Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-27841

[VCS] Failing to catch if the query is a proxy

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 10.10, 10.10-HF10
    • Fix Version/s: None
    • Environment:
      H2DB
    • Tags:
    • Sprint:
      nxFG 11.1.10, nxFG 11.1.11, nxFG 11.1.12

      Description

      Hello,
      we are working on a custom security policy and we had to enrich the queries to apply security restrictions like:

      Security Policy Example

      Given that the current user is member of X groups,
      We are searching for document from the original query that in addition are filtered by
      not having the facet CustomDocument
      have the confidentiality level C1
      have the confidentiality level C2 and the groups of the current user is referenced in any of the following document properties: recipients entities, authors entities, publisher entity
      have the confidentiality level C3 and the user is referenced in any of following document properties recipient, author, creator

      When we run the previously defined policy it in local (h2db) we have a nullpointer coming from how nuxeo generates SQL queries based upon the NXQL AST.

      The failing query is something like:

      SELECT * FROM Document WHERE ecm:isProxy = 1 AND (rend:sourceVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf' OR ecm:proxyVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf')
      

      if you add the security predicates it would look to something like:

      SELECT * FROM Document WHERE 
      ecm:mixinType <> 'CustomDocument' AND ecm:isProxy = 1 AND (rend:sourceVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf' OR ecm:proxyVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf')
      OR 
      confidentiality:confidentialityLevel = 'C1' AND ecm:isProxy = 1 AND (rend:sourceVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf' OR ecm:proxyVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf')
      OR 
      confidentiality:confidentialityLevel = 'C2' AND (ent:authorsEntities in ('ENT_X') OR ent:publisherEntity in ('ENT_X') OR ent:recipientEntities in ('ENT_X')) AND ecm:isProxy = 1 AND (rend:sourceVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf' OR ecm:proxyVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf')
      

      To bypass the nullpointer I added some code that do not apply the security policy when the WHERE condition predicate has a first Operand checking the ecm:isProxy property and it works (for now).

      Caused by: java.lang.NullPointerException
      	at org.nuxeo.ecm.core.storage.sql.jdbc.NXQLQueryMaker$WhereBuilder.getSpecialColumnInfo(NXQLQueryMaker.java:1703) ~[nuxeo-core-storage-sql-10.10-HF10.jar:?]
      	at org.nuxeo.ecm.core.storage.sql.jdbc.NXQLQueryMaker$WhereBuilder.getColumnInfo(NXQLQueryMaker.java:1720) ~[nuxeo-core-storage-sql-10.10-HF10.jar:?]
      	at org.nuxeo.ecm.core.storage.sql.jdbc.NXQLQueryMaker$WhereBuilder.visitExpression(NXQLQueryMaker.java:1908) ~[nuxeo-core-storage-sql-10.10-HF10.jar:?]
      	at org.nuxeo.ecm.core.query.sql.model.Expression.accept(Expression.java:52) ~[nuxeo-core-query-10.10-HF10.jar:?]
      	at org.nuxeo.ecm.core.query.sql.model.DefaultQueryVisitor.visitExpression(DefaultQueryVisitor.java:103) ~[nuxeo-core-query-10.10-HF10.jar:?]
      	at org.nuxeo.ecm.core.storage.sql.jdbc.NXQLQueryMaker$WhereBuilder.visitExpression(NXQLQueryMaker.java:1950) ~[nuxeo-core-storage-sql-10.10-HF10.jar:?]
      	at org.nuxeo.ecm.core.query.sql.model.Expression.accept(Expression.java:52) ~[nuxeo-core-query-10.10-HF10.jar:?]
      	at org.nuxeo.ecm.core.query.sql.model.DefaultQueryVisitor.visitExpression(DefaultQueryVisitor.java:103) ~[nuxeo-core-query-10.10-HF10.jar:?]
      	at org.nuxeo.ecm.core.storage.sql.jdbc.NXQLQueryMaker$WhereBuilder.visitExpression(NXQLQueryMaker.java:1950) ~[nuxeo-core-storage-sql-10.10-HF10.jar:?]
      	at org.nuxeo.ecm.core.query.sql.model.Expression.accept(Expression.java:52) ~[nuxeo-core-query-10.10-HF10.jar:?]
      

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:

                PagerDuty

                Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.