Add validator for embedded bundles

kwin · kwin · commit 4a9f97842c67 · 2025-03-04T19:28:26.000+01:00
This closes #5
diff --git a/README.md b/README.md
@@ -19,6 +19,7 @@ There are several validators included in this artifact, all relate to namespacin
 1. [OSGi Configuration][osgi-installer-configurations]
 1. [Sling Resource Type and Resource Super Type][sling-resource-type] (`sling:resourceType` and `sling:resourceSuperType` properties)
 1. [AEM Client Library][aem-clientlibrary] (`categories` property)
+1. [Embedded Bundles][embedded] (the `Bundle-SymbolicName` of embedded bundles)
 
 Namespacing has been explicitly mentioned in [Achim Koch's Blog: Hosting Multiple Tenants on AEM](https://blog.developer.adobe.com/hosting-multiple-tenants-on-aem-815c8ed0c9f9) but obviously namespacing is just one of multiple aspects to consider for multi-tenant AEM environments.
 
@@ -33,8 +34,8 @@ The following options are supported apart from the default settings mentioned in
 Leaving the validators with the default options will not emit validation issues at all, i.e. none of the options are mandatory.
 
 
-Validator ID | Option | Description
---- | --- | --- 
+Validator ID | Option | Description | Since
+--- | --- | --- | ---
 `netcentric-filter-namespace` | `allowedPathPatterns` | Comma-separated list of regular expression patterns. Each package filter `root` must match at least one of the given patterns.
 `netcentric-packageid-namespace` | `allowedGroupPatterns` | Comma-separated list of regular expression patterns. The package's group must match at least one of the given patterns.
 `netcentric-packageid-namespace` | `allowedNamePatterns` | Comma-separated list of regular expression patterns. The package's name must match at least one of the given patterns.
@@ -48,6 +49,7 @@ Validator ID | Option | Description
 `netcentric-resourcetype-namespace` | `allowedTypePatterns` | Comma-separated list of regular expression patterns. Each `sling:resourceType` property of arbitrary JCR nodes must match at least one of the given patterns.
 `netcentric-resourcetype-namespace` | `allowedSuperTypePatterns` | Comma-separated list of regular expression patterns. Each `sling:resourceSuperType` property of arbitrary JCR nodes must match at least one of the given patterns.
 `netcentric-clientlibrary-namespace` | `allowedCategoryPatterns` | Comma-separated list of regular expression patterns. Each [client library's `categories` value][aem-clientlibrary] must match at least one of the given patterns.
+`netcentric-embedded-namespace` | `allowedBundleSymbolicNamePatterns` | Comma-separated list of regular expression patterns. Each embedded bundle in the package must have a `Bundle-SymbolicName` in its manifest which matches at least one of the given patterns. | 1.1.0
 
 *Due to the use of comma-separated strings it is not possible to use a comma within the regular expressions. However, as those are matched against names/paths (which don't allow a comma anyhow) using the comma inside the regular expressions shouldn't be necessary anyhow.*
 
@@ -131,4 +133,5 @@ Adobe, and AEM are either registered trademarks or trademarks of Adobe in the Un
 [filevault-package-id]: https://jackrabbit.apache.org/filevault/properties.html
 [sling-resource-type]: https://sling.apache.org/documentation/the-sling-engine/resources.html#resource-types
 [oak-authorizables]: https://jackrabbit.apache.org/oak/docs/security/user/default.html#representation-in-the-repository
+[embedded]: https://jackrabbit.apache.org/filevault-package-maven-plugin/osgi.html#bundles-and-configurations
 
