Add validator for embedded bundles

This closes #5

Author: kwin

README.md

@@ -19,6 +19,7 @@ There are several validators included in this artifact, all relate to namespacin
 1. [OSGi Configuration][osgi-installer-configurations]
 1. [Sling Resource Type and Resource Super Type][sling-resource-type] (`sling:resourceType` and `sling:resourceSuperType` properties)
 1. [AEM Client Library][aem-clientlibrary] (`categories` property)
+1. [Embedded Bundles][embedded] (the `Bundle-SymbolicName` of embedded bundles)
 
 Namespacing has been explicitly mentioned in [Achim Koch's Blog: Hosting Multiple Tenants on AEM](https://blog.developer.adobe.com/hosting-multiple-tenants-on-aem-815c8ed0c9f9) but obviously namespacing is just one of multiple aspects to consider for multi-tenant AEM environments.
 
@@ -48,6 +49,7 @@ Validator ID | Option | Description
 `netcentric-resourcetype-namespace` | `allowedTypePatterns` | Comma-separated list of regular expression patterns. Each `sling:resourceType` property of arbitrary JCR nodes must match at least one of the given patterns.
 `netcentric-resourcetype-namespace` | `allowedSuperTypePatterns` | Comma-separated list of regular expression patterns. Each `sling:resourceSuperType` property of arbitrary JCR nodes must match at least one of the given patterns.
 `netcentric-clientlibrary-namespace` | `allowedCategoryPatterns` | Comma-separated list of regular expression patterns. Each [client library's `categories` value][aem-clientlibrary] must match at least one of the given patterns.
+`netcentric-embedded-namespace` | `allowedBundleSymbolicNamePatterns` | Comma-separated list of regular expression patterns. Each embedded bundle in the package must have a `Bundle-SymbolicName` in its manifest which matches at least one of the given patterns.
 
 *Due to the use of comma-separated strings it is not possible to use a comma within the regular expressions. However, as those are matched against names/paths (which don't allow a comma anyhow) using the comma inside the regular expressions shouldn't be necessary anyhow.*
 
@@ -131,4 +133,5 @@ Adobe, and AEM are either registered trademarks or trademarks of Adobe in the Un
 [filevault-package-id]: https://jackrabbit.apache.org/filevault/properties.html
 [sling-resource-type]: https://sling.apache.org/documentation/the-sling-engine/resources.html#resource-types
 [oak-authorizables]: https://jackrabbit.apache.org/oak/docs/security/user/default.html#representation-in-the-repository
+[embedded]: https://jackrabbit.apache.org/filevault-package-maven-plugin/osgi.html#bundles-and-configurations
 

src/it/inside-namespace/container-package/pom.xml

@@ -16,8 +16,23 @@
                 <artifactId>filevault-package-maven-plugin</artifactId>
                 <configuration>
                     <packageType>container</packageType>
+                    <embeddeds>
+                        <embedded>
+                            <artifactId>commons-lang3</artifactId>
+                            <filter>true</filter>
+                        </embedded>
+                    </embeddeds>
+                    <embeddedTarget>/apps/mytenant/install</embeddedTarget>
                 </configuration>
             </plugin>
         </plugins>
     </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+    </dependencies>
 </project>

src/it/inside-namespace/pom.xml

@@ -94,6 +94,11 @@
                                     <allowedTypePatterns>/apps/mytenant2/components/.*</allowedTypePatterns>
                                 </options>
                             </netcentric-resourcetype-namespace>
+                            <netcentric-embedded-namespace>
+                                <options>
+                                    <allowedBundleSymbolicNamePatterns>org.apache.commons.lang3</allowedBundleSymbolicNamePatterns>
+                                </options>
+                            </netcentric-embedded-namespace>
                         </validatorsSettings>
                     </configuration>
                     <dependencies>

