Merge branch 'release/2.0.1'

accesscontroltool-bundle/pom.xml

@@ -11,7 +11,7 @@
     <parent>
         <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
         <artifactId>accesscontroltool</artifactId>
-        <version>2.0.0</version>
+        <version>2.0.1</version>
     </parent>
 
     <!-- ====================================================================== -->

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/AceBeanInstallerIncremental.java

@@ -142,7 +142,6 @@ protected void installAcl(Set<AceBean> aceBeanSetFromConfig, String path, Set<St
 
         for (int i = currentPositionConfig; i < configuredAceEntries.size(); i++) {
             AceBean aceBeanToAppend = configuredAceEntries.get(i);
-            // LOG.info("installing aceBeanToAppend=" + aceBeanToAppend);
 
             installPrivileges(aceBeanToAppend, new PrincipalImpl(aceBeanToAppend.getPrincipalName()), acl, session, acMgr);
             diffLog.append("    APPENDED (from Config)  " + toAceCompareString(aceBeanToAppend, acMgr) + "\n");
@@ -244,7 +243,7 @@ private Set<AceBean> getPrincipalAceBeansForActionAceBeanCached(AceBean origAceB
             Set<AceBean> principalCorrectedAceBeansForActions = new LinkedHashSet<AceBean>();
             for (AceBean aceBean : cachedAceBeansForActions) {
                 AceBean clone = aceBean.clone();
-                clone.setPrincipal(origAceBean.getPrincipalName());
+                clone.setPrincipalName(origAceBean.getPrincipalName());
                 principalCorrectedAceBeansForActions.add(clone);
             }
             return principalCorrectedAceBeansForActions;
@@ -254,10 +253,22 @@ private Set<AceBean> getPrincipalAceBeansForActionAceBeanCached(AceBean origAceB
             Set<AceBean> aceBeansForActionEntry = null;
             Session newSession = null;
             try {
-                // a new session is needed to ensure no pending changes are introduced (even if there would not be real pending changes
-                // since we add and remove, but session.hasPendingChanges() is true then)
+
                 newSession = slingRepository.loginService(Constants.USER_AC_SERVICE, null);
-                aceBeansForActionEntry = getPrincipalAceBeansForActionAceBean(origAceBean, newSession);
+                Session relevantSessionToUse;
+                if (newSession.nodeExists(origAceBean.getJcrPath())) {
+                    // a new session is needed to ensure no pending changes are introduced (even if there would not be real pending changes
+                    // since we add and remove, but session.hasPendingChanges() is true then).
+                    // The new session is not saved(), its only function is to produce the action->privileges mapping with the ootb class
+                    // CqActions
+                    relevantSessionToUse = newSession;
+                } else {
+                    // if the path was just only created in this session via initialContent
+                    relevantSessionToUse = session;
+                    LOG.warn("Reusing main session for path {} since the node was only just created in that session via 'initialContent'",
+                            origAceBean.getJcrPath());
+                }
+                aceBeansForActionEntry = getPrincipalAceBeansForActionAceBean(origAceBean, relevantSessionToUse);
             } finally {
                 newSession.logout();
             }
@@ -288,7 +299,7 @@ Set<AceBean> getPrincipalAceBeansForActionAceBean(AceBean origAceBean, Session s
             }
 
             AceBean privilegesAceBeanForAction = AcHelper.getAceBean(newAce, newAcl);
-            privilegesAceBeanForAction.setPrincipal(origAceBean.getPrincipalName());
+            privilegesAceBeanForAction.setPrincipalName(origAceBean.getPrincipalName());
 
             // handle restrictions
             if (isFirst) {
@@ -334,7 +345,7 @@ Set<AceBean> getPrincipalAceBeansForActionAceBean(AceBean origAceBean, Session s
         if (LOG.isDebugEnabled()) {
             StringBuilder buf = new StringBuilder();
             buf.append("CqActions at path " + origAceBean.getJcrPath()
-                    + " with principal=" + origAceBean.getPrincipalName() + "/" + principal.getName() + " produced \n");
+                    + " with authorizableId=" + origAceBean.getAuthorizableId() + "/" + principal.getName() + " produced \n");
             for (AceBean aceBean : aceBeansForActionEntry) {
                 buf.append("   " + toAceCompareString(aceBean, acMgr) + "\n");
             }

