#merge

CHANGELOG.md

@@ -9,6 +9,11 @@ The format is based on [Keep a Changelog](http://keepachangelog.com)
 <!-- Keep this up to date! After a release, change the tag name to the latest release -->
 [unreleased changes details]: https://github.com/Adobe-Consulting-Services/acs-aem-commons/compare/acs-aem-commons-4.7.2...HEAD
 
+## 5.0.0 - 2021-03-13
+
+### Changed
+- #2341 - ACS Commons fails to deploy to AEM as a Cloud Service due to inclusion of /var nodes
+
 ## 4.12.0 - 2021-03-13
 
 ### Added

RELEASING.md

@@ -59,7 +59,7 @@ if you are releasing 3.18.0, create 3.20.0 and 3.18.2.
 
 6. Ensure **Java 8** is active (Java 11 breaks on the JavaDocs build in `mvn release:perform`)
 
-7. Run the release: `mvn release:prepare` followed by `mvn release:perform`. You may need to pass `-Dgpg.passphrase=****` if your passphrase is not persisted in your `settings.xml`.  If you want to enter your passphrase manually at a prompt, add this to .bashrc or execute prior to mvn release: `export GPG_TTY=$(tty)` and you can verify it works via `echo "test" | gpg --clearsign`
+7. Run the release: `mvn release:prepare` followed by `git checkout master`. You may need to pass `-Dgpg.passphrase=****` if your passphrase is not persisted in your `settings.xml`.  If you want to enter your passphrase manually at a prompt, add this to .bashrc or execute prior to mvn release: `export GPG_TTY=$(tty)` and you can verify it works via `echo "test" | gpg --clearsign`
 
 8. Go to https://github.com/Adobe-Consulting-Services/acs-aem-commons/releases and edit the release tag, using the CHANGELOG data as the release text and attaching the content package zip files (both min and regular) to the release.
 

bundle/src/main/java/com/adobe/acs/commons/dam/AbstractRenditionModifyingProcess.java

@@ -124,7 +124,9 @@ public final void execute(WorkItem workItem, WorkflowSession workflowSession, Me
         }
 
     }
-
+
+    // False positive, file path not controlled by the user
+    @SuppressWarnings("findsecbugs:PATH_TRAVERSAL_IN")
     void saveImage(Asset asset, Rendition toReplace, Layer layer, String mimetype, double quality, WorkflowHelper workflowHelper)
             throws IOException {
         File tmpFile = File.createTempFile(getTempFileSpecifier(), "." + workflowHelper.getExtension(mimetype));

bundle/src/main/java/com/adobe/acs/commons/httpcache/util/CacheUtils.java

@@ -55,6 +55,8 @@ private CacheUtils() {
      * @param cacheKey
      * @return
      */
+    // False positive, file path not controlled by the user
+    @SuppressWarnings("findsecbugs:PATH_TRAVERSAL_IN")
     public static File createTemporaryCacheFile(CacheKey cacheKey) throws IOException {
         // Create a file in Java temp directory with cacheKey.toSting() as file name.
 

bundle/src/main/java/com/adobe/acs/commons/workflow/impl/WorkflowPackageManagerImpl.java

@@ -42,6 +42,7 @@
 import org.apache.sling.api.resource.ResourceResolver;
 import org.apache.sling.api.resource.ResourceResolverFactory;
 import org.apache.sling.commons.osgi.PropertiesUtil;
+import org.apache.sling.serviceusermapping.ServiceUserMapped;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -51,7 +52,6 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -108,6 +108,9 @@ public class WorkflowPackageManagerImpl implements WorkflowPackageManager {
     @Reference
     ResourceResolverFactory resourceResolverFactory;
 
+    @Reference(target = "("+ServiceUserMapped.SUBSERVICENAME+"="+SERVICE_NAME+")")
+    ServiceUserMapped serviceUserMapped;
+
     private String bucketPath;
 
     /**

bundle/src/test/java/com/adobe/acs/commons/marketo/impl/TestMarketoInterfaces.java

@@ -33,6 +33,7 @@
 public class TestMarketoInterfaces {
 
     @Test
+    // This test is known to fail when executed by Cloud Manager's code quality check, however works locally and in Travis
     public void testInterfaces() throws IllegalAccessException, IllegalArgumentException, InvocationTargetException {
         Object[] interfaces = new Object[] { new FormValue() {
         }, new MarketoClientConfiguration() {

ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-replication-status.config

@@ -0,0 +1,8 @@
+scripts=[
+"# these users and ACLs are only necessary on author
+create service user acs-commons-package-replication-status-event-service with path system/acs-commons
+set ACL for acs-commons-package-replication-status-event-service
+    allow jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl on /
+end
+"
+]

ui.apps/src/main/content/jcr_root/apps/acs-commons/config.publish/org.apache.sling.jcr.repoinit.RepositoryInitializer-distribution.config

