Merge pull request #196 from miguelrgonzalez/ml-gradle-issue-199

Ml gradle issue 199

Author: rjrudin

src/main/java/com/marklogic/appdeployer/ConfigDir.java

@@ -9,7 +9,7 @@
 /**
  * Defines all of the directories where configuration files can be found.
  *
- * TODO Eventually turn this into an interface. 
+ * TODO Eventually turn this into an interface.
  */
 public class ConfigDir {
 
@@ -92,6 +92,10 @@ public File getUsersDir() {
 		return new File(getSecurityDir(), "users");
 	}
 
+	public File getProtectedPathsDir() { return new File(getSecurityDir(), "protected-paths"); }
+
+	public File getQueryRoleSetsDir() { return new File(getSecurityDir(), "query-rolesets"); }
+
 	public File getServersDir() {
 		return new File(baseDir, "servers");
 	}

src/main/java/com/marklogic/appdeployer/command/SortOrderConstants.java

@@ -13,6 +13,8 @@ public abstract class SortOrderConstants {
     public static Integer DEPLOY_EXTERNAL_SECURITY = 70;
     public static Integer DEPLOY_PROTECTED_COLLECTIONS = 80;
     public static Integer DEPLOY_MIMETYPES = 90;
+	public static Integer DEPLOY_PROTECTED_PATHS = 95;
+	public static Integer DEPLOY_QUERY_ROLE_SETS = 97;
 
     public static Integer DEPLOY_TRIGGERS_DATABASE = 100;
     public static Integer DEPLOY_SCHEMAS_DATABASE = 100;
@@ -71,10 +73,13 @@ public abstract class SortOrderConstants {
     public static Integer DELETE_CERTIFICATE_AUTHORITIES = 9020;
     public static Integer DELETE_EXTERNAL_SECURITY = 9030;
     public static Integer DELETE_PROTECTED_COLLECTIONS = 9040;
+	public static Integer DELETE_QUERY_ROLE_SETS = 9050;
 
     // Roles can reference privileges, so must delete roles first
     public static Integer DELETE_ROLES = 9060;
     public static Integer DELETE_PRIVILEGES = 9070;
+    // Protected paths reference roles
+	public static Integer DELETE_PROTECTED_PATHS = 9080;
 
     /*
      * This executes before databases are deleted, as deleting databases normally deletes the primary forests, so we

src/main/java/com/marklogic/appdeployer/command/security/DeployProtectedPathCommand.java

@@ -0,0 +1,28 @@
+package com.marklogic.appdeployer.command.security;
+
+import com.marklogic.appdeployer.command.AbstractResourceCommand;
+import com.marklogic.appdeployer.command.CommandContext;
+import com.marklogic.appdeployer.command.SortOrderConstants;
+import com.marklogic.mgmt.resource.ResourceManager;
+import com.marklogic.mgmt.resource.security.ProtectedPathManager;
+import com.marklogic.mgmt.resource.security.UserManager;
+
+import java.io.File;
+
+public class DeployProtectedPathCommand extends AbstractResourceCommand{
+
+	public DeployProtectedPathCommand() {
+		setExecuteSortOrder(SortOrderConstants.DEPLOY_PROTECTED_PATHS);
+		setUndoSortOrder(SortOrderConstants.DELETE_PROTECTED_PATHS);
+	}
+
+	@Override
+	protected File[] getResourceDirs(CommandContext context) {
+		return new File[] { context.getAppConfig().getConfigDir().getProtectedPathsDir() };
+	}
+
+	@Override
+	protected ResourceManager getResourceManager(CommandContext context) {
+		return new ProtectedPathManager(context.getManageClient());
+	}
+}

src/main/java/com/marklogic/appdeployer/command/security/DeployQueryRoleSetsCommand.java

@@ -0,0 +1,26 @@
+package com.marklogic.appdeployer.command.security;
+
+import com.marklogic.appdeployer.command.AbstractResourceCommand;
+import com.marklogic.appdeployer.command.CommandContext;
+import com.marklogic.appdeployer.command.SortOrderConstants;
+import com.marklogic.mgmt.resource.ResourceManager;
+import com.marklogic.mgmt.resource.security.QueryRoleSetsManager;
+
+import java.io.File;
+
+public class DeployQueryRoleSetsCommand extends AbstractResourceCommand {
+
+	public DeployQueryRoleSetsCommand() {
+		setExecuteSortOrder(SortOrderConstants.DEPLOY_QUERY_ROLE_SETS);
+		setUndoSortOrder(SortOrderConstants.DELETE_QUERY_ROLE_SETS);
+	}
+	@Override
+	protected File[] getResourceDirs(CommandContext context) {
+		return new File[] { context.getAppConfig().getConfigDir().getQueryRoleSetsDir() };
+	}
+
+	@Override
+	protected ResourceManager getResourceManager(CommandContext context) {
+		return new QueryRoleSetsManager(context.getManageClient());
+	}
+}

