
Example 36 with ExternalIdentity

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity in project jackrabbit-oak by apache.

From the class DefaultSyncContext, method syncMembership.

/**
 * Synchronizes the group memberships of {@code auth} with the groups declared by
 * {@code external}, descending into nested groups until {@code depth} is used up.
 * A depth of 0 or less is a no-op.
 * <p>
 * Every group the IDP reports is created or updated in the repository and
 * {@code auth} is added to it. Groups of this IDP that {@code auth} is a declared
 * member of but that the IDP no longer reports are treated as stale and
 * {@code auth} is removed from them.
 *
 * @param external the external identity whose declared groups are authoritative
 * @param auth the repository authorizable whose membership is adjusted
 * @param depth remaining recursion depth; 1 syncs the direct memberships only
 * @throws RepositoryException if the repository cannot be read or written
 */
protected void syncMembership(@Nonnull ExternalIdentity external, @Nonnull Authorizable auth, long depth) throws RepositoryException {
    if (depth <= 0) {
        return;
    }
    if (log.isDebugEnabled()) {
        log.debug("Syncing membership '{}' -> '{}'", external.getExternalId().getString(), auth.getID());
    }
    DebugTimer stopwatch = new DebugTimer();

    // Ask the IDP for the authoritative set of declared groups. A failure here
    // aborts the sync without touching any existing membership.
    Iterable<ExternalIdentityRef> idpGroupRefs;
    try {
        idpGroupRefs = external.getDeclaredGroups();
    } catch (ExternalIdentityException e) {
        log.error("Error while retrieving external declared groups for '{}'", external.getId(), e);
        return;
    }
    stopwatch.mark("fetching");

    // Snapshot the groups of this IDP that auth currently belongs to, keyed by
    // group id. Each group confirmed by the IDP below is dropped from this map;
    // whatever remains afterwards is a stale membership.
    Map<String, Group> staleGroups = new HashMap<String, Group>();
    for (Iterator<Group> it = auth.declaredMemberOf(); it.hasNext(); ) {
        Group member = it.next();
        if (isSameIDP(member)) {
            staleGroups.put(member.getID(), member);
        }
    }
    stopwatch.mark("reading");

    for (ExternalIdentityRef ref : idpGroupRefs) {
        log.debug("- processing membership {}", ref.getId());

        // Resolve the reference through the IDP; anything that is not a group is skipped.
        // NOTE(review): a failed lookup leaves the group (if auth already belongs to it)
        // in staleGroups, so a single transient IDP error ends with auth being removed
        // from that group further down -- confirm this fail-closed behaviour is intended.
        ExternalIdentity resolved;
        try {
            resolved = idp.getIdentity(ref);
        } catch (ExternalIdentityException e) {
            log.warn("Unable to retrieve external group '{}' from provider.", ref.getString(), e);
            continue;
        }
        if (!(resolved instanceof ExternalGroup)) {
            log.warn("No external group found for ref '{}'.", ref.getString());
            continue;
        }
        ExternalGroup extGroup = (ExternalGroup) resolved;
        log.debug("- idp returned '{}'", extGroup.getId());

        // Map the external group onto a repository group, creating it on first sight.
        // An existing authorizable with that id is only reused when it is a group
        // owned by this IDP; a user or a group of another origin is never reused.
        Group target;
        Authorizable existing = userManager.getAuthorizable(extGroup.getId());
        if (existing == null) {
            target = createGroup(extGroup);
            log.debug("- created new group");
        } else if (existing.isGroup() && isSameIDP(existing)) {
            target = (Group) existing;
        } else {
            log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", extGroup.getId(), idp.getName());
            continue;
        }
        log.debug("- user manager returned '{}'", target);

        syncGroup(extGroup, target);
        target.addMember(auth);
        log.debug("- added '{}' as member to '{}'", auth, target);
        // this membership is confirmed by the IDP, so it must not be revoked below
        staleGroups.remove(target.getID());

        if (depth > 1) {
            log.debug("- recursively sync group membership of '{}' (depth = {}).", target.getID(), depth);
            syncMembership(extGroup, target, depth - 1);
        } else {
            log.debug("- group nesting level for '{}' reached", target.getID());
        }
    }
    stopwatch.mark("adding");

    // Revoke the memberships the IDP no longer reports.
    for (Group stale : staleGroups.values()) {
        stale.removeMember(auth);
        log.debug("- removing member '{}' for group '{}'", auth.getID(), stale.getID());
    }
    if (log.isDebugEnabled()) {
        stopwatch.mark("removing");
        log.debug("syncMembership({}) {}", external.getId(), stopwatch.getString());
    }
}

Example 37 with ExternalIdentity

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity in project jackrabbit-oak by apache.

From the class SyncMBeanImplTest, method testSyncAllUsersForeign.

/**
 * syncAllUsers must report only the identities of its own IDP; identities that
 * were synced from a foreign IDP are neither reported nor touched.
 */
@Test
public void testSyncAllUsersForeign() throws Exception {
    // seed the repository from two different IDPs with membership nesting switched off
    syncConfig.user().setMembershipNestingDepth(0);
    sync(idp, TestIdentityProvider.ID_TEST_USER, false);
    sync(idp, "a", true);
    sync(foreignIDP, TestIdentityProvider.ID_SECOND_USER, false);
    sync(foreignIDP, "aa", true);

    // only the two identities of the MBean's own IDP may show up in the result
    String[] messages = syncMBean.syncAllUsers(false);
    Map<String, String> expected = ImmutableMap.of(TestIdentityProvider.ID_TEST_USER, "upd", "a", "upd");
    assertResultMessages(messages, expected);

    // every identity synced above, foreign ones included, is still checked via assertSync
    ExternalIdentity[] synced = {
        idp.getUser(TestIdentityProvider.ID_TEST_USER),
        foreignIDP.getUser(TestIdentityProvider.ID_SECOND_USER),
        idp.getGroup("a"),
        foreignIDP.getGroup("aa")
    };
    UserManager um = getUserManager();
    for (ExternalIdentity identity : synced) {
        assertSync(identity, um);
    }
}

Example 38 with ExternalIdentity

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity in project jackrabbit-oak by apache.

From the class SyncMBeanImplTest, method testSyncAllGroups.

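/**
 * syncAllUsers must also cover groups that were previously synced from the IDP
 * and report each of them as updated.
 */
@Test
public void testSyncAllGroups() throws Exception {
    // sync every group the IDP lists, remembering the ids we expect to be reported as "upd"
    // (typed map instead of the raw HashMap the original used, which only compiled with an unchecked warning)
    Map<String, String> expected = new HashMap<String, String>();
    Iterator<ExternalGroup> groups = idp.listGroups();
    while (groups.hasNext()) {
        ExternalGroup group = groups.next();
        sync(idp, group.getId(), true);
        expected.put(group.getId(), "upd");
    }

    // syncAllUsers picks up the synced groups as well
    String[] result = syncMBean.syncAllUsers(false);
    assertResultMessages(result, expected);

    UserManager userManager = getUserManager();
    for (String id : expected.keySet()) {
        assertSync(idp.getGroup(id), userManager);
    }
}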

Example 39 with ExternalIdentity

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity in project jackrabbit-oak by apache.

From the class SyncMBeanImplTest, method testInitialSyncAllExternalUsers.

/**
 * An initial syncAllExternalUsers on an empty repository must report every
 * identity as added and leave each of them in a synced state.
 */
@Test
public void testInitialSyncAllExternalUsers() throws Exception {
    String[] messages = syncMBean.syncAllExternalUsers();
    Map<String, String> expected = getExpectedUserResult("add", false);
    assertResultMessages(messages, expected);

    UserManager um = getUserManager();
    for (String id : expected.keySet()) {
        // the expected ids cover users and groups alike, so fall back to a group lookup
        ExternalIdentity identity = idp.getUser(id);
        assertSync(identity != null ? identity : idp.getGroup(id), um);
    }
}

Example 40 with ExternalIdentity

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity in project jackrabbit-oak by apache.

From the class LdapProviderTest, method testGetMembers.

/**
 * Resolving the DN of the first test group must yield an ExternalGroup whose
 * declared members match the expected member list.
 */
@Test
public void testGetMembers() throws Exception {
    ExternalIdentityRef groupRef = new ExternalIdentityRef(TEST_GROUP1_DN, IDP_NAME);
    ExternalIdentity resolved = idp.getIdentity(groupRef);
    assertTrue("Group instance", resolved instanceof ExternalGroup);
    assertIfEquals("Group members", TEST_GROUP1_MEMBERS, ((ExternalGroup) resolved).getDeclaredMembers());
}
