XWIKI-22758: Analyze required rights of the context macro's source parameter

* Add support for the source parameter in the context macro's required
  rights analyzer.
* Add translations for the context macro.
* Extend the tests of the required rights analyzer.

(cherry picked from commit cc74dc80)

xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-context/src/main/java/org/xwiki/rendering/internal/macro/context/ContextMacroRequiredRightsAnalyzer.java

@@ -19,17 +19,21 @@
  */
 package org.xwiki.rendering.internal.macro.context;
 
+import java.util.List;
+
 import javax.inject.Inject;
 import javax.inject.Named;
 import javax.inject.Singleton;
 
 import org.xwiki.component.annotation.Component;
+import org.xwiki.platform.security.requiredrights.MacroRequiredRight;
 import org.xwiki.platform.security.requiredrights.MacroRequiredRightReporter;
 import org.xwiki.platform.security.requiredrights.MacroRequiredRightsAnalyzer;
 import org.xwiki.properties.BeanManager;
 import org.xwiki.properties.PropertyException;
 import org.xwiki.rendering.block.MacroBlock;
 import org.xwiki.rendering.macro.context.ContextMacroParameters;
+import org.xwiki.rendering.macro.source.MacroContentSourceReference;
 
 /**
  * Required rights analyzer for the context macro.
@@ -53,8 +57,35 @@ public void analyze(MacroBlock macroBlock, MacroRequiredRightReporter reporter)
         try {
             this.beanManager.populate(parameters, macroBlock.getParameters());
 
-            // Analyze the content only when it isn't restricted.
-            if (!parameters.isRestricted()) {
+            // If the source parameter is set, the content is ignored, and we should analyze the source parameter
+            // instead.
+            if (parameters.getSource() != null) {
+                String sourceType = parameters.getSource().getType();
+
+                switch (sourceType) {
+                    case MacroContentSourceReference.TYPE_STRING:
+                        if (!parameters.isRestricted()) {
+                            reporter.analyzeContent(macroBlock, parameters.getSource().getReference());
+                        }
+                        break;
+
+                    case MacroContentSourceReference.TYPE_SCRIPT:
+                        if (parameters.isRestricted()) {
+                            reporter.report(macroBlock, List.of(MacroRequiredRight.SCRIPT),
+                                "rendering.macro.context.requiredRights.restrictedScriptSource");
+                        } else {
+                            // We don't know the actual content, but at least script right is needed and the content
+                            // could contain anything, so it might require programming right.
+                            reporter.report(macroBlock,
+                                List.of(MacroRequiredRight.SCRIPT, MacroRequiredRight.MAYBE_PROGRAM),
+                                "rendering.macro.context.requiredRights.arbitraryScriptSource");
+                        }
+                        break;
+
+                    default:
+                        // Do nothing.
+                }
+            } else if (!parameters.isRestricted()) {
                 reporter.analyzeContent(macroBlock, macroBlock.getContent());
             }
         } catch (PropertyException e) {

xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-context/src/main/resources/ApplicationResources.properties

+# ---------------------------------------------------------------------------
+# See the NOTICE file distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation; either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this software; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+# 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+# ---------------------------------------------------------------------------
+
+###############################################################################
+# XWiki Core localization
+#
+# This contains the translations of the module in the default language
+# (generally English).
+# 
+# See https://dev.xwiki.org/xwiki/bin/view/Community/L10N/Conventions/ for more details about about
+# translation key naming.
+#
+# Comments: it's possible to add some detail about a key to make easier to
+#   translate it by adding a comment before it. To make sure a comment is not
+#   assigned to the following key use at least three sharps (###) for the comment
+#   or after it.
+# 
+# Deprecated keys:
+#   * when deleting a key it should be moved to deprecated section at the end
+#     of the file (between #@deprecatedstart and #@deprecatedend) and associated to the
+#     first version in which it started to be deprecated
+#   * when renaming a key, it should be moved to the same deprecated section
+#     and a comment should be added with the following syntax:
+#     #@deprecated new.key.name
+#     old.key.name=Some translation
+###############################################################################
+
+rendering.macro.context.requiredRights.restrictedScriptSource=Referencing a script variable in the source parameter \
+  of the context macro requires script right.
+rendering.macro.context.requiredRights.arbitraryScriptSource=Referencing a script variable in the source parameter \
+  of the context macro requires script right. Additionally, the script variable could contain arbitrary wiki syntax \
+  that could require any right including programming right.

xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-context/src/test/java/org/xwiki/rendering/internal/macro/context/ContextMacroRequiredRightsAnalyzerTest.java

@@ -19,12 +19,18 @@
  */
 package org.xwiki.rendering.internal.macro.context;
 
+import java.util.List;
+
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+import org.xwiki.platform.security.requiredrights.MacroRequiredRight;
 import org.xwiki.platform.security.requiredrights.MacroRequiredRightReporter;
 import org.xwiki.properties.BeanManager;
 import org.xwiki.properties.PropertyException;
 import org.xwiki.rendering.block.MacroBlock;
 import org.xwiki.rendering.macro.context.ContextMacroParameters;
+import org.xwiki.rendering.macro.source.MacroContentSourceReference;
 import org.xwiki.test.junit5.mockito.ComponentTest;
 import org.xwiki.test.junit5.mockito.InjectMockComponents;
 import org.xwiki.test.junit5.mockito.MockComponent;
@@ -35,6 +41,7 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
 import static org.mockito.Mockito.when;
 
 /**
@@ -98,4 +105,56 @@ void analyzeWhenPropertyExceptionOccurs() throws PropertyException
 
         verifyNoInteractions(reporter);
     }
+
+    @ParameterizedTest
+    @ValueSource(booleans = { true, false })
+    void analyzeWithStringSource(boolean restricted) throws PropertyException
+    {
+        MacroBlock macroBlock = mock(MacroBlock.class);
+        MacroRequiredRightReporter reporter = mock(MacroRequiredRightReporter.class);
+        String sourceContent = "reference";
+
+        setupMock(restricted, MacroContentSourceReference.TYPE_STRING, sourceContent);
+
+        this.analyzer.analyze(macroBlock, reporter);
+
+        if (!restricted) {
+            verify(reporter).analyzeContent(macroBlock, sourceContent);
+            verifyNoMoreInteractions(reporter);
+        } else {
+            verifyNoInteractions(reporter);
+        }
+    }
+
+    @ParameterizedTest
+    @ValueSource(booleans = { true, false })
+    void analyzeWithScriptSource(boolean restricted) throws PropertyException
+    {
+        MacroBlock macroBlock = mock(MacroBlock.class);
+        MacroRequiredRightReporter reporter = mock(MacroRequiredRightReporter.class);
+
+        setupMock(restricted, MacroContentSourceReference.TYPE_SCRIPT, "script");
+
+        this.analyzer.analyze(macroBlock, reporter);
+
+        if (restricted) {
+            verify(reporter).report(macroBlock, List.of(MacroRequiredRight.SCRIPT),
+                "rendering.macro.context.requiredRights.restrictedScriptSource");
+            verifyNoMoreInteractions(reporter);
+        } else {
+            verify(reporter).report(macroBlock, List.of(MacroRequiredRight.SCRIPT, MacroRequiredRight.MAYBE_PROGRAM),
+                "rendering.macro.context.requiredRights.arbitraryScriptSource");
+            verifyNoMoreInteractions(reporter);
+        }
+    }
+
+    private void setupMock(boolean restricted, String sourceType, String sourceReference) throws PropertyException
+    {
+        doAnswer(invocation -> {
+            ContextMacroParameters params = invocation.getArgument(0);
+            params.setRestricted(restricted);
+            params.setSource(new MacroContentSourceReference(sourceType, sourceReference));
+            return null;
+        }).when(this.beanManager).populate(any(), any());
+    }
 }