Merge pull request #540 from Netcentric/bugfix/535-ensure_the_JMX_purge_authorizable_actions_never_purge_system_groups/users

#535 Ensure the JMX purge authorizable actions never purge system groups/users

Author: ghenzler

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java

@@ -8,6 +8,8 @@
  */
 package biz.netcentric.cq.tools.actool.authorizableinstaller.impl;
 
+import static biz.netcentric.cq.tools.actool.helper.Constants.PRINCIPAL_EVERYONE;
+
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.cert.Certificate;
@@ -78,8 +80,6 @@ public class AuthorizableInstallerServiceImpl implements
 
     private static final String PATH_SEGMENT_SYSTEMUSERS = "system";
 
-    private static final String PRINCIPAL_EVERYONE = "everyone";
-
     // not using org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext.REP_EXTERNAL_ID since it is an
     // optional dependency and not available in AEM 6.1
     public static final String REP_EXTERNAL_ID = "rep:externalId";

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/helper/Constants.java

@@ -33,7 +33,8 @@ private Constants() {
             OBSOLETE_AUTHORIZABLES_KEY));
 
     public static final String USER_ANONYMOUS = "anonymous";
-
+    public static final String PRINCIPAL_EVERYONE = "everyone";
+    
     public static final String GROUPS_ROOT = "/home/groups";
     public static final String USERS_ROOT = "/home/users";
 

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/helper/PurgeHelper.java

@@ -8,67 +8,44 @@
  */
 package biz.netcentric.cq.tools.actool.helper;
 
-import static biz.netcentric.cq.tools.actool.history.PersistableInstallationLogger.msHumanReadable;
-
-import java.util.Iterator;
-import java.util.Set;
-
-import javax.jcr.AccessDeniedException;
 import javax.jcr.Node;
 import javax.jcr.NodeIterator;
-import javax.jcr.PathNotFoundException;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
-import javax.jcr.UnsupportedRepositoryOperationException;
-import javax.jcr.lock.LockException;
 import javax.jcr.query.Query;
 import javax.jcr.query.QueryResult;
-import javax.jcr.security.AccessControlEntry;
-import javax.jcr.security.AccessControlException;
 import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.AccessControlPolicy;
-import javax.jcr.version.VersionException;
 
 import org.apache.commons.lang3.StringUtils;
-import org.apache.commons.lang3.time.StopWatch;
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
-import org.apache.sling.api.resource.Resource;
-import org.apache.sling.api.resource.ResourceResolver;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 public class PurgeHelper {
     public static final Logger LOG = LoggerFactory.getLogger(PurgeHelper.class);
 
-
-    public static String purgeACLs(final Session session, final String path)
-            throws Exception {
+    public static String purgeACLs(final Session session, final String path) throws RepositoryException {
 
         StringBuilder message = new StringBuilder();
         if (StringUtils.isNotBlank(path)) {
             String queryString = "/jcr:root" + path.trim() + "//rep:policy";
-            Query query = session.getWorkspace().getQueryManager()
-                    .createQuery(queryString, Query.XPATH);
+            Query query = session.getWorkspace().getQueryManager().createQuery(queryString, Query.XPATH);
             QueryResult result = query.execute();
             NodeIterator nodeIterator = result.getNodes();
 
-            AccessControlManager accessManager = session
-                    .getAccessControlManager();
+            AccessControlManager accessManager = session.getAccessControlManager();
 
             while (nodeIterator.hasNext()) {
                 Node res = nodeIterator.nextNode().getParent();
                 if (res != null) {
-                    AccessControlPolicy[] policies = accessManager
-                            .getPolicies(res.getPath());
+                    AccessControlPolicy[] policies = accessManager.getPolicies(res.getPath());
                     for (int j = 0; j < policies.length; j++) {
                         accessManager.removePolicy(res.getPath(), policies[j]);
                     }
-                    message.append("Removed all policies from node "
-                            + res.getPath() + ".\n");
+                    message.append("Removed all policies from node " + res.getPath() + ".\n");
                 }
             }
-            message.append("\n\nCompleted removing ACLs from path: " + path
-                    + " and it's subpaths!");
+            message.append("\n\nCompleted removing ACLs from path: " + path + " and it's subpaths!");
         }
 
