HPCC-30111 Look up internal file scope name

Previously, "hpccinternal::" was hardcoded. Signed-off-by: Dan S. Camper <[email protected]>
hpcc-systems · Aug 17, 2023 · e9d94de · e9d94de
1 parent 9e51f66
commit e9d94de
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/system/security/plugins/jwtSecurity/jwtSecurity.cpp b/system/security/plugins/jwtSecurity/jwtSecurity.cpp
@@ -125,6 +125,10 @@ class CJwtSecurityManager : implements IDaliLdapConnection, public CBaseSecurity
 
         if (secretsName.empty())
             throw makeStringException(-1, "CJwtSecurityManager: secretsName not found in configuration");
+
+        // Grab a copy of the name of the internal file scope
+        hpccInternalScope = queryDfsXmlBranchName(DXB_Internal);
+        hpccInternalScope += "::";
     }
 
     virtual ~CJwtSecurityManager()
@@ -794,10 +798,16 @@ class CJwtSecurityManager : implements IDaliLdapConnection, public CBaseSecurity
                     {
                         // Scope hpccinternal::<username> always has full access for their own scope, but
                         // explicitly denied when attempting to access someone else's
-                        // hpccinternal::<username> scope
-                        if (resourceName && strncmp(resourceName, "hpccinternal::", 14) == 0)
+                        // hpccinternal::<username> scope; note that resourceName may contain more
+                        // scope levels
+                        if (startsWithIgnoreCase(resourceName, hpccInternalScope.c_str()))
                         {
-                            if (strisame(&resourceName[14], user.getName()))
+                            // Extract the username provided in the resourceName
+                            StringBuffer rezUserName;
+                            for (const char * p = &resourceName[hpccInternalScope.length()]; *p && *p != ':'; p++)
+                                rezUserName.append(*p);
+
+                            if (strisame(rezUserName.str(), user.getName()))
                                 accessFlag = SecAccess_Full;
                             else
                                 accessFlag = SecAccess_None;
@@ -1059,6 +1069,7 @@ class CJwtSecurityManager : implements IDaliLdapConnection, public CBaseSecurity
     std::string                 keyContents;                //!< Contents of secret key; @see ensureKeyLoaded()
     bool                        keyIsPublicKey;             //!< True if keyContents contains a public key, false otherwise
     CDALIKVStore                daliStore;                  //!< Handle to Dali's key/value store (external token cache)
+    std::string                 hpccInternalScope;          //!< File scope used by the cluster for interim results
     static const SecFeatureSet  implementedFeaturesMask = SMF_Authorize
                                                             | SMF_AuthorizeEx_Named
                                                             | SMF_AuthorizeFileScope_List