mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-07-07 18:25:23 +00:00
20440: RM: CapabilitiesTest.testDestroyRecordsCapability (MS SQL Server build) - use non-public nodeService 20441: Include virtual tomcat in installers 20442: Change bitrock builder version to use. 20443: Merged BRANCHES/DEV/V3.3-BUG-FIX to BRANCHES/V3.3: (Fixed tabs and removed 'svn:executable' and 'svn:eol-style') 20384: Merged BRANCHES/DEV/BELARUS/HEAD-2010_04_28 to BRANCHES/DEV/V3.3-BUG-FIX: 20271: ALF-803: Asset Service Improvements 20386: Merged V2.2 to V3.3-BUG-FIX 20385: Merged DEV/BELARUS/V2.2-2010_04_06 to V2.2 20379: V2.2-ALF-1888 AssociationQuery was corrected to filter ... 20387: Version Migrator (ALF-1000) - approx x3 boost (policies ignore version2 store) 20388: Merged BRANCHES/DEV/BELARUS/HEAD-2010_04_28 to BRANCHES/DEV/V3.3-BUG-FIX: 20372: ALF-897: It is impossible to create content when default value selected in ContentHeadlineBackground field for intranet_rssi_landing_template web-form (also fixes ALF-2798 & ALF-791) 20389: Merged BRANCHES/DEV/BELARUS/HEAD-2010_04_28 to BRANCHES/DEV/V3.3-BUG-FIX: 20374: ALF-2723: WCM - Http 500 creating content via webform 20394: Fix for ALF-2257 - It's impossible to find and add group at Records Manage Permissions page 20396: Fixed ALF-2956 "XSS attack is made when a rule is being deleted" 20397: Fix for ALF-922: Mysql does not support unique keys that contain nulls as one would expect 20402: ALF-2186 : Rules not being fired on datalist items - because it's a zero byte file? 20404: Fixed ALF-2109 "Rule doesn't apply to the files in sub-folders when 'Run rule for this folder and its subfolders' action was performed" 20406: Fix for ALF-2985 - Share document library throws error if document modifier or creator is deleted from Alfresco 20409: Improved FormServiceImplTest, added more content related tests and some edge case tests using the FDK model (this test needs to be manually enabled though as the FDK model is not available by default) 20414: Merged DEV/BELARUS/HEAD-2010_04_28 to DEV/V3.3-BUG-FIX 20401: ALF-2616: Serious Web Form layout performance issues on IE8. This fix contains: 20427: Merged DEV/BELARUS/HEAD-2010_04_28 to DEV/V3.3-BUG-FIX 20042: ALF-1523: Failed Kerberos SSO auth doesn't fail through, simply returns a blank page 20323: ALF-1523: Failed Kerberos SSO auth doesn't fail through, simply returns a blank page 20428: Merged DEV/BELARUS/HEAD-2010_04_28 to DEV/V3.3-BUG-FIX 20417: ALF-736: WebDAV Folder Renaming fails on Mac but works on Windows. 20430: Fix for ALF-2313 - Accessing a Doclib folder in Share which has a link to a deleted node fails 20431: Version Migrator (ALF-1000) - migrate 1st batch independently 20432: Fix for ALF-2327 - Can not have more than one Transfer Step in a disposal schedule 20438: ALF-479: Merged DEV/BELARUS/V3.2-2010_01_11 to DEV/V3.3-BUG-FIX 18448: ETHREEOH-4044: External Authentication Subsystem does not perform user mapping for WebDAV requests 20444: Fix for ConcurrentModificationException in file server quota manager. ALF-2970. 20445: Merged HEAD to BRANCHES/V3.3: (RECORD ONLY) 20413: Added clean of quickr project 20446: Changed version to 3.3.1dev 20447: Merged V3.3-BUG-FIX to V3.3 20294: Fixes: ALF-1020 & ALF-1013 for all views except agenda. 20451: Merged V2.2 to V3.3 20450: Merged DEV/BELARUS/V2.2-2010_04_06 to V2.2 20412: ALF-1887: too easy to break alfresco - one can remove the guest user and recreate it but then access to RSS is broken - PersonServiceImpl.beforeDeleteNode prohibits attempts to delete a guest user. 20452: Fix for transaction error from NFS server file expiry thread. ALF-3016. 20458: ALF-2729 - rationalise (and deprecate) VersionLabelComparator 20460: Fix for ALF-2430 - AVM nodes are not checked for exclusion - the default ACLEntryVoter will always vote for AVM - avoids embedded AVM permission checks for getType/getAspect and anything else that may be added - seems AVM read is not checked upon "lookup" for the last node in the PATH (getType should have failed too) 20466: Merged V2.2 to V3.3 20243: (RECORD ONLY) ALF-2814: Merged V3.2 to V2.2 17891: Merged DEV_TEMPORARY to V3.2 17873: ETHREEOH-3810: WCM - Recursion detector erroring 20467: Merged V3.1 to V3.3 (RECORD ONLY) 20276: Incremented version label 20275: ALF-2845: Merged V3.2 to V3.1 17768: Merged DEV/BELARUS/V3.2-2009_11_24 to V3.2 17758: ETHREEOH-3757: Oracle upgrade issue: failed "inviteEmailTemplate" patch - also causes subsequent patches to not be applied 19573: Merged V3.2 to V3.1 19539: Merged HEAD to V3.2 19538: Build fix - fix build speed 20468: Merged PATCHES/V3.2.r to V3.3 (RECORD ONLY) 20357: Merged PATCHES/V3.2.0 to PATCHES/V3.2.r 20349: Merged V3.3 to PATCHES/V3.2.0 20346: ALF-2839: Node pre-loading generates needless resultset rows - Added missing Criteria.list() call 20339: Incremented version label 20338: Merged PATCHES/V3.2.0 to PATCHES/V3.2.r 20280: Fixed ALF-2839: Node pre-loading generates needless resultset rows - Split Criteria query to retrieve properties and aspects separately 20272: Backports to help fix ALF-2839: Node pre-loading generates needless resultset rows Merged BRANCHES/V3.2 to PATCHES/V3.2.0: 18490: Added cache for alf_content_data Merged BRANCHES/DEV/V3.3-BUG-FIX to PATCHES/V3.2.0: 20231: Fixed ALF-2784: Degradation of performance between 3.1.1 and 3.2x (observed in JSF) 20266: Test reproduction of ALF-2839 failure: Node pre-loading generates needless resultset rows 20469: Merged PATCHES/V3.1.2 to V3.3 (RECORD ONLY) 20393: Eclipse classpath fix to avoid problems in JBoss 20309: ALF-2777: PrimaryChildAssocCopyBehaviour from MOB-388 corrupts cm:name attributes of copied child nodes - Folded example behaviours from previous AMP into repository - Fixed PrimaryChildAssocCopyBehaviour to back-up and set the cm:name property on copied children 20470: Merged PATCHES/V3.2.0 to V3.3 (RECORD ONLY) 20465: Incremented version label 20464: ALF-3060: Merged V3.2 to PATCHES/V3.2.0 19920: Merged HEAD to BRANCHES/V3.2: 19918: Fix ALF-2499 (Deleting a web project also deletes similarly named web projects - Potential Data Loss) 20448: Merged DEV/V3.3-BUG-FIX to PATCHES/V3.2.0 20414: Merged DEV/BELARUS/HEAD-2010_04_28 to DEV/V3.3-BUG-FIX 20401: ALF-2616: Serious Web Form layout performance issues on IE8. This fix contains: a) X-UA-Compatible head tag with IE=EmulateIE7 value b) alfresco.ieVersion and alfresco.ieEngine in common.js c) recurseOnChildren in _updateDisplay d) Some performance modifications in xforms.js 20350: Increment version label 20349: Merged V3.3 to PATCHES/V3.2.0 20346: ALF-2839: Node pre-loading generates needless resultset rows - Added missing Criteria.list() call 20471: Fix for offline sync losing metadata properties, due to rename/delete of original file. ALF-575. 20478: Merged HEAD to BRANCHES/V3.3: (RECORD ONLY) 20477: Fix ALF-3086: CMIS checkin of a non-versionable document should make it versionable 20479: ALF-2110: Make it possible to determine which person properties are synced via LDAP and hence immutable - Added Set<QName> UserRegistrySynchronizer.getPersonMappedProperties(String username) - UI/Services Fix to follow 20481: Latest SpringSurf libs: - Fix for ALF-1518 - Added support for HTTP and HTTPS proxies for Surf application remote api calls - via the standard JVM cmd line properties such as -Dhttp.proxyHost=... 20484: ALF-2886: LDAP sync defaults display names incorrectly and can't cope with DNs containing escaped trailing whitespace. - Had to work around a JDK bug in LDAP RDN parsing 20486: Added case sensitive flag to the file state cache. Part of ALF-570. 20487: Fix for copy/rename of folders causing file exists errors in some cases. ALF-570. 20488: Fix ALF-680: Previously valid content models now fail with CMISAbstractDictionaryService$DictionaryRegistry exception 20489: Uploaded correct version of spring source jars and reunited them with 3rd-party/.classpath 20490: Fix for cannot delete folders via CIFS from Mac OSX, due to desktop actions. ALF-2553. 