From ddd00e494df6f39c973be6f992c577813a06a5f0 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <kwin@apache.org>
Date: Mon, 30 Aug 2021 08:54:48 +0200
Subject: [PATCH 1/4] JCRVLT-522 check effect of filter rules on ACLs

WIP
---
 src/site/markdown/filter.md                   |  8 +--
 .../jackrabbit/vault/fs/io/Importer.java      |  5 ++
 .../packaging/integration/ACLAndMergeIT.java  | 21 ++++++--
 .../META-INF/vault/definition/.content.xml    | 49 +++++++++++++++++++
 .../META-INF/vault/filter.xml                 | 23 +++++++++
 .../META-INF/vault/nodetypes.cnd              |  8 +++
 .../META-INF/vault/properties.xml             | 36 ++++++++++++++
 .../jcr_root/.content.xml                     | 34 +++++++++++++
 .../jcr_root/testroot/_rep_policy.xml         |  9 ++++
 .../jcr_root/testroot/node_a/.content.xml     |  4 ++
 .../jcr_root/testroot/secured/.content.xml    | 21 ++++++++
 .../jcr_root/testroot/secured/_rep_policy.xml |  9 ++++
 12 files changed, 221 insertions(+), 6 deletions(-)
 create mode 100644 vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml
 create mode 100644 vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml
 create mode 100644 vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/nodetypes.cnd
 create mode 100644 vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/properties.xml
 create mode 100644 vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/.content.xml
 create mode 100644 vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/_rep_policy.xml
 create mode 100644 vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/node_a/.content.xml
 create mode 100644 vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/secured/.content.xml
 create mode 100644 vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/secured/_rep_policy.xml

diff --git a/src/site/markdown/filter.md b/src/site/markdown/filter.md
index 45adab5ab..2e1d83c39 100644
--- a/src/site/markdown/filter.md
+++ b/src/site/markdown/filter.md
@@ -121,15 +121,17 @@ The exact rules are outlined below
 
 Item covered by filter rule | Item contained in the Content Package | Item contained in the Repository (prior to Import/Installation) | State of Item in Repository after Import/Installation
 --- | --- | --- | ---
-no | yes | yes | not touched
-no | no | yes | not touched
-no | yes | no | *nodes which are ancestors of covered rules*: deserialized from content package (for backwards compatibility reasons), *nodes which are not ancestors of covered rules*: not touched. One should not rely on this behaviour, i.e. all items in the content package should always be covered by some filter rule to make the behaviour more explicit.
+no | yes | yes | not touched(*)
+no | no | yes | not touched(*)
+no | yes | no | *nodes which are ancestors of covered rules*: deserialized from content package (for backwards compatibility reasons), *nodes which are not ancestors of covered rules*: not touched. One should not rely on this behaviour, i.e. all items in the content package should always be covered by some filter rule to make the behaviour more explicit.(*)
 no | no | no | not existing (not touched)
 yes | yes | yes | overwritten
 yes | no | yes | removed
 yes | yes | no | deserialized from content package
 yes | no | no | not existing
 
+Mostly for historical reason both authorizable nodes and access control lists behave differently.
+
 ### Uncovered ancestor nodes
 
 All *uncovered* ancestor nodes are either
diff --git a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java
index 1b2c6dd6f..459d561a2 100644
--- a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java
+++ b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java
@@ -522,6 +522,11 @@ public void run(Archive archive, Session session,  String parentPath)
         }
     }
 
+    /**
+     * This discards artifacts from the tree which are not contained in the filter
+     * @param root the (sub)tree
+     * @return the modified (sub)tree
+     */
     private TxInfo postFilter(TxInfo root) {
         TxInfo modifierRoot = root;
         if (filter.contains(modifierRoot.path)){
diff --git a/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java b/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
index 90f22f244..ae765d306 100644
--- a/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
+++ b/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
@@ -24,9 +24,11 @@
 
 import javax.jcr.RepositoryException;
 
