Merge pull request #17 from Cognifide/feature/osgi-settings

Feature/osgi settings

src/main/aem/jcr_root/apps/cognifide/secureaem/components/htmlLibraryManager/.content.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="https://sling.apache.org/jcr/sling/1.0" xmlns:cq="https://www.day.com/jcr/cq/1.0" xmlns:jcr="https://www.jcp.org/jcr/1.0"
+    jcr:primaryType="cq:Component"
+    sling:resourceSuperType="cognifide/secureaem/components/abstractTest"
+    testClass="com.cognifide.secureaem.tests.HtmlLibraryManagerTest"/>

src/main/aem/jcr_root/apps/cognifide/secureaem/components/slingJsHandler/.content.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="https://sling.apache.org/jcr/sling/1.0" xmlns:cq="https://www.day.com/jcr/cq/1.0" xmlns:jcr="https://www.jcp.org/jcr/1.0"
+    jcr:primaryType="cq:Component"
+    sling:resourceSuperType="cognifide/secureaem/components/abstractTest"
+    testClass="com.cognifide.secureaem.tests.SlingJsHandlerTest"/>

src/main/aem/jcr_root/apps/cognifide/secureaem/components/slingJspScriptHandler/.content.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="https://sling.apache.org/jcr/sling/1.0" xmlns:cq="https://www.day.com/jcr/cq/1.0" xmlns:jcr="https://www.jcp.org/jcr/1.0"
+    jcr:primaryType="cq:Component"
+    sling:resourceSuperType="cognifide/secureaem/components/abstractTest"
+    testClass="com.cognifide.secureaem.tests.SlingJspScriptHandlerTest"/>

src/main/aem/jcr_root/apps/cognifide/secureaem/components/wcmFilter/.content.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="https://sling.apache.org/jcr/sling/1.0" xmlns:cq="https://www.day.com/jcr/cq/1.0" xmlns:jcr="https://www.jcp.org/jcr/1.0"
+    jcr:primaryType="cq:Component"
+    sling:resourceSuperType="cognifide/secureaem/components/abstractTest"
+    testClass="com.cognifide.secureaem.tests.WcmFilterTest"/>

src/main/aem/jcr_root/etc/secureaem/.content.xml

@@ -22,6 +22,10 @@
     <geometrixx/>
     <redundant-selectors/>
     <error-handler/>
+    <wcm-filter/>
+    <html-library-manager/>
+    <sling-js-handler/>
+    <sling-jsp-script-handler/>
     <crx-development-bundles/>
     <replication-transport-users/>
     <sling-development-bundle/>

src/main/aem/jcr_root/etc/secureaem/crx-development-bundles/.content.xml

@@ -13,7 +13,6 @@
             jcr:primaryType="nt:unstructured"
             sling:resourceType="cognifide/secureaem/components/crxDevelopmentBundles"
             enabled="true"
-            users="[admin:admin]"
             bundles="[Adobe CRXDE Support,Adobe Granite CRX Explorer,Adobe Granite CRXDE Lite]"/>
     </jcr:content>
 </jcr:root>

src/main/aem/jcr_root/etc/secureaem/html-library-manager/.content.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="https://sling.apache.org/jcr/sling/1.0" xmlns:cq="https://www.day.com/jcr/cq/1.0" xmlns:jcr="https://www.jcp.org/jcr/1.0" xmlns:nt="https://www.jcp.org/jcr/nt/1.0"
+    jcr:primaryType="cq:Page">
+    <jcr:content
+        jcr:description="Some OSGI settings are set by default to allow easier debugging of the application. These need to be changed on your publish and author productive instances to avoid internal information leaking to the public."
+        jcr:primaryType="cq:PageContent"
+        jcr:title="Html Library Manager"
+        sling:resourceType="cognifide/secureaem/renderers/testRenderer"
+        severity="MAJOR"
+        url="https://docs.adobe.com/docs/en/aem/6-2/administer/security/security-checklist.html#OSGI%20Settings"
+        urlDesc="Official AEM Security Checklist">
+        <testComponent
+            jcr:primaryType="nt:unstructured"
+            sling:resourceType="cognifide/secureaem/components/htmlLibraryManager"
+            enabled="true"/>
+    </jcr:content>
+</jcr:root>

