Update application.conf

Changed Flag to shared-packages-execute-only with default value set to false.

Author: bkemburu

common/scala/src/main/resources/application.conf

@@ -99,7 +99,7 @@ kamon {
 }
 
 whisk {
-    #packages-execute-only = true
+    shared-packages-execute-only = false
     metrics {
         # Enable/disable Prometheus support. If enabled then metrics would be exposed at `/metrics` endpoint
         # If Prometheus is enabled then please review `kamon.metric.tick-interval` (set to 1 sec by default above).

common/scala/src/main/scala/org/apache/openwhisk/core/WhiskConfig.scala

@@ -273,4 +273,4 @@ object ConfigKeys {
   val apacheClientConfig = "whisk.apache-client"
 
   val parameterStorage = "whisk.parameter-storage"
-}
+}

common/scala/src/main/scala/org/apache/openwhisk/http/ErrorResponse.scala

@@ -229,6 +229,15 @@ object Messages {
 
   /** Indicates that the container for the action could not be started. */
   val resourceProvisionError = "Failed to provision resources to run the action."
+
+  def forbiddenGetActionBinding(entityDocId: String) =
+    s"GET not permitted for '$entityDocId'. Resource does not exist or an action in a shared package binding."
+  def forbiddenGetAction(entityPath: String) =
+    s"GET not permitted for '$entityPath' since it's an action in a shared package"
+  def forbiddenGetPackageBinding(packageName: String) =
+    s"GET not permitted since $packageName is a binding of a shared package"
+  def forbiddenGetPackage(packageName: String) =
+    s"GET not permitted for '$packageName' since it's a shared package"
 }
 
 /** Replaces rejections with Json object containing cause and transaction id. */

core/controller/src/main/scala/org/apache/openwhisk/core/controller/Actions.scala

@@ -26,7 +26,6 @@ import akka.http.scaladsl.model.StatusCodes._
 import akka.http.scaladsl.server.RequestContext
 import akka.http.scaladsl.server.RouteResult
 import akka.http.scaladsl.marshallers.sprayjson.SprayJsonSupport._
-import akka.http.scaladsl.model.StatusCode
 import akka.http.scaladsl.unmarshalling._
 import spray.json._
 import spray.json.DefaultJsonProtocol._
@@ -46,6 +45,7 @@ import org.apache.openwhisk.core.entitlement.Collection
 import org.apache.openwhisk.core.loadBalancer.LoadBalancerException
 import pureconfig._
 import org.apache.openwhisk.core.ConfigKeys
+
 /**
  * A singleton object which defines the properties that must be present in a configuration
  * in order to implement the actions API.
@@ -105,9 +105,10 @@ trait WhiskActionsApi extends WhiskCollectionAPI with PostActionActivation with
   protected val activationStore: ActivationStore
 
   /** Config flag for Execute Only for Actions in Shared Packages */
-  protected def executeOnly = Try({
-    loadConfigOrThrow[Boolean](ConfigKeys.sharedPackageExecuteOnly)
-  }).getOrElse(false)
+  protected def executeOnly =
+    Try({
+      loadConfigOrThrow[Boolean](ConfigKeys.sharedPackageExecuteOnly)
+    }).getOrElse(false)
 
   /** Entity normalizer to JSON object. */
   import RestApiCommons.emptyEntityToJsObject
@@ -337,8 +338,6 @@ trait WhiskActionsApi extends WhiskCollectionAPI with PostActionActivation with
     deleteEntity(WhiskAction, entityStore, entityName.toDocId, (a: WhiskAction) => Future.successful({}))
   }
 
