Use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity in project jackrabbit-oak by apache.
The class DefaultSyncContext, method syncMembership.
/**
 * Synchronizes the group memberships of {@code auth} with the groups declared by
 * {@code external}, descending into nested groups until {@code depth} is exhausted.
 * A depth of 0 or less is a no-op.
 * <p>
 * Only groups belonging to this IDP are touched: an existing authorizable with the
 * same id that is not recognised as a group of this IDP is skipped with a warning
 * rather than re-used, and membership is only removed from groups that were
 * previously synced from this IDP.
 *
 * @param external the external identity whose declared groups are authoritative
 * @param auth the repository authorizable whose memberships are adjusted
 * @param depth remaining recursion depth; 1 syncs direct memberships only
 * @throws RepositoryException propagated from the user manager or group operations
 */
protected void syncMembership(@Nonnull ExternalIdentity external, @Nonnull Authorizable auth, long depth) throws RepositoryException {
    if (depth <= 0) {
        return;
    }
    if (log.isDebugEnabled()) {
        log.debug("Syncing membership '{}' -> '{}'", external.getExternalId().getString(), auth.getID());
    }
    final DebugTimer timer = new DebugTimer();

    // the IDP's answer is authoritative; without it nothing is added or removed
    final Iterable<ExternalIdentityRef> expectedGroups;
    try {
        expectedGroups = external.getDeclaredGroups();
    } catch (ExternalIdentityException e) {
        log.error("Error while retrieving external declared groups for '{}'", external.getId(), e);
        return;
    }
    timer.mark("fetching");

    // current memberships that originate from this IDP; whatever is still in this map
    // after the IDP's list has been processed is a membership the IDP no longer declares
    final Map<String, Group> staleGroups = new HashMap<String, Group>();
    for (Iterator<Group> it = auth.declaredMemberOf(); it.hasNext(); ) {
        Group current = it.next();
        if (isSameIDP(current)) {
            staleGroups.put(current.getID(), current);
        }
    }
    timer.mark("reading");

    for (ExternalIdentityRef ref : expectedGroups) {
        log.debug("- processing membership {}", ref.getId());
        ExternalIdentity resolved;
        try {
            resolved = idp.getIdentity(ref);
        } catch (ExternalIdentityException e) {
            log.warn("Unable to retrieve external group '{}' from provider.", ref.getString(), e);
            continue;
        }
        if (!(resolved instanceof ExternalGroup)) {
            log.warn("No external group found for ref '{}'.", ref.getString());
            continue;
        }
        ExternalGroup extGroup = (ExternalGroup) resolved;
        log.debug("- idp returned '{}'", extGroup.getId());

        // re-use a repository group only when it is one of this IDP's groups; an
        // authorizable that merely shares the id is never attached to
        Authorizable existing = userManager.getAuthorizable(extGroup.getId());
        Group grp;
        if (existing == null) {
            grp = createGroup(extGroup);
            log.debug("- created new group");
        } else if (existing.isGroup() && isSameIDP(existing)) {
            grp = (Group) existing;
        } else {
            log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", extGroup.getId(), idp.getName());
            continue;
        }
        log.debug("- user manager returned '{}'", grp);
        syncGroup(extGroup, grp);
        grp.addMember(auth);
        log.debug("- added '{}' as member to '{}'", auth, grp);
        // still declared by the IDP, hence not stale
        staleGroups.remove(grp.getID());
        if (depth > 1) {
            log.debug("- recursively sync group membership of '{}' (depth = {}).", grp.getID(), depth);
            syncMembership(extGroup, grp, depth - 1);
        } else {
            log.debug("- group nesting level for '{}' reached", grp.getID());
        }
    }
    timer.mark("adding");

    // drop memberships the IDP no longer declares; this also covers refs that were
    // skipped above (unresolvable or not a group of this IDP), since those were
    // never removed from the map
    for (Group lost : staleGroups.values()) {
        lost.removeMember(auth);
        log.debug("- removing member '{}' for group '{}'", auth.getID(), lost.getID());
    }
    if (log.isDebugEnabled()) {
        timer.mark("removing");
        log.debug("syncMembership({}) {}", external.getId(), timer.getString());
    }
}
Use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity in project jackrabbit-oak by apache.
The class SyncMBeanImplTest, method testSyncAllUsersForeign.
@Test
public void testSyncAllUsersForeign() throws Exception {
    // seed the repository from two different IDPs with membership nesting disabled,
    // so only the explicitly synced users and groups exist
    syncConfig.user().setMembershipNestingDepth(0);
    sync(idp, TestIdentityProvider.ID_TEST_USER, false);
    sync(idp, "a", true);
    sync(foreignIDP, TestIdentityProvider.ID_SECOND_USER, false);
    sync(foreignIDP, "aa", true);

    // syncAllUsers must report only the identities of its own IDP ...
    String[] messages = syncMBean.syncAllUsers(false);
    assertResultMessages(messages, ImmutableMap.of(TestIdentityProvider.ID_TEST_USER, "upd", "a", "upd"));

    // ... while the foreign user and group remain synced as before
    ExternalIdentity ownUser = idp.getUser(TestIdentityProvider.ID_TEST_USER);
    ExternalIdentity foreignUser = foreignIDP.getUser(TestIdentityProvider.ID_SECOND_USER);
    ExternalIdentity ownGroup = idp.getGroup("a");
    ExternalIdentity foreignGroup = foreignIDP.getGroup("aa");
    UserManager um = getUserManager();
    assertSync(ownUser, um);
    assertSync(foreignUser, um);
    assertSync(ownGroup, um);
    assertSync(foreignGroup, um);
}
Use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity in project jackrabbit-oak by apache.
The class SyncMBeanImplTest, method testSyncAllGroups.
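@Test
public void testSyncAllGroups() throws Exception {
    // sync every group of the IDP into the repo first; each of them is expected to be
    // reported as updated ("upd") by the subsequent syncAllUsers call.
    // Typed map instead of the raw HashMap: the raw type only hid an unchecked assignment.
    Map<String, String> expected = new HashMap<String, String>();
    Iterator<ExternalGroup> groups = idp.listGroups();
    while (groups.hasNext()) {
        String groupId = groups.next().getId();
        sync(idp, groupId, true);
        expected.put(groupId, "upd");
    }
    // syncAllUsers covers all synced authorizables of this IDP, which here are groups
    String[] result = syncMBean.syncAllUsers(false);
    assertResultMessages(result, expected);
    UserManager userManager = getUserManager();
    for (String id : expected.keySet()) {
        assertSync(idp.getGroup(id), userManager);
    }
}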
Use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity in project jackrabbit-oak by apache.
The class SyncMBeanImplTest, method testInitialSyncAllExternalUsers.
@Test
public void testInitialSyncAllExternalUsers() throws Exception {
    // every identity of the IDP is expected to be reported as added ("add")
    String[] result = syncMBean.syncAllExternalUsers();
    Map<String, String> expected = getExpectedUserResult("add", false);
    assertResultMessages(result, expected);

    UserManager userManager = getUserManager();
    for (String id : expected.keySet()) {
        // the expected ids cover users and groups; resolve whichever the id denotes
        ExternalIdentity ei = idp.getUser(id);
        assertSync(ei != null ? ei : idp.getGroup(id), userManager);
    }
}
Use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity in project jackrabbit-oak by apache.
The class LdapProviderTest, method testGetMembers.
@Test
public void testGetMembers() throws Exception {
    // resolving the test group's DN must yield a group whose declared members match
    ExternalIdentity resolved = idp.getIdentity(new ExternalIdentityRef(TEST_GROUP1_DN, IDP_NAME));
    assertTrue("Group instance", resolved instanceof ExternalGroup);
    ExternalGroup group = (ExternalGroup) resolved;
    assertIfEquals("Group members", TEST_GROUP1_MEMBERS, group.getDeclaredMembers());
}