src/it/no-config/container-package/pom.xml

@@ -16,8 +16,23 @@
                 <artifactId>filevault-package-maven-plugin</artifactId>
                 <configuration>
                     <packageType>container</packageType>
+                    <embeddeds>
+                        <embedded>
+                            <artifactId>commons-lang3</artifactId>
+                            <filter>true</filter>
+                        </embedded>
+                    </embeddeds>
+                    <embeddedTarget>/apps/mytenant/install</embeddedTarget>
                 </configuration>
             </plugin>
         </plugins>
     </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+    </dependencies>
 </project>

src/it/outside-namespace/container-package/pom.xml

@@ -16,8 +16,23 @@
                 <artifactId>filevault-package-maven-plugin</artifactId>
                 <configuration>
                     <packageType>container</packageType>
+                    <embeddeds>
+                        <embedded>
+                            <artifactId>commons-lang3</artifactId>
+                            <filter>true</filter>
+                        </embedded>
+                    </embeddeds>
+                    <embeddedTarget>/apps/mytenant/install</embeddedTarget>
                 </configuration>
             </plugin>
         </plugins>
     </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+    </dependencies>
 </project>

src/it/outside-namespace/pom.xml

@@ -100,6 +100,11 @@
                                     <allowedTypePatterns>/apps/mytenant2/components/.*</allowedTypePatterns>
                                 </options>
                             </netcentric-resourcetype-namespace>
+                            <netcentric-embedded-namespace>
+                                <options>
+                                    <allowedBundleSymbolicNamePatterns>some-unused-prefix</allowedBundleSymbolicNamePatterns>
+                                </options>
+                            </netcentric-embedded-namespace>
                         </validatorsSettings>
                     </configuration>
                     <dependencies>

src/it/outside-namespace/verify.groovy

@@ -23,10 +23,12 @@ assert buildLog.contains("""[ERROR] ValidationViolation: Filter root '/home/user
 
 // container-package
 assert buildLog.contains("""[ERROR] ValidationViolation: Filter root '/apps/mytenant/config' is not allowed (does not match any of the allowed patterns [/apps/mytenant2(/.*)?,/conf/mytenant2(/.*)?,/home/users/mytenant2(/.*)?,/oak:index/mytenant2-(.*)]) @ META-INF${File.separator}vault${File.separator}filter.xml, validator: netcentric-filter-namespace
+[ERROR] ValidationViolation: Filter root '/apps/mytenant/install/commons-lang3-3.17.0.jar' is not allowed (does not match any of the allowed patterns [/apps/mytenant2(/.*)?,/conf/mytenant2(/.*)?,/home/users/mytenant2(/.*)?,/oak:index/mytenant2-(.*)]) @ META-INF${File.separator}vault${File.separator}filter.xml, validator: netcentric-filter-namespace
 [ERROR] ValidationViolation: Package group 'biz.netcentric.filevault.validator.aem.namespace.it' is not allowed (does not match any of the group patterns [invalid-group]) @ META-INF${File.separator}vault${File.separator}properties.xml, validator: netcentric-packageid-namespace
 [ERROR] ValidationViolation: Package name 'container-package' is not allowed (does not match any of the name patterns [invalid-name]) @ META-INF${File.separator}vault${File.separator}properties.xml, validator: netcentric-packageid-namespace
 [ERROR] ValidationViolation: OSGi configuration PID 'com.example.mytenant.MyComponent2' is not allowed to be configured (does not match any of the allowed patterns [com\\.example\\.mytenant2\\..*]) @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}config${File.separator}com.example.mytenant.MyComponent2.cfg.json, validator: jackrabbit-osgiconfigparser
 [ERROR] ValidationViolation: OSGi configuration PID 'com.example.mytenant.MyComponent' is not allowed to be configured (does not match any of the allowed patterns [com\\.example\\.mytenant2\\..*]) @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}config${File.separator}com.example.mytenant.MyComponent~name.cfg.json, validator: jackrabbit-osgiconfigparser
-[ERROR] ValidationViolation: OSGi factory configuration PID 'com.example.mytenant.MyComponent' is not allowed with the given subname 'name' (does not match any of the allowed patterns [othername.*]) @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}config${File.separator}com.example.mytenant.MyComponent~name.cfg.json, validator: jackrabbit-osgiconfigparser""") : 'container-package'
+[ERROR] ValidationViolation: OSGi factory configuration PID 'com.example.mytenant.MyComponent' is not allowed with the given subname 'name' (does not match any of the allowed patterns [othername.*]) @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}config${File.separator}com.example.mytenant.MyComponent~name.cfg.json, validator: jackrabbit-osgiconfigparser
+[ERROR] ValidationViolation: Bundle-SymbolicName 'org.apache.commons.lang3' does not match any of the allowed patterns [some-unused-prefix] @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}install${File.separator}commons-lang3-3.17.0.jar, validator: netcentric-embedded-namespace""") : 'container-package'
 