@@ -0,0 +1,11 @@
+scripts=[
+"# extend rights for installing the ui.content package containing /var nodes with AEMaaCS (https://helpx.adobe.com/in/experience-manager/kb/cm/cloudmanager-deploy-fails-due-to-sling-distribution-aem.html)
+create path /var/acs-commons(nt:folder)
+
+# AEM classic does not know this system user, but creating it below system/acs-commons shouldn't do any harm
+create service user sling-distribution-importer with path system/acs-commons
+set ACL for sling-distribution-importer
+    allow jcr:read, rep:write, jcr:versionManagement, jcr:modifyAccessControl, jcr:readAccessControl, jcr:lockManagement on /var/acs-commons
+end
+"
+]

ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config

@@ -0,0 +1,30 @@
+scripts=[
+"
+# These paths must exist otherwise the following ACL applicaiton will fail, resulting in err'ing build 
+create path /content/cq:tags(sling:Folder)
+create path /etc/packages(sling:Folder)
+
+create service user acs-commons-automatic-package-replicator-service with path system/acs-commons
+set ACL for acs-commons-automatic-package-replicator-service
+    allow jcr:read,jcr:versionManagement,rep:write,crx:replicate on /etc/packages
+    allow jcr:read on /
+end
+
+create service user acs-commons-file-fetch-service with path system/acs-aem-commons
+set ACL for acs-commons-file-fetch-service
+    allow jcr:read,jcr:versionManagement,rep:write,crx:replicate on /content/dam
+    allow jcr:read on /
+end
+
+create service user acs-commons-remote-assets-service with path system/acs-aem-commons
+set ACL for acs-commons-remote-assets-service
+    allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /content/cq:tags
+    allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /content/dam, /etc/tags
+    allow jcr:read on /
+
+    # If /etc/tags is used, these ACLs be set manually - if RepoInit defines this structure, it supersedes the use of /content/cq:tags
+    # allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /etc/tags
+end
+"
+]
+

ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-ensure-oakindex.config

@@ -0,0 +1,8 @@
+scripts=[
+"
+create service user acs-commons-ensure-oak-index-service with path system/acs-commons
+set ACL for acs-commons-ensure-oak-index-service
+    allow jcr:read,rep:write,rep:indexDefinitionManagement on /oak:index
+end
+"
+]

ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-root-acls.config

@@ -0,0 +1,18 @@
+scripts=[
+"
+create service user acs-commons-dispatcher-flush-service with path system/acs-commons
+set ACL for acs-commons-dispatcher-flush-service
+    allow jcr:read,crx:replicate,jcr:removeNode on /
+end
+
+create service user acs-commons-ensure-service-user-service with path system/acs-commons
+set ACL for acs-commons-ensure-service-user-service
+    allow jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl on /
+end
+
+create service user acs-commons-on-deploy-scripts-service with path system/acs-commons
+set ACL for acs-commons-on-deploy-scripts-service
+    allow jcr:read on /
+end
+"
+]

ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config

@@ -0,0 +1,17 @@
+scripts=[
+"# these users and ACLs are only necessary on author
+create service user acs-commons-workflow-remover-service with path system/acs-commons
+# the path may not yet exist in AEMaaCS as it is created lazily
+create path /var/workflow/instances(sling:Folder)
+set ACL for acs-commons-workflow-remover-service
+    allow jcr:read, rep:write on /var/workflow/instances
+end
+
+create service user acs-commons-workflowpackagemanager-service with path system/acs-commons
+# the path may not yet exist in AEMaaCS as it is created lazily
+create path /var/workflow/packages(sling:Folder)
+set ACL for acs-commons-workflowpackagemanager-service
+    allow jcr:read on /var/workflow/packages
+end
+"
+]

ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.config

@@ -0,0 +1,24 @@
+user.mapping=[ \
+    "com.adobe.acs.acs-aem-commons-bundle:ensure-oak-index\=[acs-commons-ensure-oak-index-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:email-service\=[acs-commons-email-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:httpcache-jcr-storage-service\=[acs-commons-httpcache-jcr-storage-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:review-task-asset-mover\=[acs-commons-review-task-asset-mover-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:error-page-handler\=[acs-commons-error-page-handler-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:form-helper\=[acs-commons-form-helper-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:dispatcher-flush\=[acs-commons-dispatcher-flush-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:package-replication-status-event-listener\=[acs-commons-package-replication-status-event-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:component-error-handler\=[acs-commons-component-error-handler-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:system-notifications\=[acs-commons-system-notifications-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle-twitter:twitter-updater\=[acs-commons-twitter-updater-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:workflow-remover\=[acs-commons-workflow-remover-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:bulk-workflow\=[acs-commons-bulk-workflow-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:bulk-workflow-runner\=[workflow-process-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:ensure-service-user\=[acs-commons-ensure-service-user-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:shared-component-props\=[acs-commons-shared-component-props-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:manage-controlled-processes\=[acs-commons-manage-controlled-processes-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:automatic-package-replicator\=[acs-commons-automatic-package-replicator-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:on-deploy-scripts\=[acs-commons-on-deploy-scripts-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:remote-assets\=[acs-commons-remote-assets-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:workflowpackagemanager-service\=[acs-commons-workflowpackagemanager-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:file-fetch\=[acs-commons-file-fetch-service]" \
+]

