Merge pull request #36 from ktor/master

feat: company settings -> service access policies

Author: ktor

.github/workflows/build.yml

@@ -1,4 +1,4 @@
-name: Build and analyze
+name: Build and test
 on:
     push:
         branches:
@@ -7,7 +7,7 @@ on:
         types: [ opened, synchronize, reopened ]
 jobs:
     build:
-        name: Build and test
+        name: Maven clean package
         runs-on: ubuntu-latest
         steps:
             -   uses: actions/checkout@v2
@@ -33,33 +33,3 @@ jobs:
                 env:
                     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
                 run: mvn -B clean package
-    scan:
-        name: Analyze
-        runs-on: ubuntu-latest
-        steps:
-            -   uses: actions/checkout@v2
-                with:
-                    fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-            - name: Set up JDK 11
-              uses: actions/setup-java@v1
-              with:
-                  java-version: 11
-            - name: Cache Maven packages
-              uses: actions/cache@v1
-              with:
-                  path: ~/.m2
-                  key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-                  restore-keys: ${{ runner.os }}-m2
-            - name: Cache SonarCloud packages
-              uses: actions/cache@v1
-              with:
-                  path: ~/.sonar/cache
-                  key: ${{ runner.os }}-sonar
-                  restore-keys: ${{ runner.os }}-sonar
-            - name: Sonar Scan
-              env:
-                  # Needed to get some information about the pull request, if any
-                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-                  # SonarCloud access token should be generated from https://sonarcloud.io/account/security/
-                  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-              run: mvn -B verify -DskipTests org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Pcoverage

README.adoc

@@ -1,6 +1,6 @@
 = Liferay Portal DB setup core
 :liferay-version: 7.3.6
-:current-db-setup-core-version: 7.3.603
+:current-db-setup-core-version: 7.3.604
 :TOC:
 
 image:https://maven-badges.herokuapp.com/maven-central/com.ableneo.liferay/com.ableneo.liferay.db.setup.core/badge.svg?color=blue[Maven Central,link=https://search.maven.org/search?q=g:com.ableneo.liferay%20AND%20a:com.ableneo.liferay.db.setup.core]
@@ -11,11 +11,13 @@ Library that allows to setup a number of https://github.com/liferay[Liferay] art
 
 == Usage
 
-We recommend wrapping the library calls in either Liferay *upgrade process* or in a control panel app for a *reset to defaults* application.
+We recommend using Liferay's link:https://learn.liferay.com/dxp/latest/en/building-applications/data-frameworks/upgrade-processes.html[upgrade process] or control panel portlet to apply declared database changes.
 
-=== Examples
-==== Configuration
-All data definitions in examples are applied according to XML file header which defines on which company data creation should take effect and which admin user should be used for data creation.
+=== Configuration header
+All data definitions in the setup XML file are applied according to the `configuration` header. The header defines:
+
+. the link:https://learn.liferay.com/dxp/latest/en/system-administration/configuring-liferay/virtual_instances.html[virtual instance] on which the library will modify the data.
+. admin user account to be used for data modification
 
 .Automatically selected admin user
 [source, xml]
@@ -29,6 +31,7 @@ All data definitions in examples are applied according to XML file header which
         <companywebid>liferay.com</companywebid>
     </company>
   </configuration>
+</setup>
 ----
 
 .Specified admin user
@@ -44,7 +47,38 @@ All data definitions in examples are applied according to XML file header which
     </company>
   </configuration>
 ----
+=== Features
+
+==== Service Access Policy
+link:https://learn.liferay.com/dxp/latest/en/installation-and-upgrades/securing-liferay/securing-web-services/setting-service-access-policies.html#[Service access policy] is a link:https://learn.liferay.com/dxp/latest/en/installation-and-upgrades/securing-liferay/securing-web-services.html[second] from four of Liferay's API security layers. Together with _IP Permission Layer_, _Authentication and verification layer_ and _User permission layer_ is responsible for securing access to web services provided by portal instance.
+
+If you develop new link:https://learn.liferay.com/dxp/latest/en/headless-delivery/apis-with-rest-builder.html[REST Builder] REST/GraphQL endpoint's it's a common requirement to setup an access for those API's for an unauthenticated portal user- Guest which is by default forbidden.
+
+.Add new or update existing Service Access Policy by name
+[source, xml]
+----
+<company-settings>
+    <service-access-policies>
+        <service-access-policy name="MY_ACCESS_POLICY" enabled="true" unauthenticated="true">
+            <title locale="sk_SK" text="Moja pristupova politika" />
+            <allowed-service-signatures> <1>
+                com.liferay.headless.admin.user.internal.resource.v1_0.SiteResourceImpl#getSite
+            </allowed-service-signatures>
+        </service-access-policy>
+    </service-access-policies>
+</company>
+----
+<1> `allowed-service-signatures` provides the same functionality as link:https://learn.liferay.com/dxp/latest/en/installation-and-upgrades/securing-liferay/securing-web-services/setting-service-access-policies.html#creating-a-service-access-policy[_Advanced Mode_]
 
