inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-07 18:25:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
alfresco-community-repo/source/java/org/alfresco/repo/security/sync/ChainingUserRegistrySynchronizer.java
Dave Ward dbb11a5ce2 Merged V4.0-BUG-FIX to HEAD 
35366: Fix for ALF-13542 - Notification is not displayed, when you try to create duplicate user.
   35538: Merged BRANCHES/DEV/CLOUD1 to BRANCHES/DEV/V4.0-BUG-FIX: (pre-req for ALF-13791)
      35410: Merged BRANCHES/DEV/THOR1 to BRANCHES/DEV/CLOUD1:
           - fix merge issue (compilation fix)
      35443: Merge build/test fix (record-only)
      35463: Merged BRANCHES/DEV/THOR1 to BRANCHES/DEV/CLOUD1:
           30194: Merged BRANCHES/DEV/THOR0 to BRANCHES/DEV/THOR1:
                29718: ALF-6029: Additional MT fix to force default tenant
                29719: THOR-7: Create tenant
   35541: Fix for ALF-13723 SOLR does not include the same query unit tests as lucene
   - added base tests
   35547: Merged BRANCHES/DEV/CLOUD1 to BRANCHES/DEV/V4.0-BUG-FIX: (ALF-13791)
      35511: Merged BRANCHES/DEV/THOR1 to BRANCHES/DEV/CLOUD1:
           30252: Merged BRANCHES/DEV/THOR0 to BRANCHES/DEV/THOR1:
                 29763: THOR-107: MT-aware immutable singletons
                 29766: THOR-107: MT-aware immutable singletons
                 29768: THOR-31: MT-aware shared cache
                 29770: THOR-107: MT-aware immutable singletons
      35512: Merged BRANCHES/DEV/THOR1 to BRANCHES/DEV/CLOUD1:
           30253: Merged BRANCHES/DEV/THOR0 to BRANCHES/DEV/THOR1:
                 29771: THOR-31: MT-aware shared cache
                 29777: THOR-107: MT-aware immutable singletons
                 29786: THOR-107: MT-aware immutable singletons
                 29787: THOR-31: MT-aware shared cache (fix MultiTNodeServiceInterceptorTest)
                 29799: THOR-107: MT-aware immutable singletons
      35513: Merge build/test fix
      35516: Merged BRANCHES/DEV/THOR0 to BRANCHES/DEV/CLOUD1:
           30026: THOR-5: tenant-aware caches
      35517: Merged BRANCHES/DEV/THOR1 to BRANCHES/DEV/CLOUD1:
           30260: Merged BRANCHES/DEV/THOR0 to BRANCHES/DEV/THOR1: (core)
                 29860: THOR-73: prep for HEAD sync/merge-forward
                 29866: THOR-73: prep for HEAD sync/merge-forward
                 30026: THOR-5: tenant-aware caches
      35520: Merged BRANCHES/DEV/THOR1 to BRANCHES/DEV/CLOUD1:
           30297: THOR-73: Line-endings only
           30298: THOR-73: Line-endings only
           30300: THOR-73: fix ActivitiWorkflowServiceIntegrationTest
           30302: THOR-73: fix SubscriptionServiceActivitiesTest
      35528: Merged BRANCHES/DEV/THOR1 to BRANCHES/DEV/CLOUD1:
           30459: THOR-156: prep - consolidate/improve get current user's tenant domain
           30469: Fix bootstrap config check when running unit tests (where one tenant already exists)
           (partial merge only)
   35565: MT: fix update tenant entity
   - pre-req for ALF-13757
   35567: Fix merge fallout (compile error)
   35569: ALF-13757: MT - minor patch to migrate existing tenants, if any (when upgrading)
   35592: Merged BRANCHES/DEV/THOR1_SPRINTS to BRANCHES/DEV/V4.0-BUG-FIX: (ALF-13791)
      34153: Minor: THOR-5: MT-aware immutable singletons (spp/vti)
   35598: ALF-11459: Added null-check on in-flight process diagram-generation to prevent error when running headless
   35604: ALF-13426 Transformation: DOCX conversion failure
      <<< Fix split into two parts to make merge of this general part to 3.4.10 simpler. >>>
      <<< The second part contains 4.0.x specific changes. >>>
      - Change to ContentServiceImpl to fail over to other available transformers on error (can be turned off with
        global property content.transformer.failover=false).
   35605: ALF-13426 Transformation: DOCX conversion failure
      <<< Second part >>>
      - Remove explicit transformation sections for OOXML (added in 4.0.1 ALF-12461) as these are stopping other
        transformers from being used. Was done originally as a copy paste from another bean that needed an explicit section.
      - The combination of allowing other transformers (that were used prior to 4.0.1) and fail over from OOXML to these
        transformers allows to docx fixes that do and do not contain an embedded image to be transformed to png.
   35608: fix build
   35609: Merged V3.4-BUG-FIX (3.4.10) to V4.0-BUG-FIX (4.0.2) RECORD ONLY
      35607: Merged V4.0-BUG-FIX (4.0.2) to V3.4-BUG-FIX (3.4.10) 
         35604: ALF-13426 Transformation: DOCX conversion failure
            <<< Fix split into two parts to make merge of this general part to 3.4.10 simpler. >>>
            <<< The second part contains 4.0.x specific changes. >>>
            - Change to ContentServiceImpl to fail over to other available transformers on error (can be turned off with
              global property content.transformer.failover=false).
   35619: ALL LANGUAGES: Translation updates based on EN r35407
   35630: Merged HEAD to BRANCHES/DEV/V4.0-BUG-FIX:
      34289: Upgrading JUnit lib to 4.10 to get full Rules support.
      34317: Some initial documentation on JUnit Rules samples.
      34328: More JUnit rules fun. Added a new rule to help with the creation and automatic cleanup of temporary test nodes.
      34777: Added enhancement to TemporaryNodes rule to allow for dummy content.
      34805: Added a convenience method to the ApplicationContextInit @Rule to allow for easier spring overriding in test code.
      35621: Merged BRANCHES/DEV/CLOUDSYNCLOCAL2 to HEAD:
           35620: More JUnit Rules Enhancements, covering well known nodes and easier context loading
   35631: Fixing some Eclipse junit/lib dependencies which had become out of date - seemingly before my pervious commit (35630).
   35640: Fix for ALF-10085 "Adding/removing CMIS Relationship changes last modified date of source object"
   35647: Merged BRANCHES/DEV/DAM/V4.0-BUG-FIX-35588 to BRANCHES/DEV/V4.0-BUG-FIX:
      35589: Creating new branch from $FROM
      35591: Merged BRANCHES/DEV/DAM/V4.0-BUG-FIX-35195 to BRANCHES/DEV/DAM/V4.0-BUG-FIX-35588:
           35196: Creating new branch from $FROM
           35338: ALF-13734: Move Additional DocumentList Methods to DocumentListViewRenderer
                - Moved tooltip to simple viewRenderer
           35340: ALF-13734: Move Additional DocumentList Methods to DocumentListViewRenderer
                - Moved fnRenderCellSelected logic to DocumentListViewRenderer
                - Moved fnRenderCellStatus logic to DocumentListViewRenderer
                - Moved fnRenderCellDescription logic to DocumentListViewRenderer
                - Moved fnRenderCellActions logic to DocumentListViewRenderer
           35346: ALF-13734: Move Additional DocumentList Methods to DocumentListViewRenderer
                - Moved onEventHighlightRow logic to DocumentListViewRenderer
                - Moved onEventUnhighlightRow logic to DocumentListViewRenderer
                - Moved onActionShowMore logic to DocumentListViewRenderer
                - Minor private method renaming
           35427: ALF-13734: Move Additional DocumentList Methods to DocumentListViewRenderer
                - Changed check for display of metadata banners and lines to more explicit bannerView and lineView properties which are set to the viewRenderer's name by default, but can now more easily be overridden
           35503: ALF-13734: Move Additional DocumentList Methods to DocumentListViewRenderer
                - Renamed bannerView property to more specific metadataBannerViewName
                - Renamed lineView property to more specific metadataLineViewName
           35583: ALF-13734: Move Additional DocumentList Methods to DocumentListViewRenderer
                - Added rowClassName property to make finding the row easier in cases where an event trigger element might not be the row itself
                - Added check for expected row element class name in getDataTableRecordIdFromRowElement, if not present trying getAncestorByClassName with rowClassName property
                - Moved onFileRenamed to DocumentListViewRenderer
                - Changed fnActionHandler to use getDataTableRecordIdFromRowElement rather than target.offsetParent
                - Changed onLikes to use getDataTableRecordIdFromRowElement rather than assume the row parameter is the correct element
                - Changed onFavourite to use getDataTableRecordIdFromRowElement rather than assume the row parameter is the correct element
      35610: ALF-13734: Move Additional DocumentList Methods to DocumentListViewRenderer
           - Changed method of grabbing container element in selectFiles to use parentElementIdSuffix from current viewRenderer
   35650: Fix for ALF-13813 SOLR fails for fuzzy queries
   35651: Fix tests for ALF-13813 SOLR fails for fuzzy queries
   More for ALF-13723 SOLR does not include the same query unit tests as lucene
   - added tests for Alfresco fts run via the request handler 
   - fixed fuzzy query tests so far ...
   - report queries that generate errors
   35664: ALF-13294 - CIFS: When versionable aspect is active, using the Microsoft Word for Mac 2008 option "always create a backup copy" leads to document versions loss
   35679: Fix DataList QName hard-codings by pulling out to a proper Model Java Constants Interface
   35689: Add the NameSpace constants for the Links model
   35699: Merged BRANCHES/DEV/CLOUDSYNCLOCAL2 to BRANCHES/DEV/V4.0-BUG-FIX:
      35698: New WebScript to provide the Share View URL for a given NodeRef (based on the Node Type and SysAdminParams)
   35716: Make overriding just the Share URL easier (needed for Cloud installs)
   35741: ALF-13819 Remove description+template for a controller-less webscript that was committed by mistake in v3.4
   35765: Fixed version of junit.jar in build files
   35772: ALF-1994 - Allow user defined white-list of HTML tags for HTML sanitisation process. Spring config added for tags and attributes.
