Merge pull request #252 from wttech/authorized-execution

Granular permission control

Author: krystian-panek-vmltech

.github/workflows/test.yml

@@ -47,6 +47,13 @@ jobs:
           path: all/target/*.zip
           retention-days: 3
 
+      - name: Upload ACM Content Example Package Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: acm-content-example
+          path: ui.content.example/target/*.zip
+          retention-days: 3
+
   test:
     name: 'Test ACM Package'
     runs-on: ubuntu-latest
@@ -91,6 +98,12 @@ jobs:
           name: acm-package
           path: ./aem/home/lib/acm
 
+      - name: Download ACM Content Example Artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: acm-content-example
+          path: ./aem/home/lib/acm-content-example
+
       - name: Setup AEM Instance
         run: |
           set -e
@@ -113,6 +126,13 @@ jobs:
           sh aemw instance restart
           echo "Deployed ACM Package '$PACKAGE_PATH'"
 
+      - name: Deploy ACM Content Example Package
+        run: |
+          PACKAGE_PATH=$(find ./aem/home/lib/acm-content-example -name "*.zip" | head -1)
+          echo "Deploying ACM Content Example Package '$PACKAGE_PATH'"
+          sh aemw pkg deploy --file "$PACKAGE_PATH"
+          echo "Deployed ACM Content Example Package '$PACKAGE_PATH'"
+
       - name: Run Playwright Tests
         working-directory: ./test/e2e
         run: npx playwright test
@@ -121,6 +141,6 @@ jobs:
         uses: actions/upload-artifact@v4
         if: ${{ !cancelled() }}
         with:
-          name: playwright-report
+          name: acm-playwright-report
           path: ./test/e2e/playwright-report/
           retention-days: 30

.gitignore

@@ -1,6 +1,6 @@
 ### Project-specific
 
-ui.apps/src/main/content/jcr_root/apps/acm/spa
+ui.apps/src/main/content/jcr_root/apps/acm/gui/spa/build/
 /var
 
 # Created by https://www.gitignore.io/api/eclipse,java,maven

.vscode/settings.json

@@ -2,5 +2,6 @@
     "search.exclude": {
         "**/aem/home": true,
         "**/node": true
-    }
+    },
+    "java.configuration.updateBuildConfiguration": "interactive"
 }

README.md

@@ -49,6 +49,10 @@ It works seamlessly across AEM on-premise, AMS, and AEMaaCS environments.
     - [Permissions Management](#permissions-management)
     - [Data Imports \& Exports](#data-imports--exports)
   - [Installation](#installation)
+    - [Package Installation](#package-installation)
+    - [Tools Access Configuration](#tools-access-configuration)
+      - [Feature Permissions](#feature-permissions)
+      - [API Permissions](#api-permissions)
   - [Compatibility](#compatibility)
   - [Documentation](#documentation)
     - [Usage](#usage)
@@ -107,6 +111,8 @@ By simplifying data import implementation, ACM allows developers to focus more o
 
 ## Installation
 
+### Package Installation
+
 The ready-to-install AEM packages are available on:
 
 - [GitHub releases](https://github.com/wttech/acm/releases).
@@ -155,27 +161,62 @@ Adjust file 'all/pom.xml':
 
     Repeat the same for [ui.content.example](https://central.sonatype.com/artifact/dev.vml.es/acm.ui.content.example) package if you want to install demonstrative ACM scripts to get you started quickly.
 
