JCRVLT-522 check effect of filter rules on ACLs

WIP

Author: kwin

src/site/markdown/filter.md

@@ -120,15 +120,17 @@ The exact rules are outlined below
 
 Item covered by filter rule | Item contained in the Content Package | Item contained in the Repository (prior to Import/Installation) | State of Item in Repository after Import/Installation
 --- | --- | --- | ---
-no | yes | yes | not touched
-no | no | yes | not touched
-no | yes | no | *nodes which are ancestors of covered rules*: deserialized from content package (for backwards compatibility reasons), *nodes which are not ancestors of covered rules*: not touched. One should not rely on this behaviour, i.e. all items in the content package should always be covered by some filter rule to make the behaviour more explicit.
+no | yes | yes | not touched(*)
+no | no | yes | not touched(*)
+no | yes | no | *nodes which are ancestors of covered rules*: deserialized from content package (for backwards compatibility reasons), *nodes which are not ancestors of covered rules*: not touched. One should not rely on this behaviour, i.e. all items in the content package should always be covered by some filter rule to make the behaviour more explicit.(*)
 no | no | no | not existing (not touched)
 yes | yes | yes | overwritten
 yes | no | yes | removed
 yes | yes | no | deserialized from content package
 yes | no | no | not existing
 
+Mostly for historical reason both authorizable nodes and access control lists behave differently.
+
 ### Uncovered ancestor nodes
 
 All *uncovered* ancestor nodes are either

src/site/markdown/importmode.md

@@ -25,7 +25,10 @@ Details on how node ids are treated during import are outlined at [Referenceable
 
 The import mode handling is inconsistent and has many edge cases for the mode `MERGE` and `UPDATE`. Therefore FileVault 3.5.0 introduces the new modes `MERGE_PROPERTIES` and `UPDATE_PROPERTIES` (in [JCRVLT-255][JCRVLT-255]) which behave much more predicatable. The details are outlined at the [JavaDoc][api.ImportMode].
 
-Import Mode behaviour on authorizables
+As the import mode has other side effects for authorizable and authorization nodes, the behavior is described in the following sections
+
+
+Authorizable Nodes
 ----------------------------------------------------
 If an authorizable with the same name already exists, the active `ImportMode` controls how the existing authorizables are affected:
 
@@ -58,6 +61,13 @@ Note that the workspace filter of the package refers on the content of the packa
 
 However, the importer keeps track of potential remapping of existing users and tries to calculate the filters accordingly.
 
+Authorization Nodes
+----------------------------------------------------
+
+All authorization nodes of node type `rep:ACL` or the derived `rep:CugPolicy` or `rep:PrincipalPolicy` are ignoring the import mode but rather only evaluate the [package property `acHandling`][properties].
+
+
 [api.WorkspaceFilter]: apidocs/org/apache/jackrabbit/vault/fs/api/WorkspaceFilter.html
 [api.ImportMode]: apidocs/org/apache/jackrabbit/vault/fs/api/ImportMode.html
-[JCRVLT-255]: https://issues.apache.org/jira/browse/JCRVLT-255
+[JCRVLT-255]: https://issues.apache.org/jira/browse/JCRVLT-255
+[properties]: properties.html

vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java

@@ -515,6 +515,11 @@ public void run(Archive archive, Session session,  String parentPath)
         }
     }
 
+    /**
+     * This discards artifacts from the tree which are not contained in the filter
+     * @param root the (sub)tree
+     * @return the modified (sub)tree
+     */
     private TxInfo postFilter(TxInfo root) {
         TxInfo modifierRoot = root;
         if (filter.contains(modifierRoot.path)){

vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java

@@ -24,9 +24,11 @@
 
 import javax.jcr.RepositoryException;
 
+import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.api.JackrabbitSession;
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.commons.JcrUtils;
 import org.apache.jackrabbit.vault.fs.io.AccessControlHandling;
 import org.apache.jackrabbit.vault.fs.io.ImportOptions;
 import org.apache.jackrabbit.vault.packaging.JcrPackage;
@@ -416,7 +418,7 @@ public void testRepoACL() throws RepositoryException, IOException, PackageExcept
     }
 
     /**
-     * Installs a package with repository level acl and then installs another that removes them again.
+     * Installs a package with repository level acl with AccessControlHandling.MERGE.
      */
     @Test
     public void testRepoACLMerge() throws RepositoryException, IOException, PackageException {
@@ -437,7 +439,7 @@ public void testRepoACLMerge() throws RepositoryException, IOException, PackageE
     }
 
     /**
-     * Installs a package with repository level acl and then installs another that removes them again.
+     * Installs a package with repository level acl with AccessControlHandling.MERGE_PRESERVE.
      */
     @Test
     public void testRepoACLMergePreserve() throws RepositoryException, IOException, PackageException {
@@ -458,7 +460,7 @@ public void testRepoACLMergePreserve() throws RepositoryException, IOException,
     }
 
