Merged HEAD-BUG-FIX (5.1/Cloud) to HEAD (5.1/Cloud)

103946: Merged 5.0.N (5.0.2) to HEAD-BUG-FIX (5.1/Cloud)
      103861: Merged V4.2-BUG-FIX (4.2.5) to 5.0.N (5.0.2)
         103837: MNT-13867: Merged V4.1-BUG-FIX to V4.2-BUG-FIX (4.2.5).
            101406: MNT-12454: Deletion behaviour of LDAP user does NOT work as documented.
                       - was added synchronization.syncDelete property.
            101558: MNT-12454: Deletion behaviour of LDAP user does NOT work as documented.
                       - If allowDeletions=true then authority need move to AuthorityService.ZONE_AUTH_ALFRESCO. ChainingUserRegistrySynchronizerTest.testForcedUpdateWithoutDeletions test was corrected. 


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@104033 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

config/alfresco/subsystems/Synchronization/default/default-synchronization-context.xml

@@ -80,6 +80,9 @@
         <property name="allowDeletions">
             <value>${synchronization.allowDeletions}</value>
         </property>
+        <property name="syncDelete">
+            <value>${synchronization.syncDelete}</value>
+        </property>
         <property name="nameChecker" ref="nameChecker" />
     </bean>
 

config/alfresco/subsystems/Synchronization/default/default-synchronization.properties

@@ -30,4 +30,7 @@ synchronization.loggingInterval=100
 synchronization.workerThreads=1
 
 # Synchronization with deletions
-synchronization.allowDeletions=true
+synchronization.allowDeletions=true
+
+# For large LDAP directories the delete query is expensive and time consuming, needing to read the entire LDAP directory.
+synchronization.syncDelete=true

source/java/org/alfresco/repo/security/sync/ChainingUserRegistrySynchronizer.java

@@ -180,6 +180,9 @@ public class ChainingUserRegistrySynchronizer extends AbstractLifecycleBean
 
     /** Allow a full sync to perform deletions? */
     private boolean allowDeletions = true;
+    
+    /** Controls whether to query for users and groups that have been deleted in LDAP */
+    private boolean syncDelete = true;
 
     /** Validates person names over cm:filename constraint **/
     private NameChecker nameChecker;
@@ -350,14 +353,30 @@ public class ChainingUserRegistrySynchronizer extends AbstractLifecycleBean
     }
     
     /**
-     * Fullsync is run with deletions. By default is set to true.
+     * Controls how deleted users and groups are handled.
+     * By default is set to true.
      * 
      * @param allowDeletions
+     *            If <b>true</b> the entries are deleted from alfresco.
+     *            If <b>false</b> then they are unlinked from their LDAP authentication zone but remain within alfresco.
      */
     public void setAllowDeletions(boolean allowDeletions)
     {
         this.allowDeletions = allowDeletions;
     }
+
+    /**
+     * Controls whether to query for users and groups that have been deleted in LDAP.
+     * For large LDAP directories the delete query is expensive and time consuming, needing to read the entire LDAP directory.
+     * By default is set to true.
+     * 
+     * @param syncDelete
+     *            If <b>false</b> then LDAP sync does not even attempt to search for deleted users. 
+     */
+    public void setSyncDelete(boolean syncDelete)
+    {
+        this.syncDelete = syncDelete;
+    }
     
     @Override
     public SynchronizeDiagnostic testSynchronize(String authenticatorName)
@@ -1425,9 +1444,8 @@ public class ChainingUserRegistrySynchronizer extends AbstractLifecycleBean
 