-3. Consider refining the ACL settings
-
-   The default settings are defined in the [repo init OSGi config](https://github.com/wttech/acm/blob/main/ui.config/src/main/content/jcr_root/apps/acm-config/osgiconfig/config/org.apache.sling.jcr.repoinit.RepositoryInitializer~acmcore.config), which effectively restrict access to the tool and script execution to administrators only - a recommended practice for production environments.
-   If you require further customization, you can create your own repo init OSGi config to override or extend the default configuration.
-
-   For example:
-   ```ini
-   service.ranking=I"100"
-   scripts=["  
-       set ACL for everyone
-           deny jcr:read on /apps/acm
-           deny jcr:read on /apps/cq/core/content/nav/tools/acm
-       end
-
-       create group acm-users
-       set ACL for acm-users
-           allow jcr:read on /apps/acm
-           allow jcr:read on /apps/cq/core/content/nav/tools/acm
-       end
-   "]
-   ```
+### Tools Access Configuration
+
+The default settings are defined in the [repo init OSGi config](https://github.com/wttech/acm/blob/main/ui.config/src/main/content/jcr_root/apps/acm-config/osgiconfig/config/org.apache.sling.jcr.repoinit.RepositoryInitializer~acmcore.config), which effectively restrict access to the tool and script execution to administrators only - a recommended practice for production environments.
+
+If you require further customization, you can create your own repo init OSGi config to override or extend the default configuration.
+
+#### Feature Permissions
+
+ACM supports fine-grained permission control through individual features. This allows you to grant specific capabilities to different user groups without providing full access to ACM tool. For a complete list of available features, see the [ACM features directory](https://github.com/wttech/acm/tree/main/ui.apps/src/main/content/jcr_root/apps/acm/feature).
+
+**Example: Create groups for full and limited access:**
+
+```ini
+service.ranking=I"100"
+scripts=["  
+    set ACL for everyone
+        deny jcr:read on /apps/cq/core/content/nav/tools/acm
+        deny jcr:read on /apps/acm
+    end
+
+    create group acm-admins
+    set ACL for acm-admins
+        allow jcr:read on /apps/cq/core/content/nav/tools/acm
+        allow jcr:read on /apps/acm
+    end
+
+    create group acm-script-users
+    set ACL for acm-script-users
+        allow jcr:read on /apps/cq/core/content/nav/tools/acm
+        allow jcr:read on /apps/acm/gui
+        allow jcr:read on /apps/acm/api
+
+        allow jcr:read on /apps/acm/feature/script/list
+        allow jcr:read on /apps/acm/feature/script/view
+        allow jcr:read on /apps/acm/feature/execution/view
+
+        allow jcr:read on /conf/acm/settings/script
+    end
+"]
+```
+
+Later on when AEM is running, just assign users to the created groups (`acm-admins` or `acm-script-users`) to grant them the corresponding access.
+
+#### API Permissions
+
+Access to ACM's REST API endpoints is controlled through nodes under `/apps/acm/api`. For a complete list of available endpoints, see the [ACM API directory](https://github.com/wttech/acm/tree/main/ui.apps/src/main/content/jcr_root/apps/acm/api).
+
+**Important:** Code execution requires authorization at three levels: API endpoint, feature, and e.g. script path. Example:
+
+```ini
+set ACL for acm-automation-user
+    allow jcr:read on /apps/acm/api
+    allow jcr:read on /apps/acm/feature
+    allow jcr:read on /conf/acm/settings/script
+end
+```
 
 ## Compatibility
 

Taskfile.yml

@@ -249,7 +249,7 @@ tasks:
     desc: build & deploy frontend to instances
     cmds:
       - (cd ui.frontend && npm install && npm run build)
-      - sh aemw content push --dir 'ui.apps/src/main/content/jcr_root/apps/acm/spa'
+      - sh aemw content push --dir 'ui.apps/src/main/content/jcr_root/apps/acm/gui/spa/build'
 
   develop:frontend:dev:
     desc: build & deploy frontend to instances in development mode

core/src/main/java/dev/vml/es/acm/core/AcmConstants.java

@@ -8,6 +8,8 @@ public class AcmConstants {
 
     public static final String NOTIFIER_ID = "acm";
 
+    public static final String APPS_ROOT = "/apps/acm";
+
     public static final String SETTINGS_ROOT = "/conf/acm/settings";
 
     public static final String VAR_ROOT = "/var/acm";

core/src/main/java/dev/vml/es/acm/core/acl/authorizable/PermissionsOptions.java

@@ -11,6 +11,10 @@
 
 public class PermissionsOptions {
 
+    public static final String GLOB_STRICT = "strict";
+
+    private static final String GLOB_STRICT_EFFECTIVE = "";
+
     private String path;
 
     private List<String> permissions = Collections.emptyList();
@@ -33,6 +37,11 @@ public void setPath(String path) {
         this.path = path;
     }
 
+    public void setPathStrict(String path) {
+        this.path = path;
+        this.glob = GLOB_STRICT_EFFECTIVE;
+    }
+
     public List<String> getPermissions() {
         return permissions;
     }
@@ -46,7 +55,7 @@ public String getGlob() {
     }
 
     public void setGlob(String glob) {
-        this.glob = glob;
+        this.glob = GLOB_STRICT.equalsIgnoreCase(glob) ? GLOB_STRICT_EFFECTIVE : glob;
     }
 
     public List<String> getTypes() {

core/src/main/java/dev/vml/es/acm/core/acl/check/PermissionsOptions.java

@@ -11,6 +11,10 @@
 
 public class PermissionsOptions extends AuthorizableOptions {
 
+    public static final String GLOB_STRICT = "strict";
+
+    private static final String GLOB_STRICT_EFFECTIVE = "";
+
     private String path;
 
     private List<String> permissions = Collections.emptyList();
@@ -31,6 +35,11 @@ public void setPath(String path) {
         this.path = path;
     }
 
