♻️ Replace experimental override-users-db-header and override-acl-db-header with attached parameters

Author: ujibang

core/src/main/resources/restheart-default-config.yml

@@ -88,7 +88,6 @@ mongoRealmAuthenticator:
   enabled: true
   users-db: restheart 
   users-collection: users
-  override-users-db-header: null # eg. X-Auth-Db; when present override users-db from request header
   prop-id: _id
   prop-password: password
   json-path-roles: $.roles
@@ -160,7 +159,6 @@ mongoAclAuthorizer:
   enabled: true
   acl-db: restheart
   acl-collection: acl
-  override-acl-db-header: null # eg. X-Auth-Db; when present override acl-db from request header
   # clients with root-role can execute any request
   root-role: admin
   cache-enabled: true

security/src/main/java/org/restheart/security/authenticators/DenyFilterOnUserPwd.java

@@ -92,7 +92,7 @@ public void init() {
     public boolean resolve(MongoRequest request, MongoResponse response) {
         return enabled
             && request.isGet()
-            && (this.mra.overrideUsersDbHeader() != null || this.mra.getUsersDb(request).equalsIgnoreCase(request.getDBName())) // if usersdb is overridden then any users collection in any db must be processed
+            && (request.attachedParam("override-users-db") != null || this.mra.getUsersDb(request).equalsIgnoreCase(request.getDBName())) // if usersdb is overridden then any users collection in any db must be processed
             && this.usersCollection.equalsIgnoreCase(request.getCollectionName())
             && hasFilterOnPassword(request.getFiltersDocument());
     }

security/src/main/java/org/restheart/security/authenticators/MongoRealmAuthenticator.java

@@ -75,7 +75,6 @@ public class MongoRealmAuthenticator implements Authenticator {
 
     private String propId = "_id";
     private String usersDb;
-    private String overrideUsersDbHeader = null;
     private String usersCollection;
     private String propPassword = "password";
     private String jsonPathRoles = "$.roles";
@@ -102,7 +101,6 @@ private record CacheKey(String id, String db) {};
     public void init() {
         this.usersDb = argOrDefault(config, "users-db", "restheart");
         this.usersCollection = argOrDefault(config, "users-collection", "users");
-        this.overrideUsersDbHeader = argOrDefault(config, "override-users-db-header", null);
 
         final String _cacheExpirePolicy = arg(config, "cache-expire-policy");
         if (_cacheExpirePolicy != null) {
@@ -550,14 +548,11 @@ public String getUsersDb() {
 
     /**
      * @param req
-     * @return the usersDb taking into account the overrideUsersDbHeader option
+     * @return the usersDb taking into account the override-users-db attached parameter
      */
     public String getUsersDb(final Request<?> req) {
-        if (this.overrideUsersDbHeader != null && req.getHeaders().contains(this.overrideUsersDbHeader)) {
-            return req.getHeader(this.overrideUsersDbHeader);
-        } else {
-            return this.usersDb;
-        }
+        String overrideUsersDb = req.attachedParam("override-users-db");
+        return overrideUsersDb != null ? overrideUsersDb : this.usersDb;
     }
 
     /**
@@ -567,13 +562,6 @@ public void setUsersDb(final String usersDb) {
         this.usersDb = usersDb;
     }
 
-    /**
-     * @return the overrideUsersDbHeader
-     */
-    public String overrideUsersDbHeader() {
-        return this.overrideUsersDbHeader;
-    }
-
     /**
      * @return the usersCollection
      */

security/src/main/java/org/restheart/security/authenticators/UserPwdHasher.java

@@ -146,10 +146,10 @@ public void handle(MongoRequest request, MongoResponse response) throws Exceptio
     @Override
     public boolean resolve(MongoRequest request, MongoResponse response) {
         return enabled
-                && request.isHandledBy("mongo")
-                && request.isWriteDocument()
-                && request.isContentTypeJson()
-                && (this.mra.overrideUsersDbHeader() != null || this.mra.getUsersDb(request).equalsIgnoreCase(request.getDBName())) // if usersdb is overridden then any users collection in any db must be processed
-                && this.usersCollection.equalsIgnoreCase(request.getCollectionName());
+            && request.isHandledBy("mongo")
+            && request.isWriteDocument()
+            && request.isContentTypeJson()
+            && (request.attachedParam("override-users-db") != null || this.mra.getUsersDb(request).equalsIgnoreCase(request.getDBName())) // if usersdb is overridden then any users collection in any db must be processed
+            && this.usersCollection.equalsIgnoreCase(request.getCollectionName());
     }
 }

