Merge pull request #14 from fireflyframework/fix/framework-hardening

casc84ab · web-flow · commit 4494ce90a7a4 · 2026-02-13T10:27:55.000+01:00
fix: NoOp security adapters deny-by-default
diff --git a/src/main/java/org/fireflyframework/ecm/adapter/noop/NoOpGenericAdapter.java b/src/main/java/org/fireflyframework/ecm/adapter/noop/NoOpGenericAdapter.java
@@ -36,11 +36,14 @@
  * <ul>
  *   <li>Methods returning {@link Mono}: Return empty Mono or error for modifications</li>
  *   <li>Methods returning {@link Flux}: Return empty Flux</li>
- *   <li>Methods returning {@link Boolean}: Return false for existence checks, true for permissions</li>
+ *   <li>Methods returning {@link Boolean}: Return false (deny by default) for ALL checks including permissions</li>
  *   <li>Methods returning {@link String}: Return adapter name for getAdapterName(), empty for others</li>
  *   <li>Other return types: Return null or appropriate defaults</li>
  * </ul>
  *
+ * <p><strong>Security Note:</strong> All permission/access checks return DENY by default.
+ * Configure a real adapter for production use.</p>
+ *
  * @param <T> the port interface type
  * @author Firefly Software Solutions Inc.
  * @version 1.0
@@ -121,12 +124,14 @@ public Object invoke(Object proxy, Method method, Object[] args) throws Throwabl
     private Mono<?> handleMonoReturn(String methodName) {
         String lowerMethodName = methodName.toLowerCase();
 
-        // For boolean permission/access methods, return true (permissive default) - CHECK FIRST
+        // SECURITY: Permission/access methods DENY by default when no adapter configured
         if (lowerMethodName.startsWith("can") ||
             lowerMethodName.contains("access") ||
             lowerMethodName.contains("permission") ||
             lowerMethodName.contains("allow")) {
-            return Mono.just(true);
+            log.warn("SECURITY: Permission check '{}' denied by NoOp {} adapter. " +
+                    "Configure a real adapter for production use.", methodName, getAdapterType());
+            return Mono.just(false);
         }
 
         // For boolean existence/status checks, return false
@@ -170,23 +175,17 @@ private Mono<?> handleMonoReturn(String methodName) {
     private boolean handleBooleanReturn(String methodName) {
         String lowerMethodName = methodName.toLowerCase();
 
-        // For permission/access methods, return true (permissive default)
+        // SECURITY: Permission/access methods DENY by default
         if (lowerMethodName.startsWith("can") ||
             lowerMethodName.contains("access") ||
             lowerMethodName.contains("permission") ||
             lowerMethodName.contains("allow")) {
-            return true;
-        }
-
-        // For existence/status checks, return false
-        if (lowerMethodName.startsWith("exists") ||
-            lowerMethodName.startsWith("has") ||
-            lowerMethodName.startsWith("is") ||
-            lowerMethodName.startsWith("contains")) {
+            log.warn("SECURITY: Permission check '{}' denied by NoOp {} adapter. " +
+                    "Configure a real adapter for production use.", methodName, getAdapterType());
             return false;
         }
 
-        // Default to false for other boolean methods
+        // For all other boolean methods, return false
         return false;
     }
 }
diff --git a/src/main/java/org/fireflyframework/ecm/config/EcmAutoConfiguration.java b/src/main/java/org/fireflyframework/ecm/config/EcmAutoConfiguration.java
@@ -338,7 +338,13 @@ public FolderHierarchyPort folderHierarchyPort(EcmPortProvider portProvider, NoO
     @ConditionalOnProperty(prefix = "firefly.ecm.features", name = "permissions", havingValue = "true", matchIfMissing = true)
     public PermissionPort permissionPort(EcmPortProvider portProvider, NoOpAdapterFactory noOpAdapterFactory) {
         return portProvider.getPermissionPort()
-            .orElseGet(noOpAdapterFactory::createPermissionPort);
+            .orElseGet(() -> {
+                log.warn("=========================================================================");
+                log.warn("ECM PermissionPort is using NoOp adapter — ALL permission checks will");
+                log.warn("DENY by default. Configure a real adapter for production use.");
+                log.warn("=========================================================================");
+                return noOpAdapterFactory.createPermissionPort();
+            });
     }
 
     /**
@@ -361,7 +367,13 @@ public PermissionPort permissionPort(EcmPortProvider portProvider, NoOpAdapterFa
     @ConditionalOnProperty(prefix = "firefly.ecm.features", name = "security", havingValue = "true", matchIfMissing = true)
     public DocumentSecurityPort documentSecurityPort(EcmPortProvider portProvider, NoOpAdapterFactory noOpAdapterFactory) {
         return portProvider.getDocumentSecurityPort()
-            .orElseGet(noOpAdapterFactory::createDocumentSecurityPort);
+            .orElseGet(() -> {
+                log.warn("=========================================================================");
+                log.warn("ECM DocumentSecurityPort is using NoOp adapter — ALL security operations");
+                log.warn("will be denied/no-op. Configure a real adapter for production use.");
+                log.warn("=========================================================================");
+                return noOpAdapterFactory.createDocumentSecurityPort();
+            });
     }
 
     /**
diff --git a/src/test/java/org/fireflyframework/ecm/adapter/noop/NoOpAdapterLoggingTest.java b/src/test/java/org/fireflyframework/ecm/adapter/noop/NoOpAdapterLoggingTest.java
@@ -145,9 +145,9 @@ void shouldLogWarningsForSecurityAdapterMethods() {
         UUID testDocumentId = UUID.randomUUID();
         UUID testUserId = UUID.randomUUID();
 
-        // Call a permission check method (should return true with warning)
+        // Call a permission check method (should return false with warning — deny by default)
         StepVerifier.create(adapter.canAccessDocument(testDocumentId, testUserId, "READ"))
-                .expectNext(true)
+                .expectNext(false)
                 .verifyComplete();
 
         // Call an encryption method and expect error
diff --git a/src/test/java/org/fireflyframework/ecm/config/EcmGracefulDegradationTest.java b/src/test/java/org/fireflyframework/ecm/config/EcmGracefulDegradationTest.java
@@ -120,24 +120,24 @@ void shouldReturnEmptyResultsForQueryOperations() {
     }
 
     /**
-     * Verifies that no-op adapters return permissive defaults for security operations.
+     * Verifies that no-op adapters return deny by default for security operations.
      */
     @Test
-    void shouldReturnPermissiveDefaultsForSecurityOperations() {
+    void shouldReturnDenyByDefaultForSecurityOperations() {
         UUID testDocumentId = UUID.randomUUID();
         UUID testUserId = UUID.randomUUID();
 
-        // Access checks should return true (permissive default)
+        // Access checks should return false (deny by default)
         StepVerifier.create(documentSecurityPort.canAccessDocument(testDocumentId, testUserId, "READ"))
-                .expectNext(true)
+                .expectNext(false)
                 .verifyComplete();
 
         StepVerifier.create(documentSecurityPort.canDeleteDocument(testDocumentId, testUserId))
-                .expectNext(true)
+                .expectNext(false)
                 .verifyComplete();
 
         StepVerifier.create(documentSecurityPort.canModifyDocument(testDocumentId, testUserId))
-                .expectNext(true)
+                .expectNext(false)
                 .verifyComplete();
     }
 
