Search in sources :

Example 11 with ExternalGroup

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup in project jackrabbit-oak by apache.

the class LargeLdapProviderTest method testGetMembers.

@Test
public void testGetMembers() throws Exception {
    ExternalIdentityRef ref = new ExternalIdentityRef(GROUP_DN, IDP_NAME);
    ExternalIdentity id = idp.getIdentity(ref);
    assertTrue("Group instance", id instanceof ExternalGroup);
    ExternalGroup grp = (ExternalGroup) id;
    assertIfEquals("Group members", TEST_MEMBERS, grp.getDeclaredMembers());
}
Also used : ExternalIdentityRef(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef) ExternalGroup(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup) ExternalIdentity(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity) Test(org.junit.Test)

Example 12 with ExternalGroup

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup in project jackrabbit-oak by apache.

the class LdapProviderTest method testResolvePrincipalNameGroup.

@Test
public void testResolvePrincipalNameGroup() throws ExternalIdentityException {
    ExternalGroup gr = idp.getGroup(TEST_GROUP1_NAME);
    assertNotNull(gr);
    assertEquals(gr.getPrincipalName(), idp.fromExternalIdentityRef(gr.getExternalId()));
}
Also used : ExternalGroup(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup) Test(org.junit.Test)

Example 13 with ExternalGroup

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup in project jackrabbit-oak by apache.

the class DefaultSyncContext method syncMembership.

/**
     * Recursively sync the memberships of an authorizable up-to the specified depth. If the given depth
     * is equal or less than 0, no syncing is performed.
     *
     * @param external the external identity
     * @param auth the authorizable
     * @param depth recursion depth.
     * @throws RepositoryException
     */
protected void syncMembership(@Nonnull ExternalIdentity external, @Nonnull Authorizable auth, long depth) throws RepositoryException {
    if (depth <= 0) {
        return;
    }
    if (log.isDebugEnabled()) {
        log.debug("Syncing membership '{}' -> '{}'", external.getExternalId().getString(), auth.getID());
    }
    final DebugTimer timer = new DebugTimer();
    Iterable<ExternalIdentityRef> externalGroups;
    try {
        externalGroups = external.getDeclaredGroups();
    } catch (ExternalIdentityException e) {
        log.error("Error while retrieving external declared groups for '{}'", external.getId(), e);
        return;
    }
    timer.mark("fetching");
    // first get the set of the existing groups that are synced ones
    Map<String, Group> declaredExternalGroups = new HashMap<String, Group>();
    Iterator<Group> grpIter = auth.declaredMemberOf();
    while (grpIter.hasNext()) {
        Group grp = grpIter.next();
        if (isSameIDP(grp)) {
            declaredExternalGroups.put(grp.getID(), grp);
        }
    }
    timer.mark("reading");
    for (ExternalIdentityRef ref : externalGroups) {
        log.debug("- processing membership {}", ref.getId());
        // get group
        ExternalGroup extGroup;
        try {
            ExternalIdentity extId = idp.getIdentity(ref);
            if (extId instanceof ExternalGroup) {
                extGroup = (ExternalGroup) extId;
            } else {
                log.warn("No external group found for ref '{}'.", ref.getString());
                continue;
            }
        } catch (ExternalIdentityException e) {
            log.warn("Unable to retrieve external group '{}' from provider.", ref.getString(), e);
            continue;
        }
        log.debug("- idp returned '{}'", extGroup.getId());
        Group grp;
        Authorizable a = userManager.getAuthorizable(extGroup.getId());
        if (a == null) {
            grp = createGroup(extGroup);
            log.debug("- created new group");
        } else if (a.isGroup() && isSameIDP(a)) {
            grp = (Group) a;
        } else {
            log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", extGroup.getId(), idp.getName());
            continue;
        }
        log.debug("- user manager returned '{}'", grp);
        syncGroup(extGroup, grp);
        // ensure membership
        grp.addMember(auth);
        log.debug("- added '{}' as member to '{}'", auth, grp);
        // remember the declared group
        declaredExternalGroups.remove(grp.getID());
        // recursively apply further membership
        if (depth > 1) {
            log.debug("- recursively sync group membership of '{}' (depth = {}).", grp.getID(), depth);
            syncMembership(extGroup, grp, depth - 1);
        } else {
            log.debug("- group nesting level for '{}' reached", grp.getID());
        }
    }
    timer.mark("adding");
    // remove us from the lost membership groups
    for (Group grp : declaredExternalGroups.values()) {
        grp.removeMember(auth);
        log.debug("- removing member '{}' for group '{}'", auth.getID(), grp.getID());
    }
    if (log.isDebugEnabled()) {
        timer.mark("removing");
        log.debug("syncMembership({}) {}", external.getId(), timer.getString());
    }
}
Also used : DebugTimer(org.apache.jackrabbit.oak.commons.DebugTimer) Group(org.apache.jackrabbit.api.security.user.Group) ExternalGroup(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup) ExternalIdentityRef(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef) HashMap(java.util.HashMap) ExternalGroup(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup) ExternalIdentity(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity) Authorizable(org.apache.jackrabbit.api.security.user.Authorizable) ExternalIdentityException(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException)

Example 14 with ExternalGroup

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup in project jackrabbit-oak by apache.

the class DefaultSyncContext method sync.

