Support for writing authorizable nodes

Author: Jeff Bornemann

gradle.properties

@@ -40,6 +40,7 @@ scr_annotations_version = 1.7.0
 servlet_api_version = 2.5
 slf4j_version = 1.7.6
 sling_api_version = 2.9.0
+sling_base_version = 2.2.2
 sling_commons_testing_version = 2.0.12
 sling_commons_version = 2.2.0
 sling_event_version = 3.1.4

gradle/dependencies.gradle

@@ -19,6 +19,7 @@ dependencies {
 
     // Apache Sling libraries
     compile "org.apache.sling:org.apache.sling.api:${sling_api_version}"
+    compile "org.apache.sling:org.apache.sling.jcr.base:${sling_base_version}"
     compile "org.apache.sling:org.apache.sling.jcr.resource:${sling_jcr_resource_version}"
 
     // Apache Felix libraries
@@ -33,6 +34,7 @@ dependencies {
     // Working with the JCR
     compile "javax.jcr:jcr:${jcr_version}"
     compile "org.apache.jackrabbit:jackrabbit-jcr-commons:${jackrabbit_version}"
+    compile "org.apache.jackrabbit:jackrabbit-api:${jackrabbit_version}"
     compile "org.apache.sling:org.apache.sling.jcr.api:${sling_commons_version}"
 
     // Logging

gradle/packageExclusions.gradle

@@ -30,10 +30,12 @@ configurations.cq_package {
 
     exclude group: 'org.apache.commons', module: 'commons-lang3'
     exclude group: 'org.apache.jackrabbit', module:'jackrabbit-jcr-commons'
+    exclude group: 'org.apache.jackrabbit', module:'jackrabbit-api'
     exclude group: 'commons-io', module: 'commons-io'
 
     //Exclude Apache Sling Libraries
     exclude group: 'org.apache.sling', module: 'org.apache.sling.api'
+    exclude group: 'org.apache.sling', module: 'org.apache.sling.jcr.base'
     exclude group: 'org.apache.sling', module:'org.apache.sling.jcr.resource'
     exclude group: 'org.apache.sling', module: 'org.apache.sling.jcr.api'
 

src/main/content/SLING-INF/content/apps/grabbit/config/org.apache.sling.commons.log.LogManager.factory.config-com.twcable.grabbit.client.batch.xml

@@ -14,7 +14,7 @@
 
     <property>
         <name>org.apache.sling.commons.log.names</name>
-        <value>com.twcable.grabbit.client.batch</value>
+        <value>com.twcable.grabbit.client</value>
         <type>String</type>
     </property>
 

src/main/content/SLING-INF/content/apps/grabbit/config/org.apache.sling.commons.log.LogManager.factory.config-com.twcable.grabbit.server.batch.xml

@@ -14,7 +14,7 @@
 
     <property>
         <name>org.apache.sling.commons.log.names</name>
-        <value>com.twcable.grabbit.server.batch</value>
+        <value>com.twcable.grabbit.server</value>
         <type>String</type>
     </property>
 

src/main/groovy/com/twcable/grabbit/client/batch/steps/jcrnodes/JcrNodesWriter.groovy

@@ -88,7 +88,7 @@ class JcrNodesWriter implements ItemWriter<ProtoNode>, ItemWriteListener {
     }
 
     private static void writeToJcr(ProtoNode nodeProto, Session session) {
-        JcrNodeDecorator jcrNode = new ProtoNodeDecorator(nodeProto).writeToJcr(session)
+        JcrNodeDecorator jcrNode = ProtoNodeDecorator.createFrom(nodeProto).writeToJcr(session)
         jcrNode.setLastModified()
         // This will processed all mandatory child nodes only
         if(nodeProto.mandatoryChildNodeList && nodeProto.mandatoryChildNodeList.size() > 0) {

