Automatically avoid modifying admin user

Author: Jeff Bornemann

docs/Running.adoc

@@ -181,20 +181,3 @@ Invalid:
        ]
    }
 ```
-
-=== Syncing Users and Groups
-
-Grabbit has support for syncing users and groups. One *important note* about syncing users is that you must take care to avoid syncing the _admin user_.
-Jackrabbit will not allow modification of the admin user, so Grabbit will fail on a job that attempts to do so. You can find the path of your admin user
-on your data-warehouse instance or other source instance; and add it as an exclude path as so:
-
-```
- pathConfigurations :
-     -
-       path : /home/groups
-     -
-       path : /home/users
-       excludePaths:
-         - k/ki9zhpzfe    #Admin user
-```
-

src/main/groovy/com/twcable/grabbit/jcr/AuthorizableProtoNodeDecorator.groovy

@@ -55,9 +55,13 @@ class AuthorizableProtoNodeDecorator extends ProtoNodeDecorator {
             throw new InsufficientGrabbitPrivilegeException("JVM Permissions needed by Grabbit to sync Users/Groups were not found. See log for specific permissions needed, and add these to your security manager; or do not sync users and groups." +
                                                             "Unfortunately, the way Jackrabbit goes about certain things requires us to do a bit of hacking in order to sync Authorizables securely, and efficiently.")
         }
-        Authorizable existingAuthorizable = findAuthorizable(session)
-        Authorizable newAuthorizable = existingAuthorizable ? updateAuthorizable(existingAuthorizable, session) : createNewAuthorizable(session)
+        //the administrator is a special user that Jackrabbit will not let us mess with.
+        if(getAuthorizableID() == 'admin') {
+            return new JCRNodeDecorator(session.getNode(findAuthorizable(session, 'admin').getPath()))
+        }
 
+        Authorizable existingAuthorizable = findAuthorizable(session, getAuthorizableID())
+        Authorizable newAuthorizable = existingAuthorizable ? updateAuthorizable(existingAuthorizable, session) : createNewAuthorizable(session)
         return new JCRNodeDecorator(session.getNode(newAuthorizable.getPath()), getID())
     }
 
@@ -123,9 +127,9 @@ class AuthorizableProtoNodeDecorator extends ProtoNodeDecorator {
     }
 
 
-    private Authorizable findAuthorizable(final Session session) {
+    private Authorizable findAuthorizable(final Session session, final String authorizableID) {
         final UserManager userManager = getUserManager(session)
-        return userManager.getAuthorizable(getAuthorizableID())
+        return userManager.getAuthorizable(authorizableID)
     }
 
 

src/main/groovy/com/twcable/grabbit/jcr/JCRNodeDecorator.groovy

@@ -35,6 +35,7 @@ import org.apache.jackrabbit.api.security.user.UserManager
 import org.apache.jackrabbit.commons.flat.TreeTraverser
 import org.apache.jackrabbit.value.DateValue
 import org.apache.sling.jcr.base.util.AccessControlUtil
+import org.slf4j.Logger
 
 
 import static org.apache.jackrabbit.JcrConstants.JCR_CREATED
@@ -169,7 +170,7 @@ class JCRNodeDecorator {
                 try {
                     return new JCRNodeDecorator(getSession().getNodeByIdentifier(value.string))
                 } catch(ItemNotFoundException ex) {
-                    log?.info "Tried following reference ${value.string} from ${getInnerNode().path}, but this node does not exist any longer. Skipping"
+                    _log().info "Tried following reference ${value.string} from ${getInnerNode().path}, but this node does not exist any longer. Skipping"
                 }
             }
         } as Collection<JCRNodeDecorator>
@@ -345,6 +346,13 @@ class JCRNodeDecorator {
         return innerNode.getName().hashCode()
     }
 
+    /**
+     * @SL4J generated log property, and @Delegate conflict on accessing log sometimes within closures. This is to get around that
+     */
+    private static Logger _log() {
+        return log
+    }
+
 
     @CompileStatic
     private static class NoRootInclusionPolicy implements InclusionPolicy<JCRNode> {

src/test/groovy/com/twcable/grabbit/jcr/AuthorizableProtoNodeDecoratorSpec.groovy

@@ -42,7 +42,7 @@ import static org.apache.jackrabbit.JcrConstants.JCR_PRIMARYTYPE
 class AuthorizableProtoNodeDecoratorSpec extends Specification {
 
 
