Merge branch 'develop' into

feature/503-improve-performance-of-applying-users-and-groups

Conflicts:
	accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImplTest.java

Author: ghenzler

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java

@@ -25,6 +25,7 @@
 import javax.jcr.Node;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
+import javax.jcr.SimpleCredentials;
 import javax.jcr.UnsupportedRepositoryOperationException;
 import javax.jcr.ValueFactory;
 
@@ -43,6 +44,7 @@
 import org.apache.sling.api.resource.Resource;
 import org.apache.sling.api.resource.ResourceResolver;
 import org.apache.sling.api.resource.ResourceResolverFactory;
+import org.apache.sling.jcr.api.SlingRepository;
 import org.apache.sling.jcr.resource.JcrResourceConstants;
 import org.osgi.service.component.annotations.Reference;
 import org.osgi.service.component.annotations.ReferenceCardinality;
@@ -99,6 +101,9 @@ public class AuthorizableInstallerServiceImpl implements
     @Reference(policyOption = ReferencePolicyOption.GREEDY)
     ResourceResolverFactory resourceResolverFactory;
 
+    @Reference(policyOption = ReferencePolicyOption.GREEDY)
+    SlingRepository repository;
+    
     @Override
     public void installAuthorizables(
             AcConfiguration acConfiguration,
@@ -156,7 +161,7 @@ private void installAuthorizableConfigurationBean(final Session session,
             // update password for users
             if (!authorizableToInstall.isGroup() && !authorizableConfigBean.isSystemUser()
                     && StringUtils.isNotBlank(authorizableConfigBean.getPassword())) {
-                setUserPassword(authorizableConfigBean, (User) authorizableToInstall);
+                setUserPassword(authorizableConfigBean, (User) authorizableToInstall, installLog);
             }
 
             // move authorizable if path changed (retaining existing members)
@@ -227,11 +232,25 @@ private void installKeys(Map<String, Key> keys, String userId, ResourceResolver
         }
     }
 
-
     void setUserPassword(final AuthorizableConfigBean authorizableConfigBean,
-                             final User authorizableToInstall) throws RepositoryException, AuthorizableCreatorException {
+            final User authorizableToInstall, InstallationLogger installLog) throws RepositoryException, AuthorizableCreatorException {
+
+        String userId = authorizableToInstall.getID();
         String password = getPassword(authorizableConfigBean);
-        authorizableToInstall.changePassword(password);
+        Session sessionForUser = null;
+        try {
+            sessionForUser = repository.login(new SimpleCredentials(userId, password.toCharArray()));
+            LOG.trace("Could obtain session {} for user {}, will not update password", sessionForUser, userId);
+            installLog.addVerboseMessage(LOG, "Password of user " + userId + " has not changed");
+        } catch (javax.jcr.LoginException e) {
+            LOG.trace("User {} could not log in with existing password", userId, e);
+            authorizableToInstall.changePassword(password);
+            installLog.addMessage(LOG, "Changed password of user " + userId);
+        } finally {
+            if (sessionForUser != null) {
+                sessionForUser.logout();
+            }
+        }
     }
 
     private String getPassword(final AuthorizableConfigBean authorizableConfigBean)

accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImplTest.java

@@ -14,6 +14,7 @@
 import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.doAnswer;
 import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.spy;
@@ -22,6 +23,7 @@
 import static org.mockito.Mockito.verifyNoMoreInteractions;
 import static org.mockito.Mockito.verifyZeroInteractions;
 import static org.mockito.Mockito.when;
+import static org.mockito.MockitoAnnotations.initMocks;
 
 import java.util.Arrays;
 import java.util.Collections;
@@ -30,6 +32,7 @@
 
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
+import javax.jcr.SimpleCredentials;
 import javax.jcr.Value;
 import javax.jcr.ValueFactory;
 
@@ -39,17 +42,17 @@
 import org.apache.jackrabbit.api.security.user.Query;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.sling.jcr.api.SlingRepository;
 import org.hamcrest.BaseMatcher;
 import org.hamcrest.Description;
 import org.junit.Before;
-import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Enclosed;
+import org.mockito.InjectMocks;
 import org.mockito.Matchers;
 import org.mockito.Mock;
 import org.mockito.Mockito;
-import org.mockito.MockitoAnnotations;
 import org.mockito.Spy;
 import org.mockito.invocation.InvocationOnMock;
 import org.mockito.runners.MockitoJUnitRunner;
@@ -321,6 +324,7 @@ public void describeTo(Description desc) {
 
     public static final class SetUserPassword {
 
+        private static final String USER_ID = "userid";
         private static final String UNPROTECTED_PASSWORD = "unprotected_pass";
 
