search

Netcentric / accesscontroltool

Rights and roles management for AEM made easy
Eclipse Public License 1.0
147 stars 92 forks source link

The product interface org.apache.jackrabbit.api.security.user.Query annotated with @ProviderType should not be implemented by custom code #671

Closed manuel-sanchez-vilt closed 9 months ago

manuel-sanchez-vilt commented 10 months ago

AEM Version, including Service Packs, Cumulative Fix Packs, etc: AEM 2023.7.12874.20230726T072051Z Access Control Tool version: 3.0.8

When I launch a non-production code quality pipeline in Cloud Manager I get the following critical bugs:

<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns="http://www.w3.org/TR/REC-html40">

File Location | Line Number | Issue | Type | Severity | Effort | Rule | Tags | Documentation -- | -- | -- | -- | -- | -- | -- | -- | -- Netcentric:accesscontroltool-package:3.0.8 | 0 | The product interface org.apache.jackrabbit.api.security.user.Query annotated with @ProviderType should not be implemented by custom code. Detected in biz.netcentric.cq.tools.actool.dumpservice.impl.DumpServiceImpl$1 contained in /apps/netcentric/actool/install/accesscontroltool-bundle-3.0.8.jar. | Bug | Critical | 30m | CQRules:CQBP-84 | cqsoftwarequality | https://www.adobe.com/go/aem_cmcq_cqbp-84_en Netcentric:accesscontroltool-package:3.0.8 | 0 | The product interface org.apache.jackrabbit.api.security.user.Query annotated with @ProviderType should not be implemented by custom code. Detected in biz.netcentric.cq.tools.actool.authorizableinstaller.impl.AuthInstallerUserManagerPrefetchingImpl$1 contained in /apps/netcentric/actool/install/accesscontroltool-bundle-3.0.8.jar. | Bug | Critical | 30m | CQRules:CQBP-84 | cqsoftwarequality | https://www.adobe.com/go/aem_cmcq_cqbp-84_en

teropikala commented 10 months ago

I'm seeing the same with version 3.0.9 and AEM Release 2023.9.13420.20230907T185228Z

teropikala commented 10 months ago

It looks like this relatively recent change has added @ProviderType to Query class:

https://issues.apache.org/jira/browse/OAK-10252 https://github.com/apache/jackrabbit-oak/pull/948

kwin commented 10 months ago

Thanks for the report and the pointers towards https://issues.apache.org/jira/browse/OAK-10252. I consider this a false positive and therefore raised https://issues.apache.org/jira/browse/OAK-10448. Until this is fixed in a newer Oak version please just ignore that issue in your Cloud Manager build.

teropikala commented 10 months ago

I had a quick look at the code and if I'm not mistaken it would be easy to address on accesscontroltool.

Those two classes define their own version of Query instead of building it with QueryBuilder.

kwin commented 10 months ago

QueryBuilder(https://github.com/apache/jackrabbit-oak/blob/dcd46825e21f373fda8dbfe61cdaeac522fe15eb/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/QueryBuilder.java) does not expose a method which returns a Query. Also AFAIK there is no Query implementation exposed by Oak/Jackrabbit which could be used with https://github.com/apache/jackrabbit-oak/blob/dcd46825e21f373fda8dbfe61cdaeac522fe15eb/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/UserManager.java#L167

teropikala commented 10 months ago

Indeed. I confused com.day.cq.search.Query and org.apache.jackrabbit.api.security.user.Query

@ProviderType annotation doesn't make any sense if correct way to use the Query/QueryBuilder is to define new class according to JavaDoc: https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/api/security/user/Query.html

thcharan commented 10 months ago

@kwin - the same issue reported for ACS Commons was resolved . FYI. https://github.com/Adobe-Consulting-Services/acs-aem-commons/issues/3185

kwin commented 10 months ago

@thcharan A similar one was reported for ACS AEM Commons but in this case it is really false positive while for ACS AEM Commons it was a correctly classified provider type interface which was implemented (JackrabbitSession).

tech-arch-forum commented 10 months ago

We also face the same critical issue in the Cloud Manager pipeline with version 6.0.6 is that getting resolve in next release?

kwin commented 10 months ago

No, as you can see in comments above this is a bug in Oak and requires a fix there.

adellanegra commented 10 months ago

Hi, any update about the issue fix? for deploying the code we are forced to "hide" the netcentric dependencies and it means that the tool is not available anymore so if we need urgently to be fixed.

Thanks

kwin commented 9 months ago

I think this has been fixed in newer versions of AEMaaCS meanwhile.