#441 Can now include capability queries in XML role payloads

JSON doesn't work yet due to an ML bug. 

The main fix here was to include capability-queries in the Role class. But also improved RoleObjectNodesSorter so that it won't drop any data.

Author: rjrudin

src/main/java/com/marklogic/appdeployer/command/AbstractCommand.java

@@ -532,7 +532,7 @@ protected String determineDatabaseNameForDatabaseResourceDirectory(CommandContex
 				logger.info("Found database file with same name, minus its extension, as the database resource directory; " +
 					"file: " + f);
 				String payload = copyFileToString(f, context);
-				String databaseName = new PayloadParser().getPayloadFieldValue(payload, "database-name");
+				String databaseName = payloadParser.getPayloadFieldValue(payload, "database-name");
 				logger.info("Associating database resource directory with database: " + databaseName);
 				return databaseName;
 			}
@@ -589,4 +589,8 @@ public boolean isSupportsResourceMerging() {
 	public void setSupportsResourceMerging(boolean supportsResourceMerging) {
 		this.supportsResourceMerging = supportsResourceMerging;
 	}
+
+	protected PayloadParser getPayloadParser() {
+		return payloadParser;
+	}
 }

src/main/java/com/marklogic/appdeployer/command/security/DeployRolesCommand.java

@@ -36,6 +36,11 @@ public class DeployRolesCommand extends AbstractResourceCommand implements Suppo
 	private ObjectNodesSorter objectNodesSorter = new RoleObjectNodesSorter();
 	private Set<String> defaultRolesToNotUndeploy;
 
+	// Keeps track of the original payloads (after token parsing) for XML files. These are needed to account for
+	// data that is dropped when a payload is deserialized into a Role class, such as "capability-queries". When
+	// the role is actually saved, this payload will be used instead of the serialization of the associated Role instance.
+	private Map<String, String> roleNamesAndXmlPayloads = new HashMap<>();
+
 	public DeployRolesCommand() {
 		setExecuteSortOrder(SortOrderConstants.DEPLOY_ROLES);
 		setUndoSortOrder(SortOrderConstants.DELETE_ROLES);
@@ -61,6 +66,14 @@ protected boolean useCmaForDeployingResources(CommandContext context) {
 		return true;
 	}
 
+	/**
+	 * Similar to useCmaForDeployingResources, this tells the parent class to always build a Configuration, even if
+	 * CMA isn't available. And when it's time to deploy the configuration, a check is made to see if CMA is really
+	 * available and if it's configured to be used.
+	 *
+	 * @param context
+	 * @return
+	 */
 	@Override
 	public boolean cmaShouldBeUsed(CommandContext context) {
 		return true;
@@ -90,7 +103,7 @@ protected void deployConfiguration(CommandContext context, Configuration config)
 			return;
 		}
 
-		if (objectNodesSorter != null) {
+		if (objectNodesSorter != null && roleNodes.size() > 1) {
 			logger.info("Sorting roles before they are saved");
 			roleNodes = objectNodesSorter.sortObjectNodes(roleNodes);
 			config.setRoles(roleNodes);
@@ -121,11 +134,32 @@ protected void submitRolesIndividually(CommandContext context, List<ObjectNode>
 		});
 
 		roleNodes.forEach(roleNode -> {
-			SaveReceipt receipt = saveResource(roleManager, context, roleNode.toString());
+			String roleName = roleNode.get("role-name").asText();
+			String payload = this.roleNamesAndXmlPayloads.containsKey(roleName) ? this.roleNamesAndXmlPayloads.get(roleName) : roleNode.toString();
+			SaveReceipt receipt = saveResource(roleManager, context, payload);
 			afterResourceSaved(roleManager, context, null, receipt);
 		});
 	}
 
+	/**
+	 * Overridden so that an XML payload can be saved so that it can be used later when the role is actually saved as
+	 * opposed to the serialization of a Role instance, which as of 4.3.x will not include "capability-queries" for an
+	 * XML payload.
+	 *
+	 * @param context
+	 * @param f
+	 * @return
+	 */
+	@Override
+	protected String readResourceFromFile(CommandContext context, File f) {
+		String payload = super.readResourceFromFile(context, f);
+		if (!getPayloadParser().isJsonPayload(payload)) {
+			String roleName = getPayloadParser().getPayloadFieldValue(payload, "role-name");
+			this.roleNamesAndXmlPayloads.put(roleName, payload);
+		}
+		return payload;
+	}
+
 	/**
 	 * If a role refers to itself via permissions, that role won't be created by CMA. Instead, a separate CMA request
 	 * is constructed, with each such role only having a role-name, and then immediately submitted so that the roles

