Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2023/01/19 17:25:39 UTC

[jackrabbit-oak] branch trunk updated: OAK-10074 : AutoMembershipProvider consistency with ExternalPrincipalProvider

This is an automated email from the ASF dual-hosted git repository.

angela pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git


The following commit(s) were added to refs/heads/trunk by this push:
     new bf02e7adc1 OAK-10074 : AutoMembershipProvider consistency with ExternalPrincipalProvider
bf02e7adc1 is described below

commit bf02e7adc1f1a0fb06f05b7663ec0a695d1710af
Author: angela <an...@adobe.com>
AuthorDate: Thu Jan 19 18:25:30 2023 +0100

    OAK-10074 : AutoMembershipProvider consistency with ExternalPrincipalProvider
---
 .../impl/principal/AutoMembershipProvider.java     |  4 +--
 .../external/impl/DynamicSyncTest.java             | 34 ++++++++++++++++++++++
 2 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java
index a4c49a70b4..84595ab803 100644
--- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java
+++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java
@@ -52,7 +52,6 @@ import java.util.stream.StreamSupport;
 import static org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants.REP_EXTERNAL_ID;
 import static org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.DynamicGroupUtil.getIdpName;
 import static org.apache.jackrabbit.oak.spi.security.user.UserConstants.NT_REP_AUTHORIZABLE;
-import static org.apache.jackrabbit.oak.spi.security.user.UserConstants.NT_REP_GROUP;
 import static org.apache.jackrabbit.oak.spi.security.user.UserConstants.NT_REP_USER;
 import static org.apache.jackrabbit.oak.spi.security.user.UserConstants.REP_AUTHORIZABLE_ID;
 
@@ -190,7 +189,8 @@ class AutoMembershipProvider implements DynamicMembershipProvider {
             return;
         }
 
-        String nodeType = (groupIdpNames.isEmpty()) ? NT_REP_USER : (idpNames.size() == groupIdpNames.size()) ? NT_REP_GROUP : NT_REP_AUTHORIZABLE;
+        // currently 'group.automembership' is added for all users -> search for type authorizable (not just groups)
+        String nodeType = (groupIdpNames.isEmpty()) ? NT_REP_USER : NT_REP_AUTHORIZABLE;
 
         // since this provider is only enabled for dynamic-automembership the 'includeInherited' flag can be ignored.
         // as group-membership for dynamic users is flattened and automembership-configuration for groups is included.
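Review bot: The new comment above `nodeType` says "currently" without naming what it depends on, so a later reader cannot tell when searching `NT_REP_AUTHORIZABLE` stops being the right choice. Judging by the commit title, the intent is to keep member lookup in step with how ExternalPrincipalProvider hands out the auto-membership group principals. Group membership feeds permission evaluation, so a mismatch would make membership listings under- or over-report who actually holds the group principal. I would name the dependency in the comment, e.g. `// OAK-10074: 'group.automembership' is applied to users as well as groups (see ExternalPrincipalProvider), so search all authorizables, not only groups`. The enclosing method starts and ends outside this hunk, so the query built from `nodeType` is not visible here.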
diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java
index 0f55531f0e..348c188ea5 100644
--- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java
+++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java
@@ -37,6 +37,7 @@ import java.util.List;
 import java.util.Set;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@@ -143,6 +144,39 @@ public class DynamicSyncTest extends AbstractDynamicTest {
         assertExpectedIds(expectedIds, aGroup.declaredMemberOf(), aGroup.memberOf());
     }
 
+    @Test
+    public void testAutomembershipGroups() throws Exception {
+        ExternalUser externalUser = idp.getUser(USER_ID);
+        sync(externalUser, SyncResult.Status.ADD);
+
+        Authorizable user = userManager.getAuthorizable(USER_ID);
+        Group aGroup = userManager.getAuthorizable("a", Group.class);
+
+        // verify group 'autoForGroups'
+        Set<String> expMemberIds = ImmutableSet.of("a", "b", "c", "aa", "aaa", USER_ID);
+        assertExpectedIds(expMemberIds, autoForGroups.getDeclaredMembers(), autoForGroups.getMembers());
+        assertIsMember(autoForGroups, true, user, aGroup);
+        assertIsMember(autoForGroups, false, user, aGroup);
+        assertFalse(autoForGroups.isMember(base));
+    }
+
+    @Test
+    public void testAutomembershipUsers() throws Exception {
+        ExternalUser externalUser = idp.getUser(USER_ID);
+        sync(externalUser, SyncResult.Status.ADD);
+
+        Authorizable user = userManager.getAuthorizable(USER_ID);
+        Group aGroup = userManager.getAuthorizable("a", Group.class);
+
+        // verify group 'autoForUsers'
+        Set<String> expMemberIds = ImmutableSet.of(USER_ID);
+        assertExpectedIds(expMemberIds, autoForUsers.getDeclaredMembers(), autoForUsers.getMembers());
+        assertTrue(autoForUsers.isMember(user));
+
+        assertFalse(autoForUsers.isMember(aGroup));
+        assertFalse(autoForUsers.isMember(base));
+    }
+
     private static void assertIsMember(@NotNull Group group, boolean declared, @NotNull Authorizable... members) {
         try {
             for (Authorizable member : members) {
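Review bot: The negative checks in `testAutomembershipGroups` and `testAutomembershipUsers` call only `isMember`, while the positive check in the first test goes through `assertIsMember` with both `true` and `false` for its `declared` flag. Because the provider change widens which node types are searched, the tests should also pin that non-members are rejected on the declared path, for example `assertFalse(autoForUsers.isDeclaredMember(aGroup));` and `assertFalse(autoForGroups.isDeclaredMember(base));`. `aGroup` is used without an `assertNotNull`, so a missing fixture group would surface as an unclear failure rather than a direct one. `base`, `autoForGroups` and `autoForUsers` are defined outside the hunk, so their setup is assumed here.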