[LPS-32200] As a Liferay Marketplace Developer, it should be less time consuming and less error prone to identify and declare necessary PACL declarations - Liferay Issues

Details

Type: Story
Status: Closed
Priority: Critical
Resolution: Completed
Affects Version/s: 6.1.1 CE GA2
Fix Version/s: 6.1.2 CE GA3, 6.1.30 EE GA3, 6.2.0 CE M5
Component/s: Accessibility, Application Security > PACL, Security Vulnerability
Labels:
None

Epic/Theme:
- platform
- release_planning

Description

When developing apps for Liferay's Marketplace, the official docs describe a process like this:

1. Develop app with PACL turned off
2. Turn PACL on
3. Run app, find a PACL error.
4. Try to figure out which PACL stanza will get you past the error. Add it to your liferay-plugin-package.properties
5. Re-deploy app
6. Return to step 3 until no more errors

This is very time consuming and error-prone. As a developer, I'd rather have a way for Liferay to tell me which PACL declarations I need, rather than me doing all the legwork.

See the numerous issues with fleshing out PACL declarations here:

http://www.liferay.com/forums/-/message_boards/message/17489093/maximized
http://www.liferay.com/forums/-/message_boards/message/17329080/maximized
... and others here: http://www.liferay.com/forums/-/message_boards/category/10919228/maximized

Options
- Show All
- Show Open

Sub-Tasks

1.	PACL - Read and track state by enum	Closed	Lawrence Lee
2.	PACL - Expose methods to get specific checkers	Closed	Lawrence Lee
3.	PACL - Rule generation API	Closed	Lawrence Lee
4.	PACL - Implement the rule generation API	Closed	Lawrence Lee
5.	PACL - Generating policy implementation	Closed	Lawrence Lee

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Raymond Auge added a comment - 09/Jan/13 1:17 PM - edited

Here is the proposed workflow based on an early implementation of a PACL Policy Generation tool:

place the plugin into generate mode:
```
 
		security-manager-enabled=generate
```
with no other policy rules in place, the policy for the app will behave as if PACL is enabled (performing expected checks)
however, rather than throwing an error on failed security checks, causing the plugin to fail, the individual checker which caused the failuer will contribute a suggested rule which resolves the failed check
the rules will be collected and writen (on the fly) to a properties file

the default write location is:

		${liferay.home}/pacl-policy/${servletContextName}.policy

the following section was not implemented
1. if the developer specifies the property
  security-manager-generator-dir=/home/user/paclfoo
  then the generated policy file will be writen to that path, e.g.:
  /home/user/paclfoo/${servletContextName}.policy

new rules will be merged with any already existing rules originating from the liferay-plugin-package.properties of the plugin
once the app is completely tested, and all policy rules writen to the generated policy file the developer should copy those and merged them with the liferay-plugin-package.properties file in the originating plugin

revert the property

		security-manager-enabled=generate

to

	
		security-manager-enabled=true

submit the plugin

Show

Raymond Auge added a comment - 09/Jan/13 1:17 PM - edited Here is the proposed workflow based on an early implementation of a PACL Policy Generation tool: place the plugin into generate mode: security-manager-enabled=generate with no other policy rules in place, the policy for the app will behave as if PACL is enabled (performing expected checks) however, rather than throwing an error on failed security checks, causing the plugin to fail, the individual checker which caused the failuer will contribute a suggested rule which resolves the failed check the rules will be collected and writen (on the fly) to a properties file the default write location is: ${liferay.home}/pacl-policy/${servletContextName}.policy the following section was not implemented if the developer specifies the property security-manager-generator-dir=/home/user/paclfoo then the generated policy file will be writen to that path, e.g.: /home/user/paclfoo/${servletContextName}.policy new rules will be merged with any already existing rules originating from the liferay-plugin-package.properties of the plugin once the app is completely tested, and all policy rules writen to the generated policy file the developer should copy those and merged them with the liferay-plugin-package.properties file in the originating plugin revert the property security-manager-enabled=generate to security-manager-enabled= true submit the plugin