-
-
   /**
    * Gets action. The action name is prefixed with the namespace to create the primary index key.
    *
@@ -352,56 +351,60 @@ trait WhiskActionsApi extends WhiskCollectionAPI with PostActionActivation with
     parameter('code ? true) { code =>
       //check if execute only is enabled, and if there is a discrepancy between the current user's namespace
       //and that of the entity we are trying to fetch
-     if (executeOnly && user.namespace.name.toString != entityName.namespace.toString) {
-        val value = entityName.path
-        terminate(StatusCode.int2StatusCode(403), s"GET not permitted for '$value' since it's an action in a shared package")
+
+      if (executeOnly && user.namespace.name != entityName.namespace) {
+        terminate(Forbidden, forbiddenGetAction(entityName.path.asString))
       } else {
-        code match {
-          case true =>
-              //Resolve Binding(Package) of the action
-              getEntity(
-                WhiskPackage.resolveBinding(entityStore, entityName.path.toDocId, mergeParameters = true),
-                Some {pkg: WhiskPackage =>
-                  val originalPackageLocation = pkg.fullyQualifiedName(withVersion = false).namespace
-                  if (executeOnly && originalPackageLocation != entityName.namespace){
-                    terminate(StatusCode.int2StatusCode(403),
-                      s"GET not permitted for '${entityName.toDocId}'. Resource does not exist or an action in a shared package binding")
-                  }else{
-                    getEntity(WhiskAction.resolveActionAndMergeParameters(entityStore, entityName), Some {
-                      action: WhiskAction =>
-                        val mergedAction = env map {
-                          action inherit _
-                        } getOrElse action
-                        complete(OK, mergedAction)
-                    })
-                  }
+        val getEntityWhiskActionCase =
+          getEntity(WhiskAction.resolveActionAndMergeParameters(entityStore, entityName), Some { action: WhiskAction =>
+            val mergedAction = env map {
+              action inherit _
+            } getOrElse action
+            complete(OK, mergedAction)
+          })
+        val getEntityWhiskMetaDataCase =
+          getEntity(WhiskActionMetaData.resolveActionAndMergeParameters(entityStore, entityName), Some {
+            action: WhiskActionMetaData =>
+              val mergedAction = env map {
+                action inherit _
+              } getOrElse action
+              complete(OK, mergedAction)
+          })
+        if (code) {
+          if (entityName.path.defaultPackage) {
+            getEntityWhiskActionCase
+          } else {
+            getEntity(
+              WhiskPackage.resolveBinding(entityStore, entityName.path.toDocId, mergeParameters = true),
+              Some { pkg: WhiskPackage =>
+                val originalPackageLocation = pkg.fullyQualifiedName(withVersion = false).namespace
+                if (executeOnly && originalPackageLocation != entityName.namespace) {
+                  terminate(Forbidden, forbiddenGetActionBinding(entityName.toDocId.asString))
+                } else {
+                  getEntityWhiskActionCase
                 }
-              )
-          case false =>
+              })
+          }
+        } else {
+          if (entityName.path.defaultPackage) {
+            getEntityWhiskMetaDataCase
+          } else {
             getEntity(
               WhiskPackage.resolveBinding(entityStore, entityName.path.toDocId, mergeParameters = true),
-              Some {pkg: WhiskPackage =>
+              Some { pkg: WhiskPackage =>
                 val originalPackageLocation = pkg.fullyQualifiedName(withVersion = false).namespace
-                if (executeOnly && originalPackageLocation != entityName.namespace){
-                  terminate(StatusCode.int2StatusCode(403),
-                    s"GET not permitted for '${entityName.toDocId}'. Resource does not exist or an action in a shared package binding")
-                }else{
-                  getEntity(WhiskActionMetaData.resolveActionAndMergeParameters(entityStore, entityName), Some {
-                    action: WhiskActionMetaData =>
-                      val mergedAction = env map {
-                        action inherit _
-                      } getOrElse action
-                      complete(OK, mergedAction)
-                  })
+                if (executeOnly && originalPackageLocation != entityName.namespace) {
+                  terminate(Forbidden, forbiddenGetActionBinding(entityName.toDocId.asString))
+                } else {
+                  getEntityWhiskMetaDataCase
                 }
-              }
-            )
-         }
-     }
+              })
+          }
+        }
+      }
     }
   }
 
-
   /**
    * Gets all actions in a path.
    *

core/controller/src/main/scala/org/apache/openwhisk/core/controller/Packages.scala

@@ -20,7 +20,6 @@ package org.apache.openwhisk.core.controller
 import scala.concurrent.Future
 import scala.util.{Failure, Success, Try}
 import akka.http.scaladsl.marshallers.sprayjson.SprayJsonSupport._
-import akka.http.scaladsl.model.StatusCode
 import akka.http.scaladsl.model.StatusCodes._
 import akka.http.scaladsl.server.{RequestContext, RouteResult}
 import akka.http.scaladsl.unmarshalling.Unmarshaller
@@ -32,6 +31,7 @@ import org.apache.openwhisk.core.entity._
 import org.apache.openwhisk.core.entity.types.EntityStore
 import org.apache.openwhisk.http.ErrorResponse.terminate
 import org.apache.openwhisk.http.Messages
+import org.apache.openwhisk.http.Messages._
 import pureconfig._
 import org.apache.openwhisk.core.ConfigKeys
 
@@ -44,10 +44,10 @@ trait WhiskPackagesApi extends WhiskCollectionAPI with ReferencedEntities {
   protected val entityStore: EntityStore
 
   /** Config flag for Execute Only for Shared Packages */
-
-  protected def executeOnly = Try({
-    loadConfigOrThrow[Boolean](ConfigKeys.sharedPackageExecuteOnly)
-  }).getOrElse(false)
+  protected def executeOnly =
+    Try({
+      loadConfigOrThrow[Boolean](ConfigKeys.sharedPackageExecuteOnly)
+    }).getOrElse(false)
 
