Class DefaultSyncContext
- java.lang.Object
  - org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext

- All Implemented Interfaces:
  SyncContext
- Direct Known Subclasses:
  DynamicSyncContext

public class DefaultSyncContext extends Object implements SyncContext
Internal implementation of the sync context.

Field Summary
Fields (Modifier and Type, Field, Description)
- protected DefaultSyncConfig config
- protected boolean forceGroupSync
- protected boolean forceUserSync
- protected ExternalIdentityProvider idp
- protected boolean keepMissing
- protected long now
- protected Value nowValue
- static String REP_EXTERNAL_ID
  Name of the ExternalIdentity.getExternalId() property of a synchronized identity.
- static String REP_LAST_SYNCED
  Name of the property that stores the time when an identity was synced.
- protected UserManager userManager
- protected ValueFactory valueFactory

Constructor Summary
Constructors (Constructor, Description)
- DefaultSyncContext(@NotNull DefaultSyncConfig config, @NotNull ExternalIdentityProvider idp, @NotNull UserManager userManager, @NotNull ValueFactory valueFactory)

Method Summary
Methods (Modifier and Type, Method, Description)
- protected void applyMembership(@NotNull Authorizable member, @NotNull Set<String> groups)
  Ensures that the given authorizable is a member of the specific groups.
- void close()
  Closes this context and releases any resources bound to it.
- protected @NotNull Group createGroup(@NotNull ExternalGroup externalGroup)
  Creates a new repository group for the given external one.
- static @Nullable DefaultSyncedIdentity createSyncedIdentity(@Nullable Authorizable auth)
  Creates a synced identity from the given authorizable.
- protected @NotNull User createUser(@NotNull ExternalUser externalUser)
  Creates a new repository user for the given external one.
- protected @Nullable Value createValue(@Nullable Object v)
  Creates a new JCR value of the given object, checking the internal type.
- protected @NotNull Value[] createValues(@NotNull Collection<?> propValues)
  Creates an array of JCR values based on the type.
- protected <T extends Authorizable> T getAuthorizable(@NotNull ExternalIdentity external, @NotNull Class<T> type)
  Retrieves the repository authorizable that corresponds to the given external identity.
- protected @Nullable ExternalGroup getExternalGroupFromRef(@NotNull ExternalIdentityRef externalGroupRef)
- static @Nullable ExternalIdentityRef getIdentityRef(@Nullable Authorizable auth)
  Retrieves the external identity ref from the authorizable.
- protected boolean isExpired(@NotNull Authorizable auth, long expirationTime, @NotNull String type)
  Checks if the given authorizable needs syncing based on the REP_LAST_SYNCED property.
- boolean isForceGroupSync()
  Defines if synchronization of groups is always performed, i.e. the last synced properties are ignored.
- boolean isForceUserSync()
  Defines if synchronization of users is always performed, i.e. the last synced properties are ignored.
- boolean isKeepMissing()
  Defines if synchronization keeps missing external identities on synchronization of authorizables.
- protected boolean isSameIDP(@NotNull ExternalIdentityRef ref)
  Tests if the given ExternalIdentityRef refers to the same IDP as associated with this context instance.
- protected boolean isSameIDP(@Nullable Authorizable auth)
  Checks if the given authorizable was synced from the same IDP by comparing the IDP name of the "rep:externalId" property.
- static String joinPaths(String... paths)
  Deprecated. Since Oak 1.3.10.
- @NotNull SyncContext setForceGroupSync(boolean forceGroupSync)
- @NotNull SyncContext setForceUserSync(boolean forceUserSync)
- @NotNull SyncContext setKeepMissing(boolean keepMissing)
- @NotNull SyncResult sync(@NotNull String id)
  Synchronizes an authorizable with the corresponding external identity with the repository based on the respective configuration.
- @NotNull SyncResult sync(@NotNull ExternalIdentity identity)
  Synchronizes an external identity with the repository based on the respective configuration.
- protected @NotNull DefaultSyncResultImpl syncGroup(@NotNull ExternalGroup external, @NotNull Group group)
- protected void syncMembership(@NotNull ExternalIdentity external, @NotNull Authorizable auth, long depth)
  Recursively sync the memberships of an authorizable up to the specified depth.
- protected void syncProperties(@NotNull ExternalIdentity ext, @NotNull Authorizable auth, @NotNull Map<String,String> mapping)
  Syncs the properties specified in the mapping from the external identity to the given authorizable.
- protected @NotNull DefaultSyncResultImpl syncUser(@NotNull ExternalUser external, @NotNull User user)
- protected void warnForeign(@NotNull ExternalIdentity externalIdentity)
- protected void warnForeignExisting(@NotNull Authorizable existing, boolean expectGroup)

Field Detail

REP_EXTERNAL_ID
public static final String REP_EXTERNAL_ID
Name of the ExternalIdentity.getExternalId() property of a synchronized identity.
- See Also:
  Constant Field Values

REP_LAST_SYNCED
public static final String REP_LAST_SYNCED
Name of the property that stores the time when an identity was synced.
- See Also:
  Constant Field Values

config
protected final DefaultSyncConfig config

idp
protected final ExternalIdentityProvider idp

userManager
protected final UserManager userManager

valueFactory
protected final ValueFactory valueFactory

keepMissing
protected boolean keepMissing

forceUserSync
protected boolean forceUserSync

forceGroupSync
protected boolean forceGroupSync

now
protected final long now

nowValue
protected final Value nowValue

Constructor Detail

DefaultSyncContext
public DefaultSyncContext(@NotNull DefaultSyncConfig config, @NotNull ExternalIdentityProvider idp, @NotNull UserManager userManager, @NotNull ValueFactory valueFactory)

Method Detail

createSyncedIdentity
@Nullable public static DefaultSyncedIdentity createSyncedIdentity(@Nullable Authorizable auth) throws RepositoryException
Creates a synced identity from the given authorizable.
- Parameters:
  auth - the authorizable
- Returns:
  the id
- Throws:
  RepositoryException - if an error occurs

getIdentityRef
@Nullable public static ExternalIdentityRef getIdentityRef(@Nullable Authorizable auth) throws RepositoryException
Retrieves the external identity ref from the authorizable.
- Parameters:
  auth - the authorizable
- Returns:
  the ref
- Throws:
  RepositoryException - if an error occurs

joinPaths
@Deprecated public static String joinPaths(String... paths)
Deprecated. Since Oak 1.3.10. Please use PathUtils.concatRelativePaths(String...) instead.
Robust relative path concatenation.
- Parameters:
  paths - relative paths
- Returns:
  the concatenated path

close
public void close()
Closes this context and releases any resources bound to it. Note that an implementation must not commit the Root passed during the creation call. This is the responsibility of the application.
- Specified by:
  close in interface SyncContext

isKeepMissing
public boolean isKeepMissing()
Defines if synchronization keeps missing external identities on synchronization of authorizables. Default is false.
- Specified by:
  isKeepMissing in interface SyncContext
- Returns:
  true if keep missing.

setKeepMissing
@NotNull public SyncContext setKeepMissing(boolean keepMissing)
- Specified by:
  setKeepMissing in interface SyncContext

isForceUserSync
public boolean isForceUserSync()
Defines if synchronization of users is always performed, i.e. the last synced properties are ignored.
- Specified by:
  isForceUserSync in interface SyncContext
- Returns:
  true if forced syncing users

setForceUserSync
@NotNull public SyncContext setForceUserSync(boolean forceUserSync)
- Specified by:
  setForceUserSync in interface SyncContext

isForceGroupSync
public boolean isForceGroupSync()
Defines if synchronization of groups is always performed, i.e. the last synced properties are ignored.
- Specified by:
  isForceGroupSync in interface SyncContext
- Returns:
  true if forced syncing groups

setForceGroupSync
@NotNull public SyncContext setForceGroupSync(boolean forceGroupSync)
Description copied from interface: SyncContext
- Specified by:
  setForceGroupSync in interface SyncContext

sync
@NotNull public SyncResult sync(@NotNull ExternalIdentity identity) throws SyncException
Synchronizes an external identity with the repository based on the respective configuration.
- Specified by:
  sync in interface SyncContext
- Parameters:
  identity - the identity to sync.
- Returns:
  the result of the operation
- Throws:
  SyncException - if an error occurs

sync
@NotNull public SyncResult sync(@NotNull String id) throws SyncException
Synchronizes an authorizable with the corresponding external identity with the repository based on the respective configuration.
- Specified by:
  sync in interface SyncContext
- Parameters:
  id - the id of the authorizable
- Returns:
  the result of the operation
- Throws:
  SyncException - if an error occurs
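
Usage sketch for the sync(ExternalIdentity) and close() contracts above. This is an added example, not code from the Oak project. The class ExternalUserSync and method syncOne are hypothetical names; SyncResult.Status.FOREIGN, ExternalIdentityProvider.getUser(String) and JackrabbitSession.getUserManager() are Oak/Jackrabbit API calls that are not listed on this page.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncResult;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext;

// Hypothetical helper class (name is an assumption, not part of Oak).
public final class ExternalUserSync {

    /** Syncs one external user; returns the status, or null if the IDP does not know the id. */
    public static SyncResult.Status syncOne(Session session, ExternalIdentityProvider idp,
            DefaultSyncConfig config, String userId, boolean force)
            throws RepositoryException, ExternalIdentityException, SyncException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        SyncContext ctx = new DefaultSyncContext(config, idp, um, session.getValueFactory());
        boolean saved = false;
        try {
            ctx.setForceUserSync(force);          // true: ignore rep:lastSynced expiry
            ExternalUser ext = idp.getUser(userId);
            if (ext == null) {
                return null;                      // unknown to the IDP, nothing to sync
            }
            SyncResult.Status status = ctx.sync(ext).getStatus();
            // FOREIGN: the repository entry belongs to another IDP (see isSameIDP).
            // Treat it as an id collision and do not persist anything for it.
            if (status != SyncResult.Status.FOREIGN) {
                session.save();                   // the context never commits; the caller does
                saved = true;
            }
            return status;
        } finally {
            ctx.close();
            if (!saved) {
                session.refresh(false);           // discard transient changes on failure or FOREIGN
            }
        }
    }
}
```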

getAuthorizable
@Nullable protected <T extends Authorizable> T getAuthorizable(@NotNull ExternalIdentity external, @NotNull Class<T> type) throws RepositoryException, SyncException
Retrieves the repository authorizable that corresponds to the given external identity.
- Parameters:
  external - the external identity
  type - the authorizable type
- Returns:
  the repository authorizable or null if not found.
- Throws:
  RepositoryException - if an error occurs.
  SyncException - if the repository contains a colliding authorizable with the same name.

createUser
@NotNull protected User createUser(@NotNull ExternalUser externalUser) throws RepositoryException
Creates a new repository user for the given external one. Note that this method only creates the authorizable but does not perform any synchronization.
- Parameters:
  externalUser - the external user
- Returns:
  the repository user
- Throws:
  RepositoryException - if an error occurs

createGroup
@NotNull protected Group createGroup(@NotNull ExternalGroup externalGroup) throws RepositoryException
Creates a new repository group for the given external one. Note that this method only creates the authorizable but does not perform any synchronization.
- Parameters:
  externalGroup - the external group
- Returns:
  the repository group
- Throws:
  RepositoryException - if an error occurs

syncUser
@NotNull protected DefaultSyncResultImpl syncUser(@NotNull ExternalUser external, @NotNull User user) throws RepositoryException
- Throws:
  RepositoryException

syncGroup
@NotNull protected DefaultSyncResultImpl syncGroup(@NotNull ExternalGroup external, @NotNull Group group) throws RepositoryException
- Throws:
  RepositoryException

syncMembership
protected void syncMembership(@NotNull ExternalIdentity external, @NotNull Authorizable auth, long depth) throws RepositoryException
Recursively sync the memberships of an authorizable up to the specified depth. If the given depth is less than or equal to 0, no syncing is performed.
- Parameters:
  external - the external identity
  auth - the authorizable
  depth - recursion depth.
- Throws:
  RepositoryException - If a user management specific error occurs upon synchronizing membership

getExternalGroupFromRef
@Nullable protected ExternalGroup getExternalGroupFromRef(@NotNull ExternalIdentityRef externalGroupRef)

applyMembership
protected void applyMembership(@NotNull Authorizable member, @NotNull Set<String> groups) throws RepositoryException
Ensures that the given authorizable is a member of the specific groups. Note that it does not create groups if missing, nor remove memberships of groups not in the given set.
- Parameters:
  member - the authorizable
  groups - set of groups.
- Throws:
  RepositoryException

syncProperties
protected void syncProperties(@NotNull ExternalIdentity ext, @NotNull Authorizable auth, @NotNull Map<String,String> mapping) throws RepositoryException
Syncs the properties specified in the mapping from the external identity to the given authorizable. Note that this method does not check for value equality and just blindly copies or deletes the properties.
- Parameters:
  ext - external identity
  auth - the authorizable
  mapping - the property mapping
- Throws:
  RepositoryException - if an error occurs

isExpired
protected boolean isExpired(@NotNull Authorizable auth, long expirationTime, @NotNull String type) throws RepositoryException
Checks if the given authorizable needs syncing based on the REP_LAST_SYNCED property.
- Parameters:
  auth - the authorizable to check
  expirationTime - the expiration time to compare to.
  type - debug message type
- Returns:
  true if the authorizable needs sync
- Throws:
  RepositoryException

createValue
@Nullable protected Value createValue(@Nullable Object v) throws RepositoryException
Creates a new JCR value of the given object, checking the internal type.
- Parameters:
  v - the value
- Returns:
  the JCR value or null
- Throws:
  RepositoryException - if an error occurs

createValues
@NotNull protected Value[] createValues(@NotNull Collection<?> propValues) throws RepositoryException
Creates an array of JCR values based on the type.
- Parameters:
  propValues - the given values
- Returns:
  an array of JCR values
- Throws:
  RepositoryException - if an error occurs

isSameIDP
protected boolean isSameIDP(@Nullable Authorizable auth) throws RepositoryException
Checks if the given authorizable was synced from the same IDP by comparing the IDP name of the "rep:externalId" property.
- Parameters:
  auth - the authorizable.
- Returns:
  true if same IDP.
- Throws:
  RepositoryException

isSameIDP
protected boolean isSameIDP(@NotNull ExternalIdentityRef ref)
Tests if the given ExternalIdentityRef refers to the same IDP as associated with this context instance.
- Parameters:
  ref - The ExternalIdentityRef to be tested.
- Returns:
  true if ExternalIdentityRef.getProviderName() refers to the IDP associated with this context instance.

warnForeign
protected void warnForeign(@NotNull ExternalIdentity externalIdentity)

warnForeignExisting
protected void warnForeignExisting(@NotNull Authorizable existing, boolean expectGroup) throws RepositoryException
- Throws:
  RepositoryException