Hide

Permalink

Raymond Auge added a comment - 09/Jan/13 1:18 PM

What follows is the policy generated for the sample-service-builder-portlet:

security-manager-expando-bridge=\
    com.liferay.sampleservicebuilder.model.Foo

security-manager-files-read=\
    ./service-ext.properties,\
    /home/rotty/global-configuration.properties,\
    /home/rotty/service-ext.properties,\
    global-configuration.properties

security-manager-get-bean-property=\
    com.liferay.portal.kernel.dao.orm.EntityCacheUtil,\
    com.liferay.portal.kernel.dao.orm.FinderCacheUtil,\
    com.liferay.portal.kernel.spring.util.SpringFactoryUtil,\
    com.liferay.portal.kernel.util.FastDateFormatFactoryUtil,\
    com.liferay.portal.kernel.util.InfrastructureUtil#dataSource,\
    com.liferay.portal.kernel.util.InfrastructureUtil#dynamicDataSourceTargetSource,\
    com.liferay.portal.kernel.util.InfrastructureUtil#transactionManager,\
    com.liferay.portal.kernel.util.PropsUtil,\
    com.liferay.portal.kernel.uuid.PortalUUIDUtil,\
    com.liferay.portal.util.PortalUtil,\
    com.liferay.portlet.expando.util.ExpandoBridgeFactoryUtil

security-manager-services[portal]=\
    com.liferay.counter.service.CounterLocalService#increment,\
    com.liferay.portal.service.GroupLocalService#getGroup,\
    com.liferay.portal.service.LayoutLocalService#getLayout,\
    com.liferay.portal.service.LayoutSetLocalService#getLayoutSet,\
    com.liferay.portal.service.ResourceActionLocalService#getResourceAction,\
    com.liferay.portal.service.ResourceBlockLocalService#isSupported,\
    com.liferay.portal.service.ResourceLocalService#addResources,\
    com.liferay.portal.service.ResourcePermissionLocalService#setOwnerResourcePermissions,\
    com.liferay.portal.service.ResourcePermissionLocalService#setResourcePermissions,\
    com.liferay.portal.service.RoleLocalService#getDefaultGroupRole,\
    com.liferay.portal.service.UserLocalService#getUserById,\
    com.liferay.portal.service.persistence.UserPersistence#findByPrimaryKey,\
    com.liferay.portlet.asset.service.AssetEntryLocalService#deleteEntry,\
    com.liferay.portlet.asset.service.AssetEntryLocalService#updateEntry,\
    com.liferay.portlet.asset.service.AssetLinkLocalService#deleteLinks,\
    com.liferay.portlet.asset.service.AssetTagLocalService#addTag,\
    com.liferay.portlet.asset.service.AssetTagLocalService#getTag,\
    com.liferay.portlet.asset.service.AssetTagLocalService#incrementAssetCount,\
    com.liferay.portlet.asset.service.AssetTagStatsLocalService#addTagStats,\
    com.liferay.portlet.asset.service.AssetTagStatsLocalService#updateTagStats,\
    com.liferay.portlet.social.service.SocialActivityCounterLocalService#deleteActivityCounters,\
    com.liferay.portlet.social.service.SocialActivityLocalService#deleteActivities,\
    com.liferay.portlet.social.service.SocialActivitySettingLocalService#deleteActivitySetting

security-manager-sql-tables-insert=\
    AssetEntries_AssetTags,\
    AssetTag,\
    AssetTagStats,\
    ResourcePermission

security-manager-sql-tables-select=\
    AssetEntries_AssetTags,\
    AssetEntry,\
    AssetTag,\
    AssetTagStats,\
    ResourcePermission,\
    SSB_Foo

security-manager-sql-tables-update=\
    AssetEntry,\
    AssetTag,\
    AssetTagStats,\
    SSB_Foo