             private void processGroups(UserRegistry userRegistry, boolean isFullSync, boolean splitTxns)
             {
-               // If we got back some groups, we have to cross reference them with the set of known authorities
+               // MNT-12454 fix. If syncDelete is false, there is no need to pull all users and all groups from LDAP during the full synchronization.
-                // MNT-9711 fix. If allowDeletions is false, there is no need to pull all users and all groups from LDAP during the full synchronization.
+               if ((syncDelete || !groupsToCreate.isEmpty()) && (isFullSync || !this.groupParentAssocsToDelete.isEmpty()))
-               if ((allowDeletions || !groupsToCreate.isEmpty()) && (isFullSync || !this.groupParentAssocsToDelete.isEmpty()))
                {
                     final Set<String> allZonePersons = newPersonSet();
                     final Set<String> allZoneGroups = new TreeSet<String>();
@@ -1473,8 +1491,41 @@ public class ChainingUserRegistrySynchronizer extends AbstractLifecycleBean
                         this.deletionCandidates.addAll(personDeletionCandidates);
                         this.deletionCandidates.addAll(groupDeletionCandidates);
 
-                        allZonePersons.removeAll(personDeletionCandidates);
+                        if (allowDeletions)
-                        allZoneGroups.removeAll(groupDeletionCandidates);
+                        {
+                            allZonePersons.removeAll(personDeletionCandidates);
+                            allZoneGroups.removeAll(groupDeletionCandidates);
+                        }
+                        else
+                        {
+                            // Complete association deletion information by scanning deleted groups
+                            BatchProcessor<String> groupScanner = new BatchProcessor<String>(zone
+                                    + " Missing Authority Scanning",
+                                    ChainingUserRegistrySynchronizer.this.transactionService.getRetryingTransactionHelper(),
+                                    this.deletionCandidates,
+                                    ChainingUserRegistrySynchronizer.this.workerThreads, 20,
+                                    ChainingUserRegistrySynchronizer.this.applicationEventPublisher,
+                                    ChainingUserRegistrySynchronizer.logger,
+                                    ChainingUserRegistrySynchronizer.this.loggingInterval);
+                            groupScanner.process(new BaseBatchProcessWorker<String>()
+                            {
+
+                                @Override
+                                public String getIdentifier(String entry)
+                                {
+                                    return entry;
+                                }
+
+                                @Override
+                                public void process(String authority) throws Throwable
+                                {
+                                    //MNT-12454 fix. Modifies an authority's zone. Move authority from AUTH.EXT.LDAP1 to AUTH.ALF.
+                                    updateAuthorityZones(authority, Collections.singleton(zoneId),
+                                          Collections.singleton(AuthorityService.ZONE_AUTH_ALFRESCO));
+                                }
+                            }, splitTxns);
+                        }
+
                     }
 
                     // Prune the group associations now that we have complete information

source/test-java/org/alfresco/repo/security/sync/ChainingUserRegistrySynchronizerTest.java

@@ -432,8 +432,8 @@ public class ChainingUserRegistrySynchronizerTest extends TestCase
 
             public Object execute() throws Throwable
             {
-                // MNT-9711 fix. User U6 already exists in zone "Z0". According ChainingUserRegistrySynchronizercurrent
+                // MNT-13867 fix. User U6 already exists in zone "Z0". According ChainingUserRegistrySynchronizercurrent
-                // implementation when allowDeletions==false person that exists in a different zone with higher
+                // implementation when syncDelete==false person that exists in a different zone with higher
                 // precedence  will be ignored
                 assertExists("Z0", "U6");
                 assertExists("Z1", "U1");
@@ -797,8 +797,10 @@ public class ChainingUserRegistrySynchronizerTest extends TestCase
         // Check in correct zone
         if (zone == null)
         {
-            assertEquals(Collections.singleton(AuthorityService.ZONE_APP_DEFAULT), this.authorityService
+            Set<String> zones = new TreeSet<String>();
-                    .getAuthorityZones(longName));
+            zones.add(AuthorityService.ZONE_APP_DEFAULT);
+            zones.add(AuthorityService.ZONE_AUTH_ALFRESCO);
+            assertEquals(zones, this.authorityService.getAuthorityZones(longName));
         }
         else
         {

source/test-resources/sync-test-context.xml

@@ -64,6 +64,9 @@
         <property name="allowDeletions">
             <value>false</value>
         </property>
+        <property name="syncDelete">
+            <value>false</value>
+        </property>
         <property name="sysAdminParams">
             <ref bean="sysAdminParams" />
         </property>