DHFPROD-4558: Changing order of deploying PPs and QRs

See comments/assertions for why this is being done.

Author: rjrudin

marklogic-data-hub/src/main/java/com/marklogic/hub/dhs/DhsDeployer.java

@@ -185,7 +185,16 @@ protected List<Command> buildCommandsForDeveloper(HubConfig hubConfig) {
         commands.add(new LoadSchemasCommand());
         commands.add(new DeployScheduledTasksCommand());
 
-        commands.add(new DeployProtectedPathsCommand());
+        /**
+         * Have run into an odd problem where when a user without the "security" role deploys QRs immediately after
+         * deploying PPs, the PPs don't work. Deploying PPs immediately after QRs does result in the PPs working. Or,
+         * deploying QRs some amount of time after deploying PPs works as well. So in this context, PPs are deployed
+         * after everything else is done, and QRs are deployed first based on the default sort order of the command.
+         */
+        DeployProtectedPathsCommand pathsCommand = new DeployProtectedPathsCommand();
+        pathsCommand.setExecuteSortOrder(Integer.MAX_VALUE);
+        commands.add(pathsCommand);
+
         commands.add(new DeployHubQueryRolesetsCommand());
 
         return commands;

marklogic-data-hub/src/main/resources/hub-internal-config/security/roles/data-hub-developer.json

@@ -28,11 +28,41 @@
       "action": "http://marklogic.com/xdmp/privileges/create-trigger",
       "kind": "execute"
     },
+    {
+      "privilege-name": "database-node-query-rolesets",
+      "action": "http://marklogic.com/xdmp/privileges/database-node-query-rolesets",
+      "kind": "execute"
+    },
     {
       "privilege-name": "get-system-logs",
       "action": "http://marklogic.com/xdmp/privileges/logs/system",
       "kind": "execute"
     },
+    {
+      "privilege-name": "node-query-rolesets",
+      "action": "http://marklogic.com/xdmp/privileges/node-query-rolesets",
+      "kind": "execute"
+    },
+    {
+      "privilege-name": "path-add-permissions",
+      "action": "http://marklogic.com/xdmp/privileges/path-add-permissions",
+      "kind": "execute"
+    },
+    {
+      "privilege-name": "path-get-permissions",
+      "action": "http://marklogic.com/xdmp/privileges/path-get-permissions",
+      "kind": "execute"
+    },
+    {
+      "privilege-name": "path-remove-permissions",
+      "action": "http://marklogic.com/xdmp/privileges/path-remove-permissions",
+      "kind": "execute"
+    },
+    {
+      "privilege-name": "path-set-permissions",
+      "action": "http://marklogic.com/xdmp/privileges/path-set-permissions",
+      "kind": "execute"
+    },
     {
       "privilege-name": "protect-path",
       "action": "http://marklogic.com/xdmp/privileges/protect-path",
@@ -57,6 +87,11 @@
       "privilege-name": "temporal-admin",
       "action": "http://marklogic.com/xdmp/privileges/temporal-admin",
       "kind": "execute"
+    },
+    {
+      "privilege-name": "unprotect-path",
+      "action": "http://marklogic.com/xdmp/privileges/unprotect-path",
+      "kind": "execute"
     }
   ]
 }

marklogic-data-hub/src/test/java/com/marklogic/hub/dhs/DeployAsDeveloperTest.java

@@ -18,9 +18,9 @@
 import com.marklogic.hub.DatabaseKind;
 import com.marklogic.hub.HubConfig;
 import com.marklogic.hub.HubTestBase;
-import com.marklogic.hub.dhs.installer.deploy.DeployHubQueryRolesetsCommand;
 import com.marklogic.hub.deploy.commands.LoadUserArtifactsCommand;
 import com.marklogic.hub.deploy.commands.LoadUserModulesCommand;
+import com.marklogic.hub.dhs.installer.deploy.DeployHubQueryRolesetsCommand;
 import com.marklogic.hub.impl.HubConfigImpl;
 import com.marklogic.hub.impl.HubProjectImpl;
 import org.junit.jupiter.api.BeforeEach;
@@ -172,7 +172,6 @@ public void buildCommandList() {
         List<Command> commands = new DhsDeployer().buildCommandsForDeveloper(hubConfig);
         Collections.sort(commands, Comparator.comparing(Command::getExecuteSortOrder));
         int index = 0;
-        assertTrue(commands.get(index++) instanceof DeployProtectedPathsCommand);
         assertTrue(commands.get(index++) instanceof DeployHubQueryRolesetsCommand);
         assertTrue(commands.get(index++) instanceof DeployOtherDatabasesCommand);
         assertTrue(commands.get(index++) instanceof LoadSchemasCommand);
@@ -185,16 +184,22 @@ public void buildCommandList() {
         assertTrue(commands.get(index++) instanceof DeployAlertConfigsCommand);
         assertTrue(commands.get(index++) instanceof DeployAlertActionsCommand);
         assertTrue(commands.get(index++) instanceof DeployAlertRulesCommand);
+        assertTrue(commands.get(index++) instanceof DeployProtectedPathsCommand);
         assertEquals(13, commands.size(),
             "As of ML 10.0-3, the granular privilege for indexes doesn't seem to work with XML payloads. " +
                 "Bug https://bugtrack.marklogic.com/54231 has been created to track that. Thus, " +
                 "DeployDatabaseFieldCommand cannot be included and ml-config/database-fields/final-database.xml " +
                 "cannot be processed.");
 