+import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.api.JackrabbitSession;
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.commons.JcrUtils;
 import org.apache.jackrabbit.vault.fs.io.AccessControlHandling;
 import org.apache.jackrabbit.vault.fs.io.ImportOptions;
 import org.apache.jackrabbit.vault.packaging.JcrPackage;
@@ -416,7 +418,7 @@ public void testRepoACL() throws RepositoryException, IOException, PackageExcept
     }
 
     /**
-     * Installs a package with repository level acl and then installs another that removes them again.
+     * Installs a package with repository level acl with AccessControlHandling.MERGE.
      */
     @Test
     public void testRepoACLMerge() throws RepositoryException, IOException, PackageException {
@@ -437,7 +439,7 @@ public void testRepoACLMerge() throws RepositoryException, IOException, PackageE
     }
 
     /**
-     * Installs a package with repository level acl and then installs another that removes them again.
+     * Installs a package with repository level acl with AccessControlHandling.MERGE_PRESERVE.
      */
     @Test
     public void testRepoACLMergePreserve() throws RepositoryException, IOException, PackageException {
@@ -458,7 +460,7 @@ public void testRepoACLMergePreserve() throws RepositoryException, IOException,
     }
 
     /**
-     * Installs a package a the root level (JCRVLT-75)
+     * Installs a package at the root level (JCRVLT-75)
      */
     @Test
     public void testRootACL() throws RepositoryException, IOException, PackageException {
@@ -469,4 +471,17 @@ public void testRootACL() throws RepositoryException, IOException, PackageExcept
         // test if nodes and ACLs of first package exist
         assertPermission("/", true, new String[]{"jcr:all"}, "everyone", null);
     }
+    
+    /** Check effect of filter definitions */
+    @Test
+    public void testACLsOutsideFilter() throws IOException, PackageException, RepositoryException {
+        //JcrUtils.getOrCreateByPath("/testroot/secured", JcrConstants.NT_FOLDER, admin);
+        extractVaultPackageStrict("/test-packages/ac_outside_filter.zip");
+        
+        // test if nodes and ACLs of package exist
+        assertNodeExists("/testroot/node_a");
+        // which ACLs should exist now?
+        assertPermission("/testroot", false, new String[]{"jcr:all"}, "everyone", null);
+        assertPermission("/testroot/secured", false, new String[]{"jcr:all"}, "everyone", null);
+    }
 }
\ No newline at end of file
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml
new file mode 100644
index 000000000..94aad3198
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<jcr:root xmlns:vlt="http://www.day.com/jcr/vault/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:nt="http://www.jcp.org/jcr/nt/1.0"
+    jcr:created="{Date}2018-05-17T17:41:46.815+02:00"
+    jcr:createdBy="admin"
+    jcr:description="AC Handling: OverWrite"
+    jcr:lastModified="{Date}2018-05-17T17:41:46.815+02:00"
+    jcr:lastModifiedBy="admin"
+    jcr:primaryType="vlt:PackageDefinition"
+    acHandling="overwrite"
+    buildCount="1"
+    builtWith=""
+    fixedBugs=""
+    group="support"
+    lastUnwrapped="{Date}2018-05-17T17:41:46.815+02:00"
+    lastUnwrappedBy="admin"
+    lastWrapped="{Date}2018-05-17T17:41:46.815+02:00"
+    lastWrappedBy="admin"
+    name=""
+    providerLink=""
+    providerName=""
+    providerUrl=""
+    testedWith=""
+    version="">
+    <filter jcr:primaryType="nt:unstructured">
+        <f0
+            jcr:primaryType="nt:unstructured"
+            mode="replace"
+            root="/testroot/secured"
+            rules="[]"/>
+    </filter>
+    <screenshots jcr:primaryType="nt:unstructured"/>
+</jcr:root>
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml
new file mode 100644
index 000000000..1919a514a
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<workspaceFilter version="1.0">
+    <filter root="/testroot/node_a"/>
+    <filter root="/testroot/secured">
+        <include pattern="/testroot/secured/jcr:content"/>
+    </filter>
+</workspaceFilter>
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/nodetypes.cnd b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/nodetypes.cnd
