/**
 * Synchronizes one external group onto its already existing repository group.
 * The caller has verified {@code external}; this method additionally verifies that the
 * local group belongs to the same IDP, and only touches it when a sync is forced or due.
 *
 * @param external the external group as returned by the IDP
 * @param group the repository group that corresponds to {@code external}
 * @return a result whose status is FOREIGN (group owned by another IDP), NOP (not expired) or UPDATE
 * @throws RepositoryException if reading or writing the repository group fails
 */
@NotNull
protected DefaultSyncResultImpl syncGroup(@NotNull ExternalGroup external, @NotNull Group group) throws RepositoryException {
    // A local group owned by a different IDP is never overwritten; report it as FOREIGN.
    // NOTE(review): the FOREIGN identity is built with isGroup=false — confirm that is intended.
    if (!isSameIDP(group)) {
        DefaultSyncedIdentity foreign = new DefaultSyncedIdentity(external.getId(), external.getExternalId(), false, -1);
        return new DefaultSyncResultImpl(foreign, SyncResult.Status.FOREIGN);
    }

    // Only a forced sync or an expired last-sync timestamp triggers an update.
    boolean needsUpdate = forceGroupSync || isExpired(group);
    if (!needsUpdate) {
        return new DefaultSyncResultImpl(createSyncedIdentity(group), SyncResult.Status.NOP);
    }

    syncExternalIdentity(external, group, config.group());
    // Record the sync time so the expiration check above is meaningful on the next run.
    group.setProperty(REP_LAST_SYNCED, nowValue);
    return new DefaultSyncResultImpl(createSyncedIdentity(group), SyncResult.Status.UPDATE);
}
/** A group principal shared by several synced users must be reported exactly once by findPrincipals. */
@Test
public void testFindPrincipalsFiltersDuplicates() throws Exception {
    ExternalGroup group = idp.getGroup("a");
    // a second user that is member of the very same group
    ExternalUser secondUser = new TestUser("anotherUser", ImmutableSet.of(group.getExternalId()));
    sync(secondUser);

    Set<Principal> expected = new HashSet<>();
    expected.add(new PrincipalImpl(group.getPrincipalName()));
    long nestingDepth = syncConfig.user().getMembershipNestingDepth();
    if (nestingDepth > 1) {
        // inherited group principals are only expected up to the configured nesting depth
        collectExpectedPrincipals(expected, group.getDeclaredGroups(), nestingDepth - 1);
    }

    Iterator<? extends Principal> found = principalProvider.findPrincipals("a", PrincipalManager.SEARCH_TYPE_ALL);
    assertTrue(found.hasNext());
    assertEquals(expected, ImmutableSet.copyOf(found));
}
/** Resolving the group DN must yield a group whose declared members match the fixture. */
@Test
public void testGetMembers() throws Exception {
    ExternalIdentityRef groupRef = new ExternalIdentityRef(GROUP_DN, IDP_NAME);
    ExternalIdentity identity = idp.getIdentity(groupRef);
    assertTrue("Group instance", identity instanceof ExternalGroup);

    ExternalGroup externalGroup = (ExternalGroup) identity;
    assertIfEquals("Group members", TEST_MEMBERS, externalGroup.getDeclaredMembers());
}
/**
 * Creates a new repository group for the given external one.
 * Note that this method only creates the authorizable but does not perform any synchronization.
 *
 * @param externalGroup the external group
 * @return the repository group
 * @throws RepositoryException if an error occurs
 */
@NotNull
protected Group createGroup(@NotNull ExternalGroup externalGroup) throws RepositoryException {
    Principal groupPrincipal = new PrincipalImpl(externalGroup.getPrincipalName());
    // the group's intermediate path is placed below the configured group path prefix
    String intermediatePath = PathUtils.concatRelativePaths(
            config.group().getPathPrefix(), externalGroup.getIntermediatePath());
    Group created = userManager.createGroup(externalGroup.getId(), groupPrincipal, intermediatePath);
    // mark the new group as owned by this IDP
    setExternalId(created, externalGroup);
    return created;
}
/** The principal name derived from a group's external reference must equal the group's own principal name. */
@Test
public void testResolvePrincipalNameGroup() throws ExternalIdentityException {
    ExternalGroup group = idp.getGroup(TEST_GROUP1_NAME);
    assertNotNull(group);

    String resolved = idp.fromExternalIdentityRef(group.getExternalId());
    assertEquals(group.getPrincipalName(), resolved);
}
/** Syncing an external group by its external id creates the group but none of its parent groups. */
@Test
public void testInitialSyncExternalGroup() throws Exception {
    ExternalGroup externalGroup = idp.getGroup("a");
    String[] externalIds = {externalGroup.getExternalId().getString()};
    String[] messages = syncMBean.syncExternalUsers(externalIds);
    assertResultMessages(messages, "a", "add");

    UserManager um = getUserManager();
    assertNotNull(um.getAuthorizable(externalGroup.getId(), Group.class));
    // membership of groups are not synced (unless imposed by user-sync with membership depth)
    for (ExternalIdentityRef parentRef : externalGroup.getDeclaredGroups()) {
        assertNull(um.getAuthorizable(parentRef.getId()));
    }
}
/** Re-syncing membership with a changed set of declared groups must replace the dynamic membership. */
@Test
public void testSyncMembershipWithChangedGroups() throws Exception {
    final long nesting = 1;
    syncConfig.user().setMembershipNestingDepth(nesting);

    ExternalUser externalUser = idp.getUser(USER_ID);
    sync(externalUser, SyncResult.Status.ADD);
    Authorizable authorizable = userManager.getAuthorizable(externalUser.getId());
    assertDynamicMembership(authorizable, externalUser, nesting);

    // 1. the same user now declares no groups at all
    ExternalUser noGroups = new TestUserWithGroupRefs(externalUser, ImmutableSet.<ExternalIdentityRef>of());
    syncContext.syncMembership(noGroups, authorizable, nesting);
    assertDynamicMembership(authorizable, noGroups, nesting);

    // 2. the user declares a set of groups differing from what the IDP defines
    ExternalUser otherGroups = new TestUserWithGroupRefs(externalUser, ImmutableSet.<ExternalIdentityRef>of(
            idp.getGroup("a").getExternalId(),
            idp.getGroup("aa").getExternalId(),
            idp.getGroup("secondGroup").getExternalId()));
    syncContext.syncMembership(otherGroups, authorizable, nesting);
    assertDynamicMembership(authorizable, otherGroups, nesting);
}
continue; log.debug("- idp returned '{}'", extGroup.getId()); Group grp = declaredExternalGroups.remove(extGroup.getId()); boolean exists = grp != null; Authorizable a = userManager.getAuthorizable(extGroup.getId()); if (a == null) { grp = createGroup(extGroup); grp = (Group) a; } else { log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", extGroup.getId(), idp.getName()); continue;
@Nullable
@Override
public String apply(ExternalGroup input) {
    // Maps an external group to its principal name; the result is whatever the group reports
    // (annotated @Nullable, so callers must cope with a missing name).
    return input.getPrincipalName();
}
});
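/**
 * Membership of a user that was fully synced (groups created in the repository) must follow
 * later membership changes of the external user.
 */
@Test
public void testSyncMembershipWithChangedExistingGroups() throws Exception {
    long nesting = 1;
    syncConfig.user().setMembershipNestingDepth(nesting);

    ExternalUser externalUser = idp.getUser(USER_ID);
    // A dedicated context performs the initial sync; close it in a finally block so that a
    // failing sync() cannot leave the context open for the rest of the test run.
    DefaultSyncContext ctx = new DefaultSyncContext(syncConfig, idp, userManager, valueFactory);
    try {
        ctx.sync(externalUser);
    } finally {
        ctx.close();
    }

    Authorizable a = userManager.getAuthorizable(externalUser.getId());
    assertSyncedMembership(userManager, a, externalUser);

    // sync user with modified membership => must be reflected
    // 1. empty set of declared groups
    ExternalUser mod = new TestUserWithGroupRefs(externalUser, ImmutableSet.<ExternalIdentityRef>of());
    syncContext.syncMembership(mod, a, nesting);
    assertSyncedMembership(userManager, a, mod);

    // 2. set with different groups than defined on IDP
    mod = new TestUserWithGroupRefs(externalUser, ImmutableSet.<ExternalIdentityRef>of(
            idp.getGroup("a").getExternalId(),
            idp.getGroup("aa").getExternalId(),
            idp.getGroup("secondGroup").getExternalId()));
    syncContext.syncMembership(mod, a, nesting);
    assertSyncedMembership(userManager, a, mod);
}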
/** syncAllUsers must report every previously synced group as updated and leave it in sync. */
@Test
public void testSyncAllGroups() throws Exception {
    // sync every external group into the repo first; each one is then expected to report "upd"
    Map<String, String> expected = new HashMap<>();
    for (Iterator<ExternalGroup> it = idp.listGroups(); it.hasNext(); ) {
        String groupId = it.next().getId();
        sync(idp, groupId, true);
        expected.put(groupId, "upd");
    }

    // syncAllUsers also covers the synced groups
    String[] messages = syncMBean.syncAllUsers(false);
    assertResultMessages(messages, expected);

    UserManager um = getUserManager();
    for (String groupId : expected.keySet()) {
        assertSync(idp.getGroup(groupId), um);
    }
}
/** Builds one synced identity for the test user and one for the first group of the IDP. */
@Before
public void before() throws Exception {
    // arbitrary last-synced timestamp shared by both fixtures
    final long lastSynced = 234;

    externalUser = idp.getUser(TestIdentityProvider.ID_TEST_USER);
    assertNotNull(externalUser);
    si = new DefaultSyncedIdentity(externalUser.getId(), externalUser.getExternalId(), false, lastSynced);

    externalGroup = idp.listGroups().next();
    siGroup = new DefaultSyncedIdentity(externalGroup.getId(), externalGroup.getExternalId(), true, lastSynced);
}
/** getExternalIdRef returns the reference given to the constructor, including a null one. */
@Test
public void testGetExternalIdRef() {
    assertEquals(externalUser.getExternalId(), si.getExternalIdRef());
    assertEquals(externalGroup.getExternalId(), siGroup.getExternalIdRef());

    // a null reference is passed through unchanged
    SyncedIdentity withoutRef = new DefaultSyncedIdentity(TestIdentityProvider.ID_TEST_USER, null, false, 234);
    assertNull(withoutRef.getExternalIdRef());
}
/** Syncing a group through this context neither creates a repository group nor leaves pending changes. */
@Test
public void testSyncExternalGroup() throws Exception {
    ExternalGroup externalGroup = idp.listGroups().next();
    syncContext.sync(externalGroup);

    assertNull(userManager.getAuthorizable(externalGroup.getId()));
    assertFalse(r.hasPendingChanges());
}
/** Group members must resolve both via the DN and, with uid-based external ids, via the group name. */
@Test
public void testGetMembers() throws Exception {
    // default configuration: the external id is the DN
    ExternalGroup byDn = resolveGroupOrFail(new ExternalIdentityRef(TEST_GROUP1_DN, IDP_NAME));
    assertIfEquals("Group members", TEST_GROUP1_MEMBERS, byDn.getDeclaredMembers());

    // switch to uid-based external ids; a fresh provider is needed to pick up the config change
    providerConfig.setUseUidForExtId(true);
    idp.close();
    idp = new LdapIdentityProvider(providerConfig);
    ExternalGroup byUid = resolveGroupOrFail(new ExternalIdentityRef(TEST_GROUP1_NAME, IDP_NAME));
    assertIfEquals("Group members", TEST_GROUP1_MEMBERS, byUid.getDeclaredMembers());
}

/** Looks up the identity behind {@code ref} on the current provider and asserts that it is a group. */
private ExternalGroup resolveGroupOrFail(ExternalIdentityRef ref) throws Exception {
    ExternalIdentity identity = idp.getIdentity(ref);
    assertTrue("Group instance", identity instanceof ExternalGroup);
    return (ExternalGroup) identity;
}
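/**
 * A repository group that lost its external-id marker is a plain local group and must be reported
 * as FOREIGN (and left untouched) when the external group of the same id is synced again.
 */
@Test
public void testSyncExternalToExistingLocalGroup() throws Exception {
    ExternalGroup external = idp.listGroups().next();
    syncCtx.sync(external);
    Group gr = userManager.getAuthorizable(external.getId(), Group.class);
    // fail with a clear assertion instead of an NPE if the initial sync did not create the group
    assertNotNull(gr);
    // removing the marker turns the synced group into a local group
    gr.removeProperty(ExternalIdentityConstants.REP_EXTERNAL_ID);

    SyncResult result = syncCtx.sync(external);
    assertEquals(SyncResult.Status.FOREIGN, result.getStatus());
    SyncedIdentity si = result.getIdentity();
    assertNotNull(si);
    assertEquals(external.getExternalId(), si.getExternalIdRef());
}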
/** isSameIDP must reject references of a foreign provider and accept those of the bound one. */
@Test
public void testIsSameIDPExternalIdentityRef() throws Exception {
    // references issued by a foreign provider
    ExternalIdentityRef foreignUserRef = new TestIdentityProvider.ForeignExternalUser().getExternalId();
    ExternalIdentityRef foreignGroupRef = new TestIdentityProvider.ForeignExternalGroup().getExternalId();
    assertFalse(syncCtx.isSameIDP(foreignUserRef));
    assertFalse(syncCtx.isSameIDP(foreignGroupRef));

    // references issued by the provider the context is bound to
    assertTrue(syncCtx.isSameIDP(new TestIdentityProvider.TestIdentity().getExternalId()));
    assertTrue(syncCtx.isSameIDP(idp.listGroups().next().getExternalId()));
    assertTrue(syncCtx.isSameIDP(idp.listUsers().next().getExternalId()));
}
/** getId returns the id passed to the constructor, independent of the external reference. */
@Test
public void testGetId() {
    assertEquals(externalUser.getId(), si.getId());
    assertEquals(externalGroup.getId(), siGroup.getId());

    // an id differing from the one behind the external reference is kept verbatim
    String otherId = "otherId";
    SyncedIdentity renamed = new DefaultSyncedIdentity(otherId, externalUser.getExternalId(), false, -1);
    assertEquals(otherId, renamed.getId());
}
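/**
 * A repository group whose external id points to a different IDP must be reported as FOREIGN
 * (and left untouched) when the external group of the same id is synced again.
 */
@Test
public void testSyncExternalToForeignLocalGroup() throws Exception {
    ExternalGroup external = idp.listGroups().next();
    syncCtx.sync(external);
    Group gr = userManager.getAuthorizable(external.getId(), Group.class);
    // fail with a clear assertion instead of an NPE if the initial sync did not create the group
    assertNotNull(gr);
    // re-label the group as owned by another IDP
    setExternalID(gr, "differentIDP");

    SyncResult result = syncCtx.sync(external);
    assertEquals(SyncResult.Status.FOREIGN, result.getStatus());
    SyncedIdentity si = result.getIdentity();
    assertNotNull(si);
    assertEquals(external.getExternalId(), si.getExternalIdRef());
}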
/** A group synced from a foreign IDP must be reported as foreign by the test IDP and never purged. */
@Test
public void testSyncGroupsForeign() throws Exception {
    // sync group 'a' from the foreign IDP into the repository
    SyncResult res = sync(foreignIDP, "a", true);
    assertNotNull(getUserManager().getAuthorizable("a"));
    assertEquals(foreignIDP.getGroup("a").getExternalId(), res.getIdentity().getExternalIdRef());

    // syncUsers through the test IDP must detect the foreign status and keep the group,
    // with and without 'purge'
    String[] ids = {"a"};
    for (boolean purge : new boolean[] {false, true}) {
        String[] result = syncMBean.syncUsers(ids, purge);
        assertResultMessages(result, "a", "for");
        assertNotNull(getUserManager().getAuthorizable("a"));
    }
}