src/main/java/com/marklogic/mgmt/api/security/CapabilityQuery.java

@@ -0,0 +1,26 @@
+package com.marklogic.mgmt.api.security;
+
+import com.fasterxml.jackson.databind.node.ObjectNode;
+
+public class CapabilityQuery {
+
+	private String capability;
+	// Note that an XML payload will not deserialize into this, nor will it deserialize into an Object
+	private ObjectNode query;
+
+	public String getCapability() {
+		return capability;
+	}
+
+	public void setCapability(String capability) {
+		this.capability = capability;
+	}
+
+	public ObjectNode getQuery() {
+		return query;
+	}
+
+	public void setQuery(ObjectNode query) {
+		this.query = query;
+	}
+}

src/main/java/com/marklogic/mgmt/api/security/Role.java

@@ -36,6 +36,10 @@ public class Role extends Resource {
 	@XmlElementWrapper(name = "collections")
 	private List<String> collection;
 
+	// This does not yet have an XmlElementWrapper on it as CapabilityQuery does not yet support XML marshalling;
+	// unclear how to use e.g. XmlAnyElement on the query portion of it
+	private List<CapabilityQuery> capabilityQuery;
+
 	public Role() {
 	}
 
@@ -203,4 +207,11 @@ public void setCollection(List<String> collection) {
 		this.collection = collection;
 	}
 
+	public List<CapabilityQuery> getCapabilityQuery() {
+		return capabilityQuery;
+	}
+
+	public void setCapabilityQuery(List<CapabilityQuery> capabilityQuery) {
+		this.capabilityQuery = capabilityQuery;
+	}
 }

src/main/java/com/marklogic/mgmt/api/security/RoleObjectNodesSorter.java

@@ -22,21 +22,36 @@ public class RoleObjectNodesSorter implements ObjectNodesSorter {
 	 */
 	@Override
 	public List<ObjectNode> sortObjectNodes(List<ObjectNode> objectNodes) {
+		// Construct a list of roles so they can be sorted
 		List<Role> roles = new ArrayList<>();
+
+		// Construct a map of roles to object nodes so that the original object nodes can be added to the list.
+		// This is to resolve bug #441, where capability-query's are being dropped because the Role class doesn't
+		// support them. It may be better to refactor this to not deserialize into Role instances so that ObjectNodes
+		// are used the entire time, even though we'd lose some of the convenience methods provided by the Role class.
+		final Map<String, ObjectNode> roleMap = new HashMap();
+
 		ObjectReader reader = ObjectMapperFactory.getObjectMapper().readerFor(Role.class);
-		for (ObjectNode node : objectNodes) {
+		for (ObjectNode objectNode : objectNodes) {
 			try {
-				roles.add(reader.readValue(node));
+				Role role = reader.readValue(objectNode);
+				roles.add(role);
+				roleMap.put(role.getRoleName(), objectNode);
 			} catch (IOException e) {
-				throw new RuntimeException("Unable to read ObjectNode into Role; node: " + node, e);
+				throw new RuntimeException("Unable to read ObjectNode into Role; JSON: " + objectNode, e);
 			}
 		}
 
 		roles = sortRoles(roles);
 
-		List<ObjectNode> newList = new ArrayList<>();
-		roles.forEach(role -> newList.add(role.toObjectNode()));
-		return newList;
+		List<ObjectNode> sortedNodes = new ArrayList<>();
+		roles.forEach(role -> {
+			// Sanity check; we don't ever expect to get back a role in the sorted list that isn't in the roleMap
+			if (roleMap.containsKey(role.getRoleName())) {
+				sortedNodes.add(roleMap.get(role.getRoleName()));
+			}
+		});
+		return sortedNodes;
 	}
 
 

src/main/java/com/marklogic/rest/util/Fragment.java

@@ -31,7 +31,8 @@ public Fragment(String xml, Namespace... namespaces) {
             List<Namespace> list = new ArrayList<Namespace>();
 	        list.add(Namespace.getNamespace("arp", "http://marklogic.com/manage/alert-rule/properties"));
             list.add(Namespace.getNamespace("c", "http://marklogic.com/manage/clusters"));
-	        list.add(Namespace.getNamespace("cert", "http://marklogic.com/xdmp/x509"));
+			list.add(Namespace.getNamespace("cert", "http://marklogic.com/xdmp/x509"));
+			list.add(Namespace.getNamespace("cts", "http://marklogic.com/cts"));
             list.add(Namespace.getNamespace("db", "http://marklogic.com/manage/databases"));
             list.add(Namespace.getNamespace("es", "http://marklogic.com/entity-services"));
             list.add(Namespace.getNamespace("f", "http://marklogic.com/manage/forests"));

src/test/java/com/marklogic/appdeployer/command/databases/ClearDatabaseTest.java

@@ -27,6 +27,7 @@ public void teardown() {
     public void modulesDatabase() {
         initializeAppDeployer(new DeployRestApiServersCommand(true), buildLoadModulesCommand());
 
