Skip to content

Commit

Permalink
Limit permissions of service user and update docs for security
Browse files Browse the repository at this point in the history
  • Loading branch information
@bdhoine
bdhoine committed Sep 28, 2023
1 parent 851fb71 commit baad69a
Show file tree
Hide file tree
Showing 8 changed files with 194 additions and 168 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Changed

- Permissions for service user are only to save scripts, replicate scripts and read user groups [#46](https://github.com/orbinson/aem-groovy-console/issues/46)

## [19.0.4] - 2023-08-14

### Added
Expand Down
184 changes: 18 additions & 166 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,203 +3,55 @@
[![Build and test for AEM 6.5](https://github.com/orbinson/aem-groovy-console/actions/workflows/build.yml/badge.svg)](https://github.com/orbinson/aem-groovy-console/actions/workflows/build.yml)
[![Build with AEM IDE](https://img.shields.io/badge/Built%20with-AEM%20IDE-orange)](https://plugins.jetbrains.com/plugin/9269-aem-ide)


# AEM Groovy Console

> [!IMPORTANT]
> Currently Adobe Managed Services is not allowing AEM Groovy Console to be installed on production publish environments for security reasons. We are taking actions in order to get it accepted.
## Overview
> Adobe Managed Services is not allowing AEM Groovy Console to be installed currently on production publish environments for security reasons. We are taking actions in order to get it accepted.
The AEM Groovy Console provides an interface for running [Groovy](https://www.groovy-lang.org) scripts in Adobe
Experience Manager. Scripts can be created to manipulate content in the JCR, call OSGi services, or execute arbitrary
code using the AEM, Sling, or JCR APIs. After installing the package in AEM (instructions below), see
the [console page](http://localhost:4502/groovyconsole) for documentation on the available bindings and methods. Sample
scripts are included in the package for reference.
the [console page](http://localhost:4502/groovyconsole) for documentation on the available bindings and methods. [Sample
scripts](ui.content/src/main/content/jcr_root/conf/groovyconsole/scripts/samples) are included in the package for reference.

![Screenshot](docs/assets/screenshot.png)

## Compatibility

AEM Groovy Console 19.0.1+ runs on Java 8 and 11 with an embedded Groovy version of 4.0.9
AEM Groovy Console `19.0.1+` runs on Java `8` and `11` with an embedded Groovy version of `4.0.9`.

Supported versions:

* AEM On premise: `>= 6.5.10`
* AEM as a Cloud Service: `>= 2022.11`
* Sling: `>=12`

To install the AEM Groovy Console on older AEM versions check the original
project [aem-groovy-console](https://github.com/CID15/aem-groovy-console)

## Installation

### Manual
Consult the [installation](docs/installation.md) documentation how you can start using the AEM Groovy Console.

1. Download the
console [aem-groovy-console-all](https://github.com/orbinson/aem-groovy-console/releases/download/19.0.3/aem-groovy-console-all-19.0.3.zip)
content package and install with [PackMgr](http://localhost:4502/crx/packmgr). For previous versions you can search
on the [Maven Central repository](https://search.maven.org/search?q=a:aem-groovy-console).

2. Navigate to the [groovyconsole](http://localhost:4502/groovyconsole) page.

### Maven profiles

Maven profiles can be used to install the bundles to AEM / Sling
To install the AEM Groovy Console on older AEM versions check the original
project [aem-groovy-console](https://github.com/CID15/aem-groovy-console).

* AEM Author running on localhost:4502
* api, bundle, ui.apps, ui.apps.aem, ui.config, ui.content: `-P auto-deploy`
* all: `-P auto-deploy-single-package,aem`
* AEM Publish running on localhost:4503
* api, bundle, ui.apps, ui.apps.aem, ui.config, ui.content: `-P auto-deploy,publish`
* all: `-P auto-deploy-single-package,aem,publish`
* Sling running on localhost:8080
* api, bundle, ui.apps, ui.apps.aem, ui.config, ui.content: `-P auto-deploy,sling`
* all: `-P auto-deploy-single-package,sling`
## Usage

### Embedded package
There are several ways to [execute](docs/execution.md) Groovy scripts. The AEM Groovy Console also comes with a lot of [configuration](docs/configuration.md) options. If you want to extend the AEM Groovy Console consult the [extension](docs/extension.md) documentation for extension hooks, registering additional metaclasses and how to add notifications.

