RepoInit Fix (#140)

* Refactor to separate out RepoInit into AEMaaCS and 6.5 configs
* Move RepoInit to build image phase.
* Bump nokoiri gem

core/src/main/java/com/adobe/aem/modernize/servlet/ScheduleConversionJobServlet.java

@@ -152,6 +152,11 @@ private void checkPermissions(ResourceResolver rr, RequestData data) throws Acce
       Session session = rr.adaptTo(Session.class);
       AccessControlManager acm = session.getAccessControlManager();
       Privilege[] privs = new Privilege[] { acm.privilegeFromName(Privilege.JCR_WRITE) };
+
+      if (!acm.hasPrivileges(JOB_DATA_LOCATION, privs)) {
+        throw new AccessDeniedException(JOB_DATA_LOCATION);
+      }
+
       for (String path : data.getPaths()) {
         if (!acm.hasPrivileges(path, privs)) {
           throw new AccessDeniedException(path);

core/src/test/java/com/adobe/aem/modernize/servlet/ScheduleConversionJobServletTest.java

@@ -137,6 +137,33 @@ public void invalidJobData() throws Exception {
     assertTrue(StringUtils.isBlank(result.getJob()), "Tracking path");
   }
 
+  @Test
+  public void noPermissionsJobDataPath() throws Exception {
+    MockSlingHttpServletRequest request = new MockSlingHttpServletRequest(resourceResolver, bundleContext);
+    MockSlingHttpServletResponse response = new MockSlingHttpServletResponse();
+    ScheduleConversionJobServlet.RequestData requestData = buildJobData();
+    Map<String, Object> params = new HashMap<>();
+    params.put("data", new ObjectMapper().writeValueAsString(requestData));
+    request.setParameterMap(params);
+
+    new Expectations() {{
+      resourceResolver.adaptTo(Session.class);
+      result = session;
+      session.getAccessControlManager();
+      result = accessControlManager;
+      accessControlManager.hasPrivileges(ConversionJob.JOB_DATA_LOCATION, withInstanceOf(Privilege[].class));
+      result = false;
+    }};
+
+    servlet.doPost(request, response);
+    ScheduleConversionJobServlet.ResponseData result = new ObjectMapper().readValue(response.getOutputAsString(), ScheduleConversionJobServlet.ResponseData.class);
+
+    assertEquals(SC_FORBIDDEN, response.getStatus(), "Response status code");
+    assertFalse(result.isSuccess(), "Response status");
+    assertNotNull(result.getMessage(), "Response message");
+    assertTrue(StringUtils.isBlank(result.getJob()), "Tracking path");
+  }
+
   @Test
   public void noPermissionsSinglePath() throws Exception {
     MockSlingHttpServletRequest request = new MockSlingHttpServletRequest(resourceResolver, bundleContext);
@@ -151,7 +178,9 @@ public void noPermissionsSinglePath() throws Exception {
       result = session;
       session.getAccessControlManager();
       result = accessControlManager;
-      accessControlManager.hasPrivileges(anyString, withInstanceOf(Privilege[].class));
+      accessControlManager.hasPrivileges(ConversionJob.JOB_DATA_LOCATION, withInstanceOf(Privilege[].class));
+      result = true;
+      accessControlManager.hasPrivileges("/content/test/path", withInstanceOf(Privilege[].class));
       result = false;
     }};
 
@@ -178,9 +207,12 @@ public void noPermissionsMultiplePaths() throws Exception {
       result = session;
       session.getAccessControlManager();
       result = accessControlManager;
-      accessControlManager.hasPrivileges(anyString, withInstanceOf(Privilege[].class));
-      times = 2;
-      returns(true, false);
+      accessControlManager.hasPrivileges(ConversionJob.JOB_DATA_LOCATION, withInstanceOf(Privilege[].class));
+      result = true;
+      accessControlManager.hasPrivileges("/content/test/path", withInstanceOf(Privilege[].class));
+      result = true;
+      accessControlManager.hasPrivileges("/content/other/path", withInstanceOf(Privilege[].class));
+      result = false;
     }};
 