diff --git a/src/it/inside-namespace/container-package/pom.xml b/src/it/inside-namespace/container-package/pom.xml
@@ -16,8 +16,23 @@
                 <artifactId>filevault-package-maven-plugin</artifactId>
                 <configuration>
                     <packageType>container</packageType>
+                    <embeddeds>
+                        <embedded>
+                            <artifactId>commons-lang3</artifactId>
+                            <filter>true</filter>
+                        </embedded>
+                    </embeddeds>
+                    <embeddedTarget>/apps/mytenant/install</embeddedTarget>
                 </configuration>
             </plugin>
         </plugins>
     </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+    </dependencies>
 </project>
diff --git a/src/it/inside-namespace/pom.xml b/src/it/inside-namespace/pom.xml
@@ -94,6 +94,11 @@
                                     <allowedTypePatterns>/apps/mytenant2/components/.*</allowedTypePatterns>
                                 </options>
                             </netcentric-resourcetype-namespace>
+                            <netcentric-embedded-namespace>
+                                <options>
+                                    <allowedBundleSymbolicNamePatterns>org.apache.commons.lang3</allowedBundleSymbolicNamePatterns>
+                                </options>
+                            </netcentric-embedded-namespace>
                         </validatorsSettings>
                     </configuration>
                     <dependencies>
diff --git a/src/it/no-config/container-package/pom.xml b/src/it/no-config/container-package/pom.xml
@@ -16,8 +16,23 @@
                 <artifactId>filevault-package-maven-plugin</artifactId>
                 <configuration>
                     <packageType>container</packageType>
+                    <embeddeds>
+                        <embedded>
+                            <artifactId>commons-lang3</artifactId>
+                            <filter>true</filter>
+                        </embedded>
+                    </embeddeds>
+                    <embeddedTarget>/apps/mytenant/install</embeddedTarget>
                 </configuration>
             </plugin>
         </plugins>
     </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+    </dependencies>
 </project>
diff --git a/src/it/outside-namespace/container-package/pom.xml b/src/it/outside-namespace/container-package/pom.xml
@@ -16,8 +16,23 @@
                 <artifactId>filevault-package-maven-plugin</artifactId>
                 <configuration>
                     <packageType>container</packageType>
+                    <embeddeds>
+                        <embedded>
+                            <artifactId>commons-lang3</artifactId>
+                            <filter>true</filter>
+                        </embedded>
+                    </embeddeds>
+                    <embeddedTarget>/apps/mytenant/install</embeddedTarget>
                 </configuration>
             </plugin>
         </plugins>
     </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+    </dependencies>
 </project>
diff --git a/src/it/outside-namespace/pom.xml b/src/it/outside-namespace/pom.xml
@@ -100,6 +100,11 @@
                                     <allowedTypePatterns>/apps/mytenant2/components/.*</allowedTypePatterns>
                                 </options>
                             </netcentric-resourcetype-namespace>
+                            <netcentric-embedded-namespace>
+                                <options>
+                                    <allowedBundleSymbolicNamePatterns>some-unused-prefix</allowedBundleSymbolicNamePatterns>
+                                </options>
+                            </netcentric-embedded-namespace>
                         </validatorsSettings>
                     </configuration>
                     <dependencies>
diff --git a/src/it/outside-namespace/verify.groovy b/src/it/outside-namespace/verify.groovy
@@ -23,10 +23,12 @@ assert buildLog.contains("""[ERROR] ValidationViolation: Filter root '/home/user
 
 // container-package
 assert buildLog.contains("""[ERROR] ValidationViolation: Filter root '/apps/mytenant/config' is not allowed (does not match any of the allowed patterns [/apps/mytenant2(/.*)?,/conf/mytenant2(/.*)?,/home/users/mytenant2(/.*)?,/oak:index/mytenant2-(.*)]) @ META-INF${File.separator}vault${File.separator}filter.xml, validator: netcentric-filter-namespace
+[ERROR] ValidationViolation: Filter root '/apps/mytenant/install/commons-lang3-3.17.0.jar' is not allowed (does not match any of the allowed patterns [/apps/mytenant2(/.*)?,/conf/mytenant2(/.*)?,/home/users/mytenant2(/.*)?,/oak:index/mytenant2-(.*)]) @ META-INF${File.separator}vault${File.separator}filter.xml, validator: netcentric-filter-namespace
 [ERROR] ValidationViolation: Package group 'biz.netcentric.filevault.validator.aem.namespace.it' is not allowed (does not match any of the group patterns [invalid-group]) @ META-INF${File.separator}vault${File.separator}properties.xml, validator: netcentric-packageid-namespace
 [ERROR] ValidationViolation: Package name 'container-package' is not allowed (does not match any of the name patterns [invalid-name]) @ META-INF${File.separator}vault${File.separator}properties.xml, validator: netcentric-packageid-namespace
 [ERROR] ValidationViolation: OSGi configuration PID 'com.example.mytenant.MyComponent2' is not allowed to be configured (does not match any of the allowed patterns [com\\.example\\.mytenant2\\..*]) @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}config${File.separator}com.example.mytenant.MyComponent2.cfg.json, validator: jackrabbit-osgiconfigparser
 [ERROR] ValidationViolation: OSGi configuration PID 'com.example.mytenant.MyComponent' is not allowed to be configured (does not match any of the allowed patterns [com\\.example\\.mytenant2\\..*]) @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}config${File.separator}com.example.mytenant.MyComponent~name.cfg.json, validator: jackrabbit-osgiconfigparser
-[ERROR] ValidationViolation: OSGi factory configuration PID 'com.example.mytenant.MyComponent' is not allowed with the given subname 'name' (does not match any of the allowed patterns [othername.*]) @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}config${File.separator}com.example.mytenant.MyComponent~name.cfg.json, validator: jackrabbit-osgiconfigparser""") : 'container-package'
+[ERROR] ValidationViolation: OSGi factory configuration PID 'com.example.mytenant.MyComponent' is not allowed with the given subname 'name' (does not match any of the allowed patterns [othername.*]) @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}config${File.separator}com.example.mytenant.MyComponent~name.cfg.json, validator: jackrabbit-osgiconfigparser
+[ERROR] ValidationViolation: Bundle-SymbolicName 'org.apache.commons.lang3' does not match any of the allowed patterns [some-unused-prefix] @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}install${File.separator}commons-lang3-3.17.0.jar, validator: netcentric-embedded-namespace""") : 'container-package'
 
