
Example 31 with ExternalIdentityRef

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef in project jackrabbit-oak by apache.

From class Delegatee, method append.

/**
 * Appends one JSON-like status record describing {@code syncedIdentity} to {@code list}.
 *
 * The record has the shape {@code {op:"<op>",uid:<uid>,eid:<eid>}} with an optional
 * trailing {@code msg:<msg>} member. {@code uid}, {@code eid} and {@code msg} are
 * rendered through {@link JsonUtil#getJsonString(String)}; {@code op} is written into
 * the string verbatim between literal quotes, so callers are expected to pass a
 * constant label rather than externally supplied text. When {@code syncedIdentity}
 * is {@code null} the uid is derived from a {@code null} id, and a missing external
 * reference is rendered as an empty quoted string for {@code eid}.
 *
 * @param list           target list receiving the formatted record
 * @param syncedIdentity identity the record describes, may be {@code null}
 * @param op             operation label
 * @param msg            optional message, omitted from the record when {@code null}
 */
private static void append(@Nonnull List<String> list, @CheckForNull SyncedIdentity syncedIdentity, @Nonnull String op, @CheckForNull String msg) {
    String identityId = null;
    ExternalIdentityRef externalRef = null;
    if (syncedIdentity != null) {
        identityId = syncedIdentity.getId();
        externalRef = syncedIdentity.getExternalIdRef();
    }
    String uid = JsonUtil.getJsonString(identityId);
    String eid;
    if (externalRef == null) {
        eid = "\"\"";
    } else {
        eid = JsonUtil.getJsonString(externalRef.getString());
    }
    StringBuilder record = new StringBuilder();
    record.append("{op:\"").append(op).append("\",uid:").append(uid).append(",eid:").append(eid);
    if (msg != null) {
        record.append(",msg:").append(JsonUtil.getJsonString(msg));
    }
    record.append('}');
    list.add(record.toString());
}

Example 32 with ExternalIdentityRef

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef in project jackrabbit-oak by apache.

From class DefaultSyncContext, method syncMembership.

/**
 * Recursively synchronizes the group memberships of {@code auth} with the declared
 * groups the IDP reports for {@code external}, down to the given nesting depth.
 * A depth of 0 or less is a no-op.
 * <p>
 * For each declared external group the repository group with the same id is looked
 * up (or created) and {@code auth} is added to it. Groups of this IDP that
 * {@code auth} was a member of before, but that the IDP no longer reports, are
 * removed again. A ref that does not resolve to an {@link ExternalGroup}, that
 * cannot be fetched, or whose local authorizable is not a group of this IDP is
 * skipped with a warning. If the declared groups cannot be fetched at all, the
 * sync for this identity is aborted (logged as error) and existing memberships
 * are left untouched.
 *
 * @param external the external identity whose declared groups are authoritative
 * @param auth the repository authorizable whose memberships are adjusted
 * @param depth remaining recursion depth; nested memberships are synced while {@code depth > 1}
 * @throws RepositoryException if the user manager or a group operation fails
 */
protected void syncMembership(@Nonnull ExternalIdentity external, @Nonnull Authorizable auth, long depth) throws RepositoryException {
    if (depth <= 0) {
        return;
    }
    if (log.isDebugEnabled()) {
        log.debug("Syncing membership '{}' -> '{}'", external.getExternalId().getString(), auth.getID());
    }
    final DebugTimer timer = new DebugTimer();
    Iterable<ExternalIdentityRef> declaredRefs;
    try {
        declaredRefs = external.getDeclaredGroups();
    } catch (ExternalIdentityException e) {
        log.error("Error while retrieving external declared groups for '{}'", external.getId(), e);
        return;
    }
    timer.mark("fetching");
    // snapshot of the groups from this IDP that auth currently belongs to; whatever is
    // still in here after the loop below is a membership the IDP no longer reports
    Map<String, Group> staleGroups = new HashMap<String, Group>();
    for (Iterator<Group> it = auth.declaredMemberOf(); it.hasNext(); ) {
        Group member = it.next();
        if (isSameIDP(member)) {
            staleGroups.put(member.getID(), member);
        }
    }
    timer.mark("reading");
    for (ExternalIdentityRef ref : declaredRefs) {
        log.debug("- processing membership {}", ref.getId());
        // resolve the ref against the IDP; anything that is not a group is skipped
        ExternalGroup extGroup;
        try {
            ExternalIdentity resolved = idp.getIdentity(ref);
            if (!(resolved instanceof ExternalGroup)) {
                log.warn("No external group found for ref '{}'.", ref.getString());
                continue;
            }
            extGroup = (ExternalGroup) resolved;
        } catch (ExternalIdentityException e) {
            log.warn("Unable to retrieve external group '{}' from provider.", ref.getString(), e);
            continue;
        }
        log.debug("- idp returned '{}'", extGroup.getId());
        Authorizable existing = userManager.getAuthorizable(extGroup.getId());
        Group grp;
        if (existing == null) {
            grp = createGroup(extGroup);
            log.debug("- created new group");
        } else if (existing.isGroup() && isSameIDP(existing)) {
            grp = (Group) existing;
        } else {
            // never attach the user to an authorizable that this IDP does not own
            log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", extGroup.getId(), idp.getName());
            continue;
        }
        log.debug("- user manager returned '{}'", grp);
        syncGroup(extGroup, grp);
        // ensure membership
        grp.addMember(auth);
        log.debug("- added '{}' as member to '{}'", auth, grp);
        // still reported by the IDP, so this group is not stale
        staleGroups.remove(grp.getID());
        // recursively apply further membership
        if (depth > 1) {
            log.debug("- recursively sync group membership of '{}' (depth = {}).", grp.getID(), depth);
            syncMembership(extGroup, grp, depth - 1);
        } else {
            log.debug("- group nesting level for '{}' reached", grp.getID());
        }
    }
    timer.mark("adding");
    // remove us from the lost membership groups
    for (Group lost : staleGroups.values()) {
        lost.removeMember(auth);
        log.debug("- removing member '{}' for group '{}'", auth.getID(), lost.getID());
    }
    if (log.isDebugEnabled()) {
        timer.mark("removing");
        log.debug("syncMembership({}) {}", external.getId(), timer.getString());
    }
}

