org.apache.jackrabbit.oak.spi.security.authentication.external.basic

Class DefaultSyncContext

java.lang.Object

org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext

All Implemented Interfaces:

SyncContext

Direct Known Subclasses:

DynamicSyncContext

public class DefaultSyncContext
extends Object
implements SyncContext

Internal implementation of the sync context

Field Summary

Fields

Modifier and Type	Field and Description
protected DefaultSyncConfig	config
protected boolean	forceGroupSync
protected boolean	forceUserSync
protected ExternalIdentityProvider	idp
protected boolean	keepMissing
protected long	now
protected Value	nowValue
static String	REP_EXTERNAL_ID Name of the ExternalIdentity.getExternalId() property of a synchronized identity.
static String	REP_LAST_SYNCED Name of the property that stores the time when an identity was synced.
protected UserManager	userManager
protected ValueFactory	valueFactory

Constructor Summary

Constructors

Constructor and Description
DefaultSyncContext(@NotNull DefaultSyncConfig config, @NotNull ExternalIdentityProvider idp, @NotNull UserManager userManager, @NotNull ValueFactory valueFactory)

Method Summary

Modifier and Type	Method and Description
protected void	applyMembership(@NotNull Authorizable member, @NotNull Set<String> groups) Ensures that the given authorizable is member of the specific groups.
void	close() Closes this context and releases any resources bound to it.
protected @NotNull Group	createGroup(@NotNull ExternalGroup externalGroup) Creates a new repository group for the given external one.
static @Nullable DefaultSyncedIdentity	createSyncedIdentity(@Nullable Authorizable auth) Creates a synced identity from the given authorizable.
protected @NotNull User	createUser(@NotNull ExternalUser externalUser) Creates a new repository user for the given external one.
protected @Nullable Value	createValue(@Nullable Object v) Creates a new JCR value of the given object, checking the internal type.
protected @Nullable Value[]	createValues(@NotNull Collection<?> propValues) Creates an array of JCR values based on the type.
protected <T extends Authorizable> T	getAuthorizable(@NotNull ExternalIdentity external, @NotNull Class<T> type) Retrieves the repository authorizable that corresponds to the given external identity
static @Nullable ExternalIdentityRef	getIdentityRef(@Nullable Authorizable auth) Retrieves the external identity ref from the authorizable
protected boolean	isExpired(@NotNull Authorizable auth, long expirationTime, @NotNull String type) Checks if the given authorizable needs syncing based on the REP_LAST_SYNCED property.
boolean	isForceGroupSync() Defines if synchronization of groups always will perform, i.e.
boolean	isForceUserSync() Defines if synchronization of users always will perform, i.e.
boolean	isKeepMissing() Defines if synchronization keeps missing external identities on synchronization of authorizables.
protected boolean	isSameIDP(@Nullable Authorizable auth) Checks if the given authorizable was synced from the same IDP by comparing the IDP name of the "rep:externalId" property.
protected boolean	isSameIDP(@NotNull ExternalIdentityRef ref) Tests if the given ExternalIdentityRef refers to the same IDP as associated with this context instance.
static String	joinPaths(String... paths) Deprecated. Since Oak 1.3.10. Please use PathUtils.concatRelativePaths(String...) instead.
@NotNull SyncContext	setForceGroupSync(boolean forceGroupSync) See SyncContext.isForceGroupSync()
@NotNull SyncContext	setForceUserSync(boolean forceUserSync) See SyncContext.isForceUserSync()
@NotNull SyncContext	setKeepMissing(boolean keepMissing) See SyncContext.isKeepMissing()
@NotNull SyncResult	sync(@NotNull ExternalIdentity identity) Synchronizes an external identity with the repository based on the respective configuration.
@NotNull SyncResult	sync(@NotNull String id) Synchronizes an authorizable with the corresponding external identity with the repository based on the respective configuration.
protected @NotNull DefaultSyncResultImpl	syncGroup(@NotNull ExternalGroup external, @NotNull Group group)
protected void	syncMembership(@NotNull ExternalIdentity external, @NotNull Authorizable auth, long depth) Recursively sync the memberships of an authorizable up-to the specified depth.
protected void	syncProperties(@NotNull ExternalIdentity ext, @NotNull Authorizable auth, @NotNull Map<String,String> mapping) Syncs the properties specified in the mapping from the external identity to the given authorizable.
protected @NotNull DefaultSyncResultImpl	syncUser(@NotNull ExternalUser external, @NotNull User user)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

REP_EXTERNAL_ID

public static final String REP_EXTERNAL_ID

Name of the ExternalIdentity.getExternalId() property of a synchronized identity.

