From cdb8e6ef43d8f09bf5e7375bea44b9643a541f2c Mon Sep 17 00:00:00 2001 From: Dave Ward Date: Wed, 3 Feb 2010 12:59:34 +0000 Subject: [PATCH] Merged V3.2 to HEAD 18157: ETHREEOH-3787: Support portal URL rewriting within surf webscripts - WebScriptServletResponse extended to use portlet helper to rewrite URLs when running in context of a portlet. (We can't use WebScriptPortletRequest / Response because we need the full servlet runtime for Surf.) - CMIS test webscripts corrected to be portlet enabled 18272: Merged DEV/BELARUS/V3.2-2010_01_11 to V3.2 18257: ETHREEOH-4002: User/Group sync does not handle LDAP communication failures - Merged with corrections 18276: ETHREEOH-4002: Correction to previous checkin - modification dates are only persisted after successful processing of users and groups, so need to delete them on comms failure 18326: ETHREEOH-3873: usr:authorityContainer type metadata must be left in place for upgraded repositories - Otherwise you get errors when re-indexing the migrated group nodes 18340: ETHREEOH-4069: LDAP sync cannot resolve DNs containing a slash character - Due to JNDI interpreting the slash character as a separator 18403: ETHREEOH-4008: LDAP sync should preserve case of group members - Was incorrectly extracting attributes from lower-cased DN git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@18433 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../security/authentication/userModel.xml | 39 ++++++++++++++++++- .../security/sync/ldap/LDAPUserRegistry.java | 38 +++++++++++++----- 2 files changed, 66 insertions(+), 11 deletions(-) diff --git a/source/java/org/alfresco/repo/security/authentication/userModel.xml b/source/java/org/alfresco/repo/security/authentication/userModel.xml index 12b622be3a..f6ac271b58 100644 --- a/source/java/org/alfresco/repo/security/authentication/userModel.xml +++ b/source/java/org/alfresco/repo/security/authentication/userModel.xml 
@@ -2,8 +2,8 @@ Alfresco User Model Alfresco - 2009-06-04 - 0.2 + 2010-01-27 + 0.3 @@ -74,6 +74,41 @@ + + + + Deprecated Alfresco Authority Type - NOT USED + usr:authority + + + + + d:text + + + d:text + true + + + d:text + + + + + + false + true + + + usr:authority + false + true + + false + + + + diff --git a/source/java/org/alfresco/repo/security/sync/ldap/LDAPUserRegistry.java b/source/java/org/alfresco/repo/security/sync/ldap/LDAPUserRegistry.java index ca75aeedcb..d4b0af869c 100644 --- a/source/java/org/alfresco/repo/security/sync/ldap/LDAPUserRegistry.java +++ b/source/java/org/alfresco/repo/security/sync/ldap/LDAPUserRegistry.java @@ -41,7 +41,9 @@ import java.util.TreeMap; import java.util.TreeSet; import java.util.regex.Pattern; +import javax.naming.CompositeName; import javax.naming.InvalidNameException; +import javax.naming.Name; import javax.naming.NamingEnumeration; import javax.naming.NamingException; import javax.naming.directory.Attribute; @@ -684,13 +686,14 @@ public class LDAPUserRegistry implements UserRegistry, LDAPNameResolver, Initial { // Attempt to parse the member attribute as a DN. If this fails we have a fallback // in the catch block - LdapName distinguishedName = new LdapName(attribute.toLowerCase()); + LdapName distinguishedNameForComparison = new LdapName(attribute.toLowerCase()); Attribute nameAttribute; // If the user and group search bases are different we may be able to recognize user // and group DNs without a secondary lookup if (disjoint) { + LdapName distinguishedName = new LdapName(attribute); Attributes nameAttributes = distinguishedName.getRdn(distinguishedName.size() - 1) .toAttributes(); 
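Review bot: In the last hunk on this line the same attribute value is now parsed twice — `distinguishedNameForComparison` from the lower-cased string, and a second `distinguishedName` inside `if (disjoint)` from the original — but nothing explains why both exist. A comment at the second parse such as `// Case-preserving parse: RDN values extracted below must keep the directory's case (the lower-cased copy is only for prefix matching)` would make the intent clear to the next reader. If I recall correctly, `LdapName.startsWith` already compares RDN types and string values case-insensitively, in which case the lower-casing and the second parse may be redundant and a single `LdapName` could serve both uses; worth verifying before relying on it. The enclosing method starts and ends outside the hunk.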
@@ -714,12 +717,12 @@ public class LDAPUserRegistry implements UserRegistry, LDAPNameResolver, Initial } // If we can't determine the name and type from the DN alone, try a directory lookup - if (distinguishedName.startsWith(userDistinguishedNamePrefix) - || distinguishedName.startsWith(groupDistinguishedNamePrefix)) + if (distinguishedNameForComparison.startsWith(userDistinguishedNamePrefix) + || distinguishedNameForComparison.startsWith(groupDistinguishedNamePrefix)) { try { - Attributes childAttributes = this.ctx.getAttributes(attribute, new String[] + Attributes childAttributes = this.ctx.getAttributes(jndiName(attribute), new String[] { "objectclass", LDAPUserRegistry.this.groupIdAttributeName, LDAPUserRegistry.this.userIdAttributeName @@ -805,7 +808,7 @@ public class LDAPUserRegistry implements UserRegistry, LDAPNameResolver, Initial // fetch the next batch if (nextStart > 0 && !PATTERN_RANGE_END.matcher(memAttribute.getID().toLowerCase()).find()) { - Attributes childAttributes = this.ctx.getAttributes(result.getNameInNamespace(), new String[] + Attributes childAttributes = this.ctx.getAttributes(jndiName(result.getNameInNamespace()), new String[] { LDAPUserRegistry.this.memberAttributeName + ";range=" + nextStart + '-' + (nextStart + LDAPUserRegistry.this.attributeBatchSize - 1) @@ -835,6 +838,23 @@ public class LDAPUserRegistry implements UserRegistry, LDAPNameResolver, Initial return lookup.values(); } + /** + * Converts a given DN into one suitable for use through JNDI. In particular, escapes special characters such as '/' + * which have special meaning to JNDI. + * + * @param dn + * the dn + * @return the name + * @throws InvalidNameException + * the invalid name exception + */ + private static Name jndiName(String dn) throws InvalidNameException + { + Name n = new CompositeName(); + n.add(dn); + return n; + } + /** * Invokes the given callback on each entry returned by the given query. * 
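Review bot: The Javadoc on `jndiName` in the third hunk on this line says it "escapes special characters such as '/'", but the body does not escape anything: it wraps the whole DN as a single component of a `CompositeName`, so JNDI stops treating '/' as a component separator, and the backslash-escaped string form only appears if `toString()` is called on the result. Suggest rewording to `Wraps the given LDAP DN as a single composite-name component so that JNDI does not interpret '/' as a separator. Pass the returned Name to the context directly; its toString() form is the escaped JNDI string.` Since `Name.add` returns the name, the body could also be the one-liner `return new CompositeName().add(dn);`. The two call sites in the first two hunks (`getAttributes(jndiName(attribute), …)` and `getAttributes(jndiName(result.getNameInNamespace()), …)`) sit inside try blocks whose catch clauses are outside this view; the declared `InvalidNameException` is a `NamingException`, so it is presumably covered there, but that should be confirmed.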
@@ -862,7 +882,7 @@ public class LDAPUserRegistry implements UserRegistry, LDAPNameResolver, Initial NamingEnumeration searchResults; searchResults = ctx.search(searchBase, query, searchControls); - while (searchResults.hasMoreElements()) + while (searchResults.hasMore()) { SearchResult result = searchResults.next(); callback.process(result); @@ -919,9 +939,9 @@ public class LDAPUserRegistry implements UserRegistry, LDAPNameResolver, Initial NamingEnumeration searchResults = ctx.search(this.userSearchBase, "(&" + this.personQuery + "(" + this.userIdAttributeName + "=" + userId + "))", userSearchCtls); - if (searchResults.hasMoreElements()) + if (searchResults.hasMore()) { - return searchResults.next().getNameInNamespace(); + return jndiName(searchResults.next().getNameInNamespace()).toString(); } throw new AuthenticationException("Failed to resolve user: " + userId); } @@ -1200,7 +1220,7 @@ public class LDAPUserRegistry implements UserRegistry, LDAPNameResolver, Initial do { readyForNextPage = this.searchResults == null; - while (!readyForNextPage && this.searchResults.hasMoreElements()) + while (!readyForNextPage && this.searchResults.hasMore()) { SearchResult result = this.searchResults.next(); Attributes attributes = result.getAttributes();
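Review bot: The filter handed to `ctx.search` in the second hunk on this line is built by concatenation, `"(&" + this.personQuery + "(" + this.userIdAttributeName + "=" + userId + "))"`, and nothing visible here escapes `userId`; if that value can come from a login request, filter metacharacters in it alter the query, so it should be escaped per RFC 4515 (or rejected) before concatenation — unless a caller already does so, which this hunk cannot show. Separately, the method now returns `jndiName(...).toString()`, i.e. the composite-name string form in which '/' and '\' are backslash-escaped, rather than the raw DN from the directory; the method's Javadoc (outside the hunk) should say the result is a JNDI name string, since a caller that feeds it into `LdapName` or another filter would receive the escaped form. The `hasMoreElements()` to `hasMore()` change in this hunk and in the two neighbouring hunks makes a `NamingException` raised during iteration propagate instead of silently ending the loop, which matches the ETHREEOH-4002 description; a comment such as `// hasMore() rather than hasMoreElements() so directory errors surface as NamingException` at the first occurrence would make that intent explicit.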