Add validator for embedded bundles

This closes #5

Author: kwin

README.md

@@ -19,6 +19,7 @@ There are several validators included in this artifact, all relate to namespacin
 1. [OSGi Configuration][osgi-installer-configurations]
 1. [Sling Resource Type and Resource Super Type][sling-resource-type] (`sling:resourceType` and `sling:resourceSuperType` properties)
 1. [AEM Client Library][aem-clientlibrary] (`categories` property)
+1. [Embedded Bundles][embedded] (the `Bundle-SymbolicName` of embedded bundles)
 
 Namespacing has been explicitly mentioned in [Achim Koch's Blog: Hosting Multiple Tenants on AEM](https://blog.developer.adobe.com/hosting-multiple-tenants-on-aem-815c8ed0c9f9) but obviously namespacing is just one of multiple aspects to consider for multi-tenant AEM environments.
 
@@ -48,6 +49,7 @@ Validator ID | Option | Description
 `netcentric-resourcetype-namespace` | `allowedTypePatterns` | Comma-separated list of regular expression patterns. Each `sling:resourceType` property of arbitrary JCR nodes must match at least one of the given patterns.
 `netcentric-resourcetype-namespace` | `allowedSuperTypePatterns` | Comma-separated list of regular expression patterns. Each `sling:resourceSuperType` property of arbitrary JCR nodes must match at least one of the given patterns.
 `netcentric-clientlibrary-namespace` | `allowedCategoryPatterns` | Comma-separated list of regular expression patterns. Each [client library's `categories` value][aem-clientlibrary] must match at least one of the given patterns.
+`netcentric-embedded-namespace` | `allowedBundleSymbolicNamePatterns` | Comma-separated list of regular expression patterns. Each embedded bundle in the package must have a `Bundle-SymbolicName` in its manifest which matches at least one of the given patterns.
 
 *Due to the use of comma-separated strings it is not possible to use a comma within the regular expressions. However, as those are matched against names/paths (which don't allow a comma anyhow) using the comma inside the regular expressions shouldn't be necessary anyhow.*
 
@@ -131,4 +133,5 @@ Adobe, and AEM are either registered trademarks or trademarks of Adobe in the Un
 [filevault-package-id]: https://jackrabbit.apache.org/filevault/properties.html
 [sling-resource-type]: https://sling.apache.org/documentation/the-sling-engine/resources.html#resource-types
 [oak-authorizables]: https://jackrabbit.apache.org/oak/docs/security/user/default.html#representation-in-the-repository
+[embedded]: https://jackrabbit.apache.org/filevault-package-maven-plugin/osgi.html#bundles-and-configurations
 

src/main/java/biz/netcentric/filevault/validator/aem/namespace/EmbeddedNamespaceValidator.java

@@ -0,0 +1,99 @@
+/*-
+ * #%L
+ * AEM FileVault Content Package Namespace Validators
+ * %%
+ * Copyright (C) 2024 Cognizant Netcentric
+ * %%
+ * All rights reserved. This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ * SPDX-License-Identifier: EPL-2.0
+ * #L%
+ */
+package biz.netcentric.filevault.validator.aem.namespace;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Path;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Set;
+import java.util.Spliterators;
+import java.util.jar.JarInputStream;
+import java.util.jar.Manifest;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import java.util.stream.StreamSupport;
+
+import org.apache.jackrabbit.vault.validation.spi.GenericJcrDataValidator;
+import org.apache.jackrabbit.vault.validation.spi.ValidationMessage;
+import org.apache.jackrabbit.vault.validation.spi.ValidationMessageSeverity;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+public class EmbeddedNamespaceValidator implements GenericJcrDataValidator {
+
+    private final ValidationMessageSeverity severity;
+    private final Set<Pattern> allowedBundleSymbolicNamePatterns;
+
+    public EmbeddedNamespaceValidator(
+            ValidationMessageSeverity severity, Set<Pattern> allowedBundleSymbolicNamePatterns) {
+        super();
+        this.severity = severity;
+        this.allowedBundleSymbolicNamePatterns = allowedBundleSymbolicNamePatterns;
+    }
+
+    @Override
+    public @Nullable Collection<ValidationMessage> validateJcrData(
+            @NotNull InputStream input,
+            @NotNull Path filePath,
+            @NotNull Path basePath,
+            @NotNull Map<String, Integer> nodePathsAndLineNumbers)
+            throws IOException {
+        try (JarInputStream jarInputStream = new JarInputStream(input)) {
+            String bundleSymbolicName = getBundleSymbolicName(jarInputStream.getManifest());
+            if (allowedBundleSymbolicNamePatterns.stream()
+                    .noneMatch(pattern -> pattern.matcher(bundleSymbolicName).matches())) {
+                return Collections.singleton(new ValidationMessage(
+                        severity,
+                        String.format(
+                                "Bundle-SymbolicName '%s' does not match any of the allowed patterns [%s]",
+                                bundleSymbolicName,
+                                allowedBundleSymbolicNamePatterns.stream()
+                                        .map(Pattern::pattern)
+                                        .collect(Collectors.joining(",")))));
+            }
+        }
+
+        return GenericJcrDataValidator.super.validateJcrData(input, filePath, basePath, nodePathsAndLineNumbers);
+    }
+
+    String getBundleSymbolicName(Manifest manifest) {
+        return manifest.getMainAttributes().getValue("Bundle-SymbolicName");
+    }
+
+    @Override
+    public boolean shouldValidateJcrData(@NotNull Path filePath, @NotNull Path basePath) {
+        return isEmbeddedBundle(filePath);
+    }
+
+    static boolean isEmbeddedBundle(@NotNull Path filePath) {
+        if (!filePath.getName(0).toString().equals("apps")) {
+            return false;
+        }
+        if (!filePath.getFileName().toString().endsWith(".jar")) {
+            return false;
+        }
+        return StreamSupport.stream(Spliterators.spliterator(filePath.iterator(), filePath.getNameCount(), 0), false)
+                .limit(5) // max depth
+                .map(Path::getFileName)
+                .map(Path::toString)
+                .anyMatch(name -> name.startsWith("install.") || name.equals("install"));
+    }
+
+    @Override
+    public @Nullable Collection<ValidationMessage> done() {
+        return null;
+    }
+}