     servlet.doPost(request, response);
@@ -228,6 +260,8 @@ public  void noPermissionDesign() throws Exception {
       result = session;
       session.getAccessControlManager();
       result = accessControlManager;
+      accessControlManager.hasPrivileges(ConversionJob.JOB_DATA_LOCATION, withInstanceOf(Privilege[].class));
+      result = true;
       accessControlManager.hasPrivileges("/content/test/path", withInstanceOf(Privilege[].class));
       result = true;
       accessControlManager.hasPrivileges("/content/other/path", withInstanceOf(Privilege[].class));
@@ -267,6 +301,8 @@ public void noPermissionConf() throws Exception {
       result = session;
       session.getAccessControlManager();
       result = accessControlManager;
+      accessControlManager.hasPrivileges(ConversionJob.JOB_DATA_LOCATION, withInstanceOf(Privilege[].class));
+      result = true;
       accessControlManager.hasPrivileges("/content/test/path", withInstanceOf(Privilege[].class));
       result = true;
       accessControlManager.hasPrivileges("/content/other/path", withInstanceOf(Privilege[].class));

docs/Gemfile

@@ -15,7 +15,7 @@ gem "minima", "~> 2.5.1"
 
 # If you want to use GitHub Pages, remove the "gem "jekyll"" above and
 # uncomment the line below. To upgrade, run `bundle update github-pages`.
-gem "github-pages", "~> 222", group: :jekyll_plugins
+gem "github-pages", "~> 223", group: :jekyll_plugins
 
 # If you have any plugins, put them here!
 group :jekyll_plugins do
@@ -25,10 +25,13 @@ end
 # Windows and JRuby does not include zoneinfo files, so bundle the tzinfo-data gem
 # and associated library.
 platforms :mingw, :x64_mingw, :mswin, :jruby do
-  gem "tzinfo", "~> 1.2"
+  gem "tzinfo", "~> 2.0"
   gem "tzinfo-data"
 end
 
 # Performance-booster for watching directories on Windows
 gem "wdm", "~> 0.1.1", :platforms => [:mingw, :x64_mingw, :mswin]
 
+gem "nokogiri", ">= 1.13.2"
+
+

docs/Gemfile.lock

@@ -1,7 +1,7 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (6.0.4.1)
+    activesupport (6.0.4.6)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -17,7 +17,7 @@ GEM
     commonmarker (0.17.13)
       ruby-enum (~> 0.5)
     concurrent-ruby (1.1.9)
-    dnsruby (1.61.7)
+    dnsruby (1.61.9)
       simpleidn (~> 0.1)
     em-websocket (0.5.3)
       eventmachine (>= 0.12.9)
@@ -26,29 +26,33 @@ GEM
       ffi (>= 1.15.0)
     eventmachine (1.2.7)
     execjs (2.8.1)
-    faraday (1.8.0)
+    faraday (1.10.0)
       faraday-em_http (~> 1.0)
       faraday-em_synchrony (~> 1.0)
       faraday-excon (~> 1.1)
-      faraday-httpclient (~> 1.0.1)
+      faraday-httpclient (~> 1.0)
+      faraday-multipart (~> 1.0)
       faraday-net_http (~> 1.0)
-      faraday-net_http_persistent (~> 1.1)
+      faraday-net_http_persistent (~> 1.0)
       faraday-patron (~> 1.0)
       faraday-rack (~> 1.0)
-      multipart-post (>= 1.2, < 3)
+      faraday-retry (~> 1.0)
       ruby2_keywords (>= 0.0.4)
     faraday-em_http (1.0.0)
     faraday-em_synchrony (1.0.0)
     faraday-excon (1.1.0)
     faraday-httpclient (1.0.1)
+    faraday-multipart (1.0.3)
+      multipart-post (>= 1.2, < 3)
     faraday-net_http (1.0.1)
     faraday-net_http_persistent (1.2.0)
     faraday-patron (1.0.0)
     faraday-rack (1.0.0)
-    ffi (1.15.4)
+    faraday-retry (1.0.3)
+    ffi (1.15.5)
     forwardable-extended (2.6.0)
     gemoji (3.0.1)
-    github-pages (222)
+    github-pages (223)
       github-pages-health-check (= 1.17.9)
       jekyll (= 3.9.0)
       jekyll-avatar (= 0.7.0)
@@ -58,6 +62,7 @@ GEM
       jekyll-feed (= 0.15.1)
       jekyll-gist (= 1.5.0)
       jekyll-github-metadata (= 2.13.0)
+      jekyll-include-cache (= 0.2.1)
       jekyll-mentions (= 1.6.0)
       jekyll-optional-front-matter (= 0.3.2)
       jekyll-paginate (= 1.1.0)
@@ -138,6 +143,8 @@ GEM
     jekyll-github-metadata (2.13.0)
       jekyll (>= 3.4, < 5.0)
       octokit (~> 4.0, != 4.4.0)
+    jekyll-include-cache (0.2.1)
+      jekyll (>= 3.7, < 5.0)
     jekyll-mentions (1.6.0)
       html-pipeline (~> 2.3)
       jekyll (>= 3.7, < 5.0)
@@ -215,26 +222,28 @@ GEM
     kramdown-parser-gfm (1.1.0)
       kramdown (~> 2.0)
     liquid (4.0.3)
-    listen (3.7.0)
+    listen (3.7.1)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
     mercenary (0.3.6)
+    mini_portile2 (2.8.0)
     minima (2.5.1)
       jekyll (>= 3.5, < 5.0)
       jekyll-feed (~> 0.9)
       jekyll-seo-tag (~> 2.1)
-    minitest (5.14.4)
+    minitest (5.15.0)
     multipart-post (2.1.1)
-    nokogiri (1.12.5-x86_64-darwin)
+    nokogiri (1.13.3)
+      mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    octokit (4.21.0)
+    octokit (4.22.0)
       faraday (>= 0.9)
       sawyer (~> 0.8.0, >= 0.5.3)
     pathutil (0.16.2)
       forwardable-extended (~> 2.6)
     public_suffix (4.0.6)
     racc (1.6.0)
-    rb-fsevent (0.11.0)
+    rb-fsevent (0.11.1)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
     rexml (3.2.5)
@@ -265,16 +274,17 @@ GEM
       unf_ext
     unf_ext (0.0.8)
     unicode-display_width (1.8.0)
-    zeitwerk (2.5.1)
+    zeitwerk (2.5.4)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  github-pages (~> 222)
+  github-pages (~> 223)
   jekyll-feed (~> 0.15.1)
   minima (~> 2.5.1)
-  tzinfo (~> 1.2)
+  nokogiri (>= 1.13.2)
+  tzinfo (~> 2.0)
   tzinfo-data
   wdm (~> 0.1.1)
 