src/main/aem/jcr_root/etc/secureaem/replication-transport-users/.content.xml

@@ -12,7 +12,6 @@
         <testComponent
             jcr:primaryType="nt:unstructured"
             sling:resourceType="cognifide/secureaem/components/replicationTransportUsers"
-            enabled="true"
-            users="[admin:admin]"/>
+            enabled="true"/>
     </jcr:content>
 </jcr:root>

src/main/aem/jcr_root/etc/secureaem/sling-development-bundle/.content.xml

@@ -13,7 +13,6 @@
             jcr:primaryType="nt:unstructured"
             sling:resourceType="cognifide/secureaem/components/slingDevelopmentBundle"
             enabled="true"
-            users="[admin:admin]"
             bundles="[Apache Sling Tooling]"/>
     </jcr:content>
 </jcr:root>

src/main/aem/jcr_root/etc/secureaem/sling-js-handler/.content.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="https://sling.apache.org/jcr/sling/1.0" xmlns:cq="https://www.day.com/jcr/cq/1.0" xmlns:jcr="https://www.jcp.org/jcr/1.0" xmlns:nt="https://www.jcp.org/jcr/nt/1.0"
+    jcr:primaryType="cq:Page">
+    <jcr:content
+        jcr:description="Some OSGI settings are set by default to allow easier debugging of the application. These need to be changed on your publish and author productive instances to avoid internal information leaking to the public."
+        jcr:primaryType="cq:PageContent"
+        jcr:title="Sling Java Script Handler"
+        sling:resourceType="cognifide/secureaem/renderers/testRenderer"
+        severity="MAJOR"
+        url="https://docs.adobe.com/docs/en/aem/6-2/administer/security/security-checklist.html#OSGI%20Settings"
+        urlDesc="Official AEM Security Checklist">
+        <testComponent
+            jcr:primaryType="nt:unstructured"
+            sling:resourceType="cognifide/secureaem/components/slingJsHandler"
+            enabled="true"/>
+    </jcr:content>
+</jcr:root>

src/main/aem/jcr_root/etc/secureaem/sling-jsp-script-handler/.content.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="https://sling.apache.org/jcr/sling/1.0" xmlns:cq="https://www.day.com/jcr/cq/1.0" xmlns:jcr="https://www.jcp.org/jcr/1.0" xmlns:nt="https://www.jcp.org/jcr/nt/1.0"
+    jcr:primaryType="cq:Page">
+    <jcr:content
+        jcr:description="Some OSGI settings are set by default to allow easier debugging of the application. These need to be changed on your publish and author productive instances to avoid internal information leaking to the public."
+        jcr:primaryType="cq:PageContent"
+        jcr:title="Sling JSP script Handler"
+        sling:resourceType="cognifide/secureaem/renderers/testRenderer"
+        severity="MAJOR"
+        url="https://docs.adobe.com/docs/en/aem/6-2/administer/security/security-checklist.html#OSGI%20Settings"
+        urlDesc="Official AEM Security Checklist">
+        <testComponent
+            jcr:primaryType="nt:unstructured"
+            sling:resourceType="cognifide/secureaem/components/slingJspScriptHandler"
+            enabled="true"/>
+    </jcr:content>
+</jcr:root>

src/main/aem/jcr_root/etc/secureaem/sling-referrer-filter/.content.xml

@@ -12,7 +12,6 @@
         <testComponent
             jcr:primaryType="nt:unstructured"
             sling:resourceType="cognifide/secureaem/components/slingReferrerFilter"
-            enabled="true"
-            users="[admin:admin]"/>
+            enabled="true"/>
     </jcr:content>
 </jcr:root>