-        DeployOtherDatabasesCommand dodc = (DeployOtherDatabasesCommand) commands.get(2);
+        DeployOtherDatabasesCommand dodc = (DeployOtherDatabasesCommand) commands.get(1);
         ResourceFilenameFilter filter = (ResourceFilenameFilter) dodc.getResourceFilenameFilter();
         assertEquals("(staging|final|job)-database.json", filter.getIncludePattern().pattern(),
             "DHS users aren't allowed to create their own databases, so the command for deploying databases is restricted " +
                 "to only updating the 3 known databases");
+
+        DeployProtectedPathsCommand pathsCommand = (DeployProtectedPathsCommand) commands.get(commands.size() - 1);
+        assertEquals(Integer.MAX_VALUE, pathsCommand.getExecuteSortOrder(),
+            "The PPs command is executed last to avoid the timing issue that occurs when a user without the 'security' " +
+                "role deploys PPs and then QRs immediately afterwards");
     }
 }

marklogic-data-hub/src/test/java/com/marklogic/hub/security/DataHubDeveloperTest.java

@@ -6,6 +6,8 @@
 import com.marklogic.mgmt.SaveReceipt;
 import com.marklogic.mgmt.api.database.Database;
 import com.marklogic.mgmt.api.database.GeospatialElementIndex;
+import com.marklogic.mgmt.api.security.Role;
+import com.marklogic.mgmt.api.security.RolePrivilege;
 import com.marklogic.mgmt.api.security.protectedpath.Permission;
 import com.marklogic.mgmt.api.security.protectedpath.ProtectedPath;
 import com.marklogic.mgmt.api.security.queryroleset.QueryRoleset;
@@ -16,6 +18,7 @@
 import com.marklogic.mgmt.resource.alert.AlertRuleManager;
 import com.marklogic.mgmt.resource.security.ProtectedPathManager;
 import com.marklogic.mgmt.resource.security.QueryRolesetManager;
+import com.marklogic.mgmt.resource.security.RoleManager;
 import com.marklogic.mgmt.resource.tasks.TaskManager;
 import com.marklogic.mgmt.resource.temporal.TemporalAxesManager;
 import com.marklogic.mgmt.resource.temporal.TemporalCollectionManager;
@@ -87,6 +90,8 @@ public void task9ConfigureBitemporal() throws IOException {
 
     @Test
     public void task10CreateProtectedPaths() throws Exception {
+        verifyRoleHasAllProtectedPathAndQueryRolesetPrivileges();
+
         final String pathExpression = "/some/path";
         ProtectedPath path = new ProtectedPath(pathExpression);
         path.setPermission(Arrays.asList(new com.marklogic.mgmt.api.security.protectedpath.Permission("rest-reader", "read")));
@@ -116,6 +121,30 @@ public void task10CreateProtectedPaths() throws Exception {
         }
     }
 
+    private void verifyRoleHasAllProtectedPathAndQueryRolesetPrivileges() {
+        Role role = resourceMapper.readResource(new RoleManager(adminUserClient).getPropertiesAsJson("data-hub-developer"), Role.class);
+        List<RolePrivilege> privileges = role.getPrivilege();
+        Arrays.asList("protect-path", "remove-path", "unprotect-path", "path-add-permissions", "path-get-permissions", "path-remove-permissions",
+            "path-set-permissions", "add-query-rolesets", "remove-query-rolesets", "database-node-query-rolesets", "node-query-rolesets")
+            .stream().forEach(privilegeName -> {
+
+            boolean found = false;
+            for (RolePrivilege rp : privileges) {
+                if (privilegeName.equals(rp.getPrivilegeName())) {
+                    found = true;
+                    break;
+                }
+            }
+            assertTrue(found, "Did not find privilege: " + privilegeName + ". Due to the odd issue with protected paths " +
+                "not working if query rolesets are deployed immediately after protected paths by a user without the " +
+                "'security' role, all privileges related to PPs and QRs are granted to the data-hub-developer role to " +
+                "minimize the chance of some other mysterious issue popping up. The Manage API appears to allow for " +
+                "PPs to be deployed and deleted with just protect-path and remove-path, and for QRs to be deployed " +
+                "and deleted with just add-query-rolesets and remove-query-rolesets, but we're granting all the privileges " +
+                "just to be safe.");
+        });
+    }
+
     @Test
     void task10CreateQueryRolesets() {
         final QueryRolesetManager mgr = new QueryRolesetManager(userWithRoleBeingTestedClient);