Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-28841

Fix regression caused by NXP-26003

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 9.10-HF41, 10.10-HF23
    • Fix Version/s: 9.10-HF43, 10.10-HF25, 11.1
    • Component/s: Core
    • Release Notes Summary:
      A better implementation is done to compute the username's user workspace.
    • Backlog priority:
      1,000
    • Sprint:
      nxplatform 11.1.33
    • Story Points:
      3

      Description

      Code change brought by NXP-26003 can cause an infinite loop when calling AbstractUserWorkspaceImpl#getExistingUserWorkspace with principal parameter set to null e.g. from a security policy.

      at com.warnerbros.nuxeo.tenant.management.core.DisabledUserSecurityPolicy.checkPermission(DisabledUserSecurityPolicy.java:30) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at org.nuxeo.ecm.core.security.SecurityPolicyServiceImpl.checkPermission(SecurityPolicyServiceImpl.java:161) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.security.SecurityService.checkPermission(SecurityService.java:135) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.AbstractSession.hasPermission(AbstractSession.java:300) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.AbstractSession.hasPermission(AbstractSession.java:296) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl.getExistingUserWorkspace(AbstractUserWorkspaceImpl.java:278) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl.getCurrentUserPersonalWorkspace(AbstractUserWorkspaceImpl.java:242) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl$UnrestrictedUserWorkspaceFinder.run(AbstractUserWorkspaceImpl.java:428) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.UnrestrictedSessionRunner.runUnrestricted(UnrestrictedSessionRunner.java:137) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl.getUserPersonalWorkspace(AbstractUserWorkspaceImpl.java:311) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.user.center.profile.UserProfileServiceImpl.getUserProfileDocument(UserProfileServiceImpl.java:98) ~[nuxeo-user-profile-10.10.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl.lambda$getExpirationInfo$18(TenantManagementServiceImpl.java:409) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl$$Lambda$2711/1630972751.apply(Unknown Source) ~[?:?]
       at org.nuxeo.ecm.core.api.CoreInstance$1.run(CoreInstance.java:186) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.UnrestrictedSessionRunner.runUnrestricted(UnrestrictedSessionRunner.java:137) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.CoreInstance.doPrivileged(CoreInstance.java:188) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl.getExpirationInfo(TenantManagementServiceImpl.java:401) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl.getTenantsWhereUserIsDisabled(TenantManagementServiceImpl.java:323) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.DisabledUserSecurityPolicy.checkPermission(DisabledUserSecurityPolicy.java:30) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at org.nuxeo.ecm.core.security.SecurityPolicyServiceImpl.checkPermission(SecurityPolicyServiceImpl.java:161) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.security.SecurityService.checkPermission(SecurityService.java:135) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.AbstractSession.hasPermission(AbstractSession.java:300) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.AbstractSession.hasPermission(AbstractSession.java:296) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl.getExistingUserWorkspace(AbstractUserWorkspaceImpl.java:278) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl.getCurrentUserPersonalWorkspace(AbstractUserWorkspaceImpl.java:242) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl$UnrestrictedUserWorkspaceFinder.run(AbstractUserWorkspaceImpl.java:428) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.UnrestrictedSessionRunner.runUnrestricted(UnrestrictedSessionRunner.java:137) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl.getUserPersonalWorkspace(AbstractUserWorkspaceImpl.java:311) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.user.center.profile.UserProfileServiceImpl.getUserProfileDocument(UserProfileServiceImpl.java:98) ~[nuxeo-user-profile-10.10.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl.lambda$getExpirationInfo$18(TenantManagementServiceImpl.java:409) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl$$Lambda$2711/1630972751.apply(Unknown Source) ~[?:?]
       at org.nuxeo.ecm.core.api.CoreInstance$1.run(CoreInstance.java:186) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.UnrestrictedSessionRunner.runUnrestricted(UnrestrictedSessionRunner.java:137) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.CoreInstance.doPrivileged(CoreInstance.java:188) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl.getExpirationInfo(TenantManagementServiceImpl.java:401) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl.getTenantsWhereUserIsDisabled(TenantManagementServiceImpl.java:323) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.DisabledUserSecurityPolicy.checkPermission(DisabledUserSecurityPolicy.java:30) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at org.nuxeo.ecm.core.security.SecurityPolicyServiceImpl.checkPermission(SecurityPolicyServiceImpl.java:161) ~[nuxeo-core-10.10-HF23.jar:?]
      

      The change that caused this to fail is the fact that the above commit is now forcing a check on EVERYTHING permission with the principal owning the workspace if "null" is passed( as opposed of a check on the principal fetched from the session as before). This will trigger an infinite loop as our custom security policy will try to fetch this document ( since the UserProfileDocument is stored in the personal workspace) to resolve that check.

      This method is actually invoked by the UnrestrictedUserWorkspaceFinder#getCurrentUserPersonalWorkspace(null, userName, session); => so will fall into the case above.

      We should be able to fetch this workspace with an unrestricted session with no checks as before.

      A backport to 9.10 could be needed.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                1 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 5 hours
                  5h

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.