Merge branch 'develop'

changes.xml

@@ -23,17 +23,32 @@
     xsi:schemaLocation="http://maven.apache.org/changes/1.0.0 http://maven.apache.org/plugins/maven-changes-plugin/xsd/changes-1.0.0.xsd">
   <body>
 
+    <release version="1.15.0" date="2023-03-17">
+      <action type="add" dev="trichter" issue="88">
+        Role aem-dispatcher-cloud: Introduce httpd.rewrites (ported from aem-dispatcher-ams role).
+      </action>
+      <action type="add" dev="trichter" issue="87">
+        Role aem-dispatcher-cloud: Introduce httpd.rewriteIncludes (ported from aem-dispatcher-ams role).
+      </action>
+      <action type="add" dev="trichter" issue="86">
+        Role aem-dispatcher-cloud: Introduce httpd.generateAvailableVhost and httpd.generateEnabledVhost to control vhost generation.
+      </action>
+      <action type="fix" dev="trichter" issue="85">
+        Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Revert #83, move "security-related" deny rules back to dispatcher.filter.
+      </action>
+    </release>
+
     <release version="1.14.0" date="2023-01-12">
-      <action type="add" dev="trichter">
+      <action type="add" dev="trichter" issue="83">
         Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Introduce dispatcher.filterAppend filter list.
       </action>
-      <action type="add" dev="trichter">
+      <action type="add" dev="trichter" issue="84">
         Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Block form selector with a non-empty suffix on all URLs in order to fix form validator bypass issue.
       </action>
-      <action type="update" dev="trichter">
+      <action type="update" dev="trichter" issue="83">
         Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Move "security-related" existing deny rules e.g. to prevent content grabbing to dispatcher.filterAppend filter list.
       </action>
-      <action type="update" dev="nbellack">
+      <action type="update" dev="nbellack" issue="82">
         Role aem-dispatcher-cloud: Sync with default dispatcher configuration from Adobe project archetype 36 to 39.
       </action>
       <action type="update" dev="sseifert">

conga-aem-definitions/pom.xml

@@ -25,13 +25,13 @@
   <parent>
     <groupId>io.wcm.devops.conga.definitions</groupId>
     <artifactId>io.wcm.devops.conga.definitions.aem.parent</artifactId>
-    <version>1.14.0</version>
+    <version>1.15.0</version>
     <relativePath>../parent/pom.xml</relativePath>
   </parent>
 
   <groupId>io.wcm.devops.conga.definitions</groupId>
   <artifactId>io.wcm.devops.conga.definitions.aem</artifactId>
-  <version>1.14.0</version>
+  <version>1.15.0</version>
   <packaging>config-definition</packaging>
 
   <name>CONGA AEM Definitions</name>

conga-aem-definitions/src/main/roles/aem-dispatcher-ams.yaml

@@ -75,12 +75,6 @@ variants:
       - url: /libs/cq/personalization(/.*)?
         method: "GET"
         type: allow
-      # Allow current user [from default_filters.any]
-      - url: /libs/granite/security/currentuser.json
-        type: allow
-
-      # list of filters that will be appended after the "normal" filter list to ensure denied content is not accidentally allowed again by other selectors
-      filterAppend:
       # Deny content grabbing for greedy queries and prevent un-intended self DOS attacks [from default_filters.any]
       - selectors: (feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)
         extension: (json|xml|html|feed)
@@ -90,6 +84,9 @@ variants:
         type: deny
       - query: wcmmode=.*
         type: deny
+      # Allow current user [from default_filters.any]
+      - url: /libs/granite/security/currentuser.json
+        type: allow
       # Deny content grabbing for /content - additional selectors not included in default dispatcher.any
       - path: /content(/.*)?
         selectors: (ambits|assetsearch|assignments|childrenlist|cloudservices|contentfinder|context|emailservice|exacttarget|ext|form|media|missingpages|mobileapps|pages|paragraphs|payloadsummary|permissions|publications|referencelist|savedsearch|skippedpages|search|social|style|tags|tagtree|timezones)
@@ -106,6 +103,9 @@ variants:
       - path: /content(/.*)?
         selectors: (overlay)
         type: deny
+
+      # list of filters that will be appended after the "normal" filter list to ensure denied content is not accidentally allowed again by other selectors
+      filterAppend:
       # block form validator bypass
       - url: '/.*'
         selectors: "(form)"