src/main/groovy/com/twcable/grabbit/jcr/AuthorizableProtoNodeDecorator.groovy

@@ -0,0 +1,238 @@
+package com.twcable.grabbit.jcr
+
+import com.twcable.grabbit.proto.NodeProtos.Node as ProtoNode
+import com.twcable.grabbit.security.AuthorizablePrincipal
+import com.twcable.grabbit.security.InsufficientGrabbitPrivilegeException
+import groovy.transform.CompileStatic
+import groovy.util.logging.Slf4j
+import org.apache.jackrabbit.api.security.user.Authorizable
+import org.apache.jackrabbit.api.security.user.User
+import org.apache.jackrabbit.api.security.user.UserManager
+import org.apache.jackrabbit.value.StringValue
+import org.apache.sling.jcr.base.util.AccessControlUtil
+
+import javax.annotation.Nonnull
+import javax.jcr.Session
+import java.lang.reflect.Field
+import java.lang.reflect.Method
+import java.lang.reflect.ReflectPermission
+
+/*
+ * Copyright 2015 Time Warner Cable, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * This class wraps a serialized node that represents an Authorizable. Authorizables are special system protected nodes, that can only be written under certain
+ * trees, and can not be written directly by a client.
+ */
+@CompileStatic
+@Slf4j
+class AuthorizableProtoNodeDecorator extends ProtoNodeDecorator {
+
+
+    protected AuthorizableProtoNodeDecorator(@Nonnull ProtoNode node, @Nonnull Collection<ProtoPropertyDecorator> protoProperties) {
+        this.innerProtoNode = node
+        this.protoProperties = protoProperties
+    }
+
+
+    @Override
+    JcrNodeDecorator writeToJcr(@Nonnull Session session) {
+        if(!checkSecurityPermissions()) {
+            throw new InsufficientGrabbitPrivilegeException("JVM Permissions needed by Grabbit to sync Users/Groups were not found. See log for specific permissions needed, and add these to your security manager; or do not sync users and groups." +
+                                                            "Unfortunately, the way Jackrabbit goes about certain things requires us to do a bit of hacking in order to sync Authorizables securely, and efficiently.")
+        }
+        Authorizable authorizable = findAuthorizable(session)
+        if(!authorizable) {
+            authorizable = createNewAuthorizable(session)
+        }
+        else {
+            updateAuthorizable(authorizable, session)
+        }
+        session.save()
+        return new JcrNodeDecorator(session.getNode(authorizable.getPath()))
+    }
+
+
+    /**
+     * @return a new authorizable from this serialized node
+     */
+    private Authorizable createNewAuthorizable(final Session session) {
+        final UserManager userManager = getUserManager(session)
+        if(isUserType()) {
+            //We set a temporary password for now, and then set the real password later in setPasswordForUser(). See the method for why.
+            final newUser = userManager.createUser(authorizableID, 'temp', new AuthorizablePrincipal(authorizableID), getIntermediateAuthorizablePath())
+            //This is a special protected property for disabling user access
+            if(hasProperty('rep:disabled')) {
+                newUser.disable(getStringValueFrom('rep:disabled'))
+            }
+            //AEM writes this property directly on the user node for some reason. One known use is for setting leads on MCM campaigns.
+            final authorizableCategory = 'cq:authorizableCategory'
+            if(hasProperty(authorizableCategory)) {
+                newUser.setProperty(authorizableCategory, new StringValue(getStringValueFrom(authorizableCategory)))
+            }
+            //Special users may not have passwords, such as anonymous users
+            if(hasProperty('rep:password')) {
+                setPasswordForUser(newUser, session)
+            }
+            return newUser
+        }
+        return userManager.createGroup(authorizableID, new AuthorizablePrincipal(authorizableID), getIntermediateAuthorizablePath())
+    }
+
+
+    /**
+     * From a client API perspective, there is really no way to truely update an existing authorizable node. All of the properties are protected, and there is no
+     * known way to update them. What we do here is essentially remove the existing authorizable as denoted by the authorizableID, and recreate it.
+     */
+    private void updateAuthorizable(final Authorizable authorizable, final Session session) {
+        authorizable.remove()
+        session.save()
+        createNewAuthorizable(session)
+    }
+
+
+    private Authorizable findAuthorizable(final Session session) {
+        final UserManager userManager = getUserManager(session)
+        return userManager.getAuthorizable(getAuthorizableID())
+    }
+
+
+    private String getAuthorizableID() {
+        return protoProperties.find { it.isAuthorizableIDType() }.stringValue
+    }
+
+
+    private String getIntermediateAuthorizablePath() {
+        final pathTokens = getName().tokenize('/')
+        //remove last index, as this is the Authorizable node name
+        pathTokens.remove(pathTokens.size() - 1)
+        return "/${pathTokens.join('/')}"
+    }
+
+
+    private boolean isUserType() {
+        return protoProperties.any { it.userType }
+    }
+
+
+    /**
+     * Some JVM's have a SecurityManager set, which based on configuration, can potentially inhibit our hack {@code setPasswordForUser(User, Session)} from working.
+     * We need to check security permissions before proceeding
+     * @return true if we can sync this Authorizable
+     */
+    private boolean checkSecurityPermissions() {
+        final SecurityManager securityManager = getSecurityManager()
+        //If no security manager is present, then we are in the clear; otherwise, we need to check certain permissions
+        if(!securityManager){
+            log.debug "No SecurityManager found on this JVM. Sync of Users/Groups can continue"
+            return true
+        }
+        final issues = []
+        final badPermissions = false
+        log.debug "SecurityManager found on this JVM. Checking permissions.."
+        try {
+            //Needed to reflect on members for which this class does not normally have access to
