
evolvedbinary / elemental / 982

29 Apr 2025 08:34PM UTC coverage: 56.409% (+0.007%) from 56.402%
982

push

circleci

adamretter
[feature] Improve README.md badges

28451 of 55847 branches covered (50.94%)

Branch coverage included in aggregate %.

77468 of 131924 relevant lines covered (58.72%)

0.59 hits per line


52.27
/exist-core/src/main/java/org/exist/security/PermissionRequiredAspect.java
/*
 * Elemental
 * Copyright (C) 2024, Evolved Binary Ltd
 *
 * admin@evolvedbinary.com
 * https://www.evolvedbinary.com | https://www.elemental.xyz
 *
 * Use of this software is governed by the Business Source License 1.1
 * included in the LICENSE file and at www.mariadb.com/bsl11.
 *
 * Change Date: 2028-04-27
 *
 * On the date above, in accordance with the Business Source License, use
 * of this software will be governed by the Apache License, Version 2.0.
 *
 * Additional Use Grant: Production use of the Licensed Work for a permitted
 * purpose. A Permitted Purpose is any purpose other than a Competing Use.
 * A Competing Use means making the Software available to others in a commercial
 * product or service that: substitutes for the Software; substitutes for any
 * other product or service we offer using the Software that exists as of the
 * date we make the Software available; or offers the same or substantially
 * similar functionality as the Software.
 */
package org.exist.security;

import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.aspectj.lang.annotation.Pointcut;
import org.aspectj.lang.reflect.MethodSignature;

import static org.exist.security.PermissionRequired.*;

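/**
 * AspectJ aspect that enforces {@link PermissionRequired} annotations placed on
 * methods, and on the first parameter of methods, of {@link Permission} objects.
 *
 * <p>Each advice evaluates an ordered list of alternative rules. The first rule
 * that matches lets the call proceed; if none matches the advice throws
 * {@link PermissionDeniedException}. A rule whose precondition cannot be evaluated
 * (annotation not found, argument of an unexpected type) is treated as not
 * satisfied, so the advice never grants access by default.</p>
 *
 * <p>NOTE(review): these checks only run at join points where this aspect has been
 * woven - confirm that the build weaves every {@link Permission} implementation.</p>
 *
 * @author <a href="mailto:adam@exist-db.org">Adam Retter</a>
 */
@Aspect
public class PermissionRequiredAspect {

    /** Message of the exception thrown when no parameter-level rule grants access. */
    private static final String PARAMETER_DENIED_MESSAGE =
            "You must be a member of the group you are changing the item to";

    /** Message of the exception thrown when no method-level rule grants access. */
    private static final String METHOD_DENIED_MESSAGE =
            "You do not have appropriate access rights to modify permissions on this object";

    /**
     * Matches the execution of any method whose first parameter carries
     * {@link PermissionRequired}, when the executing object is a {@link Permission}.
     *
     * @param permission the executing object, bound by {@code this(permission)}
     * @param o the first argument of the call, bound by {@code args(o,..)}
     */
    @Pointcut("execution(* *(@org.exist.security.PermissionRequired (*),..)) && args(o,..) && this(permission)")
    public void methodParameterWithPermissionRequired(Permission permission, Object o) {
    }

    /**
     * Enforces the {@link PermissionRequired} annotation on the first parameter of
     * the intercepted method.
     *
     * <p>Access is granted when any one of these holds, checked in order:</p>
     * <ol>
     *   <li>the annotation's {@code user()} has {@code IS_DBA} and the current subject is a DBA;</li>
     *   <li>{@code user()} has {@code IS_MEMBER}, the argument is an {@link Integer} group id and
     *       the current subject is in that group;</li>
     *   <li>{@code user()} has {@code NOT_POSIX_CHOWN_RESTRICTED}, the permission is not
     *       posix-chown-restricted, the method itself is annotated with {@code IS_OWNER} and the
     *       current subject is the owner;</li>
     *   <li>{@code mode()} has {@code IS_SET_GID}, the argument is a {@link Permission} and that
     *       permission has setGid set.</li>
     * </ol>
     *
     * @param joinPoint the intercepted join point, used to read the method's annotations
     * @param permission the permission object the method is being executed on
     * @param o the first argument of the intercepted call
     * @throws PermissionDeniedException if none of the rules above grants access
     */
    @Before("methodParameterWithPermissionRequired(permission, o)")
    public void enforcePermissionsOnParameter(JoinPoint joinPoint, Permission permission, Object o) throws PermissionDeniedException {

        //TODO(AR) the annotation lookup below can be replaced when this aspectj bug is closed - https://bugs.eclipse.org/bugs/show_bug.cgi?id=259416
        final MethodSignature ms = (MethodSignature) joinPoint.getSignature();

        // Look the annotation up by type rather than by position: a second annotation
        // on the same parameter would otherwise make a blind [0][0] cast fail.
        final PermissionRequired parameterPermissionRequired = findFirstParameterAnnotation(ms);
        if (parameterPermissionRequired == null) {
            // Nothing to evaluate the rules against, so deny.
            throw new PermissionDeniedException(PARAMETER_DENIED_MESSAGE);
        }

        final int userFlags = parameterPermissionRequired.user();

        // 1) check if we should allow DBA access
        if (hasFlag(userFlags, IS_DBA) && permission.isCurrentSubjectDBA()) {
            return;
        }

        // 2) check if the user is in the target group
        //    (an argument that is not a group id cannot satisfy this rule)
        if (hasFlag(userFlags, IS_MEMBER) && o instanceof Integer) {
            final Integer groupId = (Integer) o;
            if (permission.isCurrentSubjectInGroup(groupId)) {
                return;
            }
        }

        // 3) check if we should allow access when POSIX_CHOWN_RESTRICTED is not set
        if (hasFlag(userFlags, NOT_POSIX_CHOWN_RESTRICTED) && !permission.isPosixChownRestricted()) {
            // The owner requirement is read from the method-level annotation, which may be absent.
            final PermissionRequired methodPermissionRequired = ms.getMethod().getAnnotation(PermissionRequired.class);
            if (methodPermissionRequired != null
                    && hasFlag(methodPermissionRequired.user(), IS_OWNER)
                    && permission.isCurrentSubjectOwner()) {
                return;
            }
        }

        // 4) check if we are looking for setGID
        //    (an argument that is not a Permission cannot satisfy this rule)
        if (hasFlag(parameterPermissionRequired.mode(), IS_SET_GID) && o instanceof Permission) {
            final Permission other = (Permission) o;
            if (other.isSetGid()) {
                return;
            }
        }

        // NOTE(review): this message names only the group rule, yet it is raised when any
        // of the four rules fails - confirm whether callers rely on the exact text.
        throw new PermissionDeniedException(PARAMETER_DENIED_MESSAGE);
    }

    /**
     * Matches the execution of any method annotated with {@link PermissionRequired},
     * when the executing object is a {@link Permission}.
     *
     * @param permission the executing object, bound by {@code this(permission)}
     * @param permissionRequired the method's annotation, bound by {@code @annotation(...)}
     */
    @Pointcut("execution(@org.exist.security.PermissionRequired * *(..)) && this(permission) && @annotation(permissionRequired)")
    public void methodWithPermissionRequired(Permission permission, PermissionRequired permissionRequired) {
    }

    /**
     * Enforces the {@link PermissionRequired} annotation on the intercepted method.
     *
     * <p>Access is granted when any one of these holds, checked in order:</p>
     * <ol>
     *   <li>{@code user()} has {@code IS_DBA} and the current subject is a DBA;</li>
     *   <li>{@code user()} has {@code IS_OWNER}, the current subject is the owner, and
     *       {@code group()} is either {@code UNDEFINED} or {@code IS_MEMBER} with the
     *       current subject in the group;</li>
     *   <li>{@code user()} is {@code UNDEFINED}, {@code group()} is {@code IS_MEMBER} and the
     *       current subject is in the group;</li>
     *   <li>the permission is an {@link ACLPermission}, {@code mode()} has {@code ACL_WRITE}
     *       and the current subject can write the ACL.</li>
     * </ol>
     *
     * @param joinPoint the intercepted join point (not read by this advice)
     * @param permission the permission object the method is being executed on
     * @param permissionRequired the annotation on the intercepted method
     * @throws PermissionDeniedException if none of the rules above grants access
     */
    @Before("methodWithPermissionRequired(permission, permissionRequired)")
    public void enforcePermissions(JoinPoint joinPoint, Permission permission, PermissionRequired permissionRequired) throws PermissionDeniedException {

        final int userFlags = permissionRequired.user();
        final int groupFlags = permissionRequired.group();
        final int modeFlags = permissionRequired.mode();

        //1) check if we should allow DBA access
        if (hasFlag(userFlags, IS_DBA) && permission.isCurrentSubjectDBA()) {
            return;
        }

        //2) check for owner access
        if (hasFlag(userFlags, IS_OWNER) && permission.isCurrentSubjectOwner()) {
            if (groupFlags == UNDEFINED) {
                return;
            }
            //check for group membership
            // NOTE(review): group() is compared for equality while user() and mode() are
            // tested as bit masks - confirm group() never carries more than one flag.
            if (groupFlags == IS_MEMBER && permission.isCurrentSubjectInGroup()) {
                return;
            }
        }

        //3) check for group access
        if (userFlags == UNDEFINED && groupFlags != UNDEFINED) {
            if (groupFlags == IS_MEMBER && permission.isCurrentSubjectInGroup()) {
                return;
            }
        }

        //4) check for acl mode access
        if (permission instanceof ACLPermission && modeFlags != UNDEFINED) {
            if (hasFlag(modeFlags, ACL_WRITE) && ((ACLPermission) permission).isCurrentSubjectCanWriteACL()) {
                return;
            }
        }

        throw new PermissionDeniedException(METHOD_DENIED_MESSAGE);
    }

    /**
     * Tests whether every bit of {@code flag} is set in {@code flags}.
     *
     * @param flags the value read from the annotation
     * @param flag the bit mask to look for
     * @return {@code true} if {@code (flags & flag) == flag}
     */
    private static boolean hasFlag(final int flags, final int flag) {
        return (flags & flag) == flag;
    }

    /**
     * Finds the {@link PermissionRequired} annotation on the first parameter of the
     * intercepted method.
     *
     * @param ms the signature of the intercepted method
     * @return the annotation, or {@code null} if the first parameter does not carry one
     */
    private static PermissionRequired findFirstParameterAnnotation(final MethodSignature ms) {
        final java.lang.annotation.Annotation[][] parameterAnnotations = ms.getMethod().getParameterAnnotations();
        if (parameterAnnotations.length == 0) {
            return null;
        }
        for (final java.lang.annotation.Annotation annotation : parameterAnnotations[0]) {
            if (annotation instanceof PermissionRequired) {
                return (PermissionRequired) annotation;
            }
        }
        return null;
    }

    //TODO(AR) change Pointcut so that @annotation values are directly bound. see - https://bugs.eclipse.org/bugs/show_bug.cgi?id=347684
    /*
    @Pointcut("execution(@org.exist.security.PermissionRequired * *(..)) && this(permission) && @annotation(org.exist.security.PermissionRequired(mode,user,group))")
    public void methodWithPermissionRequired(Permission permission, int mode, int user, int group) {
    }

    @Before("methodWithPermissionRequired(permission, mode, user, group)")
    public void enforcePermissions(JoinPoint joinPoint, Permission permission, int mode, int user, int group) {
        System.out.println("POINTCUT");
    }*/
}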