conga-aem-definitions/src/main/roles/aem-dispatcher-cloud.yaml

@@ -78,6 +78,15 @@ variants:
       - url: /libs/cq/personalization(/.*)?
         method: GET
         type: allow
+      # Deny content grabbing for greedy queries and prevent un-intended self DOS attacks [from default_filters.any]
+      - selectors: (feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)
+        extension: (json|xml|html|feed)
+        type: deny
+      # Deny authoring query params [from default_filters.any]
+      - query: debug=.*
+        type: deny
+      - query: wcmmode=.*
+        type: deny
       # Allow current user [from default_filters.any]
       - url: /libs/granite/security/currentuser.json
         type: allow
@@ -96,18 +105,6 @@ variants:
       - url: /graphql/execute.json*
         method: (GET|POST|OPTIONS)
         type: allow
-
-      # list of filters that will be appended after the "normal" filter list to ensure denied content is not accidentally allowed again by other selectors
-      filterAppend:
-      # Deny content grabbing for greedy queries and prevent un-intended self DOS attacks [from default_filters.any]
-      - selectors: (feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)
-        extension: (json|xml|html|feed)
-        type: deny
-      # Deny authoring query params [from default_filters.any]
-      - query: debug=.*
-        type: deny
-      - query: wcmmode=.*
-        type: deny
       # Deny content grabbing for /content - additional selectors not included in default dispatcher.any
       - path: /content(/.*)?
         selectors: (ambits|assetsearch|assignments|childrenlist|cloudservices|contentfinder|context|emailservice|exacttarget|ext|form|media|missingpages|mobileapps|pages|paragraphs|payloadsummary|permissions|publications|referencelist|savedsearch|skippedpages|search|social|style|tags|tagtree|timezones)
@@ -124,6 +121,9 @@ variants:
       - path: /content(/.*)?
         selectors: (overlay)
         type: deny
+
+      # list of filters that will be appended after the "normal" filter list to ensure denied content is not accidentally allowed again by other selectors
+      filterAppend:
       # block form validator bypass
       - url: '/.*'
         selectors: "(form)"
@@ -169,6 +169,7 @@ files:
   template: conf.d/available_vhosts/tenant.vhost.hbs
   multiply: tenant
   fileHeader: conf
+  condition: ${httpd.generateAvailableVhost}
 
 # enabled vhosts
 - file: ${new('java.text.DecimalFormat','0000').format(multiplyIndex)}_${tenant}.vhost
@@ -177,6 +178,7 @@ files:
   variants:
   - aem-publish
   multiply: tenant
+  condition: ${httpd.generateEnabledVhost}
 
 # global rewrite rules
 - file: rewrite.rules
@@ -357,6 +359,17 @@ config:
       # Set the default experiation time for text/html responses (enabled by default in AEM Cloud Service webserver)
       htmlExpirationTimeMin: 5
 
+    # List of rewrite rules to include in the vhost
+    rewriteIncludes:
+      - conf.d/rewrites/rewrite.rules
+
+    # These rewrite rules are evaluated before the mapping rules
+    # rewrites:
+    #  - rule: ^/crx/(.*)$                 - [R=404,L]
+    #  - conditions:
+    #      - '%{REQUEST_URI} !^/system/sling/logout(.*)$'
+    #    rule: ^/system/(.*)$              - [R=404,L]
+
     # Request URI patterns for Sling maping short URL configuration
     mapping:
       uriExcludeFromMapping:
@@ -385,6 +398,12 @@ config:
       # Placed at the bottom of the vhost confign file
       after:
 
+    # Controls the generation of available_vhosts files
+    generateAvailableVhost: true
+
+    # Controls the generation of enabled_vhosts files
+    generateEnabledVhost: true
+
     # Allows to define different server names/alias names per environment in a single dispatcher configuration
     #cloudManagerConditional:
     #  targetEnvironment:  # to be substituted with e.g. "dev"

conga-aem-definitions/src/main/roles/aem-dispatcher.yaml

@@ -53,15 +53,6 @@ variants:
       # Enable features [from default dispatcher.any]
       - url: /libs/cq/personalization(/.*)?
         type: allow
-      # Allow access to client libraries and designs at /etc
-      - url: (/etc/clientlibs|/etc.clientlibs|/etc/designs/.*/clientlibs)(/.*)?
-        type: allow
-      # open consoles (access is controlled in httpd config)
-      - url: /(admin|crx|system)(/.*)?
-        type: allow
-
-      # list of filters that will be appended after the "normal" filter list to ensure denied content is not accidentally allowed again by other selectors
-      filterAppend:
       # Deny content grabbing, on all accessible pages [from default dispatcher.any]
       - selectors: ((sys|doc)view|query|[0-9-]+)
         extension: (json|xml)
@@ -87,6 +78,15 @@ variants:
       - path: /content(/.*)?
         selectors: (overlay)
         type: deny
+      # Allow access to client libraries and designs at /etc
+      - url: (/etc/clientlibs|/etc.clientlibs|/etc/designs/.*/clientlibs)(/.*)?
+        type: allow
+      # open consoles (access is controlled in httpd config)
+      - url: /(admin|crx|system)(/.*)?
+        type: allow
+
+      # list of filters that will be appended after the "normal" filter list to ensure denied content is not accidentally allowed again by other selectors
+      filterAppend:
       # block form validator bypass
       - url: '/.*'
         selectors: "(form)"

conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/available_vhosts/tenant.vhost.partials.hbs