20491: Merged DEV/TEMPORARY to V3.3 (With corrections) 20485: ALF-2290: a HTTP GET request of a document redirects to the Home Location when using NTLM SSO The logic related to ADB-61 in NTLMAuthenticationFilter clears previous location and redirects request to default home location. NTLMAuthenticationFilter was changed to process GET requests to documents correctly. Now, fix to ADB-61 processes only “/faces” requests and GET requests to documents are processed correctly. The same fix was made to KerberosAuthenticationFilter 20492: Fix ALF-680: Previously valid content models now fail with CMISAbstractDictionaryService$DictionaryRegistry exception - missing remove directory 20493: Fix ALF-2837: ClassCastException in getProperties() 20498: Fix for ALF-2818: Failure to close index writer under certain conditions. - fix for index writer to close indexes when stopped by exceptions during FTS - fix FTS job to handle exceptions better - debug for FTS background operations 20499: ALF-3094: In ticket authenticate method in AuthenticationHelper, invalidate the current session if its cached ticket doesn't match 20500: Fix for ALF-2858 "Zero KB sized bin files will be created in the contentstore when new sites are created" (RECORD ONLY) 20503: AVMTestSuite: minor fixes to cleanup ctx usage (avoid re-loading) 20505: Merged BRANCHES/V2.2 to BRANCHES/V3.3 (record-only) 13859: (record-only) Removed dev from version label 14003: (record-only) Updated version to 2.2.5dev 14566: (record-only) ETWOTWO-1239 - remove workflow interpreter/console bootstrap 14572: (record-only) ETWOTWO-1239 - fix PersonTest to fix JBPMEngineTest (part-sourced from r13247) 14776: (record-only) Merged V3.1 to V2.2 14748: ETHREEOH-2225 - WCM upgrade (performance improvements for MySQL) 20506: NFS ReadDir/ReadDirPlus skips some folder entries. JLAN-98. 20507: Fixed issue with folder search resume id being reset to the wrong value during NFS folder search. Part of JLAN-98. 20508: Merged BRANCHES/V3.2 to BRANCHES/V3.3: 18319: Merged BRANCHES/DEV/BELARUS/V3.2-2010_01_11 to V3.2 18273: ETHREEOH-3834: WCM: An extral .xml.html file is created when editing newly created content 19182: Merged V3.1 to V3.2 18423: ETHREEOH-3850 - Content Manager unable to edit content items if there is a lock on a generated rendition 18432: (RECORD ONLY) Added FTP data port range configuration via <dataPorts>n:n</dataPorts> config value. ETHREEOH-4103. 18451: (RECORD ONLY) Fixed incorrect FTP debug level name. 18577: (RECORD ONLY) Fix for ETHREEOH-4117, based on CHK-11154 18792: Fix ETHREEOH-2729: Import of property with @ symbol in name fails with "start tag unexpected character @ " 19570: ALF-192 / ALF-1750: System Error if user trying submit web content based on web form which was deleted 19583: Merged DEV/BELARUS/V3.2-2010_03_17 to V3.2 19545: ALF-1954: Regression: same item can be submitted multiple times to workflow 19725: AVMStoreDescriptor - fix minor typo (for debugging) 19917: (RECORD ONLY) Merged HEAD to BRANCHES/V3.2: 19880: Fix ALF-898 - WCM: Deleting a file leads to error (only if RM/DOD installed) 19920: (RECORD ONLY) Merged HEAD to BRANCHES/V3.2: 19918: Fix ALF-2499 (Deleting a web project also deletes similarly named web projects - Potential Data Loss) 20509: Merged BRANCHES/V3.2 to BRANCHES/V3.3 (RECORD ONLY): 19825: (RECORD ONLY) Merged PATCHES/V3.2.r to BRANCHES/V3.2: 19804: Merged PATCHES/V3.2.0 to PATCHES/V3.2.r Merged HEAD to V3.2.0 ... 20510: Merged BRANCHES/V3.1 to BRANCHES/V3.3 (RECORD ONLY) 17482: (RECORD ONLY) Merged V3.2 to V3.1 17478: Fix ETHREEOH-3340 - WCM - Revert to snapshot failure (fix AVM getListing -> AVMSync compare -> WCM revertSnapshot) 18783: (RECORD ONLY) MT: ensure group (EMAIL_CONTRIBUTORS) bootstraps tenant admin user (when creating tenant) 20513: Added port change example for remote Alfresco server to share-config-custom.xml.sample 20518: ALF-657 Created tests to check that the 'runas' functionality works in the AlfrescoJavaScript action handler. Also modified the handler to run as the System user if no Authentication is currently set, as may occur if the action handler is being executed asynchronously. 20519: ALF-657 Created tests to check that the 'runas' functionality works in the AlfrescoJavaScript action handler. Also modified the handler to run as the System user if no Authentication is currently set, as may occur if the action handler is being executed asynchronously. 20520: Removed dev version.label 20522: ALF-3129: Map cm:organization property in LDAP as well as cm:organizationId, since cm:organization is what shows up in JSF and Share. Needed by ALF-2110. 20523: First part of fix for ALF-2110: - Appropriate Person and webframework metadata APIs now return information on immutability of Person properties (as some properties are immutable when synced to LDAP etc.) - Share client now correctly disables profile fields in User Profile and Admin User Console as appropriate based on individual user property mutability - Change Password button now correctly enabled/disabled based on account mutability 20524: VersionMigrator - option to run as scheduled job (ALF-1000) 20525: Fix for various IE6 CSS issues: ALF-3047 - It's impossible to destinate any action with data list item (IE6 specific) ALF-3049 - Incorrect layout of Manage aspects page ALF-3050 - Incorrect layout of Assign Workflow form 20526: Fix for ALF-2915 - Select > None feature for Data Lists not working across multiple pages in IE Closed ALF-2846 - DataList UI not fully I18Ned [Old prototype code] 20527: Fix for ALF-3082 - There is no Edit Offline action at Details page in Share site 20528: Fix various script errors due to typo: ALF-3088 - Script error occurs on creating duplicated record seria ALF-3012 - Incorrect behaviour on creating duplicating folders ALF-3004 - Script error when submitting an item with long data in Prioprity field 20529: Fix for ALF-3006 - Selected Items > Copy to... and Move to actions not working in Document Library 20530: Dynamic Models - fix test(s) - fix concurrency test for Oracle build (retry if txn lock cannot be acquired) - when getting deployed models, skip if invalid (eg. cannot be parsed) 20536: Remove @Override (ALF-657) 20537: Activities - (minor) fix NPE for Oracle build/test 20543: Final part of ALF-2110 - Appropriate person properties disabled for editing in Explorer Client if external mapped sync such as LDAP is used. Fixed issue with Change Password option being disabled incorrectly. 20544: Follow-up fix to r20528 20546: Fix for ALF-3151 - Freemarker causes NPE while deploying 3.3 enterprise onto WebSphere 7.0.0.7 - NOTE: will need to submit patch to freemarker.org 20552: Merged BRANCHES/V3.2 to BRANCHES/V3.3 (RECORD ONLY) 20551: (RECORD ONLY) Merged BRANCHES/V3.3 to BRANCHES/V3.2: 20090: Dynamic models: minor improvements to DictionaryModelType 20553: Fix for escalated issue ALF-2856: Space returns to browse view after completing Add Content dialog; need a way to return to custom view (applied patch provided by customer). 20554: Improvement to model delete validation (investigating intermittent failure of RepoAdminServiceImplTest.testSimpleDynamicModelViaNodeService) 20558: Merged DEV/BELARUS/V3.3-2010_06_08 to V3.3 20550: ALF-922: Mysql does not support unique keys that contain nulls as one would expect ...... duplicates in the alf_access_control_entry table 20562: ALF-3177 - security fix. 20563: Merged BRANCHES/V3.2 to BRANCHES/V3.3: 19412: Fix for ALF-865 "WCM / Cluster: unexpected error when concurrently submitting content" ALF-862 "WCM submit execution will require locking in a clustered WCM authoring env" 20564: Merged BRANCHES/V3.1 to BRANCHES/V3.3: 20542: Fixed ALF-3152: ImporterComponent transaction retry settings can cause IllegalArgumentException 20568: Follow-up on fix ALF-3152. Fix jobLockService's retryWaitIncrementMs git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@20572 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
1436 lines
67 KiB
Java
1436 lines
67 KiB
Java
/*
|
|
* Copyright (C) 2005-2010 Alfresco Software Limited.
