org.apache.jackrabbit.oak.spi.security.authentication.external.basic

Class DefaultSyncContext

java.lang.Object

org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext

All Implemented Interfaces:

SyncContext

public class DefaultSyncContext
extends Object
implements SyncContext

Internal implementation of the sync context

Field Summary

Fields

Modifier and Type	Field and Description
protected DefaultSyncConfig	config
protected boolean	forceGroupSync
protected boolean	forceUserSync
protected ExternalIdentityProvider	idp
protected boolean	keepMissing
protected long	now
protected javax.jcr.Value	nowValue
static String	REP_EXTERNAL_ID Name of the ExternalIdentity.getExternalId() property of a synchronized identity.
static String	REP_LAST_SYNCED Name of the property that stores the time when an identity was synced.
protected org.apache.jackrabbit.api.security.user.UserManager	userManager
protected javax.jcr.ValueFactory	valueFactory

Constructor Summary

Constructors

Constructor and Description
DefaultSyncContext(DefaultSyncConfig config, ExternalIdentityProvider idp, org.apache.jackrabbit.api.security.user.UserManager userManager, javax.jcr.ValueFactory valueFactory)

Method Summary

Methods

Modifier and Type	Method and Description
protected void	applyMembership(org.apache.jackrabbit.api.security.user.Authorizable member, Set<String> groups) Ensures that the given authorizable is member of the specific groups.
void	close() Closes this context and releases any resources bound to it.
protected org.apache.jackrabbit.api.security.user.Group	createGroup(ExternalGroup externalGroup) Creates a new repository group for the given external one.
static DefaultSyncedIdentity	createSyncedIdentity(org.apache.jackrabbit.api.security.user.Authorizable auth) Creates a synced identity from the given authorizable.
protected org.apache.jackrabbit.api.security.user.User	createUser(ExternalUser externalUser) Creates a new repository user for the given external one.
protected javax.jcr.Value	createValue(Object v) Creates a new JCR value of the given object, checking the internal type.
protected javax.jcr.Value[]	createValues(Collection<?> propValues) Creates an array of JCR values based on the type.
protected <T extends org.apache.jackrabbit.api.security.user.Authorizable> T	getAuthorizable(ExternalIdentity external, Class<T> type) Retrieves the repository authorizable that corresponds to the given external identity
static ExternalIdentityRef	getIdentityRef(org.apache.jackrabbit.api.security.user.Authorizable auth) Retrieves the external identity ref from the authorizable
protected boolean	isExpired(org.apache.jackrabbit.api.security.user.Authorizable auth, long expirationTime, String type) Checks if the given authorizable needs syncing based on the REP_LAST_SYNCED property.
boolean	isForceGroupSync() Defines if synchronization of groups always will perform, i.e.
boolean	isForceUserSync() Defines if synchronization of users always will perform, i.e.
boolean	isKeepMissing() Defines if synchronization keeps missing external identities on synchronization of authorizables.
protected boolean	isSameIDP(org.apache.jackrabbit.api.security.user.Authorizable auth) Checks if the given authorizable was synced from the same IDP by comparing the IDP name of the "rep:externalId" property.
static String	joinPaths(String... paths) Deprecated. Since Oak 1.3.10. Please use PathUtils.concatRelativePaths(String...) instead.
SyncContext	setForceGroupSync(boolean forceGroupSync) See SyncContext.isForceGroupSync()
SyncContext	setForceUserSync(boolean forceUserSync) See SyncContext.isForceUserSync()
SyncContext	setKeepMissing(boolean keepMissing) See SyncContext.isKeepMissing()
SyncResult	sync(ExternalIdentity identity) Synchronizes an external identity with the repository based on the respective configuration.
SyncResult	sync(String id) Synchronizes an authorizable with the corresponding external identity with the repository based on the respective configuration.
protected DefaultSyncResultImpl	syncGroup(ExternalGroup external, org.apache.jackrabbit.api.security.user.Group group)
protected void	syncMembership(ExternalIdentity external, org.apache.jackrabbit.api.security.user.Authorizable auth, long depth) Recursively sync the memberships of an authorizable up-to the specified depth.
protected void	syncProperties(ExternalIdentity ext, org.apache.jackrabbit.api.security.user.Authorizable auth, Map<String,String> mapping) Syncs the properties specified in the mapping from the external identity to the given authorizable.
protected DefaultSyncResultImpl	syncUser(ExternalUser external, org.apache.jackrabbit.api.security.user.User user)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

REP_EXTERNAL_ID

public static final String REP_EXTERNAL_ID

Name of the ExternalIdentity.getExternalId() property of a synchronized identity.

See Also:

Constant Field Values

REP_LAST_SYNCED

public static final String REP_LAST_SYNCED

Name of the property that stores the time when an identity was synced.