To deploy the Groovy Console as an embedded package you need to update your `pom.xml`
## Security

1. Add the `aem-groovy-console-all` to the `<dependencies>` section
In order to get more details on the used `Session` and `ResourceResolver` to run scripts please consult the [Groovy documentation](https://orbinson.github.io/aem-groovy-console) for the bindings and methods. In general the session derived from the request is used to run the scripts when using the web console or http requests.

```xml
<dependency>
<groupId>be.orbinson.aem</groupId>
<artifactId>aem-groovy-console-all</artifactId>
<version>19.0.3</version>
<type>zip</type>
</dependency>
```
2. Embed the package in with
the [filevault-package-maven-plugin](https://jackrabbit.apache.org/filevault-package-maven-plugin/) in
the `<embeddeds>` section
In order to run scripts or create scheduled jobs you need [configure](docs/configuration.md) specific user groups to execute scripts.

```xml
<embedded>
<groupId>be.orbinson.aem</groupId>
<artifactId>aem-groovy-console-all</artifactId>
<target>/apps/vendor-packages/content/install</target>
</embedded>
```
For scheduled or distributed execution, which is disabled by default, you need to configure permissions for the `aem-groovy-console-service` service user. The default [permissions](ui.config/src/main/content/jcr_root/apps/groovyconsole-config/osgiconfig/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-groovyconsole.config) for the service user are the ones needed to read user groups to check execution permissions, save scripts and replicate scripts.

### AEM Dispatcher
If you need access to the repository for scheduled or distributed execution you need to configure extra permissions.

If you need to have the Groovy Console available through the dispatcher on a publish instance you can add the filters
following configuration.
For example if you want to run migrations on the `/content` tree you can deploy the following RepoInit script:

```text
# Allow Groovy Console page
/001 {
/type "allow"
/url "/groovyconsole"
}
/002 {
/type "allow"
/url "/apps/groovyconsole.html"
}
# Allow servlets
/003 {
/type "allow"
/path "/bin/groovyconsole/*"
}
set ACL for aem-groovy-console-service
allow jcr:all /content
end
```

## Building From Source

To build and install the latest development version of the Groovy Console to use in AEM (or if you've made source
modifications), run
the following Maven command.

```shell
mvn clean install -P autoInstallSinglePackage
```

## OSGi Configuration

To check the OSGi configuration navigate to
the [Groovy Console Configuration Service](http://localhost:4502/system/console/configMgr/be.orbinson.aem.groovy.console.configuration.impl.DefaultConfigurationService)
OSGi configuration page.

| Property | Description | Default Value |
|---------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------|
| Email Enabled? | Check to enable email notification on completion of script execution. | `false` |
| Email Recipients | Email addresses to receive notification. | `[]` |
| Script Execution Allowed Groups | List of group names that are authorized to use the console. By default, only the 'admin' user has permission to execute scripts. | `[]` |
| Scheduled Jobs Allowed Groups | List of group names that are authorized to schedule jobs. By default, only the 'admin' user has permission to schedule jobs. | `[]` |
| Audit Disabled? | Disables auditing of script execution history. | `false` |
| Display All Audit Records? | If enabled, all audit records (including records for other users) will be displayed in the console history. | `false` |
| Thread Timeout | Time in seconds that scripts are allowed to execute before being interrupted. If 0, no timeout is enforced. | 0 |
| Distributed execution enabled? | If enabled, a script will be able to be replicated from an author and executed on all default replication agents. | `false` |

## Batch script execution

Saved scripts can be remotely executed by sending a POST request to the console servlet with either the `scriptPath`
or `scriptPaths` query parameter.

