MLE-28498 11.3.5 Test Fixes for Security Update (#1074)

* MLE-28498 Permission fixes

This contains permission fixes for testing as a result of the 11.3.5 changes.

* MLE-28498 transform test fixes

Updated transforms tests to expect rest-transform-user as a result of 11.3.5 changes from ML-28684.

* MLE-28498 dmsdk fixes

Copilot fix for flakey dmsdk tests

* MLE-28498 Skip optic-fromDocs tests for < 12.1

After confirming with the MarkLogic Server team, op:from-docs is only supported in MLS 12.1 since it is a new feature. I have added a skip for anything lower than MLS 12.1

Author: jonmille

test-app/src/main/ml-config/security/roles/rest-evaluator.json

@@ -2,7 +2,8 @@
   "role-name": "rest-evaluator",
   "description": "REST writer who can eval, invoke, or set a dynamic databases",
   "role": [
-    "rest-writer"
+    "rest-writer",
+    "sparql-update-user"
   ],
   "privilege": [
     {
@@ -49,6 +50,21 @@
       "privilege-name": "xdmp-get-session-field",
       "action": "http://marklogic.com/xdmp/privileges/xdmp-get-session-field",
       "kind": "execute"
+    },
+    {
+      "privilege-name": "xdmp-login",
+      "action": "http://marklogic.com/xdmp/privileges/xdmp-login",
+      "kind": "execute"
+    },
+    {
+      "privilege-name": "unprotected-collections",
+      "action": "http://marklogic.com/xdmp/privileges/unprotected-collections",
+      "kind": "execute"
+    },
+    {
+      "privilege-name": "xdmp-xslt-invoke",
+      "action": "http://marklogic.com/xdmp/privileges/xslt-invoke",
+      "kind": "execute"
     }
   ]
-}
+}

test-app/src/main/ml-config/security/roles/rest-login.json

@@ -0,0 +1,11 @@
+{
+  "role-name": "rest-login",
+  "description": "Role granting xdmp:login privilege needed for REST transform invocations with different-transaction isolation",
+  "privilege": [
+    {
+      "privilege-name": "xdmp-login",
+      "action": "http://marklogic.com/xdmp/privileges/xdmp-login",
+      "kind": "execute"
+    }
+  ]
+}

test-app/src/main/ml-config/security/users/rest-admin.json

@@ -3,6 +3,9 @@
   "description": "rest-admin user",
   "password": "x",
   "role": [
-    "rest-admin"
+    "rest-admin",
+    "rest-evaluator",
+    "rest-extension-user",
+    "sparql-update-user"
   ]
-}
+}

test-app/src/main/ml-config/security/users/rest-reader.json

@@ -3,6 +3,8 @@
   "description": "rest-reader user",
   "password": "x",
   "role": [
-    "rest-reader"
+    "rest-reader",
+    "rest-extension-user",
+    "rest-login"
   ]
-}
+}

test-app/src/main/ml-config/security/users/rest-temporal-writer.json

@@ -3,6 +3,7 @@
   "description": "rest-writer user with temporal privileges",
   "password": "x",
   "role": [
-    "rest-temporal-writer"
+    "rest-temporal-writer",
+    "rest-extension-user"
   ]
-}
+}

test-app/src/main/ml-config/security/users/rest-transform-user.json

@@ -0,0 +1,10 @@
+{
+  "user-name": "rest-transform-user",
+  "description": "rest-transform-user user",
+  "password": "x",
+  "role": [
+    "rest-transform-internal",
+    "rest-reader",
+    "rest-login"
+  ]
+}

test-app/src/main/ml-config/security/users/rest-writer.json

@@ -5,6 +5,7 @@
   "role": [
     "rest-writer",
     "rest-evaluator",
-    "temporal-admin"
+    "temporal-admin",
+    "rest-extension-user"
   ]
 }