See Also:

Constant Field Values

config

protected final DefaultSyncConfig config

idp

protected final ExternalIdentityProvider idp

userManager

protected final org.apache.jackrabbit.api.security.user.UserManager userManager

valueFactory

protected final javax.jcr.ValueFactory valueFactory

keepMissing

protected boolean keepMissing

forceUserSync

protected boolean forceUserSync

forceGroupSync

protected boolean forceGroupSync

now

protected final long now

nowValue

protected final javax.jcr.Value nowValue

Constructor Detail

DefaultSyncContext

public DefaultSyncContext(@Nonnull
                  DefaultSyncConfig config,
                  @Nonnull
                  ExternalIdentityProvider idp,
                  @Nonnull
                  org.apache.jackrabbit.api.security.user.UserManager userManager,
                  @Nonnull
                  javax.jcr.ValueFactory valueFactory)

Method Detail

createSyncedIdentity

@CheckForNull
public static DefaultSyncedIdentity createSyncedIdentity(@Nullable
                                                      org.apache.jackrabbit.api.security.user.Authorizable auth)
                                                  throws javax.jcr.RepositoryException

Creates a synced identity from the given authorizable.

Parameters:

auth - the authorizable

Returns:

the id

Throws:

javax.jcr.RepositoryException - if an error occurs

getIdentityRef

@CheckForNull
public static ExternalIdentityRef getIdentityRef(@Nullable
                                              org.apache.jackrabbit.api.security.user.Authorizable auth)
                                          throws javax.jcr.RepositoryException

Retrieves the external identity ref from the authorizable

Parameters:

auth - the authorizable

Returns:

the ref

Throws:

javax.jcr.RepositoryException - if an error occurs

joinPaths

public static String joinPaths(String... paths)

Deprecated. Since Oak 1.3.10. Please use PathUtils.concatRelativePaths(String...) instead.

Robust relative path concatenation.

Parameters:

paths - relative paths

Returns:

the concatenated path

close

public void close()

Closes this context and releases any resources bound to it. Note that an implementation must not commit the Root passed during the creation call. This is the responsibility of the application.

Specified by:

close in interface SyncContext

isKeepMissing

public boolean isKeepMissing()

Defines if synchronization keeps missing external identities on synchronization of authorizables. Default is false.

Specified by:

isKeepMissing in interface SyncContext

Returns:

true if keep missing.

setKeepMissing

@Nonnull
public SyncContext setKeepMissing(boolean keepMissing)

See SyncContext.isKeepMissing()

Specified by:

setKeepMissing in interface SyncContext

isForceUserSync

public boolean isForceUserSync()

Defines if synchronization of users always will perform, i.e. ignores the last synced properties.

Specified by:

isForceUserSync in interface SyncContext

Returns:

true if forced syncing users

setForceUserSync

@Nonnull
public SyncContext setForceUserSync(boolean forceUserSync)

See SyncContext.isForceUserSync()

Specified by:

setForceUserSync in interface SyncContext

isForceGroupSync

public boolean isForceGroupSync()

Defines if synchronization of groups always will perform, i.e. ignores the last synced properties.

Specified by:

isForceGroupSync in interface SyncContext

Returns:

true if forced syncing groups

setForceGroupSync

@Nonnull
public SyncContext setForceGroupSync(boolean forceGroupSync)

Description copied from interface: SyncContext

See SyncContext.isForceGroupSync()

Specified by:

setForceGroupSync in interface SyncContext

sync

@Nonnull
public SyncResult sync(@Nonnull
                      ExternalIdentity identity)
                throws SyncException

Synchronizes an external identity with the repository based on the respective configuration.

Specified by:

sync in interface SyncContext

Parameters:

identity - the identity to sync.

Returns:

the result of the operation

Throws:

SyncException - if an error occurs

sync

@Nonnull
public SyncResult sync(@Nonnull
                      String id)
                throws SyncException

Synchronizes an authorizable with the corresponding external identity with the repository based on the respective configuration.

Specified by:

sync in interface SyncContext

Parameters:

id - the id of the authorizable

Returns:

the result of the operation

Throws:

SyncException - if an error occurrs

getAuthorizable

@CheckForNull
protected <T extends org.apache.jackrabbit.api.security.user.Authorizable> T getAuthorizable(@Nonnull
                                                                                              ExternalIdentity external,
                                                                                              @Nonnull
                                                                                              Class<T> type)
                                                                                  throws javax.jcr.RepositoryException,
                                                                                         SyncException

Retrieves the repository authorizable that corresponds to the given external identity

Parameters:

external - the external identity

type - the authorizable type

Returns:

the repository authorizable or null if not found.

Throws:

javax.jcr.RepositoryException - if an error occurs.