src/main/java/com/marklogic/mgmt/PayloadParser.java

@@ -30,7 +30,8 @@ public String getPayloadFieldValue(String payload, String fieldName) {
                 throw new RuntimeException("Cannot get field value from JSON; field name: " + fieldName + "; JSON: "
                         + payload);
             }
-            return node.get(fieldName).asText();
+            return node.get(fieldName).isTextual() ? node.get(fieldName).asText() : node.get(fieldName).toString();
+
         } else {
             Fragment f = new Fragment(payload);
             String xpath = String.format("/node()/*[local-name(.) = '%s']", fieldName);

src/main/java/com/marklogic/mgmt/resource/security/ProtectedPathManager.java

@@ -0,0 +1,91 @@
+package com.marklogic.mgmt.resource.security;
+
+import com.marklogic.mgmt.ManageClient;
+import com.marklogic.mgmt.resource.AbstractResourceManager;
+import com.marklogic.rest.util.Fragment;
+import com.marklogic.rest.util.ResourcesFragment;
+import org.springframework.web.client.ResourceAccessException;
+
+import java.util.List;
+
+public class ProtectedPathManager extends AbstractResourceManager {
+	public ProtectedPathManager(ManageClient client) {
+		super(client);
+	}
+
+	@Override
+	public String getResourcesPath() {
+		return "/manage/v2/protected-paths";
+	}
+
+	@Override
+	protected String getResourceName() {
+		return "protected-path";
+	}
+
+	@Override
+	protected String getIdFieldName() {
+		return "path-expression";
+	}
+
+	@Override
+	public String getPropertiesPath(String resourceNameOrId, String... resourceUrlParams) {
+		return getResourcesPath()  + "/" + getIdForPathExpression(resourceNameOrId) + "/properties";
+	}
+
+	@Override
+	public String getResourcePath(String resourceNameOrId, String... resourceUrlParams) {
+		return getResourcesPath() + "/" + getIdForPathExpression(resourceNameOrId);
+	}
+
+	@Override
+	protected String[] getDeleteResourceParams(String payload) {
+		// We need to unprotect the path before deleting it
+		// Otherwise we'll get a SEC-MUSTUNPROTECTPATH error
+		return new String[]{"force", "true"};
+	}
+
+	@Override
+	public boolean exists(String resourceNameOrId, String... resourceUrlParams) {
+		Fragment f = getAsXml();
+		return f.elementExists(format(
+			"/node()/*[local-name(.) = 'list-items']/node()[*[local-name(.) = 'nameref'] = '%s']",
+			resourceNameOrId));
+	}
+
+	public String getIdForPathExpression(String pathExpression) {
+		Fragment f = getAsXml();
+		String xpath = "/node()/*[local-name(.) = 'list-items']/node()"
+			+ "[*[local-name(.) = 'nameref'] = '%s']/*[local-name(.) = 'idref']";
+		xpath = String.format(xpath, pathExpression);
+		String id = f.getElementValue(xpath);
+		if (id == null) {
+			throw new RuntimeException("Could not find a protected path with a path-expression of: " + pathExpression);
+		}
+		return id;
+	}
+
+	@Override
+	protected boolean useAdminUser() { return true; }
+
+
+	/**
+	 * Testing the deployment/undeployment of protected paths intermittently fails when performing a GET on the
+	 * /manage/v2/protected-paths endpoint. A single retry seems to address the issue, though the cause is still
+	 * unknown.
+	 *
+	 * @return ResourcesFragment
+	 */
+	@Override
+	public ResourcesFragment getAsXml() {
+		try {
+			return new ResourcesFragment(getManageClient().getXmlAsAdmin(getResourcesPath()));
+		} catch (ResourceAccessException ex) {
+			if (logger.isWarnEnabled()) {
+				logger.warn("Unable to get list of protected paths, retrying; cause: " + ex.getMessage());
+			}
+			return new ResourcesFragment(getManageClient().getXmlAsAdmin(getResourcesPath()));
+		}
+	}
+
+}

