Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2023/01/11 12:19:19 UTC

[jackrabbit-oak] 01/01: OAK-10061 : WARN when for an external group a local group with the same name is already present

This is an automated email from the ASF dual-hosted git repository.

angela pushed a commit to branch OAK-10061
in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git

commit 1684f2b9ec6f1acdbcf5bee9ab90a9e70c50aae6
Author: angela <an...@adobe.com>
AuthorDate: Wed Jan 11 13:18:58 2023 +0100

    OAK-10061 : WARN when for an external group a local group with the same name is already present
---
 .../external/basic/DefaultSyncContext.java               | 16 +++++++++++++++-
 .../authentication/external/basic/package-info.java      |  2 +-
 .../authentication/external/impl/DynamicSyncContext.java |  3 ++-
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java
index 073efb4fab..bf4ba40c04 100644
--- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java
+++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java
@@ -229,6 +229,7 @@ public class DefaultSyncContext implements SyncContext {
         ExternalIdentityRef ref = identity.getExternalId();
         if (!isSameIDP(ref)) {
             // create result in accordance with sync(String) where status is FOREIGN
+            warnForeign(identity);
             boolean isGroup = (identity instanceof ExternalGroup);
             return new DefaultSyncResultImpl(new DefaultSyncedIdentity(identity.getId(), ref, isGroup, -1), SyncResult.Status.FOREIGN);
         }
@@ -286,6 +287,7 @@ public class DefaultSyncContext implements SyncContext {
             // check if we need to deal with this authorizable
             ExternalIdentityRef ref = getIdentityRef(auth);
             if (ref == null || !isSameIDP(ref)) {
+                warnForeignExisting(auth, auth.isGroup());
                 return new DefaultSyncResultImpl(new DefaultSyncedIdentity(id, ref, auth.isGroup(), -1), SyncResult.Status.FOREIGN);
             }
 
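Review bot: The guard `if (ref == null || !isSameIDP(ref))` now emits the same WARN for two different situations: an authorizable owned by another IDP, and a purely local one with no external reference (`ref == null`). If callers outside this hunk reach this path for ordinary local users or groups, the log fills with entries that read like id collisions and the genuine ones become harder to spot. Consider warning only when `ref != null`, or logging the `ref == null` case at a lower level with its own wording. The enclosing method starts and ends outside the hunk.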
@@ -428,6 +430,7 @@ public class DefaultSyncContext implements SyncContext {
     protected DefaultSyncResultImpl syncUser(@NotNull ExternalUser external, @NotNull User user) throws RepositoryException {
         // make also sure the local user to be synced belongs to the same IDP. Note: 'external' has been verified before.
         if (!isSameIDP(user)) {
+            warnForeignExisting(user, false);
             return new DefaultSyncResultImpl(new DefaultSyncedIdentity(external.getId(), external.getExternalId(), false, -1), SyncResult.Status.FOREIGN);
         }
 
@@ -457,6 +460,7 @@ public class DefaultSyncContext implements SyncContext {
     protected DefaultSyncResultImpl syncGroup(@NotNull ExternalGroup external, @NotNull Group group) throws RepositoryException {
         // make also sure the local user to be synced belongs to the same IDP. Note: 'external' has been verified before.
         if (!isSameIDP(group)) {
+            warnForeignExisting(group, true);
             return new DefaultSyncResultImpl(new DefaultSyncedIdentity(external.getId(), external.getExternalId(), false, -1), SyncResult.Status.FOREIGN);
         }
 
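Review bot: The FOREIGN result built in `syncGroup` passes `false` as the `isGroup` argument of `DefaultSyncedIdentity`, although both the external identity and the existing authorizable are groups here. The line looks carried over from `syncUser`, as does the comment's "local user". Since this commit touches the branch, it would be a good moment to use `new DefaultSyncedIdentity(external.getId(), external.getExternalId(), true, -1)` and say "local group" in the comment, unless a caller depends on the current value. The rest of `syncGroup` lies outside the hunk.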
@@ -554,7 +558,7 @@ public class DefaultSyncContext implements SyncContext {
                 } else if (a.isGroup() && isSameIDP(a)) {
                     grp = (Group) a;
                 } else {
-                    log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", extGroup.getId(), idp.getName());
+                    warnForeignExisting(a, true);
                     continue;
                 }
                 log.debug("- user manager returned '{}'", grp.getID());
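Review bot: Replacing the inline `log.warn` with `warnForeignExisting(a, true)` adds a new failure path to the skip branch: the helper is declared `throws RepositoryException` and reads `existing.getID()` and `existing.getPrincipal()`, whereas the removed message only used `extGroup.getId()` and `idp.getName()`. A repository error raised while formatting the warning would leave the loop instead of reaching `continue` for this one group. How far that propagates depends on code outside the hunk, but a logging helper is safer if it catches the exception itself and falls back to a shorter message. The new message also no longer names the external group (`extGroup.getId()`) whose membership was skipped, which makes the collision harder to trace back to the IDP side.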
@@ -773,6 +777,16 @@ public class DefaultSyncContext implements SyncContext {
         return idp.getName().equals(ref.getProviderName());
     }
 
+    protected void warnForeign(@NotNull ExternalIdentity externalIdentity) {
+        log.warn("Cannot sync externally identity '{}' due to IDP mismatch; expected IDP '{}'.", externalIdentity.getId(), idp.getName());
+    }
+    
+    protected void warnForeignExisting(@NotNull Authorizable existing, boolean expectGroup) throws RepositoryException {
+        String typeName = (existing.isGroup()) ? "group" : "user";
+        String expectedType = (expectGroup) ? "group" : "user";
+        log.warn("Cannot sync external identity: Existing {} with id '{}' and principal name '{}' is not a {} defined by IDP '{}'.", typeName, existing.getID(), existing.getPrincipal().getName(), expectedType, idp.getName());
+    }
+    
     private static String authType(@NotNull Authorizable a) {
         return a.isGroup() ? "group" : "user";
     }
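Review bot: Both new helpers write identity data verbatim into a WARN line (`externalIdentity.getId()`, `existing.getID()`, `existing.getPrincipal().getName()`), and at least the first presumably comes from an external provider; if the configured log layout does not encode line breaks, a value containing CR/LF can split an entry, so confirm the layout or strip control characters before logging. The `warnForeign` text says "Cannot sync externally identity" where "external identity" is meant, as in `warnForeignExisting`. `typeName` repeats what `authType(existing)` directly below already returns, so `String typeName = authType(existing);` would do. As new protected methods in a package whose version this commit raises, both deserve Javadoc, including that `warnForeignExisting` may throw `RepositoryException`.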
diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java
index abb95360ee..21e8576349 100644
--- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java
+++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-@Version("1.7.0")
+@Version("1.8.0")
 package org.apache.jackrabbit.oak.spi.security.authentication.external.basic;
 
 import org.osgi.annotation.versioning.Version;
diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java
index 14614ef41e..6662b86d30 100644
--- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java
+++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java
@@ -104,6 +104,7 @@ public class DynamicSyncContext extends DefaultSyncContext {
             ExternalIdentityRef ref = identity.getExternalId();
             if (!isSameIDP(ref)) {
                 // create result in accordance with sync(String) where status is FOREIGN
+                warnForeign(identity);
                 return new DefaultSyncResultImpl(new DefaultSyncedIdentity(identity.getId(), ref, true, -1), SyncResult.Status.FOREIGN);
             }
             return sync((ExternalGroup) identity, ref);
@@ -286,7 +287,7 @@ public class DynamicSyncContext extends DefaultSyncContext {
             // there exists a group with the same id or principal name but it doesn't belong to the same IDP
             // in consistency with DefaultSyncContext don't sync this very membership into the repository
             // and log a warning about the collision instead.
-            log.warn("Existing group with id '{}' and principal name '{}' is not defined by IDP '{}'.", authorizable.getID(), authorizable.getPrincipal().getName(), idp.getName());
+            warnForeignExisting(authorizable, true);
             return true;
         } else if (!principalName.equals(authorizable.getPrincipal().getName())) {
             // there exists a group with matching ID but principal-mismatch, don't sync this very membership into the