   35781: Fix for MySQL part of ALF-13150: Performance of Purging Empty Transactions (like 10M)
      ALF-13839: MySQL: "Failed to purge txns" from DeletedNodeCleanupWorker
      - Added MySQL override of the NodeDAO for this call with a dedicated DELETE ... JOIN ... for MySQL
   35784: Fix for ALF-13845 SOLR "alfresco" queries are not cached correctly
   35785: More for ALF-13723 SOLR does not include the same query unit tests as lucene
   - duplicated sort and AFTS tests from the lucene sub-system
   - run queries via request handler
   - addded new locale tests for d:text ordering
   35805: ALF-13828 Method name typo, should be getThumbnailDefinitions not getThumbnailDefintions. (Old method retained, @deprecated, for backwards compatibility)
   35806: More debug to setFileInformation
   35836: Fix for ALF-13794 Mismatch in SOLRAPIClient and NodeContentGet webscript causes content of type d:content not to get indexed
   35862: Fix for ALF-13826 Solr CMIS Query After Delete a Node Throws CmisRuntimeException: Node does not exist
   - make appropriate methods aware of node existence....
   35867: ALF-13886 Certain errors may lead to no conn model object being available, so check it is there before using it to render the "Return to folder" link
   35901: ALF-13474 possibility of deleting compleded workflows + explorer ui cancel action fix
   35923: Fix for ALF-13724 Share folder permission management - changes to parent/child folders not accurately reflected
   35936: More for ALF-13723 SOLR does not include the same query unit tests as lucene
   - tests for mltext localised collation
   35944: BufferedContentDiskDriver needs to use deviceName and sessionKey to make it unique rather than userName
   35949: ALF-13755: MT is configured (but not enabled) by default
   - note: also related to THOR-248 (effectively means that r31407 becomes a merge record-only)
   35951: Merged BRANCHES/DEV/THOR1 to BRANCHES/DEV/V4.0-BUG-FIX: 
       34107: record-only (follow on to r35949 - see ALF-13755 / THOR-248)
   35953: ALF-12792 - Creation Date and Modification Date initialization for open files.
   35968: Follow up to fix for ALF-13839: MySQL: "Failed to purge txns" from DeletedNodeCleanupWorker
    - Sanity check highlighted transactional resource block in the database
    - Each cleanup runs its own transactions as required now
    - See also ALF-13150: Performance of Purging Empty Transactions suffers if the number of unused transactions grows too large (like 10M) 
   35970: Merged BRANCHES/DEV/DAM/V4.0-BUG-FIX-35924 to BRANCHES/DEV/V4.0-BUG-FIX:
      35925: Creating new branch from BRANCHES/DEV/V4.0-BUG-FIX
      35966: ALF-13912: Move DocumentList.onHighlightFile UI Logic to DocumentListViewRenderer
           - Moved DocumentList.onHighlightFile logic to DocumentListViewRenderer
           - Added DocumentListViewRenderer.getRowElementFromDataTableRecord and DocumentListViewRenderer.getRowSelectElementFromDataTableRecord
           - Changed onHighlightFile to call those new getRow* methods for easier reuse in view renderer extensions
   35979: ALF-10278, ALF-13902: Ending task now done with the right assignee when unassigned (eg. not claimed from pool) or when workflow-owner completes the task assigned to someone else, without claiming first 
   35981: Fix for ALF-12670 - An exception occurs during creation wiki page
   Changed Wiki title field limit to the 100 char limit imposed by QName which unfortunately is used by the underlying service to store the field title.
   35991: ALF-13901: Incorrect workflow-history gathering/displaying on uncompleted tasks in ended parallel multi-instance activity
   35993: ALF-10278, ALF-13902: Fixed failing test (was not using AuthenticationUtil for test-user)
   36001: BDE-69: create test-minimal and continuous-minimal Ant targets
   36004: Fixes for:
   ALF-12813 - jsonUtils.toJSONString mangles up Associative Arrays
    - Added support for nested Java Map/List to jsonUtils
   ALF-13647 - the first time a ICAL calendar URL is called with kerberos SSO a JSESSIONID cookie is not sent by the client, request fails with a 500 Internal server error
    - Support for "negotiate" HTTP auth header and general improvements to that area
   ALF-13877 - Invalid WebScript URLs cause ERROR-level exception stacks
    - DEBUG only output for "missing" webscripts and invalid API call URLs
   36014: ALF-13844: XSLT Filtering Not 100% Secure
      - added more namespaces to the security filter.
      - verified that include/import uses the security filter.
   36018: ALF-13609: Enterprise installers lay down sample site and users
      -Added feature to SiteLoadPatch to disable loading.
      -Added property "disable.sample.site". Set property (system or otherwise)  disable.sample.site=true to skip loading the sample site on a new installation.
   36031: debug improvement.
   36039: ALF-13779: isPooled() implemented correctly now
   36044: ALF-13770: Merged V3.4-BUG-FIX (3.4.10) to V4.0-BUG-FIX (4.0.2)
      36043: ALF-13769: Merged V3.4.8 (3.4.8.7) to V3.4-BUG-FIX (3.4.10)
         35776: ALF-11535 Home Folder Synchronizer fails when destination folder already exists
            - Don't move home folders that are the same as the provider's root folder or even above it!
              If the same, these tend to be shared folders.
              If above, this indicates that an LDAP sync has corrupted the original provider name and has hence
              changed what we think is the root folder!
   36046: ALF-13745: Merged V3.4-BUG-FIX (3.4.10) to V4.0-BUG-FIX (4.0.2)
      <<< Also added placeholder thumbnails (copies if docx, pptx and xlsx which in turn appear to be copies of the 2003 doc, ppt and xls) >>>
      36041: ALF-13667 Additional OpenOffice mimetypes to be added to the mime-type maps
         - Added mimetypes for docm dotx dotm pptm ppsx ppsm potx potm ppam sldx sldm xltm xlsm xltm xlam xlsb
         - Added transformation limits to avoid very long running tasks.
         - Disable Jod and OpenOffice transformers via PDFBox for new types to txt, as there are better options
           with the exception of potm and xlsb that can only be done by Office.
         - TransformerDebug include max source size in available transformer list
      35958: ALF-13745 Add Support for Microsoft Word File Format DOCM
         << General TransformationOptionLimits change >>
         - Addition of TransformationOptionLimitsMap to make it simpler to add lots of TransformationOptionLimits.
           Only one per line rather than about 10 - Needed for this JIRA as lots of limits are needed
         - Changes to transformerDebug to make it more obvious which transformers are excluded
   36047: Fix for ALF-13925 - UsernamePropertyDecorator incorrectly handles displayName construction
   36048: More for ALF-13723 SOLR does not include the same query unit tests as lucene
   - tests and fixes for internal fields
   36061: Fix remoteapi tests by putting back repository tests before, where they belong
   36064: ALF-13682 'View Process Diagram' not working if auditing is turned on
      - modified Auditable annotation on the getWorkflowImage() method which was returning an InputStream
        so we would not consume the input again.
      - modified AuditMethodInterceptor to ignore any InputStream and OutputStream values. Implemented as a
        list of non aubitable classes. Refactored generation of auditable arguments and return value to a method 
        rather than two almost identical in-line copies.
   36065: ALF-13756: MT - replace Tenant attributes with Tenant table
   - update schema comp files for x5 DBs
   - note: will need to be tested in DB build plans (via schema comp -> when fail on error is enabled)
   36066: ALF-13609: Enterprise installers lay down sample site and users
      -Removed extraneous line of code.
      -Renamed boolean to "disabled" and associated accessors.
      -Added property "sample.site.disabled=false" to repository.properties.
      -To disable loading of the sample site on a new installation, set property (system or otherwise)  "sample.site.disabled=true"
   36080: Merged BRANCHES/DEV/DAM/V4.0-BUG-FIX-36070 to BRANCHES/DEV/V4.0-BUG-FIX:
      36071: Creating new branch from BRANCHES/DEV/V4.0-BUG-FIX
      36079: Merged BRANCHES/DEV/DAM/V4.0-BUG-FIX-35924 to BRANCHES/DEV/DAM/V4.0-BUG-FIX-36070:
           36069: ALF-13935: Move DocumentList Upload Indicators and Instructions to DocumentListViewRenderer
                - Created renderEmptyDataSourceHtml method in DocumentListViewRenderer which contains the view logic previously in _setupDataSource
                - Created _setEmptyDataSourceMessage which actually appends the constructed empty HTML instructions for cases where extensions simply want the same instructions but in a different container
                - Added firing of Bubbling event postSetupViewRenderers at the end of _setupViewRenderers since all viewRenderers now have to be registered before _setupDataSource is called
   36085: More for ALF-13723 SOLR does not include the same query unit tests as lucene
   - internal fields
   - paging
   - security filters
   36089: ALF-11725:	Replication document with comment fails due to integrity exception
      - updated script transfer service.
   36094: ALF-11725 : config change.
   36098: ALF-13719: Javascript addAspect(aspect, properties) does not apply cm:autoVersionOnUpdateProps property value
   36105: SESURF-102: Fix dependency handling when use-checksum-dependencies is not enabled.
   36107: Tweak wiki page create/update logic, to handle clearing the tags when updating a page when all tags are removed (ALF-10979)
   36109: ALF-7874 MimeType definitions for Adobe AfterEffects files
   36110: ALF-7874 Upgrade Tika for improved detection of Adobe Premier and AfterEffects
   36112: ALF-7874 MimeType definition addition for Adobe Premier files
   36133: Merged DEV to V4.0-BUG-FIX
      36130: ALF-13988 : apply_amps script no longer works on Mac OSX
         apply_amps.sh was corrected to resolve "readlink -f" Mac OS problem.
   36135: ALF-12330: Editing of completed task now redirects to referring page (if available) + transition-buttons not rendered on completed tasks
   36141: Merged V3.4-BUG-FIX to V4.0-BUG-FIX
      35641: ALF-13452: Open office startup from Java not working on OSX
      - Fix from Bitrock in combination with new wrapper in BINARIES
      35687: ALF-13520: alfresco.log file ending up in system32 directory
      - Not anymore!