+    public void setPathStrict(String path) {
+        this.path = path;
+        this.glob = GLOB_STRICT_EFFECTIVE;
+    }
+
     public List<String> getPermissions() {
         return permissions;
     }
@@ -44,7 +53,7 @@ public String getGlob() {
     }
 
     public void setGlob(String glob) {
-        this.glob = glob;
+        this.glob = GLOB_STRICT.equalsIgnoreCase(glob) ? GLOB_STRICT_EFFECTIVE : glob;
     }
 
     public List<String> getTypes() {

core/src/main/java/dev/vml/es/acm/core/code/CodePrintStream.java

@@ -28,7 +28,7 @@ public class CodePrintStream extends PrintStream {
     public static final String[] LOGGER_NAMES = {LOGGER_NAME_ACL, LOGGER_NAME_REPO};
 
     // have to match pattern in 'monaco/log.ts'
-    private static final DateTimeFormatter LOGGER_TIMESTAMP_FORMATTER = DateTimeFormatter.ofPattern("HH:mm:ss.SSS");
+    private static final DateTimeFormatter TIMESTAMP_FORMATTER = DateTimeFormatter.ofPattern("HH:mm:ss.SSS");
 
     private final Logger logger;
 
@@ -40,6 +40,8 @@ public class CodePrintStream extends PrintStream {
 
     private final LogAppender logAppender;
 
+    private boolean printerTimestamps;
+
     public CodePrintStream(OutputStream output, String id) {
         super(output);
 
@@ -48,6 +50,8 @@ public CodePrintStream(OutputStream output, String id) {
         this.loggerTimestamps = true;
         this.logger = loggerContext.getLogger(id);
         this.logAppender = new LogAppender();
+
+        this.printerTimestamps = true;
     }
 
     private class LogAppender extends AppenderBase<ILoggingEvent> {
@@ -60,7 +64,7 @@ protected void append(ILoggingEvent event) {
                     if (loggerTimestamps) {
                         LocalDateTime eventTime = LocalDateTime.ofInstant(
                                 Instant.ofEpochMilli(event.getTimeStamp()), ZoneId.systemDefault());
-                        String timestamp = eventTime.format(LOGGER_TIMESTAMP_FORMATTER);
+                        String timestamp = eventTime.format(TIMESTAMP_FORMATTER);
                         println(timestamp + " [" + level + "] " + event.getFormattedMessage());
                     } else {
                         println('[' + level + "] " + event.getFormattedMessage());
@@ -116,7 +120,7 @@ public boolean isLoggerTimestamps() {
         return loggerTimestamps;
     }
 
-    public void withLoggerTimestamps(boolean flag) {
+    public void setLoggerTimestamps(boolean flag) {
         this.loggerTimestamps = flag;
     }
 
@@ -147,33 +151,45 @@ public void fromLoggers(List<String> loggerNames) {
         loggerNames.forEach(this::fromLogger);
     }
 
+    public void setPrinterTimestamps(boolean flag) {
+        this.printerTimestamps = flag;
+    }
+
+    public boolean isPrinterTimestamps() {
+        return printerTimestamps;
+    }
+
+    public void printTimestamped(String level, String message) {
+        printTimestamped(CodePrintLevel.of(level), message);
+    }
+
+    public void printTimestamped(CodePrintLevel level, String message) {
+        if (printerTimestamps) {
+            LocalDateTime now = LocalDateTime.now();
+            String timestamp = now.format(TIMESTAMP_FORMATTER);
+            println(timestamp + " [" + level + "] " + message);
+        } else {
+            println("[" + level + "] " + message);
+        }
+    }
+
     public void success(String message) {
-        printStamped(CodePrintLevel.SUCCESS, message);
+        printTimestamped(CodePrintLevel.SUCCESS, message);
     }
 
     public void info(String message) {
-        printStamped(CodePrintLevel.INFO, message);
+        printTimestamped(CodePrintLevel.INFO, message);
     }
 
     public void error(String message) {
-        printStamped(CodePrintLevel.ERROR, message);
+        printTimestamped(CodePrintLevel.ERROR, message);
     }
 
     public void warn(String message) {
-        printStamped(CodePrintLevel.WARN, message);
+        printTimestamped(CodePrintLevel.WARN, message);
     }
 
     public void debug(String message) {
-        printStamped(CodePrintLevel.DEBUG, message);
-    }
-
-    public void printStamped(String level, String message) {
-        printStamped(CodePrintLevel.of(level), message);
-    }
-
-    public void printStamped(CodePrintLevel level, String message) {
-        LocalDateTime now = LocalDateTime.now();
-        String timestamp = now.format(LOGGER_TIMESTAMP_FORMATTER);
-        println(timestamp + " [" + level + "] " + message);
+        printTimestamped(CodePrintLevel.DEBUG, message);
     }
 }

core/src/main/java/dev/vml/es/acm/core/code/Conditions.java

@@ -209,7 +209,7 @@ public InstanceInfo instanceInfo() {
     // Executable-based
 
     public boolean isConsole() {
-        return Executable.ID_CONSOLE.equals(executableId());
+        return Executable.CONSOLE_ID.equals(executableId());
     }
 
     public boolean isAutomaticScript() {