From 71d66560038fd75cc4ee77ea155578a365a4c84e Mon Sep 17 00:00:00 2001
From: Joseph Marrero
Date: Wed, 11 Mar 2020 15:34:09 -0400
Subject: [PATCH] lockdown ACLs by default and add sync-service user (#251)

* lockdown ACLs by default and add sync-service user

Co-authored-by: Ben Radey
Co-authored-by: Lisa Davidson
---
 .../SlingResourceIncludeProcessor.java | 2 +-
 .../resources/SLING-INF/nodetypes/nodetypes.cnd | 5 ++++-
 .../SlingResourceIncludeProcessorTest.java | 2 +-
 .../src/main/provisioning/pantheon.txt | 17 ++++++++++++++---
 uploader/pantheon.py | 3 +-
 5 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/pantheon-bundle/src/main/java/com/redhat/pantheon/asciidoctor/extension/SlingResourceIncludeProcessor.java b/pantheon-bundle/src/main/java/com/redhat/pantheon/asciidoctor/extension/SlingResourceIncludeProcessor.java
index 537b66922..721aa2168 100644
--- a/pantheon-bundle/src/main/java/com/redhat/pantheon/asciidoctor/extension/SlingResourceIncludeProcessor.java
+++ b/pantheon-bundle/src/main/java/com/redhat/pantheon/asciidoctor/extension/SlingResourceIncludeProcessor.java
@@ -90,7 +90,7 @@ private Resource resolveWithSymlinks(String path, Resource pathParent) {
 if (resource == null) {
 return null;
 }
- if ("pant:symlink".equals(resource.getResourceType())) {
+ if ("pantheon/symlink".equals(resource.getResourceType())) {
 resource = resolveWithSymlinks(resource.getValueMap().get("pant:target", String.class), resource.getParent());
 }
 }
diff --git a/pantheon-bundle/src/main/resources/SLING-INF/nodetypes/nodetypes.cnd b/pantheon-bundle/src/main/resources/SLING-INF/nodetypes/nodetypes.cnd
index 9caf6f5d1..106e0647e 100644
--- a/pantheon-bundle/src/main/resources/SLING-INF/nodetypes/nodetypes.cnd
+++ b/pantheon-bundle/src/main/resources/SLING-INF/nodetypes/nodetypes.cnd
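Review bot: The recursion in resolveWithSymlinks has no hop limit or cycle check, so a symlink node whose pant:target leads back to itself, directly or through another symlink, would recurse until StackOverflowError, and a node with no pant:target property passes null into the recursive call. A bounded depth is a cheap guard: thread a counter through the call and bail out before the lookup, e.g. `if (depth >= MAX_SYMLINK_HOPS) { return null; }` (constant name is a proposal), and treat a missing target as unresolvable rather than recursing on null. The `"pantheon/symlink"` literal now lives in this class, the test and nodetypes.cnd; a single shared constant would keep the three from drifting again the way `pant:symlink` did. resolveWithSymlinks starts and ends outside the hunk.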
@@ -43,7 +43,7 @@
 - sling:resourceType (string) = 'pantheon/module' mandatory autocreated

 [pant:moduleLocale] > nt:unstructured, sling:Resource, mix:referenceable, mix:created, mix:lastModified
- - sling:resourceType (string) = 'pantheon/moduleLocale' mandatory autocreated
+ - sling:resourceType (string) = 'pantheon/moduleLocale' mandatory autocreated

 [pant:moduleVersion] > nt:unstructured, sling:Resource, mix:referenceable, mix:created, mix:lastModified
 - sling:resourceType (string) = 'pantheon/moduleVersion' mandatory autocreated
@@ -54,6 +54,9 @@
 [pant:productVersion] > nt:unstructured, sling:Resource, mix:referenceable, mix:created, mix:lastModified
 - sling:resourceType (string) = 'pantheon/productVersion' mandatory autocreated

+[pant:symlink] > nt:unstructured
+ - sling:resourceType (string) = 'pantheon/symlink' mandatory autocreated
+
 // Base type for titles
 //[pant:title] > nt:unstructured, sling:Resource, mix:referenceable, mix:created, mix:lastModified
 // - sling:resourceType (string) = 'pantheon/title' mandatory autocreated
diff --git a/pantheon-bundle/src/test/java/com/redhat/pantheon/asciidoctor/extension/SlingResourceIncludeProcessorTest.java b/pantheon-bundle/src/test/java/com/redhat/pantheon/asciidoctor/extension/SlingResourceIncludeProcessorTest.java
index 23a6be13d..262a27090 100644
--- a/pantheon-bundle/src/test/java/com/redhat/pantheon/asciidoctor/extension/SlingResourceIncludeProcessorTest.java
+++ b/pantheon-bundle/src/test/java/com/redhat/pantheon/asciidoctor/extension/SlingResourceIncludeProcessorTest.java
@@ -40,7 +40,7 @@ void resolveWithSymlinks() {
 .resource("/realLocation/testFile/jcr:content", JCR_DATA, "some included content")
 .resource("/symlink",
- "sling:resourceType", "pant:symlink",
+ "sling:resourceType", "pantheon/symlink",
 "pant:target", "realLocation")
 .commit();
diff --git a/pantheon-slingstart/src/main/provisioning/pantheon.txt b/pantheon-slingstart/src/main/provisioning/pantheon.txt
index f68ba8640..a65faf4f2 100644
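Review bot: The new `[pant:symlink]` type in the second hunk declares only `sling:resourceType`, so a symlink node can exist with no `pant:target` at all, and because it extends bare `nt:unstructured` it carries none of the `mix:created`/`mix:lastModified` audit properties every sibling type declares. Since the resolver follows `pant:target` and the new ACLs single this type out by name, the target belongs in the type contract: add ` - pant:target (string) mandatory` under the new definition, and append `mix:created, mix:lastModified` to its supertypes if a record of who created a link is wanted. In the first hunk the removed and added `moduleLocale` lines read identically here, which suggests a whitespace-only change; worth confirming that is intended.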
--- a/pantheon-slingstart/src/main/provisioning/pantheon.txt
+++ b/pantheon-slingstart/src/main/provisioning/pantheon.txt
@@ -23,6 +23,7 @@
 create group pantheon-authors
 create group pantheon-publishers
 create service user pantheon
+ create user sync-service with password sync-service

 # Assign ACLs
 set ACL for pantheon
@@ -31,7 +32,7 @@
 end

 set ACL for pantheon-authors
- allow jcr:all on /content/repositories
+ allow jcr:modifyProperties,jcr:read on /content/repositories
 allow jcr:write,jcr:nodeTypeManagement on /content/modules
 allow jcr:write,jcr:nodeTypeManagement on /content/sandbox
 allow jcr:read on /conf/pantheon
@@ -44,12 +45,22 @@
 deny jcr:modifyProperties on /content/repositories restriction(rep:ntNames,pant:moduleLocale)
 deny jcr:modifyProperties on /content/modules restriction(rep:ntNames,pant:moduleLocale)
 deny jcr:modifyProperties on /content/sandbox restriction(rep:ntNames,pant:moduleLocale)
+
+ deny jcr:modifyProperties on /content/repositories restriction(rep:ntNames,nt:resource)
+ deny jcr:modifyProperties on /content/repositories restriction(rep:ntNames,pant:symlink)
 end

 set ACL for pantheon-publishers
- allow jcr:all on /content/repositories
+ allow jcr:removeNode,jcr:modifyProperties,jcr:read on /content/repositories
 allow jcr:write,jcr:nodeTypeManagement on /content/modules
 allow jcr:write,jcr:nodeTypeManagement on /content/products
 allow jcr:write,jcr:nodeTypeManagement on /content/sandbox
 allow jcr:read on /conf/pantheon
- end
\ No newline at end of file
+
+ deny jcr:modifyProperties on /content/repositories restriction(rep:ntNames,nt:resource)
+ deny jcr:modifyProperties on /content/repositories restriction(rep:ntNames,pant:symlink)
+ end
+
+ set ACL for sync-service
+ allow jcr:all on /content/repositories
+ end
diff --git a/uploader/pantheon.py b/uploader/pantheon.py
index 9b1ca59c1..145e1b7bc 100755
--- a/uploader/pantheon.py
+++ b/uploader/pantheon.py
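Review bot: `create user sync-service with password sync-service` in the first hunk bakes a fixed, trivially guessable credential into the provisioning model, and the same commit grants that account `jcr:all on /content/repositories`, so every instance built from this file starts with a known full-access login until an operator changes it by hand. Create the account without the inline `with password` clause and set the password at deploy time from the environment's secret store, or at the very least add a comment on the line stating that it must be rotated before the instance is reachable. The uploader authenticates with a plain user/password pair, so the `create service user` form used for `pantheon` above is presumably not an option here; if it is, that would be the better shape.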
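Review bot: `allow jcr:all on /content/repositories` for sync-service in the third hunk is wider than an upload role needs: `jcr:all` includes `jcr:modifyAccessControl`, so a leaked sync credential can rewrite the very ACLs this commit tightens. The entry should name only the privileges the uploader's requests exercise, along the lines of `allow jcr:write,jcr:nodeTypeManagement on /content/repositories`, with the exact set confirmed against the uploader. The new `deny ... restriction(rep:ntNames,nt:resource)` and `pant:symlink` entries for authors and publishers cover only /content/repositories while both groups keep `jcr:write` on /content/modules and /content/sandbox; if binaries and symlinks are meant to stay editable in those trees, a comment beside the deny entries saying so would stop the next reader from treating it as an omission.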
@@ -243,8 +243,7 @@ def process_file(path, filetype):
 _error('Absolute symlink paths are unsupported: ' + str(path) + ' -> ' + target)
 elif not args.dry:
 symlinkData = {}
- symlinkData['jcr:primaryType'] = 'nt:unstructured'
- symlinkData['sling:resourceType'] = 'pant:symlink'
+ symlinkData['jcr:primaryType'] = 'pant:symlink'
 symlinkData['pant:target'] = target
 r = requests.post(url, headers=HEADERS, data=symlinkData, auth=(args.user, pw))
 _print_response('symlink', path, r.status_code, r.reason)
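Review bot: `target` is posted as `pant:target` with only the absolute-path rejection shown above, so a relative filesystem symlink that climbs with `..` is stored verbatim and later resolved server-side against the symlink node's parent; nothing in the hunk keeps the target inside the uploaded tree. If links are meant to stay within the repository, reject such targets before the POST, e.g. `if '..' in target.split('/'): _error('Symlink target escapes the repository: ' + str(path) + ' -> ' + target)`, mirroring the existing absolute-path check. Setting `jcr:primaryType` to `pant:symlink` also makes the upload depend on that node type being registered on the server, and since the response from `requests.post` is only handed to `_print_response`, an older server rejecting the type would presumably not stop the run. process_file starts before this hunk.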