     /**
-     * Installs a package a the root level (JCRVLT-75)
+     * Installs a package at the root level (JCRVLT-75)
      */
     @Test
     public void testRootACL() throws RepositoryException, IOException, PackageException {
@@ -469,4 +471,17 @@ public void testRootACL() throws RepositoryException, IOException, PackageExcept
         // test if nodes and ACLs of first package exist
         assertPermission("/", true, new String[]{"jcr:all"}, "everyone", null);
     }
+    
+    /** Check effect of filter definitions */
+    @Test
+    public void testACLsOutsideFilter() throws IOException, PackageException, RepositoryException {
+        JcrUtils.getOrCreateByPath("/testroot/secured", JcrConstants.NT_FOLDER, admin);
+        extractVaultPackageStrict("/test-packages/ac_outside_filter.zip");
+        
+        // test if nodes and ACLs of package exist
+        assertNodeExists("/testroot/node_a");
+        assertPermission("/testroot", false, new String[]{"jcr:all"}, "everyone", null);
+        /*
+        assertPermission("/testroot/secured", false, new String[]{"jcr:all"}, "everyone", null);*/
+    }
 }

vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<jcr:root xmlns:vlt="http://www.day.com/jcr/vault/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:nt="http://www.jcp.org/jcr/nt/1.0"
+    jcr:created="{Date}2018-05-17T17:41:46.815+02:00"
+    jcr:createdBy="admin"
+    jcr:description="AC Handling: OverWrite"
+    jcr:lastModified="{Date}2018-05-17T17:41:46.815+02:00"
+    jcr:lastModifiedBy="admin"
+    jcr:primaryType="vlt:PackageDefinition"
+    acHandling="overwrite"
+    buildCount="1"
+    builtWith=""
+    fixedBugs=""
+    group="support"
+    lastUnwrapped="{Date}2018-05-17T17:41:46.815+02:00"
+    lastUnwrappedBy="admin"
+    lastWrapped="{Date}2018-05-17T17:41:46.815+02:00"
+    lastWrappedBy="admin"
+    name=""
+    providerLink=""
+    providerName=""
+    providerUrl=""
+    testedWith=""
+    version="">
+    <filter jcr:primaryType="nt:unstructured">
+        <f0
+            jcr:primaryType="nt:unstructured"
+            mode="replace"
+            root="/testroot/secured"
+            rules="[]"/>
+    </filter>
+    <screenshots jcr:primaryType="nt:unstructured"/>
+</jcr:root>

vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<workspaceFilter version="1.0">
+    <filter root="/testroot/node_a"/>
+</workspaceFilter>

vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/nodetypes.cnd

@@ -0,0 +1,8 @@
+<'sling'='http://sling.apache.org/jcr/sling/1.0'>
+<'nt'='http://www.jcp.org/jcr/nt/1.0'>
+
+[sling:Folder] > nt:folder
+  - * (undefined)
+  - * (undefined) multiple
+  + * (nt:base) = sling:Folder version
+

vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/properties.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8" standalone="no"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
+<properties>
+<comment>FileVault Package Properties</comment>
+<entry key="createdBy">admin</entry>
+<entry key="name">mode_ac_test_a</entry>
+<entry key="lastModified">2011-11-15T09:43:22.972+01:00</entry>
+<entry key="lastModifiedBy">admin</entry>
+<entry key="created">2011-11-15T09:43:22.993+01:00</entry>
+<entry key="buildCount">1</entry>
+<entry key="version"/>
+<entry key="dependencies"/>
+<entry key="packageFormatVersion">2</entry>
+<entry key="description"/>
+<entry key="lastWrapped">2011-11-15T09:43:22.972+01:00</entry>
+<entry key="group"/>
+<entry key="lastWrappedBy">admin</entry>
+<entry key="acHandling">overwrite</entry>
+</properties>

vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/.content.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
+    jcr:mixinTypes="[rep:AccessControllable]"
+    jcr:primaryType="rep:root"
+    sling:resourceType="sling:redirect"
+    sling:target="/index.html">
+    <rep:policy/>
+    <jcr:system/>
+    <var/>
+    <libs/>
+    <etc/>
+    <apps/>
+    <content/>
+    <tmp/>
+    <home/>
+    <testroot/>
+</jcr:root>

vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/_rep_policy.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root
+        xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
+    jcr:primaryType="rep:ACL">
+    <deny
+        jcr:primaryType="rep:DenyACE"
+        rep:principalName="everyone"
+        rep:privileges="{Name}[jcr:all]"/>
+</jcr:root>