1. Make sure the following path is present on author /etc/cqsm/import/jcr:content/cqsmInclude
2. Execute "Run on publish" on any script
3. The entire /etc/cqsm/import/jcr:content/cqsmInclude gets removed

• Change package name to apm
• Fix resolution for tables
• History node is not recreated whenever used from backend API
• Created at column in import table is not filled in

Yet another implemented, but undocumented endpoint: /bin/cqsm/list

Internal ticket reference: CQSM-220

I'd like to have main run.cqsm script, but each subscripts also could be run separately for e.g testing.

run.cqsm

DEFINE market 'en'
IMPORT market.cqsm
DEFINE market 'pl'
IMPORT market.cqsm

market.cqsm

IMPORT definitions.cqsm ONCE
CREATE USER my_user ${user_path}/${market}
# ...

but the IMPORT path ONCE is not available. Still redefining variables is nice, but if definitions.cqsm has some other rules that shouldn't be run again that ONCE will prevent some errors and improve performance.

this is issue is about a workaround which can be handled in other way: #34 (which I also invented, but nah still not implemened)

STRICT glob means that it matches given path only
MODIFY gives two permissions for given path and for glob /jcr:content
Question is what should the following action result to?
ALLOW /content STRICT [ MODIFY ]

BEGIN MACRO content_market('lang_code', 'permissions')
   # Allow to read site root path
    DENY    ${content_path}                                    [READ]
    ALLOW   ${content_path}   STRICT                           [READ]
    ALLOW   ${content_path}   /jcr:content                     [READ]
    ALLOW   ${content_path}   /jcr:primaryType                 [READ]

    # Allow to read site channel root path
    DENY    ${content_path}/default                            [READ]
    ALLOW   ${content_path}/default   STRICT                   [READ]
    ALLOW   ${content_path}/default   /jcr:content             [READ]
    ALLOW   ${content_path}/default   /jcr:primaryType         [READ]

    ALLOW   ${content_path/default/${langCode} ${permissions}

END MACRO

then just

USE MACRO content_market('en_US', [ALL])
USE MACRO content_market('pl_PL', [READ])

macro argument names are quoted intentionally to be able to inject there other variables.

APM will provide many built-in macros, for instance for filtered workflows to be launched by author

BEGIN MACRO workflows_only_at('path')
    ADD TO GROUP 'workflow-users'
    DENY    /etc/workflow/models /*                              [READ]
    ALLOW /etc/workflow/models/${path}                           [READ]
END MACRO

USE MACRO workflows_only_at('my-site')

Difference between cqsm-2.0.0 and cqsm-2.0.0-aem61 is not documented anywhere. It seems the 1st one is for newest AEM (6.2 at the time of writing) and 2nd one is for AEM 6.1 only.

Can we introduce consistent naming convention, please? Lack of suffix everywhere will introduce confusion upon next AEM release.

It is very often that projects are re-using scripts with different parameter values. Add possibility to pass arguments in INCLUDE action.

Current state

Main script:

DEFINE name 'foo'
DEFINE pass 'p@$$'
RUN create-user.cqsm

Script create-user.cqsm:

CREATE USER $name $pass 

Proposed solution

Main script:

RUN create-user.cqsm name=['foo'] pass='p@$$'

Script create-user.cqsm:

REQUIRE [name, pass]    # throws error when name or pass is not defined

CREATE USER $name $pass 

Additional requirements:

• Create new command (or add handler on the level of ANTLR handlers): REQUIRE - if definition of given name isn't currently accessible, throw an error.
• This feature depends on #185.

http://creadur.apache.org/rat/apache-rat-plugin/

Hi,

Is there a possible way with this tool, to export the user groups that is currently available in the project ?

Thanks in advance.

Currently, when a CQSM script is run, it overrides permissions applied by CUGs. In result, you must "resynchronise" CUG after each run of CQSM.
It would be nice if there is an option to tell CQSM to resynchronise CUGs after running a script. A script to resynchronize CUGs is already created synchronise_CUGs.txt

change tool name from Security Management to Permission Management

• mention lombok
• custom code formatter settings

We have a config for Delegating Servlet from ACS Commons that is mapping the wcm/core/components/designer to acs-commons/components/utilities/designer.