See Also:

Constant Field Values

REP_LAST_SYNCED

public static final String REP_LAST_SYNCED

Name of the property that stores the time when an identity was synced.

See Also:

Constant Field Values

config

protected final DefaultSyncConfig config

idp

protected final ExternalIdentityProvider idp

userManager

protected final UserManager userManager

valueFactory

protected final ValueFactory valueFactory

keepMissing

protected boolean keepMissing

forceUserSync

protected boolean forceUserSync

forceGroupSync

protected boolean forceGroupSync

now

protected final long now

nowValue

protected final Value nowValue

Constructor Detail

DefaultSyncContext

public DefaultSyncContext(@NotNull
                          @NotNull DefaultSyncConfig config,
                          @NotNull
                          @NotNull ExternalIdentityProvider idp,
                          @NotNull
                          @NotNull UserManager userManager,
                          @NotNull
                          @NotNull ValueFactory valueFactory)

Method Detail

createSyncedIdentity

@Nullable
public static @Nullable DefaultSyncedIdentity createSyncedIdentity(@Nullable
                                                                             @Nullable Authorizable auth)
                                                                      throws RepositoryException

Creates a synced identity from the given authorizable.

Parameters:

auth - the authorizable

Returns:

the id

Throws:

RepositoryException - if an error occurs

getIdentityRef

@Nullable
public static @Nullable ExternalIdentityRef getIdentityRef(@Nullable
                                                                     @Nullable Authorizable auth)
                                                              throws RepositoryException

Retrieves the external identity ref from the authorizable

Parameters:

auth - the authorizable

Returns:

the ref

Throws:

RepositoryException - if an error occurs

joinPaths

public static String joinPaths(String... paths)

Deprecated. Since Oak 1.3.10. Please use PathUtils.concatRelativePaths(String...) instead.

Robust relative path concatenation.

Parameters:

paths - relative paths

Returns:

the concatenated path

close

public void close()

Closes this context and releases any resources bound to it. Note that an implementation must not commit the Root passed during the creation call. This is the responsibility of the application.

Specified by:

close in interface SyncContext

isKeepMissing

public boolean isKeepMissing()

Defines if synchronization keeps missing external identities on synchronization of authorizables. Default is false.

Specified by:

isKeepMissing in interface SyncContext

Returns:

true if keep missing.

setKeepMissing

@NotNull
public @NotNull SyncContext setKeepMissing(boolean keepMissing)

See SyncContext.isKeepMissing()

Specified by:

setKeepMissing in interface SyncContext

isForceUserSync

public boolean isForceUserSync()

Defines if synchronization of users always will perform, i.e. ignores the last synced properties.

Specified by:

isForceUserSync in interface SyncContext

Returns:

true if forced syncing users

setForceUserSync

@NotNull
public @NotNull SyncContext setForceUserSync(boolean forceUserSync)

See SyncContext.isForceUserSync()

Specified by:

setForceUserSync in interface SyncContext

isForceGroupSync

public boolean isForceGroupSync()

Defines if synchronization of groups always will perform, i.e. ignores the last synced properties.

Specified by:

isForceGroupSync in interface SyncContext

Returns:

true if forced syncing groups

setForceGroupSync

@NotNull
public @NotNull SyncContext setForceGroupSync(boolean forceGroupSync)

Description copied from interface: SyncContext

See SyncContext.isForceGroupSync()

Specified by:

setForceGroupSync in interface SyncContext

sync

@NotNull
public @NotNull SyncResult sync(@NotNull
                                         @NotNull ExternalIdentity identity)
                                  throws SyncException

Synchronizes an external identity with the repository based on the respective configuration.

Specified by:

sync in interface SyncContext

Parameters:

identity - the identity to sync.

Returns:

the result of the operation

Throws:

SyncException - if an error occurs

sync

@NotNull
public @NotNull SyncResult sync(@NotNull
                                         @NotNull String id)
                                  throws SyncException

Synchronizes an authorizable with the corresponding external identity with the repository based on the respective configuration.

Specified by:

sync in interface SyncContext

Parameters:

id - the id of the authorizable

Returns:

the result of the operation

Throws:

SyncException - if an error occurs

getAuthorizable

@Nullable
protected <T extends Authorizable> T getAuthorizable(@NotNull
                                                               @NotNull ExternalIdentity external,
                                                               @NotNull
                                                               @NotNull Class<T> type)
                                                        throws RepositoryException,
                                                               SyncException

Retrieves the repository authorizable that corresponds to the given external identity

Parameters:

external - the external identity

type - the authorizable type

Returns:

the repository authorizable or null if not found.

