From e8dd753a622fcd68edca85a71fecba3395f7aa2b Mon Sep 17 00:00:00 2001
From: Pablo Castelo <pablo.castelo@netcentric.biz>
Date: Fri, 29 Sep 2023 14:16:59 +0200
Subject: [PATCH] Adding a new condition to identify when a everyone deny is
 found and if that is the case, all configured acls on the node are removed
 and installed again

---
 .../AceBeanInstallerIncremental.java          | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/AceBeanInstallerIncremental.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/AceBeanInstallerIncremental.java
index 19d5be9a..f8dadc66 100644
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/AceBeanInstallerIncremental.java
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/AceBeanInstallerIncremental.java
@@ -82,7 +82,8 @@ protected void installAcl(Set<AceBean> aceBeanSetFromConfig, String path, Set<St
         int currentPositionConfig = 0;
 
         boolean changeHasBeenFound = false;
-            
+        boolean everyoneDenyFound = false;
+
         AccessControlManager acMgr = session.getAccessControlManager();
 
         JackrabbitAccessControlList acl = getAccessControlList(acMgr, path);
@@ -97,6 +98,12 @@ protected void installAcl(Set<AceBean> aceBeanSetFromConfig, String path, Set<St
             if (!principalsInConfiguration.contains(acePrincipalName)) {
                 countOutsideConfig++;
                 diffLog.append("    OUTSIDE (not in Config) " + actualAceBeanCompareStr + "\n");
+                // Condition will check if everyone deny was added at the bottom, blocking all permissions created by actool
+                // usually happens when SP installs some rep:policy nodes
+                if ((acl.size() - countOutsideConfig <= configuredAceEntries.size())
+                        && (StringUtils.startsWith(actualAceBeanCompareStr, "everyone") && StringUtils.contains(actualAceBeanCompareStr, "deny"))) {
+                    everyoneDenyFound = true;
+                }
                 continue;
             }
 
@@ -134,6 +141,18 @@ protected void installAcl(Set<AceBean> aceBeanSetFromConfig, String path, Set<St
 
         }
 
+        // will override the logic to apply all ACLs on the path, and removing all elements present in config files
+        if (everyoneDenyFound && !changeHasBeenFound) {
+            Iterator<AccessControlEntry> items = Arrays.asList(acl.getAccessControlEntries()).iterator();
+            while (items.hasNext()) {
+                AccessControlEntry currentEntry = items.next();
+                if (principalsInConfiguration.contains(currentEntry.getPrincipal().getName())) {
+                    acl.removeAccessControlEntry(currentEntry);
+                }
+            }
+            currentPositionConfig = 0;
+        }
+
         // install missing - this can be either because not all configured ACEs were found (append) or because a change was detected and old
         // aces have been deleted