Author: ilgrosso
Date: Fri Dec  7 14:29:41 2012
New Revision: 1418327

URL: http://svn.apache.org/viewvc?rev=1418327&view=rev
Log:
Adding a utility PropagationActions class allowing transparent LDAP role 
membership propagation

Modified:
    
syncope/branches/DEV_ROLE_PROVISIONING/core/src/main/java/org/apache/syncope/core/propagation/LDAPMembershipPropagationActions.java
    syncope/branches/DEV_ROLE_PROVISIONING/core/src/test/resources/content.xml

Modified: 
syncope/branches/DEV_ROLE_PROVISIONING/core/src/main/java/org/apache/syncope/core/propagation/LDAPMembershipPropagationActions.java
URL: 
http://svn.apache.org/viewvc/syncope/branches/DEV_ROLE_PROVISIONING/core/src/main/java/org/apache/syncope/core/propagation/LDAPMembershipPropagationActions.java?rev=1418327&r1=1418326&r2=1418327&view=diff
==============================================================================
--- 
syncope/branches/DEV_ROLE_PROVISIONING/core/src/main/java/org/apache/syncope/core/propagation/LDAPMembershipPropagationActions.java
 (original)
+++ 
syncope/branches/DEV_ROLE_PROVISIONING/core/src/main/java/org/apache/syncope/core/propagation/LDAPMembershipPropagationActions.java
 Fri Dec  7 14:29:41 2012
@@ -19,28 +19,42 @@
 package org.apache.syncope.core.propagation;
 
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import org.apache.commons.jexl2.JexlContext;
 import org.apache.commons.jexl2.MapContext;
 import org.apache.commons.lang.StringUtils;
 import org.apache.syncope.core.persistence.beans.PropagationTask;
 import org.apache.syncope.core.persistence.beans.role.SyncopeRole;
-import org.apache.syncope.core.persistence.dao.RoleDAO;
+import org.apache.syncope.core.persistence.beans.user.SyncopeUser;
+import org.apache.syncope.core.persistence.dao.UserDAO;
 import org.apache.syncope.core.util.JexlUtil;
+import org.apache.syncope.types.AttributableType;
+import org.apache.syncope.types.ResourceOperation;
+import org.identityconnectors.framework.common.objects.Attribute;
 import org.identityconnectors.framework.common.objects.AttributeBuilder;
 import org.identityconnectors.framework.common.objects.ConnectorObject;
-import org.identityconnectors.framework.common.objects.ObjectClass;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.transaction.annotation.Transactional;
 
+/**
+ * Simple action for propagating role memberships to LDAP groups, when the 
same resource is configured for both users
+ * and roles.
+ */
 public class LDAPMembershipPropagationActions extends 
DefaultPropagationActions {
 
     private static final Logger LOG = 
LoggerFactory.getLogger(LDAPMembershipPropagationActions.class);
 
+    /**
+     * Allows easy subclassing for the ConnId AD connector bundle.
+     */
+    protected static final String GROUP_MEMBERSHIP_ATTR = "ldapGroups";
+
     @Autowired
-    private RoleDAO roleDAO;
+    private UserDAO userDAO;
 
     @Autowired
     private JexlUtil jexlUtil;
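Review bot: The Javadoc on `GROUP_MEMBERSHIP_ATTR` promises easy subclassing, but a `static final` field cannot be overridden. A subclass that declares its own `GROUP_MEMBERSHIP_ATTR` only hides this one, and `before()` in this class would still build the attribute under the name "ldapGroups". For the AD connector case to work without copying `before()`, the name should come from an overridable instance method, for example `protected String getGroupMembershipAttrName() { return "ldapGroups"; }`, which `before()` then calls. The Javadoc would then say that the value is the connector attribute name under which group DNs are sent.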
@@ -50,10 +64,17 @@ public class LDAPMembershipPropagationAc
     public void before(final PropagationTask task, final ConnectorObject 
beforeObj) {
         super.before(task, beforeObj);
 
-        if (beforeObj.getObjectClass() == ObjectClass.ACCOUNT && 
task.getResource().getRmapping() != null) {
+        if (ResourceOperation.DELETE != task.getPropagationOperation()
+                && AttributableType.USER == task.getSubjectType() && 
task.getResource().getRmapping() != null) {
+
+            SyncopeUser user = userDAO.find(task.getSubjectId());
+            if (user == null) {
+                throw new IllegalArgumentException("User " + 
task.getSubjectId() + " not found");
+            }
+
             List<String> roleAccountLinks = new ArrayList<String>();
-            for (SyncopeRole role : roleDAO.findAll()) {
-                if (role.getResources().contains(task.getResource())
+            for (SyncopeRole role : user.getRoles()) {
+                if 
(role.getResourceNames().contains(task.getResource().getName())
                         && 
StringUtils.isNotBlank(task.getResource().getRmapping().getAccountLink())) {
 
                     LOG.debug("Evaluating accountLink for {}", role);
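Review bot: The `StringUtils.isNotBlank(task.getResource().getRmapping().getAccountLink())` test inside the loop depends only on the resource, not on the role, so it gives the same answer on every iteration. Moving it into the outer condition avoids the `userDAO.find` lookup and the role loop when no accountLink is configured, and lets the else-branch debug message cover that case as well. The outer condition would end with `&& task.getResource().getRmapping() != null && StringUtils.isNotBlank(task.getResource().getRmapping().getAccountLink())) {` and the inner test would shrink to `if (role.getResourceNames().contains(task.getResource().getName())) {`. The loop body continues outside this hunk.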
@@ -73,10 +94,12 @@ public class LDAPMembershipPropagationAc
             LOG.debug("Role accountLinks to propagate for membership: {}", 
roleAccountLinks);
 
             if (!roleAccountLinks.isEmpty()) {
-                task.getAttributes().add(AttributeBuilder.build("ldapGroups", 
roleAccountLinks));
+                Set<Attribute> attributes = new 
HashSet<Attribute>(task.getAttributes());
+                attributes.add(AttributeBuilder.build(GROUP_MEMBERSHIP_ATTR, 
roleAccountLinks));
+                task.setAttributes(attributes);
             }
         } else {
-            LOG.debug("It's {}, not doing anything", 
beforeObj.getObjectClass());
+            LOG.debug("Not about user, or role mapping missing for resource: 
not doing anything");
         }
     }
 }
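Review bot: When `roleAccountLinks` is empty, the `if (!roleAccountLinks.isEmpty())` guard sends no membership attribute at all, including on an update for a user who has just been removed from every role assigned to this resource. If the connector treats an absent attribute as "leave unchanged" (not visible here), that user keeps the LDAP group memberships from the previous propagation, so access is granted but never revoked. Consider sending the attribute on updates even when the list is empty, for example `if (!roleAccountLinks.isEmpty() || ResourceOperation.UPDATE == task.getPropagationOperation()) {`, after confirming how the connector handles an empty value. Add a comment there stating that an empty list is meant to clear memberships. `before()` starts outside this hunk.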

Modified: 
syncope/branches/DEV_ROLE_PROVISIONING/core/src/test/resources/content.xml
URL: 
http://svn.apache.org/viewvc/syncope/branches/DEV_ROLE_PROVISIONING/core/src/test/resources/content.xml?rev=1418327&r1=1418326&r2=1418327&view=diff
==============================================================================
--- syncope/branches/DEV_ROLE_PROVISIONING/core/src/test/resources/content.xml 
(original)
+++ syncope/branches/DEV_ROLE_PROVISIONING/core/src/test/resources/content.xml 
Fri Dec  7 14:29:41 2012
@@ -373,6 +373,7 @@ under the License.
   <ExternalResource name="resource-ldap" connector_id="105"
                     enforceMandatoryCondition="1" propagationMode="ONE_PHASE"
                     propagationPriority="0" propagationPrimary="1"
+                    
propagationActionsClassName="org.apache.syncope.core.propagation.LDAPMembershipPropagationActions"
                     createTraceLevel="ALL" deleteTraceLevel="ALL" 
updateTraceLevel="ALL" syncTraceLevel="ALL"/>
   <ExternalResource name="ws-target-resource-nopropagation" connector_id="103"
                     enforceMandatoryCondition="1" propagationMode="TWO_PHASES"