      35736: ALF-13751: Reduce over-agressive traversal of child associations when detecting cyclic groups in LDAP sync
      - Recurse upwards to topmost parent then recurse downwards
      - No need to recurse upwards and downwards on every recursion step!
      35987: Merged DEV to V3.4-BUG-FIX
         35984: ALF-11850 WCM - Incorrect message when copying/cutting assets within a Web Project
            1. In ClipboardBean.addClipboardNode(NodeRef ref, NodeRef parent, ClipboardStatus mode) was added check whether the node in the AVM.
            2. In webclient.properties was added node_added_clipboard_avm property.
      36049: Fix for ALF-9662 To allow admin user to view dashboard of moderated site.
      36050: Fix for ALF-13843 - Content creation silently fails when it's being created with already existent name.
      36054: Fix for ALF-13231 - Message 'Failure' on workflow cancelation
      36055: Fix for ALF-13926 - Intranet compatibility options override share's settings
      36102: Merged BRANCHES/V3.4 to BRANCHES/DEV/V3.4-BUG-FIX
         36097: Fix for ALF-13976 - 404 error handling in Share no longer correctly receives JSON response. OKed by DaveW.
      36103: ALF-13578 : CIFS AlfJLANWorker threads (concurrency) - server not responding
      36137: Merged V3.4 to V3.4-BUG-FIX
         35433: ALF-13021: Folder deletion from Editorial not deleting from Live folder automatically
         - Fix by Valery
         - Needs further work for 4.0.x
         35488: ALF-13718: Full reindex performance on SQL Server
         - ORDER BY on child assoc query changed to only include ID (with Derek's permission)
         - ADMLuceneIndexerImpl altered to not use batch loading in getChildAssocs so as not to blow the transactional caches when reindexing a large hierarchy
         - ADMLuceneIndexerImpl altered so that it only checks for the existence of child associations when 'lazily' creating parent containers
         - ADMLuceneTest corrected (with Andy's permission) so that this doesn't throw the unit test out
         35505: ALF-13718: Corrected ADMLuceneCategoryTest to clear the 'real' index before creating a fake 'test' index
         35809: Merged DEV to V3.4
            35800: ALF-10353 : Internet Explorer hangs when using the object picker with a larger number of documents
               YUI library was modified to use chunked unloading of listeners via a series of setTimeout() functions in event.js for IE 6,7,8.
         36101: ALF-13978: Merged V4.0-BUG-FIX to V3.4
            36014: ALF-13844: XSLT Filtering Not 100% Secure
               - added more namespaces to the security filter.
               - verified that include/import uses the security filter.
         36108: ALF-13978: Fixed compilation errors
         36129: Merged DEV to V3.4
            36123: ALF-13951 : It's impossible to customize dashboard in Alfresco Share
                A yui-2.8.1-patched library contains a fix for ALF-10353.
   36142: Merged V3.4-BUG-FIX to V4.0-BUG-FIX (RECORD ONLY)
      35432: ALF-13762: Merged V4.0-BUG-FIX to V3.4-BUG-FIX
         35366: Fix for ALF-13542 - Notification is not displayed, when you try to create duplicate user.
      35593: Merged BRANCHES/V3.4 to BRANCHES/DEV/V3.4-BUG-FIX:
         35375: Fix for ALF-13711: "Hidden Aspect applied to Mac powerpoint files."
              - re-instated previous hidden aspect behaviour
              - unit tests
              - also fixed cascade behaviour
   36144: Merged V4.0 to V4.0-BUG-FIX
      35918:    31473: -- initial commit for ALF-11027
         -- enables CE / EE deployment of artifacts to a maven repository
         -- added necessary ant build files and build properties. 
         -- also added a README
         31474: -- added .project to svn:ignore
         32534: -- added missing artifacts and fixed wrong ones
         -- added possibility of custom artifacts labeling (by adding -Dmaven.custom.label), e.g. to allow snapshot / release deployments from working branches
         -- TODO: document required ~/.m2/settings.xml
         32582: -- renamed alfresco-datamodel to alfresco-data-model
         -- fixed release/snapshot and custom version labeling
         -- tested with Community, enterprise build undergoing (removed distribute-extras as pre-requisite)
         32610: -- tested enterprise only deployment 
         -- removed tabs 
         -- fixed property placeholding
         -- tested all artifacts
         32611: -- added maven-ant-tasks library to automatically load ant maven tasks without dependencies on the ant installation
         -- added typedef in the main maven.xml
         35250: -- reworking on ALF-11027 to enable automated deployment of artifacts to the Maven repo
         -- following conversations with DaveW implemented the following:
            - removed classifier (just rely on different groupId, org.alfresco for Community and org.alfresco.enterprise for Enterprise)
            - Added debugging lines to make sure proper repo / groupId configuration is picked up
            - enabled SNAPSHOT/RELEASE deployment for both community and enterprise
         -- updated README-maven-deploy.txt with all instructions on how to run the build
         35388: -- added references to Maven settings.xml in the BINARIES as discussed with DaveW
         35648: [ALF-11027] Since artifact:mvn does not support settingsFile attribute, switching to embedded command line -gs parameter to specify a custom settings.xml location
         35649: [ALF-11027] Since artifact:mvn does not support settingsFile attribute, switching to embedded command line -gs parameter to specify a custom settings.xml location
         35652: [ALF-11027] artifact:mvn uses an older Maven version which command line switch is -s instead of -gs
         35775: [ALF-11027] Removed DoD and Kofax deployment from enteprise deployment procedure
         35783: [ALF-11027] removing custom README and added documentation in line of the tw maven.xml files
         35793: Fix comment syntax: no -- allowed there
         35802: [ALF-11027] Removed calls to DoD targets 
         35810: [ALF-11027] Introducing a maven-build-deploy goal to build and deploy at once, maven-deploy now "just does the job
         35822: [ALF-11027] Moved the maven setup steps to a maven-env-prerequisites separate target, so it gets executed earlier and defines the task
         35851: [ALF-11027] Move targets around to fix the regular, non-continuous build
         35894: [ALF-11027] Add maven.do.deploy variable, to control maven deployment from bamboo using parameterised plan
         35896: [ALF-11027] Using Bamboo Plan Variables properly
         35899: [ALF-11027] Use Bamboo variable to specify release vs snapshot rather than deployment or not 
         35905: [ALF-11027] Upload source and javadoc jars into Maven repo as well
         35912: Upgrade maven-deploy-plugin to 2.7, to be able to deploy Javadoc and Source jars as well
      35950: ALF-11027: Fix typo in jlan-embed deployment, removed svn revision from version, removed deployment of jmx-dumper
   36145: Merged V4.0 to V4.0-BUG-FIX (RECORD ONLY)
      34612: Merged V4.0-BUG-FIX to V4.0
         ALF-12740: Update to previous fix (only apply to IE8 and below)
      34618: Merged V4.0-BUG-FIX to V4.0
         34474: ALF-13169 Tomcat fails to shutdown
            - fix non daemon Timers
      34637: Merged BRANCHES/DEV/V4.0-BUG-FIX to BRANCHES/V4.0     (4.0.1)
          34636: Fix for ALF-13365 SOLR: Recently modified docs dashlet sorts incorrectly
      34690: MERGE V4.0_BUG-FIX to V4.0
        34226 : ALF-12780  Mac OS X Lion 10.7.2: Editing a document via CIFS and TextEdit removes versionable aspect from this file
      34716: Merged V4.0-BUG-FIX to V4.0
         34715: Fix for __ShowDetails desktop action returned URL is truncated if hostname too long. ALF-13202.


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@36155 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2012-05-08 12:07:00 +00:00

1698 lines
80 KiB
Java
Raw Blame History

/*
* Copyright (C) 2005-2011 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.security.sync;
import java.io.Serializable;
import java.text.DateFormat;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.batch.BatchProcessor;
import org.alfresco.repo.batch.BatchProcessor.BatchProcessWorker;
import org.alfresco.repo.lock.JobLockService;
import org.alfresco.repo.lock.LockAcquisitionException;
import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.management.subsystems.ChildApplicationContextManager;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.security.authority.UnknownAuthorityException;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
import org.alfresco.repo.transaction.RetryingTransactionHelper;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport.TxnReadState;
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
import org.alfresco.service.cmr.attributes.AttributeService;
import org.alfresco.service.cmr.repository.InvalidNodeRefException;
import org.alfresco.service.cmr.rule.RuleService;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
import org.alfresco.service.transaction.TransactionService;
import org.alfresco.util.PropertyMap;
import org.alfresco.util.TraceableThreadFactory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.dao.ConcurrencyFailureException;
import org.springframework.extensions.surf.util.AbstractLifecycleBean;
/**
* A <code>ChainingUserRegistrySynchronizer</code> is responsible for synchronizing Alfresco's local user (person) and
* group (authority) information with the external subsystems in the authentication chain (most typically LDAP
* directories). When the {@link #synchronize(boolean)} method is called, it visits each {@link UserRegistry} bean in
* the 'chain' of application contexts, managed by a {@link ChildApplicationContextManager}, and compares its
* timestamped user and group information with the local users and groups last retrieved from the same source. Any
* updates and additions made to those users and groups are applied to the local copies. The ordering of each
* {@link UserRegistry} in the chain determines its precedence when it comes to user and group name collisions. The
* {@link JobLockService} is used to ensure that in a cluster, no two nodes actually run a synchronize at the same time.
* <p>
* The <code>force</code> argument determines whether a complete or partial set of information is queried from the
* {@link UserRegistry}. When <code>true</code> then <i>all</i> users and groups are queried. With this complete set of
* information, the synchronizer is able to identify which users and groups have been deleted, so it will delete users
* and groups as well as update and create them. Since processing all users and groups may be fairly time consuming, it
* is recommended this mode is only used by a background scheduled synchronization job. When the argument is
* <code>false</code> then only those users and groups modified since the most recent modification date of all the
* objects last queried from the same {@link UserRegistry} are retrieved. In this mode, local users and groups are
* created and updated, but not deleted (except where a name collision with a lower priority {@link UserRegistry} is
* detected). This 'differential' mode is much faster, and by default is triggered on subsystem startup and also by
* {@link #createMissingPerson(String)} when a user is successfully authenticated who doesn't yet have a local person
* object in Alfresco. This should mean that new users and their group information are pulled over from LDAP servers as
* and when required.