new file mode 100644
index 000000000..5afdfb71b
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/nodetypes.cnd
@@ -0,0 +1,8 @@
+<'sling'='http://sling.apache.org/jcr/sling/1.0'>
+<'nt'='http://www.jcp.org/jcr/nt/1.0'>
+
+[sling:Folder] > nt:folder
+  - * (undefined)
+  - * (undefined) multiple
+  + * (nt:base) = sling:Folder version
+
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/properties.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/properties.xml
new file mode 100644
index 000000000..70a8f65f5
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/properties.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8" standalone="no"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
+<properties>
+<comment>FileVault Package Properties</comment>
+<entry key="createdBy">admin</entry>
+<entry key="name">mode_ac_test_a</entry>
+<entry key="lastModified">2011-11-15T09:43:22.972+01:00</entry>
+<entry key="lastModifiedBy">admin</entry>
+<entry key="created">2011-11-15T09:43:22.993+01:00</entry>
+<entry key="buildCount">1</entry>
+<entry key="version"/>
+<entry key="dependencies"/>
+<entry key="packageFormatVersion">2</entry>
+<entry key="description"/>
+<entry key="lastWrapped">2011-11-15T09:43:22.972+01:00</entry>
+<entry key="group"/>
+<entry key="lastWrappedBy">admin</entry>
+<entry key="acHandling">overwrite</entry>
+</properties>
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/.content.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/.content.xml
new file mode 100644
index 000000000..d412a30db
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/.content.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
+    jcr:mixinTypes="[rep:AccessControllable]"
+    jcr:primaryType="rep:root"
+    sling:resourceType="sling:redirect"
+    sling:target="/index.html">
+    <rep:policy/>
+    <jcr:system/>
+    <var/>
+    <libs/>
+    <etc/>
+    <apps/>
+    <content/>
+    <tmp/>
+    <home/>
+    <testroot/>
+</jcr:root>
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/_rep_policy.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/_rep_policy.xml
new file mode 100644
index 000000000..8a415d585
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/_rep_policy.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root
+        xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
+    jcr:primaryType="rep:ACL">
+    <deny
+        jcr:primaryType="rep:DenyACE"
+        rep:principalName="everyone"
+        rep:privileges="{Name}[jcr:all]"/>
+</jcr:root>
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/node_a/.content.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/node_a/.content.xml
new file mode 100644
index 000000000..61b37c823
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/node_a/.content.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0"
+    jcr:primaryType="sling:Folder"
+    title="1234"/>
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/secured/.content.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/secured/.content.xml
new file mode 100644
index 000000000..1e519aa0b
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/secured/.content.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:nt="http://www.jcp.org/jcr/nt/1.0" xmlns:rep="internal"
+    jcr:mixinTypes="[rep:AccessControllable]"
+    jcr:primaryType="nt:folder"/>
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/secured/_rep_policy.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/secured/_rep_policy.xml
new file mode 100644
index 000000000..8a415d585
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/secured/_rep_policy.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root
+        xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
+    jcr:primaryType="rep:ACL">
+    <deny
+        jcr:primaryType="rep:DenyACE"
+        rep:principalName="everyone"
+        rep:privileges="{Name}[jcr:all]"/>
+</jcr:root>

From 2dea1029213635194fcc6800d046045592867b3b Mon Sep 17 00:00:00 2001
From: Konrad Windszus <kwin@apache.org>
Date: Mon, 30 Aug 2021 11:57:21 +0200
Subject: [PATCH 2/4] fix tests to correctly reflect status quo

