Permissions for groups - bug report and patch
I submit a bug report+patch here because I could not find out how to get a JIRA account.
We encountered an exception while trying to remove a permission associated with a group. The issue is related to the group ID format, which includes “:” characters that conflict with Nuxeo's ACE format, which also uses “:” as a separator.
The exception we get while trying to remove permissions for group “ur1:dsi:snum:groupes:groupe2”:
chain
Name: Document.RemovePermission
Exception: OperationException
Caught error: Failed to invoke operation Document.RemovePermission
Caused by: java.lang.NumberFormatException: For input string: “groupe2”
Hierarchy calls
org.nuxeo.ecm.automation.core.operations.document.RemovePermission
at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:232)
at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:115)
at org.nuxeo.ecm.automation.server.jaxrs.OperationResource.execute(OperationResource.java:51)
at org.nuxeo.ecm.automation.server.jaxrs.ExecutableResource.doPost(ExecutableResource.java:61)
… 88 more
Caused by: org.nuxeo.ecm.automation.OperationException: Failed to invoke operation Document.RemovePermission
at org.nuxeo.ecm.automation.core.impl.InvokableMethod.invoke(InvokableMethod.java:182)
at org.nuxeo.ecm.automation.core.impl.CompiledChainImpl.doInvoke(CompiledChainImpl.java:128)
at org.nuxeo.ecm.automation.core.impl.CompiledChainImpl.invoke(CompiledChainImpl.java:114)
at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:208)
… 91 more
Caused by: java.lang.NumberFormatException: For input string: “groupe2”
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Long.parseLong(Long.java:589)
at java.lang.Long.valueOf(Long.java:803)
at org.nuxeo.ecm.core.api.security.ACE.fromId(ACE.java:82)
at org.nuxeo.ecm.automation.core.operations.document.RemovePermission.removePermission(RemovePermission.java:83)
at org.nuxeo.ecm.automation.core.operations.document.RemovePermission.run(RemovePermission.java:61)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.nuxeo.ecm.automation.core.impl.InvokableMethod.doInvoke(InvokableMethod.java:164)
at org.nuxeo.ecm.automation.core.impl.InvokableMethod.invoke(InvokableMethod.java:170)
… 94 more
Attached is a patch that preserves the groupId within an ACE; the aceId is analyzed using a regular expression instead of split().
Thank you for your quick answer. I will submit a pull request for this.
Regarding the relevance of this proposal, I forgot to mention that our Nuxeo platform is configured to use external users and groups defined in our LDAP directory. This type of group ID was correctly supported with Nuxeo 5.8 and we can't afford to change our group naming schema because it would have consequences for all LDAP-consuming apps.
Note also that the proposed code change does not break the ACE format logic; it just makes the ACE parser more precise and therefore more robust to unexpected username/group ID formats.
Regards
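The difference between positional split() parsing and a regular expression anchored on the trailing fields, as an added example that is not part of the original post, the attached patch, or Nuxeo's code. The six-field layout `principal:permission:granted:creator:begin:end`, the class and method names, and the sample id are assumptions made for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Illustration only (Java 16+ for records); names and field layout are assumptions.
public class AceIdParsing {
    // Assumed layout: principal:permission:granted:creator:begin:end
    // Only the principal may contain ':'; the five trailing fields may not.
    private static final Pattern ACE_ID = Pattern.compile(
            "^(.+):([^:]+):(true|false):([^:]*):(\\d*):(\\d*)$");

    record Ace(String principal, String permission, boolean granted,
               String creator, Long begin, Long end) {}

    static Long toLong(String s) {
        return s.isEmpty() ? null : Long.valueOf(s);
    }

    // Positional parser: every ':' inside the principal shifts the later fields.
    static Ace parseWithSplit(String id) {
        String[] p = id.split(":", -1); // -1 keeps trailing empty fields
        if (p.length < 6) {
            throw new IllegalArgumentException("Malformed ACE id: " + id);
        }
        return new Ace(p[0], p[1], Boolean.parseBoolean(p[2]), p[3],
                toLong(p[4]), toLong(p[5]));
    }

    // Anchored parser: fixed fields are matched from the right, the principal
    // takes whatever remains. Anything that does not match is rejected, so a
    // malformed id never resolves to a different principal.
    static Ace parseWithRegex(String id) {
        Matcher m = ACE_ID.matcher(id);
        if (!m.matches()) {
            throw new IllegalArgumentException("Malformed ACE id: " + id);
        }
        return new Ace(m.group(1), m.group(2), Boolean.parseBoolean(m.group(3)),
                m.group(4), toLong(m.group(5)), toLong(m.group(6)));
    }

    public static void main(String[] args) {
        // Constructed sample id using the group name from the report.
        String id = "ur1:dsi:snum:groupes:groupe2:Read:true:Administrator::";
        try {
            parseWithSplit(id);
        } catch (NumberFormatException e) {
            System.out.println("split(): " + e.getMessage());
        }
        System.out.println("regex:   " + parseWithRegex(id));
    }
}
```

With split(), the fifth token is “groupe2”, which is handed to Long.valueOf and fails as in the trace above; the anchored pattern returns the full group ID as the principal.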
https://github.com/nuxeo/nuxeo-platform-shibboleth-groups-web/blob/master/src/main/resources/OSGI-INF/shibboleth-groups-service-contrib.xml