   /** Notification service for cache invalidation. */
   protected implicit val cacheChangeNotification: Some[CacheChangeNotification]
@@ -153,7 +153,6 @@ trait WhiskPackagesApi extends WhiskCollectionAPI with ReferencedEntities {
       })
   }
 
-
   /**
    * Gets package/binding.
    * The package/binding name is prefixed with the namespace to create the primary index key.
@@ -167,10 +166,10 @@ trait WhiskPackagesApi extends WhiskCollectionAPI with ReferencedEntities {
   //within the mergePackageWithBinding() method
   override def fetch(user: Identity, entityName: FullyQualifiedEntityName, env: Option[Parameters])(
     implicit transid: TransactionId) = {
-    if (executeOnly && user.namespace.name.toString != entityName.namespace.toString) {
-        val value = entityName.toString
-        terminate(StatusCode.int2StatusCode(403), s"GET not permitted for '$value' since it's a shared package")
-    }else {
+    if (executeOnly && user.namespace.name != entityName.namespace) {
+      val value = entityName.toString
+      terminate(Forbidden, forbiddenGetPackage(entityName.asString))
+    } else {
       getEntity(WhiskPackage.get(entityStore, entityName.toDocId), Some {
         mergePackageWithBinding() _
       })
@@ -320,13 +319,14 @@ trait WhiskPackagesApi extends WhiskCollectionAPI with ReferencedEntities {
           logging.error(this, s"unexpected package binding refers to itself: $docid")
           terminate(UnprocessableEntity, Messages.packageBindingCircularReference(b.fullyQualifiedName.toString))
         } else {
+
           /** Here's where I check package execute only case with package binding. */
-          val packagePath = wp.namespace.toString()
-          val bindingPath = wp.binding.iterator.next().toString()
+          val packagePath = wp.namespace.asString
+          val bindingPath = wp.binding.iterator.next().toString
           val indexOfSlash = bindingPath.indexOf('/')
-          if (executeOnly && packagePath != bindingPath.take(indexOfSlash)){
-            terminate(StatusCode.int2StatusCode(403), s"GET not permitted since ${wp.name.toString} is a binding of a shared package")
-          }else {
+          if (executeOnly && packagePath != bindingPath.take(indexOfSlash)) {
+            terminate(Forbidden, forbiddenGetPackageBinding(wp.name.asString))
+          } else {
             getEntity(WhiskPackage.get(entityStore, docid), Some {
               mergePackageWithBinding(Some {
                 wp

tests/src/test/scala/org/apache/openwhisk/core/controller/test/PackageActionsApiTests.scala

@@ -639,7 +639,7 @@ class PackageActionsApiTests extends ControllerTestCommon with WhiskActionsApi {
   var testExecuteOnly = false
   override def executeOnly = testExecuteOnly
 
-  it should("allow access to get of action in binding of shared package when config option is disabled") in {
+  it should ("allow access to get of action in binding of shared package when config option is disabled") in {
     testExecuteOnly = false
     implicit val tid = transid()
     val auser = WhiskAuthHelpers.newIdentity()
@@ -654,18 +654,18 @@ class PackageActionsApiTests extends ControllerTestCommon with WhiskActionsApi {
     }
   }
 
-  it should("deny access to get of action in binding of shared package when config option is enabled") in {
-      testExecuteOnly = true
-      implicit val tid = transid()
-      val auser = WhiskAuthHelpers.newIdentity()
-      val provider = WhiskPackage(namespace, aname(), None, Parameters("p", "P"), publish = true)
-      val binding = WhiskPackage(EntityPath(auser.subject.asString), aname(), provider.bind, Parameters("b", "B"))
-      val action = WhiskAction(provider.fullPath, aname(), jsDefault("??"), Parameters("a", "A"))
-      put(entityStore, provider)
-      put(entityStore, binding)
-      put(entityStore, action)
-      Get(s"$collectionPath/${binding.name}/${action.name}") ~> Route.seal(routes(auser)) ~> check {
-        status should be(Forbidden)
-      }
+  it should ("deny access to get of action in binding of shared package when config option is enabled") in {
+    testExecuteOnly = true
+    implicit val tid = transid()
+    val auser = WhiskAuthHelpers.newIdentity()
+    val provider = WhiskPackage(namespace, aname(), None, Parameters("p", "P"), publish = true)
+    val binding = WhiskPackage(EntityPath(auser.subject.asString), aname(), provider.bind, Parameters("b", "B"))
+    val action = WhiskAction(provider.fullPath, aname(), jsDefault("??"), Parameters("a", "A"))
+    put(entityStore, provider)
+    put(entityStore, binding)
+    put(entityStore, action)
+    Get(s"$collectionPath/${binding.name}/${action.name}") ~> Route.seal(routes(auser)) ~> check {
+      status should be(Forbidden)
+    }
   }
 }

tests/src/test/scala/org/apache/openwhisk/core/controller/test/PackagesApiTests.scala