         session.save();
@@ -77,98 +54,18 @@ public static String purgeACLs(final Session session, final String path)
     }
 
     public static void purgeAcl(final Session session, final String path)
-            throws Exception {
+            throws RepositoryException {
 
         if (StringUtils.isNotBlank(path)) {
-            AccessControlManager accessManager = session
-                    .getAccessControlManager();
+            AccessControlManager accessManager = session.getAccessControlManager();
             Node node = session.getNode(path);
 
-            AccessControlPolicy[] policies = accessManager.getPolicies(node
-                    .getPath());
+            AccessControlPolicy[] policies = accessManager.getPolicies(node.getPath());
             for (int i = 0; i < policies.length; i++) {
                 accessManager.removePolicy(node.getPath(), policies[i]);
-                AcHelper.LOG.info("Removed all policies from node "
-                        + node.getPath() + ".\n");
+                LOG.info("Removed all policies from node {}", node.getPath());
             }
         }
     }
 
-    public static void purgeACLs(final ResourceResolver resourceResolver,
-            final String[] paths) throws Exception {
-        Session session = resourceResolver.adaptTo(Session.class);
-
-        for (int i = 0; i < paths.length; i++) {
-            if (StringUtils.isNotBlank(paths[i])) {
-                String query = "/jcr:root" + paths[i].trim() + "//rep:policy";
-                Iterator<Resource> results = resourceResolver.findResources(
-                        query, Query.XPATH);
-                AccessControlManager accessManager = session
-                        .getAccessControlManager();
-
-                while (results.hasNext()) {
-                    Resource res = results.next().getParent();
-                    if (res != null) {
-                        AccessControlPolicy[] policies = accessManager
-                                .getPolicies(res.getPath());
-                        for (int j = 0; j < policies.length; j++) {
-                            accessManager.removePolicy(res.getPath(),
-                                    policies[j]);
-                        }
-                    }
-                }
-            }
-        }
-        session.save();
-    }
-
-    public static String deleteAcesForPrincipalIds(final Session session,
-            final Set<String> principalIds, final Set<AclBean> aclBeans)
-            throws UnsupportedRepositoryOperationException,
-            RepositoryException, AccessControlException, PathNotFoundException,
-            AccessDeniedException, LockException, VersionException {
-
-        StopWatch sw = new StopWatch();
-        sw.start();
-        StringBuilder message = new StringBuilder();
-        AccessControlManager aMgr = session.getAccessControlManager();
-        long aceCounter = 0;
-
-        for (AclBean aclBean : aclBeans) {
-            if (aclBean == null) {
-                continue;
-            }
-
-            JackrabbitAccessControlList acl = aclBean.getAcl();
-            for (AccessControlEntry ace : acl.getAccessControlEntries()) {
-                String principalId = ace.getPrincipal().getName();
-                if (principalIds.contains(principalId)) {
-                    String parentNodePath = aclBean.getParentPath();
-                    acl.removeAccessControlEntry(ace);
-                    boolean aclEmpty = acl.isEmpty();
-                    if (!aclEmpty) {
-                        aMgr.setPolicy(aclBean.getParentPath(), acl);
-                    } else {
-                        aMgr.removePolicy(aclBean.getParentPath(), acl);
-                    }
-
-                    String msg = "Path " + parentNodePath + ": Removed entry for '" + principalId + "' from ACL "
-                            + (aclEmpty ? " (and the now emtpy ACL itself)" : "");
-                    LOG.info(msg);
-                    message.append(msg + "\n");
-                    aceCounter++;
-                }
-            }
-
-        }
-        sw.stop();
-        String executionTime = msHumanReadable(sw.getTime());
-        String resultMsg = (aceCounter > 0)
-                ? "Deleted " + aceCounter + " ACEs for " + principalIds.size() + " principals in " + executionTime
-                : "Did not delete any ACEs";
-        message.append(resultMsg + "\n");
-        LOG.debug(resultMsg);
-
-        return message.toString();
-    }
 }