### Single script

```shell
curl -d "scriptPath=/conf/groovyconsole/scripts/samples/JcrSearch.groovy" -X POST -u admin:admin http://localhost:4502/bin/groovyconsole/post.json
```

### Multiple scripts

```shell
curl -d "scriptPaths=/conf/groovyconsole/scripts/samples/JcrSearch.groovy&scriptPaths=/conf/groovyconsole/scripts/samples/FulltextQuery.groovy" -X POST -u admin:admin http://localhost:4502/bin/groovyconsole/post.json
```

## Extensions

The Groovy Console provides extension hooks to further customize script execution. The console provides an API
containing extension provider interfaces that can be implemented as OSGi services in any bundle deployed to an AEM
instance. See the default extension providers in the `be.orbinson.aem.groovy.console.extension.impl` package for
examples of how a bundle can implement these services to supply additional script bindings, compilation customizers,
metaclasses, and star imports.

| Service Interface | Description |
|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
| `be.orbinson.aem.groovy.console.api.BindingExtensionProvider` | Customize the bindings that are provided for each script execution. |
| `be.orbinson.aem.groovy.console.api.CompilationCustomizerExtensionProvider` | Restrict language features (via blacklist or whitelist) or provide AST transformations within the Groovy script compilation. |
| `be.orbinson.aem.groovy.console.api.ScriptMetaClassExtensionProvider` | Add runtime metaclasses (i.e. new methods) to the underlying script class. |
| `be.orbinson.aem.groovy.console.api.StarImportExtensionProvider` | Supply additional star imports that are added to the compiler configuration for each script execution. |

## Registering Additional Metaclasses

Services implementing the `be.orbinson.aem.groovy.console.extension.MetaClassExtensionProvider` will be automatically
discovered and bound by the OSGi container. These services can be implemented in any deployed bundle. The AEM Groovy
Extension bundle will handle the registration and removal of supplied metaclasses as these services are
activated/deactivated in the container. See the `DefaultMetaClassExtensionProvider` service for the proper closure
syntax for registering metaclasses.

## Notifications

To provide custom notifications for script executions, bundles may implement
the `be.orbinson.aem.groovy.console.notification.NotificationService` interface (see
the `be.orbinson.aem.groovy.console.notification.impl.EmailNotificationService` class for an example). These services
will
be dynamically bound by the Groovy Console service and all registered notification services will be called for each
script execution.

## Scheduler

The Scheduler allows for immediate (asynchronous) or Cron-based script execution. Scripts are executed
as [Sling Jobs](https://sling.apache.org/documentation/bundles/apache-sling-eventing-and-job-handling.html) and are
audited in the same manner as scripts executed in the console.

### Scheduled Job Event Handling

Bundles may implement services
extending `be.orbinson.aem.groovy.console.job.event.AbstractGroovyConsoleScheduledJobEventHandler` to provide
additional post-processing or notifications for completed Groovy Console jobs.
See `be.orbinson.aem.groovy.console.job.event.DefaultGroovyConsoleEmailNotificationEventHandler` for an example of the
required annotations to register a custom event handler.

## Sample Scripts

Sample scripts can be found in the [samples](src/main/content/jcr_root/conf/groovyconsole/scripts/samples) directory.

## Kudos

Kudos to [ICF Next](https://github.com/icfnext/aem-groovy-console)
Expand Down
2 changes: 1 addition & 1 deletion ...oovy/be/orbinson/aem/groovy/console/configuration/impl/DefaultConfigurationService.groovy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@ class DefaultConfigurationService implements ConfigurationService {
resourceResolverFactory.getServiceResourceResolver(null).withCloseable { resourceResolver ->
def userManager = resourceResolver.adaptTo(UserManager);
if (userManager != null) {
def user = resourceResolver.adaptTo(UserManager).getAuthorizable(request.userPrincipal) as User
def user = userManager.getAuthorizable(request.userPrincipal) as User
def memberOfGroupIds = user.memberOf()*.ID

LOG.debug("member of group IDs : {}, allowed group IDs : {}", memberOfGroupIds, groupIds)
Expand Down
18 changes: 18 additions & 0 deletions docs/configuration.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Configuration

To check the OSGi configuration navigate to
the [Groovy Console Configuration Service](http://localhost:4502/system/console/configMgr/be.orbinson.aem.groovy.console.configuration.impl.DefaultConfigurationService)
OSGi configuration page.