Because of the fact that /apps/cqsm/core/renderers/cqsmRenderer inherits from cqsm/core/renderers/base and this in turn inherits from wcm/core/components/designer, the Delegating servlet was mapping the cqsmRenderer to acs-commons/components/utilities/designer which was causing the tool to break. This realtionship is really weird and probably could be removed.

On trusty images oraclejdk7 is no longer supported. This is why we are getting travis failures.

We could remove it from .travis.yml file or switch to openjdk7.

Also, maybe precise image would work with oracle JAVA but this would require more work for Travis configuration.

view-source:http://localhost:4503/etc/cqsm/pages/viewCqsmFile.html?wcmmode=disabled&filename=xxx.cqsm&filepath=/etc/cqsm/import/_jcr_content/xxx.cqsm

/bin/cqsm/history was implemented some time ago, but stays completely undocumented.

Internal ticket reference: CQSM-226

• add travis build
• add build status

Currently, the permission store lookup is performed using ResourceResolver.
In fact, this could be achieved easily while staying on the JCR API.

instead

CREATE USER xx
FOR USER xx
   SET PROPERTY profile/givenName 'XX'

why not just

CREATE USER xx THEN
   SET PROPERTY profile/givenName 'XX'

It will help to create scripts that can be launched multiple times.
Currently when we are using REMOVE USER ... command no permissions are cleaned so old script operations may have impact and we are not sure if our script is complete.

Business background:
AEM publisher ACLs differs than author's. Sometimes different instances of publisher has different ACL's (solr indexers). The purpose of the instance is reflected in instance run modes.

Enhancement:
The idea is to auto-run scripts when specified run modes are present.
Feature will introduce new property at script content : cqsm:allowedRunModes.
This property would work only when script is run in auto-run mode. Providing that this property will be effective only when set together with cqsm:executionMode. It doesn't matter if it will be scheduled, run on startup or when modified.
Few examples:

• Script 1 content:
  cqsm:executionMode = ON_STARTUP
  cqsm:allowedRunModes = [publish,indexer]
  instance run modes: publish
  RESULT: script won't be run
• Script 2 content:
  cqsm:executionMode = ON_STARTUP
  cqsm:allowedRunModes = [publish,indexer]
  instance run modes: publish,indexer,backup1
  RESULT: script will be run

it will be nice to have option to run/dry run all scripts.
To introduce such functionatity there should be posibility to change order of scripts in custom way (some arrows to move script on list + some buttons to sort i.e. alfabetically)

executionSummary and executionSummaryJson is the same thing, the only difference is that the first one is an evaluated version of the latter.

[
    {
        "author": "admin",
        "executionSummary": [
            {
                "actionName": "CreateAuthorizable",
                "command": "CREATE USER abcd-dev-author IF NOT EXISTS",
                "messages": [
                    {
                        "text": "User with id: abcd-dev-author created",
                        "type": "info"
                    }
                ],
                "parameters": "abcd-dev-author",
                "status": "SUCCESS"
            },
            {
                "actionName": "ForAuthorizable",
                "command": "FOR USER abcd-dev-author",
                "messages": [
                    {
                        "text": "User with id: abcd-dev-author set as current authorizable",
                        "type": "info"
                    }
                ],
                "parameters": "abcd-dev-author",
                "status": "SUCCESS"
            }
        ],
        "executionSummaryJson": "[\n  {\n    \"actionName\": \"CreateAuthorizable\",\n    \"command\": \"CREATE USER abcd-dev-author IF NOT EXISTS\",\n    \"parameters\": \"abcd-dev-author\",\n    \"messages\": [\n      {\n        \"text\": \"User with id: abcd-dev-author created\",\n        \"type\": \"info\"\n      }\n    ],\n    \"status\": \"SUCCESS\"\n  },\n  {\n    \"actionName\": \"ForAuthorizable\",\n    \"command\": \"FOR USER abcd-dev-author\",\n    \"parameters\": \"abcd-dev-author\",\n    \"messages\": [\n      {\n        \"text\": \"User with id: abcd-dev-author set as current authorizable\",\n        \"type\": \"info\"\n      }\n    ],\n    \"status\": \"SUCCESS\"\n  }\n]",
        "executionTime": "Sep 12, 2016 8:49:06 PM",
        "executor": "admin",
        "fileName": "abcd-demo-dev-users.cqsm",
        "filePath": "/etc/cqsm/history/jcr:content/cqsmHistory/abcd-demo-dev-users.cqsm/script",
        "instanceHostname": "abcd-vagrant.local",
        "instanceType": "author",
        "path": "/etc/cqsm/history/jcr:content/cqsmHistory/abcd-demo-dev-users.cqsm",
        "uploadTime": "Sep 12, 2016 8:43:18 PM"
    }
]