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java

@@ -94,6 +94,11 @@ public void installPathBasedACEs(
             }
         }
 
+        if (history.getMissingParentPathsForInitialContent() > 0) {
+            history.addWarning(LOG, "There were " + history.getMissingParentPathsForInitialContent()
+                    + " parent paths missing for creation of intial content (those paths were skipped, see verbose log for details)");
+        }
+
         history.addMessage(LOG, "Finished installation of " + paths.size() + " ACLs in "
                 + msHumanReadable(stopWatch.getTime())
                 + " (changed ACLs=" + history.getCountAclsChanged() + " unchanged ACLs=" + history.getCountAclsUnchanged()

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/api/InstallationLog.java

@@ -28,4 +28,6 @@ public interface InstallationLog extends AcInstallationHistoryPojo {
 
     int getCountActionCacheHit();
 
+    int getMissingParentPathsForInitialContent();
+
 }

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java

@@ -105,7 +105,7 @@ private void installAuthorizableConfigurationBean(final Session session,
         else {
 
             // update name for both groups and users
-            setAuthorizableProperties(authorizableToInstall, authorizableConfigBean, session);
+            setAuthorizableProperties(authorizableToInstall, authorizableConfigBean, session, installLog);
             // update password for users
             if (!authorizableToInstall.isGroup() && !authorizableConfigBean.isSystemUser()
                     && StringUtils.isNotBlank(authorizableConfigBean.getPassword())) {
@@ -560,12 +560,12 @@ private Authorizable createNewGroup(
 
         addMembersToReferencingAuthorizables(newGroup, principalConfigBean, userManager, session, installLog);
 
-        setAuthorizableProperties(newGroup, principalConfigBean, session);
+        setAuthorizableProperties(newGroup, principalConfigBean, session, installLog);
         return newGroup;
     }
 
     private void setAuthorizableProperties(Authorizable authorizable, AuthorizableConfigBean principalConfigBean,
-            Session session)
+            Session session, AcInstallationLog installationLog)
             throws RepositoryException {
 
         String profileContent = principalConfigBean.getProfileContent();
@@ -596,6 +596,28 @@ private void setAuthorizableProperties(Authorizable authorizable, AuthorizableCo
         if (StringUtils.isNotBlank(description)) {
             authorizable.setProperty("profile/aboutMe", vf.createValue(description));
         }
+
+        String disabled = principalConfigBean.getDisabled();
+        if (StringUtils.isNotBlank(disabled)) {
+            if (authorizable.isGroup()) {
+                throw new IllegalStateException("Property disabled can only be set on users");
+            }
+            // if disabled is set to false, use "reason null" as this will enable the user when calling User.disable()
+            String disabledReason = StringUtils.equalsIgnoreCase(disabled, "false") ? null
+                    : (StringUtils.equalsIgnoreCase(disabled, "true") ? "User disabled by AC Tool" : /* use text directly */ disabled);
+            User user = (User) authorizable;
+            boolean currentlyDisabled = user.isDisabled();
+            boolean toBeDisabled = disabledReason != null;
+            if (currentlyDisabled && !toBeDisabled) {
+                installationLog.addMessage(LOG, "Enabling user " + user.getID());
+            } else if (!currentlyDisabled && toBeDisabled) {
+                installationLog.addMessage(LOG, "Disabling user " + user.getID() + " with reason: " + disabledReason);
+            }
+            if(currentlyDisabled || toBeDisabled) {
+                user.disable(disabledReason);
+            }
+
+        }
     }
 
     private Authorizable createNewUser(
@@ -621,7 +643,7 @@ private Authorizable createNewUser(
         } else {
             newUser = userManager.createUser(authorizableId, password, new PrincipalImpl(authorizableId), intermediatePath);
         }
-        setAuthorizableProperties(newUser, principalConfigBean, session);
+        setAuthorizableProperties(newUser, principalConfigBean, session, installLog);
 
         addMembersToReferencingAuthorizables(newUser, principalConfigBean, userManager, session, installLog);
 