/**
     * {@inheritDoc}
     */
@Nonnull
@Override
public SyncResult sync(@Nonnull String id) throws SyncException {
    try {
        DebugTimer timer = new DebugTimer();
        DefaultSyncResultImpl ret;
        // find authorizable
        Authorizable auth = userManager.getAuthorizable(id);
        if (auth == null) {
            return new DefaultSyncResultImpl(new DefaultSyncedIdentity(id, null, false, -1), SyncResult.Status.NO_SUCH_AUTHORIZABLE);
        }
        // check if we need to deal with this authorizable
        ExternalIdentityRef ref = getIdentityRef(auth);
        if (ref == null || !isSameIDP(ref)) {
            return new DefaultSyncResultImpl(new DefaultSyncedIdentity(id, ref, auth.isGroup(), -1), SyncResult.Status.FOREIGN);
        }
        if (auth.isGroup()) {
            ExternalGroup external = idp.getGroup(id);
            timer.mark("retrieve");
            if (external == null) {
                ret = handleMissingIdentity(id, auth, timer);
            } else {
                ret = syncGroup(external, (Group) auth);
                timer.mark("sync");
            }
        } else {
            ExternalUser external = idp.getUser(id);
            timer.mark("retrieve");
            if (external == null) {
                ret = handleMissingIdentity(id, auth, timer);
            } else {
                ret = syncUser(external, (User) auth);
                timer.mark("sync");
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("sync({}) -> {} {}", id, ref.getString(), timer.getString());
        }
        return ret;
    } catch (RepositoryException e) {
        throw new SyncException(e);
    } catch (ExternalIdentityException e) {
        throw new SyncException(e);
    }
}
Also used : DebugTimer(org.apache.jackrabbit.oak.commons.DebugTimer) Group(org.apache.jackrabbit.api.security.user.Group) ExternalGroup(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup) User(org.apache.jackrabbit.api.security.user.User) ExternalUser(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser) ExternalIdentityRef(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef) ExternalGroup(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup) ExternalUser(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser) Authorizable(org.apache.jackrabbit.api.security.user.Authorizable) RepositoryException(javax.jcr.RepositoryException) SyncException(org.apache.jackrabbit.oak.spi.security.authentication.external.SyncException) ExternalIdentityException(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException) Nonnull(javax.annotation.Nonnull)

Example 15 with ExternalGroup

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup in project jackrabbit-oak by apache.

the class DefaultSyncContext method createGroup.

/**
     * Creates a new repository group for the given external one.
     * Note that this method only creates the authorizable but does not perform any synchronization.
     *
     * @param externalGroup the external group
     * @return the repository group
     * @throws RepositoryException if an error occurs
     */
@Nonnull
protected Group createGroup(@Nonnull ExternalGroup externalGroup) throws RepositoryException {
    Principal principal = new PrincipalImpl(externalGroup.getPrincipalName());
    Group group = userManager.createGroup(externalGroup.getId(), principal, PathUtils.concatRelativePaths(config.group().getPathPrefix(), externalGroup.getIntermediatePath()));
    setExternalId(group, externalGroup);
    return group;
}
Also used : Group(org.apache.jackrabbit.api.security.user.Group) ExternalGroup(org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup) Principal(java.security.Principal) PrincipalImpl(org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl) Nonnull(javax.annotation.Nonnull)

Aggregations

ExternalGroup (org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup)20 Test (org.junit.Test)16 AbstractExternalAuthTest (org.apache.jackrabbit.oak.spi.security.authentication.external.AbstractExternalAuthTest)8 ExternalIdentityRef (org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef)8 Group (org.apache.jackrabbit.api.security.user.Group)7 SyncResult (org.apache.jackrabbit.oak.spi.security.authentication.external.SyncResult)6 ExternalIdentity (org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity)5 Nonnull (javax.annotation.Nonnull)3 Authorizable (org.apache.jackrabbit.api.security.user.Authorizable)3 DebugTimer (org.apache.jackrabbit.oak.commons.DebugTimer)3 ExternalUser (org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser)3 SyncedIdentity (org.apache.jackrabbit.oak.spi.security.authentication.external.SyncedIdentity)3 Principal (java.security.Principal)2 HashMap (java.util.HashMap)2 RepositoryException (javax.jcr.RepositoryException)2 User (org.apache.jackrabbit.api.security.user.User)2 UserManager (org.apache.jackrabbit.api.security.user.UserManager)2 ExternalIdentityException (org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException)2 SyncContext (org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext)2 SyncException (org.apache.jackrabbit.oak.spi.security.authentication.external.SyncException)2