cziegeler closed pull request #6: SLING-3524: Allow distinguishing cloning from normal login in providers. URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/6
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/pom.xml b/pom.xml index 2d9af60..b2094b9 100644 --- a/pom.xml +++ b/pom.xml @@ -110,7 +110,7 @@ <dependency> <groupId>org.apache.sling</groupId> <artifactId>org.apache.sling.api</artifactId> - <version>2.18.0</version> + <version>2.18.1-SNAPSHOT</version> <scope>provided</scope> </dependency> <dependency> diff --git a/src/main/java/org/apache/sling/resourceresolver/impl/CommonResourceResolverFactoryImpl.java b/src/main/java/org/apache/sling/resourceresolver/impl/CommonResourceResolverFactoryImpl.java index 8cef27d..11c6b24 100644 --- a/src/main/java/org/apache/sling/resourceresolver/impl/CommonResourceResolverFactoryImpl.java +++ b/src/main/java/org/apache/sling/resourceresolver/impl/CommonResourceResolverFactoryImpl.java @@ -62,6 +62,8 @@ private static final Logger LOG = LoggerFactory.getLogger(CommonResourceResolverFactoryImpl.class); + private static final String[] FORBIDDEN_AUTH_INFO_KEYS = {ResourceProvider.AUTH_CLONE}; + /** Helper for the resource resolver. */ private MapEntriesHandler mapEntries = MapEntriesHandler.EMPTY; @@ -129,6 +131,32 @@ public void run() { } // ---------- Resource Resolver Factory ------------------------------------ + + /** + * Sanitize the authentication info passed from external code. This method will always make a defensive + * copy of the argument, also making sure that the copy is mutable. Nulls are turned into empty (mutable) maps. + * Keys that are used to communicate with resource providers are removed from the copy, and optionally + * other keys can be removed as well. + * @param authenticationInfo The authentication info to sanitize, may be null. + * @param extraForbiddenKeys Keys that should be removed from the returned copy. + * @return A sanitized mutable map. + */ + @Nonnull + static Map<String, Object> sanitizeAuthenticationInfo(Map<String, Object> authenticationInfo, String... extraForbiddenKeys) { + if (authenticationInfo == null) { + // nothing to sanitize, just return an empty mutable map + return new HashMap<>(); + } else { + Map<String, Object> sanitized = new HashMap<>(authenticationInfo); + for (String key : FORBIDDEN_AUTH_INFO_KEYS) { + sanitized.remove(key); + } + for (String key : extraForbiddenKeys) { + sanitized.remove(key); + } + return sanitized; + } + } /** * @see org.apache.sling.api.resource.ResourceResolverFactory#getAdministrativeResourceResolver(java.util.Map) @@ -139,15 +167,10 @@ public ResourceResolver getAdministrativeResourceResolver(final Map<String, Obje throws LoginException { checkIsLive(); - // create a copy of the passed authentication info as we modify the map - final Map<String, Object> authenticationInfo = new HashMap<>(); + // make sure there is no leaking of service info props + // (but the bundle info is passed on as we need it downstream) + final Map<String, Object> authenticationInfo = sanitizeAuthenticationInfo(passedAuthenticationInfo, SUBSERVICE); authenticationInfo.put(ResourceProvider.AUTH_ADMIN, Boolean.TRUE); - if ( passedAuthenticationInfo != null ) { - authenticationInfo.putAll(passedAuthenticationInfo); - // make sure there is no leaking of service info props - // (but the bundle info is passed on as we need it downstream) - authenticationInfo.remove(SUBSERVICE); - } return getResourceResolverInternal(authenticationInfo, true); } @@ -161,14 +184,8 @@ public ResourceResolver getResourceResolver(final Map<String, Object> passedAuth throws LoginException { checkIsLive(); - // create a copy of the passed authentication info as we modify the map - final Map<String, Object> authenticationInfo = new HashMap<>(); - if ( passedAuthenticationInfo != null ) { - authenticationInfo.putAll(passedAuthenticationInfo); - // make