test-basic/documents-transform.js

@@ -187,7 +187,8 @@ describe('document transform', function(){
         documents.length.should.equal(1);
         documents[0].content.should.have.property('timestamp');
         documents[0].content.should.have.property('userName');
-        documents[0].content.userName.should.eql('rest-writer');
+        documents[0].content.userName.should.eql('rest-transform-user',
+          'As of MarkLogic 11.3.5 and 12.0.2 JavaScript transforms execute as the dedicated rest-transform-user rather than the calling user\'s identity, preventing privilege escalation via malicious transforms');
         done();
         })
       .catch(done);
@@ -202,7 +203,8 @@ describe('document transform', function(){
         documents.length.should.equal(1);
         documents[0].content.should.have.property('timestamp');
         documents[0].content.should.have.property('userName');
-        documents[0].content.userName.should.eql('rest-writer');
+        documents[0].content.userName.should.eql('rest-transform-user',
+          'As of MarkLogic 11.3.5 and 12.0.2 JavaScript transforms execute as the dedicated rest-transform-user rather than the calling user\'s identity, preventing privilege escalation via malicious transforms');
         done();
         })
       .catch(done);
@@ -221,7 +223,8 @@ describe('document transform', function(){
           documents.length.should.equal(1);
           documents[0].content.should.have.property('timestamp');
           documents[0].content.should.have.property('userName');
-          documents[0].content.userName.should.eql('rest-writer');
+          documents[0].content.userName.should.eql('rest-transform-user',
+            'As of MarkLogic 11.3.5 and 12.0.2 JavaScript transforms execute as the dedicated rest-transform-user rather than the calling user\'s identity, preventing privilege escalation via malicious transforms');
           done();
           })
         .catch(done);

test-basic/optic-fromDocs.js

@@ -20,6 +20,8 @@ let uris = [];
 let serverConfiguration = {};
 
 describe('optic-update fromDocs tests', function() {
+    // NOTE: op.fromDocs() with op.columnBuilder() is only supported in MarkLogic 12.1.0 and later.
+    // Tests in this suite are skipped automatically on earlier versions.
 
     this.timeout(15000);
     before(function (done) {
@@ -34,6 +36,10 @@ describe('optic-update fromDocs tests', function() {
     describe('fromDocs', function () {
 
         before(function (done) {
+            if (serverConfiguration.serverVersion < 12.1) {
+                this.skip();
+                return;
+            }
             // Insert test documents
             const testDocs = [
                 {
@@ -73,7 +79,7 @@ describe('optic-update fromDocs tests', function() {
                     }
                 },
                 {
-                    // we already have a geospatial element index for 'point' in wgs84 
+                    // we already have a geospatial element index for 'point' in wgs84
                     // in the test-app ml-gradle project. Use that.  Use 'point' to indicate location.
                     uri: '/test/fromDocs/location-portland.json',
                     contentType: 'application/json',
@@ -127,14 +133,14 @@ describe('optic-update fromDocs tests', function() {
                     }
                 }
             ];
-            
+
             let readable = new Stream.Readable({objectMode: true});
             testDocs.forEach(doc => {
                 readable.push(doc);
                 uris.push(doc.uri);
             });
             readable.push(null);
-            
+
             db.documents.writeAll(readable, {
                 onCompletion: () => done()
             });
@@ -252,7 +258,7 @@ describe('optic-update fromDocs tests', function() {
 
             const portlandPoint = op.cts.point(45.52, -122.68);
             const searchRadius = 650; // miles
-            // geospatial element index is defined for 'point' in wgs84 
+            // geospatial element index is defined for 'point' in wgs84
             const plan = op.fromDocs(
                     op.cts.collectionQuery('fromDocs'),
                     '/location',
@@ -270,7 +276,7 @@ describe('optic-update fromDocs tests', function() {
                         ['coordinate-system=wgs84']
                     )
                 );
-            
+
             execPlan(plan).then(function (response) {
                 const output = getResults(response);
                 output.length.should.be.equal(3);
@@ -340,4 +346,4 @@ describe('optic-update fromDocs tests', function() {
 
 
     });
-});
+});

test-complete/nodejs-dmsdk-readall-1.js

@@ -1,6 +1,6 @@
 /*
-* Copyright (c) 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
-*/
+ * Copyright (c) 2015-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
+ */
 var fs     = require('fs');
 const path = require('path');
 
@@ -143,6 +143,7 @@ describe('readAll-tests-one', function () {
         function (err, arr) {
             if (err) {
                 done(err);
+                return;
             }
             arr.forEach(item => {
                 setTimeout(() => {
@@ -158,8 +159,8 @@ describe('readAll-tests-one', function () {
             for (var c of resulContents) {
                 expect(verifyCurrentContents(c)).to.be.true;
             }
+            done();
         });
-        done();
     });
 
     it('readAll one document with batch options', function (done) {
@@ -173,15 +174,16 @@ describe('readAll-tests-one', function () {
         function (err, arr) {
             if (err) {
                 done(err);
+                return;
             }
             arr.forEach(item => {
                 setTimeout(() => {
                     var i = 0; i++;
                 }, 3000);
                 expect(item.uri).to.equal('dmsdk.txt');
             });
+            done();
         });
-        done();
     });
 
     //Verify no errors when readAll has no Uris to read