Merge branch 'release/2.0.3'

Netcentric · Nov 24, 2017 · 1a73620 · 1a73620
2 parents 1d8b5b4 + 31524ef
commit 1a73620
Show file tree

Hide file tree

Showing 26 changed files with 526 additions and 219 deletions.
diff --git a/accesscontroltool-bundle/pom.xml b/accesscontroltool-bundle/pom.xml
@@ -11,7 +11,7 @@
     <parent>
         <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
         <artifactId>accesscontroltool</artifactId>
-        <version>2.0.2</version>
+        <version>2.0.3</version>
     </parent>
 
     <!-- ====================================================================== -->
@@ -31,6 +31,14 @@
             <groupId>org.osgi</groupId>
             <artifactId>org.osgi.core</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.event.dea</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.commons.scheduler</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.apache.felix</groupId>
             <artifactId>org.apache.felix.scr.annotations</artifactId>

diff --git a/...undle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java b/...undle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java
@@ -86,7 +86,9 @@ public void installPathBasedACEs(
                     new AcePermissionComparator());
             orderedAceBeanSetFromConfig.addAll(aceBeanSetFromConfig);
 
-            installAcl(orderedAceBeanSetFromConfig, path, principalsToRemoveAcesFor, session, history);
+            Set<String> principalsToRemoveAcesForAtThisPath = history.getAcConfiguration().getAuthorizablesConfig()
+                    .removeUnmanagedPrincipalNamesAtPath(path, principalsToRemoveAcesFor);
+            installAcl(orderedAceBeanSetFromConfig, path, principalsToRemoveAcesForAtThisPath, session, history);
 
             if (intermediateSaves && session.hasPendingChanges()) {
                 history.addVerboseMessage(LOG, "Saved session for path " + path);

diff --git a/...va/biz/netcentric/cq/tools/actool/authorizableinstaller/AuthorizableInstallerService.java b/...va/biz/netcentric/cq/tools/actool/authorizableinstaller/AuthorizableInstallerService.java
@@ -16,7 +16,7 @@
 
 public interface AuthorizableInstallerService {
 
-    public void createNewAuthorizables(
+    public void installAuthorizables(
             AuthorizablesConfig principalMapFromConfig,
             final Session session, AcInstallationLog installLog) throws RepositoryException, AuthorizableCreatorException;
 

diff --git a/...tcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java b/...tcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java
@@ -21,7 +21,6 @@
 import javax.jcr.Session;
 import javax.jcr.UnsupportedRepositoryOperationException;
 import javax.jcr.ValueFactory;
-import javax.jcr.ValueFormatException;
 
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
@@ -67,7 +66,7 @@ public class AuthorizableInstallerServiceImpl implements
     ExternalGroupInstallerServiceImpl externalGroupCreatorService;
 
     @Override
-    public void createNewAuthorizables(
+    public void installAuthorizables(
             AuthorizablesConfig authorizablesConfigBeans,
             final Session session, AcInstallationLog installLog)
             throws RepositoryException, AuthorizableCreatorException {
@@ -115,7 +114,7 @@ private void installAuthorizableConfigurationBean(final Session session,
             // move authorizable if path changed (retaining existing members)
             handleRecreationOfAuthorizableIfNecessary(session, authorizableConfigBean, installLog, userManager);
 
-            applyGroupMembershipConfigIsMemberOf(installLog, authorizableConfigBean, userManager, session);
+            applyGroupMembershipConfigIsMemberOf(installLog, authorizableConfigBean, userManager, session, authorizablesFromConfigurations);
 
