From 32b034164939a1d847b0c2f470e96032ff8bbe12 Mon Sep 17 00:00:00 2001 From: Johannes Schnatterer Date: Thu, 20 Dec 2018 17:56:28 +0100 Subject: [PATCH] Security System: Query permission.xmls from uber classloader. Allows for finding permission.xmls from plugins. Adds an examplary permission.xml for git plugin. --- .../resources/META-INF/scm/permissions.xml | 48 +++++++++++++++++++ .../scm/security/DefaultSecuritySystem.java | 34 ++++++------- .../security/DefaultSecuritySystemTest.java | 35 +++++++------- 3 files changed, 82 insertions(+), 35 deletions(-) create mode 100644 scm-plugins/scm-git-plugin/src/main/resources/META-INF/scm/permissions.xml diff --git a/scm-plugins/scm-git-plugin/src/main/resources/META-INF/scm/permissions.xml b/scm-plugins/scm-git-plugin/src/main/resources/META-INF/scm/permissions.xml new file mode 100644 index 0000000000..a61077f61a --- /dev/null +++ b/scm-plugins/scm-git-plugin/src/main/resources/META-INF/scm/permissions.xml @@ -0,0 +1,48 @@ + + + + + + Git config (read) + Read access to git config + configuration:read:git + + + + Git config (write) + Write access to git config + configuration:write:git + + + diff --git a/scm-webapp/src/main/java/sonia/scm/security/DefaultSecuritySystem.java b/scm-webapp/src/main/java/sonia/scm/security/DefaultSecuritySystem.java index e93d4de597..780b3832bc 100644 --- a/scm-webapp/src/main/java/sonia/scm/security/DefaultSecuritySystem.java +++ b/scm-webapp/src/main/java/sonia/scm/security/DefaultSecuritySystem.java @@ -36,7 +36,6 @@ package sonia.scm.security; //~--- non-JDK imports -------------------------------------------------------- import com.github.legman.Subscribe; - import com.google.common.base.Preconditions; import com.google.common.base.Predicate; import com.google.common.base.Strings; 
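Review bot: In the new scm-git-plugin `permissions.xml`, the two advertised values `configuration:read:git` and `configuration:write:git` are not tied to any check visible in this commit. It is worth confirming that the git plugin's configuration endpoints enforce exactly these strings. A value that no code checks would appear assignable while granting nothing, and a spelling mismatch between descriptor and check would go unnoticed. A short XML comment next to each entry, naming the resource that enforces it, would make that link reviewable.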
@@ -44,30 +43,16 @@ import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableList.Builder; import com.google.inject.Inject; import com.google.inject.Singleton; - import org.apache.shiro.SecurityUtils; - import org.slf4j.Logger; import org.slf4j.LoggerFactory; - import sonia.scm.HandlerEventType; import sonia.scm.event.ScmEventBus; import sonia.scm.group.GroupEvent; +import sonia.scm.plugin.PluginLoader; import sonia.scm.store.ConfigurationEntryStore; import sonia.scm.store.ConfigurationEntryStoreFactory; import sonia.scm.user.UserEvent; -import sonia.scm.util.ClassLoaders; - -//~--- JDK imports ------------------------------------------------------------ - -import java.io.IOException; - -import java.net.URL; - -import java.util.Collections; -import java.util.Enumeration; -import java.util.List; -import java.util.Map.Entry; import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBException; @@ -75,6 +60,14 @@ import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlElement; import javax.xml.bind.annotation.XmlRootElement; +import java.io.IOException; +import java.net.URL; +import java.util.Collections; +import java.util.Enumeration; +import java.util.List; +import java.util.Map.Entry; + +//~--- JDK imports ------------------------------------------------------------ /** * TODO add events @@ -99,6 +92,8 @@ public class DefaultSecuritySystem implements SecuritySystem private static final Logger logger = LoggerFactory.getLogger(DefaultSecuritySystem.class); + private PluginLoader pluginLoader; + //~--- constructors --------------------------------------------------------- /** 
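Review bot: The `pluginLoader` field added in the last hunk on this line is assigned once in the constructor and not reassigned anywhere in the visible changes, so it should be `private final PluginLoader pluginLoader;`. Because the class is a `@Singleton` shared across request threads, `final` also guarantees the reference is safely published. A one-line field comment such as `/** supplies the uber classloader used to locate permission descriptors */` would tell the next reader why a security class depends on the plugin subsystem.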
@@ -109,12 +104,13 @@ public class DefaultSecuritySystem implements SecuritySystem */ @Inject @SuppressWarnings("unchecked") - public DefaultSecuritySystem(ConfigurationEntryStoreFactory storeFactory) + public DefaultSecuritySystem(ConfigurationEntryStoreFactory storeFactory, PluginLoader pluginLoader) { store = storeFactory .withType(AssignedPermission.class) .withName(NAME) .build(); + this.pluginLoader = pluginLoader; readAvailablePermissions(); } @@ -409,9 +405,9 @@ public class DefaultSecuritySystem implements SecuritySystem JAXBContext context = JAXBContext.newInstance(PermissionDescriptors.class); + // Querying permissions from uberClassLoader returns also the permissions from plugin Enumeration descirptorEnum = - ClassLoaders.getContextClassLoader( - DefaultSecuritySystem.class).getResources(PERMISSION_DESCRIPTOR); + pluginLoader.getUberClassLoader().getResources(PERMISSION_DESCRIPTOR); while (descirptorEnum.hasMoreElements()) { diff --git a/scm-webapp/src/test/java/sonia/scm/security/DefaultSecuritySystemTest.java b/scm-webapp/src/test/java/sonia/scm/security/DefaultSecuritySystemTest.java index 2ccdb2b28a..efae4b8ee5 100644 --- a/scm-webapp/src/test/java/sonia/scm/security/DefaultSecuritySystemTest.java +++ b/scm-webapp/src/test/java/sonia/scm/security/DefaultSecuritySystemTest.java 
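Review bot: The constructor stores `pluginLoader` without a null check and then immediately calls `readAvailablePermissions()`, which dereferences it. A missing or wrong binding would therefore fail inside descriptor loading rather than at the argument. `Preconditions` is already imported in this file, so `this.pluginLoader = Preconditions.checkNotNull(pluginLoader, "pluginLoader");` would report the problem at its source. The constructor Javadoc begins outside the hunk and presumably documents only `storeFactory`; a `@param pluginLoader` line describing its role should be added there.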
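Review bot: The new comment above the `getResources(PERMISSION_DESCRIPTOR)` call in `readAvailablePermissions` does not record the trust decision being made: every jar visible to the uber classloader can now extend the set of assignable permissions. Nothing in this hunk validates the descriptor values, so a plugin could presumably advertise a very broad Shiro permission string as an ordinary entry; whether later code filters them is not visible here. I would reword the comment to `// The uber classloader also sees plugin jars, so plugin-provided permissions.xml files extend the available permissions; their values are trusted as-is`. Logging each descriptor URL as it is read would also let an administrator trace which plugin contributed a permission. The method body starts and ends outside the hunk.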
@@ -35,26 +35,28 @@ package sonia.scm.security; //~--- non-JDK imports -------------------------------------------------------- import com.google.common.base.Predicate; - import org.apache.shiro.authz.UnauthorizedException; import org.apache.shiro.mgt.DefaultSecurityManager; import org.apache.shiro.realm.SimpleAccountRealm; - import org.junit.Before; import org.junit.Test; - +import org.mockito.InjectMocks; +import org.mockito.MockitoAnnotations; import sonia.scm.AbstractTestBase; +import sonia.scm.plugin.PluginLoader; import sonia.scm.store.JAXBConfigurationEntryStoreFactory; +import sonia.scm.util.ClassLoaders; import sonia.scm.util.MockUtil; -import static org.hamcrest.Matchers.*; +import java.util.List; +import static org.hamcrest.Matchers.containsInAnyOrder; +import static org.hamcrest.Matchers.greaterThan; import static org.junit.Assert.*; +import static org.mockito.Mockito.*; //~--- JDK imports ------------------------------------------------------------ -import java.util.List; - /** * * @author Sebastian Sdorra @@ -62,6 +64,12 @@ import java.util.List; public class DefaultSecuritySystemTest extends AbstractTestBase { + private JAXBConfigurationEntryStoreFactory jaxbConfigurationEntryStoreFactory; + private PluginLoader pluginLoader; + @InjectMocks + private DefaultSecuritySystem securitySystem; + + /** * Method description * 
@@ -69,12 +77,12 @@ public class DefaultSecuritySystemTest extends AbstractTestBase @Before public void createSecuritySystem() { - JAXBConfigurationEntryStoreFactory factory = - new JAXBConfigurationEntryStoreFactory(contextProvider , repositoryLocationResolver, new UUIDKeyGenerator() ); + jaxbConfigurationEntryStoreFactory = + spy(new JAXBConfigurationEntryStoreFactory(contextProvider , repositoryLocationResolver, new UUIDKeyGenerator() ) {}); + pluginLoader = mock(PluginLoader.class); + when(pluginLoader.getUberClassLoader()).thenReturn(ClassLoaders.getContextClassLoader(DefaultSecuritySystem.class)); - securitySystem = new DefaultSecuritySystem(factory); - - // ScmEventBus.getInstance().register(listener); + MockitoAnnotations.initMocks(this); } /** @@ -325,9 +333,4 @@ public class DefaultSecuritySystemTest extends AbstractTestBase setSubject(MockUtil.createUserSubject(sm)); } - - //~--- fields --------------------------------------------------------------- - - /** Field description */ - private DefaultSecuritySystem securitySystem; }
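Review bot: `createSecuritySystem` no longer constructs the system under test explicitly and instead relies on `@InjectMocks` (declared in the earlier hunk of this file). That appears to work only because Mockito picks up the unannotated `pluginLoader` mock and the factory wrapped in `spy(... {})`. If injection cannot resolve an argument, the failure is far less obvious than a compile error. A direct `securitySystem = new DefaultSecuritySystem(jaxbConfigurationEntryStoreFactory, pluginLoader);` with a plain factory would be clearer and would drop the need for the spy and the anonymous subclass. Separately, the mock returns the same context classloader the old code used, so no test covers a descriptor that is reachable only through the uber classloader, which is the behaviour this commit adds.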