         @Mock
@@ -329,26 +333,48 @@ public static final class SetUserPassword {
         @Mock
         private DecryptionService decryptionService;
 
+        @Mock
+        private InstallationLogger installationLogger;
+
+        @Mock
+        private SlingRepository repository;
+
+        @Mock
+        private Session session;
+
+        @Spy
+        @InjectMocks
         private AuthorizableInstallerServiceImpl service;
 
+        private AuthorizableConfigBean configBean;
+
         @Before
-        public void setUp() throws CryptoException {
-            MockitoAnnotations.initMocks(this);
+        public void setUp() throws CryptoException, RepositoryException {
+            initMocks(this);
 
-            service = new AuthorizableInstallerServiceImpl();
-            service.decryptionService = decryptionService;
+            doReturn(USER_ID).when(user).getID();
 
             doReturn(UNPROTECTED_PASSWORD).when(decryptionService).decrypt(anyString());
+
+            configBean = new AuthorizableConfigBean();
+            configBean.setPassword("{some_protected_pass1}");
         }
 
         @Test
-        public void test() throws RepositoryException, AuthorizableCreatorException {
-            final AuthorizableConfigBean bean = new AuthorizableConfigBean();
-            bean.setPassword("{some_protected_pass1}");
+        public void testPasswordExists() throws RepositoryException, AuthorizableCreatorException {
 
-            service.setUserPassword(bean, user);
+            doReturn(session).when(repository).login(any(SimpleCredentials.class));
+            service.setUserPassword(configBean, user, installationLogger);
+            verify(user, times(0)).changePassword(anyString());
+        }
 
-            verify(user).changePassword(eq(UNPROTECTED_PASSWORD));
+        @Test
+        public void testPasswordDifferent() throws RepositoryException, AuthorizableCreatorException {
+            final AuthorizableConfigBean bean = new AuthorizableConfigBean();
+            bean.setPassword("{some_protected_pass1}");
+            doThrow(javax.jcr.LoginException.class).when(repository).login(any(SimpleCredentials.class));
+            service.setUserPassword(configBean, user, installationLogger);
+            verify(user, times(1)).changePassword(UNPROTECTED_PASSWORD);
         }
     }
 }

docs/ApplyConfig.md

@@ -9,6 +9,7 @@
   * [JMX](#jmx)
   * [Startup Hook](#startup-hook)
   * [Upload Listener Service](#upload-listener-service)
+  * [Ad hoc installation of small fragments](#ad-hoc-installation-of-small-fragments)
 
 <!--- This table of contents has been generated with https://github.com/ekalinin/github-markdown-toc#gh-md-toc -->
 
@@ -141,5 +142,31 @@ NOTE: Usually it is better to rely on the install hook and manual executions via
 The upload listener service requires the `AC Tool Installation Service` (PID `biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl`) to be configured correctly, i.e. its configuration path must point to the nodes containing the `YAML` files.
 <img src="images/installation-service.png">
 
+### Ad hoc installation of small fragments
+
+Generally it is best practice to keep the yaml files in source control and only use one of the above methods to trigger the installation of those files. 
+However, for some support scenarios it can be useful to be able to apply small yaml fragments directly. This can be achieved by using the following 
+groovy script (using the [AEM Groovy Console](https://github.com/icfnext/aem-groovy-console)):
+
+```
+import static org.apache.jackrabbit.commons.JcrUtils.*
+import static org.apache.commons.io.IOUtils.*
+import biz.netcentric.cq.tools.actool.api.AcInstallationService
+def runAcTool(adhocFolder, adhocFile, yaml) {
+    putFile(getOrCreateByPath(adhocFolder, "nt:folder", session), adhocFile, "text/yaml", toInputStream(yaml)); session.save();
+    return getService(AcInstallationService.class).apply(adhocFolder)
+}
+
+runAcTool("/tmp/actool-adhoc", "actool.yaml", """
+    
+- user_config:
+    - test-user:
+       - name: "My test user"
+         path: /home/users/testusers
+
+""")
+```
+
+As for any executions, the log of ad hoc installations are found underneath `/var/statistics/achistory`.