in src/main/java/org/apache/sling/feature/cpconverter/accesscontrol/DefaultAclManager.java [288:312]
/**
 * Writes to {@code formatter} the path statements required by resource-based access control entries.
 *
 * <p>Paths are taken only from entries whose principal resolves to a known system user that is not
 * subject to enforced principal-based setup, and only from entries that are not themselves
 * principal-based. A collected path is emitted only if it is not an ancestor of another collected
 * path, is not the repository-level path, and is not an ancestor of (or equal to) the path of any
 * known system user, user or group.
 *
 * @param formatter the sink that receives the repoinit string of each path statement
 * @param packageAssemblers handed through to {@code getCreatePath} for every candidate path
 */
private void addPaths(@NotNull Formatter formatter, @NotNull List<VaultPackageAssembler> packageAssemblers) {
    // Entries of unknown principals, and of system users switched to principal-based setup,
    // contribute no paths at all; principal-based entries are dropped individually afterwards.
    // NOTE(review): Collectors.toSet() gives no ordering guarantee, so the order of the emitted
    // statements may differ between runs - confirm that callers do not rely on it.
    Set<RepoPath> paths = acls.entrySet().stream()
            .filter(entry -> getSystemUser(entry.getKey())
                    .filter(systemUser -> !enforcePrincipalBased(systemUser))
                    .isPresent())
            .flatMap(entry -> entry.getValue().stream())
            .filter(ace -> !ace.isPrincipalBased())
            .map(ace -> ace.getRepositoryPath())
            .collect(Collectors.toSet());

    for (RepoPath candidate : paths) {
        // keep only the deepest paths: skip a path when another collected path lies below it
        boolean hasCollectedDescendant = paths.stream()
                .anyMatch(other -> !other.equals(candidate) && other.startsWith(candidate));
        if (hasCollectedDescendant || candidate.isRepositoryPath()) {
            continue;
        }

        // skip paths at or above the location of a known system user, user or group
        boolean holdsAuthorizable = Stream.of(systemUsers, users, groups)
                .flatMap(Collection::stream)
                .anyMatch(authorizable -> authorizable.getPath().startsWith(candidate));
        if (holdsAuthorizable) {
            continue;
        }

        // getCreatePath may yield null, in which case nothing is written for this path
        Optional.ofNullable(getCreatePath(candidate, packageAssemblers))
                .ifPresent(createPath -> formatter.format("%s", createPath.asRepoInitString()));
    }
}