lockdown ACLs by default and add sync-service user (#251)

* lockdown ACLs by default and add sync-service user Co-authored-by: Ben Radey <[email protected]> Co-authored-by: Lisa Davidson <[email protected]>
redhataccess · Mar 11, 2020 · 71d6656 · 71d6656
1 parent 21ff033
commit 71d6656
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 8 deletions.
diff --git a/...rc/main/java/com/redhat/pantheon/asciidoctor/extension/SlingResourceIncludeProcessor.java b/...rc/main/java/com/redhat/pantheon/asciidoctor/extension/SlingResourceIncludeProcessor.java
@@ -90,7 +90,7 @@ private Resource resolveWithSymlinks(String path, Resource pathParent) {
             if (resource == null) {
                 return null;
             }
-            if ("pant:symlink".equals(resource.getResourceType())) {
+            if ("pantheon/symlink".equals(resource.getResourceType())) {
                 resource = resolveWithSymlinks(resource.getValueMap().get("pant:target", String.class), resource.getParent());
             }
         }

diff --git a/pantheon-bundle/src/main/resources/SLING-INF/nodetypes/nodetypes.cnd b/pantheon-bundle/src/main/resources/SLING-INF/nodetypes/nodetypes.cnd
@@ -43,7 +43,7 @@
     - sling:resourceType (string) = 'pantheon/module' mandatory autocreated
 
 [pant:moduleLocale] > nt:unstructured, sling:Resource, mix:referenceable, mix:created, mix:lastModified
- - sling:resourceType (string) = 'pantheon/moduleLocale' mandatory autocreated
+    - sling:resourceType (string) = 'pantheon/moduleLocale' mandatory autocreated
 
 [pant:moduleVersion] > nt:unstructured, sling:Resource, mix:referenceable, mix:created, mix:lastModified
     - sling:resourceType (string) = 'pantheon/moduleVersion' mandatory autocreated
@@ -54,6 +54,9 @@
 [pant:productVersion] > nt:unstructured, sling:Resource, mix:referenceable, mix:created, mix:lastModified
     - sling:resourceType (string) = 'pantheon/productVersion' mandatory autocreated
 
+[pant:symlink] > nt:unstructured
+    - sling:resourceType (string) = 'pantheon/symlink' mandatory autocreated
+
 // Base type for titles
 //[pant:title] > nt:unstructured, sling:Resource, mix:referenceable, mix:created, mix:lastModified
 //	- sling:resourceType (string) = 'pantheon/title' mandatory autocreated

diff --git a/...est/java/com/redhat/pantheon/asciidoctor/extension/SlingResourceIncludeProcessorTest.java b/...est/java/com/redhat/pantheon/asciidoctor/extension/SlingResourceIncludeProcessorTest.java
@@ -40,7 +40,7 @@ void resolveWithSymlinks() {
                 .resource("/realLocation/testFile/jcr:content",
                         JCR_DATA, "some included content")
                 .resource("/symlink",
-                        "sling:resourceType", "pant:symlink",
+                        "sling:resourceType", "pantheon/symlink",
                         "pant:target", "realLocation")
                 .commit();
 

diff --git a/pantheon-slingstart/src/main/provisioning/pantheon.txt b/pantheon-slingstart/src/main/provisioning/pantheon.txt
@@ -23,6 +23,7 @@
     create group pantheon-authors
     create group pantheon-publishers
     create service user pantheon
+    create user sync-service with password sync-service
 
     # Assign ACLs
     set ACL for pantheon
@@ -31,7 +32,7 @@
     end
 
     set ACL for pantheon-authors
-        allow jcr:all on /content/repositories
+        allow jcr:modifyProperties,jcr:read on /content/repositories
         allow jcr:write,jcr:nodeTypeManagement on /content/modules
         allow jcr:write,jcr:nodeTypeManagement on /content/sandbox
         allow jcr:read on /conf/pantheon
@@ -44,12 +45,22 @@
         deny jcr:modifyProperties on /content/repositories restriction(rep:ntNames,pant:moduleLocale)
         deny jcr:modifyProperties on /content/modules restriction(rep:ntNames,pant:moduleLocale)
         deny jcr:modifyProperties on /content/sandbox restriction(rep:ntNames,pant:moduleLocale)
+
+        deny jcr:modifyProperties on /content/repositories restriction(rep:ntNames,nt:resource)
+        deny jcr:modifyProperties on /content/repositories restriction(rep:ntNames,pant:symlink)
     end
 
     set ACL for pantheon-publishers
-        allow jcr:all on /content/repositories
+        allow jcr:removeNode,jcr:modifyProperties,jcr:read on /content/repositories
         allow jcr:write,jcr:nodeTypeManagement on /content/modules
         allow jcr:write,jcr:nodeTypeManagement on /content/products
         allow jcr:write,jcr:nodeTypeManagement on /content/sandbox
         allow jcr:read on /conf/pantheon
-    end
+
+        deny jcr:modifyProperties on /content/repositories restriction(rep:ntNames,nt:resource)
+        deny jcr:modifyProperties on /content/repositories restriction(rep:ntNames,pant:symlink)
+    end
+
+    set ACL for sync-service
+        allow jcr:all on /content/repositories
+    end
diff --git a/uploader/pantheon.py b/uploader/pantheon.py
@@ -243,8 +243,7 @@ def process_file(path, filetype):
                 _error('Absolute symlink paths are unsupported: ' + str(path) + ' -> ' + target)
             elif not args.dry:
                 symlinkData = {}
-                symlinkData['jcr:primaryType'] = 'nt:unstructured'
-                symlinkData['sling:resourceType'] = 'pant:symlink'
+                symlinkData['jcr:primaryType'] = 'pant:symlink'
                 symlinkData['pant:target'] = target
                 r = requests.post(url, headers=HEADERS, data=symlinkData, auth=(args.user, pw))
                 _print_response('symlink', path, r.status_code, r.reason)