*
* @author dward
*/
public class ChainingUserRegistrySynchronizer extends AbstractLifecycleBean implements UserRegistrySynchronizer,
ApplicationEventPublisherAware
{
/** The logger. */
private static final Log logger = LogFactory.getLog(ChainingUserRegistrySynchronizer.class);
/** The name of the lock used to ensure that a synchronize does not run on more than one node at the same time. */
private static final QName LOCK_QNAME = QName.createQName(NamespaceService.SYSTEM_MODEL_1_0_URI,
"ChainingUserRegistrySynchronizer");
/** The time this lock will persist for in the database (now only 2 minutes but refreshed at regular intervals). */
private static final long LOCK_TTL = 1000 * 60 * 2;
/** The path in the attribute service below which we persist attributes. */
public static final String ROOT_ATTRIBUTE_PATH = ".ChainingUserRegistrySynchronizer";
/** The label under which the last group modification timestamp is stored for each zone. */
private static final String GROUP_LAST_MODIFIED_ATTRIBUTE = "GROUP";
/** The label under which the last user modification timestamp is stored for each zone. */
private static final String PERSON_LAST_MODIFIED_ATTRIBUTE = "PERSON";
/** The manager for the autentication chain to be traversed. */
private ChildApplicationContextManager applicationContextManager;
/** The name used to look up a {@link UserRegistry} bean in each child application context. */
private String sourceBeanName;
/** The authority service. */
private AuthorityService authorityService;
/** The person service. */
private PersonService personService;
/** The attribute service. */
private AttributeService attributeService;
/** The transaction service. */
private TransactionService transactionService;
/** The rule service. */
private RuleService ruleService;
/** The job lock service. */
private JobLockService jobLockService;
/** The application event publisher. */
private ApplicationEventPublisher applicationEventPublisher;
/** Should we trigger a differential sync when missing people log in?. */
private boolean syncWhenMissingPeopleLogIn = true;
/** Should we trigger a differential sync on startup?. */
private boolean syncOnStartup = true;
/** Should we auto create a missing person on log in?. */
private boolean autoCreatePeopleOnLogin = true;
/** The number of entries to process before reporting progress. */
private int loggingInterval = 100;
/** The number of worker threads. */
private int workerThreads = 2;
/**
* Sets the application context manager.
*
* @param applicationContextManager
* the applicationContextManager to set
*/
public void setApplicationContextManager(ChildApplicationContextManager applicationContextManager)
{
this.applicationContextManager = applicationContextManager;
}
/**
* Sets the name used to look up a {@link UserRegistry} bean in each child application context.
*
* @param sourceBeanName
* the bean name
*/
public void setSourceBeanName(String sourceBeanName)
{
this.sourceBeanName = sourceBeanName;
}
/**
* Sets the authority service.
*
* @param authorityService
* the new authority service
*/
public void setAuthorityService(AuthorityService authorityService)
{
this.authorityService = authorityService;
}
/**
* Sets the person service.
*
* @param personService
* the new person service
*/
public void setPersonService(PersonService personService)
{
this.personService = personService;
}
/**
* Sets the attribute service.
*
* @param attributeService
* the new attribute service
*/
public void setAttributeService(AttributeService attributeService)
{
this.attributeService = attributeService;
}
/**
* Sets the transaction service.
*
* @param transactionService
* the transaction service
*/
public void setTransactionService(TransactionService transactionService)
{
this.transactionService = transactionService;
}
/**
* Sets the rule service.
*
* @param ruleService
* the new rule service
*/
public void setRuleService(RuleService ruleService)
{
this.ruleService = ruleService;
}
/**
* Sets the job lock service.
*
* @param jobLockService
* the job lock service
*/
public void setJobLockService(JobLockService jobLockService)
{
this.jobLockService = jobLockService;
}
/*
* (non-Javadoc)
* @see
* org.springframework.context.ApplicationEventPublisherAware#setApplicationEventPublisher(org.springframework.context
* .ApplicationEventPublisher)
*/
public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher)
{
this.applicationEventPublisher = applicationEventPublisher;
}
/**
* Controls whether we auto create a missing person on log in.
*
* @param autoCreatePeopleOnLogin
* <code>true</code> if we should auto create a missing person on log in
*/
public void setAutoCreatePeopleOnLogin(boolean autoCreatePeopleOnLogin)
{
this.autoCreatePeopleOnLogin = autoCreatePeopleOnLogin;
}
/**
* Controls whether we trigger a differential sync when missing people log in.
*
* @param syncWhenMissingPeopleLogIn
* <codetrue</code> if we should trigger a sync when missing people log in
*/
public void setSyncWhenMissingPeopleLogIn(boolean syncWhenMissingPeopleLogIn)
{
this.syncWhenMissingPeopleLogIn = syncWhenMissingPeopleLogIn;
}
/**
* Controls whether we trigger a differential sync when the subsystem starts up.
*
* @param syncOnStartup
* <codetrue</code> if we should trigger a sync on startup
*/
public void setSyncOnStartup(boolean syncOnStartup)
{
this.syncOnStartup = syncOnStartup;
}
/**
* Sets the number of entries to process before reporting progress.
*
* @param loggingInterval
* the number of entries to process before reporting progress or zero to disable progress reporting.
*/
public void setLoggingInterval(int loggingInterval)
{
this.loggingInterval = loggingInterval;
}
/**
* Sets the number of worker threads.
*
* @param workerThreads
* the number of worker threads
*/
public void setWorkerThreads(int workerThreads)
{
this.workerThreads = workerThreads;
}
/*
* (non-Javadoc)
* @see org.alfresco.repo.security.sync.UserRegistrySynchronizer#synchronize(boolean, boolean, boolean)
*/
public void synchronize(boolean forceUpdate, boolean allowDeletions, final boolean splitTxns)
{
// Don't proceed with the sync if the repository is read only
if (this.transactionService.isReadOnly())
{
ChainingUserRegistrySynchronizer.logger
.warn("Unable to proceed with user registry synchronization. Repository is read only.");
return;
}
// Create a background executor that will refresh our lock. This means we can request a lock with a relatively
// small persistence time and not worry about it lasting after server restarts. Note we use an independent
// executor because this is a compound operation that spans accross multiple batch processors.
String lockToken = null;
TraceableThreadFactory threadFactory = new TraceableThreadFactory();
threadFactory.setNamePrefix("ChainingUserRegistrySynchronizer lock refresh");
threadFactory.setThreadDaemon(true);
ScheduledExecutorService lockRefresher = new ScheduledThreadPoolExecutor(1, threadFactory);
// Let's ensure all exceptions get logged
try
{
// First, try to obtain a lock to ensure we are the only node trying to run this job
try
{
if (splitTxns)
{
// If this is an automated sync on startup or scheduled sync, don't even wait around for the lock.
// Assume the sync will be completed on another node.