 return true

src/main/java/biz/netcentric/filevault/validator/aem/namespace/EmbeddedNamespaceValidator.java

@@ -0,0 +1,106 @@
+/*-
+ * #%L
+ * AEM FileVault Content Package Namespace Validators
+ * %%
+ * Copyright (C) 2024 Cognizant Netcentric
+ * %%
+ * All rights reserved. This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ * SPDX-License-Identifier: EPL-2.0
+ * #L%
+ */
+package biz.netcentric.filevault.validator.aem.namespace;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Path;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Set;
+import java.util.Spliterators;
+import java.util.jar.JarInputStream;
+import java.util.jar.Manifest;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import java.util.stream.StreamSupport;
+
+import org.apache.jackrabbit.vault.validation.spi.GenericJcrDataValidator;
+import org.apache.jackrabbit.vault.validation.spi.ValidationMessage;
+import org.apache.jackrabbit.vault.validation.spi.ValidationMessageSeverity;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+public class EmbeddedNamespaceValidator implements GenericJcrDataValidator {
+
+    private final ValidationMessageSeverity severity;
+    private final Set<Pattern> allowedBundleSymbolicNamePatterns;
+
+    public EmbeddedNamespaceValidator(
+            ValidationMessageSeverity severity, Set<Pattern> allowedBundleSymbolicNamePatterns) {
+        super();
+        this.severity = severity;
+        this.allowedBundleSymbolicNamePatterns = allowedBundleSymbolicNamePatterns;
+    }
+
+    @Override
+    public @Nullable Collection<ValidationMessage> validateJcrData(
+            @NotNull InputStream input,
+            @NotNull Path filePath,
+            @NotNull Path basePath,
+            @NotNull Map<String, Integer> nodePathsAndLineNumbers)
+            throws IOException {
+        try (JarInputStream jarInputStream = new JarInputStream(input)) {
+            String bundleSymbolicName = getBundleSymbolicName(jarInputStream.getManifest());
+            if (bundleSymbolicName == null) {
+                return Collections.singleton(new ValidationMessage(
+                        ValidationMessageSeverity.WARN,
+                        "Either no manifest or no Bundle-SymbolicName header found in manifest. Skip evaluation!"));
+            }
+            if (allowedBundleSymbolicNamePatterns.stream()
+                    .noneMatch(pattern -> pattern.matcher(bundleSymbolicName).matches())) {
+                return Collections.singleton(new ValidationMessage(
+                        severity,
+                        String.format(
+                                "Bundle-SymbolicName '%s' does not match any of the allowed patterns [%s]",
+                                bundleSymbolicName,
+                                allowedBundleSymbolicNamePatterns.stream()
+                                        .map(Pattern::pattern)
+                                        .collect(Collectors.joining(",")))));
+            }
+        }
+        return null;
+    }
+
+    String getBundleSymbolicName(Manifest manifest) {
+        if (manifest == null) {
+            return null;
+        }
+        return manifest.getMainAttributes().getValue("Bundle-SymbolicName");
+    }
+
+    @Override
+    public boolean shouldValidateJcrData(@NotNull Path filePath, @NotNull Path basePath) {
+        return isEmbeddedBundle(filePath);
+    }
+
+    static boolean isEmbeddedBundle(@NotNull Path filePath) {
+        if (!filePath.getName(0).toString().equals("apps")) {
+            return false;
+        }
+        if (!filePath.getFileName().toString().endsWith(".jar")) {
+            return false;
+        }
+        return StreamSupport.stream(Spliterators.spliterator(filePath.iterator(), filePath.getNameCount(), 0), false)
+                .limit(5) // max depth
+                .map(Path::getFileName)
+                .map(Path::toString)
+                .anyMatch(name -> name.startsWith("install.") || name.equals("install"));
+    }
+
+    @Override
+    public @Nullable Collection<ValidationMessage> done() {
+        return null;
+    }
+}

src/main/java/biz/netcentric/filevault/validator/aem/namespace/EmbeddedNamespaceValidatorFactory.java