@@ -888,54 +888,54 @@ class PackagesApiTests extends ControllerTestCommon with WhiskPackagesApi {
   var testExecuteOnly = false
   override def executeOnly = testExecuteOnly
 
-  it should("allow access to get of shared package binding when config option is disabled") in {
-      testExecuteOnly = false
-      implicit val tid = transid()
-      val auser = WhiskAuthHelpers.newIdentity()
-      val provider = WhiskPackage(namespace, aname(), None, Parameters("p", "P"), publish = true)
-      val binding = WhiskPackage(EntityPath(auser.subject.asString), aname(), provider.bind, Parameters("b", "B"))
-      put(entityStore, provider)
-      put(entityStore, binding)
-      Get(s"/$namespace/${collection.path}/${provider.name}") ~> Route.seal(routes(auser)) ~> check {
-        status should be(OK)
-      }
+  it should ("allow access to get of shared package binding when config option is disabled") in {
+    testExecuteOnly = false
+    implicit val tid = transid()
+    val auser = WhiskAuthHelpers.newIdentity()
+    val provider = WhiskPackage(namespace, aname(), None, Parameters("p", "P"), publish = true)
+    val binding = WhiskPackage(EntityPath(auser.subject.asString), aname(), provider.bind, Parameters("b", "B"))
+    put(entityStore, provider)
+    put(entityStore, binding)
+    Get(s"/$namespace/${collection.path}/${provider.name}") ~> Route.seal(routes(auser)) ~> check {
+      status should be(OK)
+    }
   }
 
-  it should("allow access to get of shared package when config option is disabled") in {
-      testExecuteOnly = false
-      implicit val tid = transid()
-      val auser = WhiskAuthHelpers.newIdentity()
-      val provider = WhiskPackage(namespace, aname(), None, publish = true)
-      put(entityStore, provider)
+  it should ("allow access to get of shared package when config option is disabled") in {
+    testExecuteOnly = false
+    implicit val tid = transid()
+    val auser = WhiskAuthHelpers.newIdentity()
+    val provider = WhiskPackage(namespace, aname(), None, publish = true)
+    put(entityStore, provider)
 
-      Get(s"/$namespace/${collection.path}/${provider.name}") ~> Route.seal(routes(auser)) ~> check {
-        status should be(OK)
-      }
+    Get(s"/$namespace/${collection.path}/${provider.name}") ~> Route.seal(routes(auser)) ~> check {
+      status should be(OK)
+    }
   }
 
   it should ("deny access to get of shared package binding when config option is enabled") in {
-      testExecuteOnly = true
-      implicit val tid = transid()
-      val auser = WhiskAuthHelpers.newIdentity()
-      val provider = WhiskPackage(namespace, aname(), None, Parameters("p", "P"), publish = true)
-      val binding = WhiskPackage(EntityPath(auser.subject.asString), aname(), provider.bind, Parameters("b", "B"))
-      put(entityStore, provider)
-      put(entityStore, binding)
-      Get(s"/$namespace/${collection.path}/${provider.name}") ~> Route.seal(routes(auser)) ~> check {
-        status should be(Forbidden)
-      }
+    testExecuteOnly = true
+    implicit val tid = transid()
+    val auser = WhiskAuthHelpers.newIdentity()
+    val provider = WhiskPackage(namespace, aname(), None, Parameters("p", "P"), publish = true)
+    val binding = WhiskPackage(EntityPath(auser.subject.asString), aname(), provider.bind, Parameters("b", "B"))
+    put(entityStore, provider)
+    put(entityStore, binding)
+    Get(s"/$namespace/${collection.path}/${provider.name}") ~> Route.seal(routes(auser)) ~> check {
+      status should be(Forbidden)
+    }
 
   }
 
-  it should("deny access to get of shared package when config option is enabled") in {
-      testExecuteOnly = true
-      implicit val tid = transid()
-      val auser = WhiskAuthHelpers.newIdentity()
-      val provider = WhiskPackage(namespace, aname(), None, publish = true)
-      put(entityStore, provider)
+  it should ("deny access to get of shared package when config option is enabled") in {
+    testExecuteOnly = true
+    implicit val tid = transid()
+    val auser = WhiskAuthHelpers.newIdentity()
+    val provider = WhiskPackage(namespace, aname(), None, publish = true)
+    put(entityStore, provider)
 
-      Get(s"/$namespace/${collection.path}/${provider.name}") ~> Route.seal(routes(auser)) ~> check {
-        status should be(Forbidden)
-      }
+    Get(s"/$namespace/${collection.path}/${provider.name}") ~> Route.seal(routes(auser)) ~> check {
+      status should be(Forbidden)
+    }
   }
-}
+}