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AcConfiguration.java

@@ -47,6 +47,20 @@ public AcesConfig getAceConfig() {
 
     public void setAceConfig(AcesConfig aceBeansSet) {
         this.aceBeansConfig = aceBeansSet;
+        ensureAceBeansHaveCorrectPrincipalNameSet(aceBeansSet);
+    }
+
+    // this is required as the configuration contains authorizableIds, but the JCR contains principal names. The mapping is available via
+    // authorizablesConfig
+    private void ensureAceBeansHaveCorrectPrincipalNameSet(AcesConfig aceBeansSet) {
+        if (authorizablesConfig == null) {
+            throw new IllegalStateException("authorizablesConfig must be set before setAceConfig() is called");
+        }
+        for (AceBean aceBean : aceBeansSet) {
+            String authorizableId = aceBean.getAuthorizableId();
+            String principalName = authorizablesConfig.getPrincipalNameForAuthorizableId(authorizableId);
+            aceBean.setPrincipalName(principalName);
+        }
     }
 
     public Set<String> getObsoleteAuthorizables() {

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AceBean.java

@@ -33,10 +33,12 @@ public class AceBean implements AcDumpElement {
 
     public static final Logger LOG = LoggerFactory.getLogger(AceBean.class);
 
+    private String principalName; // as found in jcr for ACE settings
+    private String authorizableId; // as configured in yaml file
+
     private String jcrPath;
     private String actionsStringFromConfig;
     private String privilegesString;
-    private String principal;
     private String permission;
     private String[] actions;
     private List<Restriction> restrictions = new ArrayList<Restriction>();
@@ -52,9 +54,9 @@ public AceBean clone() {
 
         AceBean clone = new AceBean();
         clone.setJcrPath(jcrPath);
-        clone.setActionsStringFromConfig(actionsStringFromConfig);
         clone.setPrivilegesString(privilegesString);
-        clone.setPrincipal(principal);
+        clone.setAuthorizableId(authorizableId);
+        clone.setPrincipalName(principalName);
         clone.setPermission(permission);
         clone.setActions(actions);
         clone.setRestrictions(new ArrayList<Restriction>(restrictions));
@@ -79,11 +81,19 @@ public void clearActions() {
     }
 
     public String getPrincipalName() {
-        return principal;
+        return principalName;
+    }
+
+    public void setPrincipalName(String principalName) {
+        this.principalName = principalName;
+    }
+
+    public String getAuthorizableId() {
+         return authorizableId;
     }
 
-    public void setPrincipal(String principal) {
-        this.principal = principal;
+    public void setAuthorizableId(String authorizableId) {
+        this.authorizableId = authorizableId;
     }
 
     public String getJcrPath() {
@@ -123,7 +133,7 @@ public void setRestrictions(Object restrictionsRaw, String oldStyleRepGlob) {
                     LOG.debug("Could not get value from restriction map using key: {}", key);
                     continue;
                 }
-                final String[] values = value.split(",");
+                final String[] values = value.split(" *, *");
 
                 restrictions.add(new Restriction(key, values));
             }
@@ -172,18 +182,10 @@ public String getActionsString() {
         return "";
     }
 
-    public String getActionsStringFromConfig() {
-        return actionsStringFromConfig;
-    }
-
     public void setActions(String[] actions) {
         this.actions = actions;
     }
 