SyncException - if the repository contains a colliding authorizable with the same name.

createUser

@Nonnull
protected org.apache.jackrabbit.api.security.user.User createUser(@Nonnull
                                                              ExternalUser externalUser)
                                                           throws javax.jcr.RepositoryException

Creates a new repository user for the given external one. Note that this method only creates the authorizable but does not perform any synchronization.

Parameters:

externalUser - the external user

Returns:

the repository user

Throws:

javax.jcr.RepositoryException - if an error occurs

createGroup

@Nonnull
protected org.apache.jackrabbit.api.security.user.Group createGroup(@Nonnull
                                                                ExternalGroup externalGroup)
                                                             throws javax.jcr.RepositoryException

Creates a new repository group for the given external one. Note that this method only creates the authorizable but does not perform any synchronization.

Parameters:

externalGroup - the external group

Returns:

the repository group

Throws:

javax.jcr.RepositoryException - if an error occurs

syncUser

@Nonnull
protected DefaultSyncResultImpl syncUser(@Nonnull
                                     ExternalUser external,
                                     @Nonnull
                                     org.apache.jackrabbit.api.security.user.User user)
                                  throws javax.jcr.RepositoryException

Throws:

javax.jcr.RepositoryException

syncGroup

@Nonnull
protected DefaultSyncResultImpl syncGroup(@Nonnull
                                      ExternalGroup external,
                                      @Nonnull
                                      org.apache.jackrabbit.api.security.user.Group group)
                                   throws javax.jcr.RepositoryException

Throws:

javax.jcr.RepositoryException

syncMembership

protected void syncMembership(@Nonnull
                  ExternalIdentity external,
                  @Nonnull
                  org.apache.jackrabbit.api.security.user.Authorizable auth,
                  long depth)
                       throws javax.jcr.RepositoryException

Recursively sync the memberships of an authorizable up-to the specified depth. If the given depth is equal or less than 0, no syncing is performed.

Parameters:

external - the external identity

auth - the authorizable

depth - recursion depth.

Throws:

javax.jcr.RepositoryException

applyMembership

protected void applyMembership(@Nonnull
                   org.apache.jackrabbit.api.security.user.Authorizable member,
                   @Nonnull
                   Set<String> groups)
                        throws javax.jcr.RepositoryException

Ensures that the given authorizable is member of the specific groups. Note that it does not create groups if missing, nor remove memberships of groups not in the given set.

Parameters:

member - the authorizable

groups - set of groups.

Throws:

javax.jcr.RepositoryException

syncProperties

protected void syncProperties(@Nonnull
                  ExternalIdentity ext,
                  @Nonnull
                  org.apache.jackrabbit.api.security.user.Authorizable auth,
                  @Nonnull
                  Map<String,String> mapping)
                       throws javax.jcr.RepositoryException

Syncs the properties specified in the mapping from the external identity to the given authorizable. Note that this method does not check for value equality and just blindly copies or deletes the properties.

Parameters:

ext - external identity

auth - the authorizable

mapping - the property mapping

Throws:

javax.jcr.RepositoryException - if an error occurs

isExpired

protected boolean isExpired(@Nonnull
                org.apache.jackrabbit.api.security.user.Authorizable auth,
                long expirationTime,
                @Nonnull
                String type)
                     throws javax.jcr.RepositoryException

Checks if the given authorizable needs syncing based on the REP_LAST_SYNCED property.

Parameters:

auth - the authorizable to check

expirationTime - the expiration time to compare to.

type - debug message type

Returns:

true if the authorizable needs sync

Throws:

javax.jcr.RepositoryException

createValue

@CheckForNull
protected javax.jcr.Value createValue(@Nullable
                                       Object v)
                               throws javax.jcr.RepositoryException

Creates a new JCR value of the given object, checking the internal type.

Parameters:

v - the value

Returns:

the JCR value or null

Throws:

javax.jcr.RepositoryException - if an error occurs

createValues

@CheckForNull
protected javax.jcr.Value[] createValues(@Nonnull
                                          Collection<?> propValues)
                                  throws javax.jcr.RepositoryException

Creates an array of JCR values based on the type.

Parameters:

propValues - the given values

Returns:

and array of JCR values

Throws:

javax.jcr.RepositoryException - if an error occurs

isSameIDP

protected boolean isSameIDP(@Nullable
                org.apache.jackrabbit.api.security.user.Authorizable auth)
                     throws javax.jcr.RepositoryException

Checks if the given authorizable was synced from the same IDP by comparing the IDP name of the "rep:externalId" property. todo: allow multiple IDPs on 1 authorizable

Parameters:

auth - the authorizable.

Returns:

true if same IDP.

Throws:

javax.jcr.RepositoryException