[58] Do not allow renaming non-protected AVU to existing protected AVU.

irods · Feb 19, 2024 · ba1f6d4 · ba1f6d4
1 parent 4f7b7a2
commit ba1f6d4
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 1 deletion.
diff --git a/packaging/test_rule_engine_plugin_metadata_guard.py b/packaging/test_rule_engine_plugin_metadata_guard.py
@@ -287,6 +287,32 @@ def test_plugin_cannot_be_bypassed_with_addw__issue_40(self):
             # Clean up.
             self.rods.assert_icommand(['imeta', 'rm', '-C', root_coll, self.metadata_guard_attribute_name(), json_config])
 
+    def test_plugin_cannot_be_bypassed_via_imeta_mod__issue_58(self):
+        config = IrodsConfig()
+
+        # Set JSON configuration for the root collection.
+        root_coll = os.path.join('/', self.admin.zone_name)
+        json_config = json.dumps({
+            'prefixes': ['irods::'],
+            'admin_only': True
+        })
+        self.rods.assert_icommand(['imeta', 'set', '-C', root_coll, self.metadata_guard_attribute_name(), json_config])
+
+        try:
+            with lib.file_backed_up(config.server_config_path):
+                self.enable_rule_engine_plugin(config)
+
+                self.user.assert_icommand(['imeta', 'add', '-C', self.user.session_collection, 'unprotected::issue58', 'v'])
+                self.user.assert_icommand(['imeta', 'mod', '-C', self.user.session_collection, 'unprotected::issue58', 'v', 'n:irods::issue58'], 'STDERR', ['CAT_INSUFFICIENT_PRIVILEGE_LEVEL'])
+
+                # Same as above, but with units
+                self.user.assert_icommand(['imeta', 'add', '-C', self.user.session_collection, 'unprotected::withunits', 'v', 'u'])
+                self.user.assert_icommand(['imeta', 'mod', '-C', self.user.session_collection, 'unprotected::withunits', 'v', 'u', 'n:irods::withunits'], 'STDERR', ['CAT_INSUFFICIENT_PRIVILEGE_LEVEL'])
+                self.user.assert_icommand(['imeta', 'mod', '-C', self.user.session_collection, 'unprotected::withunits', 'v', 'n:irods::withunits', 'u'], 'STDERR', ['CAT_INSUFFICIENT_PRIVILEGE_LEVEL'])
+        finally:
+            # Clean up.
+            self.rods.assert_icommand(['imeta', 'rm', '-C', root_coll, self.metadata_guard_attribute_name(), json_config])
+
     #
     # Utility Functions
     #

diff --git a/src/main.cpp b/src/main.cpp
@@ -173,10 +173,25 @@ namespace
 			//     {"type": "user",  "name": "jane#otherZone"}
 			//   ]
 			// }
+
+			// Per the API, any of arg5 to arg8 is eligible to be the new attribute
+			// (depending on which one starts with "n:")
+			// However, only one will be considered (multiples will throw CAT_INVALID_ARGUMENT)
+			// Therefore, find the first one that starts with "n:"
+			const auto candidates = {input->arg5, input->arg6, input->arg7, input->arg8};
+			const auto mod_attr_ptr = std::find_if(std::begin(candidates), std::end(candidates), [](char* arg) {
+				return arg && boost::starts_with(arg, "n:");
+			});
+			const char* mod_attr_name = nullptr;
+			if (mod_attr_ptr != std::end(candidates)) {
+				mod_attr_name = (*mod_attr_ptr) + 2;
+			}
 			for (auto&& prefix : config->at("prefixes")) {
 				// If the metadata attribute starts with the prefix, then verify that the user
 				// can modify the metadata attribute.
-				if (boost::starts_with(input->arg3, prefix.get_ref<const std::string&>())) {
+				if (boost::starts_with(input->arg3, prefix.get_ref<const std::string&>()) ||
+				    (mod_attr_name && boost::starts_with(mod_attr_name, prefix.get_ref<const std::string&>())))
+				{
 					// The "admin_only" flag supersedes the "editors" configuration option.
 					const auto& admin_iter = config->find("admin_only");
 					if (admin_iter != config->cend() && admin_iter->get<bool>()) {