sure there is no leaking of service bundle and info props - authenticationInfo.remove(ResourceProvider.AUTH_SERVICE_BUNDLE); - authenticationInfo.remove(SUBSERVICE); - } + // make sure there is no leaking of service bundle and info props + final Map<String, Object> authenticationInfo = sanitizeAuthenticationInfo(passedAuthenticationInfo, ResourceProvider.AUTH_SERVICE_BUNDLE, SUBSERVICE); final ResourceResolver result = getResourceResolverInternal(authenticationInfo, false); Stack<WeakReference<ResourceResolver>> resolverStack = resolverStackHolder.get(); @@ -391,9 +408,10 @@ public ResourceAccessSecurityTracker getResourceAccessSecurityTracker () { @Nonnull @Override public ResourceResolver getServiceResourceResolver( - final Map<String, Object> authenticationInfo) throws LoginException { + final Map<String, Object> passedAuthenticationInfo) throws LoginException { checkIsLive(); + Map<String, Object> authenticationInfo = sanitizeAuthenticationInfo(passedAuthenticationInfo); return getResourceResolverInternal(authenticationInfo, false); } diff --git a/src/main/java/org/apache/sling/resourceresolver/impl/ResourceResolverFactoryImpl.java b/src/main/java/org/apache/sling/resourceresolver/impl/ResourceResolverFactoryImpl.java index f0f466c..4b9c6f6 100644 --- a/src/main/java/org/apache/sling/resourceresolver/impl/ResourceResolverFactoryImpl.java +++ b/src/main/java/org/apache/sling/resourceresolver/impl/ResourceResolverFactoryImpl.java @@ -63,17 +63,9 @@ public ResourceResolverFactoryImpl( */ @Override public ResourceResolver getServiceResourceResolver(final Map<String, Object> passedAuthenticationInfo) throws LoginException { - // create a copy of the passed authentication info as we modify the map - final Map<String, Object> authenticationInfo = new HashMap<>(); - final String subServiceName; - if ( passedAuthenticationInfo != null ) { - authenticationInfo.putAll(passedAuthenticationInfo); - authenticationInfo.remove(PASSWORD); - final Object info = passedAuthenticationInfo.get(SUBSERVICE); - subServiceName = (info instanceof String) ? (String) info : null; - } else { - subServiceName = null; - } + final Map<String, Object> authenticationInfo = CommonResourceResolverFactoryImpl.sanitizeAuthenticationInfo(passedAuthenticationInfo, PASSWORD); + final Object info = authenticationInfo.get(SUBSERVICE); + final String subServiceName = (info instanceof String) ? (String) info : null; // Ensure a mapped user or principal name(s): If no user/principal names is/are // defined for a bundle acting as a service, the user may be null. We can decide whether diff --git a/src/main/java/org/apache/sling/resourceresolver/impl/ResourceResolverImpl.java b/src/main/java/org/apache/sling/resourceresolver/impl/ResourceResolverImpl.java index 66eba96..4a825bf 100644 --- a/src/main/java/org/apache/sling/resourceresolver/impl/ResourceResolverImpl.java +++ b/src/main/java/org/apache/sling/resourceresolver/impl/ResourceResolverImpl.java @@ -59,6 +59,7 @@ import org.apache.sling.resourceresolver.impl.mapping.MapEntry; import org.apache.sling.resourceresolver.impl.params.ParsedParameters; import org.apache.sling.resourceresolver.impl.providers.ResourceProviderStorageProvider; +import org.apache.sling.spi.resource.provider.ResourceProvider; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -117,6 +118,7 @@ private ResourceResolverImpl(final ResourceResolverImpl resolver, final Map<Stri if (authenticationInfo != null) { authInfo.putAll(authenticationInfo); } + authInfo.put(ResourceProvider.AUTH_CLONE, true); this.context = new ResourceResolverContext(this, factory.getResourceAccessSecurityTracker()); this.control = createControl(factory.getResourceProviderTracker(), authInfo, resolver.control.isAdmin()); this.factory.register(this, control); ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services