-    AuthorizableProtoNodeDecorator theProtoNodeDecoratorForUser(boolean hasProfile, boolean hasPreferences, Closure configuration = null){
+    AuthorizableProtoNodeDecorator theProtoNodeDecoratorForUser(boolean hasProfile, boolean hasPreferences, String id, Closure configuration = null){
         ProtoNodeBuilder nodeBuilder = ProtoNode.newBuilder()
         nodeBuilder.setName('/home/users/u/user1')
 
@@ -69,7 +69,7 @@ class AuthorizableProtoNodeDecoratorSpec extends Specification {
                 .setName('rep:authorizableId')
                 .setType(STRING)
                 .setMultiple(false)
-                .addValues(ProtoValue.newBuilder().setStringValue('authorizableID'))
+                .addValues(ProtoValue.newBuilder().setStringValue(id))
                 .build()
         nodeBuilder.addProperties(authorizableIdProperty)
 
@@ -185,6 +185,39 @@ class AuthorizableProtoNodeDecoratorSpec extends Specification {
     }
 
 
+    def "Does not attempt to modify the administrator"() {
+        when:
+        final adminNode = Mock(Node) {
+            getProperty(JCR_PRIMARYTYPE) >> Mock(Property) {
+                it.getString() >> 'rep:User'
+            }
+            getProperties() >> Mock(PropertyIterator) {
+                it.toList() >> []
+            }
+        }
+        final session = Mock(Session) {
+            it.getNode('/home/users/m/a') >> adminNode
+        }
+        final protoNodeDecorator = theProtoNodeDecoratorForUser(false, false, 'admin') {
+            it.getSecurityManager() >> Mock(SecurityManager) {
+                it.checkPermission(_) >> {
+                    return
+                }
+            }
+            it.getUserManager(session) >> Mock(UserManager) {
+                it.getAuthorizable('admin') >> Mock(Authorizable) {
+                    it.getPath() >> '/home/users/m/a'
+                }
+            }
+        }
+
+        final JCRNodeDecorator resultNode = protoNodeDecorator.writeToJcr(session)
+
+        then:
+        (resultNode as Node) == adminNode
+    }
+
+
     def "Passes security check if all JVM permissions are present"() {
         when:
         final session = Mock(Session) {
@@ -281,7 +314,7 @@ class AuthorizableProtoNodeDecoratorSpec extends Specification {
             1 * it.setProperty('cq:authorizableCategory', new StringValue('mcm'))
             it.getPath() >> 'newUserPath'
         }
-        final protoNodeDecorator = theProtoNodeDecoratorForUser(false, false) {
+        final protoNodeDecorator = theProtoNodeDecoratorForUser(false, false, 'authorizableID') {
             it.getName() >> '/home/users/auth_folder/user'
             it.getSecurityManager() >> null
             it.setPasswordForUser(newUser, session) >> {
@@ -356,7 +389,7 @@ class AuthorizableProtoNodeDecoratorSpec extends Specification {
         final session = Mock(Session) {
             it.getNode('/home/users/u/newuser') >> node
         }
-        final protoNodeDecorator = theProtoNodeDecoratorForUser(exists, false) {
+        final protoNodeDecorator = theProtoNodeDecoratorForUser(exists, false, 'authorizableID') {
             it.getSecurityManager() >> null
             it.getUserManager(session) >> Mock(UserManager) {
                 it.getAuthorizable('authorizableID') >> Mock(Authorizable) {
@@ -392,7 +425,7 @@ class AuthorizableProtoNodeDecoratorSpec extends Specification {
         final session = Mock(Session) {
             it.getNode('/home/users/u/newuser') >> node
         }
-        final protoNodeDecorator = theProtoNodeDecoratorForUser(false, exists) {
+        final protoNodeDecorator = theProtoNodeDecoratorForUser(false, exists, 'authorizableID') {
             it.getSecurityManager() >> null
             it.getUserManager(session) >> Mock(UserManager) {
                 it.getAuthorizable('authorizableID') >> Mock(Authorizable) {
@@ -431,7 +464,7 @@ class AuthorizableProtoNodeDecoratorSpec extends Specification {
             1 * it.removeMember(_)
             1 * it.addMember(_)
         }
-        final protoNodeDecorator = theProtoNodeDecoratorForUser(false, false) {
+        final protoNodeDecorator = theProtoNodeDecoratorForUser(false, false, 'authorizableID') {
             it.getUserManager(session) >> Mock(UserManager) {
                 it.getAuthorizable('authorizableID') >> Mock(Authorizable) {
                     it.declaredMemberOf() >> [group].iterator()