Show

Raymond Auge added a comment - 09/Jan/13 1:18 PM What follows is the policy generated for the sample-service-builder-portlet: security-manager-expando-bridge=\ com.liferay.sampleservicebuilder.model.Foo security-manager-files-read=\ ./service-ext.properties,\ /home/rotty/global-configuration.properties,\ /home/rotty/service-ext.properties,\ global-configuration.properties security-manager-get-bean-property=\ com.liferay.portal.kernel.dao.orm.EntityCacheUtil,\ com.liferay.portal.kernel.dao.orm.FinderCacheUtil,\ com.liferay.portal.kernel.spring.util.SpringFactoryUtil,\ com.liferay.portal.kernel.util.FastDateFormatFactoryUtil,\ com.liferay.portal.kernel.util.InfrastructureUtil#dataSource,\ com.liferay.portal.kernel.util.InfrastructureUtil#dynamicDataSourceTargetSource,\ com.liferay.portal.kernel.util.InfrastructureUtil#transactionManager,\ com.liferay.portal.kernel.util.PropsUtil,\ com.liferay.portal.kernel.uuid.PortalUUIDUtil,\ com.liferay.portal.util.PortalUtil,\ com.liferay.portlet.expando.util.ExpandoBridgeFactoryUtil security-manager-services[portal]=\ com.liferay.counter.service.CounterLocalService#increment,\ com.liferay.portal.service.GroupLocalService#getGroup,\ com.liferay.portal.service.LayoutLocalService#getLayout,\ com.liferay.portal.service.LayoutSetLocalService#getLayoutSet,\ com.liferay.portal.service.ResourceActionLocalService#getResourceAction,\ com.liferay.portal.service.ResourceBlockLocalService#isSupported,\ com.liferay.portal.service.ResourceLocalService#addResources,\ com.liferay.portal.service.ResourcePermissionLocalService#setOwnerResourcePermissions,\ com.liferay.portal.service.ResourcePermissionLocalService#setResourcePermissions,\ com.liferay.portal.service.RoleLocalService#getDefaultGroupRole,\ com.liferay.portal.service.UserLocalService#getUserById,\ com.liferay.portal.service.persistence.UserPersistence#findByPrimaryKey,\ com.liferay.portlet.asset.service.AssetEntryLocalService#deleteEntry,\ com.liferay.portlet.asset.service.AssetEntryLocalService#updateEntry,\ com.liferay.portlet.asset.service.AssetLinkLocalService#deleteLinks,\ com.liferay.portlet.asset.service.AssetTagLocalService#addTag,\ com.liferay.portlet.asset.service.AssetTagLocalService#getTag,\ com.liferay.portlet.asset.service.AssetTagLocalService#incrementAssetCount,\ com.liferay.portlet.asset.service.AssetTagStatsLocalService#addTagStats,\ com.liferay.portlet.asset.service.AssetTagStatsLocalService#updateTagStats,\ com.liferay.portlet.social.service.SocialActivityCounterLocalService#deleteActivityCounters,\ com.liferay.portlet.social.service.SocialActivityLocalService#deleteActivities,\ com.liferay.portlet.social.service.SocialActivitySettingLocalService#deleteActivitySetting security-manager-sql-tables-insert=\ AssetEntries_AssetTags,\ AssetTag,\ AssetTagStats,\ ResourcePermission security-manager-sql-tables-select=\ AssetEntries_AssetTags,\ AssetEntry,\ AssetTag,\ AssetTagStats,\ ResourcePermission,\ SSB_Foo security-manager-sql-tables-update=\ AssetEntry,\ AssetTag,\ AssetTagStats,\ SSB_Foo

Hide

Permalink

Raymond Auge added a comment - 09/Jan/13 1:21 PM

One caveat is that generated file system paths will be system dependent and will have to be made system indepented by the developer using the variety of variables available (see listing here: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/security/pacl/checker/FileChecker.java#L90 )

Show

Raymond Auge added a comment - 09/Jan/13 1:21 PM One caveat is that generated file system paths will be system dependent and will have to be made system indepented by the developer using the variety of variables available (see listing here: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/security/pacl/checker/FileChecker.java#L90 )

Hide

Permalink

Raymond Auge added a comment - 10/May/13 1:55 PM

The security-manager-generator-dir= property was not implemented in the final version.

Show

Raymond Auge added a comment - 10/May/13 1:55 PM The security-manager-generator-dir= property was not implemented in the final version.

As a Liferay Marketplace Developer, it should be less time consuming and less error prone to identify and declare necessary PACL declarations

Details

Description

Sub-Tasks

Activity

People

Dates

Development

Agile

Subcomponents