[RTFACT-14883] User plugin: System role is not dropped when exception occurs Created: 31/Aug/17  Updated: 25/May/18

Status: Open
Project: Artifactory Binary Repository
Component/s: Plugins
Affects Version/s: 5.3.2
Fix Version/s: None

Type: Bug Priority: Normal
Reporter: Krzysztof Malinowski Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None


 Description   

Consider the following plugin:

enableUserProfile.groovy
/*
 * Copyright (C) 2017 Motorola Solutions, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

import org.artifactory.security.RealmPolicy

realms {
    enableUserProfile(autoCreateUsers: false, realmPolicy: RealmPolicy.ADDITIVE) {
        authenticate { username, password ->
            log.debug('Initial: Running as: {}', security.currentUsername) 
            log.debug('In authenticate: user {}, profile enabled: {}', user.username, user.updatableProfile)
            if (!user.updatableProfile) {
                log.info('Enabling profile editing for user: {}', user.username)
                user.updatableProfile = true
                try {
                    asSystem {
                        log.debug('Switching context: Running as: {}', security.currentUsername)
			throw new Exception('Failing intentionally!')
                        security.updateUser(user)
                    }
                } catch(Exception e) {
                    log.warn('Failed to enable profile for user {}: {}', user.username, e.message)
                }
            }
            log.debug('Finalizing: Running as: {}', security.currentUsername) 
            return true
        }

        userExists { username ->
            log.debug('In userExists: username {}', username)
            return true
        }
    }
}
artifactory.log
2017-08-31 14:36:49,109 [http-nio-8081-exec-5] [DEBUG] (enableUserProfile   :22) - Initial: Running as: test-user
2017-08-31 14:36:49,113 [http-nio-8081-exec-5] [DEBUG] (enableUserProfile   :23) - In authenticate: user test-user, profile enabled: false
2017-08-31 14:36:49,117 [http-nio-8081-exec-5] [INFO ] (enableUserProfile   :25) - Enabling profile editing for user: test-user
2017-08-31 14:36:49,150 [http-nio-8081-exec-5] [DEBUG] (enableUserProfile   :29) - Switching context: Running as: _system_
2017-08-31 14:36:49,176 [http-nio-8081-exec-5] [WARN ] (enableUserProfile   :34) - Failed to enable profile for user test-user: Failing intentionally!
2017-08-31 14:36:49,180 [http-nio-8081-exec-5] [DEBUG] (enableUserProfile   :37) - Finalizing: Running as: _system_ 

Note that when exception happens within `asSystem` block, system role is not dropped even though code execution exits `asSystem` scope and the whole request gets elevated to system account allowing it to perform any action. This is not something that one would expect from the code.

Please update `asSystem` implementation to drop system role even when the block is exited through exception.



 Comments   
Comment by Yehuda Hadad [ 14/May/18 ]

Hi Krzysztof,

 

Thank you for reporting this issue, you are welcome to watch and vote for this JIRA ticket in order to get updated with the issue resolution progress.

Generated at Tue Jan 21 12:22:35 UTC 2020 using JIRA 7.6.16#76018-sha1:9ed376192612a49536ac834c64177a0fed6290f5.