Merge branch 'trunk' into OAK-11286

Author: reschke

.commit-check.yml

@@ -0,0 +1,32 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# format as outlined in https://github.com/commit-check/commit-check/blob/main/.commit-check.yml
+# further information in https://github.com/commit-check/commit-check/blob/main/README.rst
+checks:
+  - check: message
+    regex: '^OAK-\d+:?\s\S+.*'
+    error: "The commit message must start with 'OAK-<ID>[:] ' followed by some descriptive text"
+    suggest: Please check your commit message whether it matches above regex
+
+  - check: author_name
+    regex: ^[A-Za-z ,.\'-]+$|.*(\[bot])
+    error: The committer name seems invalid
+    suggest: run command `git config user.name "Your Name"`
+
+  - check: author_email
+    regex: ^.+@.+$
+    error: The committer email seems invalid
+    suggest: run command `git config user.email yourname@example.com`

.github/workflows/build.yml

@@ -1,4 +1,4 @@
-#   ~ Licensed to the Apache Software Foundation (ASF) under one
+#  ~ Licensed to the Apache Software Foundation (ASF) under one
 #  ~ or more contributor license agreements.  See the NOTICE file
 #  ~ distributed with this work for additional information
 #  ~ regarding copyright ownership.  The ASF licenses this file
@@ -37,7 +37,7 @@ jobs:
           cache: maven
       - name: Build
         # executing ITs requires installing artifacts to the local repository
-        run: mvn -B install -Pcoverage -PintegrationTesting -Dnsfixtures=SEGMENT_TAR,DOCUMENT_NS
+        run: mvn -B install -Pcoverage,integrationTesting,javadoc -Dnsfixtures=SEGMENT_TAR,DOCUMENT_NS
       - name: Upload build result
         uses: actions/upload-artifact@v4
         with:

.github/workflows/commit-check.yml

@@ -0,0 +1,49 @@
+#  ~ Licensed to the Apache Software Foundation (ASF) under one
+#  ~ or more contributor license agreements.  See the NOTICE file
+#  ~ distributed with this work for additional information
+#  ~ regarding copyright ownership.  The ASF licenses this file
+#  ~ to you under the Apache License, Version 2.0 (the
+#  ~ "License"); you may not use this file except in compliance
+#  ~ with the License.  You may obtain a copy of the License at
+#  ~
+#  ~   http://www.apache.org/licenses/LICENSE-2.0
+#  ~
+#  ~ Unless required by applicable law or agreed to in writing,
+#  ~ software distributed under the License is distributed on an
+#  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  ~ KIND, either express or implied.  See the License for the
+#  ~ specific language governing permissions and limitations
+#  ~ under the License.
+
+name: Commit Check
+
+on:
+  pull_request:
+    branches: 'trunk'
+
+jobs:
+  commit-check:
+    runs-on: ubuntu-latest
+    permissions:  # use permissions because of use pr-comments
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}  # checkout PR HEAD commit
+          fetch-depth: 0  # required for merge-base check
+      # https://github.com/commit-check
+      # must be pinned due to https://infra.apache.org/github-actions-policy.html
+      - uses: commit-check/commit-check-action@8d507e12899a9feb405c3ed546252ff9508724e0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # use GITHUB_TOKEN because of use pr-comments
+        with:
+          # check commit message formatting convention
+          message: true
+          branch: true
+          author-name: true
+          author-email: true
+          commit-signoff: false
+          merge-base: false
+          job-summary: true
+          pr-comments: ${{ github.event_name == 'pull_request' }}

.github/workflows/stale.yml

@@ -1,4 +1,4 @@
-#   ~ Licensed to the Apache Software Foundation (ASF) under one
+#  ~ Licensed to the Apache Software Foundation (ASF) under one
 #  ~ or more contributor license agreements.  See the NOTICE file
 #  ~ distributed with this work for additional information
 #  ~ regarding copyright ownership.  The ASF licenses this file

Jenkinsfile

@@ -63,7 +63,7 @@ def buildModule(moduleSpec) {
                     // clean all modules
                     sh "${MAVEN_CMD} -T 1C clean"
                     // build and install up to desired module
-                    sh "${MAVEN_CMD} -Dbaseline.skip=true -Prat -T 1C install -DskipTests -pl :${moduleName} -am"
+                    sh "${MAVEN_CMD} -Dbaseline.skip=true -T 1C install -DskipTests -pl :${moduleName} -am"
                     try {
                         sh "${MAVEN_CMD} ${testOptions} -DtrimStackTrace=false -Dnsfixtures=SEGMENT_TAR,DOCUMENT_NS -Dmongo.db=MongoMKDB-${MONGODB_SUFFIX} clean verify -pl :${moduleName}"
                     } finally {

oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.java

@@ -19,9 +19,11 @@
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
-import org.apache.jackrabbit.guava.common.collect.ImmutableSet;
 import org.jetbrains.annotations.NotNull;
 