@@ -73,7 +73,9 @@ AllowEncodedSlashes NoDecode
 </IfModule>
 <IfModule mod_rewrite.c>
   RewriteEngine  on
-  Include conf.d/rewrites/rewrite.rules
+  {{~#each httpd.rewriteIncludes}}
+    Include {{ this }}
+  {{~/each}}
 </IfModule>
 
 # Do not allow RFC 2616 trace requests
@@ -171,6 +173,17 @@ Header set X-XSS-Protection "{{httpd.headers.xssProtection}}"
 {{~/if}}
 {{/block}}
 
+{{~#block "rewrites"}}
+{{~#if httpd.rewrites}}
+# Rewrites
+{{~#each httpd.rewrites}}
+{{~#each this.conditions}}
+RewriteCond {{this}}
+{{~/each}}
+RewriteRule {{this.rule}}
+{{~/each}}
+{{/if ~}}
+{{/block}}
 
 {{~#block "rewriteSlingShortUrlMapping"}}
 {{~#if sling.mapping.rootPath}}

example/pom.xml

@@ -32,7 +32,7 @@
   <groupId>io.wcm.devops.conga.definitions</groupId>
   <artifactId>io.wcm.devops.conga.definitions.aem.example</artifactId>
   <packaging>config</packaging>
-  <version>1.14.0</version>
+  <version>1.15.0</version>
 
   <name>CONGA AEM Definitions Example</name>
   <description>Example environment definition.</description>
@@ -43,7 +43,7 @@
     <dependency>
       <groupId>io.wcm.devops.conga.definitions</groupId>
       <artifactId>io.wcm.devops.conga.definitions.aem</artifactId>
-      <version>1.14.0</version>
+      <version>1.15.0</version>
     </dependency>
 
   </dependencies>

example/src/main/environments/test.yaml

@@ -310,11 +310,15 @@ tenants:
         prod:
           serverName: www.prod-sample3.com
       rootRedirect.url: /en.html
+      rewrites:
+        - rule: ^/subpage/?$ /subpage.html [NC,R=301,L]
     sling.mapping.rootPath: /content/sample3
 
 - tenant: cloud-sample4.com
   config:
     httpd:
+      generateEnabledVhost: false
+      generateAvailableVhost: false
       cloudManagerConditional:
         dev:
           serverName: www.dev-sample4.com
@@ -326,6 +330,9 @@ tenants:
         prod:
           serverName: www.prod-sample4.com
       rootRedirect.url: /content/sample4/en.html
+      rewriteIncludes:
+        - _merge_
+        - conf.d/rewrites/additional_rewrite.rules
 
 - tenant: ams-sample5.com
   config:

parent/pom.xml

@@ -31,7 +31,7 @@
 
   <groupId>io.wcm.devops.conga.definitions</groupId>
   <artifactId>io.wcm.devops.conga.definitions.aem.parent</artifactId>
-  <version>1.14.0</version>
+  <version>1.15.0</version>
   <packaging>pom</packaging>
 
   <name>CONGA AEM Definitions</name>
@@ -40,7 +40,12 @@
     <system>GitHub Actions</system>
     <url>https://github.com/wcm-io-devops/conga-aem-definitions/actions</url>
   </ciManagement>
-
+
+  <issueManagement>
+    <system>GitHub</system>
+    <url>https://github.com/wcm-io-devops/conga-aem-definitions/issues/</url>
+  </issueManagement>
+
   <build>
     <plugins>
 

pom.xml

@@ -23,13 +23,13 @@
   <parent>
     <groupId>io.wcm.devops.conga.definitions</groupId>
     <artifactId>io.wcm.devops.conga.definitions.aem.parent</artifactId>
-    <version>1.14.0</version>
+    <version>1.15.0</version>
     <relativePath>parent/pom.xml</relativePath>
   </parent>
 
   <groupId>io.wcm.devops.conga.definitions</groupId>
   <artifactId>io.wcm.devops.conga.definitions.aem.root</artifactId>
-  <version>1.14.0</version>
+  <version>1.15.0</version>
   <packaging>pom</packaging>
 
   <name>CONGA AEM Definitions</name>