Add dep folder

[lgpl/argeo-commons.git] / security / runtime / org.argeo.security.jackrabbit / src / main / java / org / argeo / security / jackrabbit / JackrabbitSecurityModel.java
diff --git a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/JackrabbitSecurityModel.java b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/JackrabbitSecurityModel.java

index 75345edc8495afe03bb177d42ed57f1614bc2d63..a9985f94f409ecbc8b72703b02eba90c8117500a 100644 (file)
--- a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/JackrabbitSecurityModel.java
+++ b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/JackrabbitSecurityModel.java
@@ -1,35 +1,109 @@
+/*
+ * Copyright (C) 2007-2012 Argeo GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
  package org.argeo.security.jackrabbit;
  
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+
  import javax.jcr.Node;
  import javax.jcr.RepositoryException;
  import javax.jcr.Session;
  
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
  import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.api.security.user.Group;
  import org.apache.jackrabbit.api.security.user.User;
  import org.apache.jackrabbit.api.security.user.UserManager;
  import org.argeo.ArgeoException;
-import org.argeo.security.jcr.JcrSecurityModel;
-import org.argeo.util.security.SimplePrincipal;
+import org.argeo.jcr.ArgeoNames;
+import org.argeo.security.jcr.SimpleJcrSecurityModel;
  
  /** Make sure that user authorizable exists before syncing user directories. */
-public class JackrabbitSecurityModel extends JcrSecurityModel {
+public class JackrabbitSecurityModel extends SimpleJcrSecurityModel {
+       private final static Log log = LogFactory
+                       .getLog(JackrabbitSecurityModel.class);
  
         @Override
-       public Node sync(Session session, String username) {
+       public synchronized Node sync(Session session, String username,
+                       List<String> roles) {
+               if (!(session instanceof JackrabbitSession))
+                       return super.sync(session, username, roles);
+
                 try {
-                       if (session instanceof JackrabbitSession) {
-                               UserManager userManager = ((JackrabbitSession) session)
-                                               .getUserManager();
-                               User user = (User) userManager
-                                               .getAuthorizable(new SimplePrincipal(username));
-                               if (user == null)
-                                       userManager.createUser(username, "");
+                       UserManager userManager = ((JackrabbitSession) session)
+                                       .getUserManager();
+                       User user = (User) userManager.getAuthorizable(username);
+                       if (user != null) {
+                               String principalName = user.getPrincipal().getName();
+                               if (!principalName.equals(username)) {
+                                       log.warn("Jackrabbit principal is '" + principalName
+                                                       + "' but username is '" + username
+                                                       + "'. Recreating...");
+                                       user.remove();
+                                       user = userManager.createUser(username, "");
+                               }
+                       } else {
+                               // create new principal
+                               user = userManager.createUser(username, "");
+                               log.info(username + " added as Jackrabbit user " + user);
                         }
+
+                       // generic JCR sync
+                       Node userProfile = super.sync(session, username, roles);
+
+                       Boolean enabled = userProfile.getProperty(ArgeoNames.ARGEO_ENABLED)
+                                       .getBoolean();
+                       if (enabled && user.isDisabled())
+                               user.disable(null);
+                       else if (!enabled && !user.isDisabled())
+                               user.disable(userProfile.getPath() + " is disabled");
+
+                       // Sync Jackrabbit roles
+                       if (roles != null)
+                               syncRoles(userManager, user, roles);
+
+                       return userProfile;
                 } catch (RepositoryException e) {
                         throw new ArgeoException(
-                                       "Cannot perform Jackrabbit specific operaitons", e);
+                                       "Cannot perform Jackrabbit specific operations", e);
                 }
-               return super.sync(session, username);
         }
  
+       /** Make sure Jackrabbit roles are in line with authentication */
+       void syncRoles(UserManager userManager, User user, List<String> roles)
+                       throws RepositoryException {
+               List<String> userGroupIds = new ArrayList<String>();
+               for (String role : roles) {
+                       Group group = (Group) userManager.getAuthorizable(role);
+                       if (group == null) {
+                               group = userManager.createGroup(role);
+                               log.info(role + " added as " + group);
+                       }
+                       if (!group.isMember(user))
+                               group.addMember(user);
+                       userGroupIds.add(role);
+               }
+
+               // check if user has not been removed from some groups
+               for (Iterator<Group> it = user.declaredMemberOf(); it.hasNext();) {
+                       Group group = it.next();
+                       if (!userGroupIds.contains(group.getID()))
+                               group.removeMember(user);
+               }
+       }
  }