Example 33 with ExternalIdentityRef

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef in project jackrabbit-oak by apache.

From class Delegatee, method isMyIDP.

//------------------------------------------------------------< private >---
/**
 * Tells whether {@code id} is attributed to the IDP this delegatee works for.
 *
 * An identity qualifies when it carries an external reference whose provider name
 * is non-null and either equals {@code idp.getName()} or is empty; an empty provider
 * name is accepted as matching this IDP. Identities without an external reference,
 * or with a {@code null} provider name, are never considered ours.
 *
 * @param id the synced identity to check
 * @return {@code true} if the identity belongs to this IDP
 */
private boolean isMyIDP(@Nonnull SyncedIdentity id) {
    ExternalIdentityRef externalRef = id.getExternalIdRef();
    if (externalRef == null) {
        return false;
    }
    String provider = externalRef.getProviderName();
    if (provider == null) {
        return false;
    }
    return provider.isEmpty() || provider.equals(idp.getName());
}

Example 34 with ExternalIdentityRef

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef in project jackrabbit-oak by apache.

From class DefaultSyncContext, method sync.

/**
 * Synchronizes the repository authorizable with the given id against this context's IDP.
 * <p>
 * Outcome by case: no such authorizable yields {@code SyncResult.Status.NO_SUCH_AUTHORIZABLE};
 * an authorizable without an external reference, or attributed to another IDP, yields
 * {@code SyncResult.Status.FOREIGN} and is left untouched; otherwise the matching external
 * group or user is fetched from the IDP and either synced or, when the IDP no longer knows
 * it, handed to {@code handleMissingIdentity}. Groups and users are told apart via
 * {@code auth.isGroup()}.
 *
 * @param id the id of the repository authorizable to sync
 * @return the result of the sync
 * @throws SyncException wrapping any {@link RepositoryException} or
 *         {@link ExternalIdentityException} raised while syncing
 */
@Nonnull
@Override
public SyncResult sync(@Nonnull String id) throws SyncException {
    try {
        DebugTimer timer = new DebugTimer();
        // find authorizable
        Authorizable authorizable = userManager.getAuthorizable(id);
        if (authorizable == null) {
            DefaultSyncedIdentity missing = new DefaultSyncedIdentity(id, null, false, -1);
            return new DefaultSyncResultImpl(missing, SyncResult.Status.NO_SUCH_AUTHORIZABLE);
        }
        // only identities attributed to this IDP are touched
        ExternalIdentityRef ref = getIdentityRef(authorizable);
        if (ref == null || !isSameIDP(ref)) {
            DefaultSyncedIdentity foreign = new DefaultSyncedIdentity(id, ref, authorizable.isGroup(), -1);
            return new DefaultSyncResultImpl(foreign, SyncResult.Status.FOREIGN);
        }
        DefaultSyncResultImpl result;
        if (authorizable.isGroup()) {
            ExternalGroup externalGroup = idp.getGroup(id);
            timer.mark("retrieve");
            if (externalGroup != null) {
                result = syncGroup(externalGroup, (Group) authorizable);
                timer.mark("sync");
            } else {
                result = handleMissingIdentity(id, authorizable, timer);
            }
        } else {
            ExternalUser externalUser = idp.getUser(id);
            timer.mark("retrieve");
            if (externalUser != null) {
                result = syncUser(externalUser, (User) authorizable);
                timer.mark("sync");
            } else {
                result = handleMissingIdentity(id, authorizable, timer);
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("sync({}) -> {} {}", id, ref.getString(), timer.getString());
        }
        return result;
    } catch (RepositoryException e) {
        throw new SyncException(e);
    } catch (ExternalIdentityException e) {
        throw new SyncException(e);
    }
}

Example 35 with ExternalIdentityRef

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef in project jackrabbit-oak by apache.

From class SyncMBeanImplTest, method testSyncExternalForeign.

/**
 * Syncing an external user whose reference names a different IDP must be reported
 * as foreign, and repeating the same request must produce the same result messages.
 *
 * @see <a href="https://issues.apache.org/jira/browse/OAK-4346">OAK-4346</a>
 */
@Test
public void testSyncExternalForeign() throws Exception {
    ExternalIdentityRef foreignRef = new ExternalIdentityRef(TestIdentityProvider.ID_TEST_USER, "anotherIDP");
    // second pass runs the identical request again; the outcome must not change
    for (int pass = 0; pass < 2; pass++) {
        String[] result = syncMBean.syncExternalUsers(new String[] { foreignRef.getString() });
        assertResultMessages(result, TestIdentityProvider.ID_TEST_USER, "for");
    }
}