-    public void setActionsStringFromConfig(String actionsString) {
-        actionsStringFromConfig = actionsString;
-    }
-
     public String[] getActions() {
         return actions;
     }
@@ -194,7 +196,7 @@ public String getPrivilegesString() {
 
     public String[] getPrivileges() {
         if (StringUtils.isNotBlank(privilegesString)) {
-            return privilegesString.split(",");
+            return privilegesString.split(" *, *");
         }
         return null;
     }
@@ -222,7 +224,8 @@ public void setKeepOrder(boolean keepOrder) {
     @Override
     public String toString() {
         return "AceBean [jcrPath=" + jcrPath + "\n" + ", actionsStringFromConfig=" + actionsStringFromConfig + "\n"
-                + ", privilegesString=" + privilegesString + "\n" + ", principal=" + principal + "\n" + ", permission=" + permission
+                + ", privilegesString=" + privilegesString + "\n" + ", principal=" + principalName + "\n, authorizableId=" + authorizableId
+                + "\n" + ", permission=" + permission
                 + "\n, actions=" + Arrays.toString(actions) + "\n" + ", restrictions="
                 + restrictions + "\n"
                 + ", initialContent=" + initialContent + "]";
@@ -238,7 +241,7 @@ public int hashCode() {
         result = (prime * result) + ((initialContent == null) ? 0 : initialContent.hashCode());
         result = (prime * result) + ((jcrPath == null) ? 0 : jcrPath.hashCode());
         result = (prime * result) + ((permission == null) ? 0 : permission.hashCode());
-        result = (prime * result) + ((principal == null) ? 0 : principal.hashCode());
+        result = (prime * result) + ((principalName == null) ? 0 : principalName.hashCode());
         result = (prime * result) + ((privilegesString == null) ? 0 : privilegesString.hashCode());
         result = (prime * result) + ((restrictions == null) ? 0 : restrictions.hashCode());
         return result;
@@ -287,11 +290,11 @@ public boolean equals(Object obj) {
         } else if (!permission.equals(other.permission)) {
             return false;
         }
-        if (principal == null) {
-            if (other.principal != null) {
+        if (principalName == null) {
+            if (other.principalName != null) {
                 return false;
             }
-        } else if (!principal.equals(other.principal)) {
+        } else if (!principalName.equals(other.principalName)) {
             return false;
         }
         if (privilegesString == null) {

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AcesConfig.java

@@ -27,10 +27,10 @@ public Set<String> getJcrPaths() {
         return jcrPathsInAceConfig;
     }
 
-    public Set<AceBean> filterByPrincipalName(String principalName) {
+    public Set<AceBean> filterByAuthorizableId(String authId) {
         Set<AceBean> aclsFiltered = new LinkedHashSet<AceBean>();
         for (AceBean bean : this) {
-            if (StringUtils.equals(principalName, bean.getPrincipalName())) {
+            if (StringUtils.equals(authId, bean.getAuthorizableId())) {
                 aclsFiltered.add(bean);
             }
         }

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizableConfigBean.java

@@ -44,6 +44,8 @@ public class AuthorizableConfigBean implements AcDumpElement {
     private boolean isGroup = true;
     private boolean isSystemUser = false;
 
+    private String disabled;
+
     public String getAuthorizableId() {
         return authorizableId;
     }
@@ -213,10 +215,19 @@ public void setMembers(final String[] members) {
         this.members = members;
     }
 
+    public String getDisabled() {
+        return disabled;
+    }
+
+    public void setDisabled(String disabled) {
+        this.disabled = disabled;
+    }
+
     public String getMigrateFrom() {
         return migrateFrom;
     }
 
+
     /** Set a group name, from which the users are taken over to this group. The group given is deleted after the run. This property is only
      * to be used temporarily (usually only included in one released version that travels all environments, once all groups are migrated the
      * config should be removed). If not set (the default) nothing happens. If the property points to a group that does not exist (anymore),

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizablesConfig.java

@@ -43,4 +43,15 @@ public Set<String> getPrincipalNames() {
         return principals;
     }
 
+    public String getPrincipalNameForAuthorizableId(String authorizableId) {
+        String principalName = null;
+        for (AuthorizableConfigBean authorizableConfigBean : this) {
+            if (StringUtils.equals(authorizableConfigBean.getAuthorizableId(), authorizableId)) {
+                principalName = authorizableConfigBean.getPrincipalName();
+                break;
+            }
+        }
+        return principalName;
+    }
+
 }