The following configuration properties are available:

| Property | Description | Default Value |
|---------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------|
| Email Enabled? | Check to enable email notification on completion of script execution. | `false` |
| Email Recipients | Email addresses to receive notification. | `[]` |
| Script Execution Allowed Groups | List of group names that are authorized to use the console. By default, only the 'admin' user has permission to execute scripts. | `[]` |
| Scheduled Jobs Allowed Groups | List of group names that are authorized to schedule jobs. By default, only the 'admin' user has permission to schedule jobs. | `[]` |
| Audit Disabled? | Disables auditing of script execution history. | `false` |
| Display All Audit Records? | If enabled, all audit records (including records for other users) will be displayed in the console history. | `false` |
| Thread Timeout | Time in seconds that scripts are allowed to execute before being interrupted. If 0, no timeout is enforced. | 0 |
| Distributed execution enabled? | If enabled, a script will be able to be replicated from an author and executed on all default replication agents. | `false` |
34 changes: 34 additions & 0 deletions docs/execution.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# Execution

There are a various way to run Groovy scripts with the AEM Groovy Console.

## Batch script execution

Saved scripts can be remotely executed by sending a POST request to the console servlet with either the `scriptPath`
or `scriptPaths` query parameter.

### Single script

```shell
curl -d "scriptPath=/conf/groovyconsole/scripts/samples/JcrSearch.groovy" -X POST -u admin:admin http://localhost:4502/bin/groovyconsole/post.json
```

### Multiple scripts

```shell
curl -d "scriptPaths=/conf/groovyconsole/scripts/samples/JcrSearch.groovy&scriptPaths=/conf/groovyconsole/scripts/samples/FulltextQuery.groovy" -X POST -u admin:admin http://localhost:4502/bin/groovyconsole/post.json
```

## Scheduler

The Scheduler allows for immediate (asynchronous) or Cron-based script execution. Scripts are executed
as [Sling Jobs](https://sling.apache.org/documentation/bundles/apache-sling-eventing-and-job-handling.html) and are
audited in the same manner as scripts executed in the console.

### Scheduled Job Event Handling

Bundles may implement services
extending `be.orbinson.aem.groovy.console.job.event.AbstractGroovyConsoleScheduledJobEventHandler` to provide
additional post-processing or notifications for completed Groovy Console jobs.
See `be.orbinson.aem.groovy.console.job.event.DefaultGroovyConsoleEmailNotificationEventHandler` for an example of the
required annotations to register a custom event handler.
33 changes: 33 additions & 0 deletions docs/extension.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# Extensions

## Extension Hooks

The Groovy Console provides extension hooks to further customize script execution. The console provides an API
containing extension provider interfaces that can be implemented as OSGi services in any bundle deployed to an AEM
instance. See the default extension providers in the `be.orbinson.aem.groovy.console.extension.impl` package for
examples of how a bundle can implement these services to supply additional script bindings, compilation customizers,
metaclasses, and star imports.

| Service Interface | Description |
|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
| `be.orbinson.aem.groovy.console.api.BindingExtensionProvider` | Customize the bindings that are provided for each script execution. |
| `be.orbinson.aem.groovy.console.api.CompilationCustomizerExtensionProvider` | Restrict language features (via blacklist or whitelist) or provide AST transformations within the Groovy script compilation. |
| `be.orbinson.aem.groovy.console.api.ScriptMetaClassExtensionProvider` | Add runtime metaclasses (i.e. new methods) to the underlying script class. |
| `be.orbinson.aem.groovy.console.api.StarImportExtensionProvider` | Supply additional star imports that are added to the compiler configuration for each script execution. |

## Registering Additional Metaclasses

Services implementing the `be.orbinson.aem.groovy.console.extension.MetaClassExtensionProvider` will be automatically
discovered and bound by the OSGi container. These services can be implemented in any deployed bundle. The AEM Groovy
Extension bundle will handle the registration and removal of supplied metaclasses as these services are
activated/deactivated in the container. See the `DefaultMetaClassExtensionProvider` service for the proper closure
syntax for registering metaclasses.

## Notifications

To provide custom notifications for script executions, bundles may implement
the `be.orbinson.aem.groovy.console.notification.NotificationService` interface (see
the `be.orbinson.aem.groovy.console.notification.impl.EmailNotificationService` class for an example). These services
will
be dynamically bound by the Groovy Console service and all registered notification services will be called for each
script execution.
Loading

0 comments on commit baad69a

Please sign in to comment.