Dev - Nexus Repo
NEXUS-31501

Unused Content Selectors and duplicate permissions are used for the permission check

    Details

    • Story Points:
      2
    • Sprint:
      NXRM Immortals Sprint 30, NXRM Immortals Sprint 31
    • Notability:
      3
    • InvestmentLayer:
      support-escalated
    • Aha Concept:
      non-concept

      Description

      SYMPTOM:

      Noticed Search API slowness on a Nexus instance which has many content selectors / roles / privileges.

      REPRODUCE STEPS:

      1. Upload a component into maven-snapshots (eg: com.example:my-app:1.0-SNAPSHOT)
      2. Create three content selectors: test1, test2, test3, each with just path =~ ".*"
      3. Create one privilege "test-csel-priv" with the above "test1" selector, All Repositories and "*" actions
      4. Create a test user (eg: testuser)
      5. Create a test role (eg: testRole) with "nx-search-read" and "test-csel-priv"
      6. Enable TRACE logging for "org.sonatype.nexus.security.SecurityHelper"
      7. Search for the uploaded component, for example:
         curl -D- -u "testuser:testuser" "http://localhost:8081/service/rest/v1/search/assets?repository=maven-snapshots&group=com.example&name=my-app"

      EXPECTED BEHAVIOUR:

      For the above search, Nexus should check the permissions for "maven-snapshots" and for the "test1" content selector.

      ACTUAL BEHAVIOUR:

      • The TRACE log shows it checked 112 permissions:
        $ rg "Checking if subject .+\[([^\]]+)" -o -r '$1' qtp325515609-763.log | tr ',' '\n' | wc -l
        112
        
      • Also, it somehow includes test2 and test3:
        $ rg -w test2 -c qtp325515609-763.log
        28
        $ rg -w test3 -c qtp325515609-763.log
        28
        
      • Also, most of them are duplicates (so probably checking 4 permissions would be enough?):
        $ rg "Checking if subject .+\[([^\]]+)" -o -r '$1' qtp325515609-763.log | tr ',' '\n' | sort | uniq | wc -l
        8
        $ rg "Checking if subject .+\[([^\]]+)" -o -r '$1' qtp325515609-763.log | tr ',' '\n' | sort | uniq | rg -v 'test[23]' | wc -l
        4
        

      NOTE: If one permission returns true, remaining permissions in the same set won't be checked.
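The rg one-liners in the report count checked, unique and selector-related permissions by hand. The script below is an added example (not code from the report or from Nexus) that does the same analysis over a TRACE log in one pass and additionally flags content selectors that appear in the checks but are not used by any of the user's privileges. It assumes the log shape the report's rg pattern relies on (a "Checking if subject" line ending in a bracketed, comma-separated permission list) and the "nexus:repository-content-selector:<selector>:..." naming for selector permissions; the sample log lines are constructed, not captured from a real instance.

```python
import re
from collections import Counter

# Constructed sample TRACE output (not captured from a real Nexus instance).
# Assumptions: each permission check is logged on one line containing
# "Checking if subject" followed by a bracketed, comma-separated permission
# list, which is the shape the report's rg pattern relies on; the permission
# string layout follows Nexus's "nexus:repository-view:..." and
# "nexus:repository-content-selector:<selector>:..." naming.
SAMPLE_LOG = """\
TRACE [qtp-1] SecurityHelper - Checking if subject 'testuser' has ANY of these permissions: [nexus:repository-view:maven2:maven-snapshots:browse, nexus:repository-content-selector:test1:maven2:maven-snapshots:browse, nexus:repository-content-selector:test2:maven2:maven-snapshots:browse, nexus:repository-content-selector:test3:maven2:maven-snapshots:browse]
TRACE [qtp-1] SecurityHelper - Checking if subject 'testuser' has ANY of these permissions: [nexus:repository-view:maven2:maven-snapshots:browse, nexus:repository-content-selector:test1:maven2:maven-snapshots:browse, nexus:repository-content-selector:test2:maven2:maven-snapshots:browse, nexus:repository-content-selector:test3:maven2:maven-snapshots:browse]
TRACE [qtp-1] SecurityHelper - Subject 'testuser' is permitted (unrelated line, must be ignored)
TRACE [qtp-1] SecurityHelper - Checking if subject 'testuser' has ANY of these permissions: [nexus:repository-view:maven2:maven-snapshots:read, nexus:repository-content-selector:test1:maven2:maven-snapshots:read, nexus:repository-content-selector:test2:maven2:maven-snapshots:read, nexus:repository-content-selector:test3:maven2:maven-snapshots:read]
TRACE [qtp-1] SecurityHelper - Checking if subject 'testuser' has ANY of these permissions: [nexus:repository-view:maven2:maven-snapshots:read, nexus:repository-content-selector:test1:maven2:maven-snapshots:read, nexus:repository-content-selector:test2:maven2:maven-snapshots:read, nexus:repository-content-selector:test3:maven2:maven-snapshots:read]
"""

# Same capture as the report's rg pattern, anchored to the closing bracket.
CHECK_RE = re.compile(r"Checking if subject .+?\[([^\]]+)\]")
# Pulls the selector name out of a content-selector permission (assumed layout).
SELECTOR_RE = re.compile(r"repository-content-selector:([^:]+):")


def parse_checks(log_text):
    """Return one list of permission strings per 'Checking if subject' line."""
    checks = []
    for line in log_text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            checks.append([p.strip() for p in m.group(1).split(",") if p.strip()])
    return checks


def selector_of(permission):
    """Selector name referenced by a permission string, or None."""
    m = SELECTOR_RE.search(permission)
    return m.group(1) if m else None


def summarize(checks, granted_selectors):
    """Compare what was checked against the selectors the user's privileges use."""
    flat = [p for check in checks for p in check]
    counts = Counter(flat)
    selector_mentions = Counter(s for s in map(selector_of, flat) if s)
    unexpected = sorted(s for s in selector_mentions if s not in granted_selectors)
    # Permissions that remain once selectors not granted to the user are dropped:
    # the set a minimal check would need to cover.
    relevant = {p for p in counts if selector_of(p) not in unexpected}
    return {
        "checks": len(checks),
        "permissions_checked": len(flat),
        "unique_permissions": len(counts),
        "selector_mentions": dict(selector_mentions),
        "unexpected_selectors": unexpected,
        "unique_relevant_permissions": len(relevant),
    }


if __name__ == "__main__":
    # testuser's only selector privilege uses "test1", as in the reproduce steps.
    for key, value in summarize(parse_checks(SAMPLE_LOG), {"test1"}).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports 16 permissions checked across 4 checks, 8 unique, and only 4 once the test2/test3 permissions (selectors no privilege of the user references) are removed, the same shape as the 112 / 8 / 4 figures in the report. To run it on a real capture, replace SAMPLE_LOG with the contents of the qtp log file and pass the set of selectors actually used by the user's privileges.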

              People

              Assignee:
              mpiggott Matthew Piggott
              Reporter:
              hosako Hajime Osako
              Last Updated By:
              Hardeep Nagra
              Team:
              NXRM - Optimus
              Votes:
              0
              Watchers:
              10