Provide mechanism which will allow to execute the block statement only if the user is created for the first time:

For example in our script, we have users with initial password (after first log in they are forced to change it):

CREATE USER my@user ${users_path} IF NOT EXISTS
FOR USER my@user
	SET-PROPERTY profile/givenName Name
	SET-PROPERTY profile/familyName LastName
	SET-PROPERTY profile/email my@use
	SET PASSWORD initial-password
        ADD TO GROUP site-viewers
	ADD TO GROUP super-authors

If this script is executed after the user has modified his details (password etc...) then we would reset it to the initial one.

We will need something like this:

IF USER NOT EXISTS my@user ${users_path}
        CREATE USER my@user ${users_path}
	SET-PROPERTY profile/givenName Name
	SET-PROPERTY profile/familyName LastName
	SET-PROPERTY profile/email my@user
	SET PASSWORD initial-password

FOR USER my@user
        ADD TO GROUP site-viewers
	ADD TO GROUP super-authors
        ADD TO GROUP admin

Open the logs, look for errors

Actual

Following error present on author and publish:

20.07.2017 11:22:57.634 ERROR [qtp1008368614-286635] org.apache.felix.metatype Missing element AD in element OCD : bundle://549.1:0/OSGI-INF/metatype/com.cognifide.cq.cqsm.core.jobs.JobResultsCache.xml 20.07.2017 11:22:57.638 ERROR [qtp1008368614-286635] org.apache.felix.metatype Missing element AD in element OCD : bundle://553.0:0/OSGI-INF/metatype/com.cognifide.cq.atm.monitor.FailureLogListener.xml 20.07.2017 11:22:57.638 ERROR [qtp1008368614-286635] org.apache.felix.metatype Missing element AD in element OCD : bundle://553.0:0/OSGI-INF/metatype/com.cognifide.cq.atm.monitor.MonitorDispatcherService.xml

Expected

No "Missing element AD in element OCD" errors.

Just noticed that Run on author action doesn't update Last run on author column. The entire /etc/cqsm/import.html needs to be refreshed to see that.

For most cases this is probably not a problem to have particular version of CQ Actions being installed with APM, but in our project, we have got our own CQ Actions installed, and we cannot update version currently.

Proposed solution is to make APM generate two packages: one as it is currently, and another with CQ Action bundles embedded inside APM bundle, and CQ Actions removed from install folder of APM package.

Expected:
When publish instances are stopped, running uploaded script with "Run on publish" should end up with error: publish unavailable or similar.
Actual:
"Run on publish" with no active publish server ends up with success.

Is error expected when I run DRY RUN?

Child members can only be removed from groups.

Generally some parts of scripts are reused and parametrized with some definitions from parent script. But when they are executed separately .. error is cased because of lack of defined definitions. For testing/dev purposes it would be nice to have a possibility to test sub scripts by just implementing "DEFINE ... IF NOT EXISTS" (define value only if it is not defined previously)

Upfront explanation:

• application in this context is a CRX package that contains *.cqsm files and saves them in JCR repository under /etc/cqsm/import/jcr:content/cqsmImport and /etc/cqsm/import/jcr:content/cqsmInclude

APM execution date displayed on http://localhost:4502/etc/cqsm/import.html comes from JCR property that's stored directly under given script as cqsm:executionLast. Upon application update APM scripts get replaced and this property is gone. Eventually, even though given script was executed and hasn't changed in the new app, /etc/cqsm/import.html will show that this script was never executed, which is not true. If script has changed then this is absolutely expected.

