Do not pre-validate restrictions

Oak takes care of that in
https://github.com/apache/jackrabbit-oak/blob/17281282fe82d0f0c4e86d0a42ecfb20bfe404e3/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java#L213
as soon as you try to apply those.
Otherwise you face exceptions when using restrictions only available at
run-time in cloud (but not at build time).

This closes #854

Author: kwin

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java

@@ -18,10 +18,8 @@
 
 import java.security.Principal;
 import java.util.Arrays;
-import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.TreeSet;
@@ -41,7 +39,6 @@
 import biz.netcentric.cq.tools.actool.comparators.AcePermissionComparator;
 import biz.netcentric.cq.tools.actool.configmodel.AcConfiguration;
 import biz.netcentric.cq.tools.actool.configmodel.AceBean;
-import biz.netcentric.cq.tools.actool.configmodel.Restriction;
 import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
 import biz.netcentric.cq.tools.actool.helper.ContentHelper;
 import biz.netcentric.cq.tools.actool.helper.RestrictionsHolder;
@@ -168,25 +165,15 @@ protected boolean installPrivileges(AceBean aceBean, Principal principal, Jackra
      * @throws UnsupportedRepositoryOperationException
      * @throws RepositoryException */
     protected RestrictionsHolder getRestrictions(AceBean aceBean, Session session, JackrabbitAccessControlList acl)
-            throws ValueFormatException, UnsupportedRepositoryOperationException, RepositoryException {
-
-        final Collection<String> supportedRestrictionNames = Arrays.asList(acl.getRestrictionNames());
+            throws RepositoryException {
 
         if (aceBean.getRestrictions().isEmpty()) {
             return RestrictionsHolder.empty();
         }
-
-        List<Restriction> restrictions = aceBean.getRestrictions();
-        for (Restriction restriction : restrictions) {
-            if (!supportedRestrictionNames.contains(restriction.getName())) {
-                throw new IllegalStateException(
-                        "The AccessControlList at " + acl.getPath() + " does not support setting " + restriction.getName()
-                                + " restrictions!");
-            }
-        }
-
-        RestrictionsHolder restrictionsHolder = new RestrictionsHolder(restrictions, session.getValueFactory(), acl);
-        return restrictionsHolder;
+        // no need to check if restrictions are supported, Oak is lenient nowadays and does the proper checks internally
+        // see https://github.com/apache/jackrabbit-oak/blob/17281282fe82d0f0c4e86d0a42ecfb20bfe404e3/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java#L213
+        // also it supports non-mandatory restrictions like the ones from com.adobe.cq.dam.assetmetadatarestrictionprovider.impl.AssetMetadataRestrictionProvider
+        return new RestrictionsHolder(aceBean.getRestrictions(), session.getValueFactory(), acl);
     }
 
     /** Converts the given privilege names into a set of privilege objects.

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/validators/exceptions/InvalidRepGlobException.java

@@ -14,24 +14,17 @@
  * #L%
  */
 
-import java.util.Arrays;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Set;
 
-import javax.jcr.AccessDeniedException;
-import javax.jcr.RepositoryException;
 import javax.jcr.security.AccessControlManager;
 
 import org.apache.commons.lang3.StringUtils;
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import biz.netcentric.cq.tools.actool.aem.AcToolCqActions;
 import biz.netcentric.cq.tools.actool.configmodel.AceBean;
-import biz.netcentric.cq.tools.actool.configmodel.Restriction;
-import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
 import biz.netcentric.cq.tools.actool.validators.AceBeanValidator;
 import biz.netcentric.cq.tools.actool.validators.Validators;
 import biz.netcentric.cq.tools.actool.validators.exceptions.AcConfigBeanValidationException;
@@ -42,8 +35,6 @@
 import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidJcrPrivilegeException;
 import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidPathException;
 import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidPermissionException;
-import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidRepGlobException;
-import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidRestrictionsException;
 import biz.netcentric.cq.tools.actool.validators.exceptions.NoActionOrPrivilegeDefinedException;
 import biz.netcentric.cq.tools.actool.validators.exceptions.NoGroupDefinedException;
 import biz.netcentric.cq.tools.actool.validators.exceptions.TooManyActionsException;
@@ -103,8 +94,6 @@ private boolean validate(AccessControlManager aclManager) throws AcConfigBeanVal
             throw new NoActionOrPrivilegeDefinedException(errorMessage);
         }
 
-        validateRestrictions(this.aceBean, aclManager);
-
         return true;
     }
 
@@ -117,60 +106,6 @@ private void maintainBeanCounter() {
         previousAuthorizableId = aceBean.getAuthorizableId();
     }
 
-    private boolean validateRestrictions(final AceBean tmpAceBean, final AccessControlManager aclManager)
-            throws InvalidRepGlobException, InvalidRestrictionsException {
-        boolean valid = true;
-
-        final List<Restriction> restrictions = tmpAceBean.getRestrictions();
-        if (restrictions.isEmpty()) {
-            return true;
-        }
-
-        final Set<String> restrictionNamesFromAceBean = new HashSet<String>();
-        for (Restriction restriction : restrictions) {
-            restrictionNamesFromAceBean.add(restriction.getName());
-        }
-
-        final Set<String> allowedRestrictionNames = getSupportedRestrictions(aclManager);
-
-        if (!allowedRestrictionNames.containsAll(restrictionNamesFromAceBean)) {
-            restrictionNamesFromAceBean.removeAll(allowedRestrictionNames);
-            valid = false;
-            final String errorMessage = getBeanDescription(this.currentBeanCounter,
-                    tmpAceBean.getAuthorizableId())
-                    + ",  this repository doesn't support following restriction(s): "
-                    + restrictionNamesFromAceBean;
-            throw new InvalidRestrictionsException(errorMessage);
-        }
-
-        return valid;
-    }
-
-    private Set<String> getSupportedRestrictions(final AccessControlManager aclManager)
-            throws InvalidRepGlobException {
-        Set<String> allowedRestrictions = new HashSet<>();
-        try {
-            final JackrabbitAccessControlList jacl = getJackrabbitAccessControlList(aclManager);
-            allowedRestrictions = new HashSet<>(Arrays.asList(jacl.getRestrictionNames()));
-        } catch (final RepositoryException e) {
-            throw new InvalidRepGlobException("Could not get restriction names from ACL of path: " + this.aceBean.getJcrPath());
-        }
-        return allowedRestrictions;
-    }
-
-    private JackrabbitAccessControlList getJackrabbitAccessControlList(final AccessControlManager aclManager) throws RepositoryException, AccessDeniedException {
-        JackrabbitAccessControlList jacl = null;
-        // don't check paths containing wildcards
-        if(!this.aceBean.getJcrPath().contains("*")){
-            jacl = AccessControlUtils.getModifiableAcl(aclManager, this.aceBean.getJcrPath());
-        }
-        if(jacl == null){
-            // root as fallback
-            jacl = AccessControlUtils.getModifiableAcl(aclManager, "/");
-        }
-        return jacl;
-    }
-
     private boolean validatePermission(final AceBean tmpAclBean) throws InvalidPermissionException {
 
         final String permission = tmpAclBean.getPermission();

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/validators/exceptions/InvalidRestrictionsException.java

@@ -285,15 +285,12 @@
            rep:glob: test
            rep:ntNames: test
            rep:prefixes: test
-         assertedException: InvalidRestrictionsException
 
        #11 wrong restriction name. correct one would be rep:glob
        - path: /content
          permission: allow
          actions: read
          restrictions:
            rep:Glob: /cq:*
-         assertedException: InvalidRestrictionsException
-