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/AcHistoryService.java

@@ -16,10 +16,9 @@ public interface AcHistoryService {
 
     public void persistAcePurgeHistory(PersistableInstallationLogger history);
 
-    /**
-     * Returns history items of previous runs
-     * @return Set of AcToolExecutions
-     */
+    /** Returns history items of previous runs
+     * 
+     * @return Set of AcToolExecutions */
     public List<AcToolExecution> getAcToolExecutions();
 
     public String getLastInstallationHistory();
@@ -28,10 +27,8 @@ public interface AcHistoryService {
 
     public boolean wasLastPersistHistoryCallSuccessful();
 
-    /**
-     * @deprecated Use {@link #getAcToolExecutions()} instead
-     * @return
-     */
+    /** @deprecated Use {@link #getAcToolExecutions()} instead
+     * @return */
     public String[] getInstallationLogPaths();
-    
+
 }

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/impl/AcHistoryServiceImpl.java

@@ -14,8 +14,6 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
-import java.util.TreeSet;
 
 import javax.jcr.Node;
 import javax.jcr.NodeIterator;
@@ -37,8 +35,6 @@
 
 import com.day.cq.commons.jcr.JcrConstants;
 
-import biz.netcentric.cq.tools.actool.comparators.TimestampPropertyComparator;
-import biz.netcentric.cq.tools.actool.helper.Constants;
 import biz.netcentric.cq.tools.actool.history.AcHistoryService;
 import biz.netcentric.cq.tools.actool.history.AcToolExecution;
 import biz.netcentric.cq.tools.actool.history.PersistableInstallationLogger;
@@ -172,7 +168,7 @@ public String getLastInstallationHistory() {
                 history = "no history found!";
             }
         } catch (RepositoryException e) {
-            LOG.error("RepositoryException: ", e);
+            LOG.error("RepositoryException: {}", e, e);
         } finally {
             if (session != null) {
                 session.logout();
@@ -235,64 +231,46 @@ public String getLogFromHistory(int n, boolean inHtmlFormat, boolean includeVerb
 
     @Override
     public void persistAcePurgeHistory(PersistableInstallationLogger installLog) {
-        Session session = null;
 
+        Session session = null;
         try {
             session = repository.loginService(null, null);
+
             Node acHistoryRootNode = HistoryUtils.getAcHistoryRootNode(session);
-            NodeIterator nodeIterator = acHistoryRootNode.getNodes();
-            Set<Node> historyNodes = new TreeSet<Node>(
-                    new TimestampPropertyComparator());
-            Node newestHistoryNode = null;
-            while (nodeIterator.hasNext()) {
-                historyNodes.add(nodeIterator.nextNode());
+
+            Node purgeHistoryNode = acHistoryRootNode.addNode("purge_" + System.currentTimeMillis(), HistoryUtils.NODETYPE_NT_UNSTRUCTURED);
+
+            // if there is already a purge history node, order the new one before so
+            // the newest one is always on top
+            NodeIterator nodeIt = acHistoryRootNode.getNodes();
+            Node previousPurgeNode = null;
+            while (nodeIt.hasNext()) {
+                Node currNode = nodeIt.nextNode();
+                // get previous purgeHistory node
+                if (currNode.getName().contains("purge_")) {
+                    previousPurgeNode = currNode;
+                    break;
+                }
             }
-            if (!historyNodes.isEmpty()) {
-                newestHistoryNode = historyNodes.iterator().next();
-                persistPurgeAceHistory(session, installLog, newestHistoryNode);
-                session.save();
+
+            if (previousPurgeNode != null) {
+                acHistoryRootNode.orderBefore(purgeHistoryNode.getName(), previousPurgeNode.getName());
             }
 