+.Delete existing Service Access Policy by name
+[source,xml]
+----
+<company-settings>
+    <service-access-policies>
+        <delete-service-access-policy name="WIZARD_GUEST_ACCESS"/>
+    </service-access-policies>
+</company-settings>
+----
 ==== Permissions
 Resource permissions.
 [source, xml]
@@ -256,6 +290,13 @@ They are probably not perfect, please let me know if anything feels wrong or inc
 
 == Changelog
 
+=== Version 7.3.604
+==== Features & bug fixes
+* added an ability to create/update/delete link:https://learn.liferay.com/dxp/latest/en/installation-and-upgrades/securing-liferay/securing-web-services/setting-service-access-policies.html[Service Access Policies]
+
+==== Refactorings & project changes
+* refactored common mock setup into a separate class
+
 === Version 7.3.603
 ==== Features & bug fixes
 * fixed setup for multiple companies/groups

pom.xml

@@ -225,10 +225,18 @@
             <plugin>
                 <groupId>com.hubspot.maven.plugins</groupId>
                 <artifactId>prettier-maven-plugin</artifactId>
-                <version>0.12</version>
+                <version>0.17</version>
                 <configuration>
+                    <prettierJavaVersion>1.6.1</prettierJavaVersion>
+                    <printWidth>120</printWidth>
+                    <useTabs>false</useTabs>
+                    <tabWidth>4</tabWidth>
                     <ignoreConfigFile>false</ignoreConfigFile>
                     <ignoreEditorConfig>false</ignoreEditorConfig>
+                    <inputGlobs>
+                        <inputGlob>src/main/java/**/*.java</inputGlob>
+                        <inputGlob>src/test/java/**/*.java</inputGlob>
+                    </inputGlobs>
                 </configuration>
             </plugin>
 

src/main/java/com/ableneo/liferay/portal/setup/LiferaySetup.java

@@ -6,6 +6,7 @@
 import com.ableneo.liferay.portal.setup.core.SetupPermissions;
 import com.ableneo.liferay.portal.setup.core.SetupPortal;
 import com.ableneo.liferay.portal.setup.core.SetupRoles;
+import com.ableneo.liferay.portal.setup.core.SetupServiceAccessPolicies;
 import com.ableneo.liferay.portal.setup.core.SetupSites;
 import com.ableneo.liferay.portal.setup.core.SetupUserGroups;
 import com.ableneo.liferay.portal.setup.core.SetupUsers;
@@ -14,6 +15,7 @@
 import com.ableneo.liferay.portal.setup.domain.CustomFields;
 import com.ableneo.liferay.portal.setup.domain.ObjectsToBeDeleted;
 import com.ableneo.liferay.portal.setup.domain.Organization;
+import com.ableneo.liferay.portal.setup.domain.ServiceAccessPolicies;
 import com.ableneo.liferay.portal.setup.domain.Setup;
 import com.ableneo.liferay.portal.setup.domain.Site;
 import com.liferay.portal.kernel.exception.PortalException;
@@ -120,6 +122,15 @@ public static boolean setup(final Setup setup, Bundle callerBundle) {
                     SetupConfigurationThreadLocal.configureThreadLocalContent(runAsUserEmail, companyId, callerBundle);
                     executeSetupConfiguration(setup);
 
+                    // setup company settings
+                    if (setup.getCompanySettings() != null) {
+                        // setup service access policies
+                        final ServiceAccessPolicies serviceAccessPolicies = setup.getCompanySettings().getServiceAccessPolicies();
+                        if (serviceAccessPolicies != null) {
+                            SetupServiceAccessPolicies.setupServiceAccessPolicies(serviceAccessPolicies);
+                        }
+                    }
+
                     // iterate over group names or choose GUEST group for the company
                     if (company.getGroupName().isEmpty()) {
                         company.getGroupName().add(GroupConstants.GUEST);

src/main/java/com/ableneo/liferay/portal/setup/core/AbstractSetup.java

@@ -0,0 +1,6 @@
+package com.ableneo.liferay.portal.setup.core;
+
+public abstract class AbstractSetup {
+
+    private AbstractSetup() {}
+}

src/main/java/com/ableneo/liferay/portal/setup/core/SetupServiceAccessPolicies.java