lockToken = this.transactionService.getRetryingTransactionHelper().doInTransaction(
new RetryingTransactionCallback<String>()
{
public String execute() throws Throwable
{
return ChainingUserRegistrySynchronizer.this.jobLockService.getLock(
ChainingUserRegistrySynchronizer.LOCK_QNAME,
ChainingUserRegistrySynchronizer.LOCK_TTL, 0, 1);
}
}, false, splitTxns);
}
else
{
// If this is a login-triggered sync, give it a few retries before giving up
lockToken = this.jobLockService.getLock(ChainingUserRegistrySynchronizer.LOCK_QNAME,
ChainingUserRegistrySynchronizer.LOCK_TTL, 3000, 10);
}
}
catch (LockAcquisitionException e)
{
// Don't proceed with the sync if it is running on another node
ChainingUserRegistrySynchronizer.logger
.warn("User registry synchronization already running in another thread. Synchronize aborted");
return;
}
// Schedule the lock refresh to run at regular intervals
final String token = lockToken;
lockRefresher.scheduleAtFixedRate(new Runnable()
{
public void run()
{
ChainingUserRegistrySynchronizer.this.transactionService.getRetryingTransactionHelper()
.doInTransaction(new RetryingTransactionCallback<Object>()
{
public Object execute() throws Throwable
{
ChainingUserRegistrySynchronizer.this.jobLockService.refreshLock(token,
ChainingUserRegistrySynchronizer.LOCK_QNAME,
ChainingUserRegistrySynchronizer.LOCK_TTL);
return null;
}
}, false, splitTxns);
}
}, ChainingUserRegistrySynchronizer.LOCK_TTL / 2, ChainingUserRegistrySynchronizer.LOCK_TTL / 2,
TimeUnit.MILLISECONDS);
Set<String> visitedZoneIds = new TreeSet<String>();
Collection<String> instanceIds = this.applicationContextManager.getInstanceIds();
// Work out the set of all zone IDs in the authentication chain so that we can decide which users / groups
// need 're-zoning'
Set<String> allZoneIds = new TreeSet<String>();
for (String id : instanceIds)
{
allZoneIds.add(AuthorityService.ZONE_AUTH_EXT_PREFIX + id);
}
for (String id : instanceIds)
{
ApplicationContext context = this.applicationContextManager.getApplicationContext(id);
try
{
UserRegistry plugin = (UserRegistry) context.getBean(this.sourceBeanName);
if (!(plugin instanceof ActivateableBean) || ((ActivateableBean) plugin).isActive())
{
if (ChainingUserRegistrySynchronizer.logger.isInfoEnabled())
{
ChainingUserRegistrySynchronizer.logger
.info("Synchronizing users and groups with user registry '" + id + "'");
}
if (allowDeletions && ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
{
ChainingUserRegistrySynchronizer.logger
.warn("Full synchronization with user registry '"
+ id
+ "'; some users and groups previously created by synchronization with this user registry may be removed.");
}
// Work out whether we should do the work in a separate transaction (it's most performant if we
// bunch it into small transactions, but if we are doing a sync on login, it has to be the same
// transaction)
boolean requiresNew = splitTxns
|| AlfrescoTransactionSupport.getTransactionReadState() == TxnReadState.TXN_READ_ONLY;
syncWithPlugin(id, plugin, forceUpdate, allowDeletions, requiresNew, visitedZoneIds, allZoneIds);
}
}
catch (NoSuchBeanDefinitionException e)
{
// Ignore and continue
}
}
}
catch (RuntimeException e)
{
ChainingUserRegistrySynchronizer.logger.error("Synchronization aborted due to error", e);
throw e;
}
// Release the lock if necessary
finally
{
if (lockToken != null)
{
// Cancel the lock refresher
// Because we may hit a perfect storm when trying to interrupt workers in their unsynchronized getTask()
// method we can't wait indefinitely and may have to retry the shutdown
int trys = 0;
do
{
lockRefresher.shutdown();
try
{
lockRefresher
.awaitTermination(ChainingUserRegistrySynchronizer.LOCK_TTL, TimeUnit.MILLISECONDS);
}
catch (InterruptedException e)
{
}
}
while (!lockRefresher.isTerminated() && trys++ < 3);
if (!lockRefresher.isTerminated())
{
lockRefresher.shutdownNow();
ChainingUserRegistrySynchronizer.logger.error("Failed to shut down lock refresher");
}
final String token = lockToken;
this.transactionService.getRetryingTransactionHelper().doInTransaction(
new RetryingTransactionCallback<Object>()
{
public Object execute() throws Throwable
{
ChainingUserRegistrySynchronizer.this.jobLockService.releaseLock(token,
ChainingUserRegistrySynchronizer.LOCK_QNAME);
return null;
}
}, false, splitTxns);
}
}
}
/*
* (non-Javadoc)
* @see org.alfresco.repo.security.sync.UserRegistrySynchronizer#getPersonMappedProperties(java.lang.String)
*/
public Set<QName> getPersonMappedProperties(String username)
{
Set<String> authorityZones = this.authorityService.getAuthorityZones(username);
if (authorityZones == null)
{
return Collections.emptySet();
}
Collection<String> instanceIds = this.applicationContextManager.getInstanceIds();
// Visit the user registries in priority order and return the person mapping of the first registry that matches
// one of the person's zones
for (String id : instanceIds)
{
String zoneId = AuthorityService.ZONE_AUTH_EXT_PREFIX + id;
if (!authorityZones.contains(zoneId))
{
continue;
}
ApplicationContext context = this.applicationContextManager.getApplicationContext(id);
try
{
UserRegistry plugin = (UserRegistry) context.getBean(this.sourceBeanName);
if (!(plugin instanceof ActivateableBean) || ((ActivateableBean) plugin).isActive())
{
return plugin.getPersonMappedProperties();
}
}
catch (NoSuchBeanDefinitionException e)
{
// Ignore and continue
}
}
return Collections.emptySet();
}
/*
* (non-Javadoc)
* @see org.alfresco.repo.security.sync.UserRegistrySynchronizer#createMissingPerson(java.lang.String)
*/
public boolean createMissingPerson(String userName)
{
// synchronize or auto-create the missing person if we are allowed
if (userName != null && !userName.equals(AuthenticationUtil.getSystemUserName()))
{
if (this.syncWhenMissingPeopleLogIn)
{
try
{
synchronize(false, false, false);
}
catch (Exception e)
{
// We don't want to fail the whole login if we can help it
ChainingUserRegistrySynchronizer.logger.warn(
"User authenticated but failed to sync with user registry", e);
}
if (this.personService.personExists(userName))
{
return true;
}
}
if (this.autoCreatePeopleOnLogin && this.personService.createMissingPeople())
{
AuthorityType authorityType = AuthorityType.getAuthorityType(userName);
if (authorityType == AuthorityType.USER)
{
this.personService.getPerson(userName);
return true;
}
}
}
return false;
}
/**
* Synchronizes local groups and users with a {@link UserRegistry} for a particular zone, optionally handling
* deletions.
*
* @param zone
* the zone id. This identifier is used to tag all created groups and users, so that in the future we can
* tell those that have been deleted from the registry.
* @param userRegistry
* the user registry for the zone.
* @param forceUpdate
* Should the complete set of users and groups be updated / created locally or just those known to have
* changed since the last sync? When <code>true</code> then <i>all</i> users and groups are queried from
* the user registry and updated locally. When <code>false</code> then each source is only queried for
* those users and groups modified since the most recent modification date of all the objects last
* queried from that same source.
* @param allowDeletions
* Should a complete set of user and group IDs be queried from the user registries in order to determine
* deletions? This parameter is independent of <code>force</code> as a separate query is run to process
* updates.
* @param splitTxns
* Can the modifications to Alfresco be split across multiple transactions for maximum performance? If
* <code>true</code>, users and groups are created/updated in batches for increased performance. If
* <code>false</code>, all users and groups are processed in the current transaction. This is required if
* calling synchronously (e.g. in response to an authentication event in the same transaction).
* @param visitedZoneIds
* the set of zone ids already processed. These zones have precedence over the current zone when it comes
* to group name 'collisions'. If a user or group is queried that already exists locally but is tagged
* with one of the zones in this set, then it will be ignored as this zone has lower priority.
* @param allZoneIds
* the set of all zone ids in the authentication chain. Helps us work out whether the zone information
* recorded against a user or group is invalid for the current authentication chain and whether the user
* or group needs to be 're-zoned'.
*/
private void syncWithPlugin(final String zone, UserRegistry userRegistry, boolean forceUpdate,
boolean allowDeletions, boolean splitTxns, final Set<String> visitedZoneIds, final Set<String> allZoneIds)
{
// Create a prefixed zone ID for use with the authority service
final String zoneId = AuthorityService.ZONE_AUTH_EXT_PREFIX + zone;
// The set of zones we associate with new objects (default plus registry specific)
final Set<String> zoneSet = getZones(zoneId);
long lastModifiedMillis = forceUpdate ? -1 : getMostRecentUpdateTime(
ChainingUserRegistrySynchronizer.GROUP_LAST_MODIFIED_ATTRIBUTE, zoneId, splitTxns);
Date lastModified = lastModifiedMillis == -1 ? null : new Date(lastModifiedMillis);
if (ChainingUserRegistrySynchronizer.logger.isInfoEnabled())
{
if (lastModified == null)
{
ChainingUserRegistrySynchronizer.logger.info("Retrieving all groups from user registry '" + zone + "'");
}
else
{
ChainingUserRegistrySynchronizer.logger.info("Retrieving groups changed since "
+ DateFormat.getDateTimeInstance().format(lastModified) + " from user registry '" + zone + "'");
}
}
// First, analyze the group structure. Create maps of authorities to their parents for associations to create
// and delete. Also deal with 'overlaps' with other zones in the authentication chain.
final BatchProcessor<NodeDescription> groupProcessor = new BatchProcessor<NodeDescription>(zone
+ " Group Analysis", this.transactionService.getRetryingTransactionHelper(), userRegistry
.getGroups(lastModified), this.workerThreads, 20, this.applicationEventPublisher,
ChainingUserRegistrySynchronizer.logger, this.loggingInterval);
class Analyzer extends BaseBatchProcessWorker<NodeDescription>
{
private final Map<String, String> groupsToCreate = new TreeMap<String, String>();
private final Map<String, Set<String>> personParentAssocsToCreate = newPersonMap();
private final Map<String, Set<String>> personParentAssocsToDelete = newPersonMap();
private Map<String, Set<String>> groupParentAssocsToCreate = new TreeMap<String, Set<String>>();
private final Map<String, Set<String>> groupParentAssocsToDelete = new TreeMap<String, Set<String>>();
private final Map<String, Set<String>> finalGroupChildAssocs = new TreeMap<String, Set<String>>();
private List<String> personsProcessed = new LinkedList<String>();
private Set<String> allZonePersons = Collections.emptySet();
private Set<String> deletionCandidates;
private long latestTime;
public Analyzer(final long latestTime)
{
this.latestTime = latestTime;
}
public long getLatestTime()
{
return this.latestTime;
}
public Set<String> getDeletionCandidates()
{
return this.deletionCandidates;
}
public String getIdentifier(NodeDescription entry)
{
return entry.getSourceId();
}
public void process(NodeDescription group) throws Throwable
{
PropertyMap groupProperties = group.getProperties();
String groupName = (String) groupProperties.get(ContentModel.PROP_AUTHORITY_NAME);
String groupShortName = ChainingUserRegistrySynchronizer.this.authorityService.getShortName(groupName);
Set<String> groupZones = ChainingUserRegistrySynchronizer.this.authorityService
.getAuthorityZones(groupName);
if (groupZones == null)
{
// The group did not exist at all
updateGroup(group, false);
}
else
{
// Check whether the group is in any of the authentication chain zones
Set<String> intersection = new TreeSet<String>(groupZones);
intersection.retainAll(allZoneIds);
if (intersection.isEmpty())
{
// The group exists, but not in a zone that's in the authentication chain. May be due to
// upgrade or zone changes. Let's re-zone them
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
{
ChainingUserRegistrySynchronizer.logger.warn("Updating group '" + groupShortName
+ "'. This group will in future be assumed to originate from user registry '"
+ zone + "'.");
}
ChainingUserRegistrySynchronizer.this.authorityService.removeAuthorityFromZones(groupName,
groupZones);
ChainingUserRegistrySynchronizer.this.authorityService.addAuthorityToZones(groupName, zoneSet);
}
if (groupZones.contains(zoneId) || intersection.isEmpty())
{
// The group already existed in this zone or no valid zone: update the group
updateGroup(group, true);
}
else
{
// Check whether the group is in any of the higher priority authentication chain zones
intersection.retainAll(visitedZoneIds);
if (!intersection.isEmpty())
{
// A group that exists in a different zone with higher precedence
return;
}
// The group existed, but in a zone with lower precedence
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
{
ChainingUserRegistrySynchronizer.logger
.warn("Recreating occluded group '"
+ groupShortName
+ "'. This group was previously created through synchronization with a lower priority user registry.");
}
ChainingUserRegistrySynchronizer.this.authorityService.deleteAuthority(groupName);
// create the group
updateGroup(group, false);
}
}
synchronized (this)
{
// Maintain the last modified date
Date groupLastModified = group.getLastModified();
if (groupLastModified != null)
{
this.latestTime = Math.max(this.latestTime, groupLastModified.getTime());
}
}
}
// Recursively walks and caches the authorities relating to and from this group so that we can later detect potential cycles
private Set<String> getContainedAuthorities(String groupName)
{
// Return the cached children if it is processed
Set<String> children = this.finalGroupChildAssocs.get(groupName);
if (children != null)
{
return children;
}
// First, recurse to the parent most authorities
for (String parent : ChainingUserRegistrySynchronizer.this.authorityService.getContainingAuthorities(
null, groupName, true))
{
getContainedAuthorities(parent);
}
// Now descend on unprocessed parents.