src/main/aem/jcr_root/etc/secureaem/wcm-filter/.content.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="https://sling.apache.org/jcr/sling/1.0" xmlns:cq="https://www.day.com/jcr/cq/1.0" xmlns:jcr="https://www.jcp.org/jcr/1.0" xmlns:nt="https://www.jcp.org/jcr/nt/1.0"
+    jcr:primaryType="cq:Page">
+    <jcr:content
+        jcr:description="AEM WCM Filter should be disabled on publish"
+        jcr:primaryType="cq:PageContent"
+        jcr:title="AEM WCM Filter"
+        sling:resourceType="cognifide/secureaem/renderers/testRenderer"
+        severity="MAJOR"
+        url="https://docs.adobe.com/docs/en/aem/6-2/deploy/configuring/osgi-configuration-settings.html#Day%20CQ%20WCM%20Debug%20Filter"
+        urlDesc="Official Configuring AEM document">
+        <testComponent
+            jcr:primaryType="nt:unstructured"
+            sling:resourceType="cognifide/secureaem/components/wcmFilter"
+            enabled="true"/>
+    </jcr:content>
+</jcr:root>

src/main/java/com/cognifide/secureaem/AbstractTest.java

@@ -6,7 +6,6 @@
 import java.util.List;
 import java.util.Set;
 
-import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.http.auth.UsernamePasswordCredentials;
 import org.slf4j.Logger;
@@ -137,6 +136,22 @@ protected UsernamePasswordCredentials getUsernamePasswordCredentials(String inst
 		return credentials;
 	}
 
+	/**
+	 * Check boolean property. If different than expected error message will be added to error list, if same as expected info message will be added to info list
+	 *
+	 * @param actualValue Actual value of boolean property
+	 * @param expectedValue Expected value of boolean property
+	 * @param propertyName Property name used in info/error messages
+	 * @param instanceName Instance name used in info/error messages
+	 */
+	protected void checkBooleanValue(boolean actualValue, boolean expectedValue, String propertyName, String instanceName) {
+		if (actualValue == expectedValue) {
+			addInfoMessage("On %s instance %s property is %b", instanceName, propertyName, actualValue);
+		} else {
+			addErrorMessage("On %s instance %s property is %b, but it should be %b", instanceName, propertyName, actualValue, expectedValue);
+		}
+	}
+
 	public List<String> getInfoMessages() {
 		return infoMessages;
 	}

src/main/java/com/cognifide/secureaem/HttpHelper.java

@@ -75,12 +75,12 @@ public String getBasePath(String url, boolean removeExtension) throws IOExceptio
 		EntityUtils.consume(response.getEntity());
 		HttpUriRequest request = (HttpUriRequest) context.getAttribute(ExecutionContext.HTTP_REQUEST);
 
-		URI uri = request.getURI();
-		String baseUrl = context.getAttribute(ExecutionContext.HTTP_TARGET_HOST).toString() + uri.getPath();
-		if (removeExtension && uri.getPath().contains(".")) {
+		String  uriPath = request.getURI().getPath();
+		String baseUrl = context.getAttribute(ExecutionContext.HTTP_TARGET_HOST).toString() + uriPath;
+		if (removeExtension && uriPath.contains(".")) {
 			baseUrl = StringUtils.substringBeforeLast(baseUrl, ".");
 		}
-		if (!"/".equals(uri.getPath())) {
+		if (!"/".equals(uriPath)) {
 			baseUrl = StringUtils.removeEnd(baseUrl, "/");
 		}
 		return baseUrl;

src/main/java/com/cognifide/secureaem/UserHelper.java

@@ -3,7 +3,11 @@
 /**
  * Created by Mariusz Kubiś on 19.09.16
  */
-public class UserHelper {
+public final class UserHelper {
+
+	private UserHelper() {
+		// To prevent initialization
+	}
 