 /**
@@ -203,9 +205,7 @@ public Authorizable setAutoMembershipConfig(@NotNull AutoMembershipConfig autoMe
          */
         @NotNull
         public Set<String> getAutoMembership(@NotNull org.apache.jackrabbit.api.security.user.Authorizable authorizable) {
-            return ImmutableSet.<String>builder().
-                    addAll(autoMembershipConfig.getAutoMembership(authorizable)).
-                    addAll(getAutoMembership()).build();
+            return Stream.concat(autoMembershipConfig.getAutoMembership(authorizable).stream().filter(Objects::nonNull), getAutoMembership().stream().filter(Objects::nonNull)).collect(Collectors.toUnmodifiableSet());
         }
 
         /**

oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModuleFactory.java

@@ -21,7 +21,6 @@
 import javax.management.MalformedObjectNameException;
 import javax.security.auth.spi.LoginModule;
 
-import org.apache.jackrabbit.guava.common.collect.ImmutableMap;
 import org.apache.felix.jaas.LoginModuleFactory;
 import org.apache.jackrabbit.oak.api.ContentRepository;
 import org.apache.jackrabbit.oak.commons.jmx.JmxUtil;
@@ -214,7 +213,7 @@ private void mayRegisterSyncMBean() {
             String sncName = osgiConfig.getConfigValue(PARAM_SYNC_HANDLER_NAME, "");
 
             SyncMBeanImpl bean = new SyncMBeanImpl(contentRepository, securityProvider, syncManager, sncName, idpManager, idpName);
-            Map<String, String> properties = ImmutableMap.of("handler", sncName, "idp", idpName);
+            Map<String, String> properties = Map.of("handler", sncName, "idp", idpName);
             mbeanRegistration = whiteboard.register(SynchronizationMBean.class, bean, 
                     JmxUtil.createObjectNameMap("UserManagement", "External Identity Synchronization Management", properties));
             log.debug("Registration of SynchronizationMBean completed");

oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java

@@ -23,6 +23,7 @@
 import org.apache.jackrabbit.oak.api.ContentRepository;
 import org.apache.jackrabbit.oak.api.ContentSession;
 import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.plugins.value.jcr.ValueFactoryImpl;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
@@ -46,7 +47,6 @@
 import org.slf4j.LoggerFactory;
 
 import javax.jcr.RepositoryException;
-import javax.security.auth.Subject;
 import java.io.IOException;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
@@ -107,7 +107,7 @@ static Delegatee createInstance(@NotNull final ContentRepository repository,
                                     int batchSize) {
         ContentSession systemSession;
         try {
-            systemSession = Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction<ContentSession>) () -> repository.login(null, null));
+            systemSession = Java23Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction<ContentSession>) () -> repository.login(null, null));
         } catch (PrivilegedActionException e) {
             throw new SyncRuntimeException(ERROR_CREATE_DELEGATEE, e);
         }

oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java

@@ -19,7 +19,6 @@
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.UserManager;
-import org.apache.jackrabbit.guava.common.collect.ImmutableSet;
 import org.apache.jackrabbit.guava.common.collect.Iterators;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.AutoMembershipConfig;
 import org.apache.jackrabbit.oak.spi.security.principal.GroupPrincipals;
@@ -220,7 +219,7 @@ private Map<Principal, Group> collectGlobalAutoMembershipPrincipals(@NotNull Str
                 }
             }
             // only cache the principal instance but not the group (tree might become disconnected)
-            principalMap.put(idpName, ImmutableSet.copyOf(map.keySet()));
+            principalMap.put(idpName, Set.copyOf(map.keySet()));
         } else {
             // resolve Group objects from cached principals
             principalMap.get(idpName).forEach(groupPrincipal -> {

oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalAuthorizableActionProvider.java

@@ -16,11 +16,11 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;
 
-import org.apache.jackrabbit.guava.common.collect.ImmutableSet;
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.commons.PropertiesUtil;
+import org.apache.jackrabbit.oak.commons.collections.CollectionUtils;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
@@ -199,7 +199,7 @@ private Map<String, Set<String>> getAutomembership(boolean memberIsGroup) {
 
         private static void updateAutoMembershipMap(@NotNull Map<String, Set<String>> map, @NotNull String syncHandlerName, 
                                                     @NotNull String idpName, @NotNull String[] membership) {
-            Set<String> userMembership = ImmutableSet.copyOf(membership);
+            Set<String> userMembership = CollectionUtils.toSet(membership);
             Set<String> previous = map.put(idpName, userMembership);
             if (previous != null) {
                 String msg = previous.equals(userMembership) ? "Duplicate" : "Colliding";