return cacheContainedAuthorities(groupName);
}
private Set<String> cacheContainedAuthorities(String groupName)
{
// Return the cached children if it is processed
Set<String> children = this.finalGroupChildAssocs.get(groupName);
if (children != null)
{
return children;
}
// Descend on unprocessed parents.
children = ChainingUserRegistrySynchronizer.this.authorityService.getContainedAuthorities(null,
groupName, true);
this.finalGroupChildAssocs.put(groupName, children);
for (String child : children)
{
if (AuthorityType.getAuthorityType(child) != AuthorityType.USER)
{
cacheContainedAuthorities(child);
}
}
return children;
}
private synchronized void updateGroup(NodeDescription group, boolean existed)
{
PropertyMap groupProperties = group.getProperties();
String groupName = (String) groupProperties.get(ContentModel.PROP_AUTHORITY_NAME);
String groupDisplayName = (String) groupProperties.get(ContentModel.PROP_AUTHORITY_DISPLAY_NAME);
if (groupDisplayName == null)
{
groupDisplayName = ChainingUserRegistrySynchronizer.this.authorityService.getShortName(groupName);
}
// Divide the child associations into person and group associations, dealing with case sensitivity
Set<String> newChildPersons = newPersonSet();
Set<String> newChildGroups = new TreeSet<String>();
for (String child : group.getChildAssociations())
{
if (AuthorityType.getAuthorityType(child) == AuthorityType.USER)
{
newChildPersons.add(child);
}
else
{
newChildGroups.add(child);
}
}
// Account for differences if already existing
if (existed)
{
// Update the display name now
ChainingUserRegistrySynchronizer.this.authorityService.setAuthorityDisplayName(groupName,
groupDisplayName);
// Work out the association differences
for (String child : new TreeSet<String>(getContainedAuthorities(groupName)))
{
if (AuthorityType.getAuthorityType(child) == AuthorityType.USER)
{
if (!newChildPersons.remove(child))
{
// Make sure each person with association changes features as a key in the creation map
recordParentAssociationCreation(child, null);
recordParentAssociationDeletion(child, groupName);
}
}
else
{
if (!newChildGroups.remove(child))
{
recordParentAssociationDeletion(child, groupName);
}
}
}
}
// Mark as created if new
else
{
// Make sure each group to be created features in the association deletion map (as these are handled in the same phase)
recordParentAssociationDeletion(groupName, null);
this.groupsToCreate.put(groupName, groupDisplayName);
}
// Create new associations
for (String child : newChildPersons)
{
recordParentAssociationCreation(child, groupName);
}
for (String child : newChildGroups)
{
recordParentAssociationCreation(child, groupName);
}
}
private void recordParentAssociationDeletion(String child, String parent)
{
Map<String, Set<String>> parentAssocs;
if (AuthorityType.getAuthorityType(child) == AuthorityType.USER)
{
parentAssocs = this.personParentAssocsToDelete;
}
else
{
// Reflect the change in the map of final group associations (for cycle detection later)
parentAssocs = this.groupParentAssocsToDelete;
if (parent != null)
{
Set<String> children = this.finalGroupChildAssocs.get(parent);
children.remove(child);
}
}
Set<String> parents = parentAssocs.get(child);
if (parents == null)
{
parents = new TreeSet<String>();
parentAssocs.put(child, parents);
}
if (parent != null)
{
parents.add(parent);
}
}
private void recordParentAssociationCreation(String child, String parent)
{
Map<String, Set<String>> parentAssocs = AuthorityType.getAuthorityType(child) == AuthorityType.USER ? this.personParentAssocsToCreate : this.groupParentAssocsToCreate;
Set<String> parents = parentAssocs.get(child);
if (parents == null)
{
parents = new TreeSet<String>();
parentAssocs.put(child, parents);
}
if (parent != null)
{
parents.add(parent);
}
}
private void validateGroupParentAssocsToCreate()
{
Iterator<Map.Entry<String, Set<String>>> i = this.groupParentAssocsToCreate.entrySet().iterator();
while (i.hasNext())
{
Map.Entry<String, Set<String>> entry = i.next();
String group = entry.getKey();
Set<String> parents = entry.getValue();
Deque<String> visited = new LinkedList<String>();
Iterator<String> j = parents.iterator();
while (j.hasNext())
{
String parent = j.next();
visited.add(parent);
if (validateAuthorityChildren(visited, group))
{
// The association validated - commit it
Set<String> children = finalGroupChildAssocs.get(parent);
if (children == null)
{
children = new TreeSet<String>();
finalGroupChildAssocs.put(parent, children);
}
children.add(group);
}
else
{
// The association did not validate - prune it out
if (logger.isWarnEnabled())
{
ChainingUserRegistrySynchronizer.logger.warn("Not adding group '"
+ ChainingUserRegistrySynchronizer.this.authorityService.getShortName(group)
+ "' to group '"
+ ChainingUserRegistrySynchronizer.this.authorityService.getShortName(parent)
+ "' as this creates a cyclic relationship");
}
j.remove();
}
visited.removeLast();
}
if (parents.isEmpty())
{
i.remove();
}
}
// Sort the group associations in parent-first order (root groups first) to minimize reindexing overhead
Map<String, Set<String>> sortedGroupAssociations = new LinkedHashMap<String, Set<String>>(
this.groupParentAssocsToCreate.size() * 2);
Deque<String> visited = new LinkedList<String>();
for (String authority : this.groupParentAssocsToCreate.keySet())
{
visitGroupParentAssocs(visited, authority, this.groupParentAssocsToCreate, sortedGroupAssociations);
}
this.groupParentAssocsToCreate = sortedGroupAssociations;
}
private boolean validateAuthorityChildren(Deque<String> visited, String authority)
{
if (AuthorityType.getAuthorityType(authority) == AuthorityType.USER)
{
return true;
}
if (visited.contains(authority))
{
return false;
}
visited.add(authority);
try
{
Set<String> children = this.finalGroupChildAssocs.get(authority);
if (children != null)
{
for (String child : children)
{
if (!validateAuthorityChildren(visited, child))
{
return false;
}
}
}
return true;
}
finally
{
visited.removeLast();
}
}
/**
* Visits the given authority by recursively visiting its parents in associationsOld and then adding the
* authority to associationsNew. Used to sort associationsOld into 'parent-first' order to minimize
* reindexing overhead.
*
* @param visited
* The ancestors that form the path to the authority to visit. Allows detection of cyclic child
* associations.
