diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java
index 99e66fec..6913fa3e 100644
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java
@@ -18,10 +18,8 @@ import java.security.Principal;
 import java.util.Arrays;
-import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.TreeSet;
@@ -41,7 +39,6 @@ import biz.netcentric.cq.tools.actool.comparators.AcePermissionComparator;
 import biz.netcentric.cq.tools.actool.configmodel.AcConfiguration;
 import biz.netcentric.cq.tools.actool.configmodel.AceBean;
-import biz.netcentric.cq.tools.actool.configmodel.Restriction;
 import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
 import biz.netcentric.cq.tools.actool.helper.ContentHelper;
 import biz.netcentric.cq.tools.actool.helper.RestrictionsHolder;
@@ -168,25 +165,15 @@ protected boolean installPrivileges(AceBean aceBean, Principal principal, Jackra
 * @throws UnsupportedRepositoryOperationException
 * @throws RepositoryException
 */
 protected RestrictionsHolder getRestrictions(AceBean aceBean, Session session, JackrabbitAccessControlList acl)
- throws ValueFormatException, UnsupportedRepositoryOperationException, RepositoryException {
-
- final Collection supportedRestrictionNames = Arrays.asList(acl.getRestrictionNames());
+ throws RepositoryException {
 if (aceBean.getRestrictions().isEmpty()) {
 return RestrictionsHolder.empty();
 }
-
- List restrictions = aceBean.getRestrictions();
- for (Restriction restriction : restrictions) {
- if (!supportedRestrictionNames.contains(restriction.getName())) {
- throw new IllegalStateException(
- "The AccessControlList at " + acl.getPath() + " does not support setting " + restriction.getName()
- + " restrictions!");
- }
- }
-
- RestrictionsHolder restrictionsHolder = new RestrictionsHolder(restrictions, session.getValueFactory(), acl);
- return restrictionsHolder;
+ // no need to check if restrictions are supported, Oak is lenient nowadays and does the proper checks internally
+ // see https://github.com/apache/jackrabbit-oak/blob/17281282fe82d0f0c4e86d0a42ecfb20bfe404e3/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java#L213
+ // also it supports non-mandatory restrictions like the ones from com.adobe.cq.dam.assetmetadatarestrictionprovider.impl.AssetMetadataRestrictionProvider
+ return new RestrictionsHolder(aceBean.getRestrictions(), session.getValueFactory(), acl);
 }

 /** Converts the given privilege names into a set of privilege objects.
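Review bot: The Javadoc context at the top of the hunk still carries `* @throws UnsupportedRepositoryOperationException` (and presumably `@throws ValueFormatException` just above it, outside the hunk) although the new signature declares only `RepositoryException`; those stale tags should go, leaving `* @throws RepositoryException if the value factory or the ACL cannot be accessed`. The deleted loop was also the only place that named the offending restriction together with `acl.getPath()`, so a misspelled or unsupported restriction name now fails, if at all, wherever the entry is added to the ACL, outside this method. Because a restriction is what narrows an allow entry, it is worth confirming at that call site that Oak rejects an unknown name rather than dropping it, and then stating the outcome in the added comment, e.g. `// unknown restriction names are rejected by Oak when the entry is added, never silently dropped`. The Javadoc block for getRestrictions starts outside the hunk.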
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/validators/exceptions/InvalidRepGlobException.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/validators/exceptions/InvalidRepGlobException.java
deleted file mode 100644
index 6a2751c5..00000000
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/validators/exceptions/InvalidRepGlobException.java
+++ /dev/null
@@ -1,23 +0,0 @@
-package biz.netcentric.cq.tools.actool.validators.exceptions;
-
-/*-
- * #%L
- * Access Control Tool Bundle
- * %%
- * Copyright (C) 2015 - 2024 Cognizant Netcentric
- * %%
- * This program and the accompanying materials are made
- * available under the terms of the Eclipse Public License 2.0
- * which is available at https://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- * #L%
- */
-
-public class InvalidRepGlobException extends AcConfigBeanValidationException {
-
- public InvalidRepGlobException(String message) {
- super(message);
- }
-
-}
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/validators/exceptions/InvalidRestrictionsException.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/validators/exceptions/InvalidRestrictionsException.java
deleted file mode 100644
index f8aad424..00000000
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/validators/exceptions/InvalidRestrictionsException.java
+++ /dev/null
@@ -1,23 +0,0 @@
-package biz.netcentric.cq.tools.actool.validators.exceptions;
-
-/*-
- * #%L
- * Access Control Tool Bundle
- * %%
- * Copyright (C) 2015 - 2024 Cognizant Netcentric
- * %%
- * This program and the accompanying materials are made
- * available under the terms of the Eclipse Public License 2.0
- * which is available at https://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- * #L%
- */
-
-public class InvalidRestrictionsException extends AcConfigBeanValidationException {
-
- public InvalidRestrictionsException(String message) {
- super(message);
- }
-
-}
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/validators/impl/AceBeanValidatorImpl.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/validators/impl/AceBeanValidatorImpl.java
index afa5e57d..c9598c58 100644
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/validators/impl/AceBeanValidatorImpl.java
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/validators/impl/AceBeanValidatorImpl.java
@@ -14,24 +14,17 @@
 * #L%
 */

-import java.util.Arrays;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Set;

-import javax.jcr.AccessDeniedException;
-import javax.jcr.RepositoryException;
 import javax.jcr.security.AccessControlManager;

 import org.apache.commons.lang3.StringUtils;
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import biz.netcentric.cq.tools.actool.aem.AcToolCqActions;
 import biz.netcentric.cq.tools.actool.configmodel.AceBean;
-import biz.netcentric.cq.tools.actool.configmodel.Restriction;
-import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
 import biz.netcentric.cq.tools.actool.validators.AceBeanValidator;
 import biz.netcentric.cq.tools.actool.validators.Validators;
 import biz.netcentric.cq.tools.actool.validators.exceptions.AcConfigBeanValidationException;
@@ -42,8 +35,6 @@ import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidJcrPrivilegeException;
 import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidPathException;
 import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidPermissionException;
-import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidRepGlobException;
-import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidRestrictionsException;
 import biz.netcentric.cq.tools.actool.validators.exceptions.NoActionOrPrivilegeDefinedException;
 import biz.netcentric.cq.tools.actool.validators.exceptions.NoGroupDefinedException;
 import biz.netcentric.cq.tools.actool.validators.exceptions.TooManyActionsException;
@@ -103,8 +94,6 @@ private boolean validate(AccessControlManager aclManager) throws AcConfigBeanVal
 throw new NoActionOrPrivilegeDefinedException(errorMessage);
 }

- validateRestrictions(this.aceBean, aclManager);
-
 return true;
 }

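Review bot: With the `validateRestrictions(this.aceBean, aclManager);` call removed from `validate` (third hunk), restriction names are no longer examined during configuration validation, so a misspelled name such as the `rep:Glob` case in the test config is first noticed when the entry is applied to the repository rather than when the configuration is checked. That is the intent of the installer change, but it is an undocumented gap for anyone who relies on validation alone; a sentence on `validate` would close it, e.g. `Restriction names are not validated here; the repository's restriction provider checks them when the entry is installed.` The `aclManager` parameter of `validate` may now be unused if nothing else in the method, which begins outside the hunk, references it; if so, say in the Javadoc why it is retained. The surviving `HashSet` and `Set` imports presumably still have other uses in the file.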
@@ -117,60 +106,6 @@ private void maintainBeanCounter() {
 previousAuthorizableId = aceBean.getAuthorizableId();
 }

- private boolean validateRestrictions(final AceBean tmpAceBean, final AccessControlManager aclManager)
- throws InvalidRepGlobException, InvalidRestrictionsException {
- boolean valid = true;
-
- final List restrictions = tmpAceBean.getRestrictions();
- if (restrictions.isEmpty()) {
- return true;
- }
-
- final Set restrictionNamesFromAceBean = new HashSet();
- for (Restriction restriction : restrictions) {
- restrictionNamesFromAceBean.add(restriction.getName());
- }
-
- final Set allowedRestrictionNames = getSupportedRestrictions(aclManager);
-
- if (!allowedRestrictionNames.containsAll(restrictionNamesFromAceBean)) {
- restrictionNamesFromAceBean.removeAll(allowedRestrictionNames);
- valid = false;
- final String errorMessage = getBeanDescription(this.currentBeanCounter,
- tmpAceBean.getAuthorizableId())
- + ", this repository doesn't support following restriction(s): "
- + restrictionNamesFromAceBean;
- throw new InvalidRestrictionsException(errorMessage);
- }
-
- return valid;
- }
-
- private Set getSupportedRestrictions(final AccessControlManager aclManager)
- throws InvalidRepGlobException {
- Set allowedRestrictions = new HashSet<>();
- try {
- final JackrabbitAccessControlList jacl = getJackrabbitAccessControlList(aclManager);
- allowedRestrictions = new HashSet<>(Arrays.asList(jacl.getRestrictionNames()));
- } catch (final RepositoryException e) {
- throw new InvalidRepGlobException("Could not get restriction names from ACL of path: " + this.aceBean.getJcrPath());
- }
- return allowedRestrictions;
- }
-
- private JackrabbitAccessControlList getJackrabbitAccessControlList(final AccessControlManager aclManager) throws RepositoryException, AccessDeniedException {
- JackrabbitAccessControlList jacl = null;
- // don't check paths containing wildcards
- if(!this.aceBean.getJcrPath().contains("*")){
- jacl = AccessControlUtils.getModifiableAcl(aclManager, this.aceBean.getJcrPath());
- }
- if(jacl == null){
- // root as fallback
- jacl = AccessControlUtils.getModifiableAcl(aclManager, "/");
- }
- return jacl;
- }
-
 private boolean validatePermission(final AceBean tmpAclBean) throws InvalidPermissionException {
 final String permission = tmpAclBean.getPermission();

diff --git a/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/validators/RestrictionValidationTest.java b/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/validators/RestrictionValidationTest.java
deleted file mode 100644
index 3c991836..00000000
--- a/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/validators/RestrictionValidationTest.java
+++ /dev/null
@@ -1,138 +0,0 @@ - -package biz.netcentric.cq.tools.actool.validators; - -/*- - * #%L - * Access Control Tool Bundle - * %% - * Copyright (C) 2015 - 2024 Cognizant Netcentric - * %% - * This program and the accompanying materials are made - * available under the terms of the Eclipse Public License 2.0 - * which is available at https://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 - * #L% - */ - -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.mockito.Mockito.doReturn; -import static org.mockito.Mockito.doThrow; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.withSettings; -import static org.mockito.MockitoAnnotations.initMocks; - -import java.io.IOException; -import java.util.ArrayList; -import java.util.LinkedHashMap; -import java.util.List; -import java.util.Set; - -import javax.jcr.RepositoryException; -import javax.jcr.Session; -import javax.jcr.security.AccessControlList; -import javax.jcr.security.AccessControlManager; -import javax.jcr.security.AccessControlPolicy; - -import org.apache.jackrabbit.api.security.JackrabbitAccessControlList; -import org.apache.sling.jcr.api.SlingRepository; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; -import org.mockito.InjectMocks; -import org.mockito.Mock; - -import biz.netcentric.cq.tools.actool.configmodel.AceBean; -import biz.netcentric.cq.tools.actool.configmodel.AuthorizableConfigBean; -import biz.netcentric.cq.tools.actool.configreader.ConfigReader; -import biz.netcentric.cq.tools.actool.configreader.TestAceBean; -import biz.netcentric.cq.tools.actool.configreader.TestYamlConfigReader; -import biz.netcentric.cq.tools.actool.validators.exceptions.AcConfigBeanValidationException; -import biz.netcentric.cq.tools.actool.validators.impl.AceBeanValidatorImpl; -import biz.netcentric.cq.tools.actool.validators.impl.AuthorizableValidatorImpl; - -/** Contains unit tests checking support of different restrictions 
- * - * @author jochenkoschorkej */ -public class RestrictionValidationTest { - - @Mock - SlingRepository repository; - - @Mock - Session session; - - @Mock - AccessControlList accessControlPolicy; - - @Mock - AccessControlManager accessControlManager; - - @InjectMocks - ConfigReader yamlConfigReader = new TestYamlConfigReader(); - - List aclList; - Set groupsFromConfig; - List aceBeanList = new ArrayList(); - List authorizableBeanList = new ArrayList(); - - @BeforeEach - public void setup() throws IOException, RepositoryException, - AcConfigBeanValidationException { - - initMocks(this); - doReturn(session).when(repository).loginService(null, null); - - accessControlPolicy = mock(AccessControlList.class, - withSettings().extraInterfaces(JackrabbitAccessControlList.class)); - - doReturn(accessControlManager).when(session).getAccessControlManager(); - doReturn(new AccessControlPolicy[] { accessControlPolicy }).when(accessControlManager).getPolicies("/"); - - doThrow(new RepositoryException("invalid permission")).when(accessControlManager).privilegeFromName("read"); - doThrow(new RepositoryException("invalid permission")).when(accessControlManager).privilegeFromName("jcr_all"); - } - - private void setupBeansFromTestYaml(final String path) throws IOException, AcConfigBeanValidationException, RepositoryException { - final List yamlList = ValidatorTestHelper.getYamlList(path); - final AuthorizableValidator authorizableValidator = new AuthorizableValidatorImpl("/home/groups", "/home/users"); - authorizableValidator.disable(); - groupsFromConfig = yamlConfigReader.getGroupConfigurationBeans( - yamlList, authorizableValidator).getAuthorizableIds(); - ValidatorTestHelper.createAuthorizableTestBeans(yamlList, yamlConfigReader, authorizableBeanList); - ValidatorTestHelper.createAceTestBeans(yamlList, yamlConfigReader, groupsFromConfig, aceBeanList, session); - } - - @Test - public void testAceBeansOnlyRepGlobRestrictionSupported() throws IOException, 
AcConfigBeanValidationException, RepositoryException { - doReturn(new String[] { "rep:glob" }).when((JackrabbitAccessControlList) accessControlPolicy).getRestrictionNames(); - setupBeansFromTestYaml("testRestrictionsConfigs/test-restrictions1.yaml"); - testExceptions(); - } - - @Test - public void testAceBeansOnlyNtNamesRestrictionSupported() throws IOException, AcConfigBeanValidationException, RepositoryException { - setupBeansFromTestYaml("testRestrictionsConfigs/test-restrictions2.yaml"); - doReturn(new String[] { "rep:ntNames" }).when((JackrabbitAccessControlList) accessControlPolicy).getRestrictionNames(); - testExceptions(); - } - - @Test - public void testAceBeansAllRestrictionsSupported() throws IOException, AcConfigBeanValidationException, RepositoryException { - setupBeansFromTestYaml("testRestrictionsConfigs/test-restrictions3.yaml"); - doReturn(new String[] { "rep:ntNames", "rep:glob", "rep:prefixes" }).when((JackrabbitAccessControlList) accessControlPolicy) - .getRestrictionNames(); - testExceptions(); - } - - private void testExceptions() { - final AceBeanValidator aceBeanValidator = new AceBeanValidatorImpl( - groupsFromConfig); - for (final AceBean aceBean : aceBeanList) { - assertEquals(((TestAceBean) aceBean).getAssertedExceptionString(), - ValidatorTestHelper.getSimpleValidationException(aceBean, aceBeanValidator, accessControlManager), - "Problem in bean " + aceBean); - - } - } - -} diff --git a/accesscontroltool-bundle/src/test/resources/testconfig.yaml b/accesscontroltool-bundle/src/test/resources/testconfig.yaml index 4c8e628d..bba40a37 100644 --- a/accesscontroltool-bundle/src/test/resources/testconfig.yaml +++ b/accesscontroltool-bundle/src/test/resources/testconfig.yaml @@ -285,7 +285,6 @@ rep:glob: test rep:ntNames: test rep:prefixes: test - assertedException: InvalidRestrictionsException #11 wrong restriction name. correct one would be rep:glob - path: /content 
@@ -293,7 +292,5 @@ actions: read restrictions: rep:Glob: /cq:* - assertedException: InvalidRestrictionsException - \ No newline at end of file