Throws:

RepositoryException - if an error occurs.

SyncException - if the repository contains a colliding authorizable with the same name.

createUser

@NotNull
protected @NotNull User createUser(@NotNull
                                            @NotNull ExternalUser externalUser)
                                     throws RepositoryException

Creates a new repository user for the given external one. Note that this method only creates the authorizable but does not perform any synchronization.

Parameters:

externalUser - the external user

Returns:

the repository user

Throws:

RepositoryException - if an error occurs

createGroup

@NotNull
protected @NotNull Group createGroup(@NotNull
                                              @NotNull ExternalGroup externalGroup)
                                       throws RepositoryException

Creates a new repository group for the given external one. Note that this method only creates the authorizable but does not perform any synchronization.

Parameters:

externalGroup - the external group

Returns:

the repository group

Throws:

RepositoryException - if an error occurs

syncUser

@NotNull
protected @NotNull DefaultSyncResultImpl syncUser(@NotNull
                                                           @NotNull ExternalUser external,
                                                           @NotNull
                                                           @NotNull User user)
                                                    throws RepositoryException

Throws:

RepositoryException

syncGroup

@NotNull
protected @NotNull DefaultSyncResultImpl syncGroup(@NotNull
                                                            @NotNull ExternalGroup external,
                                                            @NotNull
                                                            @NotNull Group group)
                                                     throws RepositoryException

Throws:

RepositoryException

syncMembership

protected void syncMembership(@NotNull
                              @NotNull ExternalIdentity external,
                              @NotNull
                              @NotNull Authorizable auth,
                              long depth)
                       throws RepositoryException

Recursively sync the memberships of an authorizable up-to the specified depth. If the given depth is equal or less than 0, no syncing is performed.

Parameters:

external - the external identity

auth - the authorizable

depth - recursion depth.

Throws:

RepositoryException

applyMembership

protected void applyMembership(@NotNull
                               @NotNull Authorizable member,
                               @NotNull
                               @NotNull Set<String> groups)
                        throws RepositoryException

Ensures that the given authorizable is member of the specific groups. Note that it does not create groups if missing, nor remove memberships of groups not in the given set.

Parameters:

member - the authorizable

groups - set of groups.

Throws:

RepositoryException

syncProperties

protected void syncProperties(@NotNull
                              @NotNull ExternalIdentity ext,
                              @NotNull
                              @NotNull Authorizable auth,
                              @NotNull
                              @NotNull Map<String,String> mapping)
                       throws RepositoryException

Syncs the properties specified in the mapping from the external identity to the given authorizable. Note that this method does not check for value equality and just blindly copies or deletes the properties.

Parameters:

ext - external identity

auth - the authorizable

mapping - the property mapping

Throws:

RepositoryException - if an error occurs

isExpired

protected boolean isExpired(@NotNull
                            @NotNull Authorizable auth,
                            long expirationTime,
                            @NotNull
                            @NotNull String type)
                     throws RepositoryException

Checks if the given authorizable needs syncing based on the REP_LAST_SYNCED property.

Parameters:

auth - the authorizable to check

expirationTime - the expiration time to compare to.

type - debug message type

Returns:

true if the authorizable needs sync

Throws:

RepositoryException

createValue

@Nullable
protected @Nullable Value createValue(@Nullable
                                                @Nullable Object v)
                                         throws RepositoryException

Creates a new JCR value of the given object, checking the internal type.

Parameters:

v - the value

Returns:

the JCR value or null

Throws:

RepositoryException - if an error occurs

createValues

@Nullable
protected @Nullable Value[] createValues(@NotNull
                                                   @NotNull Collection<?> propValues)
                                            throws RepositoryException

Creates an array of JCR values based on the type.

Parameters:

propValues - the given values

Returns:

and array of JCR values

Throws:

RepositoryException - if an error occurs

isSameIDP

protected boolean isSameIDP(@Nullable
                            @Nullable Authorizable auth)
                     throws RepositoryException

Checks if the given authorizable was synced from the same IDP by comparing the IDP name of the "rep:externalId" property.

Parameters:

auth - the authorizable.

Returns:

true if same IDP.

Throws:

RepositoryException

isSameIDP

protected boolean isSameIDP(@NotNull
                            @NotNull ExternalIdentityRef ref)

Tests if the given ExternalIdentityRef refers to the same IDP as associated with this context instance.

Parameters:

ref - The ExternalIdentityRef to be tested.

Returns:

true if ExternalIdentityRef.getProviderName() refers to the IDP associated with this context instance.