|
|
*
|
|
* This file is part of Alfresco
|
|
*
|
|
* Alfresco is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Alfresco is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
package org.alfresco.repo.security.sync;
|
|
|
|
import java.io.Serializable;
|
|
import java.sql.BatchUpdateException;
|
|
import java.text.DateFormat;
|
|
import java.util.ArrayList;
|
|
import java.util.Collection;
|
|
import java.util.Collections;
|
|
import java.util.Date;
|
|
import java.util.HashMap;
|
|
import java.util.HashSet;
|
|
import java.util.Iterator;
|
|
import java.util.LinkedHashMap;
|
|
import java.util.List;
|
|
import java.util.Map;
|
|
import java.util.Set;
|
|
import java.util.TreeMap;
|
|
import java.util.TreeSet;
|
|
|
|
import org.alfresco.model.ContentModel;
|
|
import org.alfresco.repo.attributes.Attribute;
|
|
import org.alfresco.repo.attributes.LongAttributeValue;
|
|
import org.alfresco.repo.attributes.MapAttributeValue;
|
|
import org.alfresco.repo.batch.BatchProcessor;
|
|
import org.alfresco.repo.batch.BatchProcessor.BatchProcessWorker;
|
|
import org.alfresco.repo.lock.JobLockService;
|
|
import org.alfresco.repo.lock.LockAcquisitionException;
|
|
import org.alfresco.repo.management.subsystems.ActivateableBean;
|
|
import org.alfresco.repo.management.subsystems.ChildApplicationContextManager;
|
|
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
|
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
|
|
import org.alfresco.repo.security.authority.UnknownAuthorityException;
|
|
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
|
|
import org.alfresco.repo.transaction.RetryingTransactionHelper;
|
|
import org.alfresco.repo.transaction.AlfrescoTransactionSupport.TxnReadState;
|
|
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
|
|
import org.alfresco.service.cmr.attributes.AttributeService;
|
|
import org.alfresco.service.cmr.rule.RuleService;
|
|
import org.alfresco.service.cmr.security.AuthorityService;
|
|
import org.alfresco.service.cmr.security.AuthorityType;
|
|
import org.alfresco.service.cmr.security.PersonService;
|
|
import org.alfresco.service.namespace.NamespaceService;
|
|
import org.alfresco.service.namespace.QName;
|
|
import org.alfresco.service.transaction.TransactionService;
|
|
import org.alfresco.util.PropertyMap;
|
|
import org.apache.commons.logging.Log;
|
|
import org.apache.commons.logging.LogFactory;
|
|
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
|
|
import org.springframework.context.ApplicationContext;
|
|
import org.springframework.context.ApplicationEvent;
|
|
import org.springframework.context.ApplicationEventPublisher;
|
|
import org.springframework.context.ApplicationEventPublisherAware;
|
|
import org.springframework.extensions.surf.util.AbstractLifecycleBean;
|
|
|
|
/**
|
|
* A <code>ChainingUserRegistrySynchronizer</code> is responsible for synchronizing Alfresco's local user (person) and
|
|
* group (authority) information with the external subsystems in the authentication chain (most typically LDAP
|
|
* directories). When the {@link #synchronize(boolean)} method is called, it visits each {@link UserRegistry} bean in
|
|
* the 'chain' of application contexts, managed by a {@link ChildApplicationContextManager}, and compares its
|
|
* timestamped user and group information with the local users and groups last retrieved from the same source. Any
|
|
* updates and additions made to those users and groups are applied to the local copies. The ordering of each
|
|
* {@link UserRegistry} in the chain determines its precedence when it comes to user and group name collisions. The
|
|
* {@link JobLockService} is used to ensure that in a cluster, no two nodes actually run a synchronize at the same time.
|
|
* <p>
|
|
* The <code>force</code> argument determines whether a complete or partial set of information is queried from the
|
|
* {@link UserRegistry}. When <code>true</code> then <i>all</i> users and groups are queried. With this complete set of
|
|
* information, the synchronizer is able to identify which users and groups have been deleted, so it will delete users
|
|
* and groups as well as update and create them. Since processing all users and groups may be fairly time consuming, it
|
|
* is recommended this mode is only used by a background scheduled synchronization job. When the argument is
|
|
* <code>false</code> then only those users and groups modified since the most recent modification date of all the
|
|
* objects last queried from the same {@link UserRegistry} are retrieved. In this mode, local users and groups are
|
|
* created and updated, but not deleted (except where a name collision with a lower priority {@link UserRegistry} is
|
|
* detected). This 'differential' mode is much faster, and by default is triggered on subsystem startup and also by
|
|
* {@link #createMissingPerson(String)} when a user is successfully authenticated who doesn't yet have a local person
|
|
* object in Alfresco. This should mean that new users and their group information are pulled over from LDAP servers as
|
|
* and when required.
|
|
*
|
|
* @author dward
|
|
*/
|
|
public class ChainingUserRegistrySynchronizer extends AbstractLifecycleBean implements UserRegistrySynchronizer,
|
|
ApplicationEventPublisherAware
|
|
{
|
|
|
|
/** The logger. */
|
|
private static final Log logger = LogFactory.getLog(ChainingUserRegistrySynchronizer.class);
|
|
|
|
/** The name of the lock used to ensure that a synchronize does not run on more than one node at the same time. */
|
|
private static final QName LOCK_QNAME = QName.createQName(NamespaceService.SYSTEM_MODEL_1_0_URI,
|
|
"ChainingUserRegistrySynchronizer");
|
|
|
|
/** The maximum time this lock will be held for (1 day). */
|
|
private static final long LOCK_TTL = 1000 * 60 * 60 * 24;
|
|
|
|
/** The path in the attribute service below which we persist attributes. */
|
|
private static final String ROOT_ATTRIBUTE_PATH = ".ChainingUserRegistrySynchronizer";
|
|
|
|
/** The label under which the last group modification timestamp is stored for each zone. */
|
|
private static final String GROUP_LAST_MODIFIED_ATTRIBUTE = "GROUP";
|
|
|
|
/** The label under which the last user modification timestamp is stored for each zone. */
|
|
private static final String PERSON_LAST_MODIFIED_ATTRIBUTE = "PERSON";
|
|
|
|
/** The manager for the autentication chain to be traversed. */
|
|
private ChildApplicationContextManager applicationContextManager;
|
|
|
|
/** The name used to look up a {@link UserRegistry} bean in each child application context. */
|
|
private String sourceBeanName;
|
|
|
|
/** The authority service. */
|
|
private AuthorityService authorityService;
|
|
|
|
/** The person service. */
|
|
private PersonService personService;
|
|
|
|
/** The attribute service. */
|
|
private AttributeService attributeService;
|
|
|
|
/** The transaction service. */
|
|
private TransactionService transactionService;
|
|
|
|
/** The rule service. */
|
|
private RuleService ruleService;
|
|
|
|
/** The job lock service. */
|
|
private JobLockService jobLockService;
|
|
|
|
/** The application event publisher. */
|
|
private ApplicationEventPublisher applicationEventPublisher;
|
|
|
|
/** Should we trigger a differential sync when missing people log in?. */
|
|
private boolean syncWhenMissingPeopleLogIn = true;
|
|
|
|
/** Should we trigger a differential sync on startup?. */
|
|
private boolean syncOnStartup = true;
|
|
|
|
/** Should we auto create a missing person on log in?. */
|
|
private boolean autoCreatePeopleOnLogin = true;
|
|
|
|
/** The number of entries to process before reporting progress. */
|
|
private int loggingInterval = 100;
|
|
|
|
/** The number of worker threads. */
|
|
private int workerThreads = 2;
|
|
|
|
/**
|
|
* Sets the application context manager.
|
|
*
|
|
* @param applicationContextManager
|
|
* the applicationContextManager to set
|
|
*/
|
|
public void setApplicationContextManager(ChildApplicationContextManager applicationContextManager)
|
|
{
|
|
this.applicationContextManager = applicationContextManager;
|
|
}
|
|
|
|
/**
|
|
* Sets the name used to look up a {@link UserRegistry} bean in each child application context.
|
|
*
|
|
* @param sourceBeanName
|
|
* the bean name
|
|
*/
|
|
public void setSourceBeanName(String sourceBeanName)
|
|
{
|
|
this.sourceBeanName = sourceBeanName;
|
|
}
|
|
|
|
/**
|
|
* Sets the authority service.
|
|
*
|
|
* @param authorityService
|
|
* the new authority service
|
|
*/
|
|
public void setAuthorityService(AuthorityService authorityService)
|
|
{
|
|
this.authorityService = authorityService;
|
|
}
|
|
|
|
/**
|
|
* Sets the person service.
|
|
*
|
|
* @param personService
|
|
* the new person service
|
|
*/
|
|
public void setPersonService(PersonService personService)
|
|
{
|
|
this.personService = personService;
|
|
}
|
|
|
|
/**
|
|
* Sets the attribute service.
|
|
*
|
|
* @param attributeService
|
|
* the new attribute service
|
|
*/
|
|
public void setAttributeService(AttributeService attributeService)
|
|
{
|
|
this.attributeService = attributeService;
|
|
}
|
|
|
|
/**
|
|
* Sets the transaction service.
|
|
*
|
|
* @param transactionService
|
|
* the transaction service
|
|
*/
|
|
public void setTransactionService(TransactionService transactionService)
|
|
{
|
|
this.transactionService = transactionService;
|
|
}
|
|
|
|
/**
|
|
* Sets the rule service.
|
|
*
|
|
* @param ruleService
|
|
* the new rule service
|
|
*/
|
|
public void setRuleService(RuleService ruleService)
|
|
{
|
|
this.ruleService = ruleService;
|
|
}
|
|
|
|
/**
|
|
* Sets the job lock service.
|
|
*
|
|
* @param jobLockService
|
|
* the job lock service
|
|
*/
|
|
public void setJobLockService(JobLockService jobLockService)
|
|
{
|
|
this.jobLockService = jobLockService;
|
|
}
|
|
|
|
/*
|
|
* (non-Javadoc)
|
|
* @see
|
|
* org.springframework.context.ApplicationEventPublisherAware#setApplicationEventPublisher(org.springframework.context
|
|
* .ApplicationEventPublisher)
|
|
*/
|
|
public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher)
|
|
{
|
|
this.applicationEventPublisher = applicationEventPublisher;
|
|
}
|
|
|
|
/**
|
|
* Controls whether we auto create a missing person on log in.