At the same time there's a full history under /etc/cqsm/history/jcr:content, which I rely on at the moment in my Chef cookbook to verify if script has or hasn't been run yet.

All in all execution history is stored in 2 places - directly under given script as well as under /etc/cqsm/history/jcr:content. Is this really a reasonable approach?

This is not a big deal, but affects user experience and can lead to misleading conclusions sometimes.

Possible considerations and solutions:

• ideally execution history should be stored in a single place
• application (custom CRX package) should never overwrite /etc/cqsm/import/jcr:content/cqsmImport and /etc/cqsm/import/jcr:content/cqsmInclude. MERGE filter should be used instead (to avoid unwanted removal of cqsm:executionLast property from scripts)
• even though above change will preserve the cqsm:executionLast property it doesn't really mean that information about last execution on /etc/cqsm/import.html will be accurate, as content of given script can change with application upgrade
• whenever Created at date is newer than cqsm:executionLast (please note that it may happen if MERGE filter was used in my application package), given script should be considered as not yet executed (in other words cqsm:executionLast should get removed). This is not ideal, as create/update date of given node doesn't really mean that something has been updated in a script
• for higher execution accuracy different approach can be taken into consideration - each script is identified by its content. Whenever that changes, APM should mark script as not yet executed. It probably means we need to introduce some sort of a script checksum. It can be a brand new JCR property that's attached to each script. Thanks to that whenever user opens import console, history is searched to see if there's an entry that contains that checksum property. Don't know what are the performance implications of such change though, in particular for an instance that contains hundreds of history entries. Additionally APM should recalculate script's checksum if file was modified (either by a package installation or an in-place update). I imagine that as a sort of a listener.

Internal ticket reference: CQSM-245

Propose the output structure and implement a servlet listing all execution history.

Extension bundles can add new features to parser. Script manager could trigger preprocess event before every command parsing.

When using APM on AEM 6.3 the following error appears in logs:
org.apache.sling.api.resource.LoginException: Bundle com.cognifide.cq.cqsm is NOT whitelisted

Since the 6.3 version of AEM all bundles that use administrative resource resolver have to be whitelisted in Apache Sling Login Admin Whitelist OSGi configuration.

There are two possible ways to fix this issue. One is to whitelist the APM bundle by providing the following OSGi configuration:
org.apache.sling.jcr.base.internal.LoginAdminWhitelist.fragment

The other one is to replace the administrative resource resolver with service resource resolver. But first it should to be determined if this solution is possible.

Not sure if that's a bug or an improvement, but it'd be nice to see non-200 response if an error occurred during CQSM script run. There's a way to verify if such case actually happened, as response body contains JSON with all required data.

Upload script on Author, use 'Run on publish` button.
Expected:
Import page 'Recently executed at' column should state last publish run date,
Actual:
Import page 'Recently executed at' column states that script was never run.
Note that History for that run is created properly. (This is a problem on scirpt node level itself)

Instead of one type of event listener, we should extend our API and implement 3 types of listeners:

• lifecycle listener (args: script, returns boolean / if false blocking saving, removing)
• execution listener (args: progress, context)
• parser listener (args: script, command, returns: modified command)

During script execution from /etc/cqsm/import.html console hundreds of HTTP requests get sent to /bin/cqsm/run-background?id=<DATE>/<ID>. For the sake of example, please take a look at these screenshots:

During 45 seconds of execution 972 requests were made. Sounds like a way more than we need. It'd be great if we can reduce the frequency and/or introduce some sort of a back off approach (to not overload AEM instance with redundant HTTP traffic).

Basing on [~michal_zietek]'s suggestion we should hide or display as tree or something.. related scripts on imported scripts list. Some partial scripts are always invalid because they are included from other scripts.

Two new tags have been created 26 days ago (https://github.com/Cognifide/APM/releases), which indicates final release, but none of them contains corresponding CRX package. Could you please include them?

The only way to get that package is build from source, which is an inconvenience for anyone that'd like to use APM.

APM enables user to run script on publish instance via Run on publish button. Is it possible to verify if given script has been already executed there?