         }
 
@@ -146,8 +145,9 @@ void applyGroupMembershipConfigMembers(AuthorizableConfigBean authorizableConfig
             relevantMembersInRepo = new HashSet<String>(CollectionUtils.subtract(relevantMembersInRepo, authorizablesFromConfigurations));
             // ensure regular users are never removed
             relevantMembersInRepo = removeRegularUsers(relevantMembersInRepo, userManager);
-            // take configuration 'allowExternalGroupNamesRegEx' into account (and remove matching groups from further handling)
-            relevantMembersInRepo = removeExternalGroupsThatAreUntouchedByConfiguration(relevantMembersInRepo, installLog);
+            // take configuration 'defaultUnmanagedExternalMembersRegex' into account (and remove matching groups from further handling)
+            relevantMembersInRepo = removeExternalMembersUnmanagedByConfiguration(authorizableConfigBean, relevantMembersInRepo,
+                    installLog);
 
             Set<String> membersToAdd = new HashSet<String>(CollectionUtils.subtract(membersInConfig, relevantMembersInRepo));
             Set<String> membersToRemove = new HashSet<String>(CollectionUtils.subtract(relevantMembersInRepo, membersInConfig));
@@ -202,20 +202,30 @@ private Set<String> removeRegularUsers(Set<String> allMembersFromRepo, UserManag
         return relevantMembers;
     }
 
-    private Set<String> removeExternalGroupsThatAreUntouchedByConfiguration(Set<String> relevantMembersInRepo,
-            AcInstallationLog installLog) {
+    private Set<String> removeExternalMembersUnmanagedByConfiguration(AuthorizableConfigBean authorizableConfigBean,
+            Set<String> relevantMembersInRepo, AcInstallationLog installLog) {
         Set<String> relevantMembers = new HashSet<String>(relevantMembersInRepo);
-        Pattern keepExistingMembershipsForGroupNamesRegEx = installLog.getAcConfiguration().getGlobalConfiguration().getKeepExistingMembershipsForGroupNamesRegEx();
-        if (keepExistingMembershipsForGroupNamesRegEx != null) {
+        Pattern unmanagedExternalMembersRegex = installLog.getAcConfiguration().getGlobalConfiguration()
+                .getDefaultUnmanagedExternalMembersRegex();
+
+        Set<String> unmanagedMembers = new HashSet<String>();
+        if (unmanagedExternalMembersRegex != null) {
             Iterator<String> relevantMembersIt = relevantMembers.iterator();
             while (relevantMembersIt.hasNext()) {
                 String member = relevantMembersIt.next();
-                if (keepExistingMembershipsForGroupNamesRegEx.matcher(member).matches()) {
+                if (unmanagedExternalMembersRegex.matcher(member).matches()) {
+                    unmanagedMembers.add(member);
                     relevantMembersIt.remove();
                 }
             }
         }
 
+        if (!unmanagedMembers.isEmpty()) {
+            installLog.addVerboseMessage(LOG,
+                    "Not removing members " + unmanagedMembers + " from " + authorizableConfigBean.getAuthorizableId()
+                            + " because of unmanagedExternalMembersRegex=" + unmanagedExternalMembersRegex);
+        }
+
         return relevantMembers;
 
     }
@@ -331,7 +341,6 @@ private void handleRecreationOfAuthorizableIfNecessary(final Session session,
             existingAuthorizable.remove();
 
             // create group again using values form config
-            ValueFactory vf = session.getValueFactory();
             Authorizable newAuthorizable = createNewAuthorizable(principalConfigBean, installLog, userManager, session);
 
             int countMovedMembersOfGroup = 0;
@@ -380,10 +389,8 @@ private void deleteOldIntermediatePath(final Session session,
     }
 
     private void applyGroupMembershipConfigIsMemberOf(AcInstallationLog installLog,
-            AuthorizableConfigBean authorizableConfigBean, UserManager userManager, Session session)
-            throws RepositoryException, ValueFormatException,
-            UnsupportedRepositoryOperationException,
-            AuthorizableExistsException, AuthorizableCreatorException {
+            AuthorizableConfigBean authorizableConfigBean, UserManager userManager, Session session,
+            Set<String> authorizablesFromConfigurations) throws RepositoryException, AuthorizableCreatorException {
         String[] memberOf = authorizableConfigBean.getMemberOf();
         String authorizableId = authorizableConfigBean.getAuthorizableId();
 