@@ -0,0 +1,118 @@
+package com.ableneo.liferay.portal.setup.core;
+
+import com.ableneo.liferay.portal.setup.SetupConfigurationThreadLocal;
+import com.ableneo.liferay.portal.setup.domain.DeleteServiceAccessPolicy;
+import com.ableneo.liferay.portal.setup.domain.ServiceAccessPolicies;
+import com.ableneo.liferay.portal.setup.domain.ServiceAccessPolicy;
+import com.liferay.portal.kernel.exception.PortalException;
+import com.liferay.portal.kernel.service.ServiceContext;
+import com.liferay.portal.kernel.util.LocaleUtil;
+import com.liferay.portal.security.service.access.policy.exception.NoSuchEntryException;
+import com.liferay.portal.security.service.access.policy.model.SAPEntry;
+import com.liferay.portal.security.service.access.policy.service.SAPEntryLocalServiceUtil;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SetupServiceAccessPolicies {
+
+    private static final Logger LOG = LoggerFactory.getLogger(SetupCategorization.class);
+
+    public static void setupServiceAccessPolicies(ServiceAccessPolicies serviceAccessPolicies) {
+        final List<ServiceAccessPolicy> serviceAccessPolicyList = serviceAccessPolicies.getServiceAccessPolicy();
+
+        final Long runInCompanyId = SetupConfigurationThreadLocal.getRunInCompanyId();
+        serviceAccessPolicyList.forEach(serviceAccessPolicyConfiguration -> {
+            Map<Locale, String> titleMap = new HashMap<>();
+            serviceAccessPolicyConfiguration
+                .getTitle()
+                .forEach(title -> {
+                    titleMap.put(LocaleUtil.fromLanguageId(title.getLocale()), title.getText());
+                });
+
+            SAPEntry sapEntry = getSapEntry(runInCompanyId, serviceAccessPolicyConfiguration.getName());
+
+            if (sapEntry == null) {
+                addSAPEntry(serviceAccessPolicyConfiguration, titleMap);
+            } else {
+                sapEntry.setEnabled(serviceAccessPolicyConfiguration.isEnabled());
+                sapEntry.setDefaultSAPEntry(serviceAccessPolicyConfiguration.isUnauthenticated());
+                sapEntry.setAllowedServiceSignatures(serviceAccessPolicyConfiguration.getAllowedServiceSignatures());
+                if (!titleMap.isEmpty()) {
+                    sapEntry.setTitleMap(titleMap);
+                }
+                updateSAPEntry(sapEntry);
+            }
+        });
+
+        final List<DeleteServiceAccessPolicy> deleteServiceAccessPolicyList = serviceAccessPolicies.getDeleteServiceAccessPolicy();
+        deleteServiceAccessPolicyList.forEach(deleteServiceAccessPolicy -> {
+            final SAPEntry sapEntry = getSapEntry(runInCompanyId, deleteServiceAccessPolicy.getName());
+            if (sapEntry != null) {
+                deleteSAPEntry(sapEntry);
+            } else {
+                LOG.warn("Tried to delete SAP Entry {} in company {} but the entry haven't been found.", deleteServiceAccessPolicy.getName(), runInCompanyId);
+            }
+        });
+    }
+
+    private static void deleteSAPEntry(SAPEntry sapEntry) {
+        try {
+            SAPEntryLocalServiceUtil.deleteSAPEntry(sapEntry);
+        } catch (PortalException e) {
+            LOG.error(
+                "Unexpected exception when trying to delete SAP Entry {} in company {}",
+                sapEntry.getName(),
+                sapEntry.getCompanyId(),
+                e
+            );
+        }
+    }
+
+    protected static void updateSAPEntry(SAPEntry sapEntry) {
+        SAPEntryLocalServiceUtil.updateSAPEntry(sapEntry);
+    }
+
+    protected static void addSAPEntry(
+        ServiceAccessPolicy serviceAccessPolicyConfiguration,
+        Map<Locale, String> titleMap
+    ) {
+        final ServiceContext serviceContext = new ServiceContext();
+        serviceContext.setCompanyId(SetupConfigurationThreadLocal.getRunInCompanyId());
+        final Long runAsUserId = SetupConfigurationThreadLocal.getRunAsUserId();
+        try {
+            SAPEntryLocalServiceUtil.addSAPEntry(
+                runAsUserId,
+                serviceAccessPolicyConfiguration.getAllowedServiceSignatures(),
+                serviceAccessPolicyConfiguration.isUnauthenticated(),
+                serviceAccessPolicyConfiguration.isEnabled(),
+                serviceAccessPolicyConfiguration.getName(),
+                titleMap,
+                serviceContext
+            );
+        } catch (PortalException e) {
+            LOG.error(
+                "Unexpected exception trying to add SAP Entry {} to company {} with a user {}",
+                serviceAccessPolicyConfiguration.getName(),
+                serviceContext.getCompanyId(),
+                runAsUserId,
+                e
+            );
+        }
+    }
+
+    protected static SAPEntry getSapEntry(Long companyId, String name) {
+        try {
+            return SAPEntryLocalServiceUtil.getSAPEntry(companyId, name);
+        } catch (NoSuchEntryException e) {
+            LOG.debug("SAP Entry {} not found in company {}", name, companyId);
+        } catch (PortalException e) {
+            LOG.error("Unexpected exception when trying to fetch SAP Entry {} from company {}", name, companyId);
+        }
+
+        return null;
+    }
+}