+            installLog.addMessage(LOG, "Saved history in node: " + purgeHistoryNode.getPath());
+            HistoryUtils.setHistoryNodeProperties(purgeHistoryNode, installLog, "purge");
+            HistoryUtils.saveLogs(purgeHistoryNode, installLog);
+
+            session.save();
         } catch (RepositoryException e) {
-            LOG.error("Exception: ", e);
+            LOG.error("RepositoryException: ", e);
         } finally {
             if (session != null) {
                 session.logout();
             }
         }
     }
 
-    private static Node persistPurgeAceHistory(final Session session,
-            PersistableInstallationLogger installLog, final Node historyNode)
-                    throws RepositoryException {
-
-        Node purgeHistoryNode = historyNode.addNode(
-                "purge_" + System.currentTimeMillis(),
-                HistoryUtils.NODETYPE_NT_UNSTRUCTURED);
-
-        // if there is already a purge history node, order the new one before so
-        // the newest one is always on top
-        NodeIterator nodeIt = historyNode.getNodes();
-        Node previousPurgeNode = null;
-        while (nodeIt.hasNext()) {
-            Node currNode = nodeIt.nextNode();
-            // get previous purgeHistory node
-            if (currNode.getName().contains("purge_")) {
-                previousPurgeNode = currNode;
-                break;
-            }
-        }
-
-        if (previousPurgeNode != null) {
-            historyNode.orderBefore(purgeHistoryNode.getName(),
-                    previousPurgeNode.getName());
-        }
-
-        installLog.addMessage(LOG, "Saved history in node: " + purgeHistoryNode.getPath());
-        HistoryUtils.setHistoryNodeProperties(purgeHistoryNode, installLog, "purge");
-        return historyNode;
-    }
-
     @Override
     public boolean wasLastPersistHistoryCallSuccessful() {
         return wasLastPersistHistoryCallSuccessful;

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/history/impl/HistoryUtils.java

@@ -133,13 +133,8 @@ public static Node persistHistory(final Session session,
         Node newHistoryNode = safeGetNode(acHistoryRootNode, name, NODETYPE_NT_UNSTRUCTURED);
         String path = newHistoryNode.getPath();
         setHistoryNodeProperties(newHistoryNode, installLog, trigger);
-        
-        // not ideal to save both variants, but the easiest for now
-        JcrUtils.putFile(newHistoryNode, LOG_FILE_NAME_VERBOSE, "text/plain",
-                new ByteArrayInputStream(installLog.getVerboseMessageHistory().getBytes()));
-        JcrUtils.putFile(newHistoryNode, LOG_FILE_NAME, "text/plain",
-                new ByteArrayInputStream(installLog.getMessageHistory().getBytes()));
-        
+        saveLogs(newHistoryNode, installLog);
+
         deleteObsoleteHistoryNodes(acHistoryRootNode, nrOfHistoriesToSave);
 
         Node previousHistoryNode = (Node) acHistoryRootNode.getNodes().next();
@@ -153,6 +148,14 @@ public static Node persistHistory(final Session session,
         return newHistoryNode;
     }
 
+    static void saveLogs(Node historyNode, PersistableInstallationLogger installLog) throws RepositoryException {
+        // not ideal to save both variants, but the easiest for now
+        JcrUtils.putFile(historyNode, LOG_FILE_NAME_VERBOSE, "text/plain",
+                new ByteArrayInputStream(installLog.getVerboseMessageHistory().getBytes()));
+        JcrUtils.putFile(historyNode, LOG_FILE_NAME, "text/plain",
+                new ByteArrayInputStream(installLog.getMessageHistory().getBytes()));
+    }
+
     private static boolean isInStrackTracke(StackTraceElement[] stackTrace, Class<?> classToSearch) {
         return isInStrackTracke(stackTrace, classToSearch.getName());
     }