 return true
diff --git a/src/main/java/biz/netcentric/filevault/validator/aem/namespace/EmbeddedNamespaceValidator.java b/src/main/java/biz/netcentric/filevault/validator/aem/namespace/EmbeddedNamespaceValidator.java
@@ -0,0 +1,106 @@
+/*-
+ * #%L
+ * AEM FileVault Content Package Namespace Validators
+ * %%
+ * Copyright (C) 2024 Cognizant Netcentric
+ * %%
+ * All rights reserved. This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ * SPDX-License-Identifier: EPL-2.0
+ * #L%
+ */
+package biz.netcentric.filevault.validator.aem.namespace;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Path;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Set;
+import java.util.Spliterators;
+import java.util.jar.JarInputStream;
+import java.util.jar.Manifest;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import java.util.stream.StreamSupport;
+
+import org.apache.jackrabbit.vault.validation.spi.GenericJcrDataValidator;
+import org.apache.jackrabbit.vault.validation.spi.ValidationMessage;
+import org.apache.jackrabbit.vault.validation.spi.ValidationMessageSeverity;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+public class EmbeddedNamespaceValidator implements GenericJcrDataValidator {
+
+    private final ValidationMessageSeverity severity;
+    private final Set<Pattern> allowedBundleSymbolicNamePatterns;
+
+    public EmbeddedNamespaceValidator(
+            ValidationMessageSeverity severity, Set<Pattern> allowedBundleSymbolicNamePatterns) {
+        super();
+        this.severity = severity;
+        this.allowedBundleSymbolicNamePatterns = allowedBundleSymbolicNamePatterns;
+    }
+
+    @Override
+    public @Nullable Collection<ValidationMessage> validateJcrData(
+            @NotNull InputStream input,
+            @NotNull Path filePath,
+            @NotNull Path basePath,
+            @NotNull Map<String, Integer> nodePathsAndLineNumbers)
+            throws IOException {
+        try (JarInputStream jarInputStream = new JarInputStream(input)) {
+            String bundleSymbolicName = getBundleSymbolicName(jarInputStream.getManifest());
+            if (bundleSymbolicName == null) {
+                return Collections.singleton(new ValidationMessage(
+                        ValidationMessageSeverity.WARN,
+                        "Either no manifest or no Bundle-SymbolicName header found in manifest. Skip evaluation!"));
+            }
+            if (allowedBundleSymbolicNamePatterns.stream()
+                    .noneMatch(pattern -> pattern.matcher(bundleSymbolicName).matches())) {
+                return Collections.singleton(new ValidationMessage(
+                        severity,
+                        String.format(
+                                "Bundle-SymbolicName '%s' does not match any of the allowed patterns [%s]",
+                                bundleSymbolicName,
+                                allowedBundleSymbolicNamePatterns.stream()
+                                        .map(Pattern::pattern)
+                                        .collect(Collectors.joining(",")))));
+            }
+        }
+        return null;
+    }
+
+    String getBundleSymbolicName(Manifest manifest) {
+        if (manifest == null) {
+            return null;
+        }
+        return manifest.getMainAttributes().getValue("Bundle-SymbolicName");
+    }
+
+    @Override
+    public boolean shouldValidateJcrData(@NotNull Path filePath, @NotNull Path basePath) {
+        return isEmbeddedBundle(filePath);
+    }
+
+    static boolean isEmbeddedBundle(@NotNull Path filePath) {
+        if (!filePath.getName(0).toString().equals("apps")) {
+            return false;
+        }
+        if (!filePath.getFileName().toString().endsWith(".jar")) {
+            return false;
+        }
