Merge branch 'release/1.7.0'

Author: kwin

README.md

@@ -54,7 +54,8 @@ Overall format
      - isMemberOf: comma separated list of other groups
      - members: comma separated list of groups that are member of this group
      - description: (optional, description)
-     - path: ?
+     - path: (optional, path of the group in JCR)
+     - migrateFrom: (optional, a group name assigned member users are taken over from, available from v1.7)
 ```
 
 Example
@@ -69,6 +70,8 @@ If the isMemberOf property of a group contains a group which is not yet installe
 
 The members property contains a list of groups where this group is added as isMemberOf.
 
+The property 'migrateFrom' allows to migrate a group name without loosing their members (members of the group given in migrateFrom are taken over and the source=old group deleted afterwards). This property is only to be used temporarily (usually only included in one released version that travels all environments, once all groups are migrated the config should be removed). If not set (the default) nothing happens. If the property points to a group that does not exist (anymore), the property is ignored.
+
 ## Configuration of users
 
 In general it is best practice to not generate regular users by the AC Tool but use other mechanism (e.g. LDAP) to create users. However, it can be useful to create system users (e.g. for replication agents or OSGi service authentiation) or test users on staging environments.
@@ -84,13 +87,14 @@ Users can be configured in the same way as groups in the **user_config** section
 
 The configurations are done per principal followed by indented informations which comprise of config data which represents the settings per ACE. This data includes
 
-property | comment | optional
+property | comment | required
 --- | --- | ---
-path | a node path. Wildcards `*` are possible. e.g. assuming we have the language trees de and en then `/content/*./test` would match: `/content/de/test` and `/content/en/test` (mandatory). If an asterisk is contained then the path has to be written inside single quotes (`'...'`) since this symbol is a functional character in YAML. | no
-permission | the permission (either `allow` or `deny`) | no
-actions | the actions (`read,modify,create,delete,acl_read,acl_edit,replicate`). Reference: <http://docs.adobe.com/docs/en/cq/current/administering/security.html#Actions> | no, either actions or privileges; also a mix of both is possible
-privileges | the privileges (`jcr:read, rep:write, jcr:all, crx:replicate, jcr:addChildNodes, jcr:lifecycleManagement, jcr:lockManagement, jcr:modifyAccessControl, jcr:modifyProperties, jcr:namespaceManagement, jcr:nodeTypeDefinitionManagement, jcr:nodeTypeManagement, jcr:readAccessControl, jcr:removeChildNodes, jcr:removeNode, jcr:retentionManagement, jcr:versionManagement, jcr:workspaceManagement, jcr:write, rep:privilegeManagement`). References: <http://jackrabbit.apache.org/oak/docs/security/privilege.html> <http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html#16.2.3%20Standard%20Privileges> | no
-repGlob |a repGlob expression | yes
+path | a node path. Wildcards `*` are possible. e.g. assuming we have the language trees de and en then `/content/*./test` would match: `/content/de/test` and `/content/en/test` (mandatory). If an asterisk is contained then the path has to be written inside single quotes (`'...'`) since this symbol is a functional character in YAML. | yes
+permission | the permission (either `allow` or `deny`) | yes
+actions | the actions (`read,modify,create,delete,acl_read,acl_edit,replicate`). Reference: <http://docs.adobe.com/docs/en/cq/current/administering/security.html#Actions> | either actions or privileges need to be present; also a mix of both is possible
+privileges | the privileges (`jcr:read, rep:write, jcr:all, crx:replicate, jcr:addChildNodes, jcr:lifecycleManagement, jcr:lockManagement, jcr:modifyAccessControl, jcr:modifyProperties, jcr:namespaceManagement, jcr:nodeTypeDefinitionManagement, jcr:nodeTypeManagement, jcr:readAccessControl, jcr:removeChildNodes, jcr:removeNode, jcr:retentionManagement, jcr:versionManagement, jcr:workspaceManagement, jcr:write, rep:privilegeManagement`). References: <http://jackrabbit.apache.org/oak/docs/security/privilege.html> <http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html#16.2.3%20Standard%20Privileges> | either actions or privileges need to be present; also a mix of both is possible
+repGlob |a repGlob expression | no
+initialContent | Allows to specify docview xml to create the path if it does not exist. The namespaces for jcr, sling and cq are added automatically if not provided to keep xml short. Initial content must only be specified exactly once per path (this is validated). If paths without permissions should be created, it is possible to provide only a path/initialContent tuple. Available form version 1.7.0. | no
 
 Every new data entry starts with a "-". 
 
@@ -102,8 +106,9 @@ Overall format
    - path: a valid node path in CRX
      permission: [allow/deny]
      actions: actions string
-     privileges: privileges string (optional)
-     repGlob: regex (optional, path restriction as regular expression)
+     privileges: privileges string  
+     repGlob: regex    (optional, path restriction as regular expression)
+     initialContent: <jcr:root jcr:primaryType="sling:Folder">   (optional)
 ```
 