@@ -0,0 +1,37 @@
+/*-
+ * #%L
+ * AEM FileVault Content Package Namespace Validators
+ * %%
+ * Copyright (C) 2024 Cognizant Netcentric
+ * %%
+ * All rights reserved. This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ * SPDX-License-Identifier: EPL-2.0
+ * #L%
+ */
+package biz.netcentric.filevault.validator.aem.namespace;
+
+import java.util.Set;
+import java.util.regex.Pattern;
+
+import org.apache.jackrabbit.vault.validation.spi.ValidationContext;
+import org.apache.jackrabbit.vault.validation.spi.Validator;
+import org.apache.jackrabbit.vault.validation.spi.ValidatorFactory;
+import org.apache.jackrabbit.vault.validation.spi.ValidatorSettings;
+import org.jetbrains.annotations.NotNull;
+import org.kohsuke.MetaInfServices;
+
+@MetaInfServices(ValidatorFactory.class)
+public class EmbeddedNamespaceValidatorFactory extends AbstractPatternSettingsValidatorFactory {
+
+    public EmbeddedNamespaceValidatorFactory() {
+        super("netcentric-embedded-namespace", "allowedBundleSymbolicNamePatterns", false);
+    }
+
+    @Override
+    protected Validator createValidator(
+            @NotNull Set<Pattern> patterns, @NotNull ValidationContext context, @NotNull ValidatorSettings settings) {
+        return new EmbeddedNamespaceValidator(settings.getDefaultSeverity(), patterns);
+    }
+}

src/test/java/biz/netcentric/filevault/validator/aem/namespace/EmbeddedNamespaceValidatorTest.java

@@ -0,0 +1,42 @@
+/*-
+ * #%L
+ * AEM FileVault Content Package Namespace Validators
+ * %%
+ * Copyright (C) 2024 Cognizant Netcentric
+ * %%
+ * All rights reserved. This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ * SPDX-License-Identifier: EPL-2.0
+ * #L%
+ */
+package biz.netcentric.filevault.validator.aem.namespace;
+
+import java.nio.file.Paths;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+class EmbeddedNamespaceValidatorTest {
+
+    @Test
+    void testIsEmbeddedBundle() {
+        assertTrue(EmbeddedNamespaceValidator.isEmbeddedBundle(Paths.get("apps", "myapp", "install", "mybundle.jar")));
+        // with run modes
+        assertTrue(EmbeddedNamespaceValidator.isEmbeddedBundle(
+                Paths.get("apps", "myapp", "install.author", "mybundle.jar")));
+        assertTrue(EmbeddedNamespaceValidator.isEmbeddedBundle(
+                Paths.get("apps", "myapp", "install.author.test", "mybundle.jar")));
+        // outside /apps
+        assertFalse(EmbeddedNamespaceValidator.isEmbeddedBundle(Paths.get("conf", "myapp", "install", "mybundle.jar")));
+        // at max depth
+        assertTrue(EmbeddedNamespaceValidator.isEmbeddedBundle(
+                Paths.get("apps", "myapp", "child", "child", "install", "mybundle.jar")));
+        // below max depth
+        assertFalse(EmbeddedNamespaceValidator.isEmbeddedBundle(
+                Paths.get("apps", "myapp", "child", "child", "child", "child", "install", "mybundle.jar")));
+        // no jar
+        assertFalse(EmbeddedNamespaceValidator.isEmbeddedBundle(Paths.get("apps", "myapp", "install", "mybundle.zip")));
+    }
+}