Ticket #963 (closed Defect: fixed)

Opened 5 years ago

Last modified 4 years ago

self-registration process is affected by change in dm4-config plugin / writing to Administration workspace

Reported by: Malte
Owned by: jri
Priority: Major
Milestone: Release 4.8.1
Component: DeepaMehta Standard Distribution
Version: 4.8
Keywords:
Cc: jri, JuergeN
Complexity: 3
Area:
Module:

Description

Is it the case that some config topics during account creation should be assigned to the "Administration" workspace? This should break user self-registration as "Administration" is a confidential workspace and thus a self-registering user has no right to WRITE.

Apr 20, 2016 1:23:22 PM de.deepamehta.thymeleaf.provider.ThymeleafViewProcessor writeTo
INFORMATION: Processing template "/views/sign-up.html" of plugin "DeepaMehta 4 Sign up"
Apr 20, 2016 1:23:34 PM de.deepamehta.accesscontrol.AccessControlPlugin createUserAccount
INFORMATION: Creating user account "tester"
Apr 20, 2016 1:23:34 PM de.deepamehta.config.ConfigPlugin createConfigTopic
INFORMATION: ### Creating config topic of type "dm4.files.disk_quota" for topic 5880
Apr 20, 2016 1:23:34 PM de.deepamehta.workspaces.WorkspacesPlugin workspaceAssignmentIsSuppressed
INFORMATION: Standard workspace assignment for topic 5883 (typeUri="dm4.files.disk_quota", uri="") SUPPRESSED
Apr 20, 2016 1:23:34 PM de.deepamehta.workspaces.WorkspacesPlugin workspaceAssignmentIsSuppressed
INFORMATION: Standard workspace assignment for association 5886 (typeUri="dm4.config.configuration") SUPPRESSED
Apr 20, 2016 1:23:34 PM de.deepamehta.core.util.UniversalExceptionMapper logException
SCHWERWIEGEND: Request "GET /sign-up/handle/tester/-SHA256-56390e23069fa1252aa173b6aa9dd214fbe6e04b88fe2ab2c3ed19e20d84bc00/tester%40test.de" failed. Responding with 401 (Unauthorized). The original exception/error is:
java.lang.RuntimeException: Creating simple user account FAILED!
	at org.deepamehta.plugins.signup.SignupPlugin.createSimpleUserAccount(SignupPlugin.java:420)
	at org.deepamehta.plugins.signup.SignupPlugin.handleSignupRequest(SignupPlugin.java:179)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
	at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
	at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
	at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
	at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
	at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1480)
	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1411)
	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1360)
	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1350)
	at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:339)
	at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:300)
	at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:93)
	at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:50)
	at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:31)
	at org.apache.felix.http.base.internal.dispatch.FilterPipeline.dispatch(FilterPipeline.java:76)
	at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:49)
	at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:67)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
	at org.eclipse.jetty.server.Server.handle(Server.java:370)
	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:971)
	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1033)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: Creating user account "tester" failed
	at de.deepamehta.accesscontrol.AccessControlPlugin.createUserAccount(AccessControlPlugin.java:275)
	at org.deepamehta.plugins.signup.SignupPlugin.createSimpleUserAccount(SignupPlugin.java:379)
	... 52 more
Caused by: java.lang.RuntimeException: Creating topic 5879 failed (typeUri="dm4.accesscontrol.user_account")
	at de.deepamehta.core.impl.PersistenceLayer.createTopic(PersistenceLayer.java:156)
	at de.deepamehta.core.impl.PersistenceLayer.createTopic(PersistenceLayer.java:129)
	at de.deepamehta.core.impl.CoreServiceImpl.createTopic(CoreServiceImpl.java:118)
	at de.deepamehta.core.impl.CoreServiceImpl.createTopic(CoreServiceImpl.java:34)
	at de.deepamehta.accesscontrol.AccessControlPlugin$3.call(AccessControlPlugin.java:242)
	at de.deepamehta.accesscontrol.AccessControlPlugin$3.call(AccessControlPlugin.java:239)
	at de.deepamehta.core.impl.AccessControlImpl.runWithoutWorkspaceAssignment(AccessControlImpl.java:228)
	at de.deepamehta.accesscontrol.AccessControlPlugin.createUserAccount(AccessControlPlugin.java:239)
	... 53 more
Caused by: java.lang.RuntimeException: Storing the child topics of object 5879 failed ({dm4.accesscontrol.password=topic (id=-1, uri="null", typeUri="dm4.accesscontrol.password", value="-SHA256-56390e23069fa1252aa173b6aa9dd214fbe6e04b88fe2ab2c3ed19e20d84bc00", childTopics={}), relating association (id=-1, uri="null", typeUri="null", value="null", childTopics={}, null, null), dm4.accesscontrol.username=topic (id=5880, uri="", typeUri="dm4.accesscontrol.username", value="tester", childTopics={}), relating association (id=-1, uri="null", typeUri="null", value="null", childTopics={}, null, null)})
	at de.deepamehta.core.impl.ValueStorage.storeChildTopics(ValueStorage.java:158)
	at de.deepamehta.core.impl.ValueStorage.storeValue(ValueStorage.java:101)
	at de.deepamehta.core.impl.PersistenceLayer.createTopic(PersistenceLayer.java:141)
	... 60 more
Caused by: java.lang.RuntimeException: Creating topic 5880 failed (typeUri="dm4.accesscontrol.username")
	at de.deepamehta.core.impl.PersistenceLayer.createTopic(PersistenceLayer.java:156)
	at de.deepamehta.core.impl.PersistenceLayer.createTopic(PersistenceLayer.java:129)
	at de.deepamehta.core.impl.ValueStorage.storeChildTopic(ValueStorage.java:168)
	at de.deepamehta.core.impl.ValueStorage.storeChildTopics(ValueStorage.java:144)
	... 62 more
Caused by: java.lang.RuntimeException: An error occurred in the PostCreateTopicListener of plugin "DeepaMehta 4 Config"
	at de.deepamehta.core.impl.EventManager.dispatchEvent(EventManager.java:96)
	at de.deepamehta.core.impl.EventManager.fireEvent(EventManager.java:59)
	at de.deepamehta.core.impl.PersistenceLayer.createTopic(PersistenceLayer.java:153)
	... 65 more
Caused by: java.lang.RuntimeException: Creating config topic of type "dm4.files.disk_quota" for topic 5880 failed
	at de.deepamehta.config.ConfigPlugin.createConfigTopic(ConfigPlugin.java:159)
	at de.deepamehta.config.ConfigPlugin.postCreateTopic(ConfigPlugin.java:128)
	at de.deepamehta.core.impl.CoreEvent$5.dispatch(CoreEvent.java:72)
	at de.deepamehta.core.impl.EventManager.dispatchEvent(EventManager.java:83)
	... 67 more
Caused by: java.lang.RuntimeException: Fetching topic failed (key="uri", value="dm4.workspaces.administration")
	at de.deepamehta.core.impl.PersistenceLayer.getTopicByValue(PersistenceLayer.java:90)
	at de.deepamehta.core.impl.PersistenceLayer.getTopicByUri(PersistenceLayer.java:81)
	at de.deepamehta.core.impl.AccessControlImpl.getWorkspace(AccessControlImpl.java:143)
	at de.deepamehta.core.impl.AccessControlImpl.getAdministrationWorkspaceId(AccessControlImpl.java:159)
	at de.deepamehta.config.ConfigPlugin.assignConfigTopicToWorkspace(ConfigPlugin.java:169)
	at de.deepamehta.config.ConfigPlugin.access$800(ConfigPlugin.java:29)
	at de.deepamehta.config.ConfigPlugin$1.call(ConfigPlugin.java:153)
	at de.deepamehta.config.ConfigPlugin$1.call(ConfigPlugin.java:146)
	at de.deepamehta.core.impl.AccessControlImpl.runWithoutWorkspaceAssignment(AccessControlImpl.java:228)
	at de.deepamehta.config.ConfigPlugin.createConfigTopic(ConfigPlugin.java:146)
	... 70 more
Caused by: de.deepamehta.core.service.accesscontrol.AccessControlException: user <anonymous> has no READ permission for object 3413
	at de.deepamehta.accesscontrol.AccessControlPlugin.checkReadPermission(AccessControlPlugin.java:838)
	at de.deepamehta.accesscontrol.AccessControlPlugin.preGetTopic(AccessControlPlugin.java:463)
	at de.deepamehta.core.impl.CoreEvent$1.dispatch(CoreEvent.java:32)
	at de.deepamehta.core.impl.EventManager.dispatchEvent(EventManager.java:83)
	at de.deepamehta.core.impl.EventManager.fireEvent(EventManager.java:59)
	at de.deepamehta.core.impl.PersistenceLayer.checkReadAccess(PersistenceLayer.java:484)
	at de.deepamehta.core.impl.PersistenceLayer.checkReadAccessAndInstantiate(PersistenceLayer.java:457)
	at de.deepamehta.core.impl.PersistenceLayer.getTopicByValue(PersistenceLayer.java:87)
	... 79 more

Maybe this permission error could be circumvented if the config module uses the privileged acCore.assignToWorkspace() method.

But also the request fails because the administration workspace cannot be fetched in the first place. So, if the administration workspace's URI is known, no fetch should be involved and the privileged method would indeed provide us with a working solution:

acCore.assignToWorkspace(String workspaceUri);

Or what do you think?

Change History

comment:1 Changed 5 years ago by Malte

Two corrections:

  • the new "Administration" workspace is in fact "Collaborative" (and not "Confidential")
  • the acCore.assignToWorkspace(); expects the ID of a workspace (and not the URI)

Sorry for the confusion.

comment:2 Changed 5 years ago by Malte

Then this issue might very well also apply for our planned adaption of the sign-up plugin:

  • Store users' mailboxes in the "Administration" workspace

Which I could not yet implement but which I would expect, by now, to trigger a similar exception since I cannot fetch the workspace in the first place, right?

comment:3 Changed 4 years ago by jri

  • Status changed from new to accepted

comment:4 Changed 4 years ago by Jörg Richter <jri@…>

In 6a70a76149d347a5416bf58d9449d9f2e157c16b/deepamehta:

acCore.getWorkspace() is a privileged call (#963).

As a consequence the assignment of a config topic (e.g. "Disk Quota") to the Administration workspace works for a not-authorized request.

This is required for the DM4 Sign-up plugin.

Thank you, Malte, for reporting!

Please test whether the Sign-up plugin is now working with DM 4.8

See #963.

comment:5 follow-up: ↓ 6 Changed 4 years ago by Malte

BTW: I could get the sign-up plugin to work without your new call but after finding the privileged "acCore.getAdministrationWorkspaceId()" method. Are you sure about adding this "generic workspace" fetcher? OK, thanks, just wanted to let you know.

comment:6 in reply to: ↑ 5 Changed 4 years ago by jri

Replying to Malte:

BTW: I could get the sign-up plugin to work without your new call but after finding the privileged "acCore.getAdministrationWorkspaceId()" method. Are you sure about adding this "generic workspace" fetcher? OK, thanks, just wanted to let you know.

Yes, I'm sure acCore.getWorkspace() must be privileged. Even if you don't call it directly, it will be called indirectly when you create a user account. Namely when the Config service creates the new user's config topics which belong to the Administration workspace.

Note also that acCore.getAdministrationWorkspaceId() relies on acCore.getWorkspace().

See your stacktrace:

at de.deepamehta.core.impl.AccessControlImpl.getWorkspace(AccessControlImpl.java:143)
at de.deepamehta.core.impl.AccessControlImpl.getAdministrationWorkspaceId(AccessControlImpl.java:159)	
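
The point made in comment:6, that the workspace lookup runs indirectly during account creation and therefore has to be privileged, shown as a simplified model added here. It is not DeepaMehta code: every class and method name is hypothetical, and only the workspace URI and object ID 3413 are taken from the stack trace. Returning just the ID from the privileged path is a design choice of this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Simplified model (Java 16+), not DeepaMehta code; all names are hypothetical.
public class PrivilegedLookupDemo {

    static final String ADMIN_WS_URI = "dm4.workspaces.administration"; // URI from the stack trace

    record Workspace(long id, String uri, Set<String> readers) {}

    static final Map<String, Workspace> STORE = new HashMap<>();

    // Permission-checked fetch: the path every ordinary request goes through.
    static Workspace getTopicByUri(String uri, String user) {
        Workspace ws = STORE.get(uri);
        if (ws == null) throw new IllegalArgumentException("no such workspace: " + uri);
        if (!ws.readers().contains(user)) {
            throw new SecurityException(
                "user <" + user + "> has no READ permission for object " + ws.id());
        }
        return ws;
    }

    // Privileged lookup: skips the READ check, but exposes nothing except the ID
    // that a later workspace assignment needs.
    static long getWorkspaceIdPrivileged(String uri) {
        Workspace ws = STORE.get(uri);
        if (ws == null) throw new IllegalArgumentException("no such workspace: " + uri);
        return ws.id();
    }

    // Stands in for the post-create hook that files a config topic during sign-up.
    static long resolveConfigWorkspace(String requestUser, boolean privileged) {
        return privileged ? getWorkspaceIdPrivileged(ADMIN_WS_URI)
                          : getTopicByUri(ADMIN_WS_URI, requestUser).id();
    }

    public static void main(String[] args) {
        // Constructed sample data: only "admin" may read the workspace topic.
        STORE.put(ADMIN_WS_URI, new Workspace(3413, ADMIN_WS_URI, Set.of("admin")));
        try {
            resolveConfigWorkspace("anonymous", false); // sign-up request is not logged in
        } catch (SecurityException e) {
            System.out.println("checked lookup failed: " + e.getMessage());
        }
        System.out.println("privileged lookup: workspace id "
            + resolveConfigWorkspace("anonymous", true));
    }
}
```

The checked fetch still refuses the anonymous user after the change, so the privileged path does not widen READ access to the workspace topic itself.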

comment:7 Changed 4 years ago by Malte

  • Status changed from accepted to closed
  • Resolution set to fixed

Glad that we found out and adapted (see #976, #978), amazing I had completely forgotten about this issue in the matter of just four weeks...

Anyway, I could test it and the self-registration process is not affected anymore. Users' mailboxes end up in the new "Administration" workspace automatically (and can thus be edited by members of this workspace). The new sign-up plugin version compatible with 4.8.1 provides a migration which moves all existing mailboxes from the "System" to "Administration" workspace.