security/src/main/java/org/restheart/security/authenticators/UserPwdRemover.java

@@ -142,7 +142,7 @@ public void handle(MongoRequest request, MongoResponse response) throws Exceptio
     public boolean resolve(MongoRequest request, MongoResponse response) {
         return enabled
             && request.isGet()
-            && (this.mra.overrideUsersDbHeader() != null || this.mra.getUsersDb(request).equalsIgnoreCase(request.getDBName())) // if usersdb is overridden then any users collection in any db must be processed
+            && (request.attachedParam("override-users-db")  != null || this.mra.getUsersDb(request).equalsIgnoreCase(request.getDBName())) // if usersdb is overridden then any users collection in any db must be processed
             && this.usersCollection.equalsIgnoreCase(request.getCollectionName())
             && !request.isCollectionSize()
             && !request.isCollectionMeta()

security/src/main/java/org/restheart/security/authenticators/UserPwdStrengthEnforcer.java

@@ -196,7 +196,7 @@ public boolean resolve(MongoRequest request, MongoResponse response) {
             && request.isHandledBy("mongo")
             && request.isWriteDocument()
             && request.isContentTypeJson()
-            && (this.mra.overrideUsersDbHeader() != null || this.mra.getUsersDb(request).equalsIgnoreCase(request.getDBName())) // if usersdb is overridden then any users collection in any db must be processed
+            && (request.attachedParam("override-users-db") != null || this.mra.getUsersDb(request).equalsIgnoreCase(request.getDBName())) // if usersdb is overridden then any users collection in any db must be processed
             && this.usersCollection.equalsIgnoreCase(request.getCollectionName());
     }
 }

security/src/main/java/org/restheart/security/authorizers/MongoAclAuthorizer.java

@@ -76,7 +76,6 @@ public class MongoAclAuthorizer implements Authorizer {
 
     String aclDb;
     String aclCollection;
-    String overrideAclDbHeader;
     private String rootRole = null;
     private boolean cacheEnabled = false;
     private Integer cacheSize = 1_000; // 1000 entries
@@ -98,7 +97,6 @@ private record CacheKey(String role, String db) {};
     public void init() {
         this.aclDb = argOrDefault(config, "acl-db", "restheart");
         this.aclCollection = argOrDefault(config, "acl-collection", "acl");
-        this.overrideAclDbHeader = argOrDefault(config, "override-acl-db-header", null);
         this.rootRole = argOrDefault(config, "root-role", null);
 
         if (config != null && config.containsKey("cache-enabled")) {
@@ -257,12 +255,10 @@ public boolean isAuthenticationRequired(Request request) {
         }
     }
 
+
     private String aclDb(Request<?> req) {
-        if (this.overrideAclDbHeader != null && req.getHeaders().contains(this.overrideAclDbHeader)) {
-            return req.getHeader(overrideAclDbHeader);
-        } else {
-            return this.aclDb;
-        }
+        String overrideAclDb = req.attachedParam("override-acl-db");
+        return overrideAclDb != null ? overrideAclDb : this.aclDb;
     }
 
     private Stream<String> roles(HttpServerExchange exchange) {

security/src/main/java/org/restheart/security/interceptors/RootRoleGuard.java

@@ -162,7 +162,7 @@ private boolean contains(JsonArray array, String srt) {
 
     @Override
     public boolean resolve(MongoRequest request, MongoResponse response) {
-        if (this.mra.overrideUsersDbHeader() == null) {
+        if (request.attachedParam("override-users-db") == null) {
             return enabled && request.isWriteDocument() && request.getDBName().equals(this.mra.getUsersDb()) && request.getCollectionName().equals(this.usersCollection);
         } else {
             // when users db can be overridden, all dbs must be checked