---
 .../vault/packaging/integration/ACLAndMergeIT.java     | 10 +++++-----
 .../ac_outside_filter.zip/META-INF/vault/filter.xml    |  7 ++++---
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java b/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
index ae765d306..e83cedab2 100644
--- a/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
+++ b/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
@@ -475,13 +475,13 @@ public void testRootACL() throws RepositoryException, IOException, PackageExcept
     /** Check effect of filter definitions */
     @Test
     public void testACLsOutsideFilter() throws IOException, PackageException, RepositoryException {
-        //JcrUtils.getOrCreateByPath("/testroot/secured", JcrConstants.NT_FOLDER, admin);
         extractVaultPackageStrict("/test-packages/ac_outside_filter.zip");
-        
-        // test if nodes and ACLs of package exist
         assertNodeExists("/testroot/node_a");
-        // which ACLs should exist now?
-        assertPermission("/testroot", false, new String[]{"jcr:all"}, "everyone", null);
+
+        // this ACL is not contained in the filter and not installed because ancestor is no filter root
+        assertPermissionMissing("/testroot", false, new String[]{"jcr:all"}, "everyone", null);
+
+        // this is not contained in the filter root but installed nevertheless (due to ancestor being a filter root)
         assertPermission("/testroot/secured", false, new String[]{"jcr:all"}, "everyone", null);
     }
 }
\ No newline at end of file
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml
index 1919a514a..c6d3ce01f 100644
--- a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml
@@ -16,8 +16,9 @@
   ~ limitations under the License.
   -->
 <workspaceFilter version="1.0">
-    <filter root="/testroot/node_a"/>
-    <filter root="/testroot/secured">
-        <include pattern="/testroot/secured/jcr:content"/>
+    <filter root="/testroot">
+       <include pattern="/testroot/secured"/>
+       <include pattern="/testroot/secured/jcr:content"/>
+       <include pattern="/testroot/node_a(/.*)?"/>
     </filter>
 </workspaceFilter>

From 656a32117473623c1cb255d49b097689dbf2d5fb Mon Sep 17 00:00:00 2001
From: Konrad Windszus <kwin@apache.org>
Date: Wed, 1 Sep 2021 13:59:04 +0200
Subject: [PATCH 3/4] modify post filter handling to completely ignore
 artifacts not neither ancestor of a filter nor contained in it

---
 .../java/org/apache/jackrabbit/vault/fs/io/Importer.java     | 5 +----
 .../vault/packaging/integration/ACLAndMergeIT.java           | 2 +-
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java
index 459d561a2..aaaedcf33 100644
--- a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java
+++ b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java
@@ -529,10 +529,7 @@ public void run(Archive archive, Session session,  String parentPath)
      */
     private TxInfo postFilter(TxInfo root) {
         TxInfo modifierRoot = root;
-        if (filter.contains(modifierRoot.path)){
-            return modifierRoot;
-        }
-        if (filter.isAncestor(modifierRoot.path)) {
+        if (filter.isAncestor(modifierRoot.path) || filter.contains(modifierRoot.path)) {
             for (String k : modifierRoot.children().keySet()) {
                 TxInfo child = modifierRoot.children().get(k);
                 modifierRoot.children().put(k, postFilter(child));
diff --git a/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java b/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
index e83cedab2..a18e589cf 100644
--- a/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
+++ b/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
@@ -482,6 +482,6 @@ public void testACLsOutsideFilter() throws IOException, PackageException, Reposi
         assertPermissionMissing("/testroot", false, new String[]{"jcr:all"}, "everyone", null);
 
         // this is not contained in the filter root but installed nevertheless (due to ancestor being a filter root)
-        assertPermission("/testroot/secured", false, new String[]{"jcr:all"}, "everyone", null);
+        assertPermissionMissing("/testroot/secured", false, new String[]{"jcr:all"}, "everyone", null);
     }
 }
\ No newline at end of file

From b3e8af3b3c3eae2efcd1c77cf93ef5290508698c Mon Sep 17 00:00:00 2001
From: Konrad Windszus <kwin@apache.org>
Date: Wed, 6 Jul 2022 10:19:51 +0200
Subject: [PATCH 4/4] cleanup and documentation

