#353 Deploying protected paths and query rolesets via CMA

Author: rjrudin

src/main/java/com/marklogic/appdeployer/CmaConfig.java

@@ -7,6 +7,8 @@ public class CmaConfig {
 	private boolean deployDatabases;
 	private boolean deployForests;
 	private boolean deployPrivileges;
+	private boolean deployProtectedPaths;
+	private boolean deployQueryRolesets;
 	private boolean deployRoles;
 	private boolean deployServers;
 	private boolean deployUsers;
@@ -17,6 +19,8 @@ public void enableAll() {
 		setDeployDatabases(true);
 		setDeployForests(true);
 		setDeployPrivileges(true);
+		setDeployProtectedPaths(true);
+		setDeployQueryRolesets(true);
 		setDeployRoles(true);
 		setDeployServers(true);
 		setDeployUsers(true);
@@ -85,4 +89,20 @@ public boolean isCombineRequests() {
 	public void setCombineRequests(boolean combineRequests) {
 		this.combineRequests = combineRequests;
 	}
+
+	public boolean isDeployProtectedPaths() {
+		return deployProtectedPaths;
+	}
+
+	public void setDeployProtectedPaths(boolean deployProtectedPaths) {
+		this.deployProtectedPaths = deployProtectedPaths;
+	}
+
+	public boolean isDeployQueryRolesets() {
+		return deployQueryRolesets;
+	}
+
+	public void setDeployQueryRolesets(boolean deployQueryRolesets) {
+		this.deployQueryRolesets = deployQueryRolesets;
+	}
 }

src/main/java/com/marklogic/appdeployer/DefaultAppConfigFactory.java

@@ -104,6 +104,16 @@ public void initialize() {
 			config.getCmaConfig().setDeployPrivileges(Boolean.parseBoolean(prop));
 		});
 
+		propertyConsumerMap.put("mlDeployProtectedPathsWithCma", (config, prop) -> {
+			logger.info("Deploy protected paths" + cmaMessage + prop);
+			config.getCmaConfig().setDeployProtectedPaths(Boolean.parseBoolean(prop));
+		});
+
+		propertyConsumerMap.put("mlDeployQueryRolesetsWithCma", (config, prop) -> {
+			logger.info("Deploy query rolesets" + cmaMessage + prop);
+			config.getCmaConfig().setDeployQueryRolesets(Boolean.parseBoolean(prop));
+		});
+
 		propertyConsumerMap.put("mlDeployRolesWithCma", (config, prop) -> {
 			logger.info("Deploy servers" + cmaMessage + prop);
 			config.getCmaConfig().setDeployRoles(Boolean.parseBoolean(prop));
@@ -730,7 +740,7 @@ public void initialize() {
 			logger.info("Supported resources will only be deployed if their resource files are new or have been modified since the last deployment: " + prop);
 			config.setIncrementalDeploy(Boolean.parseBoolean(prop));
 		});
-    
+
 		propertyConsumerMap.put("mlUpdateMimetypeWhenPropertiesAreEqual", (config, prop) -> {
 			logger.info("Update mimetype when properties are equal (defaults to false to avoid unnecessary ML restarts): " + prop);
 			config.setUpdateMimetypeWhenPropertiesAreEqual(Boolean.parseBoolean(prop));

src/main/java/com/marklogic/appdeployer/command/SortOrderConstants.java

@@ -4,7 +4,10 @@ public abstract class SortOrderConstants {
 
     public static Integer DEPLOY_PRIVILEGES = 5;
     public static Integer DEPLOY_ROLES = 10;
-    public static Integer DEPLOY_USERS = 15;
+	public static Integer DEPLOY_PROTECTED_PATHS = 12; // depends on roles
+	public static Integer DEPLOY_QUERY_ROLESETS = 13; // depends on roles
+    public static Integer DEPLOY_USERS = 15; // depends on roles
+
 	public static Integer DEPLOY_CERTIFICATE_AUTHORITIES = 20;
 	public static Integer DEPLOY_CERTIFICATE_TEMPLATES = 24;
 	public static Integer GENERATE_TEMPORARY_CERTIFICATE = 25;
@@ -13,8 +16,6 @@ public abstract class SortOrderConstants {
     public static Integer DEPLOY_EXTERNAL_SECURITY = 35;
     public static Integer DEPLOY_PROTECTED_COLLECTIONS = 40;
     public static Integer DEPLOY_MIMETYPES = 45;
-	public static Integer DEPLOY_PROTECTED_PATHS = 50;
-	public static Integer DEPLOY_QUERY_ROLESETS = 55;
 
 	public static Integer DEPLOY_GROUPS = 90;
 

src/main/java/com/marklogic/appdeployer/command/security/DeployProtectedPathsCommand.java

@@ -1,19 +1,44 @@
 package com.marklogic.appdeployer.command.security;
 