src/main/java/com/marklogic/mgmt/resource/security/QueryRoleSetsManager.java

@@ -0,0 +1,83 @@
+package com.marklogic.mgmt.resource.security;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.marklogic.mgmt.ManageClient;
+import com.marklogic.mgmt.PayloadParser;
+import com.marklogic.mgmt.resource.AbstractResourceManager;
+import com.marklogic.rest.util.Fragment;
+
+import java.util.List;
+
+public class QueryRoleSetsManager extends AbstractResourceManager {
+
+	private boolean updateAllowed = false;
+
+	public QueryRoleSetsManager(ManageClient client) {
+		super(client);
+	}
+
+	@Override
+	public String getResourcesPath() {
+		return "/manage/v2/query-rolesets";
+	}
+
+	@Override
+	protected String getResourceName() {
+		return "query-rolesets";
+	}
+
+	@Override
+	protected String getIdFieldName() {
+		return "role-name";
+	}
+
+	@Override
+	public String getPropertiesPath(String resourceNameOrId, String... resourceUrlParams) {
+		String id = getIdForRoleNames(resourceNameOrId);
+		if (id == null) {
+			throw new RuntimeException("Could not find a query-roleset with roles: " + resourceNameOrId);
+		} else return getResourcesPath()  + "/" + id + "/properties";
+	}
+
+	@Override
+	public String getResourcePath(String resourceNameOrId, String... resourceUrlParams) {
+		String id = getIdForRoleNames(resourceNameOrId);
+		if (id == null) {
+			throw new RuntimeException("Could not find a query-roleset with roles: " + resourceNameOrId);
+		}else return getResourcesPath()  + "/" + id;
+	}
+
+	@Override
+	public boolean exists(String resourceNameOrId, String... resourceUrlParams) {
+		Fragment f = getAsXml();
+		return f.elementExists(format(
+			"/node()/*[local-name(.) = 'list-items']/node()[*[local-name(.) = 'idref'] = '%s']",
+			getIdForRoleNames(resourceNameOrId)));
+	}
+
+	public String getIdForRoleNames(String roles) {
+		Fragment f = getAsXml();
+		String xpath = "/node()/*[local-name(.) = 'list-items']/node()/*[local-name(.) = 'idref']";
+		String roleSetId = null;
+
+		//Transform roles into role JSON array
+		JsonNode roleArray = payloadParser.parseJson(roles);
+
+		//Get list of existing rolesets
+		for(String id : f.getElementValues(xpath)) {
+			String response =
+				payloadParser.getPayloadFieldValue(
+                    getManageClient().getJson(getResourcesPath() + "/" + id + "/properties"),
+                    getIdFieldName()
+				);
+
+			//does this roleset contain the same list of roles?
+			if (roleArray.equals(payloadParser.parseJson(response))) {
+				roleSetId = id;
+				break;
+			}
+		}
+		return roleSetId;
+	}
+
+}

src/test/java/com/marklogic/appdeployer/command/security/ManageProtectedPathsTest.java

@@ -0,0 +1,24 @@
+package com.marklogic.appdeployer.command.security;
+
+import com.marklogic.appdeployer.command.AbstractManageResourceTest;
+import com.marklogic.appdeployer.command.Command;
+import com.marklogic.mgmt.resource.ResourceManager;
+import com.marklogic.mgmt.resource.security.ProtectedPathManager;
+
+public class ManageProtectedPathsTest extends AbstractManageResourceTest {
+	@Override
+	protected ResourceManager newResourceManager() {
+        return new ProtectedPathManager(manageClient);
+	}
+
+	@Override
+	protected Command newCommand() {
+		return new DeployProtectedPathCommand();
+	}
+
+	@Override
+	protected String[] getResourceNames() {
+		return new String[] { "/test:element" };
+	}
+
+}

src/test/java/com/marklogic/appdeployer/command/security/ManageQueryRoleSetsTest.java

@@ -0,0 +1,23 @@
+package com.marklogic.appdeployer.command.security;
+
+import com.marklogic.appdeployer.command.AbstractManageResourceTest;
+import com.marklogic.appdeployer.command.Command;
+import com.marklogic.mgmt.resource.ResourceManager;
+import com.marklogic.mgmt.resource.security.QueryRoleSetsManager;
+
+public class ManageQueryRoleSetsTest extends AbstractManageResourceTest {
+    @Override
+    protected ResourceManager newResourceManager() {
+        return new QueryRoleSetsManager(manageClient);
+    }
+
+    @Override
+    protected Command newCommand() {
+        return new DeployQueryRoleSetsCommand();
+    }
+
+	@Override
+	protected String[] getResourceNames() {
+		return new String[] { "[\"view-admin\"]" };
+	}
+}

src/test/resources/sample-app/src/main/ml-config/security/protected-paths/path-1.json

@@ -0,0 +1,9 @@
+{
+	"path-expression":"/test:element",
+	"path-namespace":[
+		{"prefix":"test", "namespace-uri":"http://marklogic.com"}
+	],
+	"permission": [
+		{"role-name":"view-admin", "capability":"read"}
+	]
+}