---
 src/site/markdown/filter.md                   |  4 ++
 src/site/markdown/vaultfs.md                  | 16 +++++-
 .../fs/spi/impl/jcr20/JcrACLManagement.java   |  1 +
 .../packaging/integration/ACLAndMergeIT.java  |  5 +-
 .../META-INF/vault/definition/.content.xml    | 49 -------------------
 .../META-INF/vault/filter.xml                 |  1 +
 6 files changed, 24 insertions(+), 52 deletions(-)
 delete mode 100644 vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml

diff --git a/src/site/markdown/filter.md b/src/site/markdown/filter.md
index 2e1d83c39..3dce8b9f0 100644
--- a/src/site/markdown/filter.md
+++ b/src/site/markdown/filter.md
@@ -140,6 +140,10 @@ All *uncovered* ancestor nodes are either
 1. since version 3.4.4 ([JCRVLT-417](https://issues.apache.org/jira/browse/JCRVLT-417)) created with the ancestor node type's default child type or if that is not set or prior to version 3.4.4 created with node type `nt:folder` (in case the the node type is *not* given with a `.content.xml` at the right location and the node does not yet exist in the repo) or
 1. not touched at all (in case they are already existing in the repo, no matter which node type is given with a `.content.xml` at the according location) 
 
+### Effect on Access Control Lists (ACLs)
+
+In order for ACLs to be installed the [ACL serialization node path](vaultfs.html#Authorization_Serialization) must be contained in the filter as well.
+
 ### Example
 
 Content Package Filter
diff --git a/src/site/markdown/vaultfs.md b/src/site/markdown/vaultfs.md
index ef16e5155..ce87dd092 100644
--- a/src/site/markdown/vaultfs.md
+++ b/src/site/markdown/vaultfs.md
@@ -291,6 +291,16 @@ The serialization of the artifacts is defined by the **serializer** that is prov
 1. a direct data serialization for the contents of file or binary artifacts and 
 2. an enhanced _docview_ serialization for the rest. The [_enhanced docview_ serialization][enhanceddocview] that is used allows multi-value properties and explicit types in contrast to regular [document view XML defined by JCR 2.0][docview].
 
+### Authorization Serialization
+
+As JCR 2.0 does not define if/how access control information is stored in the repository, FileVault only supports the Oak-specific implementation leveraging its internal repository format. It support the following node names:
+
+1. `rep:policy` or `repo:policy` (for repository-level ACLs) with structure as defined in <https://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html#representation-in-the-repository>
+1. `rep:cugPolicy` with structure as defined in <https://jackrabbit.apache.org/oak/docs/security/authorization/cug.html#representation-in-the-repository>
+1. `rep:principalPolicy`  with structure as defined in <https://jackrabbit.apache.org/oak/docs/security/authorization/principalbased.html#representation-in-the-repository>
+
+Those are serialized as [enhanced docview][enhanceddocview].
+
 Deserialization
 ---------------
 Although for exporting only 2 serialization types are used this is a bit different for importing. The importer analyzes the provided input sources and determines the following serialization types:
@@ -310,6 +320,9 @@ Depending on the configuration those input sources can be handled differently. C
 
 **generic data** produces a `nt:file` having the data as `nt:resource` content.
 
+### Authorization Deserialization
+
+Only the Oak-specific serializations as defined above are deserialized leveraging the [JCR 2.0 API defined in chapter 16][authorization].
 