 Only ACEs for groups which are defined in the same configuration file can be installed! This ensures a consistency between the groups and their ACE definitions per configuration file.

accesscontroltool-bundle/pom.xml

@@ -11,7 +11,7 @@
     <parent>
         <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
         <artifactId>accesscontroltool</artifactId>
-        <version>1.6.2</version>
+        <version>1.7.0</version>
     </parent>
 
     <!-- ====================================================================== -->

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceservice/impl/AceServiceImpl.java

@@ -10,6 +10,7 @@
 
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.HashSet;
 import java.util.LinkedHashSet;
 import java.util.List;
@@ -22,6 +23,8 @@
 import javax.jcr.UnsupportedRepositoryOperationException;
 import javax.jcr.ValueFormatException;
 
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.time.StopWatch;
 import org.apache.felix.scr.annotations.Activate;
 import org.apache.felix.scr.annotations.Component;
@@ -120,17 +123,49 @@ private void installConfigurationFromYamlList(
             LOG.error(message);
             throw new IllegalArgumentException(message);
         }
-        removeAcesForAuthorizable(history, session, authorizablesMapfromConfig.keySet(), repositoryDumpAceMap);
+
+        Set<String> authorizablesToRemoveAcesFor = getAuthorizablesToRemoveAcesFor(authorizablesMapfromConfig);
+
+        removeAcesForAuthorizables(history, session, authorizablesToRemoveAcesFor, repositoryDumpAceMap);
         installAuthorizables(history, authorizableHistorySet, authorizablesMapfromConfig);
         installAces(history, session, aceMapFromConfig);
     }
-    
-    private void removeAcesForAuthorizable(AcInstallationHistoryPojo history, Session session, Set<String> authorizablesSet, Map<String, Set<AceBean>> repositoryDumpAceMap) throws UnsupportedRepositoryOperationException, RepositoryException {
-    	// loop through all ACLs found in the repository
+
+    private Set<String> getAuthorizablesToRemoveAcesFor(Map<String, LinkedHashSet<AuthorizableConfigBean>> authorizablesMapfromConfig) {
+        Set<String> authorizablesToRemoveAcesFor = new HashSet<String>(authorizablesMapfromConfig.keySet());
+        Set<String> authorizablesToBeMigrated = collectAuthorizablesToBeMigrated(authorizablesMapfromConfig);
+        Collection<?> invalidAuthorizablesInConfig = CollectionUtils.intersection(authorizablesToRemoveAcesFor, authorizablesToBeMigrated);
+        if (!invalidAuthorizablesInConfig.isEmpty()) {
+            String message = "If migrateFrom feature is used, groups that shall be migrated from must not be present in regular configuration (offending groups: "
+                    + invalidAuthorizablesInConfig + ")";
+            LOG.error(message);
+            throw new IllegalArgumentException(message);
+        }
+        authorizablesToRemoveAcesFor.addAll(authorizablesToBeMigrated);
+        return authorizablesToRemoveAcesFor;
+    }
+
+    private Set<String> collectAuthorizablesToBeMigrated(Map<String, LinkedHashSet<AuthorizableConfigBean>> authorizablesMapfromConfig) {
+        Set<String> authorizablesToBeMigrated = new HashSet<String>();
+        for (String principalStr : authorizablesMapfromConfig.keySet()) {
+            LinkedHashSet<AuthorizableConfigBean> authorizableConfigBeans = authorizablesMapfromConfig.get(principalStr);
+            for (AuthorizableConfigBean authorizableConfigBean : authorizableConfigBeans) {
+                String migrateFrom = authorizableConfigBean.getMigrateFrom();
+                if (StringUtils.isNotBlank(migrateFrom)) {
+                    authorizablesToBeMigrated.add(migrateFrom);
+                }
+            }
+        }
+        return authorizablesToBeMigrated;
+    }
+
+    private void removeAcesForAuthorizables(AcInstallationHistoryPojo history, Session session, Set<String> authorizablesSet,
+            Map<String, Set<AceBean>> repositoryDumpAceMap) throws UnsupportedRepositoryOperationException, RepositoryException {
+        // loop through all ACLs found in the repository
         for (Map.Entry<String, Set<AceBean>> entry : repositoryDumpAceMap.entrySet()) {
             Set<AceBean> acl = entry.getValue();
             for (AceBean aceBean : acl) {
-                // if the ACL form repo contains an ACE regarding an
+                // if the ACL from repo contains an ACE regarding an
                 // authorizable from the groups config then delete all ACEs from
                 // this authorizable from current ACL
                 if (authorizablesSet.contains(aceBean.getPrincipalName())) {
@@ -163,7 +198,7 @@ private void installAuthorizables(
             AcInstallationHistoryPojo history,
             Set<AuthorizableInstallationHistory> authorizableHistorySet,
             Map<String, LinkedHashSet<AuthorizableConfigBean>> authorizablesMapfromConfig)
-            throws RepositoryException, Exception {
+                    throws RepositoryException, Exception {
         // --- installation of Authorizables from configuration ---
 