+        appConfig.setRestPort(8004);
         appDeployer.deploy(appConfig);
 
         DatabaseManager mgr = new DatabaseManager(manageClient);

src/test/java/com/marklogic/appdeployer/command/security/DeployRoleWithCapabilityQueryTest.java

@@ -0,0 +1,64 @@
+package com.marklogic.appdeployer.command.security;
+
+import com.marklogic.appdeployer.AbstractAppDeployerTest;
+import com.marklogic.mgmt.resource.security.RoleManager;
+import com.marklogic.rest.util.Fragment;
+import org.junit.jupiter.api.Test;
+import org.springframework.web.client.HttpServerErrorException;
+
+import java.io.File;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+public class DeployRoleWithCapabilityQueryTest extends AbstractAppDeployerTest {
+
+	@Test
+	void jsonRole() {
+		appConfig.getFirstConfigDir().setBaseDir(new File("src/test/resources/sample-app/qbac-json-role"));
+
+		initializeAppDeployer(new DeployRolesCommand());
+
+		final String message = "ML 10.0-7 is not able to deploy a JSON role with capability queries; expecting to get an XDMP-NOTQUERY error: ";
+		try {
+			appConfig.getCmaConfig().setDeployRoles(true);
+			appDeployer.deploy(appConfig);
+			fail("Expected error: " + message);
+		} catch (HttpServerErrorException ex) {
+			assertTrue(ex.getMessage().contains("XDMP-NOTQUERY"), message + ex.getMessage());
+		}
+
+		// Make sure error occurs with CMA disabled too
+		try {
+			appConfig.getCmaConfig().setDeployRoles(false);
+			appDeployer.deploy(appConfig);
+			fail("Expected error: " + message);
+		} catch (HttpServerErrorException ex) {
+			assertTrue(ex.getMessage().contains("XDMP-NOTQUERY"), message + ex.getMessage());
+		}
+	}
+
+	@Test
+	void xmlRole() {
+		appConfig.getFirstConfigDir().setBaseDir(new File("src/test/resources/sample-app/qbac-xml-role"));
+		initializeAppDeployer(new DeployRolesCommand());
+
+		try {
+			// This is necessary because the CMA config is JSON, and the XML capability-queries cannot be
+			// converted into JSON
+			appConfig.getCmaConfig().setDeployRoles(false);
+			appDeployer.deploy(appConfig);
+
+			RoleManager mgr = new RoleManager(manageClient);
+			assertTrue(mgr.exists("a-qbac-xml-role"));
+
+			Fragment props = mgr.getPropertiesAsXml("a-qbac-xml-role");
+			assertEquals("hello", props.getElementValue("/m:role-properties/m:queries/m:capability-query[m:capability = 'read']" +
+				"/m:query/cts:word-query/cts:text"), "Verifying that the query was saved");
+			assertEquals("world", props.getElementValue("/m:role-properties/m:queries/m:capability-query[m:capability = 'update']" +
+				"/m:query/cts:word-query/cts:text"), "Verifying that the query was saved");
+		} finally {
+			undeploySampleApp();
+		}
+	}
+
+}

src/test/java/com/marklogic/appdeployer/command/security/ManageAmpsTest.java

@@ -21,6 +21,7 @@ public class ManageAmpsTest extends AbstractManageResourceTest {
 
 	@Test
 	public void ampLoadedBeforeModules() {
+		appConfig.setRestPort(8004);
 		appConfig.setConfigDir(new ConfigDir(new File("src/test/resources/sample-app/real-amp")));
 
 		initializeAppDeployer(new DeployUsersCommand(), new DeployRestApiServersCommand(true),

src/test/resources/sample-app/qbac-json-role/security/roles/a-qbac-role.json

@@ -0,0 +1,28 @@
+{
+	"role-name": "a-qbac-role",
+	"description": "testing",
+	"capability-query": [
+		{
+			"capability": "read",
+			"query": {
+				"word-query": {
+					"text": {
+						"lang": "en",
+						"_value": "hello"
+					}
+				}
+			}
+		},
+		{
+			"capability": "update",
+			"query": {
+				"word-query": {
+					"text": {
+						"lang": "en",
+						"_value": "world"
+					}
+				}
+			}
+		}
+	]
+}