition.ConditionalRun;
 import org.opensolaris.opengrok.condition.ConditionalRunRule;
 import org.opensolaris.opengrok.condition.RepositoryInstalled;
+import org.opensolaris.opengrok.configuration.Project;
 import org.opensolaris.opengrok.configuration.RuntimeEnvironment;
 import org.opensolaris.opengrok.history.Annotation;
 import org.opensolaris.opengrok.history.HistoryGuru;
@@ -135,6 +143,73 @@ public void canProcessXref() {
         assertCanProcess(null, "/source", "/xref", "/mercurial/xyz/");
     }
 
+    /**
+     * Testing the root of /xref for authorization filtering.
+     */
+    @Test
+    public void testGetResourceFileList() {
+        RuntimeEnvironment env = RuntimeEnvironment.getInstance();
+
+        // backup original values
+        String oldSourceRootPath = env.getSourceRootPath();
+        AuthorizationFramework oldAuthorizationFramework = env.getAuthorizationFramework();
+        Map<String, Project> oldProjects = env.getProjects();
+
+        // set up the source root directory containing some projects
+        env.setSourceRoot(repository.getSourceRoot());
+
+        // enable projects
+        for (String file : new File(repository.getSourceRoot()).list()) {
+            env.getProjects().put(file, new Project(file));
+        }
+
+        HttpServletRequest req = createRequest("/source", "/xref", "");
+        PageConfig cfg = PageConfig.get(req);
+        List<String> allFiles = new ArrayList<>(cfg.getResourceFileList());
+
+        /**
+         * Check if there are some files (the "5" here is just a sufficient
+         * value for now which won't break any future repository tests) without
+         * any authorization.
+         */
+        assertTrue(allFiles.size() > 5);
+        assertTrue(allFiles.contains("git"));
+        assertTrue(allFiles.contains("mercurial"));
+
+        /**
+         * Now set up the same projects with authorization plugin enabling only
+         * some of them.
+         * <pre>
+         *  - disabling "git"
+         *  - disabling "mercurial"
+         * </pre>
+         */
+        env.setAuthorizationFramework(new AuthorizationFramework(null));
+        env.getAuthorizationFramework().getStack()
+                .add(new AuthorizationPlugin(AuthControlFlag.REQUIRED, new TestPlugin() {
+                    @Override
+                    public boolean isAllowed(HttpServletRequest request, Project project) {
+                        return !project.getName().startsWith("git")
+                                && !project.getName().startsWith("mercurial");
+                    }
+                }));
+
+        req = createRequest("/source", "/xref", "");
+        cfg = PageConfig.get(req);
+        List<String> filteredFiles = new ArrayList<>(cfg.getResourceFileList());
+        // list subtraction - retains only disabled files
+        allFiles.removeAll(filteredFiles);
+
+        assertEquals(2, allFiles.size());
+        assertTrue(allFiles.contains("git"));
+        assertTrue(allFiles.contains("mercurial"));
+
+        // restore original values
+        env.setAuthorizationFramework(oldAuthorizationFramework);
+        env.setSourceRoot(oldSourceRootPath);
+        env.setProjects(oldProjects);
+    }
+
     @Test
     public void testGetIntParam() {
         String[] attrs = {"a", "b", "c", "d", "e", "f", "g", "h"};
@@ -193,7 +268,6 @@ public String getParameter(String name) {
         }
     }
 
-
     @Test
     @ConditionalRun(condition = RepositoryInstalled.GitInstalled.class)
     public void testGetAnnotation() {