|
|
*
|
|
* @param autoCreatePeopleOnLogin
|
|
* <code>true</code> if we should auto create a missing person on log in
|
|
*/
|
|
public void setAutoCreatePeopleOnLogin(boolean autoCreatePeopleOnLogin)
|
|
{
|
|
this.autoCreatePeopleOnLogin = autoCreatePeopleOnLogin;
|
|
}
|
|
|
|
/**
|
|
* Controls whether we trigger a differential sync when missing people log in.
|
|
*
|
|
* @param syncWhenMissingPeopleLogIn
|
|
* <codetrue</code> if we should trigger a sync when missing people log in
|
|
*/
|
|
public void setSyncWhenMissingPeopleLogIn(boolean syncWhenMissingPeopleLogIn)
|
|
{
|
|
this.syncWhenMissingPeopleLogIn = syncWhenMissingPeopleLogIn;
|
|
}
|
|
|
|
/**
|
|
* Controls whether we trigger a differential sync when the subsystem starts up.
|
|
*
|
|
* @param syncOnStartup
|
|
* <codetrue</code> if we should trigger a sync on startup
|
|
*/
|
|
public void setSyncOnStartup(boolean syncOnStartup)
|
|
{
|
|
this.syncOnStartup = syncOnStartup;
|
|
}
|
|
|
|
/**
|
|
* Sets the number of entries to process before reporting progress.
|
|
*
|
|
* @param loggingInterval
|
|
* the number of entries to process before reporting progress or zero to disable progress reporting.
|
|
*/
|
|
public void setLoggingInterval(int loggingInterval)
|
|
{
|
|
this.loggingInterval = loggingInterval;
|
|
}
|
|
|
|
/**
|
|
* Sets the number of worker threads.
|
|
*
|
|
* @param workerThreads
|
|
* the number of worker threads
|
|
*/
|
|
public void setWorkerThreads(int workerThreads)
|
|
{
|
|
this.workerThreads = workerThreads;
|
|
}
|
|
|
|
/*
|
|
* (non-Javadoc)
|
|
* @see org.alfresco.repo.security.sync.UserRegistrySynchronizer#synchronize(boolean, boolean, boolean)
|
|
*/
|
|
public void synchronize(boolean forceUpdate, boolean allowDeletions, boolean splitTxns)
|
|
{
|
|
// Don't proceed with the sync if the repository is read only
|
|
if (this.transactionService.isReadOnly())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Unable to proceed with user registry synchronization. Repository is read only.");
|
|
return;
|
|
}
|
|
|
|
String lockToken = null;
|
|
|
|
// Let's ensure all exceptions get logged
|
|
try
|
|
{
|
|
// First, try to obtain a lock to ensure we are the only node trying to run this job
|
|
try
|
|
{
|
|
if (splitTxns)
|
|
{
|
|
// If this is an automated sync on startup or scheduled sync, don't even wait around for the lock.
|
|
// Assume the sync will be completed on another node.
|
|
lockToken = this.transactionService.getRetryingTransactionHelper().doInTransaction(
|
|
new RetryingTransactionCallback<String>()
|
|
{
|
|
public String execute() throws Throwable
|
|
{
|
|
return ChainingUserRegistrySynchronizer.this.jobLockService.getLock(
|
|
ChainingUserRegistrySynchronizer.LOCK_QNAME,
|
|
ChainingUserRegistrySynchronizer.LOCK_TTL, 0, 1);
|
|
}
|
|
}, false, splitTxns);
|
|
}
|
|
else
|
|
{
|
|
// If this is a login-triggered sync, give it a few retries before giving up
|
|
this.jobLockService.getTransactionalLock(ChainingUserRegistrySynchronizer.LOCK_QNAME,
|
|
ChainingUserRegistrySynchronizer.LOCK_TTL, 3000, 10);
|
|
}
|
|
}
|
|
catch (LockAcquisitionException e)
|
|
{
|
|
// Don't proceed with the sync if it is running on another node
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("User registry synchronization already running in another thread. Synchronize aborted");
|
|
return;
|
|
}
|
|
|
|
Set<String> visitedZoneIds = new TreeSet<String>();
|
|
Collection<String> instanceIds = this.applicationContextManager.getInstanceIds();
|
|
|
|
// Work out the set of all zone IDs in the authentication chain so that we can decide which users / groups
|
|
// need 're-zoning'
|
|
Set<String> allZoneIds = new TreeSet<String>();
|
|
for (String id : instanceIds)
|
|
{
|
|
allZoneIds.add(AuthorityService.ZONE_AUTH_EXT_PREFIX + id);
|
|
}
|
|
for (String id : instanceIds)
|
|
{
|
|
ApplicationContext context = this.applicationContextManager.getApplicationContext(id);
|
|
try
|
|
{
|
|
UserRegistry plugin = (UserRegistry) context.getBean(this.sourceBeanName);
|
|
if (!(plugin instanceof ActivateableBean) || ((ActivateableBean) plugin).isActive())
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isInfoEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.info("Synchronizing users and groups with user registry '" + id + "'");
|
|
}
|
|
if (allowDeletions && ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Full synchronization with user registry '"
|
|
+ id
|
|
+ "'; some users and groups previously created by synchronization with this user registry may be removed.");
|
|
}
|
|
// Work out whether we should do the work in a separate transaction (it's most performant if we
|
|
// bunch it into small transactions, but if we are doing a sync on login, it has to be the same
|
|
// transaction)
|
|
boolean requiresNew = splitTxns
|
|
|| AlfrescoTransactionSupport.getTransactionReadState() == TxnReadState.TXN_READ_ONLY;
|
|
|
|
syncWithPlugin(id, plugin, forceUpdate, allowDeletions, requiresNew, visitedZoneIds, allZoneIds);
|
|
}
|
|
}
|
|
catch (NoSuchBeanDefinitionException e)
|
|
{
|
|
// Ignore and continue
|
|
}
|
|
}
|
|
}
|
|
catch (RuntimeException e)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.error("Synchronization aborted due to error", e);
|
|
throw e;
|
|
}
|
|
// Release the lock if necessary
|
|
finally
|
|
{
|
|
if (lockToken != null)
|
|
{
|
|
final String token = lockToken;
|
|
this.transactionService.getRetryingTransactionHelper().doInTransaction(
|
|
new RetryingTransactionCallback<Object>()
|
|
{
|
|
public Object execute() throws Throwable
|
|
{
|
|
ChainingUserRegistrySynchronizer.this.jobLockService.releaseLock(token,
|
|
ChainingUserRegistrySynchronizer.LOCK_QNAME);
|
|
return null;
|
|
}
|
|
}, false, splitTxns);
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
* (non-Javadoc)
|
|
* @see org.alfresco.repo.security.sync.UserRegistrySynchronizer#getPersonMappedProperties(java.lang.String)
|
|
*/
|
|
public Set<QName> getPersonMappedProperties(String username)
|
|
{
|
|
Set<String> authorityZones = this.authorityService.getAuthorityZones(username);
|
|
if (authorityZones == null)
|
|
{
|
|
return Collections.emptySet();
|
|
}
|
|
Collection<String> instanceIds = this.applicationContextManager.getInstanceIds();
|
|
|
|
// Visit the user registries in priority order and return the person mapping of the first registry that matches
|
|
// one of the person's zones
|
|
for (String id : instanceIds)
|
|
{
|
|
String zoneId = AuthorityService.ZONE_AUTH_EXT_PREFIX + id;
|
|
if (!authorityZones.contains(zoneId))
|
|
{
|
|
continue;
|
|
}
|
|
ApplicationContext context = this.applicationContextManager.getApplicationContext(id);
|
|
try
|
|
{
|
|
UserRegistry plugin = (UserRegistry) context.getBean(this.sourceBeanName);
|
|
if (!(plugin instanceof ActivateableBean) || ((ActivateableBean) plugin).isActive())
|
|
{
|
|
return plugin.getPersonMappedProperties();
|
|
}
|
|
}
|
|
catch (NoSuchBeanDefinitionException e)
|
|
{
|
|
// Ignore and continue
|
|
}
|
|
}
|
|
|
|
return Collections.emptySet();
|
|
}
|
|
|
|
/*
|
|
* (non-Javadoc)
|
|
* @see org.alfresco.repo.security.sync.UserRegistrySynchronizer#createMissingPerson(java.lang.String)
|
|
*/
|
|
public boolean createMissingPerson(String userName)
|
|
{
|
|
// synchronize or auto-create the missing person if we are allowed
|
|
if (userName != null && !userName.equals(AuthenticationUtil.getSystemUserName()))
|
|
{
|
|
if (this.syncWhenMissingPeopleLogIn)
|
|
{
|
|
try
|
|
{
|
|
synchronize(false, false, false);
|
|
}
|
|
catch (Exception e)
|
|
{
|
|
// We don't want to fail the whole login if we can help it
|
|
ChainingUserRegistrySynchronizer.logger.warn(
|
|
"User authenticated but failed to sync with user registry", e);
|
|
}
|
|
if (this.personService.personExists(userName))
|
|
{
|
|
return true;
|
|
}
|
|
}
|
|
if (this.autoCreatePeopleOnLogin && this.personService.createMissingPeople())
|
|
{
|
|
AuthorityType authorityType = AuthorityType.getAuthorityType(userName);
|
|
if (authorityType == AuthorityType.USER)
|
|
{
|
|
this.personService.getPerson(userName);
|
|
return true;
|
|
}
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Synchronizes local groups and users with a {@link UserRegistry} for a particular zone, optionally handling
|
|
* deletions.