ui.apps.structure/pom.xml

@@ -35,6 +35,8 @@
                         <!-- /apps root -->
                         <filter><root>/apps</root></filter>
                         <filter><root>/apps/aem-modernize</root></filter>
+                        <filter><root>/apps/aem-modernize/content</root></filter>
+
                         <filter><root>/apps/aem-modernize-packages</root></filter>
 
                         <filter><root>/apps/cq</root></filter>
@@ -45,6 +47,7 @@
                         <filter><root>/apps/cq/core/content</root></filter>
                         <filter><root>/apps/cq/core/content/nav</root></filter>
                         <filter><root>/apps/cq/core/content/nav/tools</root></filter>
+                        <filter><root>/apps/cq/core/content/nav/tools/aem-modernize</root></filter>
 
                     </filters>
                 </configuration>

ui.apps/src/main/content/jcr_root/apps/cq/core/content/nav/tools/aem-modernize/.content.xml

@@ -24,6 +24,7 @@
     jcr:title="AEM Modernize Tools"
     id="aem-modernize">
 
+    <full />
     <structure />
     <component />
     <policy />

ui.config/pom.xml

@@ -39,8 +39,6 @@
     <!-- B U I L D   D E F I N I T I O N                                        -->
     <!-- ====================================================================== -->
     <build>
-        <sourceDirectory>src/main/content/jcr_root</sourceDirectory>
-
         <plugins>
             <plugin>
                 <groupId>org.apache.jackrabbit</groupId>
@@ -72,6 +70,7 @@
                         <groupId>org.apache.jackrabbit</groupId>
                         <artifactId>filevault-package-maven-plugin</artifactId>
                         <configuration>
+                            <jcrRootSourceDirectory>${project.basedir}/src/cs/content/jcr_root</jcrRootSourceDirectory>
                             <repositoryStructurePackages>
                                 <repositoryStructurePackage>
                                     <groupId>com.adobe.aem</groupId>
@@ -102,6 +101,7 @@
                         <groupId>org.apache.jackrabbit</groupId>
                         <artifactId>filevault-package-maven-plugin</artifactId>
                         <configuration>
+                            <jcrRootSourceDirectory>${project.basedir}/src/aem65/content/jcr_root</jcrRootSourceDirectory>
                             <classifier>aem65</classifier>
                             <repositoryStructurePackages>
                                 <repositoryStructurePackage>
@@ -142,6 +142,7 @@
                         <groupId>org.apache.jackrabbit</groupId>
                         <artifactId>filevault-package-maven-plugin</artifactId>
                         <configuration>
+                            <jcrRootSourceDirectory>${project.basedir}/src/cs/content/jcr_root</jcrRootSourceDirectory>
                             <classifier>java8</classifier>
                             <repositoryStructurePackages>
                                 <repositoryStructurePackage>
@@ -182,6 +183,7 @@
                         <groupId>org.apache.jackrabbit</groupId>
                         <artifactId>filevault-package-maven-plugin</artifactId>
                         <configuration>
+                            <jcrRootSourceDirectory>${project.basedir}/src/aem65/content/jcr_root</jcrRootSourceDirectory>
                             <classifier>java8aem65</classifier>
                             <repositoryStructurePackages>
                                 <repositoryStructurePackage>

ui.config/src/aem65/content/jcr_root/apps/aem-modernize/osgiconfig/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-modernize.config

