Refactor JCR utils and home usage
index 0f59f1ee528c11561e8d9a67b6d4a3c13bb4b1d0..178785602d5aa7eff0ad8d5583c39210f0350fb0 100644 (file)
@@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2007-2012 Mathieu Baudier
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.argeo.security.ldap.jcr;
 
 import java.security.NoSuchAlgorithmException;
@@ -20,6 +35,7 @@ import javax.jcr.observation.Event;
 import javax.jcr.observation.EventIterator;
 import javax.jcr.observation.EventListener;
 import javax.jcr.query.Query;
+import javax.jcr.version.VersionManager;
 import javax.naming.Binding;
 import javax.naming.Name;
 import javax.naming.NamingException;
@@ -43,6 +59,7 @@ import org.argeo.ArgeoException;
 import org.argeo.jcr.ArgeoNames;
 import org.argeo.jcr.ArgeoTypes;
 import org.argeo.jcr.JcrUtils;
+import org.argeo.jcr.security.SecurityJcrUtils;
 import org.argeo.security.jcr.JcrUserDetails;
 import org.springframework.ldap.core.ContextExecutor;
 import org.springframework.ldap.core.ContextMapper;
@@ -185,10 +202,21 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
                                Node userProfile = it.nextNode();
                                String path = userProfile.getPath();
                                if (!userPaths.contains(path)) {
+                                       log.warn("Path "
+                                                       + path
+                                                       + " not found in LDAP, disabling user "
+                                                       + userProfile.getProperty(ArgeoNames.ARGEO_USER_ID)
+                                                                       .getString());
+                                       VersionManager versionManager = securitySession
+                                                       .getWorkspace().getVersionManager();
+                                       versionManager.checkout(userProfile.getPath());
                                        userProfile.setProperty(ArgeoNames.ARGEO_ENABLED, false);
+                                       securitySession.save();
+                                       versionManager.checkin(userProfile.getPath());
                                }
                        }
                } catch (Exception e) {
+                       JcrUtils.discardQuietly(securitySession);
                        throw new ArgeoException("Cannot synchronized LDAP and JCR", e);
                }
        }
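Review bot: The checkout on the profile (L51) is not paired with the checkin (L54) in a finally, so if `setProperty` or `securitySession.save()` throws, the catch at L57 discards the session and rethrows while the node stays checked out, and the loop aborts so later stale profiles are never disabled. The `getProperty(ArgeoNames.ARGEO_USER_ID).getString()` call in the log message (L47) can also throw before the checkout happens. The same unpaired checkout/checkin appears in the legacy-migration block of mapLdapToJcr in the last hunk. A per-user try/finally, discarding pending changes before checkin on failure so checkin does not fail on a dirty item, keeps the versioning state consistent; the enclosing method begins outside the hunk.
```java
// … unchanged: query loop, path lookup …
VersionManager versionManager = securitySession.getWorkspace().getVersionManager();
versionManager.checkout(path);
try {
	userProfile.setProperty(ArgeoNames.ARGEO_ENABLED, false);
	securitySession.save();
} catch (RepositoryException e) {
	JcrUtils.discardQuietly(securitySession);
	throw e;
} finally {
	versionManager.checkin(path);
}
```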
@@ -196,11 +224,12 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
        /** Called during authentication in order to retrieve user details */
        public UserDetails mapUserFromContext(final DirContextOperations ctx,
                        final String username, GrantedAuthority[] authorities) {
+               log.debug("mapUserFromContext");
                if (ctx == null)
                        throw new ArgeoException("No LDAP information for user " + username);
-               Node userHome = JcrUtils.getUserHome(securitySession, username);
-               if (userHome == null)
-                       throw new ArgeoException("No JCR information for user " + username);
+               Node userProfile = SecurityJcrUtils.createUserProfileIfNeeded(securitySession,
+                               username);
+               JcrUserDetails.checkAccountStatus(userProfile);
 
                // password
                SortedSet<?> passwordAttributes = ctx
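Review bot: mapUserFromContext now writes through the shared `securitySession` (`SecurityJcrUtils.createUserProfileIfNeeded`, L72) on the authentication path, but unlike mapLdapToJcr, which gains `synchronized` in the last hunk, this method has no synchronization; a JCR Session is not thread-safe, so concurrent logins can interleave reads and pending changes on the same session. The previous fail-closed branch (`userHome == null` → throw) is replaced by profile creation, so any username that reached this mapper now gets a JCR profile created as a side effect of authenticating; if that is intended it deserves a one-line comment stating that LDAP authentication has already succeeded at this point. The bare `log.debug("mapUserFromContext")` carries no context; `log.debug("mapUserFromContext " + username);` (or no log at all) would be more useful. The method continues in the next hunk.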
@@ -216,8 +245,7 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
                }
 
                try {
-                       return new JcrUserDetails(userHome.getNode(ARGEO_PROFILE),
-                                       password, authorities);
+                       return new JcrUserDetails(userProfile, password, authorities);
                } catch (RepositoryException e) {
                        throw new ArgeoException("Cannot retrieve user details for "
                                        + username, e);
@@ -229,17 +257,31 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
         * 
         * @return path to user profile
         */
-       protected String mapLdapToJcr(DirContextAdapter ctx) {
+       protected synchronized String mapLdapToJcr(DirContextAdapter ctx) {
                Session session = securitySession;
                try {
                        // process
                        String username = ctx.getStringAttribute(usernameAttribute);
-                       Node userHome = JcrUtils.createUserHomeIfNeeded(session, username);
+                       Node userHome = SecurityJcrUtils.createUserHomeIfNeeded(session, username);
                        Node userProfile; // = userHome.getNode(ARGEO_PROFILE);
                        if (userHome.hasNode(ARGEO_PROFILE)) {
                                userProfile = userHome.getNode(ARGEO_PROFILE);
+
+                               // compatibility with legacy, will be removed
+                               if (!userProfile.hasProperty(ARGEO_ENABLED)) {
+                                       session.getWorkspace().getVersionManager()
+                                                       .checkout(userProfile.getPath());
+                                       userProfile.setProperty(ARGEO_ENABLED, true);
+                                       userProfile.setProperty(ARGEO_ACCOUNT_NON_EXPIRED, true);
+                                       userProfile.setProperty(ARGEO_ACCOUNT_NON_LOCKED, true);
+                                       userProfile
+                                                       .setProperty(ARGEO_CREDENTIALS_NON_EXPIRED, true);
+                                       session.save();
+                                       session.getWorkspace().getVersionManager()
+                                                       .checkin(userProfile.getPath());
+                               }
                        } else {
-                               userProfile = JcrUtils.createUserProfile(securitySession,
+                               userProfile = SecurityJcrUtils.createUserProfile(securitySession,
                                                username);
                                userProfile.getSession().save();
                                userProfile.getSession().getWorkspace().getVersionManager()
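Review bot: L119 passes `securitySession` while every other call in mapLdapToJcr uses the `session` alias declared at L94; use one consistently, e.g. `userProfile = SecurityJcrUtils.createUserProfile(session, username);`. The legacy block (L104-L116) looks up `session.getWorkspace().getVersionManager()` twice and, like the disable loop in the earlier hunk, leaves the checkout unpaired if `session.save()` fails. It also defaults all four account flags to true, which is the permissive choice; a comment such as `// legacy profiles predate the account flags and were all active, so default them to enabled/non-locked/non-expired` would record why that is acceptable rather than leaving it implicit. The method body continues past this hunk.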