|
|
*
|
|
* @param zone
|
|
* the zone id. This identifier is used to tag all created groups and users, so that in the future we can
|
|
* tell those that have been deleted from the registry.
|
|
* @param userRegistry
|
|
* the user registry for the zone.
|
|
* @param forceUpdate
|
|
* Should the complete set of users and groups be updated / created locally or just those known to have
|
|
* changed since the last sync? When <code>true</code> then <i>all</i> users and groups are queried from
|
|
* the user registry and updated locally. When <code>false</code> then each source is only queried for
|
|
* those users and groups modified since the most recent modification date of all the objects last
|
|
* queried from that same source.
|
|
* @param allowDeletions
|
|
* Should a complete set of user and group IDs be queried from the user registries in order to determine
|
|
* deletions? This parameter is independent of <code>force</code> as a separate query is run to process
|
|
* updates.
|
|
* @param splitTxns
|
|
* Can the modifications to Alfresco be split across multiple transactions for maximum performance? If
|
|
* <code>true</code>, users and groups are created/updated in batches for increased performance. If
|
|
* <code>false</code>, all users and groups are processed in the current transaction. This is required if
|
|
* calling synchronously (e.g. in response to an authentication event in the same transaction).
|
|
* @param visitedZoneIds
|
|
* the set of zone ids already processed. These zones have precedence over the current zone when it comes
|
|
* to group name 'collisions'. If a user or group is queried that already exists locally but is tagged
|
|
* with one of the zones in this set, then it will be ignored as this zone has lower priority.
|
|
* @param allZoneIds
|
|
* the set of all zone ids in the authentication chain. Helps us work out whether the zone information
|
|
* recorded against a user or group is invalid for the current authentication chain and whether the user
|
|
* or group needs to be 're-zoned'.
|
|
*/
|
|
private void syncWithPlugin(final String zone, UserRegistry userRegistry, boolean forceUpdate,
|
|
boolean allowDeletions, boolean splitTxns, final Set<String> visitedZoneIds, final Set<String> allZoneIds)
|
|
{
|
|
// Create a prefixed zone ID for use with the authority service
|
|
final String zoneId = AuthorityService.ZONE_AUTH_EXT_PREFIX + zone;
|
|
|
|
// The set of zones we associate with new objects (default plus registry specific)
|
|
final Set<String> zoneSet = getZones(zoneId);
|
|
|
|
long lastModifiedMillis = forceUpdate ? -1 : getMostRecentUpdateTime(
|
|
ChainingUserRegistrySynchronizer.GROUP_LAST_MODIFIED_ATTRIBUTE, zoneId, splitTxns);
|
|
Date lastModified = lastModifiedMillis == -1 ? null : new Date(lastModifiedMillis);
|
|
|
|
if (ChainingUserRegistrySynchronizer.logger.isInfoEnabled())
|
|
{
|
|
if (lastModified == null)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.info("Retrieving all groups from user registry '" + zone + "'");
|
|
}
|
|
else
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.info("Retrieving groups changed since "
|
|
+ DateFormat.getDateTimeInstance().format(lastModified) + " from user registry '" + zone + "'");
|
|
}
|
|
}
|
|
|
|
// First, analyze the group structure. Create maps of authorities to their parents for associations to create
|
|
// and delete. Also deal with 'overlaps' with other zones in the authentication chain.
|
|
final BatchProcessor<NodeDescription> groupProcessor = new BatchProcessor<NodeDescription>(zone
|
|
+ " Group Analysis", this.transactionService.getRetryingTransactionHelper(), userRegistry
|
|
.getGroups(lastModified), this.workerThreads, 20, this.applicationEventPublisher,
|
|
ChainingUserRegistrySynchronizer.logger, this.loggingInterval);
|
|
class Analyzer implements BatchProcessWorker<NodeDescription>
|
|
{
|
|
private final Set<String> allZoneAuthorities = new TreeSet<String>();
|
|
private final Map<String, String> groupsToCreate = new TreeMap<String, String>();
|
|
private final Map<String, Set<String>> groupAssocsToCreate = new TreeMap<String, Set<String>>();
|
|
private final Map<String, Set<String>> groupAssocsToDelete = new TreeMap<String, Set<String>>();
|
|
private final Set<String> authoritiesMaintained = new TreeSet<String>();
|
|
private Set<String> deletionCandidates;
|
|
|
|
private long latestTime;
|
|
|
|
public Analyzer(final long latestTime)
|
|
{
|
|
this.latestTime = latestTime;
|
|
}
|
|
|
|
public long getLatestTime()
|
|
{
|
|
return this.latestTime;
|
|
}
|
|
|
|
public Set<String> getDeletionCandidates()
|
|
{
|
|
return this.deletionCandidates;
|
|
}
|
|
|
|
public String getIdentifier(NodeDescription entry)
|
|
{
|
|
return entry.getSourceId();
|
|
}
|
|
|
|
public void beforeProcess() throws Throwable
|
|
{
|
|
// Disable rules
|
|
ChainingUserRegistrySynchronizer.this.ruleService.disableRules();
|
|
// Authentication
|
|
AuthenticationUtil.setRunAsUser(AuthenticationUtil.getSystemUserName());
|
|
}
|
|
|
|
public void afterProcess() throws Throwable
|
|
{
|
|
// Enable rules
|
|
ChainingUserRegistrySynchronizer.this.ruleService.enableRules();
|
|
// Clear authentication
|
|
AuthenticationUtil.clearCurrentSecurityContext();
|
|
}
|
|
|
|
public void process(NodeDescription group) throws Throwable
|
|
{
|
|
PropertyMap groupProperties = group.getProperties();
|
|
String groupName = (String) groupProperties.get(ContentModel.PROP_AUTHORITY_NAME);
|
|
String groupShortName = ChainingUserRegistrySynchronizer.this.authorityService.getShortName(groupName);
|
|
Set<String> groupZones = ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getAuthorityZones(groupName);
|
|
|
|
if (groupZones == null)
|
|
{
|
|
// The group did not exist at all
|
|
addGroup(group);
|
|
}
|
|
else
|
|
{
|
|
// Check whether the group is in any of the authentication chain zones
|
|
Set<String> intersection = new TreeSet<String>(groupZones);
|
|
intersection.retainAll(allZoneIds);
|
|
if (intersection.isEmpty())
|
|
{
|
|
// The group exists, but not in a zone that's in the authentication chain. May be due to
|
|
// upgrade or zone changes. Let's re-zone them
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.warn("Updating group '" + groupShortName
|
|
+ "'. This group will in future be assumed to originate from user registry '"
|
|
+ zone + "'.");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.authorityService.removeAuthorityFromZones(groupName,
|
|
groupZones);
|
|
ChainingUserRegistrySynchronizer.this.authorityService.addAuthorityToZones(groupName, zoneSet);
|
|
}
|
|
if (groupZones.contains(zoneId) || intersection.isEmpty())
|
|
{
|
|
// The group already existed in this zone or no valid zone: update the group
|
|
updateGroup(group);
|
|
}
|
|
else
|
|
{
|
|
// Check whether the group is in any of the higher priority authentication chain zones
|
|
intersection.retainAll(visitedZoneIds);
|
|
if (!intersection.isEmpty())
|
|
{
|
|
// A group that exists in a different zone with higher precedence
|
|
return;
|
|
}
|
|
// The group existed, but in a zone with lower precedence
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Recreating occluded group '"
|
|
+ groupShortName
|
|
+ "'. This group was previously created through synchronization with a lower priority user registry.");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.authorityService.deleteAuthority(groupName);
|
|
|
|
// create the group
|
|
addGroup(group);
|
|
}
|
|
}
|
|
|
|
synchronized (this)
|
|
{
|
|
// Maintain the last modified date
|
|
Date groupLastModified = group.getLastModified();
|
|
if (groupLastModified != null)
|
|
{
|
|
this.latestTime = Math.max(this.latestTime, groupLastModified.getTime());
|
|
}
|
|
}
|
|
}
|
|
|
|
private void updateGroup(NodeDescription group)
|
|
{
|
|
PropertyMap groupProperties = group.getProperties();
|
|
String groupName = (String) groupProperties.get(ContentModel.PROP_AUTHORITY_NAME);
|
|
String groupDisplayName = (String) groupProperties.get(ContentModel.PROP_AUTHORITY_DISPLAY_NAME);
|
|
if (groupDisplayName == null)
|
|
{
|
|
groupDisplayName = ChainingUserRegistrySynchronizer.this.authorityService.getShortName(groupName);
|
|
}
|
|
// Update the display name now
|
|
ChainingUserRegistrySynchronizer.this.authorityService.setAuthorityDisplayName(groupName,
|
|
groupDisplayName);
|
|
|
|
// Work out the association differences
|
|
Set<String> oldChildren = ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getContainedAuthorities(null, groupName, true);
|
|
Set<String> newChildren = group.getChildAssociations();
|
|
Set<String> toDelete = new TreeSet<String>(oldChildren);
|
|
Set<String> toAdd = new TreeSet<String>(newChildren);
|
|
toDelete.removeAll(newChildren);
|
|
toAdd.removeAll(oldChildren);
|
|
synchronized (this)
|
|
{
|
|
addAssociations(groupName, toAdd);
|
|
deleteAssociations(groupName, toDelete);
|
|
}
|
|
}
|
|
|
|
private void addGroup(NodeDescription group)
|
|
{
|
|
PropertyMap groupProperties = group.getProperties();
|
|
String groupName = (String) groupProperties.get(ContentModel.PROP_AUTHORITY_NAME);
|
|