@@ -0,0 +1,40 @@
+scripts=["
+create path /var/aem-modernize(sling:Folder)
+create path /var/aem-modernize/job-data(sling:Folder)
+
+# Cover any missing paths on CS
+create path /etc/designs(sling:Folder)
+
+create service user aem-modernize-schedule-job-service with path system/aem-modernize
+set ACL for aem-modernize-schedule-job-service
+    allow jcr:read on /
+    allow jcr:readAccessControl on /content,/conf,/etc
+    allow rep:write on /var/aem-modernize/job-data
+end
+
+create service user aem-modernize-convert-service with path system/aem-modernize
+set ACL for aem-modernize-convert-service
+    allow jcr:read on /
+    allow rep:write on /etc/designs
+    allow rep:write on /conf
+    allow rep:write on /content
+    allow jcr:versionManagement on /content
+    allow rep:write on /var/aem-modernize/job-data
+end
+
+create path /apps/aem-modernize(sling:Folder)
+create path /apps/aem-modernize/content(sling:Folder)
+
+create path /apps/cq(sling:Folder)
+create path /apps/cq/core(sling:Folder)
+create path /apps/cq/core/content(sling:Folder)
+create path /apps/cq/core/content/nav(sling:Folder)
+create path /apps/cq/core/content/nav/tools(sling:Folder)
+create path /apps/cq/core/content/nav/tools/aem-modernize(sling:OrderedFolder)
+
+set ACL for everyone
+  deny jcr:all on /apps/aem-modernize
+  deny jcr:all on /apps/cq/core/content/nav/tools/aem-modernize
+  deny jcr:all on /var/aem-modernize
+end
+"]

ui.config/src/cs/content/jcr_root/apps/aem-modernize/osgiconfig/config.author/org.apache.sling.event.jobs.QueueConfiguration-aem-modernize.config

@@ -0,0 +1,6 @@
+queue.name="AEM Modernize Tools Queue"
+queue.topics=["com/adobe/aem/modernize/job/topic/convert/*"]
+queue.type="ORDERED"
+queue.priority="MIN"
+queue.retries="0"
+queue.maxparallel="1"

ui.config/src/cs/content/jcr_root/apps/aem-modernize/osgiconfig/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-modernize.config

@@ -0,0 +1,40 @@
+scripts=["
+create path /var/aem-modernize(sling:Folder)
+create path /var/aem-modernize/job-data(sling:Folder)
+
+# Cover any missing paths on CS
+create path /etc/designs(sling:Folder)
+
+create service user aem-modernize-schedule-job-service with forced path system/cq:services/aem-modernize
+set principal ACL for aem-modernize-schedule-job-service
+    allow jcr:read on /
+    allow jcr:readAccessControl on /content,/conf,/etc
+    allow rep:write on /var/aem-modernize/job-data
+end
+
+create service user aem-modernize-convert-service with forced path system/cq:services/aem-modernize
+set principal ACL for aem-modernize-convert-service
+    allow jcr:read on /
+    allow rep:write on /etc/designs
+    allow rep:write on /conf
+    allow rep:write on /content
+    allow jcr:versionManagement on /content
+    allow rep:write on /var/aem-modernize/job-data
+end
+
+create path /apps/aem-modernize(sling:Folder)
+create path /apps/aem-modernize/content(sling:Folder)
+
+create path /apps/cq(sling:Folder)
+create path /apps/cq/core(sling:Folder)
+create path /apps/cq/core/content(sling:Folder)
+create path /apps/cq/core/content/nav(sling:Folder)
+create path /apps/cq/core/content/nav/tools(sling:Folder)
+create path /apps/cq/core/content/nav/tools/aem-modernize(sling:OrderedFolder)
+
+set ACL for everyone
+  deny jcr:all on /apps/aem-modernize
+  deny jcr:all on /apps/cq/core/content/nav/tools/aem-modernize
+  deny jcr:all on /var/aem-modernize
+end
+"]