Skip to content

ACL can't be owned by a GrantedAuthoritySid #9425

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bberto opened this issue Feb 10, 2021 · 5 comments
Closed

ACL can't be owned by a GrantedAuthoritySid #9425

bberto opened this issue Feb 10, 2021 · 5 comments
Assignees
@jgrandja
Labels
in: acl An issue in spring-security-acl type: enhancement A general enhancement
Milestone
5.5.0-M3

Comments

@bberto
Copy link
Contributor

bberto commented Feb 10, 2021

Describe the bug
ACL can't be owned by a GrantedAuthoritySid

To Reproduce
As user with a role named TEST, after successfully changing an ACL ownership in this way:

acl.setOwner(new GrantedAuthoritySid("ROLE_TEST"));
aclService.updateAcl(acl);

I can't perform further modifications to the ACL (eg. changing back the ownership to me).

see:
https://github.com/spring-projects/spring-security/blob/master/acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java#L92

Expected behavior
Any user with ROLE_TEST granted authority should be able to change the ACL.
@bberto bberto added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Feb 10, 2021
@jgrandja
Copy link
Contributor

@bberto I'm trying to understand the issue but it's not clear at the moment. Can you put together a test that demonstrates the issue and another test that you would expect to pass.

@jgrandja jgrandja added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 11, 2021
bberto added a commit to bberto/spring-security that referenced this issue Feb 12, 2021
@bberto
Allow ACL to be owned by GrantedAuthoritySid
44f0ad7 
Closes spring-projectsgh-9425
@bberto bberto mentioned this issue Feb 12, 2021
Closed
@bberto
Copy link
Contributor Author

bberto commented Feb 12, 2021

@jgrandja I created a pull request including the test and a proposed fix

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Feb 12, 2021
@jgrandja
Copy link
Contributor

@bberto Thank you for providing the PR to demonstrate your use case.

The sample code you provided:

acl.setOwner(new GrantedAuthoritySid("ROLE_TEST"))

is not correct from a logical entity relationship viewpoint.

An Acl is an entity and so is the Acl.getOwner(). A Principal is an entity, which owns an Acl.
However, a GrantedAuthority is an attribute of a Principal and NOT an entity representation.
Therefore, an Acl cannot be owned by a GrantedAuthoritySid since it's an attribute representation and NOT an entity - only an entity can own an Acl.

Hope this makes sense?

Based on this, I'm going to close this issue and associated PR.

@jgrandja jgrandja self-assigned this Feb 23, 2021
@jgrandja jgrandja added in: acl An issue in spring-security-acl status: invalid An issue that we don't feel is valid and removed status: feedback-provided Feedback has been provided type: bug A general bug labels Feb 23, 2021
@bberto
Copy link
Contributor Author

bberto commented Feb 25, 2021
edited
Loading

Your explanation is reasonable. But, reading documentation, seems that Acl is not owned by a Principal but by a Sid:

Sid: The ACL module needs to refer to principals and GrantedAuthority[] s. A level of indirection is provided by the Sid interface, which is an abbreviation of "security identity". Common classes include PrincipalSid (to represent the principal inside an Authentication object) and GrantedAuthoritySid

ACL_SID allows us to uniquely identify any principal or authority in the system ("SID" stands for "security identity")
[...]
ACL_OBJECT_IDENTITY stores information for each unique domain object instance in the system. Columns include [...] a foreign key to the ACL_SID table to represent the owner of the domain object instance

I think that, if only a Principal can own an Acl, this should be enforced in the API. At the moment I can perform the provided code:
acl.setOwner(new GrantedAuthoritySid("ROLE_TEST"));
but this bring to an "invalid" ownership and after that I can't perform further changes.

My PR allow to correctly manage Acl after this assignment. Otherwise I think that setOwner method (and documentation) should be reviewed.

@jgrandja
Copy link
Contributor

jgrandja commented Mar 8, 2021

@bberto You have a valid point. I spoke to @rwinch about this and we're going to go ahead with the PR. I'll re-open and re-review.

@jgrandja jgrandja reopened this Mar 8, 2021
@jgrandja jgrandja added type: enhancement A general enhancement and removed status: invalid An issue that we don't feel is valid labels Mar 8, 2021
@jgrandja jgrandja added this to the 5.5.0-M3 milestone Mar 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jgrandja jgrandja

Labels
in: acl An issue in spring-security-acl type: enhancement A general enhancement
Projects
None yet
Milestone
5.5.0-M3
Development

Successfully merging a pull request may close this issue.

Allow ACL to be owned by GrantedAuthoritySid bberto/spring-security
3 participants
@bberto @jgrandja @spring-projects-issues