IGNITE-20543 Wrap CacheStore creation to sandbox (#10971)

apache · Oct 4, 2023 · a675109 · a675109
1 parent 1c20202
commit a675109
Show file tree

Hide file tree

Showing 4 changed files with 130 additions and 4 deletions.
diff --git a/...es/core/src/main/java/org/apache/ignite/internal/processors/cache/GridCacheProcessor.java b/...es/core/src/main/java/org/apache/ignite/internal/processors/cache/GridCacheProcessor.java
@@ -153,6 +153,7 @@
 import org.apache.ignite.internal.processors.query.schema.message.SchemaAbstractDiscoveryMessage;
 import org.apache.ignite.internal.processors.query.schema.message.SchemaProposeDiscoveryMessage;
 import org.apache.ignite.internal.processors.security.IgniteSecurity;
+import org.apache.ignite.internal.processors.security.sandbox.IgniteSandbox;
 import org.apache.ignite.internal.suggestions.GridPerformanceSuggestions;
 import org.apache.ignite.internal.util.F0;
 import org.apache.ignite.internal.util.IgniteCollectors;
@@ -1221,7 +1222,14 @@ private void onKernalStop(GridCacheAdapter<?, ?> cache, boolean cancel) {
         else
             prepare(cfg, cfg.getCacheStoreFactory(), false);
 
-        CacheStore cfgStore = cfg.getCacheStoreFactory() != null ? cfg.getCacheStoreFactory().create() : null;
+        CacheStore cfgStore = null;
+
+        if (cfg.getCacheStoreFactory() != null) {
+            IgniteSandbox sandbox = ctx.security().sandbox();
+
+            cfgStore = sandbox.enabled() ?
+                sandbox.execute(() -> cfg.getCacheStoreFactory().create()) : cfg.getCacheStoreFactory().create();
+        }
 
         ValidationOnNodeJoinUtils.validate(ctx.config(), cfg, desc.cacheType(), cfgStore, ctx, log, (x, y) -> {
             try {
@@ -1280,11 +1288,14 @@ private void onKernalStop(GridCacheAdapter<?, ?> cache, boolean cancel) {
 
         if (cfgStore == null)
             storeMgr.initialize(cfgStore, sesHolders);
-        else
+        else {
+            final CacheStore cfgStoreRef = cfgStore;
+
             initializationProtector.protect(
                 cfgStore,
-                () -> storeMgr.initialize(cfgStore, sesHolders)
+                () -> storeMgr.initialize(cfgStoreRef, sesHolders)
             );
+        }
 
         GridCacheContext<?, ?> cacheCtx = new GridCacheContext(
             ctx,

diff --git a/...test/java/org/apache/ignite/internal/processors/security/sandbox/AbstractSandboxTest.java b/...test/java/org/apache/ignite/internal/processors/security/sandbox/AbstractSandboxTest.java
@@ -58,7 +58,7 @@ public abstract class AbstractSandboxTest extends AbstractSecurityTest {
     protected static final String CLNT_FORBIDDEN_WRITE_PROP = "clnt_forbidden";
 
     /** Test property name. */
-    private static final String PROP_NAME = "test.sandbox.property";
+    protected static final String PROP_NAME = "test.sandbox.property";
 
     /** Test property value. */
     private static final String PROP_VALUE = "propertyValue";

diff --git a/.../org/apache/ignite/internal/processors/security/sandbox/CacheStoreFactorySandboxTest.java b/.../org/apache/ignite/internal/processors/security/sandbox/CacheStoreFactorySandboxTest.java
@@ -0,0 +1,113 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.security.sandbox;
+
+import java.security.AccessControlException;
+import java.security.Permissions;
+import java.util.PropertyPermission;
+import javax.cache.CacheException;
+import org.apache.ignite.IgniteCache;
+import org.apache.ignite.configuration.CacheConfiguration;
+import org.apache.ignite.configuration.IgniteConfiguration;
+import org.apache.ignite.internal.IgniteEx;
+import org.junit.Test;
+
+import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALL_PERMISSIONS;
+
+/** */
+public class CacheStoreFactorySandboxTest extends AbstractSandboxTest {
+    /** */
+    private static final String SRV_FORBIDDEN = "srv_forbidden";
+
+    /** */
+    private boolean staticCache;
+
+    /** */
+    private static Permissions sandboxPerm;
+
+    /** {@inheritDoc} */
+    @Override protected IgniteConfiguration getConfiguration(String instanceName) throws Exception {
+        IgniteConfiguration cfg = super.getConfiguration(instanceName);
+
+        if (staticCache)
+            cfg.setCacheConfiguration(cacheConfiguration());
+
+        return cfg;
+    }
+
+    /** {@inheritDoc} */
+    @Override protected void prepareCluster() {
+        Permissions perms = new Permissions();
+
+        perms.add(new PropertyPermission(PROP_NAME, "write"));
+
+        sandboxPerm = perms;
+    }
+
+    /** */
+    @Test
+    public void testStaticCacheStoreFactory() {
+        staticCache = true;
+
+        runForbiddenOperation(() ->
+            startGrid(SRV_FORBIDDEN, ALL_PERMISSIONS, false),
+            AccessControlException.class);
+
+        runOperation(() -> {
+            try (IgniteEx ign = startGrid(SRV_FORBIDDEN, ALL_PERMISSIONS, sandboxPerm, false)) {
+                ign.cache(DEFAULT_CACHE_NAME).put(0, 0);
+            }
+            catch (Exception e) {
+                assert false : e;
+            }
+        });
+    }
+
+    /** */
+    @Test
+    public void testDynamicCacheStoreFactory() throws Exception {
+        staticCache = false;
+
+        try (IgniteEx ign = startGrid("srv_forbidden", ALL_PERMISSIONS, false)) {
+            runForbiddenOperation(() -> ign.createCache(cacheConfiguration()), AccessControlException.class);
+        }
+
+        try (IgniteEx ign = startGrid("srv_forbidden", ALL_PERMISSIONS, sandboxPerm, false)) {
+            runOperation(() -> {
+                try {
+                    IgniteCache<Integer, Integer> c = ign.createCache(cacheConfiguration());
+
+                    c.put(0, 0);
+                }
+                catch (CacheException e) {
+                    assert false : e;
+                }
+            });
+        }
+    }
+
+    /** */
+    private CacheConfiguration<Integer, Integer> cacheConfiguration() {
+        return new CacheConfiguration<Integer, Integer>(DEFAULT_CACHE_NAME)
+            .setCacheStoreFactory(() -> {
+                controlAction();
+
+                return null;
+            });
+    }
+}
diff --git a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
@@ -53,6 +53,7 @@
 import org.apache.ignite.internal.processors.security.messaging.MessagingRemoteSecurityContextCheckTest;
 import org.apache.ignite.internal.processors.security.sandbox.AccessToClassesInsideInternalPackageTest;
 import org.apache.ignite.internal.processors.security.sandbox.CacheSandboxTest;
+import org.apache.ignite.internal.processors.security.sandbox.CacheStoreFactorySandboxTest;
 import org.apache.ignite.internal.processors.security.sandbox.ComputeSandboxTest;
 import org.apache.ignite.internal.processors.security.sandbox.ContinuousQuerySandboxTest;
 import org.apache.ignite.internal.processors.security.sandbox.ContinuousQueryWithTransformerSandboxTest;
@@ -129,6 +130,7 @@
     EventsSandboxTest.class,
     PrivilegedProxyTest.class,
     SchedulerSandboxTest.class,
+    CacheStoreFactorySandboxTest.class,
 
     IgniteSecurityProcessorTest.class,
     MultipleSSLContextsTest.class,