Posted to oak-commits@jackrabbit.apache.org by dj...@apache.org on 2016/08/25 14:50:52 UTC

svn commit: r1757698 - in /jackrabbit/oak/branches/1.2/oak-auth-external/src: main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/ test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/ test/java/org/apache...

Author: dj
Date: Thu Aug 25 14:50:52 2016
New Revision: 1757698

URL: http://svn.apache.org/viewvc?rev=1757698&view=rev
Log:
OAK-4679 - Backport OAK-4119, OAK-4101, OAK-4087 and OAK-4344
- fixing test failures on Windows

Added:
    jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthCredentials.java
      - copied unchanged from r1747380, jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthCredentials.java
    jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthDefaultExternalLoginModuleTest.java
      - copied, changed from r1747380, jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthDefaultExternalLoginModuleTest.java
    jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthLoginModule.java
      - copied unchanged from r1747380, jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthLoginModule.java
Modified:
    jackrabbit/oak/branches/1.2/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java
    jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/AbstractExternalAuthTest.java
    jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalLoginModuleDynamicMembershipTest.java
    jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java

Modified: jackrabbit/oak/branches/1.2/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.2/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java?rev=1757698&r1=1757697&r2=1757698&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.2/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java (original)
+++ jackrabbit/oak/branches/1.2/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java Thu Aug 25 14:50:52 2016
@@ -531,10 +531,10 @@ public class DefaultSyncContext implemen
             if (a == null) {
                 grp = createGroup(extGroup);
                 log.debug("- created new group");
-            } else if (a.isGroup()) {
+            } else if (a.isGroup() && isSameIDP(a)) {
                 grp = (Group) a;
             } else {
-                log.warn("Authorizable '{}' is not a group, but should be one.", extGroup.getId());
+                log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", extGroup.getId(), idp.getName());
                 continue;
             }
             log.debug("- user manager returned '{}'", grp);
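Review bot: The `else` branch holding the new `log.warn` now covers two different situations, an authorizable that is not a group and a group that `isSameIDP(a)` rejects, and the message does not say which one occurred. Because this condition decides whether membership declared by one IDP may be written to an existing group, a comment above the `else if` would help, e.g. `// reuse the group only if it was synced from this IDP; membership is never written to another IDP's group`. `isSameIDP` is not visible in this hunk, so whether it also rejects a locally created group that carries no external id should be confirmed and stated in that comment. Splitting the warning into one message per case would make skipped memberships easier to diagnose from the log. The enclosing method begins and ends outside the hunk.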
@@ -557,6 +557,7 @@ public class DefaultSyncContext implemen
             }
         }
         timer.mark("adding");
+
         // remove us from the lost membership groups
         for (Group grp : declaredExternalGroups.values()) {
             grp.removeMember(auth);

Modified: jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/AbstractExternalAuthTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/AbstractExternalAuthTest.java?rev=1757698&r1=1757697&r2=1757698&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/AbstractExternalAuthTest.java (original)
+++ jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/AbstractExternalAuthTest.java Thu Aug 25 14:50:52 2016
@@ -17,6 +17,7 @@
 package org.apache.jackrabbit.oak.spi.security.authentication.external;
 
 import java.security.PrivilegedExceptionAction;
+import java.util.Calendar;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
@@ -33,13 +34,18 @@ import com.google.common.base.Predicates
 import com.google.common.collect.Iterators;
 import com.google.common.collect.Sets;
 import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.oak.AbstractSecurityTest;
 import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.Type;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authentication.SystemSubject;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig;
+import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalPrincipalConfiguration;
 import org.junit.After;
 import org.junit.Before;
@@ -164,4 +170,18 @@ public abstract class AbstractExternalAu
         }
         return systemRoot;
     }
+
+    protected static void waitUntilExpired(@Nonnull User user, @Nonnull Root root, long expTime) throws RepositoryException {
+        Tree t = root.getTree(user.getPath());
+        PropertyState ps = t.getProperty(ExternalIdentityConstants.REP_LAST_SYNCED);
+        if (ps == null || ps.count() == 0) {
+            return;
+        }
+
+        long lastSynced = ps.getValue(Type.LONG);
+        long now = Calendar.getInstance().getTimeInMillis();
+        while (now - lastSynced <= expTime) {
+            now = Calendar.getInstance().getTimeInMillis();
+        }
+    }
 }
\ No newline at end of file
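Review bot: The loop in `waitUntilExpired` spins on `Calendar.getInstance()` without sleeping, so it occupies a core and allocates a new `Calendar` on every iteration for the whole expiration interval. Sleeping for the remaining time and reading the clock with `System.currentTimeMillis()` keeps the same exit condition without the busy loop; an interrupt can be reported through the `RepositoryException` the method already declares. A short Javadoc stating that the method returns immediately when `REP_LAST_SYNCED` is absent or empty would also help callers.

```java
        long lastSynced = ps.getValue(Type.LONG);
        long remaining = expTime - (System.currentTimeMillis() - lastSynced);
        while (remaining >= 0) {
            try {
                Thread.sleep(remaining + 1);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                throw new RepositoryException(e);
            }
            remaining = expTime - (System.currentTimeMillis() - lastSynced);
        }
```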

Modified: jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalLoginModuleDynamicMembershipTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalLoginModuleDynamicMembershipTest.java?rev=1757698&r1=1757697&r2=1757698&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalLoginModuleDynamicMembershipTest.java (original)
+++ jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalLoginModuleDynamicMembershipTest.java Thu Aug 25 14:50:52 2016
@@ -23,6 +23,7 @@ import javax.jcr.SimpleCredentials;
 import javax.jcr.Value;
 
 import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants;
@@ -165,17 +166,19 @@ public class ExternalLoginModuleDynamicM
             // synchronized users with full membership sync.
             Root systemRoot = getSystemRoot();
             UserManager userManager = getUserManager(systemRoot);
-            Authorizable a = userManager.getAuthorizable(USER_ID);
-            a.removeProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES);
+            User user = userManager.getAuthorizable(USER_ID, User.class);
+            user.removeProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES);
             systemRoot.commit();
 
+            waitUntilExpired(user, systemRoot, syncConfig.user().getExpirationTime());
+
             // login again
             login(new SimpleCredentials(USER_ID, new char[0])).close();
 
             systemRoot.refresh();
-            a = userManager.getAuthorizable(USER_ID);
-            assertTrue(a.hasProperty(ExternalIdentityConstants.REP_LAST_SYNCED));
-            assertFalse(a.hasProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES));
+            user = userManager.getAuthorizable(USER_ID, User.class);
+            assertTrue(user.hasProperty(ExternalIdentityConstants.REP_LAST_SYNCED));
+            assertFalse(user.hasProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES));
 
             for (ExternalIdentityRef ref : idp.getUser(USER_ID).getDeclaredGroups()) {
                 assertNotNull(userManager.getAuthorizable(ref.getId()));
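Review bot: `userManager.getAuthorizable(USER_ID, User.class)` can return null, and the result is dereferenced directly by `user.removeProperty(...)` and passed to the `@Nonnull` parameter of `waitUntilExpired`, so a missing user surfaces as a NullPointerException rather than as a test failure. Adding `assertNotNull(user);` after each of the two lookups gives a clear failure instead. The same applies to the `uMgr.getAuthorizable(TestIdentityProvider.ID_TEST_USER, User.class)` argument in the `testExistingExternalReSync` hunk of PreAuthDefaultExternalLoginModuleTest. The test method starts and ends outside this hunk.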

Copied: jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthDefaultExternalLoginModuleTest.java (from r1747380, jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthDefaultExternalLoginModuleTest.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthDefaultExternalLoginModuleTest.java?p2=jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthDefaultExternalLoginModuleTest.java&p1=jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthDefaultExternalLoginModuleTest.java&r1=1747380&r2=1757698&rev=1757698&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthDefaultExternalLoginModuleTest.java (original)
+++ jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthDefaultExternalLoginModuleTest.java Thu Aug 25 14:50:52 2016
@@ -26,6 +26,7 @@ import javax.security.auth.login.Configu
 import javax.security.auth.login.LoginException;
 
 import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.oak.api.ContentSession;
 import org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext;
@@ -46,7 +47,7 @@ import static org.junit.Assert.assertNul
  */
 public class PreAuthDefaultExternalLoginModuleTest extends ExternalLoginModuleTestBase {
 
-    private Map<String, Object> preAuthOptions = new HashMap<>();
+    private Map<String, Object> preAuthOptions = new HashMap<String, Object>();
 
     @Before
     public void before() throws Exception {
@@ -154,7 +155,8 @@ public class PreAuthDefaultExternalLogin
     @Test
     public void testExistingExternalReSync() throws Exception {
         // sync user upfront
-        SyncContext syncContext = new DefaultSyncContext(syncConfig, idp, getUserManager(root), getValueFactory(root));
+        UserManager uMgr = getUserManager(root);
+        SyncContext syncContext = new DefaultSyncContext(syncConfig, idp, uMgr, getValueFactory(root));
         SyncResult result = syncContext.sync(idp.getUser(TestIdentityProvider.ID_TEST_USER));
         long lastSynced = result.getIdentity().lastSynced();
         root.commit();
@@ -162,6 +164,9 @@ public class PreAuthDefaultExternalLogin
         PreAuthCredentials creds = new PreAuthCredentials(TestIdentityProvider.ID_TEST_USER);
         ContentSession cs = null;
         try {
+            // wait until the synced user is expired
+            waitUntilExpired(uMgr.getAuthorizable(TestIdentityProvider.ID_TEST_USER, User.class), root, syncConfig.user().getExpirationTime());
+
             cs = login(creds);
 
             assertEquals(PreAuthCredentials.PRE_AUTH_DONE, creds.getMessage());

Modified: jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java?rev=1757698&r1=1757697&r2=1757698&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java (original)
+++ jackrabbit/oak/branches/1.2/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java Thu Aug 25 14:50:52 2016
@@ -23,6 +23,7 @@ import java.util.Calendar;
 import java.util.Collection;
 import java.util.Date;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
@@ -574,6 +575,68 @@ public class DefaultSyncContextTest exte
     }
 
     @Test
+    public void testLostMembershipWithExpirationSet() throws Exception {
+        long expTime = 2;
+        syncConfig.user().setMembershipNestingDepth(1).setMembershipExpirationTime(expTime).setExpirationTime(expTime);
+
+        Group gr = createTestGroup();
+        setExternalID(gr, idp.getName());
+
+        SyncResult result = syncCtx.sync(idp.listUsers().next());
+        User user = (User) userManager.getAuthorizable(result.getIdentity().getId());
+        gr.addMember(user);
+        root.commit();
+
+        waitUntilExpired(user, root, expTime);
+        DefaultSyncContext newCtx = new DefaultSyncContext(syncConfig, idp, userManager, valueFactory);
+
+        result = newCtx.sync(user.getID());
+        root.commit();
+        assertSame(SyncResult.Status.UPDATE, result.getStatus());
+
+        gr = (Group) userManager.getAuthorizable(gr.getID());
+        assertFalse(gr.isDeclaredMember(userManager.getAuthorizable(user.getID())));
+    }
+
+    /**
+     * @see <a href="https://issues.apache.org/jira/browse/OAK-4397">OAK-4397</a>
+     */
+    @Test
+    public void testMembershipForExistingForeignGroup() throws Exception {
+        syncConfig.user().setMembershipNestingDepth(1).setMembershipExpirationTime(-1).setExpirationTime(-1);
+        syncConfig.group().setExpirationTime(-1);
+
+        ExternalUser externalUser = idp.getUser(USER_ID);
+        ExternalIdentityRef groupRef = externalUser.getDeclaredGroups().iterator().next();
+
+        // create the group as if it had been synced by a foreign IDP
+        Group gr = userManager.createGroup(groupRef.getId());
+        setExternalID(gr, "foreignIDP");  // but don't set rep:lastSynced :-)
+        root.commit();
+
+        SyncResult result = syncCtx.sync(externalUser);
+        assertSame(SyncResult.Status.ADD, result.getStatus());
+
+        User user = userManager.getAuthorizable(externalUser.getId(), User.class);
+        assertNotNull(user);
+
+        // synchronizing the user from our IDP must _neither_ change the group
+        // members of the group belonging to a different IDP nor synchronizing
+        // that foreign group with information retrieved from this IDP (e.g.
+        // properties and as such must _not_ set the last-synced property.
+
+        // -> verify group last-synced has not been added
+        assertFalse(gr.hasProperty(DefaultSyncContext.REP_LAST_SYNCED));
+
+        // -> verify group membership has not changed
+        assertFalse(gr.isDeclaredMember(user));
+        Iterator<Group> declared = user.declaredMemberOf();
+        while (declared.hasNext()) {
+            assertFalse(gr.getID().equals(declared.next().getID()));
+        }
+    }
+
+    @Test
     public void testGetAuthorizableUser() throws Exception {
         ExternalIdentity extUser = idp.listUsers().next();
         User user = syncCtx.getAuthorizable(extUser, User.class);
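Review bot: `testMembershipForExistingForeignGroup` covers only a group tagged with another IDP's name; the `isSameIDP` check changed in DefaultSyncContext presumably also decides what happens to an existing group that has no external id at all, and that case has no test here. A sibling test that creates the group with `userManager.createGroup(groupRef.getId())`, skips `setExternalID`, and asserts the expected membership outcome would pin that behaviour. The block comment before the assertions has an unclosed parenthesis and would read more clearly as `// syncing the user from our IDP must neither change the members of a group owned by a different IDP nor sync that group with data from this IDP, so last-synced must not be set`. In `testLostMembershipWithExpirationSet`, `userManager.getAuthorizable(result.getIdentity().getId(), User.class)` would match the lookup style of the second test instead of the `(User)` cast.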