This is an automated email from the ASF dual-hosted git repository. heneveld pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git
The following commit(s) were added to refs/heads/master by this push: new 856b8a0 Controllin ADD_JAVA and ADD_CATALOG entitlements in BundleResource new 7359f19 This closes #1219 856b8a0 is described below commit 856b8a098de089931ee1944eccd341c9b28fe70d Author: Juan Cabrerizo <j...@cloudsoft.io> AuthorDate: Tue Aug 10 15:12:14 2021 +0100 Controllin ADD_JAVA and ADD_CATALOG entitlements in BundleResource
---
 .../brooklyn/rest/resources/BundleResource.java | 14 ++++++--
 .../brooklyn/rest/resources/CatalogResource.java | 18 ++--------
 .../rest/resources/CatalogResourceTest.java | 25 --------------
 .../java/org/apache/brooklyn/util/io/FileUtil.java | 18 ++++++++++
 .../org/apache/brooklyn/util/io/FileUtilTest.java | 38 ++++++++++++++++++---
 .../brooklyn/files}/testNoJava-0.1.0-SNAPSHOT.jar | Bin
 .../files}/testWithJava-0.1.0-SNAPSHOT.jar | Bin
 7 files changed, 65 insertions(+), 48 deletions(-)
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/BundleResource.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/BundleResource.java
index c3650a4..824195a 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/BundleResource.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/BundleResource.java
@@ -50,6 +50,7 @@ import org.apache.brooklyn.rest.util.WebResourceUtils;
 import org.apache.brooklyn.util.collections.MutableList;
 import org.apache.brooklyn.util.exceptions.Exceptions;
 import org.apache.brooklyn.util.exceptions.ReferenceWithError;
+import org.apache.brooklyn.util.io.FileUtil;
 import org.apache.brooklyn.util.osgi.VersionedName;
 import org.apache.brooklyn.util.osgi.VersionedName.VersionedNameComparator;
 import org.apache.brooklyn.util.stream.InputStreamSource;
@@ -209,14 +210,21 @@ public class BundleResource extends AbstractBrooklynRestResource implements Bund @Override @Deprecated public Response create(byte[] contents, String format, Boolean force) { - if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.ROOT, null)) { - throw WebResourceUtils.forbidden("User '%s' is not authorized to add catalog items", + InputStreamSource source = InputStreamSource.of("REST bundle upload", contents); + if(!BrooklynBomYamlCatalogBundleResolver.FORMAT.equals(format) && FileUtil.isJava(source)){ + if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.ADD_JAVA, null)) { + throw WebResourceUtils.forbidden("User '%s' is not authorized to add catalog item containing java classes", + Entitlements.getEntitlementContext().user()); + } + } + if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.ADD_CATALOG_ITEM, null)) { + throw WebResourceUtils.forbidden("User '%s' is not authorized to add catalog item", Entitlements.getEntitlementContext().user()); } if (force==null) force = false; ReferenceWithError<OsgiBundleInstallationResult> result = ((ManagementContextInternal)mgmt()).getOsgiManager().get() - .install(InputStreamSource.of("REST bundle upload", contents), format, force); + .install(source, format, force); if (result.hasError()) { // (rollback already done as part of install, if necessary) diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/CatalogResource.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/CatalogResource.java index 9bb88d9..35fd1c7 100644 --- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/CatalogResource.java +++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/CatalogResource.java 
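Review bot: In the new `create` body the uploaded bytes are scanned by `FileUtil.isJava(source)` before any entitlement has been verified, because the ADD_JAVA block sits above the general check; putting `if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.ADD_CATALOG_ITEM, null))` first means a caller without that entitlement is rejected before the server parses the archive. The endpoint also moves from requiring `Entitlements.ROOT` to a decision that depends on a content scan, and that scan is skipped whenever the caller-supplied `format` equals `BrooklynBomYamlCatalogBundleResolver.FORMAT`; this is safe only if installation under that format cannot bring in classes, which this hunk does not show. The same pair of checks now lives in `CatalogResource.create` as well, so a shared helper would keep the two endpoints from drifting apart. The body of `create` continues past the end of the hunk.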
@@ -66,6 +66,7 @@ import org.apache.brooklyn.util.collections.MutableSet; import org.apache.brooklyn.util.core.ResourceUtils; import org.apache.brooklyn.util.exceptions.Exceptions; import org.apache.brooklyn.util.exceptions.ReferenceWithError; +import org.apache.brooklyn.util.io.FileUtil; import org.apache.brooklyn.util.stream.InputStreamSource; import org.apache.brooklyn.util.text.StringPredicates; import org.apache.brooklyn.util.text.Strings; @@ -146,7 +147,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements Cat @Override public Response create(byte[] archive, String format, boolean detail, boolean itemDetails, boolean forceUpdate) { InputStreamSource source = InputStreamSource.of("REST bundle upload", archive); - if(!BrooklynBomYamlCatalogBundleResolver.FORMAT.equals(format) && isJava(source)){ + if(!BrooklynBomYamlCatalogBundleResolver.FORMAT.equals(format) && FileUtil.isJava(source)){ if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.ADD_JAVA, null)) { throw WebResourceUtils.forbidden("User '%s' is not authorized to add catalog item containing java classes", Entitlements.getEntitlementContext().user()); @@ -191,21 +192,6 @@ public class CatalogResource extends AbstractBrooklynRestResource implements Cat return Response.status(status).entity( detail ? resultR : resultR.getTypes() ).build(); } - @VisibleForTesting - protected boolean isJava(InputStreamSource archive) { - try { - ZipInputStream zipIS = new ZipInputStream(archive.get()); - for (ZipEntry entry = zipIS.getNextEntry(); entry != null; entry = zipIS.getNextEntry()) { - if (!entry.isDirectory() && (entry.getName().endsWith(".class") || entry.getName().endsWith(".jar"))) { - return true; - } - } - }catch (Exception e){ - log.debug("Error analyzing file to be added as a bundle", e); - } - return false; - } - @Override @Deprecated public void deleteApplication(String symbolicName, String version) throws Exception { 
diff --git a/rest/rest-resources/src/test/java/org/apache/brooklyn/rest/resources/CatalogResourceTest.java b/rest/rest-resources/src/test/java/org/apache/brooklyn/rest/resources/CatalogResourceTest.java index adbbc5c..9bbeb40 100644 --- a/rest/rest-resources/src/test/java/org/apache/brooklyn/rest/resources/CatalogResourceTest.java +++ b/rest/rest-resources/src/test/java/org/apache/brooklyn/rest/resources/CatalogResourceTest.java @@ -1295,32 +1295,7 @@ public class CatalogResourceTest extends BrooklynRestResourceTest { .applyAsserts(() -> client()); } - @Test - public void testIsJavaFileNull(){ - CatalogResource cut = new CatalogResource(); - assertFalse(cut.isJava(null)); - } - - @Test - public void testIsJavaFileText() throws IOException { - CatalogResource cut = new CatalogResource(); - byte[] bytes = java.nio.file.Files.readAllBytes(Paths.get(this.getClass().getClassLoader().getResource("brooklyn/scanning.catalog.bom").getPath())); - assertFalse(cut.isJava(InputStreamSource.of("Test bom file", bytes))); - } - @Test - public void testIsJavaNoClassesJar() throws IOException { - CatalogResource cut = new CatalogResource(); - byte[] bytes = java.nio.file.Files.readAllBytes(Paths.get(this.getClass().getClassLoader().getResource("brooklyn/rest/resources/testNoJava-0.1.0-SNAPSHOT.jar").getPath())); - assertFalse(cut.isJava(InputStreamSource.of("Test Jar without Java classes", bytes))); - } - - @Test - public void testIsJavaWithClassesJar() throws IOException { - CatalogResource cut = new CatalogResource(); - byte[] bytes = java.nio.file.Files.readAllBytes(Paths.get(this.getClass().getClassLoader().getResource("brooklyn/rest/resources/testWithJava-0.1.0-SNAPSHOT.jar").getPath())); - assertTrue(cut.isJava(InputStreamSource.of("Test JAR with Java classes", bytes))); - } enum CatalogItemType { APPLICATION("applications", CatalogEntitySummary.class), 
diff --git a/utils/common/src/main/java/org/apache/brooklyn/util/io/FileUtil.java b/utils/common/src/main/java/org/apache/brooklyn/util/io/FileUtil.java index 176ad82..525ad4d 100644 --- a/utils/common/src/main/java/org/apache/brooklyn/util/io/FileUtil.java +++ b/utils/common/src/main/java/org/apache/brooklyn/util/io/FileUtil.java @@ -26,10 +26,13 @@ import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; import java.util.List; +import java.util.zip.ZipEntry; +import java.util.zip.ZipInputStream; import org.apache.brooklyn.util.exceptions.Exceptions; import org.apache.brooklyn.util.guava.Maybe; import org.apache.brooklyn.util.os.Os; +import org.apache.brooklyn.util.stream.InputStreamSource; import org.apache.brooklyn.util.stream.StreamGobbler; import org.apache.brooklyn.util.stream.Streams; import org.apache.commons.io.FileUtils; @@ -39,6 +42,7 @@ import org.slf4j.LoggerFactory; import com.google.common.annotations.Beta; import com.google.common.collect.ImmutableList; + public class FileUtil { private static final Logger LOG = LoggerFactory.getLogger(FileUtil.class); @@ -201,4 +205,18 @@ public class FileUtil { } } } + + public static boolean isJava(InputStreamSource archive) { + try { + ZipInputStream zipIS = new ZipInputStream(archive.get()); + for (ZipEntry entry = zipIS.getNextEntry(); entry != null; entry = zipIS.getNextEntry()) { + if (!entry.isDirectory() && (entry.getName().endsWith(".class") || entry.getName().endsWith(".jar"))) { + return true; + } + } + }catch (Exception e){ + LOG.debug("Error analyzing file to be added as a bundle", e); + } + return false; + } } diff --git a/utils/common/src/test/java/org/apache/brooklyn/util/io/FileUtilTest.java b/utils/common/src/test/java/org/apache/brooklyn/util/io/FileUtilTest.java index be8a33c..db16672 100644 --- a/utils/common/src/test/java/org/apache/brooklyn/util/io/FileUtilTest.java +++ b/utils/common/src/test/java/org/apache/brooklyn/util/io/FileUtilTest.java 
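Review bot: `isJava` fails open: any exception raised while reading the archive is logged at debug and the method returns false, so in `BundleResource.create` and `CatalogResource.create` an upload that cannot be scanned skips the ADD_JAVA check. Because the result gates an entitlement, a scan that does not complete should count as "may contain Java" and be logged at warn, with the null source handled explicitly so `testIsJavaFileNull` keeps its result; as far as I can tell a non-zip payload yields no entries rather than an exception, so the text-file test should be unaffected, but confirm by running `FileUtilTest`. The `ZipInputStream` is never closed, which try-with-resources fixes. The method is now public and has no Javadoc; it should state that detection is by entry-name suffix only (`.class` or `.jar`, case-sensitive) and does not inspect entry contents.

```java
public static boolean isJava(InputStreamSource archive) {
    if (archive == null) {
        return false;
    }
    try (ZipInputStream zipIS = new ZipInputStream(archive.get())) {
        // … unchanged: loop over entries, return true on a .class or .jar name …
        return false;
    } catch (Exception e) {
        // A scan that cannot complete must not clear the upload as Java-free.
        LOG.warn("Could not scan uploaded archive for Java content; treating it as containing Java", e);
        return true;
    }
}
```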
@@ -18,13 +18,12 @@ */ package org.apache.brooklyn.util.io; -import static org.testng.Assert.assertEquals; -import static org.testng.Assert.assertFalse; - import java.io.File; +import java.io.IOException; +import java.nio.file.Paths; -import org.apache.brooklyn.util.io.FileUtil; import org.apache.brooklyn.util.os.Os; +import org.apache.brooklyn.util.stream.InputStreamSource; import org.testng.annotations.AfterMethod; import org.testng.annotations.BeforeMethod; import org.testng.annotations.Test; @@ -33,6 +32,8 @@ import com.google.common.base.Charsets; import com.google.common.collect.ImmutableList; import com.google.common.io.Files; +import static org.testng.Assert.*; + public class FileUtilTest { private File file; 
@@ -115,4 +116,33 @@ public class FileUtilTest {
 FileUtil.setFilePermissionsTo700(file);
 FileUtil.setFilePermissionsTo700(file);
 }
+
+ @Test
+ public void testIsJavaFileNull(){
+ assertFalse(FileUtil.isJava(null));
+ }
+
+ @Test
+ public void testIsJavaFileText() throws IOException {
+ byte[] bytes = java.nio.file.Files.readAllBytes(Paths.get(this.getClass().getClassLoader().getResource("brooklyn/osgi/brooklyn-osgi-test-a_0.1.0.txt").getPath()));
+ assertFalse(FileUtil.isJava(InputStreamSource.of("Test bom file", bytes)));
+ }
+
+ @Test
+ public void testIsJavaNoClassesJar() throws IOException {
+ byte[] bytes = java.nio.file.Files.readAllBytes(Paths.get(this.getClass().getClassLoader().getResource("brooklyn/files/testNoJava-0.1.0-SNAPSHOT.jar").getPath()));
+ assertFalse(FileUtil.isJava(InputStreamSource.of("Test Jar without Java classes", bytes)));
+ }
+
+ @Test
+ public void testIsFakeJavaWithClassesJar() throws IOException {
+ byte[] bytes = java.nio.file.Files.readAllBytes(Paths.get(this.getClass().getClassLoader().getResource("brooklyn/files/testWithJava-0.1.0-SNAPSHOT.jar").getPath()));
+ assertTrue(FileUtil.isJava(InputStreamSource.of("Test fail JAR with files renamed as .class", bytes)));
+ }
+
+ @Test
+ public void testIsRealJavaFileText() throws IOException {
+ byte[] bytes = java.nio.file.Files.readAllBytes(Paths.get(this.getClass().getClassLoader().getResource("brooklyn/osgi/brooklyn-osgi-test-a_0.1.0.jar").getPath()));
+ assertTrue(FileUtil.isJava(InputStreamSource.of("Test real JAR with Java classes", bytes)));
+ }
 }
diff --git a/rest/rest-resources/src/test/resources/brooklyn/rest/resources/testNoJava-0.1.0-SNAPSHOT.jar b/utils/common/src/test/resources/brooklyn/files/testNoJava-0.1.0-SNAPSHOT.jar
similarity index 100%
rename from rest/rest-resources/src/test/resources/brooklyn/rest/resources/testNoJava-0.1.0-SNAPSHOT.jar
rename to utils/common/src/test/resources/brooklyn/files/testNoJava-0.1.0-SNAPSHOT.jar
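Review bot: None of the added tests reaches the `catch` branch of `FileUtil.isJava`, so the result for a truncated or otherwise unreadable archive, which decides whether the ADD_JAVA check is applied, is not pinned; a test that feeds a damaged zip and asserts the intended result would close that gap. `testIsRealJavaFileText` loads a `.jar` rather than a text file, and the label "Test fail JAR with files renamed as .class" in `testIsFakeJavaWithClassesJar` looks like a typo for "fake"; clearer names would document that detection goes by entry name only. `getResource(...).getPath()` returns a URL-encoded path and fails when the checkout directory contains spaces; `Paths.get(getClass().getClassLoader().getResource(name).toURI())` avoids that, with the test then declaring `throws Exception`.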
diff --git a/rest/rest-resources/src/test/resources/brooklyn/rest/resources/testWithJava-0.1.0-SNAPSHOT.jar b/utils/common/src/test/resources/brooklyn/files/testWithJava-0.1.0-SNAPSHOT.jar
similarity index 100%
rename from rest/rest-resources/src/test/resources/brooklyn/rest/resources/testWithJava-0.1.0-SNAPSHOT.jar
rename to utils/common/src/test/resources/brooklyn/files/testWithJava-0.1.0-SNAPSHOT.jar