ui.content/pom.xml

@@ -109,66 +109,6 @@
                                 <denyAllDeletes>true</denyAllDeletes>
                             </config>
                         </check>
-                        <!-- check that rep:policy nodes are actually created by the package -->
-                        <check>
-                            <name>check-expected-policy-paths</name>
-                            <template>basic/expectPaths</template>
-                            <config>
-                                <severity>minor</severity>
-                                <expectedPaths>
-                                    <path>/oak:index/rep:policy</path>
-                                    <path>/conf/rep:policy</path>
-                                    <path>/content/rep:policy</path>
-                                    <path>/content/dam/rep:policy</path>
-                                    <path>/etc/rep:policy</path>
-                                    <path>/etc/acs-commons/bulk-workflow-manager/rep:policy</path>
-                                    <path>/etc/acs-commons/notifications/rep:policy</path>
-                                    <path>/etc/acs-commons/redirect-maps/rep:policy</path>
-                                    <path>/etc/cloudservices/dtm/rep:policy</path>
-                                    <path>/etc/cloudservices/sharethis/rep:policy</path>
-                                    <path>/etc/cloudservices/typekit/rep:policy</path>
-                                    <path>/etc/notification/email/rep:policy</path>
-                                    <path>/etc/workflow/instances/rep:policy</path>
-                                    <path>/home/groups/rep:policy</path>
-                                    <path>/home/users/rep:policy</path>
-                                    <path>/var/workflow/instances/rep:policy</path>
-                                    <path>/var/acs-commons/rep:policy</path>
-                                    <path>/var/acs-commons/httpcache/rep:policy</path>
-                                    <path>/var/acs-commons/mcp/rep:policy</path>
-                                    <path>/var/acs-commons/on-deploy-scripts-status/rep:policy</path>
-                                </expectedPaths>
-                            </config>
-                        </check>
-                        <check>
-                            <name>verify-acls-on-root</name>
-                            <template>basic/expectAces</template>
-                            <!-- since the root rep:policy node will obviously exist regardless, we should be more
-                            specific for these acl entries -->
-                            <config>
-                                <expectedAces>
-                                    <expectedAce>
-                                        principal=acs-commons-ensure-oak-index-service
-                                        ;type=allow;path=/;privileges=jcr:read,rep:write,rep:indexDefinitionManagement
-                                    </expectedAce>
-                                    <expectedAce>
-                                        principal=acs-commons-dispatcher-flush-service
-                                        ;type=allow;path=/;privileges=jcr:read,crx:replicate,jcr:removeNode
-                                    </expectedAce>
-                                    <expectedAce>
-                                        principal=acs-commons-package-replication-status-event-service
-                                        ;type=allow;path=/;privileges=jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl
-                                    </expectedAce>
-                                    <expectedAce>
-                                        principal=acs-commons-ensure-service-user-service
-                                        ;type=allow;path=/;privileges=jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl
-                                    </expectedAce>
-                                    <expectedAce>
-                                        principal=acs-commons-on-deploy-scripts-service
-                                        ;type=allow;path=/;privileges=jcr:read
-                                    </expectedAce>
-                                </expectedAces>
-                            </config>
-                        </check>
                     </checks>
 
                     <!-- assume that we are installing into an instance where utility pages and configs have already

ui.content/src/main/content/META-INF/vault/filter.xml

@@ -90,8 +90,6 @@
     <filter root="/home/groups/rep:policy"/>
     <filter root="/home/users/rep:policy"/>
     <filter root="/home/users/system/acs-commons"/>
-    <filter root="/oak:index/rep:policy"/>
-    <filter root="/rep:policy"/>
     <filter root="/var/acs-commons">
         <include pattern="/var/acs-commons/rep:policy"/>
         <include pattern="/var/acs-commons/jcr:content"/>
@@ -104,6 +102,4 @@
         <include pattern="/var/acs-commons/on-deploy-scripts-status"/>
         <include pattern="/var/acs-commons/mcp"/>
     </filter>
-    <filter root="/var/workflow/instances/rep:policy"/>
-    <filter root="/var/workflow/packages/rep:policy"/>
 </workspaceFilter>