Security Inspector Application

Version 11.1 by Denis Gervalle on 2018/03/19 21:22

Tools for inspecting internal XWiki security structures

Type: XAR
Category: Application
Developed by: Denis Gervalle
Active Installs: 3
Rating: 0 Votes
License: GNU Lesser General Public License 2.1

Installable with the Extension Manager

Description

Tools for inspecting internal XWiki security structures

Currently there is only one tool, but let's leave room for more later.

Live Security Cache Viewer

Accessible only by Admin users

Once installed, this extension activates a WebSocket service that provides live updates about the Security Cache content.
To be able to access this information, make sure you can reach the WebSocket port (8093 by default) of your XWiki server. For more information about the WebSocket setup, see the WebSocket Integration extension.

A live viewer of the information delivered by the installed service is available on the page Admin.LiveSecurityCacheViewer. Be patient when you load the page: it can take a while before you see any activity, depending on the number of nodes in your cache (up to 10k nodes by default). Above several thousand nodes, the animation can also be quite slow. Using the Chrome browser is recommended, since Firefox seems to be slower, but any recent modern browser should be compatible.

If everything works, you will see a dynamic, navigable and zoomable graph that can be as complex as this snapshot taken from the xwiki.org farm:

xwiki-org-seccache.png

To give some clues about how to interpret what you see, rather than just finding it fun, let's take the smallest content your cache can probably hold, which already illustrates almost all the cases you might encounter in a single wiki:

sample-seccache.png

Here is what you can see:

  • Represented as a red database, you see the xwiki wiki node. This node holds the security rules at the wiki level (or at the farm level for the main wiki). On the main wiki only, it also has a secondary meaning (killing two birds with one stone): it represents the public access user (the old XWiki.XWikiGuest).
  • Represented as an orange dot, you see the XWiki space node. This node holds the security rules at the space level. It is linked to its containing wiki by an orange link.
  • Represented as blue dots, you see two documents (XWiki.AdminSheet and XWiki.XWikiPreferences). These nodes hold the security rules at the document level. They are linked to their containing space with a blue link.
  • Represented as a blue diamond, you see a special kind of document node, a group, here the XWikiAllGroup group. Like document nodes, it holds the security rules for the document it represents, and it is linked with a blue link to the XWiki space. But it also has a special meaning: it links the (currently known) members of the group with cyan links.
  • Represented as a blue star, you see another special kind of document node, a user, here the Admin user. Like document nodes, it holds the security rules for the document it represents and it is linked with a blue link to the XWiki space. It is also linked with cyan links to the groups the user is a member of.
  • Finally, represented as smaller red dots, you see the purpose of this cache: the access decisions. These decisions hold the access rights that have been computed for a given user on a given entity. A decision node is linked to the user concerned with a purple link, and to the entity concerned with a red link. Here you see that the cache holds the access decisions for the Admin user on the XWiki.AdminSheet and XWiki.XWikiPreferences documents, and also a decision for the public access user on XWiki.AdminSheet.

The cache situation above is a very contrived example, and the content of the cache will rarely look like this in a normally used wiki. Here is another sample, to help you confirm your understanding so far:

sample2-seccache.png

However, this is still a very contrived sample, since it considers only 2 users, 3 groups, a couple of very incompletely cached spaces and documents (you can already see nested spaces, however), and only a few decisions. Let's grow this sample with a second subwiki in order to introduce a new kind of node:

sample3-seccache.png

As you can see in this one, there is a new kind of node, represented by black dots, and some new black links as well. Let's first look at the blue stars linked by black links to the black dots. These dots represent "shadows", in the subwiki, of the global users from the main wiki. Using these shadows prevents links between wikis, and therefore influence between wikis during cache eviction. In the subwiki, all relations to these global users are made to their shadow. Global groups can also be shadowed in the same way, and the membership relations (cyan links) between global groups and global users are replicated between their respective shadows.

There is also a black link between the main wiki and the subwiki, showing the subordination of the subwiki rules to the main wiki rules. Moreover, you see a black link from the main wiki to a black dot. This black dot represents the shadow of the public access user (remember that the main wiki node also represents the public access user). The public access user is also linked to the subwiki, since its access rights might be influenced by the subwiki rules as well.
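To make the legend above and the shadow discussion concrete, here is a small Python model of the cache graph as this page describes it. This is an added illustration, not code from the extension or from XWiki's own SecurityCache: the node kinds and links follow the legend, but the node identifiers, the rule that a cache entry hangs below its parents (drop a parent, drop everything below it) and the `sub` subwiki are my assumptions. It builds the single-wiki sample, adds a subwiki with a shadowed Admin user and shadowed public access user, and walks what lies below a node so you can see that nothing in the main wiki hangs below the subwiki.

```python
"""Toy model of the security-cache graph drawn by the Live Security Cache Viewer.

Constructed illustration only; XWiki's real cache is not modelled here.
Each entry depends on its parents: removing a parent removes its children
(an assumption about eviction, not something the page states).
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Node kinds as drawn by the viewer (see the legend on this page).
WIKI, SPACE, DOCUMENT, GROUP, USER, SHADOW, DECISION = (
    "wiki", "space", "document", "group", "user", "shadow", "decision")


@dataclass
class SecurityGraph:
    kinds: dict = field(default_factory=dict)                       # node -> kind
    children: dict = field(default_factory=lambda: defaultdict(set))  # parent -> children

    def add(self, node, kind, *parents):
        """Register a node that depends on every node in `parents`."""
        for p in parents:
            if p not in self.kinds:
                raise KeyError(f"unknown parent {p!r} for {node!r}")
            self.children[p].add(node)
        self.kinds[node] = kind
        return node

    def dependents(self, node):
        """All nodes below `node`: what would be dropped together with it."""
        seen, stack = set(), [node]
        while stack:
            for child in self.children.get(stack.pop(), ()):
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        return seen

    def decisions_for(self, subject):
        """Cached access decisions that hang below a user, group or wiki node."""
        return {n for n in self.dependents(subject) if self.kinds[n] == DECISION}

    def counts(self):
        """Number of nodes per kind, like the counter in the viewer's corner."""
        out = defaultdict(int)
        for kind in self.kinds.values():
            out[kind] += 1
        return dict(out)


def build_sample():
    """The single-wiki sample from the legend, plus a subwiki 'sub' (constructed)."""
    g = SecurityGraph()
    # Red database: wiki rules; on the main wiki it is also the public access user.
    g.add("xwiki", WIKI)
    g.add("xwiki:XWiki", SPACE, "xwiki")                       # orange dot, orange link
    g.add("xwiki:XWiki.AdminSheet", DOCUMENT, "xwiki:XWiki")    # blue dots, blue links
    g.add("xwiki:XWiki.XWikiPreferences", DOCUMENT, "xwiki:XWiki")
    g.add("xwiki:XWiki.XWikiAllGroup", GROUP, "xwiki:XWiki")    # blue diamond
    # Blue star: a user, linked to its space (blue) and to its group (cyan membership).
    g.add("xwiki:XWiki.Admin", USER, "xwiki:XWiki", "xwiki:XWiki.XWikiAllGroup")
    # Small red dots: decisions, purple link to the user, red link to the entity.
    g.add("dec:Admin@AdminSheet", DECISION, "xwiki:XWiki.Admin", "xwiki:XWiki.AdminSheet")
    g.add("dec:Admin@XWikiPreferences", DECISION, "xwiki:XWiki.Admin", "xwiki:XWiki.XWikiPreferences")
    g.add("dec:guest@AdminSheet", DECISION, "xwiki", "xwiki:XWiki.AdminSheet")
    # Subwiki (assumed name 'sub'): black link to the main wiki it is subordinate to.
    g.add("sub", WIKI, "xwiki")
    # Black dots: shadows of global users inside the subwiki, black link to the original.
    g.add("sub:shadow:Admin", SHADOW, "xwiki:XWiki.Admin", "sub")
    g.add("sub:shadow:guest", SHADOW, "xwiki", "sub")
    g.add("sub:Main", SPACE, "sub")
    g.add("sub:Main.WebHome", DOCUMENT, "sub:Main")
    # Inside the subwiki, the decision relates to the shadow, never to the global user.
    g.add("dec:Admin@sub:Main.WebHome", DECISION, "sub:shadow:Admin", "sub:Main.WebHome")
    return g


def crosses_into_main_wiki(graph, subwiki):
    """True if anything below the subwiki node belongs to the main wiki (it should not)."""
    return any(n.startswith("xwiki") for n in graph.dependents(subwiki))


if __name__ == "__main__":
    g = build_sample()
    print("nodes per kind:", g.counts())
    print("decisions for Admin:", sorted(g.decisions_for("xwiki:XWiki.Admin")))
    print("below the subwiki:", sorted(g.dependents("sub")))
    print("subwiki reaches into main wiki:", crosses_into_main_wiki(g, "sub"))
```

Running it shows the Admin user's three decisions (two on the main wiki, one reached through its shadow), and that walking down from the subwiki only ever reaches subwiki nodes, shadows included, which is the isolation the shadow nodes are there to provide.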

Finally, since the view you are looking at evolves live while the wiki is being used, you might see a lot of movement that prevents you from seeing anything useful. Here is how it can look in this small animation (the cache is limited to a low 500 entries, which causes evictions while keeping the schema readable):

animated-seccache.gif

In that situation you will find it helpful to freeze the cache when you want to observe something. The freeze button at the top right of the viewer is a toggle that ignores updates while you are looking at the details. Next to it there is also a reload button to start fresh if ever needed; only use it when not frozen, otherwise it has no effect.

freeze0.png
freeze1.png

In the opposite corner, on the left, you can also see the number of nodes currently being displayed.

Enjoy this nice looking tool, and don't forget that it is not a game but a debugging tool!

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension (make sure that the text "Installable with the Extension Manager" is displayed at the top right of this page, which tells you whether this extension can be installed with the Extension Manager). Note that installing extensions while offline is currently not supported, and you would need to use a rather complex manual method.

You can also use the following manual method, which is useful if this extension cannot be installed with the Extension Manager or if you're using an old version of XWiki that doesn't have the Extension Manager:

  1. Log in to the wiki with a user having Administration rights
  2. Go to the Administration page and select the Import category
  3. Follow the on-screen instructions to upload the downloaded XAR
  4. Click on the uploaded XAR and follow the instructions
  5. You will also need to install all dependent extensions that are not already installed in your wiki

Release Notes

v1.0.1

Version 1.0 is affected by a serious issue that prevents a proper display.
Version 1.0.1 fixes it.

Dependencies

Dependencies for this extension (org.xwiki.contrib.securityinspector:application-securityinspector-ui 1.0.1):