+import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.marklogic.appdeployer.command.AbstractResourceCommand;
 import com.marklogic.appdeployer.command.CommandContext;
 import com.marklogic.appdeployer.command.SortOrderConstants;
+import com.marklogic.appdeployer.command.SupportsCmaCommand;
+import com.marklogic.mgmt.api.configuration.Configuration;
+import com.marklogic.mgmt.api.security.protectedpath.ProtectedPath;
 import com.marklogic.mgmt.resource.ResourceManager;
 import com.marklogic.mgmt.resource.security.ProtectedPathManager;
-import com.marklogic.mgmt.resource.security.UserManager;
 
 import java.io.File;
 
-public class DeployProtectedPathsCommand extends AbstractResourceCommand {
+public class DeployProtectedPathsCommand extends AbstractResourceCommand implements SupportsCmaCommand {
 
 	public DeployProtectedPathsCommand() {
 		setExecuteSortOrder(SortOrderConstants.DEPLOY_PROTECTED_PATHS);
 		setUndoSortOrder(SortOrderConstants.DELETE_PROTECTED_PATHS);
+
+		setResourceClassType(ProtectedPath.class);
+	}
+
+	@Override
+	public boolean cmaShouldBeUsed(CommandContext context) {
+		return context.getAppConfig().getCmaConfig().isDeployProtectedPaths();
+	}
+
+	@Override
+	public void addResourceToConfiguration(ObjectNode resource, Configuration configuration) {
+		configuration.addProtectedPath(resource);
+	}
+
+	@Override
+	protected void deployConfiguration(CommandContext context, Configuration config) {
+		if (context.getAppConfig().getCmaConfig().isCombineRequests()) {
+			logger.info("Adding protected paths to combined CMA request");
+			context.addCmaConfigurationToCombinedRequest(config);
+		} else {
+			super.deployConfiguration(context, config);
+		}
 	}
 
 	@Override

src/main/java/com/marklogic/appdeployer/command/security/DeployQueryRolesetsCommand.java

@@ -1,18 +1,44 @@
 package com.marklogic.appdeployer.command.security;
 
+import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.marklogic.appdeployer.command.AbstractResourceCommand;
 import com.marklogic.appdeployer.command.CommandContext;
 import com.marklogic.appdeployer.command.SortOrderConstants;
+import com.marklogic.appdeployer.command.SupportsCmaCommand;
+import com.marklogic.mgmt.api.configuration.Configuration;
+import com.marklogic.mgmt.api.security.queryroleset.QueryRoleset;
 import com.marklogic.mgmt.resource.ResourceManager;
-import com.marklogic.mgmt.resource.security.QueryRolesetsManager;
+import com.marklogic.mgmt.resource.security.QueryRolesetManager;
 
 import java.io.File;
 
-public class DeployQueryRolesetsCommand extends AbstractResourceCommand {
+public class DeployQueryRolesetsCommand extends AbstractResourceCommand implements SupportsCmaCommand {
 
 	public DeployQueryRolesetsCommand() {
 		setExecuteSortOrder(SortOrderConstants.DEPLOY_QUERY_ROLESETS);
 		setUndoSortOrder(SortOrderConstants.DELETE_QUERY_ROLESETS);
+
+		setResourceClassType(QueryRoleset.class);
+	}
+
+	@Override
+	public boolean cmaShouldBeUsed(CommandContext context) {
+		return context.getAppConfig().getCmaConfig().isDeployQueryRolesets();
+	}
+
+	@Override
+	public void addResourceToConfiguration(ObjectNode resource, Configuration configuration) {
+		configuration.addQueryRoleset(resource);
+	}
+
+	@Override
+	protected void deployConfiguration(CommandContext context, Configuration config) {
+		if (context.getAppConfig().getCmaConfig().isCombineRequests()) {
+			logger.info("Adding query rolesets to combined CMA request");
+			context.addCmaConfigurationToCombinedRequest(config);
+		} else {
+			super.deployConfiguration(context, config);
+		}
 	}
 
 	@Override
@@ -22,6 +48,6 @@ protected File[] getResourceDirs(CommandContext context) {
 
 	@Override
 	protected ResourceManager getResourceManager(CommandContext context) {
-		return new QueryRolesetsManager(context.getManageClient());
+		return new QueryRolesetManager(context.getManageClient());
 	}
 }

src/main/java/com/marklogic/mgmt/api/API.java

@@ -15,6 +15,8 @@
 import com.marklogic.mgmt.api.group.Group;
 import com.marklogic.mgmt.api.restapi.RestApi;
 import com.marklogic.mgmt.api.security.*;
+import com.marklogic.mgmt.api.security.protectedpath.ProtectedPath;
+import com.marklogic.mgmt.api.security.queryroleset.QueryRoleset;
 import com.marklogic.mgmt.api.server.Server;
 import com.marklogic.mgmt.api.task.Task;
 import com.marklogic.mgmt.api.trigger.Trigger;
@@ -31,6 +33,8 @@
 import com.marklogic.mgmt.util.SystemPropertySource;
 
 import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
 
 /**
  * Big facade-style class for the MarkLogic Management API. Use this to instantiate or access any resource, as it will
@@ -230,6 +234,26 @@ public Forest getForest() {
         return forest(null);
     }
 