String groupDisplayName = (String) groupProperties.get(ContentModel.PROP_AUTHORITY_DISPLAY_NAME);
|
|
if (groupDisplayName == null)
|
|
{
|
|
groupDisplayName = ChainingUserRegistrySynchronizer.this.authorityService.getShortName(groupName);
|
|
}
|
|
|
|
synchronized (this)
|
|
{
|
|
this.groupsToCreate.put(groupName, groupDisplayName);
|
|
addAssociations(groupName, group.getChildAssociations());
|
|
}
|
|
}
|
|
|
|
private synchronized void addAssociations(String groupName, Set<String> children)
|
|
{
|
|
this.allZoneAuthorities.add(groupName);
|
|
// Add an entry for the parent itself, in case it is a root group
|
|
Set<String> parents = this.groupAssocsToCreate.get(groupName);
|
|
if (parents == null)
|
|
{
|
|
parents = new TreeSet<String>();
|
|
this.groupAssocsToCreate.put(groupName, parents);
|
|
}
|
|
for (String child : children)
|
|
{
|
|
parents = this.groupAssocsToCreate.get(child);
|
|
if (parents == null)
|
|
{
|
|
parents = new TreeSet<String>();
|
|
this.groupAssocsToCreate.put(child, parents);
|
|
}
|
|
parents.add(groupName);
|
|
}
|
|
}
|
|
|
|
private synchronized void deleteAssociations(String groupName, Set<String> children)
|
|
{
|
|
for (String child : children)
|
|
{
|
|
// Make sure each child features as a key in the creation map
|
|
addAssociations(child, Collections.<String> emptySet());
|
|
|
|
Set<String> parents = this.groupAssocsToDelete.get(child);
|
|
if (parents == null)
|
|
{
|
|
parents = new TreeSet<String>();
|
|
this.groupAssocsToDelete.put(child, parents);
|
|
}
|
|
parents.add(groupName);
|
|
}
|
|
}
|
|
|
|
public void processGroups(UserRegistry userRegistry, boolean allowDeletions, boolean splitTxns)
|
|
{
|
|
// If we got back some groups, we have to cross reference them with the set of known authorities
|
|
if (allowDeletions || !this.groupAssocsToCreate.isEmpty())
|
|
{
|
|
// Add in current set of known authorities
|
|
this.allZoneAuthorities.addAll(ChainingUserRegistrySynchronizer.this.transactionService
|
|
.getRetryingTransactionHelper().doInTransaction(
|
|
new RetryingTransactionCallback<Set<String>>()
|
|
{
|
|
public Set<String> execute() throws Throwable
|
|
{
|
|
return ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getAllAuthoritiesInZone(zoneId, null);
|
|
}
|
|
}, true, splitTxns));
|
|
|
|
// Prune our set of authorities according to deletions
|
|
if (allowDeletions)
|
|
{
|
|
this.deletionCandidates = new TreeSet<String>(this.allZoneAuthorities);
|
|
userRegistry.processDeletions(this.deletionCandidates);
|
|
this.allZoneAuthorities.removeAll(this.deletionCandidates);
|
|
this.groupAssocsToCreate.keySet().removeAll(this.deletionCandidates);
|
|
this.groupAssocsToDelete.keySet().removeAll(this.deletionCandidates);
|
|
}
|
|
|
|
if (!this.groupAssocsToCreate.isEmpty())
|
|
{
|
|
// Sort the group associations in depth-first order (root groups first) and filter out
|
|
// non-existent parents
|
|
Map<String, Set<String>> sortedGroupAssociations = new LinkedHashMap<String, Set<String>>(
|
|
this.groupAssocsToCreate.size() * 2);
|
|
List<String> authorityPath = new ArrayList<String>(5);
|
|
for (String authority : this.groupAssocsToCreate.keySet())
|
|
{
|
|
if (this.allZoneAuthorities.contains(authority))
|
|
{
|
|
authorityPath.add(authority);
|
|
visitGroupAssociations(authorityPath, this.allZoneAuthorities,
|
|
this.groupAssocsToCreate, sortedGroupAssociations);
|
|
authorityPath.clear();
|
|
}
|
|
}
|
|
|
|
// Add the groups and their parent associations in depth-first order
|
|
BatchProcessor<Map.Entry<String, Set<String>>> groupCreator = new BatchProcessor<Map.Entry<String, Set<String>>>(
|
|
zone + " Group Creation and Association",
|
|
ChainingUserRegistrySynchronizer.this.transactionService.getRetryingTransactionHelper(),
|
|
sortedGroupAssociations.entrySet(),
|
|
ChainingUserRegistrySynchronizer.this.workerThreads, 20,
|
|
ChainingUserRegistrySynchronizer.this.applicationEventPublisher,
|
|
ChainingUserRegistrySynchronizer.logger,
|
|
ChainingUserRegistrySynchronizer.this.loggingInterval);
|
|
groupCreator.process(new BatchProcessWorker<Map.Entry<String, Set<String>>>()
|
|
{
|
|
public String getIdentifier(Map.Entry<String, Set<String>> entry)
|
|
{
|
|
return entry.getKey() + " " + entry.getValue();
|
|
}
|
|
|
|
public void beforeProcess() throws Throwable
|
|
{
|
|
// Disable rules
|
|
ChainingUserRegistrySynchronizer.this.ruleService.disableRules();
|
|
// Authentication
|
|
AuthenticationUtil.setRunAsUser(AuthenticationUtil.getSystemUserName());
|
|
}
|
|
|
|
public void afterProcess() throws Throwable
|
|
{
|
|
// Enable rules
|
|
ChainingUserRegistrySynchronizer.this.ruleService.enableRules();
|
|
// Clear authentication
|
|
AuthenticationUtil.clearCurrentSecurityContext();
|
|
}
|
|
|
|
public void process(Map.Entry<String, Set<String>> entry) throws Throwable
|
|
{
|
|
String child = entry.getKey();
|
|
|
|
String groupDisplayName = Analyzer.this.groupsToCreate.get(child);
|
|
if (groupDisplayName != null)
|
|
{
|
|
String groupShortName = ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getShortName(child);
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("Creating group '"
|
|
+ groupShortName + "'");
|
|
}
|
|
// create the group
|
|
ChainingUserRegistrySynchronizer.this.authorityService.createAuthority(
|
|
AuthorityType.getAuthorityType(child), groupShortName, groupDisplayName,
|
|
zoneSet);
|
|
}
|
|
maintainAssociations(child);
|
|
}
|
|
}, splitTxns);
|
|
}
|
|
}
|
|
}
|
|
|
|
public void finalizeAssociations(UserRegistry userRegistry, boolean splitTxns)
|
|
{
|
|
// Remove all the associations we have already dealt with
|
|
this.groupAssocsToCreate.keySet().removeAll(this.authoritiesMaintained);
|
|
|
|
// Filter out associations to authorities that simply can't exist
|
|
this.groupAssocsToCreate.keySet().retainAll(this.allZoneAuthorities);
|
|
|
|
if (!this.groupAssocsToCreate.isEmpty())
|
|
{
|
|
BatchProcessor<Map.Entry<String, Set<String>>> groupCreator = new BatchProcessor<Map.Entry<String, Set<String>>>(
|
|
zone + " Authority Association", ChainingUserRegistrySynchronizer.this.transactionService
|
|
.getRetryingTransactionHelper(), this.groupAssocsToCreate.entrySet(),
|
|
ChainingUserRegistrySynchronizer.this.workerThreads, 20,
|
|
ChainingUserRegistrySynchronizer.this.applicationEventPublisher,
|
|
ChainingUserRegistrySynchronizer.logger,
|
|
ChainingUserRegistrySynchronizer.this.loggingInterval);
|
|
groupCreator.process(new BatchProcessWorker<Map.Entry<String, Set<String>>>()
|
|
{
|
|
public String getIdentifier(Map.Entry<String, Set<String>> entry)
|
|
{
|
|
return entry.getKey() + " " + entry.getValue();
|
|
}
|
|
|
|
public void beforeProcess() throws Throwable
|
|
{
|
|
// Disable rules
|
|
ChainingUserRegistrySynchronizer.this.ruleService.disableRules();
|
|
// Authentication
|
|
AuthenticationUtil.setRunAsUser(AuthenticationUtil.getSystemUserName());
|
|
}
|
|
|
|
public void afterProcess() throws Throwable
|
|
{
|
|
// Enable rules
|
|
ChainingUserRegistrySynchronizer.this.ruleService.enableRules();
|
|
// Clear authentication
|
|
AuthenticationUtil.clearCurrentSecurityContext();
|
|
}
|
|
|
|
public void process(Map.Entry<String, Set<String>> entry) throws Throwable
|
|
{
|
|
maintainAssociations(entry.getKey());
|
|
}
|
|
}, splitTxns);
|
|
}
|
|
}
|
|
|
|
private void maintainAssociations(String authorityName) throws BatchUpdateException
|
|
{
|
|
Set<String> parents = this.groupAssocsToCreate.get(authorityName);
|
|
if (parents != null && !parents.isEmpty())
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
for (String groupName : parents)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("Adding '"
|
|
+ ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getShortName(authorityName) + "' to group '"
|
|
+ ChainingUserRegistrySynchronizer.this.authorityService.getShortName(groupName)
|
|
+ "'");
|
|
}
|
|
}
|
|
try
|
|
{
|
|
ChainingUserRegistrySynchronizer.this.authorityService.addAuthority(parents, authorityName);
|
|
}
|
|
catch (UnknownAuthorityException e)
|
|
{
|
|
// Let's force a transaction retry if a parent doesn't exist. It may be because we are
|
|
// waiting for another worker thread to create it
|
|
BatchUpdateException e1 = new BatchUpdateException();
|
|
e1.initCause(e);
|
|
throw e1;
|
|
}
|
|
}
|
|
Set<String> parentsToDelete = this.groupAssocsToDelete.get(authorityName);
|
|
if (parentsToDelete != null && !parentsToDelete.isEmpty())
|
|
{
|
|
for (String parent : parentsToDelete)
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.debug("Removing '"
|
|
+ ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getShortName(authorityName)
|
|
+ "' from group '"
|
|
+ ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getShortName(parent) + "'");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.authorityService.removeAuthority(parent, authorityName);
|
|
}
|
|
}
|
|
|
|
// Remember that this authority's associations have been maintained
|
|
synchronized (this)
|
|
{
|
|
this.authoritiesMaintained.add(authorityName);
|
|
}
|
|
}
|
|
}
|
|
|
|
final Analyzer groupAnalyzer = new Analyzer(lastModifiedMillis);
|
|