+            securityManager.checkPermission(new ReflectPermission('suppressAccessChecks'))
+        }
+        catch(SecurityException ex) {
+            issues << 'suppressAccessChecks'
+            badPermissions = true
+        }
+        try {
+            //Needed to access all declared members of a class, including protected or private
+            securityManager.checkPermission(new RuntimePermission('accessDeclaredMembers'))
+        }
+        catch(SecurityException ex) {
+            issues << 'accessDeclaredMembers'
+            badPermissions = true
+        }
+        try {
+            //Needed to access classes directly within a potentially system protected package
+            securityManager.checkPermission(new RuntimePermission('accessClassInPackage.{org.apache.jackrabbit.oak.security.user}'))
+        }
+        catch(SecurityException ex) {
+            issues << 'accessClassInPackage.{org.apache.jackrabbit.oak.security.user}'
+            badPermissions = true
+        }
+        if(badPermissions) {
+            log.warn "A SecurityManager is enabled for this JVM, and permissions are not sufficient for Grabbit to sync Authorizables (Users/Groups). You must enable ${issues.join(', ')} permissions in your SecurityManager to use this functionality" +
+                     "Check https://docs.oracle.com/javase/7/docs/api/java/lang/RuntimePermission.html and https://docs.oracle.com/javase/7/docs/api/java/lang/reflect/ReflectPermission.html to see what these permissions enable"
+            return false
+        }
+        else {
+            log.debug "Permissions check successful"
+            return true
+        }
+    }
+
+    /**
+     * @return the system's security manager, or null if one is not present
+     */
+    SecurityManager getSecurityManager() {
+        return System.getSecurityManager()
+    }
+
+
+    UserManager getUserManager(final Session session) {
+        return AccessControlUtil.getUserManager(session)
+    }
+
+
+    /**
+     * Normally we would call org.apache.jackrabbit.oak.jcr.delegate.UserDelegator.changePassword(String password) to change a password (this is what is publicly available through the Jackrabbit API)
+     * However, this method ALWAYS rehashes the password argument which is of no use to us, since we are trying to transfer an already hashed password.
+     *
+     * Internally, org.apache.jackrabbit.oak.jcr.delegate.UserDelegator calls it's delegate's org.apache.jackrabbit.oak.security.user.UserImpl.changePassword(String password)
+     * which calls org.apache.jackrabbit.oak.security.user.UserManagerImpl.setPassword(Tree tree, String userId, String password, boolean forceHash) with forceHash always set to true
+     * We really need forcehash set to false for our case, but this isn't publicly available. Here, we access internal objects to do this manipulation. org.apache.jackrabbit.oak.security.user.UserManagerImpl
+     * simply ensures that forcehash is false, and that the password is not plain text, and it sets the password as-is.
+     *
+     * @throws IllegalStateException if security permissions required to run this are not there. @{code checkSecurityPermissions()} should be called before calling this method
+     **/
+     void setPasswordForUser(final User user, final Session session) {
+        if(!checkSecurityPermissions()) throw new IllegalStateException("Security check failed for Grabbit. Can not set user passwords")
+        //As a consumer we have access to org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator below
+        final userManager = getUserManager(session)
+        Class userManagerDelegatorClass = userManager.getClass()
+        //Reach into the class of this delegator, and grab the core Jackrabbit object we delegate to
+        Field userManagerDelegateField = userManagerDelegatorClass.getDeclaredField('userManagerDelegate')
+        //The delegate field is private, so we need to make it accessible. Security checks above are imperative for this to work
+        userManagerDelegateField.setAccessible(true)
+        //Here we have a handle to the internal class org.apache.jackrabbit.oak.security.user.UserManagerImpl
+        final userManagerDelegate = userManagerDelegateField.get(userManager)
+        final userManagerDelegateClass = userManagerDelegate.getClass()
+        //We need to set the 'setPassword' method as accessible. Again, security checks above are imperative for this to work
+        Method setPasswordMethod = userManagerDelegateClass.getDeclaredMethod('setPassword', Class.forName('org.apache.jackrabbit.oak.api.Tree', true, userManagerDelegateClass.getClassLoader()), String, String, boolean)
+        setPasswordMethod.setAccessible(true)
+        /**
+         * Step two. We need access to the internal Authorizable object's tree in order to call the internal setPassword method
+         * User is an instance of org.apache.jackrabbit.oak.jcr.delegate.UserDelegator. We need to get the delegate off of this class's super class org.apache.jackrabbit.oak.jcr.delegate.AuthorizableDelegator
+         */
+        Class authorizableDelegateClass = user.getClass().getSuperclass()
+        Field authorizableDelegateField = authorizableDelegateClass.getDeclaredField('delegate')
+        authorizableDelegateField.setAccessible(true)
+        final authorizable = authorizableDelegateField.get(user)
+        //Internal org.apache.jackrabbit.oak.security.user.AuthorizableImpl object. We can access the protected tree here
+        Method getTreeMethod = authorizable.getClass().getSuperclass().getDeclaredMethod('getTree')
+        getTreeMethod.setAccessible(true)
+
+        /**
+         * The last argument where we are passing in 'false' in the secret sauce we need. This parameter is forceHash. As long as forceHash is false, and the password is not
+         * clear-text, which it isn't since we got it from another Jackrabbit instance, we can set the password as-is.
+         */
+        setPasswordMethod.invoke(userManagerDelegate, getTreeMethod.invoke(authorizable), getAuthorizableID(), getStringValueFrom('rep:password'), false)
+    }
+}