@@ -392,7 +399,7 @@ private void applyGroupMembershipConfigIsMemberOf(AcInstallationLog installLog,
         Set<String> membershipGroupsFromRepository = getMembershipGroupsFromRepository(currentGroupFromRepository);
 
         applyGroupMembershipConfigIsMemberOf(authorizableId, installLog, userManager, session, membershipGroupsFromConfig,
-                membershipGroupsFromRepository);
+                membershipGroupsFromRepository, authorizablesFromConfigurations);
     }
 
     private Authorizable createNewAuthorizable(
@@ -453,10 +460,9 @@ private Set<String> getMembershipGroupsFromConfig(String[] memberOf) {
     void applyGroupMembershipConfigIsMemberOf(String authorizableId,
             AcInstallationLog installLog, UserManager userManager, Session session,
             Set<String> membershipGroupsFromConfig,
-            Set<String> membershipGroupsFromRepository)
+            Set<String> membershipGroupsFromRepository, Set<String> authorizablesFromConfigurations)
             throws RepositoryException, AuthorizableExistsException,
             AuthorizableCreatorException {
-        LOG.debug("mergeMemberOfGroups() for {}", authorizableId);
 
         // membership to everyone cannot be removed or added => take it out from both lists
         membershipGroupsFromConfig.remove(PRINCIPAL_EVERYONE);
@@ -477,23 +483,26 @@ void applyGroupMembershipConfigIsMemberOf(String authorizableId,
 
         Collection<String> toBeRemovedMembers = CollectionUtils.subtract(membershipGroupsFromRepository,
                 validatedMembershipGroupsFromConfig);
-        Set<String> toBeSkippedFromRemovalMembers = new HashSet<String>();
+        Set<String> unmanagedMembers = new HashSet<String>();
 
-        Pattern ignoredMembershipsPattern = installLog.getAcConfiguration().getGlobalConfiguration().getKeepExistingMembershipsForGroupNamesRegEx();
+        Pattern unmanagedExternalIsMemberOfRegex = installLog.getAcConfiguration().getGlobalConfiguration()
+                .getDefaultUnmanagedExternalIsMemberOfRegex();
 
         Iterator<String> toBeRemovedMembersIt = toBeRemovedMembers.iterator();
         while (toBeRemovedMembersIt.hasNext()) {
             String groupId = toBeRemovedMembersIt.next();
-            if ((ignoredMembershipsPattern != null) && ignoredMembershipsPattern.matcher(groupId).find()) {
-                toBeSkippedFromRemovalMembers.add(groupId);
+            if (!authorizablesFromConfigurations.contains(groupId) /* generally only consider groups that are not in config as unmanaged */
+                    && (unmanagedExternalIsMemberOfRegex != null) && unmanagedExternalIsMemberOfRegex.matcher(groupId).matches()) {
+                unmanagedMembers.add(groupId);
                 toBeRemovedMembersIt.remove();
             }
         }
         installLog.addVerboseMessage(LOG, "Authorizable " + authorizableId + " will be removed from members of " + toBeRemovedMembers);
 
-        if (!toBeSkippedFromRemovalMembers.isEmpty()) {
+        if (!unmanagedMembers.isEmpty()) {
             installLog.addVerboseMessage(LOG, "Authorizable " + authorizableId + " remains member of groups "
-                    + toBeSkippedFromRemovalMembers + " (due to configured ignoredMembershipsPattern=" + ignoredMembershipsPattern + ")");
+                    + unmanagedMembers + " (due to configured unmanagedExternalIsMemberOfRegex="
+                    + unmanagedExternalIsMemberOfRegex + ")");
 
         }
 
@@ -564,7 +573,7 @@ private Authorizable createNewGroup(
         return newGroup;
     }
 
-    private void setAuthorizableProperties(Authorizable authorizable, AuthorizableConfigBean principalConfigBean,
+    void setAuthorizableProperties(Authorizable authorizable, AuthorizableConfigBean principalConfigBean,
             Session session, AcInstallationLog installationLog)
             throws RepositoryException {
 