* @param authority
* the authority to visit
* @param associationsOld
* the association map to sort
* @param associationsNew
* the association map to add to in parent-first order
*/
private boolean visitGroupParentAssocs(Deque<String> visited, String authority,
Map<String, Set<String>> associationsOld, Map<String, Set<String>> associationsNew)
{
if (visited.contains(authority))
{
// Prevent cyclic paths (Shouldn't happen as we've already validated)
return false;
}
visited.add(authority);
try
{
if (!associationsNew.containsKey(authority))
{
Set<String> oldParents = associationsOld.get(authority);
if (oldParents != null)
{
Set<String> newParents = new TreeSet<String>();
for (String parent: oldParents)
{
if (visitGroupParentAssocs(visited, parent, associationsOld, associationsNew))
{
newParents.add(parent);
}
}
associationsNew.put(authority, newParents);
}
}
return true;
}
finally
{
visited.removeLast();
}
}
private Set<String> newPersonSet()
{
return ChainingUserRegistrySynchronizer.this.personService.getUserNamesAreCaseSensitive() ? new TreeSet<String>()
: new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
}
private Map<String, Set<String>> newPersonMap()
{
return ChainingUserRegistrySynchronizer.this.personService.getUserNamesAreCaseSensitive() ? new TreeMap<String, Set<String>>()
: new TreeMap<String, Set<String>>(String.CASE_INSENSITIVE_ORDER);
}
private void logRetainParentAssociations(Map<String, Set<String>> parentAssocs, Set<String> toRetain)
{
Iterator<Map.Entry<String, Set<String>>> i = parentAssocs.entrySet().iterator();
StringBuilder groupList = null;
while (i.hasNext())
{
Map.Entry<String, Set<String>> entry = i.next();
String child = entry.getKey();
if (!toRetain.contains(child))
{
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
{
if (groupList == null)
{
groupList = new StringBuilder(1024);
}
else
{
groupList.setLength(0);
}
for (String parent : entry.getValue())
{
if (groupList.length() > 0)
{
groupList.append(", ");
}
groupList.append('\'').append(
ChainingUserRegistrySynchronizer.this.authorityService.getShortName(parent))
.append('\'');
}
ChainingUserRegistrySynchronizer.logger.debug("Ignoring non-existent member '"
+ ChainingUserRegistrySynchronizer.this.authorityService.getShortName(child)
+ "' in groups {" + groupList.toString() + "}");
}
i.remove();
}
}
}
public void processGroups(UserRegistry userRegistry, boolean allowDeletions, boolean splitTxns)
{
// If we got back some groups, we have to cross reference them with the set of known authorities
if (allowDeletions || !this.groupParentAssocsToCreate.isEmpty()
|| !this.personParentAssocsToCreate.isEmpty())
{
final Set<String> allZonePersons = newPersonSet();
final Set<String> allZoneGroups = new TreeSet<String>();
// Add in current set of known authorities
ChainingUserRegistrySynchronizer.this.transactionService.getRetryingTransactionHelper()
.doInTransaction(new RetryingTransactionCallback<Void>()
{
public Void execute() throws Throwable
{
allZonePersons.addAll(ChainingUserRegistrySynchronizer.this.authorityService
.getAllAuthoritiesInZone(zoneId, AuthorityType.USER));
allZoneGroups.addAll(ChainingUserRegistrySynchronizer.this.authorityService
.getAllAuthoritiesInZone(zoneId, AuthorityType.GROUP));
return null;
}
}, true, splitTxns);
final Set<String> personDeletionCandidates = newPersonSet();
personDeletionCandidates.addAll(allZonePersons);
final Set<String> groupDeletionCandidates = new TreeSet<String>();
groupDeletionCandidates.addAll(allZoneGroups);
allZoneGroups.addAll(this.groupsToCreate.keySet());
// Prune our set of authorities according to deletions
if (allowDeletions)
{
for (String person : userRegistry.getPersonNames())
{
personDeletionCandidates.remove(person);
}
for (String group : userRegistry.getGroupNames())
{
groupDeletionCandidates.remove(group);
}
this.deletionCandidates = new TreeSet<String>();
this.deletionCandidates.addAll(personDeletionCandidates);
this.deletionCandidates.addAll(groupDeletionCandidates);
allZonePersons.removeAll(personDeletionCandidates);
allZoneGroups.removeAll(groupDeletionCandidates);
}
// Prune the group associations now that we have complete information
this.groupParentAssocsToCreate.keySet().retainAll(allZoneGroups);
logRetainParentAssociations(this.groupParentAssocsToDelete, allZoneGroups);
this.finalGroupChildAssocs.keySet().retainAll(allZoneGroups);
// Pruning person associations will have to wait until we have passed over all persons and built up
// this set
this.allZonePersons = allZonePersons;
if (!this.groupParentAssocsToDelete.isEmpty())
{
// Create/update the groups and delete parent associations to be deleted
BatchProcessor<Map.Entry<String, Set<String>>> groupCreator = new BatchProcessor<Map.Entry<String, Set<String>>>(
zone + " Group Creation and Association Deletion",
ChainingUserRegistrySynchronizer.this.transactionService.getRetryingTransactionHelper(),
this.groupParentAssocsToDelete.entrySet(),
ChainingUserRegistrySynchronizer.this.workerThreads, 20,
ChainingUserRegistrySynchronizer.this.applicationEventPublisher,
ChainingUserRegistrySynchronizer.logger,
ChainingUserRegistrySynchronizer.this.loggingInterval);
groupCreator.process(new BaseBatchProcessWorker<Map.Entry<String, Set<String>>>()
{
public String getIdentifier(Map.Entry<String, Set<String>> entry)
{
return entry.getKey() + " " + entry.getValue();
}
public void process(Map.Entry<String, Set<String>> entry) throws Throwable
{
String child = entry.getKey();
String groupDisplayName = Analyzer.this.groupsToCreate.get(child);
if (groupDisplayName != null)
{
String groupShortName = ChainingUserRegistrySynchronizer.this.authorityService
.getShortName(child);
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
{
ChainingUserRegistrySynchronizer.logger.debug("Creating group '"
+ groupShortName + "'");
}
// create the group
ChainingUserRegistrySynchronizer.this.authorityService.createAuthority(
AuthorityType.getAuthorityType(child), groupShortName, groupDisplayName,
zoneSet);
}
else
{
// Maintain association deletions now. The creations will have to be done later once
// we have performed all the deletions in order to avoid creating cycles
maintainAssociationDeletions(child);
}
}
}, splitTxns);
}
}
}
public void finalizeAssociations(UserRegistry userRegistry, boolean splitTxns)
{
// First validate the group associations to be created for potential cycles. Remove any offending association
validateGroupParentAssocsToCreate();
// Now go ahead and create the group associations
if (!this.groupParentAssocsToCreate.isEmpty())
{
BatchProcessor<Map.Entry<String, Set<String>>> groupCreator = new BatchProcessor<Map.Entry<String, Set<String>>>(
zone + " Group Association Creation", ChainingUserRegistrySynchronizer.this.transactionService
.getRetryingTransactionHelper(), this.groupParentAssocsToCreate.entrySet(),
ChainingUserRegistrySynchronizer.this.workerThreads, 20,
ChainingUserRegistrySynchronizer.this.applicationEventPublisher,
ChainingUserRegistrySynchronizer.logger,
ChainingUserRegistrySynchronizer.this.loggingInterval);
groupCreator.process(new BaseBatchProcessWorker<Map.Entry<String, Set<String>>>()
{
public String getIdentifier(Map.Entry<String, Set<String>> entry)
{
return entry.getKey() + " " + entry.getValue();
}
public void process(Map.Entry<String, Set<String>> entry) throws Throwable
{
maintainAssociationCreations(entry.getKey());
}
}, splitTxns);
}
// Remove all the associations we have already dealt with
this.personParentAssocsToCreate.keySet().removeAll(this.personsProcessed);
// Filter out associations to authorities that simply can't exist (and log if debugging is enabled)
logRetainParentAssociations(this.personParentAssocsToCreate, this.allZonePersons);
// Update associations to persons not updated themselves
if (!this.personParentAssocsToCreate.isEmpty())
{
BatchProcessor<Map.Entry<String, Set<String>>> groupCreator = new BatchProcessor<Map.Entry<String, Set<String>>>(
zone + " Person Association", ChainingUserRegistrySynchronizer.this.transactionService
.getRetryingTransactionHelper(), this.personParentAssocsToCreate.entrySet(),
ChainingUserRegistrySynchronizer.this.workerThreads, 20,
ChainingUserRegistrySynchronizer.this.applicationEventPublisher,
ChainingUserRegistrySynchronizer.logger,
ChainingUserRegistrySynchronizer.this.loggingInterval);
groupCreator.process(new BaseBatchProcessWorker<Map.Entry<String, Set<String>>>()
{
public String getIdentifier(Map.Entry<String, Set<String>> entry)
{
return entry.getKey() + " " + entry.getValue();
}
public void process(Map.Entry<String, Set<String>> entry) throws Throwable
{
maintainAssociationDeletions(entry.getKey());
maintainAssociationCreations(entry.getKey());
}
}, splitTxns);
}
}
private void maintainAssociationDeletions(String authorityName)
{
boolean isPerson = AuthorityType.getAuthorityType(authorityName) == AuthorityType.USER;
Set<String> parentsToDelete = isPerson ? this.personParentAssocsToDelete.get(authorityName)
: this.groupParentAssocsToDelete.get(authorityName);
if (parentsToDelete != null && !parentsToDelete.isEmpty())
{
for (String parent : parentsToDelete)
{
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
{
ChainingUserRegistrySynchronizer.logger
.debug("Removing '"
+ ChainingUserRegistrySynchronizer.this.authorityService
.getShortName(authorityName)
+ "' from group '"
+ ChainingUserRegistrySynchronizer.this.authorityService
.getShortName(parent) + "'");
}
ChainingUserRegistrySynchronizer.this.authorityService.removeAuthority(parent, authorityName);
}
}
}
private void maintainAssociationCreations(String authorityName)
{
boolean isPerson = AuthorityType.getAuthorityType(authorityName) == AuthorityType.USER;
Set<String> parents = isPerson ? this.personParentAssocsToCreate.get(authorityName)
: this.groupParentAssocsToCreate.get(authorityName);
if (parents != null && !parents.isEmpty())
{
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
{
for (String groupName : parents)
{
ChainingUserRegistrySynchronizer.logger.debug("Adding '"
+ ChainingUserRegistrySynchronizer.this.authorityService
.getShortName(authorityName) + "' to group '"
+ ChainingUserRegistrySynchronizer.this.authorityService.getShortName(groupName)
+ "'");
}
}
try
{
ChainingUserRegistrySynchronizer.this.authorityService.addAuthority(parents, authorityName);
}
catch (UnknownAuthorityException e)
{
// Let's force a transaction retry if a parent doesn't exist. It may be because we are
// waiting for another worker thread to create it
throw new ConcurrencyFailureException("Forcing batch retry for unknown authority", e);
}
catch (InvalidNodeRefException e)
{
// Another thread may have written the node, but it is not visible to this transaction
// See: ALF-5471: 'authorityMigration' patch can report 'Node does not exist'
throw new ConcurrencyFailureException("Forcing batch retry for invalid node", e);
}
}
// Remember that this person's associations have been maintained
if (isPerson)
{
synchronized (this)
{
this.personsProcessed.add(authorityName);
}
}
}
}
final Analyzer groupAnalyzer = new Analyzer(lastModifiedMillis);
int groupProcessedCount = groupProcessor.process(groupAnalyzer, splitTxns);
groupAnalyzer.processGroups(userRegistry, allowDeletions, splitTxns);