int groupProcessedCount = groupProcessor.process(groupAnalyzer, splitTxns);
|
|
|
|
groupAnalyzer.processGroups(userRegistry, allowDeletions, splitTxns);
|
|
|
|
// Process persons and their parent associations
|
|
|
|
lastModifiedMillis = forceUpdate ? -1 : getMostRecentUpdateTime(
|
|
ChainingUserRegistrySynchronizer.PERSON_LAST_MODIFIED_ATTRIBUTE, zoneId, splitTxns);
|
|
lastModified = lastModifiedMillis == -1 ? null : new Date(lastModifiedMillis);
|
|
if (ChainingUserRegistrySynchronizer.logger.isInfoEnabled())
|
|
{
|
|
if (lastModified == null)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.info("Retrieving all users from user registry '" + zone + "'");
|
|
}
|
|
else
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.info("Retrieving users changed since "
|
|
+ DateFormat.getDateTimeInstance().format(lastModified) + " from user registry '" + zone + "'");
|
|
}
|
|
}
|
|
final BatchProcessor<NodeDescription> personProcessor = new BatchProcessor<NodeDescription>(zone
|
|
+ " User Creation and Association", this.transactionService.getRetryingTransactionHelper(),
|
|
userRegistry.getPersons(lastModified), this.workerThreads, 10, this.applicationEventPublisher,
|
|
ChainingUserRegistrySynchronizer.logger, this.loggingInterval);
|
|
class PersonWorker implements BatchProcessWorker<NodeDescription>
|
|
{
|
|
private long latestTime;
|
|
|
|
public PersonWorker(final long latestTime)
|
|
{
|
|
this.latestTime = latestTime;
|
|
}
|
|
|
|
public long getLatestTime()
|
|
{
|
|
return this.latestTime;
|
|
}
|
|
|
|
public String getIdentifier(NodeDescription entry)
|
|
{
|
|
return entry.getSourceId();
|
|
}
|
|
|
|
public void beforeProcess() throws Throwable
|
|
{
|
|
// Disable rules
|
|
ChainingUserRegistrySynchronizer.this.ruleService.disableRules();
|
|
// Authentication
|
|
AuthenticationUtil.setRunAsUser(AuthenticationUtil.getSystemUserName());
|
|
}
|
|
|
|
public void afterProcess() throws Throwable
|
|
{
|
|
// Enable rules
|
|
ChainingUserRegistrySynchronizer.this.ruleService.enableRules();
|
|
// Clear authentication
|
|
AuthenticationUtil.clearCurrentSecurityContext();
|
|
}
|
|
|
|
public void process(NodeDescription person) throws Throwable
|
|
{
|
|
// Make a mutable copy of the person properties, since they get written back to by person service
|
|
HashMap<QName, Serializable> personProperties = new HashMap<QName, Serializable>(person.getProperties());
|
|
String personName = (String) personProperties.get(ContentModel.PROP_USERNAME);
|
|
Set<String> zones = ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getAuthorityZones(personName);
|
|
if (zones == null)
|
|
{
|
|
// The person did not exist at all
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("Creating user '" + personName + "'");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.personService.createPerson(personProperties, zoneSet);
|
|
}
|
|
else if (zones.contains(zoneId))
|
|
{
|
|
// The person already existed in this zone: update the person
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("Updating user '" + personName + "'");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.personService.setPersonProperties(personName,
|
|
personProperties, false);
|
|
}
|
|
else
|
|
{
|
|
// Check whether the user is in any of the authentication chain zones
|
|
Set<String> intersection = new TreeSet<String>(zones);
|
|
intersection.retainAll(allZoneIds);
|
|
if (intersection.size() == 0)
|
|
{
|
|
// The person exists, but not in a zone that's in the authentication chain. May be due
|
|
// to upgrade or zone changes. Let's re-zone them
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.warn("Updating user '" + personName
|
|
+ "'. This user will in future be assumed to originate from user registry '" + zone
|
|
+ "'.");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.authorityService.removeAuthorityFromZones(personName,
|
|
zones);
|
|
ChainingUserRegistrySynchronizer.this.authorityService.addAuthorityToZones(personName, zoneSet);
|
|
ChainingUserRegistrySynchronizer.this.personService.setPersonProperties(personName,
|
|
personProperties);
|
|
}
|
|
else
|
|
{
|
|
// Check whether the user is in any of the higher priority authentication chain zones
|
|
intersection.retainAll(visitedZoneIds);
|
|
if (intersection.size() > 0)
|
|
{
|
|
// A person that exists in a different zone with higher precedence - ignore
|
|
return;
|
|
}
|
|
|
|
// The person existed, but in a zone with lower precedence
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Recreating occluded user '"
|
|
+ personName
|
|
+ "'. This user was previously created through synchronization with a lower priority user registry.");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.personService.deletePerson(personName);
|
|
ChainingUserRegistrySynchronizer.this.personService.createPerson(personProperties, zoneSet);
|
|
}
|
|
}
|
|
|
|
// Maintain associations
|
|
groupAnalyzer.maintainAssociations(personName);
|
|
|
|
synchronized (this)
|
|
{
|
|
// Maintain the last modified date
|
|
Date personLastModified = person.getLastModified();
|
|
if (personLastModified != null)
|
|
{
|
|
this.latestTime = Math.max(this.latestTime, personLastModified.getTime());
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
PersonWorker persons = new PersonWorker(lastModifiedMillis);
|
|
int personProcessedCount = personProcessor.process(persons, splitTxns);
|
|
|
|
// Process those associations to persons who themselves have not been updated
|
|
groupAnalyzer.finalizeAssociations(userRegistry, splitTxns);
|
|
|
|
// Only now that the whole tree has been processed is it safe to persist the last modified dates
|
|
long latestTime = groupAnalyzer.getLatestTime();
|
|
if (latestTime != -1)
|
|
{
|
|
setMostRecentUpdateTime(ChainingUserRegistrySynchronizer.GROUP_LAST_MODIFIED_ATTRIBUTE, zoneId, latestTime,
|
|
splitTxns);
|
|
}
|
|
latestTime = persons.getLatestTime();
|
|
if (latestTime != -1)
|
|
{
|
|
setMostRecentUpdateTime(ChainingUserRegistrySynchronizer.PERSON_LAST_MODIFIED_ATTRIBUTE, zoneId,
|
|
latestTime, splitTxns);
|
|
}
|
|
|
|
// Delete authorities if we have complete information for the zone
|
|
if (allowDeletions)
|
|
{
|
|
BatchProcessor<String> authorityDeletionProcessor = new BatchProcessor<String>(
|
|
zone + " Authority Deletion", this.transactionService.getRetryingTransactionHelper(), groupAnalyzer
|
|
.getDeletionCandidates(), this.workerThreads, 10, this.applicationEventPublisher,
|
|
ChainingUserRegistrySynchronizer.logger, this.loggingInterval);
|
|
class AuthorityDeleter implements BatchProcessWorker<String>
|
|
{
|
|
private int personProcessedCount;
|
|
private int groupProcessedCount;
|
|
|
|
public int getPersonProcessedCount()
|
|
{
|
|
return this.personProcessedCount;
|
|
}
|
|
|
|
public int getGroupProcessedCount()
|
|
{
|
|
return this.groupProcessedCount;
|
|
}
|
|
|
|
public String getIdentifier(String entry)
|
|
{
|
|
return entry;
|
|
}
|
|
|
|
public void beforeProcess() throws Throwable
|
|
{
|
|
// Disable rules
|
|
ChainingUserRegistrySynchronizer.this.ruleService.disableRules();
|
|
// Authentication
|
|
AuthenticationUtil.setRunAsUser(AuthenticationUtil.getSystemUserName());
|
|
}
|
|
|
|
public void afterProcess() throws Throwable
|
|
{
|
|
// Enable rules
|
|
ChainingUserRegistrySynchronizer.this.ruleService.enableRules();
|
|
// Clear authentication
|
|
AuthenticationUtil.clearCurrentSecurityContext();
|
|
}
|
|
|
|
public void process(String authority) throws Throwable
|
|
{
|
|
if (AuthorityType.getAuthorityType(authority) == AuthorityType.USER)
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("Deleting user '" + authority + "'");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.personService.deletePerson(authority);
|
|
synchronized (this)
|
|
{
|
|
this.personProcessedCount++;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("Deleting group '"
|
|
+ ChainingUserRegistrySynchronizer.this.authorityService.getShortName(authority)
|
|
+ "'");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.authorityService.deleteAuthority(authority);
|
|
synchronized (this)
|
|
{
|
|
this.groupProcessedCount++;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
AuthorityDeleter authorityDeleter = new AuthorityDeleter();
|
|
authorityDeletionProcessor.process(authorityDeleter, splitTxns);
|
|
groupProcessedCount += authorityDeleter.getGroupProcessedCount();
|
|
personProcessedCount += authorityDeleter.getPersonProcessedCount();
|
|
}
|
|
|
|
// Remember we have visited this zone
|
|
visitedZoneIds.add(zoneId);
|
|
|
|
if (ChainingUserRegistrySynchronizer.logger.isInfoEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.info("Finished synchronizing users and groups with user registry '"
|
|
+ zone + "'");
|
|
ChainingUserRegistrySynchronizer.logger.info(personProcessedCount + " user(s) and " + groupProcessedCount
|
|
+ " group(s) processed");
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Visits the last authority in the given list by recursively visiting its parents in associationsOld and then
|
|
* adding the authority to associationsNew. Used to sort associationsOld into 'depth-first' order.