+        return StreamSupport.stream(Spliterators.spliterator(filePath.iterator(), filePath.getNameCount(), 0), false)
+                .limit(5) // max depth
+                .map(Path::getFileName)
+                .map(Path::toString)
+                .anyMatch(name -> name.startsWith("install.") || name.equals("install"));
+    }
+
+    @Override
+    public @Nullable Collection<ValidationMessage> done() {
+        return null;
+    }
+}
diff --git a/src/main/java/biz/netcentric/filevault/validator/aem/namespace/EmbeddedNamespaceValidatorFactory.java b/src/main/java/biz/netcentric/filevault/validator/aem/namespace/EmbeddedNamespaceValidatorFactory.java
@@ -0,0 +1,37 @@
+/*-
+ * #%L
+ * AEM FileVault Content Package Namespace Validators
+ * %%
+ * Copyright (C) 2024 Cognizant Netcentric
+ * %%
+ * All rights reserved. This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ * SPDX-License-Identifier: EPL-2.0
+ * #L%
+ */
+package biz.netcentric.filevault.validator.aem.namespace;
+
+import java.util.Set;
+import java.util.regex.Pattern;
+
+import org.apache.jackrabbit.vault.validation.spi.ValidationContext;
+import org.apache.jackrabbit.vault.validation.spi.Validator;
+import org.apache.jackrabbit.vault.validation.spi.ValidatorFactory;
+import org.apache.jackrabbit.vault.validation.spi.ValidatorSettings;
+import org.jetbrains.annotations.NotNull;
+import org.kohsuke.MetaInfServices;
+
+@MetaInfServices(ValidatorFactory.class)
+public class EmbeddedNamespaceValidatorFactory extends AbstractPatternSettingsValidatorFactory {
+
+    public EmbeddedNamespaceValidatorFactory() {
+        super("netcentric-embedded-namespace", "allowedBundleSymbolicNamePatterns", false);
+    }
+
+    @Override
+    protected Validator createValidator(
+            @NotNull Set<Pattern> patterns, @NotNull ValidationContext context, @NotNull ValidatorSettings settings) {
+        return new EmbeddedNamespaceValidator(settings.getDefaultSeverity(), patterns);
+    }
+}
diff --git a/src/test/java/biz/netcentric/filevault/validator/aem/namespace/EmbeddedNamespaceValidatorTest.java b/src/test/java/biz/netcentric/filevault/validator/aem/namespace/EmbeddedNamespaceValidatorTest.java
@@ -0,0 +1,42 @@
+/*-
+ * #%L
+ * AEM FileVault Content Package Namespace Validators
+ * %%
+ * Copyright (C) 2024 Cognizant Netcentric
+ * %%
+ * All rights reserved. This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ * SPDX-License-Identifier: EPL-2.0
+ * #L%
+ */
+package biz.netcentric.filevault.validator.aem.namespace;
+
+import java.nio.file.Paths;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+class EmbeddedNamespaceValidatorTest {
+
+    @Test
+    void testIsEmbeddedBundle() {
+        assertTrue(EmbeddedNamespaceValidator.isEmbeddedBundle(Paths.get("apps", "myapp", "install", "mybundle.jar")));
+        // with run modes
+        assertTrue(EmbeddedNamespaceValidator.isEmbeddedBundle(
+                Paths.get("apps", "myapp", "install.author", "mybundle.jar")));
+        assertTrue(EmbeddedNamespaceValidator.isEmbeddedBundle(
+                Paths.get("apps", "myapp", "install.author.test", "mybundle.jar")));
+        // outside /apps
+        assertFalse(EmbeddedNamespaceValidator.isEmbeddedBundle(Paths.get("conf", "myapp", "install", "mybundle.jar")));
+        // at max depth
+        assertTrue(EmbeddedNamespaceValidator.isEmbeddedBundle(
+                Paths.get("apps", "myapp", "child", "child", "install", "mybundle.jar")));
+        // below max depth
+        assertFalse(EmbeddedNamespaceValidator.isEmbeddedBundle(
+                Paths.get("apps", "myapp", "child", "child", "child", "child", "install", "mybundle.jar")));
+        // no jar
+        assertFalse(EmbeddedNamespaceValidator.isEmbeddedBundle(Paths.get("apps", "myapp", "install", "mybundle.zip")));
+    }
+}
