Nuxeo Platform / NXP-28841

Fix regression caused by NXP-26003


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 9.10-HF41, 10.10-HF23
    • Fix Version/s: 9.10-HF43, 10.10-HF25, 11.1, 2021.0
    • Component/s: Core
    • Release Notes Summary:
      A better implementation is done to compute the username's user workspace.
    • Backlog priority:
      1,000
    • Sprint:
      nxplatform 11.1.33
    • Story Points:
      3

      Description

      The code change brought by NXP-26003 can cause an infinite loop when calling AbstractUserWorkspaceImpl#getExistingUserWorkspace with the principal parameter set to null, e.g. from a security policy.

      at com.warnerbros.nuxeo.tenant.management.core.DisabledUserSecurityPolicy.checkPermission(DisabledUserSecurityPolicy.java:30) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at org.nuxeo.ecm.core.security.SecurityPolicyServiceImpl.checkPermission(SecurityPolicyServiceImpl.java:161) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.security.SecurityService.checkPermission(SecurityService.java:135) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.AbstractSession.hasPermission(AbstractSession.java:300) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.AbstractSession.hasPermission(AbstractSession.java:296) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl.getExistingUserWorkspace(AbstractUserWorkspaceImpl.java:278) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl.getCurrentUserPersonalWorkspace(AbstractUserWorkspaceImpl.java:242) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl$UnrestrictedUserWorkspaceFinder.run(AbstractUserWorkspaceImpl.java:428) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.UnrestrictedSessionRunner.runUnrestricted(UnrestrictedSessionRunner.java:137) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl.getUserPersonalWorkspace(AbstractUserWorkspaceImpl.java:311) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.user.center.profile.UserProfileServiceImpl.getUserProfileDocument(UserProfileServiceImpl.java:98) ~[nuxeo-user-profile-10.10.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl.lambda$getExpirationInfo$18(TenantManagementServiceImpl.java:409) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl$$Lambda$2711/1630972751.apply(Unknown Source) ~[?:?]
       at org.nuxeo.ecm.core.api.CoreInstance$1.run(CoreInstance.java:186) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.UnrestrictedSessionRunner.runUnrestricted(UnrestrictedSessionRunner.java:137) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.CoreInstance.doPrivileged(CoreInstance.java:188) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl.getExpirationInfo(TenantManagementServiceImpl.java:401) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl.getTenantsWhereUserIsDisabled(TenantManagementServiceImpl.java:323) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.DisabledUserSecurityPolicy.checkPermission(DisabledUserSecurityPolicy.java:30) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at org.nuxeo.ecm.core.security.SecurityPolicyServiceImpl.checkPermission(SecurityPolicyServiceImpl.java:161) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.security.SecurityService.checkPermission(SecurityService.java:135) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.AbstractSession.hasPermission(AbstractSession.java:300) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.AbstractSession.hasPermission(AbstractSession.java:296) ~[nuxeo-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl.getExistingUserWorkspace(AbstractUserWorkspaceImpl.java:278) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl.getCurrentUserPersonalWorkspace(AbstractUserWorkspaceImpl.java:242) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl$UnrestrictedUserWorkspaceFinder.run(AbstractUserWorkspaceImpl.java:428) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.UnrestrictedSessionRunner.runUnrestricted(UnrestrictedSessionRunner.java:137) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at org.nuxeo.ecm.platform.userworkspace.core.service.AbstractUserWorkspaceImpl.getUserPersonalWorkspace(AbstractUserWorkspaceImpl.java:311) ~[nuxeo-platform-userworkspace-core-10.10-HF23.jar:?]
       at org.nuxeo.ecm.user.center.profile.UserProfileServiceImpl.getUserProfileDocument(UserProfileServiceImpl.java:98) ~[nuxeo-user-profile-10.10.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl.lambda$getExpirationInfo$18(TenantManagementServiceImpl.java:409) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl$$Lambda$2711/1630972751.apply(Unknown Source) ~[?:?]
       at org.nuxeo.ecm.core.api.CoreInstance$1.run(CoreInstance.java:186) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.UnrestrictedSessionRunner.runUnrestricted(UnrestrictedSessionRunner.java:137) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at org.nuxeo.ecm.core.api.CoreInstance.doPrivileged(CoreInstance.java:188) ~[nuxeo-core-api-10.10-HF23.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl.getExpirationInfo(TenantManagementServiceImpl.java:401) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.TenantManagementServiceImpl.getTenantsWhereUserIsDisabled(TenantManagementServiceImpl.java:323) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at com.warnerbros.nuxeo.tenant.management.core.DisabledUserSecurityPolicy.checkPermission(DisabledUserSecurityPolicy.java:30) ~[com-warnerbros-nuxeo-bundle-bootstrap-backend-10.10-DEVELOP-SNAPSHOT.jar:?]
       at org.nuxeo.ecm.core.security.SecurityPolicyServiceImpl.checkPermission(SecurityPolicyServiceImpl.java:161) ~[nuxeo-core-10.10-HF23.jar:?]
      

      The change that caused this to fail is the fact that the above commit is now forcing a check on the EVERYTHING permission with the principal owning the workspace if "null" is passed (as opposed to a check on the principal fetched from the session, as before). This will trigger an infinite loop, as our custom security policy will try to fetch this document (since the UserProfileDocument is stored in the personal workspace) to resolve that check.

      This method is actually invoked by UnrestrictedUserWorkspaceFinder#getCurrentUserPersonalWorkspace(null, userName, session), so it will fall into the case above.

      We should be able to fetch this workspace with an unrestricted session with no checks as before.

      A backport to 9.10 could be needed.
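
The cycle described above, reduced to a self-contained model (an added example, not Nuxeo code and not the reporter's policy). All class and method names are hypothetical, and treating a null principal as "skip the check" is an assumption about one way to restore the earlier behaviour, not the actual fix.

```java
import java.util.function.BinaryOperator;

// Self-contained model; every name here is hypothetical.
public class ReentrantPermissionCheckDemo {

    static final int MAX_DEPTH = 20; // stop the demo long before a StackOverflowError
    static int depth;
    static BinaryOperator<String> lookup; // (principal, userName) -> workspace path or null

    // Stand-in for a custom security policy: to decide, it loads the user's
    // profile document, which is stored in the personal workspace. It passes a
    // null principal, as an internal lookup from an unrestricted session would.
    static boolean policyCheck(String principal, String permission) {
        return lookup.apply(null, principal) != null;
    }

    // Regressed behaviour: a null principal is replaced by the workspace owner
    // and an EVERYTHING check runs, which re-enters the policy.
    static String lookupWithForcedCheck(String principal, String userName) {
        if (++depth > MAX_DEPTH) {
            throw new IllegalStateException("permission check re-entered " + MAX_DEPTH + " times");
        }
        String checked = (principal != null) ? principal : userName;
        return policyCheck(checked, "EVERYTHING") ? workspacePath(userName) : null;
    }

    // Assumed restored behaviour: a null principal marks an unrestricted internal
    // call, so no permission check runs and the policy is not re-entered.
    static String lookupUnchecked(String principal, String userName) {
        if (principal != null && !policyCheck(principal, "EVERYTHING")) {
            return null;
        }
        return workspacePath(userName);
    }

    static String workspacePath(String userName) {
        return "/UserWorkspaces/" + userName; // constructed sample path
    }

    public static void main(String[] args) {
        lookup = ReentrantPermissionCheckDemo::lookupWithForcedCheck;
        try {
            lookup.apply(null, "jdoe"); // constructed user name
        } catch (IllegalStateException e) {
            System.out.println("forced check: " + e.getMessage());
        }
        lookup = ReentrantPermissionCheckDemo::lookupUnchecked;
        System.out.println("unchecked:    " + lookup.apply("jdoe", "jdoe"));
    }
}
```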