@@ -585,8 +594,16 @@ private void setAuthorizableProperties(Authorizable authorizable, AuthorizableCo
             if (authorizable.isGroup()) {
                 authorizable.setProperty("profile/givenName", vf.createValue(name));
             } else {
-                String givenName = StringUtils.substringBeforeLast(name, " ");
-                String familyName = StringUtils.substringAfterLast(name, " ");
+                String givenName;
+                String familyName;
+                if(name.contains(",")) {
+                    String[] nameParts = name.split("\\s*,\\s*", 2);
+                    familyName = nameParts[0];
+                    givenName = nameParts[1];
+                } else {
+                    givenName = StringUtils.substringBeforeLast(name, " ");
+                    familyName = StringUtils.substringAfterLast(name, " ");
+                }
                 authorizable.setProperty("profile/givenName", vf.createValue(givenName));
                 authorizable.setProperty("profile/familyName", vf.createValue(familyName));
             }

diff --git a/...ndle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizableConfigBean.java b/...ndle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizableConfigBean.java
@@ -41,6 +41,8 @@ public class AuthorizableConfigBean implements AcDumpElement {
 
     private String migrateFrom;
 
+    private String unmanagedAcePathsRegex;
+
     private boolean isGroup = true;
     private boolean isSystemUser = false;
 
@@ -238,6 +240,13 @@ public void setMigrateFrom(String migrateFrom) {
         this.migrateFrom = migrateFrom;
     }
 
+    public String getUnmanagedAcePathsRegex() {
+        return unmanagedAcePathsRegex;
+    }
+
+    public void setUnmanagedAcePathsRegex(String unmanagedAcePathsRegex) {
+        this.unmanagedAcePathsRegex = unmanagedAcePathsRegex;
+    }
 
     @Override
     public String toString() {
@@ -250,6 +259,16 @@ public String toString() {
         return sb.toString();
     }
 
+    public boolean managesPath(String path) {
+        if (StringUtils.isNotBlank(unmanagedAcePathsRegex)
+                && StringUtils.isNotBlank(path) /* not supporting repository permissions here */) {
+            boolean pathIsManaged = !path.matches(unmanagedAcePathsRegex);
+            return pathIsManaged;
+        } else {
+            return true; // default
+        }
+    }
+
     @Override
     public void accept(final AcDumpElementVisitor acDumpElementVisitor) {
         acDumpElementVisitor.visit(this);

diff --git a/...-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizablesConfig.java b/...-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizablesConfig.java
@@ -27,6 +27,15 @@ public AuthorizableConfigBean getAuthorizableConfig(String authorizableId) {
         return null;
     }
 
+    public AuthorizableConfigBean getAuthorizableConfigByPrincipalName(String principalName) {
+        for (AuthorizableConfigBean authorizableConfigBean : this) {
+            if (StringUtils.equals(authorizableConfigBean.getPrincipalName(), principalName)) {
+                return authorizableConfigBean;
+            }
+        }
+        return null;
+    }
+
     public Set<String> getAuthorizableIds() {
         Set<String> authorizableIdsFromConfigurations = new LinkedHashSet<String>();
         for (AuthorizableConfigBean authorizableConfigBean : this) {
@@ -54,4 +63,17 @@ public String getPrincipalNameForAuthorizableId(String authorizableId) {
         return principalName;
     }
 
+    public Set<String> removeUnmanagedPrincipalNamesAtPath(String path, Set<String> principals) {
+
+        Set<String> filteredPrincipals = new HashSet<String>();
+        for (String principal : principals) {
+            AuthorizableConfigBean authorizableConfig = getAuthorizableConfigByPrincipalName(principal);
+            if (authorizableConfig.managesPath(path)) {
+                filteredPrincipals.add(principal);
+            }
+        }
+
+        return filteredPrincipals;
+    }
+
 }