 	public static String[] splitUser(String user) {
 		int colon = user.indexOf(':');

src/main/java/com/cognifide/secureaem/cli/Main.java

@@ -8,11 +8,12 @@
 import org.apache.commons.lang3.StringUtils;
 
 import java.io.BufferedReader;
+import java.io.FileInputStream;
 import java.io.FileNotFoundException;
-import java.io.FileReader;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -24,22 +25,25 @@ public class Main {
 
 	private static final String DEFAULT_TEST_SUITE_PATH = "/test_suite.properties";
 
+	private static final String CMD_SUITE_OPTION = "suite";
+
 	public static void main(String[] args) throws Exception {
 		CommandLine cmdLine = createOptions(args);
 		if (!cmdLine.hasOption('a') && !cmdLine.hasOption('p') && !cmdLine.hasOption('d')) {
 			printf("Usage: ");
 			printf("java -jar secure-aem.jar [-a AUTHOR_URL] [-p PUBLISH_URL] [-d DISPATCHER_URL] ");
 			System.exit(1);
 		}
-		List<TestLoader> testLoaders =  createTestLoaders(cmdLine);
+		List<TestLoader> testLoaders = createTestLoaders(cmdLine);
 		boolean result = true;
 		for (TestLoader testLoader : testLoaders) {
 			result = doTest(testLoader, cmdLine) && result;
 		}
 		System.exit(result ? 0 : -1);
 	}
 
-	private static List<TestLoader> createTestLoaders(CommandLine cmdLine) throws IOException, ClassNotFoundException {
+	private static List<TestLoader> createTestLoaders(CommandLine cmdLine)
+			throws IOException, ClassNotFoundException {
 		try (BufferedReader reader = getBufferedReader(cmdLine)) {
 			List<TestLoader> testLoaders = new ArrayList<>();
 			String line;
@@ -56,11 +60,13 @@ private static List<TestLoader> createTestLoaders(CommandLine cmdLine) throws IO
 
 	private static BufferedReader getBufferedReader(CommandLine cmdLine) throws FileNotFoundException {
 		BufferedReader reader;
-		if (cmdLine.hasOption("suite")) {
-			reader = new BufferedReader(new FileReader(cmdLine.getOptionValue("suite")));
+		if (cmdLine.hasOption(CMD_SUITE_OPTION)) {
+			reader = new BufferedReader(
+					new InputStreamReader(new FileInputStream(cmdLine.getOptionValue(CMD_SUITE_OPTION)),
+							StandardCharsets.UTF_8));
 		} else {
 			InputStream is = Main.class.getClass().getResourceAsStream(DEFAULT_TEST_SUITE_PATH);
-			reader = new BufferedReader(new InputStreamReader(is));
+			reader = new BufferedReader(new InputStreamReader(is, StandardCharsets.UTF_8));
 		}
 		return reader;
 	}
@@ -84,7 +90,8 @@ private static boolean doTest(TestLoader testLoader, CommandLine cmdLine) throws
 				printf(" * %s", message);
 			}
 		}
-		if (!test.getInfoMessages().isEmpty() && !"true".equals(config.getStringValue("hidePassed", "false"))) {
+		if (!test.getInfoMessages().isEmpty() && !"true"
+				.equals(config.getStringValue("hidePassed", "false"))) {
 			printf("");
 			printf("Passed tests:");
 			for (String message : test.getInfoMessages()) {
@@ -99,12 +106,12 @@ private static void printf(String format, Object... args) {
 		System.out.println(String.format(format, args));
 	}
 
-	private static CommandLine createOptions(String args[]) throws ParseException {
+	private static CommandLine createOptions(String[] args) throws ParseException {
 		Options options = new Options();
 		options.addOption("a", true, "author URL");
 		options.addOption("p", true, "publish URL");
 		options.addOption("d", true, "dispatcher URL");
-		options.addOption("suite", true, "test suite");
+		options.addOption(CMD_SUITE_OPTION, true, "test suite");
 		options.addOption("aCredentials", true, "author credentials");
 		options.addOption("pCredentials", true, "publish credentials");
 

src/main/java/com/cognifide/secureaem/sling/DefaultConfigurationProvider.java

@@ -51,18 +51,10 @@ protected void activate() throws LoginException {
 		ResourceResolver resolver = resolverFactory.getAdministrativeResourceResolver(null);
 		try {
 			String currentHost = getCurrentHost();
-			String publishHost = getTransportUri(new AgentConfigFilter() {
-				@Override
-				public boolean matches(AgentConfig agentConfig) {
-					return "durbo".equals(agentConfig.getSerializationType());
-				}
-			});
-			String dispatcher = getTransportUri(new AgentConfigFilter() {
-				@Override
-				public boolean matches(AgentConfig agentConfig) {
-					return "flush".equals(agentConfig.getSerializationType());
-				}
-			});
+			String publishHost = getTransportUri(
+					agentConfig -> "durbo".equals(agentConfig.getSerializationType()));
+			String dispatcher = getTransportUri(
+					agentConfig -> "flush".equals(agentConfig.getSerializationType()));
 			LOG.info("Discovered author instance URL: " + currentHost);
 			LOG.info("Discovered publish instance URL: " + publishHost);
 			LOG.info("Discovered dispatcher URL: " + dispatcher);
@@ -137,7 +129,7 @@ private String getCurrentHost() {
 		}
 	}
 
-	private static interface AgentConfigFilter {
+	private interface AgentConfigFilter {
 		boolean matches(AgentConfig agentConfig);
 	}
 }

src/main/java/com/cognifide/secureaem/sling/ResourceConfiguration.java

@@ -12,7 +12,7 @@
 import com.cognifide.secureaem.cli.CliConfiguration;
 
 public class ResourceConfiguration implements Configuration {
-	private static final Logger LOG = LoggerFactory.getLogger(DefaultConfigurationProvider.class);
+	private static final Logger LOG = LoggerFactory.getLogger(ResourceConfiguration.class);
 	private final ValueMap globalConfig;
 
 	private final SlingHttpServletRequest request;

src/main/java/com/cognifide/secureaem/tests/HtmlLibraryManagerTest.java

@@ -0,0 +1,29 @@
+package com.cognifide.secureaem.tests;
+
+import com.cognifide.secureaem.AbstractTest;
+import com.cognifide.secureaem.Configuration;
+import com.cognifide.secureaem.markers.AuthorTest;
+import com.cognifide.secureaem.markers.PublishTest;
+
+public class HtmlLibraryManagerTest extends AbstractTest
+		implements AuthorTest, PublishTest, OsgiConfigurationTest {
+
+	public HtmlLibraryManagerTest(Configuration config) {
+		super(config);
+	}
+
+	@Override public boolean doTest(String url, String instanceName) throws Exception {
+		String configurationEndpoint = url
+				+ "/system/console/configMgr/com.adobe.granite.ui.clientlibs.impl.HtmlLibraryManagerImpl.json";
+		String body = getJsonBodyOfOsgiConfiguration(configurationEndpoint, getUsernamePasswordCredentials(instanceName), instanceName);
+		checkBooleanValue(getBooleanValueFromJson("htmllibmanager.minify", body), true, "Minify",
+				instanceName);
+		checkBooleanValue(getBooleanValueFromJson("htmllibmanager.gzip", body), true, "Gzip", instanceName);
+		checkBooleanValue(getBooleanValueFromJson("htmllibmanager.debug", body), false, "Debug",
+				instanceName);
+		checkBooleanValue(getBooleanValueFromJson("htmllibmanager.timing", body), false, "Timing",
+				instanceName);
+		return getErrorMessages().isEmpty();
+	}
+}
+