JCRVLT-486 introduce new configuration property "validNameSpaces" allowing to configure list of allowed namespaces in the format: prefix1=ns-uri1,prefix2=nsuri2,...
stefanseifert committed Dec 3, 2020
1 parent 2d62076 commit 8852632
Showing 3 changed files with 87 additions and 1 deletion.
2 changes: 1 addition & 1 deletion vault-doc/src/site/markdown/validation.md
Expand Up @@ -55,7 +55,7 @@ ID | Description | Options
`jackrabbit-mergelimitations` | Checks for the limitation of import mode=merge outlined at [JCRVLT-255][jcrvlt-255]. | none
`jackrabbit-oakindex` | Checks if the package (potentially) modifies/creates an OakIndexDefinition. This is done by evaluating both the filter.xml for potential matches as well as the actual content for nodes with jcr:primaryType `oak:indexDefinition`. | none
`jackrabbit-packagetype` | Checks if the package type is correctly set for this package, i.e. is compliant with all rules outlined at [JCRVLT-170][jcrvlt-170]. | *jcrInstallerNodePathRegex*: the regex of the node paths which all OSGi bundles and configurations within packages must match ([JCR Installer](https://sling.apache.org/documentation/bundles/jcr-installer-provider.html)) (default=`/([^/]*/){0,4}?(install|config)(\\.[^/]*)*/(\\d{1,3}/)?.+?\\.`).<br/>*additionalJcrInstallerFileNodePathRegex*: the regex of all file node paths which all OSGi bundles and configurations within packages must match. This must match in addition to the regex from `jcrInstallerNodePathRegex` (default=`.+?\\.(jar|config|cfg|cfg\\.json)`).<br/>*legacyTypeSeverity*: the severity of the validation message for package type `mixed` (default = `warn`).<br/>*noTypeSeverity*: the severity of the validation message when package type is not set at all (default = `warn`).<br/>*prohibitMutableContent*: boolean flag determining whether package type `content` or `mixed` (mutable content) leads to a validation message with severity error (default = `false`). Useful when used with [Oak Composite NodeStore](https://jackrabbit.apache.org/oak/docs/nodestore/compositens.html).<br/>*prohibitImmutableContent*: boolean flag determining whether package type `app`, `container` or `mixed` (immutable content) leads to a validation message with severity error (default = `false`). Useful when used with [Oak Composite NodeStore](https://jackrabbit.apache.org/oak/docs/nodestore/compositens.html).<br/>*allowComplexFilterRulesInApplicationPackages*: boolean flag determining whether complex rules (containing includes/excludes) are allowed in application content packages (default = `false`)
`jackrabbit-nodetypes` | Checks if all non empty elements within [DocView files](docview.html) have the mandatory property `jcr:primaryType` set and follow the [node type definition of their given type](https://jackrabbit.apache.org/jcr/node-types.html). | *cnds*: A URI pointing to one or multiple [CNDs](https://jackrabbit.apache.org/jcr/node-type-notation.html) (separated by `,`) which define the additional namespaces and nodetypes used apart from the [default ones defined in JCR 2.0](https://docs.adobe.com/docs/en/spec/jcr/2.0/3_Repository_Model.html#3.7.11%20Standard%20Application%20Node%20Types). If a URI is pointing to a JAR, the validator will leverage all the nodetypes being mentioned in the [`Sling-Nodetypes` manifest header](https://sling.apache.org/documentation/bundles/content-loading-jcr-contentloader.html#declared-node-type-registration). Apart from the [standard protocols](https://docs.oracle.com/javase/7/docs/api/java/net/URL.html#URL(java.lang.String,%20java.lang.String,%20int,%20java.lang.String)) the scheme `tccl` can be used to reference names from the [Thread's context class loader](https://docs.oracle.com/javase/7/docs/api/java/lang/Thread.html#getContextClassLoader()). In the Maven plugin context this is the [plugin classloader](http://maven.apache.org/guides/mini/guide-maven-classloading.html?ref=driverlayer.com/web#3-plugin-classloaders).<br/>*defaultNodeType*: the node type in expanded or qualified form which is used for unknown ancestor nodes which are not given otherwise (default = `nt:folder`). *Note* **Using the default is pretty conservative but the safest approach. It may lead to a lot of issues as `nt:folder` is heavily restricted. In general you cannot know with which type the parent node already exists in the resource and FileVault itself for a long time created `nt:folder` nodes as [intermediates](filter.html#Uncovered_ancestor_nodes) so this is the safest option. 
If you are sure that the intermediate node types are of the correct type, you should uise a type with no restrictions (`nt:unstructured`)**.<br/>*severityForUnknownNodetypes*: The severity of issues being emitted due to an unknown primary/mixin type set on a node (default = `WARN`).
`jackrabbit-nodetypes` | Checks if all non empty elements within [DocView files](docview.html) have the mandatory property `jcr:primaryType` set and follow the [node type definition of their given type](https://jackrabbit.apache.org/jcr/node-types.html). | *cnds*: A URI pointing to one or multiple [CNDs](https://jackrabbit.apache.org/jcr/node-type-notation.html) (separated by `,`) which define the additional namespaces and nodetypes used apart from the [default ones defined in JCR 2.0](https://docs.adobe.com/docs/en/spec/jcr/2.0/3_Repository_Model.html#3.7.11%20Standard%20Application%20Node%20Types). If a URI is pointing to a JAR, the validator will leverage all the nodetypes being mentioned in the [`Sling-Nodetypes` manifest header](https://sling.apache.org/documentation/bundles/content-loading-jcr-contentloader.html#declared-node-type-registration). Apart from the [standard protocols](https://docs.oracle.com/javase/7/docs/api/java/net/URL.html#URL(java.lang.String,%20java.lang.String,%20int,%20java.lang.String)) the scheme `tccl` can be used to reference names from the [Thread's context class loader](https://docs.oracle.com/javase/7/docs/api/java/lang/Thread.html#getContextClassLoader()). In the Maven plugin context this is the [plugin classloader](http://maven.apache.org/guides/mini/guide-maven-classloading.html?ref=driverlayer.com/web#3-plugin-classloaders).<br/>*defaultNodeType*: the node type in expanded or qualified form which is used for unknown ancestor nodes which are not given otherwise (default = `nt:folder`). *Note* **Using the default is pretty conservative but the safest approach. It may lead to a lot of issues as `nt:folder` is heavily restricted. In general you cannot know with which type the parent node already exists in the resource and FileVault itself for a long time created `nt:folder` nodes as [intermediates](filter.html#Uncovered_ancestor_nodes) so this is the safest option. 
If you are sure that the intermediate node types are of the correct type, you should uise a type with no restrictions (`nt:unstructured`)**.<br/>*severityForUnknownNodetypes*: The severity of issues being emitted due to an unknown primary/mixin type set on a node (default = `WARN`).<br/>*validNameSpaces*: Configure list of namespaces that are known to be valid. Syntax: `prefix1=http://uri1,prefix2=http://uri2,...`.
`jackrabbit-accesscontrol` | Checks that [access control list nodes (primary type `rep:ACL`, `rep:CugPolicy` and `rep:PrincipalPolicy`)](https://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html#Representation_in_the_Repository) are only used when the [package property's](./properties.html) `acHandling` is set to something but `ignore` or `clear`. | none

### Custom Validators
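Review bot: the `validNameSpaces` text added to the `jackrabbit-nodetypes` options cell documents only the syntax. It does not say that these namespaces are accepted in addition to the ones defined in the CNDs, nor that entries not matching `prefix=uri` are dropped without any message, which is what the parser and its test in this commit do. Suggest stating both in the description. The changed row also still carries the typo "uise" ("you should uise a type with no restrictions"), which is worth fixing while the line is being touched.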
Expand Up @@ -22,8 +22,14 @@
import java.net.JarURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.jar.Manifest;

import javax.jcr.RepositoryException;
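Review bot: the import block grows from 8 to 14 lines, but the code added in the other hunks of this commit only uses `Collections`, `HashMap` and `Map`. Nothing visible references `java.util.Arrays`, `java.util.HashSet` or `java.util.Set`; if those are among the new imports, drop them.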
Expand All @@ -50,6 +56,8 @@ public class NodeTypeValidatorFactory implements ValidatorFactory {
/** The default node type to assume if no other node type is given */
public static final String OPTION_DEFAULT_NODE_TYPES = "defaultNodeType";
public static final String OPTION_SEVERITY_FOR_UNKNOWN_NODETYPES = "severityForUnknownNodetypes";
/** Comma-separated list of name spaces that are known as valid (even if not defined in the CND files). Use syntax "prefix1=ns-uri1,prefix2=nsuri2,...". */
public static final String OPTION_VALID_NAMESPACES = "validNameSpaces";

static final @NotNull String DEFAULT_DEFAULT_NODE_TYPE = JcrConstants.NT_FOLDER;

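Review bot: the option key `"validNameSpaces"` camel-cases "NameSpaces", while the constant `OPTION_VALID_NAMESPACES`, the method `parseNamespaces` and the documentation prose all treat "namespaces" as one word. The key is user-facing configuration and hard to rename later, so consider `validNamespaces` before this ships. The Javadoc example is also inconsistent (`prefix1=ns-uri1,prefix2=nsuri2`); use `ns-uri2`, and mention there that malformed entries are ignored.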
Expand Down Expand Up @@ -82,6 +90,14 @@ public class NodeTypeValidatorFactory implements ValidatorFactory {
severityForUnknownNodetypes = DEFAULT_SEVERITY_FOR_UNKNOWN_NODETYPE;
}

Map<String,String> validNameSpaces;
if (settings.getOptions().containsKey(OPTION_VALID_NAMESPACES)) {
validNameSpaces = parseNamespaces(settings.getOptions().get(OPTION_VALID_NAMESPACES));
}
else {
validNameSpaces = Collections.emptyMap();
}

try {
NodeTypeManagerProvider ntManagerProvider = null;
ntManagerProvider = new NodeTypeManagerProvider();
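Review bot: in the new `validNameSpaces` block, an option value that contains only malformed entries produces the same empty map as an absent option, so a misconfiguration is indistinguishable from "not configured" at this point; consider rejecting a present option that parses to nothing. Style: `else` on its own line after `}` differs from the `} catch (` form used later in this method, and `containsKey` followed by `get` can be a single `get` with a null check.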
Expand All @@ -93,6 +109,9 @@ public class NodeTypeValidatorFactory implements ValidatorFactory {
throw new IllegalArgumentException("Error loading node types from CND at " + cndUrl, e);
}
}
for (Map.Entry<String, String> entry : validNameSpaces.entrySet()) {
ntManagerProvider.registerNamespace(entry.getKey(), entry.getValue());
}
return new NodeTypeValidator(context.getFilter(), ntManagerProvider, ntManagerProvider.getNameResolver().getQName(defaultNodeType), settings.getDefaultSeverity(),
severityForUnknownNodetypes);
} catch (IOException | RepositoryException | ParseException e) {
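Review bot: the `registerNamespace` loop runs after the CNDs are loaded and has no handling for a configured prefix or URI that clashes with one a CND already defined. If the call fails, the error ends up in the generic `catch (IOException | RepositoryException | ParseException e)` and the user is not told which `validNameSpaces` entry caused it. Suggest wrapping the call and throwing an `IllegalArgumentException` that names `entry.getKey()` and `entry.getValue()`, the same way the CND loop above reports `cndUrl`.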
Expand Down Expand Up @@ -134,6 +153,18 @@ static List<String> resolveJarUrls(String... urls) {
return resolvedUrls;
}

static Map<String,String> parseNamespaces(String optionValue) {
Map<String,String> result = new HashMap<>();
String[] namespaces = optionValue.split("\\s*,\\s*");
for (String namespace : namespaces) {
String[] namespaceParts = namespace.split("\\s*=\\s*");
if (namespaceParts.length == 2 && StringUtils.isNoneBlank(namespaceParts[0], namespaceParts[1])) {
result.put(namespaceParts[0], namespaceParts[1]);
}
}
return result;
}

@Override
public boolean shouldValidateSubpackages() {
return false;
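Review bot: `parseNamespaces` never trims `optionValue` itself, so whitespace before the first entry or after the last one survives: `split("\\s*,\\s*")` only strips around commas, and a value starting with a newline and indentation (usual for a multi-line element in a POM) yields a prefix with leading whitespace that passes `isNoneBlank` and is registered as is. Trim the whole value, or each part, before the check. In addition, `namespace.split("\\s*=\\s*")` has no limit, so a URI that itself contains `=` gives more than two parts and the entry is discarded; use `split("\\s*=\\s*", 2)`. Since invalid entries are skipped silently, at least log them, otherwise a typo in the option only shows up later as an unrelated validation message about an unknown namespace.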
@@ -0,0 +1,55 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.jackrabbit.vault.validation.spi.impl.nodetype;

import static org.junit.Assert.assertEquals;

import java.util.HashMap;
import java.util.Map;

import org.junit.Test;

public class NodeTypeValidatorFactoryTest {

@Test
public void testParseNamespaces() {
String optionValue = "ns1=http://uri1,\n"
+ " ns2 = http://uri2,ns3=http://uri3";
Map<String,String> actual = NodeTypeValidatorFactory.parseNamespaces(optionValue);

Map<String,String> expected = new HashMap<>();
expected.put("ns1", "http://uri1");
expected.put("ns2", "http://uri2");
expected.put("ns3", "http://uri3");
assertEquals(expected, actual);
}

@Test
public void testParseNamespacesMixedInvalid() {
String optionValue = "ns1=http://uri1,\n"
+ " abc,def=\n,"
+ "=http://xyz";
Map<String,String> actual = NodeTypeValidatorFactory.parseNamespaces(optionValue);

Map<String,String> expected = new HashMap<>();
expected.put("ns1", "http://uri1");
assertEquals(expected, actual);
}

}
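Review bot: both tests start `optionValue` directly with `ns1=` and end it on a non-blank character, so the leading and trailing whitespace case is not covered, although `testParseNamespaces` already exercises whitespace between entries. Add cases for a value that begins or ends with a newline and spaces, a URI containing `=`, a prefix listed twice, and an empty string, and assert the exact keys so that untrimmed prefixes are caught.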