// Process persons and their parent associations
lastModifiedMillis = forceUpdate ? -1 : getMostRecentUpdateTime(
ChainingUserRegistrySynchronizer.PERSON_LAST_MODIFIED_ATTRIBUTE, zoneId, splitTxns);
lastModified = lastModifiedMillis == -1 ? null : new Date(lastModifiedMillis);
if (ChainingUserRegistrySynchronizer.logger.isInfoEnabled())
{
if (lastModified == null)
{
ChainingUserRegistrySynchronizer.logger.info("Retrieving all users from user registry '" + zone + "'");
}
else
{
ChainingUserRegistrySynchronizer.logger.info("Retrieving users changed since "
+ DateFormat.getDateTimeInstance().format(lastModified) + " from user registry '" + zone + "'");
}
}
final BatchProcessor<NodeDescription> personProcessor = new BatchProcessor<NodeDescription>(zone
+ " User Creation and Association", this.transactionService.getRetryingTransactionHelper(),
userRegistry.getPersons(lastModified), this.workerThreads, 10, this.applicationEventPublisher,
ChainingUserRegistrySynchronizer.logger, this.loggingInterval);
class PersonWorker extends BaseBatchProcessWorker<NodeDescription>
{
private long latestTime;
public PersonWorker(final long latestTime)
{
this.latestTime = latestTime;
}
public long getLatestTime()
{
return this.latestTime;
}
public String getIdentifier(NodeDescription entry)
{
return entry.getSourceId();
}
public void process(NodeDescription person) throws Throwable
{
// Make a mutable copy of the person properties, since they get written back to by person service
HashMap<QName, Serializable> personProperties = new HashMap<QName, Serializable>(person.getProperties());
String personName = (String) personProperties.get(ContentModel.PROP_USERNAME);
Set<String> zones = ChainingUserRegistrySynchronizer.this.authorityService
.getAuthorityZones(personName);
if (zones == null)
{
// The person did not exist at all
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
{
ChainingUserRegistrySynchronizer.logger.debug("Creating user '" + personName + "'");
}
ChainingUserRegistrySynchronizer.this.personService.createPerson(personProperties, zoneSet);
}
else if (zones.contains(zoneId))
{
// The person already existed in this zone: update the person
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
{
ChainingUserRegistrySynchronizer.logger.debug("Updating user '" + personName + "'");
}
ChainingUserRegistrySynchronizer.this.personService.setPersonProperties(personName,
personProperties, false);
}
else
{
// Check whether the user is in any of the authentication chain zones
Set<String> intersection = new TreeSet<String>(zones);
intersection.retainAll(allZoneIds);
if (intersection.size() == 0)
{
// The person exists, but not in a zone that's in the authentication chain. May be due
// to upgrade or zone changes. Let's re-zone them
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
{
ChainingUserRegistrySynchronizer.logger.warn("Updating user '" + personName
+ "'. This user will in future be assumed to originate from user registry '" + zone
+ "'.");
}
ChainingUserRegistrySynchronizer.this.authorityService.removeAuthorityFromZones(personName,
zones);
ChainingUserRegistrySynchronizer.this.authorityService.addAuthorityToZones(personName, zoneSet);
ChainingUserRegistrySynchronizer.this.personService.setPersonProperties(personName,
personProperties, false);
}
else
{
// Check whether the user is in any of the higher priority authentication chain zones
intersection.retainAll(visitedZoneIds);
if (intersection.size() > 0)
{
// A person that exists in a different zone with higher precedence - ignore
return;
}
// The person existed, but in a zone with lower precedence
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
{
ChainingUserRegistrySynchronizer.logger
.warn("Recreating occluded user '"
+ personName
+ "'. This user was previously created through synchronization with a lower priority user registry.");
}
ChainingUserRegistrySynchronizer.this.personService.deletePerson(personName);
ChainingUserRegistrySynchronizer.this.personService.createPerson(personProperties, zoneSet);
}
}
// Maintain association deletions and creations in one shot (safe to do this with persons as we can't
// create cycles)
groupAnalyzer.maintainAssociationDeletions(personName);
groupAnalyzer.maintainAssociationCreations(personName);
synchronized (this)
{
// Maintain the last modified date
Date personLastModified = person.getLastModified();
if (personLastModified != null)
{
this.latestTime = Math.max(this.latestTime, personLastModified.getTime());
}
}
}
}
PersonWorker persons = new PersonWorker(lastModifiedMillis);
int personProcessedCount = personProcessor.process(persons, splitTxns);
// Process those associations to persons who themselves have not been updated
groupAnalyzer.finalizeAssociations(userRegistry, splitTxns);
// Only now that the whole tree has been processed is it safe to persist the last modified dates
long latestTime = groupAnalyzer.getLatestTime();
if (latestTime != -1)
{
setMostRecentUpdateTime(ChainingUserRegistrySynchronizer.GROUP_LAST_MODIFIED_ATTRIBUTE, zoneId, latestTime,
splitTxns);
}
latestTime = persons.getLatestTime();
if (latestTime != -1)
{
setMostRecentUpdateTime(ChainingUserRegistrySynchronizer.PERSON_LAST_MODIFIED_ATTRIBUTE, zoneId,
latestTime, splitTxns);
}
// Delete authorities if we have complete information for the zone
Set<String> deletionCandidates = groupAnalyzer.getDeletionCandidates();
if (allowDeletions && !deletionCandidates.isEmpty())
{
BatchProcessor<String> authorityDeletionProcessor = new BatchProcessor<String>(
zone + " Authority Deletion", this.transactionService.getRetryingTransactionHelper(),
deletionCandidates, this.workerThreads, 10, this.applicationEventPublisher,
ChainingUserRegistrySynchronizer.logger, this.loggingInterval);
class AuthorityDeleter extends BaseBatchProcessWorker<String>
{
private int personProcessedCount;
private int groupProcessedCount;
public int getPersonProcessedCount()
{
return this.personProcessedCount;
}
public int getGroupProcessedCount()
{
return this.groupProcessedCount;
}
public String getIdentifier(String entry)
{
return entry;
}
public void process(String authority) throws Throwable
{
if (AuthorityType.getAuthorityType(authority) == AuthorityType.USER)
{
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
{
ChainingUserRegistrySynchronizer.logger.debug("Deleting user '" + authority + "'");
}
ChainingUserRegistrySynchronizer.this.personService.deletePerson(authority);
synchronized (this)
{
this.personProcessedCount++;
}
}
else
{
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
{
ChainingUserRegistrySynchronizer.logger.debug("Deleting group '"
+ ChainingUserRegistrySynchronizer.this.authorityService.getShortName(authority)
+ "'");
}
ChainingUserRegistrySynchronizer.this.authorityService.deleteAuthority(authority);
synchronized (this)
{
this.groupProcessedCount++;
}
}
}
}
AuthorityDeleter authorityDeleter = new AuthorityDeleter();
authorityDeletionProcessor.process(authorityDeleter, splitTxns);
groupProcessedCount += authorityDeleter.getGroupProcessedCount();
personProcessedCount += authorityDeleter.getPersonProcessedCount();
}
// Remember we have visited this zone
visitedZoneIds.add(zoneId);
if (ChainingUserRegistrySynchronizer.logger.isInfoEnabled())
{
ChainingUserRegistrySynchronizer.logger.info("Finished synchronizing users and groups with user registry '"
+ zone + "'");
ChainingUserRegistrySynchronizer.logger.info(personProcessedCount + " user(s) and " + groupProcessedCount
+ " group(s) processed");
}
}
/**
* Gets the persisted most recent update time for a label and zone.
*
* @param label
* the label
* @param zoneId
* the zone id
* @return the most recent update time in milliseconds
*/
private long getMostRecentUpdateTime(final String label, final String zoneId, boolean splitTxns)
{
return this.transactionService.getRetryingTransactionHelper().doInTransaction(
new RetryingTransactionCallback<Long>()
{
public Long execute() throws Throwable
{
Long updateTime = (Long) ChainingUserRegistrySynchronizer.this.attributeService.getAttribute(
ChainingUserRegistrySynchronizer.ROOT_ATTRIBUTE_PATH, label, zoneId);
return updateTime == null ? -1 : updateTime;
}
}, true, splitTxns);
}
/**
* Persists the most recent update time for a label and zone.
*
* @param label
* the label
* @param zoneId
* the zone id
* @param lastModifiedMillis
* the update time in milliseconds
* @param splitTxns
* Can the modifications to Alfresco be split across multiple transactions for maximum performance? If
* <code>true</code>, the attribute is persisted in a new transaction for increased performance and
* reliability.
*/
private void setMostRecentUpdateTime(final String label, final String zoneId, final long lastModifiedMillis,
boolean splitTxns)
{
this.transactionService.getRetryingTransactionHelper().doInTransaction(
new RetryingTransactionHelper.RetryingTransactionCallback<Object>()
{
public Object execute() throws Throwable
{
ChainingUserRegistrySynchronizer.this.attributeService.setAttribute(Long
.valueOf(lastModifiedMillis), ChainingUserRegistrySynchronizer.ROOT_ATTRIBUTE_PATH,
label, zoneId);
return null;
}
}, false, splitTxns);
}
/**
* Gets the default set of zones to set on a person or group belonging to the user registry with the given zone ID.
* We add the default zone as well as the zone corresponding to the user registry so that the users and groups are
* visible in the UI.
*
* @param zoneId
* the zone id
* @return the zone set
*/
private Set<String> getZones(String zoneId)
{
Set<String> zones = new HashSet<String>(5);
zones.add(AuthorityService.ZONE_APP_DEFAULT);
zones.add(zoneId);
return zones;
}
/*
* (non-Javadoc)
* @seeorg.springframework.extensions.surf.util.AbstractLifecycleBean#onBootstrap(org.springframework.context.
* ApplicationEvent)
*/
@Override
protected void onBootstrap(ApplicationEvent event)
{
// Do an initial differential sync on startup, using transaction splitting. This ensures that on the very
// first startup, we don't have to wait for a very long login operation to trigger the first sync!
if (this.syncOnStartup)
{
AuthenticationUtil.runAs(new RunAsWork<Object>()
{
public Object doWork() throws Exception
{
try
{
synchronize(false, false, true);
}
catch (Exception e)
{
ChainingUserRegistrySynchronizer.logger.warn("Failed initial synchronize with user registries",
e);
}
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
}
/*
* (non-Javadoc)
* @seeorg.springframework.extensions.surf.util.AbstractLifecycleBean#onShutdown(org.springframework.context.
* ApplicationEvent)
*/
@Override
protected void onShutdown(ApplicationEvent event)
{
}
protected abstract class BaseBatchProcessWorker <T> implements BatchProcessWorker<T>
{
public final void beforeProcess() throws Throwable
{
// Disable rules
ChainingUserRegistrySynchronizer.this.ruleService.disableRules();
// Authentication
AuthenticationUtil.setRunAsUser(AuthenticationUtil.getSystemUserName());
}
public final void afterProcess() throws Throwable
{
// Enable rules
ChainingUserRegistrySynchronizer.this.ruleService.enableRules();
// Clear authentication
AuthenticationUtil.clearCurrentSecurityContext();
}
}
}
Reference in New Issue View Git Blame Copy Permalink