         LOG.info("--- start installation of Authorizable Configuration ---");
@@ -198,7 +233,7 @@ private void installAuthorizables(
             }
         }
 
-        String message = "finished installation of groups configuration without errors!";
+        String message = "Finished installation of groups configuration without errors";
         history.addMessage(message);
         LOG.info(message);
     }
@@ -256,7 +291,7 @@ public AcInstallationHistoryPojo execute() {
     public void installNewConfigurations(Session session,
             AcInstallationHistoryPojo history,
             Map<String, String> newestConfigurations, Set<AuthorizableInstallationHistory> authorizableInstallationHistorySet)
-            throws Exception {
+                    throws Exception {
 
         StopWatch sw = new StopWatch();
         sw.start();

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceservicejmx/impl/AceServiceMBeanImpl.java

@@ -15,23 +15,23 @@
 import org.apache.commons.lang.time.StopWatch;
 import org.apache.felix.scr.annotations.Component;
 import org.apache.felix.scr.annotations.Properties;
+import org.apache.felix.scr.annotations.Property;
 import org.apache.felix.scr.annotations.Reference;
 import org.apache.felix.scr.annotations.Service;
-import org.apache.felix.scr.annotations.Property;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.adobe.granite.jmx.annotation.AnnotatedStandardMBean;
-
 import biz.netcentric.cq.tools.actool.aceservice.AceService;
 import biz.netcentric.cq.tools.actool.aceservicejmx.AceServiceMBean;
 import biz.netcentric.cq.tools.actool.dumpservice.Dumpservice;
 import biz.netcentric.cq.tools.actool.installationhistory.AcHistoryService;
 
+import com.adobe.granite.jmx.annotation.AnnotatedStandardMBean;
+
 @Service
 @Component(immediate = true)
 @Properties({
-        @Property(name = "jmx.objectname", value = "biz.netcentric.cq.tools.actool:id='ac installation'"),
+        @Property(name = "jmx.objectname", value = "biz.netcentric.cq.tools:type=ACTool"),
         @Property(name = "pattern", value = "/.*") })
 public class AceServiceMBeanImpl extends AnnotatedStandardMBean implements
         AceServiceMBean {

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableutils/AuthorizableConfigBean.java

@@ -32,6 +32,8 @@ public class AuthorizableConfigBean implements AcDumpElement {
     private String path;
     private String password;
 
+    private String migrateFrom;
+
     private boolean isGroup = true;
     private boolean isSystemUser = false;
 
@@ -186,6 +188,20 @@ public void setPath(final String path) {
         this.path = path;
     }
 
+    public String getMigrateFrom() {
+        return migrateFrom;
+    }
+
+    /** Set a group name, from which the users are taken over to this group. The group given is deleted after the run. This property is only
+     * to be used temporarily (usually only included in one released version that travels all environments, once all groups are migrated the
+     * config should be removed). If not set (the default) nothing happens. If the property points to a group that does not exist (anymore),
+     * the property is ignored.
+     * 
+     * @param migrateFrom */
+    public void setMigrateFrom(String migrateFrom) {
+        this.migrateFrom = migrateFrom;
+    }
+
     @Override
     public String toString() {
         final StringBuilder sb = new StringBuilder();