Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2016/05/24 09:25:34 UTC
svn commit: r1745336 - in /jackrabbit/oak/trunk/oak-auth-external/src:
main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/
test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/
Author: angela
Date: Tue May 24 09:25:33 2016
New Revision: 1745336
URL: http://svn.apache.org/viewvc?rev=1745336&view=rev
Log:
OAK-4397 : DefaultSyncContext.syncMembership may sync group of a foreign IDP
Modified:
jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java
jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java
Modified: jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java?rev=1745336&r1=1745335&r2=1745336&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java (original)
+++ jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java Tue May 24 09:25:33 2016
@@ -531,10 +531,10 @@ public class DefaultSyncContext implemen
if (a == null) {
grp = createGroup(extGroup);
log.debug("- created new group");
- } else if (a.isGroup()) {
+ } else if (a.isGroup() && isSameIDP(a)) {
grp = (Group) a;
} else {
- log.warn("Authorizable '{}' is not a group, but should be one.", extGroup.getId());
+ log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", extGroup.getId(), idp.getName());
continue;
}
log.debug("- user manager returned '{}'", grp);
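Review bot: The new else branch folds two different conditions into one warning — the existing authorizable is a user with a colliding id, or it is a group that isSameIDP(a) rejects — so an operator reading the log cannot tell an id collision from a group owned by another IDP, which is the case OAK-4397 is about and the one worth auditing. Splitting the branch keeps the original message for the non-group case and gives the foreign-group case its own warning, as below. How isSameIDP treats a group that carries no external id at all (a locally created group with the same name) is not visible in this hunk; if such a group is now skipped as well, that is a behaviour change for existing repositories and deserves a sentence in the method's Javadoc. The enclosing loop and method start outside the hunk.
```java
} else if (a.isGroup() && isSameIDP(a)) {
    grp = (Group) a;
} else if (!a.isGroup()) {
    // id collision with a user: it cannot serve as the sync target for this group
    log.warn("Authorizable '{}' is not a group, but should be one.", extGroup.getId());
    continue;
} else {
    // the group exists but is not owned by this IDP: leave its membership
    // untouched and do not mark it as synced from here
    log.warn("Existing group '{}' does not belong to IDP '{}'; skipping membership sync.", extGroup.getId(), idp.getName());
    continue;
}
// … unchanged: debug logging and membership handling …
```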
@@ -557,6 +557,7 @@ public class DefaultSyncContext implemen
}
}
timer.mark("adding");
+
// remove us from the lost membership groups
for (Group grp : declaredExternalGroups.values()) {
grp.removeMember(auth);
Modified: jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java?rev=1745336&r1=1745335&r2=1745336&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java (original)
+++ jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java Tue May 24 09:25:33 2016
@@ -23,6 +23,7 @@ import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
+import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
@@ -574,6 +575,70 @@ public class DefaultSyncContextTest exte
}
@Test
+ public void testLostMembershipWithExpirationSet() throws Exception {
+ long expTime = 2;
+ syncConfig.user().setMembershipNestingDepth(1).setMembershipExpirationTime(expTime).setExpirationTime(expTime);
+
+ Group gr = createTestGroup();
+ setExternalID(gr, idp.getName());
+
+ SyncResult result = syncCtx.sync(idp.listUsers().next());
+ User user = (User) userManager.getAuthorizable(result.getIdentity().getId());
+ gr.addMember(user);
+ root.commit();
+
+ DefaultSyncContext newCtx = new DefaultSyncContext(syncConfig, idp, userManager, valueFactory);
+ while (!newCtx.isExpired(user, expTime, "Properties")) {
+ newCtx = new DefaultSyncContext(syncConfig, idp, userManager, valueFactory);
+ }
+
+ result = newCtx.sync(user.getID());
+ root.commit();
+ assertSame(SyncResult.Status.UPDATE, result.getStatus());
+
+ gr = (Group) userManager.getAuthorizable(gr.getID());
+ assertFalse(gr.isDeclaredMember(userManager.getAuthorizable(user.getID())));
+ }
+
+ /**
+ * @see <a href="https://issues.apache.org/jira/browse/OAK-4397">OAK-4397</a>
+ */
+ @Test
+ public void testMembershipForExistingForeignGroup() throws Exception {
+ syncConfig.user().setMembershipNestingDepth(1).setMembershipExpirationTime(-1).setExpirationTime(-1);
+ syncConfig.group().setExpirationTime(-1);
+
+ ExternalUser externalUser = idp.getUser(USER_ID);
+ ExternalIdentityRef groupRef = externalUser.getDeclaredGroups().iterator().next();
+
+ // create the group as if it had been synced by a foreign IDP
+ Group gr = userManager.createGroup(groupRef.getId());
+ setExternalID(gr, "foreignIDP"); // but don't set rep:lastSynced :-)
+ root.commit();
+
+ SyncResult result = syncCtx.sync(externalUser);
+ assertSame(SyncResult.Status.ADD, result.getStatus());
+
+ User user = userManager.getAuthorizable(externalUser.getId(), User.class);
+ assertNotNull(user);
+
+ // synchronizing the user from our IDP must _neither_ change the group
+ // members of the group belonging to a different IDP nor synchronizing
+ // that foreign group with information retrieved from this IDP (e.g.
+ // properties and as such must _not_ set the last-synced property.
+
+ // -> verify group last-synced has not been added
+ assertFalse(gr.hasProperty(DefaultSyncContext.REP_LAST_SYNCED));
+
+ // -> verify group membership has not changed
+ assertFalse(gr.isDeclaredMember(user));
+ Iterator<Group> declared = user.declaredMemberOf();
+ while (declared.hasNext()) {
+ assertFalse(gr.getID().equals(declared.next().getID()));
+ }
+ }
+
+ @Test
public void testGetAuthorizableUser() throws Exception {
ExternalIdentity extUser = idp.listUsers().next();
User user = syncCtx.getAuthorizable(extUser, User.class);