|
|
*
|
|
* @param authorityPath
|
|
* The authority to visit, preceeded by all its descendants. Allows detection of cyclic child
|
|
* associations.
|
|
* @param allAuthorities
|
|
* the set of all known authorities
|
|
* @param associationsOld
|
|
* the association map to sort
|
|
* @param associationsNew
|
|
* the association map to add to in depth first order
|
|
*/
|
|
private void visitGroupAssociations(List<String> authorityPath, Set<String> allAuthorities,
|
|
Map<String, Set<String>> associationsOld, Map<String, Set<String>> associationsNew)
|
|
{
|
|
String authorityName = authorityPath.get(authorityPath.size() - 1);
|
|
if (!associationsNew.containsKey(authorityName))
|
|
{
|
|
Set<String> associations = associationsOld.get(authorityName);
|
|
|
|
if (!associations.isEmpty())
|
|
{
|
|
// Filter out associations to unknown parent authorities
|
|
associations.retainAll(allAuthorities);
|
|
int insertIndex = authorityPath.size();
|
|
Iterator<String> i = associations.iterator();
|
|
while (i.hasNext())
|
|
{
|
|
String parentAuthority = i.next();
|
|
|
|
// Prevent cyclic paths
|
|
if (authorityPath.contains(parentAuthority))
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.warn("Detected cyclic dependencies in group '"
|
|
+ ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getShortName(parentAuthority) + "'");
|
|
}
|
|
i.remove();
|
|
}
|
|
else
|
|
{
|
|
authorityPath.add(parentAuthority);
|
|
visitGroupAssociations(authorityPath, allAuthorities, associationsOld, associationsNew);
|
|
authorityPath.remove(insertIndex);
|
|
}
|
|
}
|
|
}
|
|
|
|
// Omit associations from users from this map, as they will be processed separately
|
|
if (AuthorityType.getAuthorityType(authorityName) != AuthorityType.USER)
|
|
{
|
|
associationsNew.put(authorityName, associations);
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Gets the persisted most recent update time for a label and zone.
|
|
*
|
|
* @param label
|
|
* the label
|
|
* @param zoneId
|
|
* the zone id
|
|
* @return the most recent update time in milliseconds
|
|
*/
|
|
private long getMostRecentUpdateTime(final String label, final String zoneId, boolean splitTxns)
|
|
{
|
|
return this.transactionService.getRetryingTransactionHelper().doInTransaction(
|
|
new RetryingTransactionCallback<Long>()
|
|
{
|
|
|
|
public Long execute() throws Throwable
|
|
{
|
|
Attribute attribute = ChainingUserRegistrySynchronizer.this.attributeService
|
|
.getAttribute(ChainingUserRegistrySynchronizer.ROOT_ATTRIBUTE_PATH + '/' + label + '/'
|
|
+ zoneId);
|
|
return attribute == null ? -1 : attribute.getLongValue();
|
|
}
|
|
}, true, splitTxns);
|
|
}
|
|
|
|
/**
|
|
* Persists the most recent update time for a label and zone.
|
|
*
|
|
* @param label
|
|
* the label
|
|
* @param zoneId
|
|
* the zone id
|
|
* @param lastModifiedMillis
|
|
* the update time in milliseconds
|
|
* @param splitTxns
|
|
* Can the modifications to Alfresco be split across multiple transactions for maximum performance? If
|
|
* <code>true</code>, the attribute is persisted in a new transaction for increased performance and
|
|
* reliability.
|
|
*/
|
|
private void setMostRecentUpdateTime(final String label, final String zoneId, final long lastModifiedMillis,
|
|
boolean splitTxns)
|
|
{
|
|
final String path = ChainingUserRegistrySynchronizer.ROOT_ATTRIBUTE_PATH + '/' + label;
|
|
this.transactionService.getRetryingTransactionHelper().doInTransaction(
|
|
new RetryingTransactionHelper.RetryingTransactionCallback<Object>()
|
|
{
|
|
|
|
public Object execute() throws Throwable
|
|
{
|
|
if (!ChainingUserRegistrySynchronizer.this.attributeService.exists(path))
|
|
{
|
|
if (!ChainingUserRegistrySynchronizer.this.attributeService
|
|
.exists(ChainingUserRegistrySynchronizer.ROOT_ATTRIBUTE_PATH))
|
|
{
|
|
ChainingUserRegistrySynchronizer.this.attributeService.setAttribute("",
|
|
ChainingUserRegistrySynchronizer.ROOT_ATTRIBUTE_PATH, new MapAttributeValue());
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.attributeService.setAttribute(
|
|
ChainingUserRegistrySynchronizer.ROOT_ATTRIBUTE_PATH, label,
|
|
new MapAttributeValue());
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.attributeService.setAttribute(path, zoneId,
|
|
new LongAttributeValue(lastModifiedMillis));
|
|
return null;
|
|
}
|
|
}, false, splitTxns);
|
|
}
|
|
|
|
/**
|
|
* Gets the default set of zones to set on a person or group belonging to the user registry with the given zone ID.
|
|
* We add the default zone as well as the zone corresponding to the user registry so that the users and groups are
|
|
* visible in the UI.
|
|
*
|
|
* @param zoneId
|
|
* the zone id
|
|
* @return the zone set
|
|
*/
|
|
private Set<String> getZones(String zoneId)
|
|
{
|
|
Set<String> zones = new HashSet<String>(5);
|
|
zones.add(AuthorityService.ZONE_APP_DEFAULT);
|
|
zones.add(zoneId);
|
|
return zones;
|
|
}
|
|
|
|
/*
|
|
* (non-Javadoc)
|
|
* @seeorg.springframework.extensions.surf.util.AbstractLifecycleBean#onBootstrap(org.springframework.context.
|
|
* ApplicationEvent)
|
|
*/
|
|
@Override
|
|
protected void onBootstrap(ApplicationEvent event)
|
|
{
|
|
// Do an initial differential sync on startup, using transaction splitting. This ensures that on the very
|
|
// first startup, we don't have to wait for a very long login operation to trigger the first sync!
|
|
if (this.syncOnStartup)
|
|
{
|
|
AuthenticationUtil.runAs(new RunAsWork<Object>()
|
|
{
|
|
public Object doWork() throws Exception
|
|
{
|
|
try
|
|
{
|
|
synchronize(false, false, true);
|
|
}
|
|
catch (Exception e)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.warn("Failed initial synchronize with user registries",
|
|
e);
|
|
}
|
|
return null;
|
|
}
|
|
}, AuthenticationUtil.getSystemUserName());
|
|
}
|
|
}
|
|
|
|
/*
|
|
* (non-Javadoc)
|
|
* @seeorg.springframework.extensions.surf.util.AbstractLifecycleBean#onShutdown(org.springframework.context.
|
|
* ApplicationEvent)
|
|
*/
|
|
@Override
|
|
protected void onShutdown(ApplicationEvent event)
|
|
{
|
|
}
|
|
}
|