 Terminology
 -----------
@@ -332,4 +345,5 @@ Terminology
 
 [enhanceddocview]: docview.html
 [docview]: https://s.apache.org/jcr-2.0-spec/7_Export.html#7.3%20Document%20View
-[sysview]: https://s.apache.org/jcr-2.0-spec/7_Export.html#7.2%20System%20View
\ No newline at end of file
+[sysview]: https://s.apache.org/jcr-2.0-spec/7_Export.html#7.2%20System%20View
+[authorization]: https://s.apache.org/jcr-2.0-spec/16_Access_Control_Management.html
\ No newline at end of file
diff --git a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JcrACLManagement.java b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JcrACLManagement.java
index bd2ab7822..0c4a68318 100644
--- a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JcrACLManagement.java
+++ b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JcrACLManagement.java
@@ -34,6 +34,7 @@ public class JcrACLManagement implements ACLManagement {
      * {@inheritDoc}
      */
     public boolean isACLNodeType(String name) {
+        // all those inherit from rep:Policy
         return name.equals("rep:ACL") || name.equals("rep:CugPolicy") || name.equals("rep:PrincipalPolicy");
     }
 
diff --git a/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java b/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
index a18e589cf..d8e47dbd8 100644
--- a/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
+++ b/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
@@ -478,10 +478,11 @@ public void testACLsOutsideFilter() throws IOException, PackageException, Reposi
         extractVaultPackageStrict("/test-packages/ac_outside_filter.zip");
         assertNodeExists("/testroot/node_a");
 
-        // this ACL is not contained in the filter and not installed because ancestor is no filter root
+        // this ACL is not contained in the filter neither is its direct ancestor (node whose privileges are set)
+        // still nodes contained in the filter would be affected by the ACL
         assertPermissionMissing("/testroot", false, new String[]{"jcr:all"}, "everyone", null);
 
-        // this is not contained in the filter root but installed nevertheless (due to ancestor being a filter root)
+        // this ACL is not contained in the filter but its direct ancestor (the node whose privileges are set) is
         assertPermissionMissing("/testroot/secured", false, new String[]{"jcr:all"}, "everyone", null);
     }
 }
\ No newline at end of file
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml
deleted file mode 100644
index 94aad3198..000000000
--- a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml
+++ /dev/null
@@ -1,49 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  ~ Licensed to the Apache Software Foundation (ASF) under one or more
-  ~ contributor license agreements.  See the NOTICE file distributed with
-  ~ this work for additional information regarding copyright ownership.
-  ~ The ASF licenses this file to You under the Apache License, Version 2.0
-  ~ (the "License"); you may not use this file except in compliance with
-  ~ the License.  You may obtain a copy of the License at
-  ~
-  ~      http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-
-<jcr:root xmlns:vlt="http://www.day.com/jcr/vault/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:nt="http://www.jcp.org/jcr/nt/1.0"
-    jcr:created="{Date}2018-05-17T17:41:46.815+02:00"
-    jcr:createdBy="admin"
-    jcr:description="AC Handling: OverWrite"
-    jcr:lastModified="{Date}2018-05-17T17:41:46.815+02:00"
-    jcr:lastModifiedBy="admin"
-    jcr:primaryType="vlt:PackageDefinition"
-    acHandling="overwrite"
-    buildCount="1"
-    builtWith=""
-    fixedBugs=""
-    group="support"
-    lastUnwrapped="{Date}2018-05-17T17:41:46.815+02:00"
-    lastUnwrappedBy="admin"
-    lastWrapped="{Date}2018-05-17T17:41:46.815+02:00"
-    lastWrappedBy="admin"
-    name=""
-    providerLink=""
-    providerName=""
-    providerUrl=""
-    testedWith=""
-    version="">
-    <filter jcr:primaryType="nt:unstructured">
-        <f0
-            jcr:primaryType="nt:unstructured"
-            mode="replace"
-            root="/testroot/secured"
-            rules="[]"/>
-    </filter>
-    <screenshots jcr:primaryType="nt:unstructured"/>
-</jcr:root>
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml
index c6d3ce01f..84ea8ffff 100644
--- a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml
@@ -21,4 +21,5 @@
        <include pattern="/testroot/secured/jcr:content"/>
        <include pattern="/testroot/node_a(/.*)?"/>
     </filter>
+    <filter root="/test2root/child/grandchild" />
 </workspaceFilter>