Gitlab Community Edition Instance

Commit d677cb93 authored by mhellka's avatar mhellka
Browse files

Changed cdstar-proxy-search to support privileged search queries.

Admin users with special permissions should be able to submit privileged
unfiltered searches in the future.
parent d3f0d3e9
Pipeline #116338 passed with stages
in 8 minutes and 1 second
......@@ -45,11 +45,13 @@ The search gateway should accept POST requests at the configured target URL with
| limit | int | User provided limit for results per page. (optional)
| scroll | string | User provided scroll handle. (optional)
| vault | string | Name of the vault this search is performed on.
| principal | string | Principal name (including domain) of the user performing the search. (optional)
| groups | array(string) | List of groups the searching user belongs to. (optional)
| principal | object | Security context for this search request. If missing or None, assume an unauthenticated user.
| principal.name | string | Name (including domain) of the user performing the search. (optional)
| principal.groups | array(string) | List of groups the searching user belongs to. (optional)
| principal.privileged | boolean | If true, assume the user can see all results. (default: false)
|=========
The `q`, `order`, `limit` and `scroll` fields correspond to the (cleaned up) user provided search parameters as defined by the CDSTAR search API. `vault`, `principal` and `groups` are added by CDSTAR. The search target should use `principal` and `groups` to limit search results to entities visible to the logged-in user. If these are not defined, the search should only return public results.
The `q`, `order`, `limit` and `scroll` fields correspond to the (cleaned up) user provided search parameters as defined by the CDSTAR search API. `vault` and `principal` are added by CDSTAR. The search target should limit search results to entities visible to the specified `principal`. If no principal is present (null, missing or empty), the search should only return publicly visible results. If `principal.privileged` is true, the search should not filter by visibility and return all matching results.
.Example Request
[source,json]
......@@ -61,8 +63,11 @@ Content-Type: application/json
"order": ["-score"],
"limit": 100,
"vault": "myVault",
"principal": "alice@realm",
"groups": ["users@realm"]
"principal": {
"name": "alice@realm",
"groups": ["users@realm"],
"privileged": false
}
}
----
......
......@@ -12,6 +12,11 @@ public class JsonQuery {
public String scroll;
public String vault;
public String principal;
public List<String> groups;
public PrincipalInfo principal = new PrincipalInfo();
public static class PrincipalInfo {
public String name;
public List<String> groups;
public boolean privileged;
}
}
......@@ -185,8 +185,8 @@ class ProxySearchProvider implements SearchProvider, Closeable {
// Trusted parameters
queryDoc.vault = q.getVault();
queryDoc.principal = q.getPrincipal();
queryDoc.groups = new ArrayList<>(q.getGroups());
queryDoc.principal.name = q.getPrincipal();
queryDoc.principal.groups = new ArrayList<>(q.getGroups());
return queryDoc;
}
......
......@@ -64,8 +64,8 @@ public class ProxySearchProviderTest {
assertHeader("Accept", "application/json", rs);
assertEquals("q", jq.q);
assertEquals("testP", jq.principal);
assertEquals(Arrays.asList("g1", "g2"), jq.groups);
assertEquals("testP", jq.principal.name);
assertEquals(Arrays.asList("g1", "g2"), jq.principal.groups);
}
......@@ -82,8 +82,8 @@ public class ProxySearchProviderTest {
assertEquals(Arrays.asList("a", "b"), jq.order);
assertEquals("s", jq.scroll);
assertEquals("p", jq.principal);
assertEquals(Arrays.asList("g1", "g2"), jq.groups);
assertEquals("p", jq.principal.name);
assertEquals(Arrays.asList("g1", "g2"), jq.principal.groups);
}
@Test
......@@ -97,8 +97,8 @@ public class ProxySearchProviderTest {
assertEquals(0, jq.limit);
assertNull(jq.order);
assertNull(jq.scroll);
assertNull(jq.principal);
assertNull(jq.groups);
assertNull(jq.principal.name);
assertTrue(jq.principal.groups.isEmpty());
}
@Test
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment