Remove dependency on AEM's KeyStoreService

README.md

@@ -29,7 +29,7 @@ See also our talk at [adaptTo() 2016](https://adapt.to/2016/en/schedule/ac-tool.
 
 The AC Tool requires **Java 11 and AEM 6.5.18** or above (use v3.x for older AEM versions which runs on Java 8 and AEM 6.4 or above) for on-premise installations. Since v2.5.0 **[AEM as a Cloud Service](https://www.adobe.com/marketing/experience-manager/cloud-service.html)** is supported, see [Startup Hook](https://github.com/Netcentric/accesscontroltool/blob/develop/docs/ApplyConfig.md#startup-hook) for details.
 
-It is also possible to run the AC Tool on **Apache Sling 12** or above (ensure system user `actool-service` has `jcr:all` permissions on root). When using the AC Tool with Sling, actions in ACE definitions and encrypted passwords cannot be used. To use the `externalId` attribute, ensure bundle `oak-auth-external` installed (not part of default Sling distribution).
+It is also possible to run the AC Tool on **Apache Sling 12** or above (ensure system user `actool-service` has `jcr:all` permissions on root). When using the AC Tool with Sling, actions in ACE definitions, encrypted passwords and user's key stores cannot be used. To use the `externalId` attribute, ensure bundle `oak-auth-external` installed (not part of default Sling Starter distribution).
 
 # Installation
 

accesscontroltool-bundle/bnd.bnd

@@ -7,6 +7,7 @@ Bundle-SymbolicName: biz.netcentric.cq.tools.accesscontroltool.bundle
 
 # allow to run in Sling without AEM bundles
 # allow to run without bouncycastle which is only necessary for some edge cases when managing keys
+# broader version range for JMX annotation as 2.0.0 was introduced in https://github.com/apache/jackrabbit-oak/commit/42b0a70d305372e9c228697012f12c59d643fe27#diff-776354a994a5afefbc8da17a75d83569e198589f2abe3be6890bb621f9a1a708 but is still compatible with our use cases
 Import-Package: \
 com.adobe.granite.crypto;resolution:=optional,\
 com.adobe.granite.keystore;resolution:=optional,\
@@ -15,6 +16,7 @@ com.fasterxml.jackson.databind;resolution:=optional,\
 org.apache.http.*;resolution:=optional,\
 org.bouncycastle.*;resolution:=optional,\
 org.apache.jackrabbit.oak.spi.security.authentication.external.*;resolution:=optional,\
+org.apache.jackrabbit.oak.commons.jmx;version="[1.1.0,3.0.0)",\
 !jakarta.servlet.jsp.el,\
 *
 

accesscontroltool-bundle/maximum-sling.bndrun

@@ -0,0 +1,17 @@
+#  Licensed to the Apache Software Foundation (ASF) under one or more
+#  contributor license agreements.  See the NOTICE file distributed with
+#  this work for additional information regarding copyright ownership.
+#  The ASF licenses this file to You under the Apache License, Version 2.0
+#  (the "License"); you may not use this file except in compliance with
+#  the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+-include ../target-osgi-environment/sling-maximum-version-environment/maximum-sling.bndrun
+

accesscontroltool-bundle/minimum-aem.bndrun

@@ -13,5 +13,5 @@
 #  See the License for the specific language governing permissions and
 #  limitations under the License.
 
--include ../target-osgi-environment/minimum-environment/minimum-aem.bndrun
+-include ../target-osgi-environment/aem-minimum-version-environment/minimum-aem.bndrun
 

accesscontroltool-bundle/minimum-sling.bndrun

@@ -0,0 +1,17 @@
+#  Licensed to the Apache Software Foundation (ASF) under one or more
+#  contributor license agreements.  See the NOTICE file distributed with
+#  this work for additional information regarding copyright ownership.
+#  The ASF licenses this file to You under the Apache License, Version 2.0
+#  (the "License"); you may not use this file except in compliance with
+#  the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+-include ../target-osgi-environment/sling-minimum-version-environment/minimum-sling.bndrun
+

accesscontroltool-bundle/pom.xml

@@ -117,6 +117,17 @@
             <artifactId>oak-jackrabbit-api</artifactId>
             <scope>provided</scope>
         </dependency>
+        <!-- for org.apache.jackrabbit.oak.commons.jmx -->
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-core-spi</artifactId>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>org.apache.jackrabbit.vault</groupId>
             <artifactId>org.apache.jackrabbit.vault</artifactId>
@@ -199,12 +210,6 @@
             <artifactId>httpclient-osgi</artifactId>
             <scope>provided</scope>
         </dependency>
-        <!-- JMX annotations -->
-        <dependency>
-            <groupId>com.adobe.granite</groupId>
-            <artifactId>com.adobe.granite.jmx</artifactId>
-            <scope>provided</scope>
-        </dependency>
         <!-- Crypto Support -->
         <dependency>
             <groupId>com.adobe.granite</groupId>
@@ -277,12 +282,6 @@
             <scope>test</scope>
         </dependency>
         <!-- IT dependencies -->
-        <dependency>
-            <groupId>org.apache.jackrabbit</groupId>
-            <artifactId>oak-api</artifactId>
-            <version>${oak.testing.version}</version>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>org.apache.jackrabbit</groupId>
             <artifactId>oak-core</artifactId>
@@ -380,11 +379,23 @@
                                 <artifactId>oak-jackrabbit-api</artifactId>
                                 <version>${oak.testing.version}</version>
                             </additionalClasspathDependency>
+                            <additionalClasspathDependency>
+                                <groupId>org.apache.jackrabbit</groupId>
+                                <artifactId>oak-api</artifactId>
+                                <version>${oak.testing.version}</version>
+                            </additionalClasspathDependency>
+                            <additionalClasspathDependency>
+                                <groupId>org.apache.jackrabbit</groupId>
+                                <artifactId>oak-core-spi</artifactId>
+                                <version>${oak.testing.version}</version>
+                            </additionalClasspathDependency>
                         </additionalClasspathDependencies>
                         <classpathDependencyExcludes>
                             <classpathDependencyExclude>org.apache.jackrabbit:oak-security-spi</classpathDependencyExclude>
                             <classpathDependencyExclude>org.apache.jackrabbit:oak-auth-external</classpathDependencyExclude>
-                            <classpathDependencyExclude>org.apache.jackrabbit:jackrabbit-api</classpathDependencyExclude>
+                            <classpathDependencyExclude>org.apache.jackrabbit:oak-jackrabbit-api</classpathDependencyExclude>
+                            <classpathDependencyExclude>org.apache.jackrabbit:oak-api</classpathDependencyExclude>
+                            <classpathDependencyExclude>org.apache.jackrabbit:oak-core-spi</classpathDependencyExclude>
                         </classpathDependencyExcludes>
                     </configuration>
                 </plugin>
@@ -412,7 +423,7 @@
                 <artifactId>bnd-resolver-maven-plugin</artifactId>
                 <executions>
                     <execution>
-                        <id>resolve-against-minimum</id>
+                        <id>resolve-against-minimum-aem</id>
                         <goals>
                             <goal>resolve</goal>
                         </goals>
@@ -424,6 +435,32 @@
                             </bndruns>
                         </configuration>
                     </execution>
+                    <execution>
+                        <id>resolve-against-minimum-sling</id>
+                        <goals>
+                            <goal>resolve</goal>
+                        </goals>
+                        <phase>verify</phase>
+                        <configuration>
+                            <useMavenDependencies>false</useMavenDependencies>
+                            <bndruns>
+                                <include>minimum-sling.bndrun</include>
+                            </bndruns>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>resolve-against-maximum-sling</id>
+                        <goals>
+                            <goal>resolve</goal>
+                        </goals>
+                        <phase>verify</phase>
+                        <configuration>
+                            <useMavenDependencies>false</useMavenDependencies>
+                            <bndruns>
+                                <include>maximum-sling.bndrun</include>
+                            </bndruns>
+                        </configuration>
+                    </execution>
                     <!-- resolving against the maximum, i.e. AEMaaCS version happens separately in the aemanalyser-maven-plugin -->
                 </executions>
                 <configuration>

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aem/AemUserKeyStoreService.java

@@ -0,0 +1,57 @@
+package biz.netcentric.cq.tools.actool.aem;
+
+/*-
+ * #%L
+ * Access Control Tool Bundle
+ * %%
+ * Copyright (C) 2015 - 2026 Cognizant Netcentric
+ * %%
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ * 
+ * SPDX-License-Identifier: EPL-2.0
+ * #L%
+ */
+
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+
+import org.apache.sling.api.resource.ResourceResolver;
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Reference;
+import org.osgi.service.component.annotations.ReferencePolicyOption;
+
+import com.adobe.granite.keystore.KeyStoreService;
+
+import biz.netcentric.cq.tools.actool.crypto.UserKeyStoreService;
+
+@Component
+public class AemUserKeyStoreService implements UserKeyStoreService {
+
+    @Reference(policyOption = ReferencePolicyOption.GREEDY)
+    private KeyStoreService delegate;
+
+    @Override
+    public boolean keyStoreExists(ResourceResolver resourceResolver, String userId) {
+        return delegate.keyStoreExists(resourceResolver, userId);
+    }
+
+    @Override
+    public void addKeyStoreKeyEntry(ResourceResolver resourceResolver, String userId, String key, PrivateKey privateKey,
+            Certificate[] certificates) {
+        delegate.addKeyStoreKeyEntry(resourceResolver, userId, key, privateKey, certificates);
+    }
+
+    @Override
+    public void addKeyStoreKeyPair(ResourceResolver resourceResolver, String userId, KeyPair keyPair, String key) {
+        delegate.addKeyStoreKeyPair(resourceResolver, userId, keyPair, key);
+    }
+
+    @Override
+    public void createKeyStore(ResourceResolver resourceResolver, String userId, char[] keyStorePasswordCharArray) {
+        delegate.createKeyStore(resourceResolver, userId, keyStorePasswordCharArray);
+    }
+
+}

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java

@@ -36,7 +36,6 @@
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
 import javax.jcr.SimpleCredentials;
-import javax.jcr.UnsupportedRepositoryOperationException;
 import javax.jcr.ValueFactory;
 
 import org.apache.commons.collections4.CollectionUtils;
@@ -61,9 +60,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.adobe.granite.keystore.KeyStoreNotInitialisedException;
-import com.adobe.granite.keystore.KeyStoreService;
-
 import biz.netcentric.cq.tools.actool.api.InstallationOptions;
 import biz.netcentric.cq.tools.actool.authorizableinstaller.AuthorizableCreatorException;
 import biz.netcentric.cq.tools.actool.authorizableinstaller.AuthorizableInstallerService;
@@ -73,6 +69,7 @@
 import biz.netcentric.cq.tools.actool.configmodel.pkcs.Key;
 import biz.netcentric.cq.tools.actool.configmodel.pkcs.RandomPassword;
 import biz.netcentric.cq.tools.actool.crypto.DecryptionService;
+import biz.netcentric.cq.tools.actool.crypto.UserKeyStoreService;
 import biz.netcentric.cq.tools.actool.externalusermanagement.ExternalGroupManagement;
 import biz.netcentric.cq.tools.actool.helper.AcHelper;
 import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
@@ -105,7 +102,7 @@ public class AuthorizableInstallerServiceImpl implements
     DecryptionService decryptionService;
 
     @Reference(cardinality = ReferenceCardinality.OPTIONAL, policy=ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
-    volatile KeyStoreService keyStoreService;
+    volatile UserKeyStoreService keyStoreService;
 
     @Reference(policyOption = ReferencePolicyOption.GREEDY)
     ResourceResolverFactory resourceResolverFactory;
@@ -218,7 +215,7 @@ private void installAuthorizableConfigurationBean(final Session session,
         }
     }
 
-    private void installKeys(boolean appendToKeyStore, User user, Map<String, Key> keys, String userId, String keyStorePassword, Session session, InstallationLogger installLog) throws LoginException, SlingIOException, SecurityException, KeyStoreNotInitialisedException, IOException, GeneralSecurityException, UnsupportedRepositoryOperationException, RepositoryException {
+    private void installKeys(boolean appendToKeyStore, User user, Map<String, Key> keys, String userId, String keyStorePassword, Session session, InstallationLogger installLog) throws LoginException, SlingIOException, SecurityException, IOException, RepositoryException {
         Map<String, Object> authInfo = new HashMap<>();
         authInfo.put(JcrResourceConstants.AUTHENTICATION_INFO_SESSION, session);
         ResourceResolver resolver = resourceResolverFactory.getResourceResolver(authInfo);
@@ -234,7 +231,7 @@ private void installKeys(boolean appendToKeyStore, User user, Map<String, Key> k
         }
     }
 
-    private void removeKeyStore(ResourceResolver resolver, User user, InstallationLogger installLog) throws UnsupportedRepositoryOperationException, RepositoryException, PersistenceException {
+    private void removeKeyStore(ResourceResolver resolver, User user, InstallationLogger installLog) throws RepositoryException, PersistenceException {
         String keyStorePath = user.getPath() + "/" + USER_KEYSTORE_FOLDER;
         Resource keyStoreResource = resolver.getResource(keyStorePath);
         if (keyStoreResource != null) {
@@ -245,7 +242,7 @@ private void removeKeyStore(ResourceResolver resolver, User user, InstallationLo
         }
     }
 
-    private void installKeys(Map<String, Key> keys, String userId, String keyStorePassword, ResourceResolver resourceResolver, InstallationLogger installLog) throws SlingIOException, SecurityException, KeyStoreNotInitialisedException, IOException, GeneralSecurityException {
+    private void installKeys(Map<String, Key> keys, String userId, String keyStorePassword, ResourceResolver resourceResolver, InstallationLogger installLog) throws SlingIOException, SecurityException {
         if (keyStoreService == null) {
             throw new IllegalStateException(
                     "Keys are used on the authorizable which require the AEM KeyStore Service which is missing.");

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/crypto/UserKeyStoreService.java

@@ -0,0 +1,36 @@
+package biz.netcentric.cq.tools.actool.crypto;
+
+/*-
+ * #%L
+ * Access Control Tool Bundle
+ * %%
+ * Copyright (C) 2015 - 2026 Cognizant Netcentric
+ * %%
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ * 
+ * SPDX-License-Identifier: EPL-2.0
+ * #L%
+ */
+
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+
+import org.apache.sling.api.resource.ResourceResolver;
+
+/** Interface for managing user's key stores. 
+ * This allows to decouple from a concrete (AEM-specific) interface like {@link com.adobe.granite.keystore.KeyStoreService} */
+public interface UserKeyStoreService {
+
+    boolean keyStoreExists(ResourceResolver resourceResolver, String userId);
+
+    void addKeyStoreKeyEntry(ResourceResolver resourceResolver, String userId, String key, PrivateKey privateKey,
+            Certificate[] certificates);
+
+    void addKeyStoreKeyPair(ResourceResolver resourceResolver, String userId, KeyPair keyPair, String key);
+
+    void createKeyStore(ResourceResolver resourceResolver, String userId, char[] keyStorePasswordCharArray);
+
+}

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/jmx/AceServiceMBean.java

@@ -16,8 +16,9 @@
 
 import javax.jcr.RepositoryException;
 
-import com.adobe.granite.jmx.annotation.Description;
-import com.adobe.granite.jmx.annotation.Name;
+import org.apache.jackrabbit.oak.api.jmx.Description;
+import org.apache.jackrabbit.oak.api.jmx.Name;
+
 
 /**
  * exposes functionalities of the Netcentric AC-Tool

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/jmx/AceServiceMBeanImpl.java

@@ -22,15 +22,14 @@
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.time.StopWatch;
+import org.apache.jackrabbit.oak.commons.jmx.AnnotatedStandardMBean;
 import org.apache.sling.jcr.api.SlingRepository;
 import org.osgi.service.component.annotations.Component;
 import org.osgi.service.component.annotations.Reference;
 import org.osgi.service.component.annotations.ReferencePolicyOption;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.adobe.granite.jmx.annotation.AnnotatedStandardMBean;
-
 import biz.netcentric.cq.tools.actool.api.InstallationOptionsBuilder;
 import biz.netcentric.cq.tools.actool.dumpservice.ConfigDumpService;
 import biz.netcentric.cq.tools.actool.history.AcHistoryService;
@@ -167,6 +166,7 @@ public String showInstallationLog(final String n, boolean verbose) throws Reposi
     public String purgeAllAuthorizablesFromConfiguration() {
         return acInstallationService.purgeAuthorizablesFromConfig();
     }
+
     @Override
     public String purgeAllAuthorizablesFromConfiguration(String configurationRootPath) {
         InstallationOptionsBuilder builder = new InstallationOptionsBuilder();
@@ -192,7 +192,4 @@ public String getVersion() {
         return acInstallationService.getVersion();
     }
 
-
-
-
 }