src/main/java/biz/netcentric/filevault/validator/aem/namespace/EmbeddedNamespaceValidatorFactory.java

@@ -0,0 +1,37 @@
+/*-
+ * #%L
+ * AEM FileVault Content Package Namespace Validators
+ * %%
+ * Copyright (C) 2024 Cognizant Netcentric
+ * %%
+ * All rights reserved. This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ * SPDX-License-Identifier: EPL-2.0
+ * #L%
+ */
+package biz.netcentric.filevault.validator.aem.namespace;
+
+import java.util.Set;
+import java.util.regex.Pattern;
+
+import org.apache.jackrabbit.vault.validation.spi.ValidationContext;
+import org.apache.jackrabbit.vault.validation.spi.Validator;
+import org.apache.jackrabbit.vault.validation.spi.ValidatorFactory;
+import org.apache.jackrabbit.vault.validation.spi.ValidatorSettings;
+import org.jetbrains.annotations.NotNull;
+import org.kohsuke.MetaInfServices;
+
+@MetaInfServices(ValidatorFactory.class)
+public class EmbeddedNamespaceValidatorFactory extends AbstractPatternSettingsValidatorFactory {
+
+    public EmbeddedNamespaceValidatorFactory() {
+        super("netcentric-embedded-namespace", "allowedBundleSymbolicNamePatterns", false);
+    }
+
+    @Override
+    protected Validator createValidator(
+            @NotNull Set<Pattern> patterns, @NotNull ValidationContext context, @NotNull ValidatorSettings settings) {
+        return new EmbeddedNamespaceValidator(settings.getDefaultSeverity(), patterns);
+    }
+}

src/test/java/biz/netcentric/filevault/validator/aem/namespace/EmbeddedNamespaceValidatorTest.java

@@ -0,0 +1,42 @@
+/*-
+ * #%L
+ * AEM FileVault Content Package Namespace Validators
+ * %%
+ * Copyright (C) 2024 Cognizant Netcentric
+ * %%
+ * All rights reserved. This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ * SPDX-License-Identifier: EPL-2.0
+ * #L%
+ */
+package biz.netcentric.filevault.validator.aem.namespace;
+
+import java.nio.file.Paths;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+class EmbeddedNamespaceValidatorTest {
+
+    @Test
+    void testIsEmbeddedBundle() {
+        assertTrue(EmbeddedNamespaceValidator.isEmbeddedBundle(Paths.get("apps", "myapp", "install", "mybundle.jar")));
+        // with run modes
+        assertTrue(EmbeddedNamespaceValidator.isEmbeddedBundle(
+                Paths.get("apps", "myapp", "install.author", "mybundle.jar")));
+        assertTrue(EmbeddedNamespaceValidator.isEmbeddedBundle(
+                Paths.get("apps", "myapp", "install.author.test", "mybundle.jar")));
+        // outside /apps
+        assertFalse(EmbeddedNamespaceValidator.isEmbeddedBundle(Paths.get("conf", "myapp", "install", "mybundle.jar")));
+        // at max depth
+        assertTrue(EmbeddedNamespaceValidator.isEmbeddedBundle(
+                Paths.get("apps", "myapp", "child", "child", "install", "mybundle.jar")));
+        // below max depth
+        assertFalse(EmbeddedNamespaceValidator.isEmbeddedBundle(
+                Paths.get("apps", "myapp", "child", "child", "child", "child", "install", "mybundle.jar")));
+        // no jar
+        assertFalse(EmbeddedNamespaceValidator.isEmbeddedBundle(Paths.get("apps", "myapp", "install", "mybundle.zip")));
+    }
+}