src/main/groovy/com/twcable/grabbit/jcr/DefaultProtoNodeDecorator.groovy

@@ -0,0 +1,95 @@
+/*
+ * Copyright 2015 Time Warner Cable, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.twcable.grabbit.jcr
+
+import com.twcable.grabbit.proto.NodeProtos.Node as ProtoNode
+import com.twcable.grabbit.proto.NodeProtos.Value as ProtoValue
+import groovy.transform.CompileStatic
+import groovy.util.logging.Slf4j
+import org.apache.jackrabbit.commons.JcrUtils
+
+import javax.annotation.Nonnull
+import javax.jcr.Node as JCRNode
+import javax.jcr.Session
+
+import static org.apache.jackrabbit.JcrConstants.JCR_MIXINTYPES
+import static org.apache.jackrabbit.JcrConstants.JCR_PRIMARYTYPE
+
+@CompileStatic
+@Slf4j
+class DefaultProtoNodeDecorator extends ProtoNodeDecorator {
+
+
+    protected DefaultProtoNodeDecorator(@Nonnull ProtoNode node, @Nonnull Collection<ProtoPropertyDecorator> protoProperties) {
+        this.innerProtoNode = node
+        this.protoProperties = protoProperties
+    }
+
+
+    @Override
+    JcrNodeDecorator writeToJcr(@Nonnull Session session) {
+        final jcrNode = getOrCreateNode(session)
+        //Write mixin types first to avoid InvalidConstraintExceptions
+        final mixinProperty = getMixinProperty()
+        if(mixinProperty) {
+            addMixins(mixinProperty, jcrNode)
+        }
+        //Then add other properties
+        writableProperties.each { it.writeToNode(jcrNode) }
+
+        return new JcrNodeDecorator(jcrNode)
+    }
+
+
+    private ProtoPropertyDecorator getMixinProperty() {
+        protoProperties.find { it.isMixinType() }
+    }
+
+
+    private Collection<ProtoPropertyDecorator> getWritableProperties() {
+        protoProperties.findAll { !(it.name in [JCR_PRIMARYTYPE, JCR_MIXINTYPES]) }
+    }
+
+
+    /**
+     * This method is rather succinct, but helps isolate this JcrUtils static method call
+     * so that we can get better test coverage.
+     * @param session to create or get the node path for
+     * @return the newly created, or found node
+     */
+    JCRNode getOrCreateNode(Session session) {
+        JcrUtils.getOrCreateByPath(innerProtoNode.name, primaryType.getStringValue(), session)
+    }
+
+
+    /**
+     * If a property can be added as a mixin, adds it to the given node
+     * @param property
+     * @param node
+     */
+    private static void addMixins(ProtoPropertyDecorator property, JCRNode node) {
+        property.valuesList.each { ProtoValue value ->
+            if (node.canAddMixin(value.stringValue)) {
+                node.addMixin(value.stringValue)
+                log.debug "Added mixin ${value.stringValue} for : ${node.name}."
+            }
+            else {
+                log.warn "Encountered invalid mixin type while unmarshalling for Proto value : ${value}"
+            }
+        }
+    }
+
+}