Artifactory Binary Repository
RTFACT-14883

User plugin: System role is not dropped when exception occurs

    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: 5.3.2
    • Fix Version/s: None
    • Component/s: Plugins
    • Labels: None

      Description

      Consider the following plugin:

      enableUserProfile.groovy
      /*
       * Copyright (C) 2017 Motorola Solutions, Inc.
       *
       * Licensed under the Apache License, Version 2.0 (the "License");
       * you may not use this file except in compliance with the License.
       * You may obtain a copy of the License at
       *
       * http://www.apache.org/licenses/LICENSE-2.0
       *
       * Unless required by applicable law or agreed to in writing, software
       * distributed under the License is distributed on an "AS IS" BASIS,
       * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
       * See the License for the specific language governing permissions and
       * limitations under the License.
       */
      
      import org.artifactory.security.RealmPolicy
      
      realms {
          enableUserProfile(autoCreateUsers: false, realmPolicy: RealmPolicy.ADDITIVE) {
              authenticate { username, password ->
                  log.debug('Initial: Running as: {}', security.currentUsername) 
                  log.debug('In authenticate: user {}, profile enabled: {}', user.username, user.updatableProfile)
                  if (!user.updatableProfile) {
                      log.info('Enabling profile editing for user: {}', user.username)
                      user.updatableProfile = true
                      try {
                          asSystem {
                              log.debug('Switching context: Running as: {}', security.currentUsername)
                      throw new Exception('Failing intentionally!')
                              security.updateUser(user)
                          }
                      } catch(Exception e) {
                          log.warn('Failed to enable profile for user {}: {}', user.username, e.message)
                      }
                  }
                  log.debug('Finalizing: Running as: {}', security.currentUsername) 
                  return true
              }
      
              userExists { username ->
                  log.debug('In userExists: username {}', username)
                  return true
              }
          }
      }
      
      artifactory.log
      2017-08-31 14:36:49,109 [http-nio-8081-exec-5] [DEBUG] (enableUserProfile   :22) - Initial: Running as: test-user
      2017-08-31 14:36:49,113 [http-nio-8081-exec-5] [DEBUG] (enableUserProfile   :23) - In authenticate: user test-user, profile enabled: false
      2017-08-31 14:36:49,117 [http-nio-8081-exec-5] [INFO ] (enableUserProfile   :25) - Enabling profile editing for user: test-user
      2017-08-31 14:36:49,150 [http-nio-8081-exec-5] [DEBUG] (enableUserProfile   :29) - Switching context: Running as: _system_
      2017-08-31 14:36:49,176 [http-nio-8081-exec-5] [WARN ] (enableUserProfile   :34) - Failed to enable profile for user test-user: Failing intentionally!
      2017-08-31 14:36:49,180 [http-nio-8081-exec-5] [DEBUG] (enableUserProfile   :37) - Finalizing: Running as: _system_ 
      

      Note that when an exception is thrown within the `asSystem` block, the system role is not dropped even though execution has left the `asSystem` scope: the rest of the request runs elevated as the system account and can perform any action. This is not what one would expect from the code.
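      A defensive rewrite of the plugin above, added here as an example (it is neither the reporter's submission nor Artifactory's own code): the try/catch is moved inside the `asSystem` closure so the closure always completes normally and the role switch-back runs, and the caller's identity is re-checked after the block. It relies on the same bindings the original plugin relies on (`security`, `asSystem`, `log`, `user`); the `caller` variable and the post-condition check are the additions.

```groovy
import org.artifactory.security.RealmPolicy

realms {
    enableUserProfile(autoCreateUsers: false, realmPolicy: RealmPolicy.ADDITIVE) {
        authenticate { username, password ->
            // Remember who the request is running as before any elevation.
            String caller = security.currentUsername
            log.debug('Initial: Running as: {}', caller)

            if (!user.updatableProfile) {
                log.info('Enabling profile editing for user: {}', user.username)
                user.updatableProfile = true
                // Keep the try/catch INSIDE the asSystem closure. The closure then
                // exits normally on every path, so asSystem's own switch-back to the
                // original principal is reached even when updateUser fails.
                asSystem {
                    try {
                        security.updateUser(user)
                    } catch (Exception e) {
                        log.warn('Failed to enable profile for user {}: {}', user.username, e.message)
                    }
                }
            }

            // Post-condition: the request must leave this block as the original caller.
            // The plugin cannot drop the role itself, so it fails this realm's
            // authentication and logs loudly instead of continuing as _system_.
            if (security.currentUsername != caller) {
                log.error('Privilege context not restored: expected {}, running as {}',
                          caller, security.currentUsername)
                return false
            }
            log.debug('Finalizing: Running as: {}', security.currentUsername)
            return true
        }

        userExists { username ->
            log.debug('In userExists: username {}', username)
            return true
        }
    }
}
```

      Two caveats: catching `Exception` does not stop a `Throwable` such as an `Error` from escaping the closure, so this only narrows the leak rather than closing it; and the post-check can detect an elevated request but, with no API on this page to drop the role, cannot undo it. Only a `finally`-based switch-back inside `asSystem` itself covers every exit path.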

      Please update the `asSystem` implementation to drop the system role even when the block is exited through an exception.
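      A stand-alone Groovy model of the requested fix, added here as an example. It is not Artifactory's `asSystem` and does not reproduce its internals; `PrincipalContext`, `asSystemLeaky` and `asSystemSafe` are assumed names that only model a thread-bound "current principal" and a scoped elevation helper. The leaky shape restores the caller only on the normal return path, which is the behaviour the log above shows; the safe shape restores it in `finally`, so the role is dropped on every exit path.

```groovy
// Model of a request-scoped security context: one current principal per thread.
class PrincipalContext {
    private static final ThreadLocal<String> CURRENT = ThreadLocal.withInitial { 'anonymous' }
    static String current() { CURRENT.get() }
    static void set(String name) { CURRENT.set(name) }
}

// Leaky shape: the switch-back sits after the call, so an exception skips it.
def asSystemLeaky(Closure body) {
    String previous = PrincipalContext.current()
    PrincipalContext.set('_system_')
    def result = body.call()
    PrincipalContext.set(previous)      // never reached when body throws
    return result
}

// Fixed shape: the switch-back lives in finally, so it runs on every exit path
// (normal return, early return, exception, and Error).
def asSystemSafe(Closure body) {
    String previous = PrincipalContext.current()
    PrincipalContext.set('_system_')
    try {
        return body.call()
    } finally {
        PrincipalContext.set(previous)
    }
}

// Reproduce the report: the caller is test-user, the elevated block fails.
PrincipalContext.set('test-user')
try {
    asSystemLeaky { throw new Exception('Failing intentionally!') }
} catch (Exception e) {
    println "leaky: after exception running as ${PrincipalContext.current()}"
}
assert PrincipalContext.current() == '_system_'   // the bug: request is now system

PrincipalContext.set('test-user')
try {
    asSystemSafe { throw new Exception('Failing intentionally!') }
} catch (Exception e) {
    println "safe:  after exception running as ${PrincipalContext.current()}"
}
assert PrincipalContext.current() == 'test-user'  // role dropped despite the exception

// The safe shape also passes the block's result through on the normal path.
assert asSystemSafe { PrincipalContext.current() } == '_system_'
assert PrincipalContext.current() == 'test-user'
```

      The assertions are the check a reviewer of the real fix would want: after an exception escapes the block, the thread's principal must equal what it was before the call, and the value returned by the block must still reach the caller.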

            People

            • Assignee: Unassigned
            • Reporter: akm022 Krzysztof Malinowski