From efce8eb017ff03ddb8f14b2084c95527db6caaba Mon Sep 17 00:00:00 2001 From: Konrad Windszus Date: Fri, 24 Nov 2017 09:33:23 +0100 Subject: [PATCH 01/17] Update dependencies for AEM 6.1 This fixes #240. --- pom.xml | 41 +++++++++++++++++++---------------------- 1 file changed, 19 insertions(+), 22 deletions(-) diff --git a/pom.xml b/pom.xml index 4531e39d..0913cf34 100644 --- a/pom.xml +++ b/pom.xml @@ -86,37 +86,39 @@ org.apache.jackrabbit jackrabbit-jcr-commons - 2.11.2 + 2.10.0 provided org.apache.sling org.apache.sling.settings - 1.2.2 + 1.7.6 provided com.day.jcr.vault com.day.jcr.vault - 2.4.32 + 2.5.10 provided com.day.cq cq-commons - 5.6.4 + 5.8.32 provided + org.osgi - org.osgi.core - 4.2.0 + osgi.core + 6.0.0 provided + org.osgi - org.osgi.compendium - 4.2.0 + osgi.cmpn + 5.0.0 provided @@ -140,22 +142,16 @@ 1.9.10 provided - - biz.aQute - bndlib - 1.43.0 - provided - org.slf4j slf4j-api - 1.5.10 + 1.7.6 provided javax.servlet servlet-api - 2.5 + 3.1 provided @@ -167,19 +163,19 @@ org.apache.sling org.apache.sling.api - 2.2.0 + 2.9.0 provided org.apache.sling org.apache.sling.jcr.api - 2.2.0 + 2.2.2 provided org.apache.sling org.apache.sling.commons.osgi - 2.2.0 + 2.2.2 provided @@ -203,19 +199,19 @@ com.adobe.granite com.adobe.granite.jmx - 0.2.6 + 0.3.0 provided org.apache.jackrabbit jackrabbit-api - 2.9.0 + 2.10.0 provided com.day.cq cq-security - 5.6.2 + 5.8.18 provided @@ -224,6 +220,7 @@ 1.13 bundle + junit junit From 13a9bf2715260776619da86bfbf1b76df2940f14 Mon Sep 17 00:00:00 2001 From: "georg.henzler" Date: Thu, 25 Jan 2018 20:10:48 +0100 Subject: [PATCH 02/17] updating poms for 2.0.6-SNAPSHOT development --- accesscontroltool-bundle/pom.xml | 2 +- accesscontroltool-exampleconfig-package/pom.xml | 2 +- accesscontroltool-oakindex-package/pom.xml | 2 +- accesscontroltool-package/pom.xml | 2 +- pom.xml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) 
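Review bot: `javax.servlet:servlet-api` is raised from 2.5 to 3.1 in the second hunk, but on Maven Central that artifact ends at 2.5 and the Servlet 3.x API is published under `javax.servlet:javax.servlet-api` (3.1.0), so unless an Adobe repository serves this coordinate the build will not resolve it. In the first hunk `osgi.core` moves to 6.0.0 while `osgi.cmpn` moves to 5.0.0, which pairs an R6 core with an R5 compendium; if the AEM 6.1 runtime is R6 the matching compendium would be `osgi.cmpn` 6.0.0, otherwise both should probably sit at 5.0.0. Every changed dependency is `provided`, so these numbers only govern what the bundle compiles against, not what runs; a short comment naming the API level they were taken from, e.g. `<!-- versions aligned with the AEM 6.1 bundle set, see #240 -->`, would make future updates verifiable. The removal of `biz.aQute:bndlib` in the same file is fine only if no source imports `aQute.*`; the commit message does not say.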
diff --git a/accesscontroltool-bundle/pom.xml b/accesscontroltool-bundle/pom.xml index 7153fa0e..9eb28a77 100644 --- a/accesscontroltool-bundle/pom.xml +++ b/accesscontroltool-bundle/pom.xml @@ -11,7 +11,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.5-SNAPSHOT + 2.0.6-SNAPSHOT diff --git a/accesscontroltool-exampleconfig-package/pom.xml b/accesscontroltool-exampleconfig-package/pom.xml index 92863fa7..0524ad5f 100644 --- a/accesscontroltool-exampleconfig-package/pom.xml +++ b/accesscontroltool-exampleconfig-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.5-SNAPSHOT + 2.0.6-SNAPSHOT diff --git a/accesscontroltool-oakindex-package/pom.xml b/accesscontroltool-oakindex-package/pom.xml index cc69f8c4..9e046a78 100644 --- a/accesscontroltool-oakindex-package/pom.xml +++ b/accesscontroltool-oakindex-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.5-SNAPSHOT + 2.0.6-SNAPSHOT diff --git a/accesscontroltool-package/pom.xml b/accesscontroltool-package/pom.xml index f33f500e..584d1fca 100644 --- a/accesscontroltool-package/pom.xml +++ b/accesscontroltool-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.5-SNAPSHOT + 2.0.6-SNAPSHOT diff --git a/pom.xml b/pom.xml index 726ce68a..c5f19301 100644 --- a/pom.xml +++ b/pom.xml @@ -11,7 +11,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.5-SNAPSHOT + 2.0.6-SNAPSHOT pom Access Control Tool - Reactor Project From 3efe9b8d2659620fd3ff48a9af11cb3950a954f2 Mon Sep 17 00:00:00 2001 
From: "georg.henzler" Date: Thu, 25 Jan 2018 20:17:06 +0100 Subject: [PATCH 03/17] updating develop poms to master versions to avoid merge conflicts --- accesscontroltool-bundle/pom.xml | 2 +- accesscontroltool-exampleconfig-package/pom.xml | 2 +- accesscontroltool-oakindex-package/pom.xml | 2 +- accesscontroltool-package/pom.xml | 2 +- pom.xml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/accesscontroltool-bundle/pom.xml b/accesscontroltool-bundle/pom.xml index 9eb28a77..9bbe4959 100644 --- a/accesscontroltool-bundle/pom.xml +++ b/accesscontroltool-bundle/pom.xml @@ -11,7 +11,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-SNAPSHOT + 2.0.5 diff --git a/accesscontroltool-exampleconfig-package/pom.xml b/accesscontroltool-exampleconfig-package/pom.xml index 0524ad5f..b8ffe5ad 100644 --- a/accesscontroltool-exampleconfig-package/pom.xml +++ b/accesscontroltool-exampleconfig-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-SNAPSHOT + 2.0.5 diff --git a/accesscontroltool-oakindex-package/pom.xml b/accesscontroltool-oakindex-package/pom.xml index 9e046a78..e29723ac 100644 --- a/accesscontroltool-oakindex-package/pom.xml +++ b/accesscontroltool-oakindex-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-SNAPSHOT + 2.0.5 diff --git a/accesscontroltool-package/pom.xml b/accesscontroltool-package/pom.xml index 584d1fca..d7097633 100644 --- a/accesscontroltool-package/pom.xml +++ b/accesscontroltool-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-SNAPSHOT + 2.0.5 diff --git a/pom.xml b/pom.xml index c5f19301..b363ba3f 100644 --- a/pom.xml +++ b/pom.xml @@ -11,7 +11,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-SNAPSHOT + 2.0.5 pom Access Control Tool - Reactor Project From 40e5e88be376b1ea5faf7c75e0348800737d4b51 Mon Sep 17 00:00:00 2001 
From: "georg.henzler" Date: Thu, 25 Jan 2018 20:17:07 +0100 Subject: [PATCH 04/17] Updating develop poms back to pre merge state --- accesscontroltool-bundle/pom.xml | 2 +- accesscontroltool-exampleconfig-package/pom.xml | 2 +- accesscontroltool-oakindex-package/pom.xml | 2 +- accesscontroltool-package/pom.xml | 2 +- pom.xml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/accesscontroltool-bundle/pom.xml b/accesscontroltool-bundle/pom.xml index 9bbe4959..9eb28a77 100644 --- a/accesscontroltool-bundle/pom.xml +++ b/accesscontroltool-bundle/pom.xml @@ -11,7 +11,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.5 + 2.0.6-SNAPSHOT diff --git a/accesscontroltool-exampleconfig-package/pom.xml b/accesscontroltool-exampleconfig-package/pom.xml index b8ffe5ad..0524ad5f 100644 --- a/accesscontroltool-exampleconfig-package/pom.xml +++ b/accesscontroltool-exampleconfig-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.5 + 2.0.6-SNAPSHOT diff --git a/accesscontroltool-oakindex-package/pom.xml b/accesscontroltool-oakindex-package/pom.xml index e29723ac..9e046a78 100644 --- a/accesscontroltool-oakindex-package/pom.xml +++ b/accesscontroltool-oakindex-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.5 + 2.0.6-SNAPSHOT diff --git a/accesscontroltool-package/pom.xml b/accesscontroltool-package/pom.xml index d7097633..584d1fca 100644 --- a/accesscontroltool-package/pom.xml +++ b/accesscontroltool-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.5 + 2.0.6-SNAPSHOT diff --git a/pom.xml b/pom.xml index b363ba3f..c5f19301 100644 --- a/pom.xml +++ b/pom.xml @@ -11,7 +11,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.5 + 2.0.6-SNAPSHOT pom Access Control Tool - Reactor Project From 1288a64e23f5f7abd669e926a506dc1dc40b59f4 Mon Sep 17 00:00:00 2001 
From: Konrad Windszus Date: Mon, 19 Feb 2018 16:56:43 +0100 Subject: [PATCH 05/17] Prevent NPE while logging errors The ProgressTrackerListener doesn't support a null exception in its onError message. Therefore remove all error messages not receiving a throwable (or a null throwable). This closes #260 --- .../tools/actool/history/InstallationLogger.java | 4 ---- .../history/PersistableInstallationLogger.java | 14 ++------------ .../ProgressTrackerListenerInstallationLogger.java | 6 ------ .../actool/impl/AcInstallationServiceImpl.java | 3 +-- 4 files changed, 3 insertions(+), 24 deletions(-) diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/InstallationLogger.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/InstallationLogger.java index c5a647a2..85338465 100644 --- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/InstallationLogger.java +++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/InstallationLogger.java @@ -11,10 +11,6 @@ public interface InstallationLogger extends InstallationLog { void addVerboseMessage(Logger log, String message); - void addError(final String error); - - void addError(Logger log, String error); - void addError(String error, Throwable e); void addError(Logger log, String error, Throwable e); diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/PersistableInstallationLogger.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/PersistableInstallationLogger.java index 4f84a77c..b454bedc 100644 --- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/PersistableInstallationLogger.java +++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/PersistableInstallationLogger.java 
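Review bot: Removing `addError(String)` and `addError(Logger, String)` from the public `InstallationLogger` interface is a source- and binary-incompatible change for any implementation or caller outside this bundle, and the surrounding patches place it in the 2.0.6 line. If external implementors are possible, the safer shape is to keep the two methods as `@Deprecated` and have them delegate to the Throwable variants with a non-null cause, or at least to state the removal in the release notes. The interface also gains no statement of the new rule that the Throwable must be non-null, which is the whole motivation of the commit; a javadoc on the remaining methods such as `/** @param e the cause of the error, must not be {@code null} (ProgressTrackerListener#onError rejects a null exception) */` would carry it. `InstallationLogger` continues outside the hunk.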
@@ -138,20 +138,10 @@ public void addError(Logger log, String error, Throwable e) { addError(error, e); } - @Override - public void addError(Logger log, String error) { - log.error(error); - addError(error); - } - public void addError(final String error, Throwable e) { - addError(error + " / e=" + e); - } - - @Override - public void addError(final String error) { + String fullErrorValue = error + " / e=" + e; errors.add(new HistoryEntry(msgIndex, new Timestamp( - new Date().getTime()), MSG_IDENTIFIER_ERROR + error)); + new Date().getTime()), MSG_IDENTIFIER_ERROR + fullErrorValue)); success = false; msgIndex++; } diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/ProgressTrackerListenerInstallationLogger.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/ProgressTrackerListenerInstallationLogger.java index 1467ac40..f637419f 100644 --- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/ProgressTrackerListenerInstallationLogger.java +++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/ProgressTrackerListenerInstallationLogger.java @@ -24,12 +24,6 @@ protected void addMessage(String message) { super.addMessage(message); } - @Override - public void addError(String error) { - listener.onError(ProgressTrackerListener.Mode.TEXT, MSG_IDENTIFIER_ERROR + error, null); - super.addError(error); - } - @Override public void addError(String error, Throwable t) { Exception e; diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/impl/AcInstallationServiceImpl.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/impl/AcInstallationServiceImpl.java index 3254cdb2..da5f352c 100644 --- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/impl/AcInstallationServiceImpl.java +++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/impl/AcInstallationServiceImpl.java 
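Review bot: `addError(String, Throwable)` in `PersistableInstallationLogger` still accepts a null `e` and then persists the literal `" / e=null"`, so a null slips through here unnoticed and only the ProgressTrackerListener path (per the commit message) would object; either reject it, `if (e == null) throw new IllegalArgumentException("Throwable must not be null");` (or `Objects.requireNonNull` if the bundle targets Java 7+), or document the contract with `/** Records an error entry; {@code e} must not be {@code null}. */`. The method implements an interface method without `@Override`, unlike the removed overloads; adding it keeps the compiler checking the signature against `InstallationLogger`. Only `e.toString()` reaches the history entry, so the cause chain and stack trace are not persisted; if that is deliberate a one-line comment saying so would help the next reader.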
@@ -214,8 +214,7 @@ public void installConfigurationFiles(PersistableInstallationLogger installLog, LOG.info("Successfully applied AC Tool configuration in " + msHumanReadable(executionTime)); installLog.setExecutionTime(executionTime); } catch (Exception e) { - // TODO: separate exception - installLog.addError(e.toString()); // ensure exception is added to installLog before it's persisted in log in finally clause + installLog.addError("Could not process yaml files", e); // ensure exception is added to installLog before it's persisted in log in finally clause throw e; // handling is different depending on JMX or install hook case } finally { try { From 30a3f9c01321c6ab966ad143654ac1c22e9dcefd Mon Sep 17 00:00:00 2001 From: Konrad Windszus Date: Mon, 19 Feb 2018 17:17:04 +0100 Subject: [PATCH 06/17] fix small typo in warning message --- .../cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java index d06385e2..db5bd5f5 100644 --- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java +++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java 
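Review bot: The new message `"Could not process yaml files"` names only YAML parsing, but the enclosing `try` (which starts outside the hunk) also covers applying the configuration, as the success log `"Successfully applied AC Tool configuration in ..."` in the same hunk shows, so a failure during ACL or authorizable installation would be recorded as a YAML problem. A broader wording such as `installLog.addError("Could not apply AC Tool configuration", e);` keeps the history entry accurate for every exception the block can catch. `installConfigurationFiles` continues past the hunk on both sides.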
@@ -100,7 +100,7 @@ public void installPathBasedACEs( if (history.getMissingParentPathsForInitialContent() > 0) { history.addWarning(LOG, "There were " + history.getMissingParentPathsForInitialContent() - + " parent paths missing for creation of intial content (those paths were skipped, see verbose log for details)"); + + " parent paths missing for creation of initial content (those paths were skipped, see verbose log for details)"); } history.addMessage(LOG, "ACL Update Statistics: Changed=" + history.getCountAclsChanged() + " Unchanged=" + history.getCountAclsUnchanged() From 7e351002a832673c203741e5274db019fbf439f2 Mon Sep 17 00:00:00 2001 From: Konrad Windszus Date: Wed, 21 Feb 2018 16:14:43 +0100 Subject: [PATCH 07/17] Clarify path property made clearer how this influence the final full group path and also explain how relative paths work --- docs/Configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Configuration.md b/docs/Configuration.md index 5d97c0da..1275ad8f 100644 --- a/docs/Configuration.md +++ b/docs/Configuration.md 
@@ -41,7 +41,7 @@ property | comment | required name | Name of the group as shown in UI | optional, if empty group id is taken description | Description of the group | optional externalId | Required for AC setups since AEM 6.2 SP1 that synchronize groups from LDAP to AEM. The value has to be in format LDAP-DN;IDP-NAME where LDAP-DN is the full distinguished name and IDP-NAME is configured in OSGI config PID org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider property "provider-name". Example: `externalId: "cn=group-name,ou=mydepart,ou=Groups,dc=comp,dc=com;IDPNAME"`. Since v1.9.3 | optional -path | Path of the group either relative or absolute | optional +path | Path of the intermediate node either relative or absolute. If relative, /home/groups is automatically prefixed. By default some implementation specific path is choosen. Usually the full group path the concatenated (intermediate) path and the authorizable id | optional isMemberOf | comma separated list of groups this groups is a member of | optional members | comma separated list of groups that are member of this group (allows to specify the relationshipo from the other side, however prefer `isMemberOf` over members if possible) | optional migrateFrom | a group name assigned member users are taken over from | optional From f35487973bbec28980ce41abd41bd0107388478f Mon Sep 17 00:00:00 2001 From: Konrad Windszus Date: Wed, 21 Feb 2018 17:22:16 +0100 Subject: [PATCH 08/17] Update AdvancedFeatures.md --- docs/AdvancedFeatures.md | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/docs/AdvancedFeatures.md b/docs/AdvancedFeatures.md index 34527026..299c1ad8 100644 --- a/docs/AdvancedFeatures.md +++ b/docs/AdvancedFeatures.md 
@@ -179,9 +179,11 @@ Variables can also be declared to be an array and used in a loop: NOTE: The scope of a variable is always limited to the lines in the very same yaml file following the definition till it is either redefined or the end of the yaml file is reached (this limitation will supposably be lifted with [#257][i257]). -## Configure permissions for anonymous +## Configure permissions for built-in users or groups (like anonymous) -To configure permissions for out-of-the-box anonymous user, it's best to create a custom group and add user `anonymous` to the `members` attribute of that group. The ACEs added to the custom group will then be effective for anonyomous user. +To configure permissions for already existing users, it's best to create a custom group and add this user to the `members` attribute of that group. The ACEs added to the custom group will then be effective for that user as well. + +Another alternative is to list the built-in user in the YAML file (with the correct path and system user flag) and leverage `unmanagedAcePathsRegex` as outlined below. ## Configure memberships of/towards externally managed groups 
@@ -203,16 +205,27 @@ That way relationships that are created programmatically or manually can be left ## Limiting where the AC Tool creates and removes ACEs -The property `unmanagedAcePathsRegx` for authorizable configurations (users or groups) can be used to ensure certain paths are not managed by the AC Tool: +The property `unmanagedAcePathsRegex` for authorizable configurations (users or groups) can be used to ensure certain paths are not managed by the AC Tool. This property must contain a regular expression which is matched against all ACE paths bound to the authorizable found in the system. All ACEs with matching paths are not touched: +### Examples ``` - testgroup: - name: "Test Group" unmanagedAcePathsRegex: /content/dam/.* ``` +That way for `testgroup`, ACEs in `/content/dam/` will be left untouched for this particular group. -That way for `testgroup`, ACE in `/content/dam/` will be left as they are for this particular group. +You can use negative lookaheads to whitelist management of certain paths: +``` +- user_config: + - version-manager-service: + # the user does exist already, make sure the path is set correctly + - path: /home/users/system/wcm + isSystemUser: true + # everything outside /conf should not be managed by the ac tool + unmanagedAcePathsRegex: /(?!conf).* +``` ## Automatically purge obsolete groups and users The root element `obsolete_authorizables` can be used to automatically purge authorizables that are not in use anymore: From e968ee2c5057253afcbed0855710238ff3360674 Mon Sep 17 00:00:00 2001 From: Konrad Windszus Date: Mon, 26 Feb 2018 13:17:12 +0100 Subject: [PATCH 09/17] Update Configuration.md --- docs/Configuration.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/Configuration.md b/docs/Configuration.md index 1275ad8f..1cac007c 100644 --- a/docs/Configuration.md +++ b/docs/Configuration.md 
@@ -43,6 +43,7 @@ description | Description of the group | optional externalId | Required for AC setups since AEM 6.2 SP1 that synchronize groups from LDAP to AEM. The value has to be in format LDAP-DN;IDP-NAME where LDAP-DN is the full distinguished name and IDP-NAME is configured in OSGI config PID org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider property "provider-name". Example: `externalId: "cn=group-name,ou=mydepart,ou=Groups,dc=comp,dc=com;IDPNAME"`. Since v1.9.3 | optional path | Path of the intermediate node either relative or absolute. If relative, /home/groups is automatically prefixed. By default some implementation specific path is choosen. Usually the full group path the concatenated (intermediate) path and the authorizable id | optional isMemberOf | comma separated list of groups this groups is a member of | optional +memberOf | same meaning as `isMemberOf`. This property is *deprecated*, please use `isMemberOf` instead. Only supported for backwards-compatibility reasons | optional members | comma separated list of groups that are member of this group (allows to specify the relationshipo from the other side, however prefer `isMemberOf` over members if possible) | optional migrateFrom | a group name assigned member users are taken over from | optional unmanaged* Properties | Only use sparsely and with care, see [Advanced Features](AdvancedFeatures.md) | optional From 3ebffb65fe9aa22c6d166762c80e73609ce15ec5 Mon Sep 17 00:00:00 2001 From: Konrad Windszus Date: Mon, 26 Feb 2018 13:55:43 +0100 Subject: [PATCH 10/17] clarify name property for both user and group --- docs/Configuration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/Configuration.md b/docs/Configuration.md index 1cac007c..2aaaf8f7 100644 --- a/docs/Configuration.md +++ b/docs/Configuration.md 
@@ -38,7 +38,7 @@ Groups are specified in the **group_config**. A group record in the configuratio property | comment | required --- | --- | --- -name | Name of the group as shown in UI | optional, if empty group id is taken +name | Name of the group as shown in UI. Sets the property `profile/givenName` of that group. | optional description | Description of the group | optional externalId | Required for AC setups since AEM 6.2 SP1 that synchronize groups from LDAP to AEM. The value has to be in format LDAP-DN;IDP-NAME where LDAP-DN is the full distinguished name and IDP-NAME is configured in OSGI config PID org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider property "provider-name". Example: `externalId: "cn=group-name,ou=mydepart,ou=Groups,dc=comp,dc=com;IDPNAME"`. Since v1.9.3 | optional path | Path of the intermediate node either relative or absolute. If relative, /home/groups is automatically prefixed. By default some implementation specific path is choosen. Usually the full group path the concatenated (intermediate) path and the authorizable id | optional 
@@ -76,7 +76,7 @@ Users can be configured in the same way as groups in the **user_config** section property | comment | required --- | --- | --- -name | Works mostly like for groups, except that the string is split up in first and last name using the last space found in string. For instance "Johann Sebastian Bach" will result in first name "Johann Sebastian" and last name "Bach". For names where the split has to be explicitly configured, use a comma: "Van der Broek, Sebastian" will result in first name "Sebastian" and last name "Van der Broek" | optional +name | Works mostly like for groups, except that the string is split up in first and last name using the last space found in string. For instance "Johann Sebastian Bach" will result in first name "Johann Sebastian" and last name "Bach". For names where the split has to be explicitly configured, use a comma: "Van der Broek, Sebastian" will result in first name "Sebastian" and last name "Van der Broek". Sets the properties `profile/familyName` and `profile/givenName` of the user. | optional description, path, isMemberOf | Work exactly as for groups | optional password | The PW for the user. Can be stored in plain text (only to be used for test users). If a password value is enclosed in brackets, then it will be automatically decrypted using com.adobe.granite.crypto.CryptoSupport. `/system/console/crypto` on target instance can be used to get encrypted password. Encrypted password (together with braces) should also be enclosed in double quotes. | Required for non-system users, otherwise must not be set isSystemUser | Create users as system user (AEM 6.1 and later) | optional From 6dfde7fe195e5ba54ed533554490a59cc047e873 Mon Sep 17 00:00:00 2001 From: "georg.henzler" Date: Wed, 7 Mar 2018 08:13:54 +0100 Subject: [PATCH 11/17] #260 Added length method to available functions in yaml --- .../cq/tools/actool/configreader/YamlMacroElEvaluator.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configreader/YamlMacroElEvaluator.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configreader/YamlMacroElEvaluator.java index a588b45a..e8f8d74b 100644 --- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configreader/YamlMacroElEvaluator.java +++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configreader/YamlMacroElEvaluator.java @@ -109,7 +109,8 @@ public ElFunctionMapper() { StringUtils.class.getMethod("contains", new Class[] { String.class, String.class }), StringUtils.class.getMethod("endsWith", new Class[] { String.class, String.class }), StringUtils.class.getMethod("startsWith", new Class[] { String.class, String.class }), - StringUtils.class.getMethod("replace", new Class[] { String.class, String.class, String.class }) + StringUtils.class.getMethod("replace", new Class[] { String.class, String.class, String.class }), + StringUtils.class.getMethod("length", new Class[] { String.class }) }; for (Method method : exportedMethods) { functionMap.put(method.getName(), method); From f32a96125a23ac49d5224ae083a9969c6dd5228f Mon Sep 17 00:00:00 2001 
From: "georg.henzler" Date: Wed, 7 Mar 2018 10:07:59 +0100 Subject: [PATCH 12/17] #269 Adding config properties unmanagedExternalIsMemberOfRegex and unmanagedExternalMembersRegex to authorizable config and defaultUnmanagedAcePathsRegex to globa config --- .../aceinstaller/BaseAceBeanInstaller.java | 3 +- .../AuthorizableInstallerServiceImpl.java | 22 +++-- .../configmodel/AuthorizableConfigBean.java | 27 +++++- .../configmodel/AuthorizablesConfig.java | 4 +- .../configmodel/GlobalConfiguration.java | 23 ++++- .../actool/configreader/YamlConfigReader.java | 6 ++ .../impl/AcInstallationServiceImpl.java | 4 +- .../AuthorizableInstallerServiceImplTest.java | 6 +- .../configmodel/AuthorizablesConfigTest.java | 89 ++++++++++++------- docs/AdvancedFeatures.md | 10 ++- 10 files changed, 144 insertions(+), 50 deletions(-) diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java index db5bd5f5..3a26637b 100644 --- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java +++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java @@ -89,7 +89,8 @@ public void installPathBasedACEs( orderedAceBeanSetFromConfig.addAll(aceBeanSetFromConfig); Set principalsToRemoveAcesForAtThisPath = acConfiguration.getAuthorizablesConfig() - .removeUnmanagedPrincipalNamesAtPath(path, principalsToRemoveAcesFor); + .removeUnmanagedPrincipalNamesAtPath(path, principalsToRemoveAcesFor, + acConfiguration.getGlobalConfiguration().getDefaultUnmanagedAcePathsRegex()); installAcl(orderedAceBeanSetFromConfig, path, principalsToRemoveAcesForAtThisPath, session, history); if (intermediateSaves && session.hasPendingChanges()) { 
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java index 32af8267..ba39f5ba 100644 --- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java +++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java @@ -224,8 +224,11 @@ private Set removeRegularUsers(Set allMembersFromRepo, UserManag private Set removeExternalMembersUnmanagedByConfiguration(AcConfiguration acConfiguration, AuthorizableConfigBean authorizableConfigBean, Set relevantMembersInRepo, InstallationLogger installLog) { Set relevantMembers = new HashSet(relevantMembersInRepo); - Pattern unmanagedExternalMembersRegex = acConfiguration.getGlobalConfiguration() - .getDefaultUnmanagedExternalMembersRegex(); + + Pattern unmanagedExternalMembersRegex = authorizableConfigBean.getUnmanagedExternalMembersRegex(); + if (unmanagedExternalMembersRegex == null) { + unmanagedExternalMembersRegex = acConfiguration.getGlobalConfiguration().getDefaultUnmanagedExternalMembersRegex(); + } Set unmanagedMembers = new HashSet(); if (unmanagedExternalMembersRegex != null) { 
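Review bot: The per-authorizable `unmanagedExternalMembersRegex` replaces the global `defaultUnmanagedExternalMembersRegex` entirely rather than extending it, so an authorizable that sets its own narrower regex silently loses whatever the global default protected; the same replace-not-merge rule is repeated for `unmanagedExternalIsMemberOfRegex` in the `@@ -508` hunk and for `unmanagedAcePathsRegex` in `AuthorizableConfigBean.managesPath`. If that precedence is intended it should be stated at each site, e.g. `// a per-authorizable regex overrides (does not extend) the global default`, and in the docs/AdvancedFeatures.md section that describes the new properties; if operators would expect both regexes to apply, the two patterns need to be combined instead. `removeExternalMembersUnmanagedByConfiguration` continues outside the hunk.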
@@ -413,13 +416,13 @@ private void applyGroupMembershipConfigIsMemberOf(InstallationLogger installLog, AuthorizableConfigBean authorizableConfigBean, UserManager userManager, Session session, Set authorizablesFromConfigurations) throws RepositoryException, AuthorizableCreatorException { String[] memberOf = authorizableConfigBean.getMemberOf(); - String authorizableId = authorizableConfigBean.getAuthorizableId(); - Authorizable currentGroupFromRepository = userManager.getAuthorizable(authorizableId); + Authorizable currentGroupFromRepository = userManager.getAuthorizable(authorizableConfigBean.getAuthorizableId()); Set membershipGroupsFromConfig = getMembershipGroupsFromConfig(memberOf); Set membershipGroupsFromRepository = getMembershipGroupsFromRepository(currentGroupFromRepository); - applyGroupMembershipConfigIsMemberOf(authorizableId, acConfiguration, installLog, userManager, session, membershipGroupsFromConfig, + applyGroupMembershipConfigIsMemberOf(authorizableConfigBean, acConfiguration, installLog, userManager, session, + membershipGroupsFromConfig, membershipGroupsFromRepository, authorizablesFromConfigurations); } @@ -479,7 +482,7 @@ private Set getMembershipGroupsFromConfig(String[] memberOf) { } @SuppressWarnings("unchecked") - void applyGroupMembershipConfigIsMemberOf(String authorizableId, + void applyGroupMembershipConfigIsMemberOf(AuthorizableConfigBean authorizableConfigBean, AcConfiguration acConfiguration, InstallationLogger installLog, UserManager userManager, Session session, Set membershipGroupsFromConfig, 
@@ -491,6 +494,7 @@ void applyGroupMembershipConfigIsMemberOf(String authorizableId, membershipGroupsFromConfig.remove(PRINCIPAL_EVERYONE); membershipGroupsFromRepository.remove(PRINCIPAL_EVERYONE); + String authorizableId = authorizableConfigBean.getAuthorizableId(); installLog.addVerboseMessage(LOG, "Authorizable " + authorizableId + " isMemberOf(repo)=" + membershipGroupsFromRepository); installLog.addVerboseMessage(LOG, "Authorizable " + authorizableId + " isMemberOf(conifg)=" + membershipGroupsFromConfig); @@ -508,8 +512,10 @@ void applyGroupMembershipConfigIsMemberOf(String authorizableId, validatedMembershipGroupsFromConfig); Set unmanagedMembers = new HashSet(); - Pattern unmanagedExternalIsMemberOfRegex = acConfiguration.getGlobalConfiguration() - .getDefaultUnmanagedExternalIsMemberOfRegex(); + Pattern unmanagedExternalIsMemberOfRegex = authorizableConfigBean.getUnmanagedExternalIsMemberOfRegex(); + if (unmanagedExternalIsMemberOfRegex == null) { + unmanagedExternalIsMemberOfRegex = acConfiguration.getGlobalConfiguration().getDefaultUnmanagedExternalIsMemberOfRegex(); + } Iterator toBeRemovedMembersIt = toBeRemovedMembers.iterator(); while (toBeRemovedMembersIt.hasNext()) { diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizableConfigBean.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizableConfigBean.java index ed9bf75b..8cec397c 100644 --- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizableConfigBean.java +++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizableConfigBean.java @@ -11,6 +11,7 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.List; +import java.util.regex.Pattern; import org.apache.commons.lang.StringUtils; 
@@ -42,12 +43,15 @@ public class AuthorizableConfigBean implements AcDumpElement { private String migrateFrom; private String unmanagedAcePathsRegex; + private Pattern unmanagedExternalIsMemberOfRegex; + private Pattern unmanagedExternalMembersRegex; private boolean isGroup = true; private boolean isSystemUser = false; private String disabled; + public String getAuthorizableId() { return authorizableId; } @@ -248,6 +252,22 @@ public void setUnmanagedAcePathsRegex(String unmanagedAcePathsRegex) { this.unmanagedAcePathsRegex = unmanagedAcePathsRegex; } + public Pattern getUnmanagedExternalIsMemberOfRegex() { + return unmanagedExternalIsMemberOfRegex; + } + + public void setUnmanagedExternalIsMemberOfRegex(String unmanagedExternalIsMemberOfRegex) { + this.unmanagedExternalIsMemberOfRegex = GlobalConfiguration.stringToRegex(unmanagedExternalIsMemberOfRegex); + } + + public Pattern getUnmanagedExternalMembersRegex() { + return unmanagedExternalMembersRegex; + } + + public void setUnmanagedExternalMembersRegex(String unmanagedExternalMembersRegex) { + this.unmanagedExternalMembersRegex = GlobalConfiguration.stringToRegex(unmanagedExternalMembersRegex); + } + @Override public String toString() { final StringBuilder sb = new StringBuilder(); @@ -259,10 +279,11 @@ public String toString() { return sb.toString(); } - public boolean managesPath(String path) { - if (StringUtils.isNotBlank(unmanagedAcePathsRegex) + public boolean managesPath(String path, String defaultUnmanagedAcePathsRegex) { + String effectiveUnmanagedAcePathsRegex = StringUtils.defaultIfEmpty(unmanagedAcePathsRegex, defaultUnmanagedAcePathsRegex); + if (StringUtils.isNotBlank(effectiveUnmanagedAcePathsRegex) && StringUtils.isNotBlank(path) /* not supporting repository permissions here */) { - boolean pathIsManaged = !path.matches(unmanagedAcePathsRegex); + boolean pathIsManaged = !path.matches(effectiveUnmanagedAcePathsRegex); return pathIsManaged; } else { return true; // default 
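Review bot: In `managesPath`, `StringUtils.defaultIfEmpty` discards the global `defaultUnmanagedAcePathsRegex` as soon as the authorizable carries its own `unmanagedAcePathsRegex`, so a subtree the global config was meant to protect becomes removable for every authorizable with a local exclusion, while the docs changed in this commit describe the global setting as excluding areas "totally" and mention tenant-maintained YAML files that could set exactly such a local regex. The test added in this commit pins the override, so if it is intentional the doc wording should state that a local regex replaces the default; if not, a path should count as unmanaged when it matches either regex, as below. Note also that `defaultIfEmpty` treats a whitespace-only local value as present while the following `isNotBlank` rejects it, yielding "managed" with no regex applied at all. Since `String.matches` recompiles the pattern on every call and a bad pattern only fails here at install time, the now package-visible `GlobalConfiguration.stringToRegex` could be used to precompile both values once.

```java
public boolean managesPath(String path, String defaultUnmanagedAcePathsRegex) {
    if (StringUtils.isBlank(path)) {
        return true; // not supporting repository permissions here
    }
    // a path is unmanaged if it matches the global default OR the authorizable's own regex;
    // the local regex narrows management further, it never re-enables a globally excluded area
    if (StringUtils.isNotBlank(defaultUnmanagedAcePathsRegex) && path.matches(defaultUnmanagedAcePathsRegex)) {
        return false;
    }
    if (StringUtils.isNotBlank(unmanagedAcePathsRegex) && path.matches(unmanagedAcePathsRegex)) {
        return false;
    }
    return true; // default
}
```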
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizablesConfig.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizablesConfig.java index f4cd200e..0fb5cca0 100644 --- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizablesConfig.java +++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizablesConfig.java @@ -63,12 +63,12 @@ public String getPrincipalNameForAuthorizableId(String authorizableId) { return principalName; } - public Set removeUnmanagedPrincipalNamesAtPath(String path, Set principals) { + public Set removeUnmanagedPrincipalNamesAtPath(String path, Set principals, String defaultUnmanagedAcePathsRegex) { Set filteredPrincipals = new HashSet(); for (String principal : principals) { AuthorizableConfigBean authorizableConfig = getAuthorizableConfigByPrincipalName(principal); - if (authorizableConfig.managesPath(path)) { + if (authorizableConfig.managesPath(path, defaultUnmanagedAcePathsRegex)) { filteredPrincipals.add(principal); } } diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/GlobalConfiguration.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/GlobalConfiguration.java index 13ef062a..7eed2e7a 100644 --- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/GlobalConfiguration.java +++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/GlobalConfiguration.java 
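Review bot: `removeUnmanagedPrincipalNamesAtPath` calls `authorizableConfig.managesPath(...)` on the result of `getAuthorizableConfigByPrincipalName(principal)` with no null check; if that lookup can return null for a principal missing from the configuration (not visible here), the loop fails with a NullPointerException rather than a message naming the principal. The new `defaultUnmanagedAcePathsRegex` parameter is only forwarded, so a short javadoc line would help callers, e.g. `/** @param defaultUnmanagedAcePathsRegex global fallback applied when a bean sets no unmanagedAcePathsRegex */`.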
@@ -25,6 +25,7 @@ public class GlobalConfiguration { public static final String KEY_DEFAULT_UNMANAGED_EXTERNAL_ISMEMBEROF_REGEX = "defaultUnmanagedExternalIsMemberOfRegex"; public static final String KEY_DEFAULT_UNMANAGED_EXTERNAL_MEMBERS_REGEX = "defaultUnmanagedExternalMembersRegex"; + public static final String KEY_DEFAULT_UNMANAGED_ACE_PATHS_REGEX = "defaultUnmanagedAcePathsRegex"; @Deprecated public static final String KEY_KEEP_EXISTING_MEMBERSHIPS_FOR_GROUP_NAMES_REGEX = "keepExistingMembershipsForGroupNamesRegEx"; @@ -34,6 +35,7 @@ public class GlobalConfiguration { private Pattern defaultUnmanagedExternalIsMemberOfRegex; private Pattern defaultUnmanagedExternalMembersRegex; + private String defaultUnmanagedAcePathsRegex; public GlobalConfiguration() { } @@ -47,7 +49,9 @@ public GlobalConfiguration(Map globalConfigMap) { + " (since v2.0.0) - please adjust your configuration."); } - + + setDefaultUnmanagedAcePathsRegex((String) globalConfigMap.get(KEY_DEFAULT_UNMANAGED_ACE_PATHS_REGEX)); + setDefaultUnmanagedExternalIsMemberOfRegex((String) globalConfigMap.get(KEY_DEFAULT_UNMANAGED_EXTERNAL_ISMEMBEROF_REGEX)); setDefaultUnmanagedExternalMembersRegex((String) globalConfigMap.get(KEY_DEFAULT_UNMANAGED_EXTERNAL_MEMBERS_REGEX)); @@ -75,6 +79,13 @@ public GlobalConfiguration(Map globalConfigMap) { public void merge(GlobalConfiguration otherGlobalConfig) { + if (otherGlobalConfig.getDefaultUnmanagedAcePathsRegex() != null) { + if (defaultUnmanagedAcePathsRegex == null) { + defaultUnmanagedAcePathsRegex = otherGlobalConfig.getDefaultUnmanagedAcePathsRegex(); + } else { + throw new IllegalArgumentException("Duplicate config for " + KEY_DEFAULT_UNMANAGED_ACE_PATHS_REGEX); + } + } if (otherGlobalConfig.getDefaultUnmanagedExternalIsMemberOfRegex() != null) { if (defaultUnmanagedExternalIsMemberOfRegex == null) { defaultUnmanagedExternalIsMemberOfRegex = otherGlobalConfig.getDefaultUnmanagedExternalIsMemberOfRegex(); 
@@ -139,7 +150,15 @@ public void setDefaultUnmanagedExternalMembersRegex(String defaultUnmanagedExter this.defaultUnmanagedExternalMembersRegex = stringToRegex(defaultUnmanagedExternalMembersRegex); } - private Pattern stringToRegex(String regex) { + public String getDefaultUnmanagedAcePathsRegex() { + return defaultUnmanagedAcePathsRegex; + } + + public void setDefaultUnmanagedAcePathsRegex(String defaultUnmanagedAcePathsRegex) { + this.defaultUnmanagedAcePathsRegex = defaultUnmanagedAcePathsRegex; + } + + static Pattern stringToRegex(String regex) { return StringUtils.isNotBlank(regex) ? Pattern.compile(regex) : null; } diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configreader/YamlConfigReader.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configreader/YamlConfigReader.java index 8d8d3655..027d6281 100644 --- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configreader/YamlConfigReader.java +++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configreader/YamlConfigReader.java @@ -70,6 +70,8 @@ public class YamlConfigReader implements ConfigReader { private static final String GROUP_CONFIG_PROPERTY_MIGRATE_FROM = "migrateFrom"; private static final String GROUP_CONFIG_PROPERTY_UNMANAGED_ACE_PATHS_REGEX = "unmanagedAcePathsRegex"; + private static final String GROUP_CONFIG_PROPERTY_UNMANAGED_EXTERNAL_ISMEMBEROF_REGEX = "unmanagedExternalIsMemberOfRegex"; + private static final String GROUP_CONFIG_PROPERTY_UNMANAGED_EXTERNAL_MEMBERS_REGEX = "unmanagedExternalMembersRegex"; private static final String USER_CONFIG_PROPERTY_IS_SYSTEM_USER = "isSystemUser"; 
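Review bot: `setDefaultUnmanagedAcePathsRegex` stores the raw string, whereas the two sibling defaults directly above it go through `stringToRegex` and are compiled when the global configuration is read, so an invalid `defaultUnmanagedAcePathsRegex` is only detected later during ACE cleanup, where `String.matches` throws in `managesPath`. Validating in the setter keeps the failure at config-load time and consistent with the other fields, e.g. `stringToRegex(defaultUnmanagedAcePathsRegex); // fail fast on an invalid pattern` before the assignment; the constructor call added in the earlier GlobalConfiguration hunk feeds this setter and is covered by the same change. Widening `stringToRegex` to package-private for reuse from AuthorizableConfigBean is fine, but a javadoc line noting that it returns null for blank input would document the contract both callers now rely on.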
@@ -364,6 +366,10 @@ protected void setupAuthorizableBean( authorizableConfigBean.setUnmanagedAcePathsRegex(getMapValueAsString(currentPrincipalDataMap, GROUP_CONFIG_PROPERTY_UNMANAGED_ACE_PATHS_REGEX)); + authorizableConfigBean.setUnmanagedExternalIsMemberOfRegex(getMapValueAsString(currentPrincipalDataMap, + GROUP_CONFIG_PROPERTY_UNMANAGED_EXTERNAL_ISMEMBEROF_REGEX)); + authorizableConfigBean.setUnmanagedExternalMembersRegex(getMapValueAsString(currentPrincipalDataMap, + GROUP_CONFIG_PROPERTY_UNMANAGED_EXTERNAL_MEMBERS_REGEX)); authorizableConfigBean.setIsGroup(isGroupSection); authorizableConfigBean.setIsSystemUser(Boolean.valueOf(getMapValueAsString(currentPrincipalDataMap, diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/impl/AcInstallationServiceImpl.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/impl/AcInstallationServiceImpl.java index da5f352c..496c3b09 100644 --- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/impl/AcInstallationServiceImpl.java +++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/impl/AcInstallationServiceImpl.java @@ -254,9 +254,9 @@ private void removeAcesForPathsNotInConfig(InstallationLogger installLog, Sessio acConfiguration.getAceConfig()); for (String relevantPath : relevantPathsForCleanup) { - // TODO: why is acconfiguration retrieved from log? Set principalsToRemoveAcesForAtThisPath = acConfiguration.getAuthorizablesConfig() - .removeUnmanagedPrincipalNamesAtPath(relevantPath, principalsInConfig); + .removeUnmanagedPrincipalNamesAtPath(relevantPath, principalsInConfig, + acConfiguration.getGlobalConfiguration().getDefaultUnmanagedAcePathsRegex()); // delete ACE if principal *is* in config, but the path *is not* in config int countRemoved = AccessControlUtils.deleteAllEntriesForPrincipalsFromACL(session, 
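Review bot: The two new `setUnmanagedExternal...Regex` calls in `setupAuthorizableBean` compile the YAML value immediately through `GlobalConfiguration.stringToRegex`, so a malformed pattern surfaces as a `PatternSyntaxException` from inside the reader; whether that is caught and reported with the offending authorizable is not visible in this hunk, and `setupAuthorizableBean` starts before it. Catching the exception around these two calls and rethrowing with the authorizable id and property name in the message would make a bad pattern actionable for whoever maintains the YAML. In the AcInstallationServiceImpl hunk the global regex is now looked up per path inside the loop; hoisting `String defaultUnmanagedAcePathsRegex = acConfiguration.getGlobalConfiguration().getDefaultUnmanagedAcePathsRegex();` above the `for` avoids the repeated lookup, and that method also starts outside the hunk.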
diff --git a/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImplTest.java b/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImplTest.java index b4d371f4..956ecee3 100644 --- a/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImplTest.java +++ b/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImplTest.java @@ -161,7 +161,11 @@ public Set answer(InvocationOnMock invocation) throws Throwable { }).when(cut).validateAssignedGroups(userManager, acConfiguration.getAuthorizablesConfig(), null, TESTGROUP, configuredGroups, status); Set authorizablesInConfig = new HashSet(asList(GROUP1)); - cut.applyGroupMembershipConfigIsMemberOf(TESTGROUP, acConfiguration, status, userManager, null, configuredGroups, groupsInRepo, + + AuthorizableConfigBean authorizableConfigBean = new AuthorizableConfigBean(); + authorizableConfigBean.setAuthorizableId(TESTGROUP); + cut.applyGroupMembershipConfigIsMemberOf(authorizableConfigBean, acConfiguration, status, userManager, null, configuredGroups, + groupsInRepo, authorizablesInConfig); verifyZeroInteractions(group2); // in configuredGroups and in groupsInRepo diff --git a/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizablesConfigTest.java b/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizablesConfigTest.java index 75c6ad56..d0eb55ed 100644 --- a/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizablesConfigTest.java +++ b/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizablesConfigTest.java 
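Review bot: The updated test builds an `AuthorizableConfigBean` with only `setAuthorizableId(TESTGROUP)`, so `getUnmanagedExternalIsMemberOfRegex()` is null and the installer always takes the global-default fallback; the bean-level override introduced in this commit is therefore untested. Adding a case that calls `authorizableConfigBean.setUnmanagedExternalIsMemberOfRegex(...)` with a pattern that differs from the global one and asserts which repository memberships survive would pin the precedence rule. The enclosing test method starts before the hunk.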
@@ -1,55 +1,84 @@ package biz.netcentric.cq.tools.actool.configmodel; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertTrue; +import static org.junit.Assert.assertEquals; import java.util.Arrays; +import java.util.Collections; import java.util.LinkedHashSet; import java.util.Set; +import org.junit.Before; import org.junit.Test; public class AuthorizablesConfigTest { - @Test - public void testRemoveUnmanagedPrincipalNamesAtPath() { - AuthorizablesConfig authorizablesConfig = new AuthorizablesConfig(); + AuthorizablesConfig authorizablesConfig; + AuthorizableConfigBean beanTestGroupAllManaged; + AuthorizableConfigBean testgroupPartlyManaged; + AuthorizableConfigBean beanEveryone; + + @Before + public void setup() { + authorizablesConfig = new AuthorizablesConfig(); - AuthorizableConfigBean beanTestGroupAllManaged = getBean("testgroupAllManaged", null); + beanTestGroupAllManaged = getBean("testgroupAllManaged", null); authorizablesConfig.add(beanTestGroupAllManaged); - AuthorizableConfigBean testgroupPartlyManaged = getBean("testgroupPartlyManaged", "/content/dam/geometrixx.*"); + testgroupPartlyManaged = getBean("testgroupPartlyManaged", "/content/dam/geometrixx.*"); authorizablesConfig.add(testgroupPartlyManaged); // example for negative look-ahead to only manage certain paths as useful for everyone - AuthorizableConfigBean beanEveryone = getBean("everyone", "^(?!/etc/linkchecker|/etc/test).*" /* - * only manage /etc/linkchecker and - * /etc/test - */ ); + beanEveryone = getBean("everyone", "^(?!/etc/linkchecker|/etc/test).*" /* + * only manage /etc/linkchecker and /etc/test + */ ); authorizablesConfig.add(beanEveryone); + } + + @Test + public void testRemoveUnmanagedPrincipalNamesAtPath() { Set principalSet = principalSet(beanTestGroupAllManaged.getPrincipalName(), testgroupPartlyManaged.getPrincipalName(), beanEveryone.getPrincipalName()); - Set onlyManagedPrincipalNames = 
authorizablesConfig.removeUnmanagedPrincipalNamesAtPath("/etc/linkchecker", principalSet); - assertTrue(onlyManagedPrincipalNames.contains("testgroupAllManaged")); - assertTrue(onlyManagedPrincipalNames.contains("testgroupPartlyManaged")); - assertTrue(onlyManagedPrincipalNames.contains("everyone")); - - onlyManagedPrincipalNames = authorizablesConfig.removeUnmanagedPrincipalNamesAtPath("/etc", principalSet); - assertTrue(onlyManagedPrincipalNames.contains("testgroupAllManaged")); - assertTrue(onlyManagedPrincipalNames.contains("testgroupPartlyManaged")); - assertFalse(onlyManagedPrincipalNames.contains("everyone")); - - onlyManagedPrincipalNames = authorizablesConfig.removeUnmanagedPrincipalNamesAtPath("/content/geometrixx", principalSet); - assertTrue(onlyManagedPrincipalNames.contains("testgroupAllManaged")); - assertTrue(onlyManagedPrincipalNames.contains("testgroupPartlyManaged")); - assertFalse(onlyManagedPrincipalNames.contains("everyone")); - - onlyManagedPrincipalNames = authorizablesConfig.removeUnmanagedPrincipalNamesAtPath("/content/dam/geometrixx", principalSet); - assertTrue(onlyManagedPrincipalNames.contains("testgroupAllManaged")); - assertFalse(onlyManagedPrincipalNames.contains("testgroupPartlyManaged")); - assertFalse(onlyManagedPrincipalNames.contains("everyone")); + Set onlyManagedPrincipalNames = authorizablesConfig.removeUnmanagedPrincipalNamesAtPath("/etc/linkchecker", principalSet, + null); + assertEquals(principalSet("testgroupAllManaged", "testgroupPartlyManaged", "everyone"), onlyManagedPrincipalNames); + + onlyManagedPrincipalNames = authorizablesConfig.removeUnmanagedPrincipalNamesAtPath("/etc", principalSet, null); + assertEquals(principalSet("testgroupAllManaged", "testgroupPartlyManaged"), onlyManagedPrincipalNames); + + onlyManagedPrincipalNames = authorizablesConfig.removeUnmanagedPrincipalNamesAtPath("/content/geometrixx", principalSet, null); + assertEquals(principalSet("testgroupAllManaged", "testgroupPartlyManaged"), 
onlyManagedPrincipalNames); + + onlyManagedPrincipalNames = authorizablesConfig.removeUnmanagedPrincipalNamesAtPath("/content/dam/geometrixx", principalSet, null); + assertEquals(principalSet("testgroupAllManaged"), onlyManagedPrincipalNames); + + } + + @Test + public void testRemoveUnmanagedPrincipalNamesAtPathUsingGlobalConfig() { + + Set principalSet = principalSet(beanTestGroupAllManaged.getPrincipalName(), testgroupPartlyManaged.getPrincipalName(), + beanEveryone.getPrincipalName()); + + Set onlyManagedPrincipalNames = authorizablesConfig.removeUnmanagedPrincipalNamesAtPath("/etc/linkchecker", principalSet, + "/etc/.*"); + + // "testgroupPartlyManaged", "everyone" are still in since they define their own unmanagedAcePathsRegex + assertEquals(principalSet("testgroupPartlyManaged", "everyone"), onlyManagedPrincipalNames); + + // without any individual unmanagedAcePathsRegex set but defaultUnmanagedAcePathsRegex set to a matching regex, there will be never + // anything removed from this path + testgroupPartlyManaged.setUnmanagedAcePathsRegex(null); + beanEveryone.setUnmanagedAcePathsRegex(null); + onlyManagedPrincipalNames = authorizablesConfig.removeUnmanagedPrincipalNamesAtPath("/etc/linkchecker", principalSet, + "/etc/.*"); + assertEquals(Collections.emptySet(), onlyManagedPrincipalNames); + + // without default restriction all principals have to be returned + onlyManagedPrincipalNames = authorizablesConfig.removeUnmanagedPrincipalNamesAtPath("/etc/linkchecker", principalSet, + null); + assertEquals(principalSet("testgroupAllManaged", "testgroupPartlyManaged", "everyone"), onlyManagedPrincipalNames); } diff --git a/docs/AdvancedFeatures.md b/docs/AdvancedFeatures.md index 299c1ad8..5798b47a 100644 --- a/docs/AdvancedFeatures.md +++ b/docs/AdvancedFeatures.md 
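Review bot: `testRemoveUnmanagedPrincipalNamesAtPathUsingGlobalConfig` pins the rule that a bean's own `unmanagedAcePathsRegex` fully replaces the global `"/etc/.*"` exclusion, and that deserves a sentence in the test saying it is by design, because it is the behaviour that lets a single authorizable opt out of a globally protected subtree. A case with a whitespace-only local regex is missing: `managesPath` selects the local value via `defaultIfEmpty` (it is non-empty) and then rejects it via `isNotBlank`, so neither regex applies and the principal is reported as managed at every path. An invalid-regex case is also absent, so the point at which a bad pattern fails is not covered by these tests.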
@@ -198,6 +198,8 @@ The AC Tool manages relationships between authorizables of the configuration (th That way relationships that are created programmatically or manually can be left intact and the AC Tool does not remove them. Also this allows to have two configuration sets at different root paths. +Additionally, it is also possible to set `unmanagedExternalIsMemberOfRegex` and `unmanagedExternalMembersRegex` directly on the authorizable definition (then only effective locally to the authorizable). + ### Examples ### * `defaultUnmanagedExternalMembersRegex: .*` allow arbitrary groups to inherit from ACTool managed groups and keep those (unmanaged) relations even though relationship hasn't been established through the ACTool. Might be useful in a multi-tenant setup where each tenant maintains his own list of groups (e.g. via ACTool in dedicated packages) and wants to inherit from some fragments being set up by the global YAML file. @@ -205,7 +207,7 @@ That way relationships that are created programmatically or manually can be left ## Limiting where the AC Tool creates and removes ACEs -The property `unmanagedAcePathsRegex` for authorizable configurations (users or groups) can be used to ensure certain paths are not managed by the AC Tool. This property must contain a regular expression which is matched against all ACE paths bound to the authorizable found in the system. All ACEs with matching paths are not touched: +The property `unmanagedAcePathsRegex` for authorizable configurations (users or groups) can be used to ensure certain paths are not managed by the AC Tool. This property must contain a regular expression which is matched against all ACE paths bound to the authorizable found in the system. All ACEs with matching paths are not touched. By setting the global config `defaultUnmanagedAcePathsRegex` it is possible to exclude certain areas of the JCR totally from removing (and creating once #244 is fixed) at all. ### Examples ``` 
@@ -227,6 +229,12 @@ You can use negative lookaheads to whitelist management of certain paths: unmanagedAcePathsRegex: /(?!conf).* ``` +Example for setting it globally: +``` +- global_config: + defaultUnmanagedAcePathsRegex: /content/project2.* # will never change any ACLs underneath this root path +``` + ## Automatically purge obsolete groups and users The root element `obsolete_authorizables` can be used to automatically purge authorizables that are not in use anymore: From 17170942269c091cf970a88f84b03c6e2653692b Mon Sep 17 00:00:00 2001 From: "georg.henzler" Date: Wed, 7 Mar 2018 15:59:13 +0100 Subject: [PATCH 13/17] #260 documentation for length EL function --- docs/AdvancedFeatures.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/AdvancedFeatures.md b/docs/AdvancedFeatures.md index 5798b47a..d7802c9e 100644 --- a/docs/AdvancedFeatures.md +++ b/docs/AdvancedFeatures.md @@ -147,6 +147,7 @@ Expressions are evaluated using javax.el expression language. The following util - contains(str,fragmentStr) - endsWith(str,fragmentStr) - startsWith(str,fragmentStr) +- length(str) ### Variables From e8ce2f91a101eb2cf9a8ae05823a624c269a71db Mon Sep 17 00:00:00 2001 From: "georg.henzler" Date: Wed, 7 Mar 2018 17:05:32 +0100 Subject: [PATCH 14/17] Revert "Update dependencies for AEM 6.1" This reverts commit efce8eb017ff03ddb8f14b2084c95527db6caaba. --- pom.xml | 41 ++++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/pom.xml b/pom.xml index 5dfe5cb2..c5f19301 100644 --- a/pom.xml +++ b/pom.xml @@ -86,28 +86,27 @@ org.apache.jackrabbit jackrabbit-jcr-commons - 2.10.0 + 2.11.2 provided org.apache.sling org.apache.sling.settings - 1.7.6 + 1.2.2 provided com.day.jcr.vault com.day.jcr.vault - 2.5.10 + 2.4.32 provided com.day.cq cq-commons - 5.8.32 + 5.6.4 provided - com.adobe.granite com.adobe.granite.crypto 
@@ -116,15 +115,14 @@ org.osgi - osgi.core - 6.0.0 + org.osgi.core + 4.2.0 provided - org.osgi - osgi.cmpn - 5.0.0 + org.osgi.compendium + 4.2.0 provided @@ -148,16 +146,22 @@ 1.9.10 provided + + biz.aQute + bndlib + 1.43.0 + provided + org.slf4j slf4j-api - 1.7.6 + 1.5.10 provided javax.servlet servlet-api - 3.1 + 2.5 provided @@ -169,19 +173,19 @@ org.apache.sling org.apache.sling.api - 2.9.0 + 2.2.0 provided org.apache.sling org.apache.sling.jcr.api - 2.2.2 + 2.2.0 provided org.apache.sling org.apache.sling.commons.osgi - 2.2.2 + 2.2.0 provided @@ -205,19 +209,19 @@ com.adobe.granite com.adobe.granite.jmx - 0.3.0 + 0.2.6 provided org.apache.jackrabbit jackrabbit-api - 2.10.0 + 2.9.0 provided com.day.cq cq-security - 5.8.18 + 5.6.2 provided @@ -226,7 +230,6 @@ 1.13 bundle - junit junit From 10e5f6d611ad8a78d8ac613736a1a0a4e26d2a53 Mon Sep 17 00:00:00 2001 From: Konrad Windszus Date: Thu, 8 Mar 2018 16:15:37 +0100 Subject: [PATCH 15/17] Clarify how to extend `everyone` --- docs/AdvancedFeatures.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/AdvancedFeatures.md b/docs/AdvancedFeatures.md index d7802c9e..bc0db2fe 100644 --- a/docs/AdvancedFeatures.md +++ b/docs/AdvancedFeatures.md 
@@ -184,7 +184,9 @@ NOTE: The scope of a variable is always limited to the lines in the very same ya To configure permissions for already existing users, it's best to create a custom group and add this user to the `members` attribute of that group. The ACEs added to the custom group will then be effective for that user as well. -Another alternative is to list the built-in user in the YAML file (with the correct path and system user flag) and leverage `unmanagedAcePathsRegex` as outlined below. +This is not an option for the [`everyone` group](https://jackrabbit.apache.org/oak/docs/security/user/default.html#Everyone_Group) as it is neither allowed to put groups/users as members to this group (because implicitly every principal is member of this group) nor to put this group as member to another group (to prevent cycles, compare with [OAK-7323](https://issues.apache.org/jira/browse/OAK-7323)). + +Another alternative is to list the built-in user in the YAML file (with the correct path and system user flag) and leverage `unmanagedAcePathsRegex` as outlined below. This is currently the only option to extend rights for `everyone`. ## Configure memberships of/towards externally managed groups From 2d368ff729883fe0cead9695a00a7a5d65ee8f89 Mon Sep 17 00:00:00 2001 From: "georg.henzler" Date: Thu, 8 Mar 2018 18:37:44 +0100 Subject: [PATCH 16/17] updating poms for 2.0.6 branch with snapshot versions --- accesscontroltool-bundle/pom.xml | 2 +- accesscontroltool-exampleconfig-package/pom.xml | 2 +- accesscontroltool-oakindex-package/pom.xml | 2 +- accesscontroltool-package/pom.xml | 2 +- pom.xml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/accesscontroltool-bundle/pom.xml b/accesscontroltool-bundle/pom.xml index 9eb28a77..598a1195 100644 --- a/accesscontroltool-bundle/pom.xml +++ b/accesscontroltool-bundle/pom.xml @@ -11,7 +11,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-SNAPSHOT + 2.0.6-rc-SNAPSHOT 
diff --git a/accesscontroltool-exampleconfig-package/pom.xml b/accesscontroltool-exampleconfig-package/pom.xml index 0524ad5f..a36d5c65 100644 --- a/accesscontroltool-exampleconfig-package/pom.xml +++ b/accesscontroltool-exampleconfig-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-SNAPSHOT + 2.0.6-rc-SNAPSHOT diff --git a/accesscontroltool-oakindex-package/pom.xml b/accesscontroltool-oakindex-package/pom.xml index 9e046a78..a72f2535 100644 --- a/accesscontroltool-oakindex-package/pom.xml +++ b/accesscontroltool-oakindex-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-SNAPSHOT + 2.0.6-rc-SNAPSHOT diff --git a/accesscontroltool-package/pom.xml b/accesscontroltool-package/pom.xml index 584d1fca..bfa51751 100644 --- a/accesscontroltool-package/pom.xml +++ b/accesscontroltool-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-SNAPSHOT + 2.0.6-rc-SNAPSHOT diff --git a/pom.xml b/pom.xml index c5f19301..257e62d4 100644 --- a/pom.xml +++ b/pom.xml @@ -11,7 +11,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-SNAPSHOT + 2.0.6-rc-SNAPSHOT pom Access Control Tool - Reactor Project From 926fa37aa344d2a97748c5a41675e6ca69d3d8a7 Mon Sep 17 00:00:00 2001 From: "georg.henzler" Date: Thu, 8 Mar 2018 18:38:27 +0100 Subject: [PATCH 17/17] updating poms for branch'release/2.0.6' with non-snapshot versions --- accesscontroltool-bundle/pom.xml | 2 +- accesscontroltool-exampleconfig-package/pom.xml | 2 +- accesscontroltool-oakindex-package/pom.xml | 2 +- accesscontroltool-package/pom.xml | 2 +- pom.xml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/accesscontroltool-bundle/pom.xml b/accesscontroltool-bundle/pom.xml index 598a1195..dff37a6c 100644 --- a/accesscontroltool-bundle/pom.xml +++ b/accesscontroltool-bundle/pom.xml 
@@ -11,7 +11,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-rc-SNAPSHOT + 2.0.6 diff --git a/accesscontroltool-exampleconfig-package/pom.xml b/accesscontroltool-exampleconfig-package/pom.xml index a36d5c65..5815bcd6 100644 --- a/accesscontroltool-exampleconfig-package/pom.xml +++ b/accesscontroltool-exampleconfig-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-rc-SNAPSHOT + 2.0.6 diff --git a/accesscontroltool-oakindex-package/pom.xml b/accesscontroltool-oakindex-package/pom.xml index a72f2535..97346d3e 100644 --- a/accesscontroltool-oakindex-package/pom.xml +++ b/accesscontroltool-oakindex-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-rc-SNAPSHOT + 2.0.6 diff --git a/accesscontroltool-package/pom.xml b/accesscontroltool-package/pom.xml index bfa51751..fb88572b 100644 --- a/accesscontroltool-package/pom.xml +++ b/accesscontroltool-package/pom.xml @@ -15,7 +15,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-rc-SNAPSHOT + 2.0.6 diff --git a/pom.xml b/pom.xml index 257e62d4..5990c5cb 100644 --- a/pom.xml +++ b/pom.xml @@ -11,7 +11,7 @@ biz.netcentric.cq.tools.accesscontroltool accesscontroltool - 2.0.6-rc-SNAPSHOT + 2.0.6 pom Access Control Tool - Reactor Project