+    public ProtectedPath protectedPath(String pathExpression) {
+    	ProtectedPath path = new ProtectedPath(pathExpression);
+    	path.setApi(this);
+    	return pathExpression != null && path.exists() ?
+		    getResource(pathExpression, new ProtectedPathManager(getManageClient()), ProtectedPath.class) : path;
+    }
+
+    public QueryRoleset queryRoleset(String... roleNames) {
+	    List<String> names = new ArrayList<>();
+	    for (String name : roleNames) {
+	    	names.add(name);
+	    }
+    	QueryRoleset roleset = new QueryRoleset();
+	    roleset.setApi(this);
+	    roleset.setRoleName(names);
+    	return roleNames != null && roleset.exists() ?
+		    getResource(roleset.getRoleNamesAsJsonArrayString(), new QueryRolesetManager(getManageClient()), QueryRoleset.class) :
+		    roleset;
+    }
+
     public Server server(String name) {
         return server(name, (Integer)null);
     }

src/main/java/com/marklogic/mgmt/api/configuration/Configuration.java

@@ -31,6 +31,12 @@ public class Configuration {
 	@JsonProperty("privilege")
 	private List<ObjectNode> privileges;
 
+	@JsonProperty("protected-path")
+	private List<ObjectNode> protectedPaths;
+
+	@JsonProperty("query-roleset")
+	private List<ObjectNode> queryRolesets;
+
 	@JsonProperty("role")
 	private List<ObjectNode> roles;
 
@@ -47,6 +53,8 @@ public boolean hasResources() {
 				(forests != null && !forests.isEmpty()) ||
 				(groups != null && !groups.isEmpty()) ||
 				(privileges != null && !privileges.isEmpty()) ||
+				(protectedPaths != null && !protectedPaths.isEmpty()) ||
+				(queryRolesets != null && !queryRolesets.isEmpty()) ||
 				(roles != null && !roles.isEmpty()) ||
 				(servers != null && !servers.isEmpty()) ||
 				(users != null && !users.isEmpty());
@@ -81,6 +89,16 @@ public void addGroup(ObjectNode g) {
 		groups.add(g);
 	}
 
+	public void addProtectedPath(ObjectNode node) {
+		if (protectedPaths == null) protectedPaths = new ArrayList<>();
+		protectedPaths.add(node);
+	}
+
+	public void addQueryRoleset(ObjectNode node) {
+		if (queryRolesets == null) queryRolesets = new ArrayList<>();
+		queryRolesets.add(node);
+	}
+
 	public void addRole(ObjectNode r) {
 		if (roles == null) roles = new ArrayList<>();
 		roles.add(r);
@@ -164,4 +182,20 @@ public List<ObjectNode> getPrivileges() {
 	public void setPrivileges(List<ObjectNode> privileges) {
 		this.privileges = privileges;
 	}
+
+	public List<ObjectNode> getProtectedPaths() {
+		return protectedPaths;
+	}
+
+	public void setProtectedPaths(List<ObjectNode> protectedPaths) {
+		this.protectedPaths = protectedPaths;
+	}
+
+	public List<ObjectNode> getQueryRolesets() {
+		return queryRolesets;
+	}
+
+	public void setQueryRolesets(List<ObjectNode> queryRolesets) {
+		this.queryRolesets = queryRolesets;
+	}
 }

src/main/java/com/marklogic/mgmt/api/security/protectedpath/PathNamespace.java

@@ -0,0 +1,38 @@
+package com.marklogic.mgmt.api.security.protectedpath;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+
+@XmlAccessorType(XmlAccessType.FIELD)
+public class PathNamespace {
+
+	private String prefix;
+
+	@XmlElement(name = "namespace-uri")
+	private String namespaceUri;
+
+	public PathNamespace() {
+	}
+
+	public PathNamespace(String prefix, String namespaceUri) {
+		this.prefix = prefix;
+		this.namespaceUri = namespaceUri;
+	}
+
+	public String getPrefix() {
+		return prefix;
+	}
+
+	public void setPrefix(String prefix) {
+		this.prefix = prefix;
+	}
+
+	public String getNamespaceUri() {
+		return namespaceUri;
+	}
+
+	public void setNamespaceUri(String namespaceUri) {
+		this.namespaceUri = namespaceUri;
+	}
+}

src/main/java/com/marklogic/mgmt/api/security/protectedpath/Permission.java

@@ -0,0 +1,37 @@
+package com.marklogic.mgmt.api.security.protectedpath;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+
+@XmlAccessorType(XmlAccessType.FIELD)
+public class Permission {
+
+	@XmlElement(name = "role-name")
+	private String roleName;
+	private String capability;
+
+	public Permission() {
+	}
+
+	public Permission(String roleName, String capability) {
+		this.roleName = roleName;
+		this.capability = capability;
+	}
+
+	public String getRoleName() {
+		return roleName;
+	}
+
+	public void setRoleName(String roleName) {
+		this.roleName = roleName;
+	}
+
+	public String getCapability() {
+		return capability;
+	}
+
+	public void setCapability(String capability) {
+		this.capability = capability;
+	}
+}