core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java - syncope - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.syncope.core.provisioning.java.propagation;

 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
 import java.util.TreeSet;
 import org.apache.commons.jexl3.JexlContext;
 import org.apache.commons.jexl3.MapContext;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.syncope.common.lib.types.AnyTypeKind;
 import org.apache.syncope.core.persistence.api.dao.UserDAO;
 import org.apache.syncope.core.persistence.api.entity.group.Group;
 import org.apache.syncope.core.persistence.api.entity.task.PropagationTask;
 import org.apache.syncope.core.persistence.api.entity.user.User;
 import org.apache.syncope.core.provisioning.api.jexl.JexlUtils;
 import org.apache.syncope.core.persistence.api.dao.AnyTypeDAO;
 import org.apache.syncope.core.persistence.api.dao.GroupDAO;
 import org.apache.syncope.core.persistence.api.entity.resource.ExternalResource;
 import org.apache.syncope.core.persistence.api.entity.resource.Provision;
 import org.apache.syncope.core.provisioning.api.DerAttrHandler;
 import org.apache.syncope.core.provisioning.api.propagation.PropagationActions;
 import org.identityconnectors.framework.common.objects.Attribute;
 import org.identityconnectors.framework.common.objects.AttributeBuilder;
 import org.identityconnectors.framework.common.objects.AttributeUtil;
 import org.identityconnectors.framework.common.objects.ConnectorObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.transaction.annotation.Transactional;

 /**
  * Simple action for propagating group memberships to LDAP groups, when the same resource is configured for both users
  * and groups.
  *
  * @see org.apache.syncope.core.provisioning.java.pushpull.LDAPMembershipPullActions
  */
 public class LDAPMembershipPropagationActions implements PropagationActions {

     protected static final Logger LOG = LoggerFactory.getLogger(LDAPMembershipPropagationActions.class);

     @Autowired
     protected DerAttrHandler derAttrHandler;

     @Autowired
     protected AnyTypeDAO anyTypeDAO;

     @Autowired
     protected UserDAO userDAO;

     @Autowired
     protected GroupDAO groupDAO;

     /**
      * Allows easy subclassing for the ConnId AD connector bundle.
      *
      * @return the name of the attribute used to keep track of group memberships
      */
     protected static String getGroupMembershipAttrName() {
         return "ldapGroups";
     }

     @Transactional(readOnly = true)
     @Override
     public void before(final PropagationTask task, final ConnectorObject beforeObj) {
         Optional<? extends Provision> provision = task.getResource().getProvision(anyTypeDAO.findGroup());
         if (AnyTypeKind.USER == task.getAnyTypeKind()
                 && provision.isPresent() && provision.get().getMapping() != null
                 && StringUtils.isNotBlank(provision.get().getMapping().getConnObjectLink())) {

             User user = userDAO.find(task.getEntityKey());
             if (user != null) {
                 List<String> groupConnObjectLinks = new ArrayList<>();
                 userDAO.findAllGroupKeys(user).forEach(groupKey -> {
                     Group group = groupDAO.find(groupKey);
                     if (group != null && groupDAO.findAllResourceKeys(groupKey).contains(task.getResource().getKey())) {

                         String groupConnObjectLink = evaluateGroupConnObjectLink(
                                 provision.get().getMapping().getConnObjectLink(), group);

                         LOG.debug("ConnObjectLink for {} is '{}'", group, groupConnObjectLink);
                         if (StringUtils.isNotBlank(groupConnObjectLink)) {
                             groupConnObjectLinks.add(groupConnObjectLink);

                         }
                     }
                 });
                 LOG.debug("Group connObjectLinks to propagate for membership: {}", groupConnObjectLinks);

                 Set<Attribute> attributes = new HashSet<>(task.getAttributes());

                 Set<String> groups = new HashSet<>(groupConnObjectLinks);
                 Attribute ldapGroups = AttributeUtil.find(getGroupMembershipAttrName(), attributes);
                 if (ldapGroups != null) {
                     ldapGroups.getValue().forEach(obj -> groups.add(obj.toString()));
                     attributes.remove(ldapGroups);

                     if (beforeObj != null && beforeObj.getAttributeByName(getGroupMembershipAttrName()) != null) {
                         Set<String> connObjectLinks = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
                         buildManagedGroupConnObjectLinks(
                                 provision.get().getResource(),
                                 provision.get().getMapping().getConnObjectLink(),
                                 connObjectLinks);

                         Attribute beforeLdapGroups = beforeObj.getAttributeByName(getGroupMembershipAttrName());
                         LOG.debug("Memberships not managed by Syncope: {}", beforeLdapGroups);
                         beforeLdapGroups.getValue().stream().
                                 filter(value -> !connObjectLinks.contains(String.valueOf(value))).
                                 forEach(value -> groups.add(String.valueOf(value)));
                     }
                 }
                 LOG.debug("Add ldapGroups to attributes: {}", groups);
                 attributes.add(AttributeBuilder.build(getGroupMembershipAttrName(), groups));

                 task.setAttributes(attributes);
             }
         } else {
             LOG.debug("Not about user, or group mapping missing for resource: not doing anything");
         }
     }

     private String evaluateGroupConnObjectLink(final String connObjectLinkTemplate, final Group group) {
         LOG.debug("Evaluating connObjectLink for {}", group);

         JexlContext jexlContext = new MapContext();
         JexlUtils.addFieldsToContext(group, jexlContext);
         JexlUtils.addPlainAttrsToContext(group.getPlainAttrs(), jexlContext);
         JexlUtils.addDerAttrsToContext(group, derAttrHandler, jexlContext);

         return JexlUtils.evaluate(connObjectLinkTemplate, jexlContext);
     }

     private void buildManagedGroupConnObjectLinks(final ExternalResource externalResource,
             final String connObjectLinkTemplate, final Set<String> connObjectLinks) {
         List<Group> managedGroups = groupDAO.findByResource(externalResource);
         managedGroups.forEach(group -> connObjectLinks.add(evaluateGroupConnObjectLink(connObjectLinkTemplate, group)));
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.syncope.core.provisioning.java.propagation;

	import java.util.ArrayList;
	import java.util.HashSet;
	import java.util.List;
	import java.util.Optional;
	import java.util.Set;
	import java.util.TreeSet;
	import org.apache.commons.jexl3.JexlContext;
	import org.apache.commons.jexl3.MapContext;
	import org.apache.commons.lang3.StringUtils;
	import org.apache.syncope.common.lib.types.AnyTypeKind;
	import org.apache.syncope.core.persistence.api.dao.UserDAO;
	import org.apache.syncope.core.persistence.api.entity.group.Group;
	import org.apache.syncope.core.persistence.api.entity.task.PropagationTask;
	import org.apache.syncope.core.persistence.api.entity.user.User;
	import org.apache.syncope.core.provisioning.api.jexl.JexlUtils;
	import org.apache.syncope.core.persistence.api.dao.AnyTypeDAO;
	import org.apache.syncope.core.persistence.api.dao.GroupDAO;
	import org.apache.syncope.core.persistence.api.entity.resource.ExternalResource;
	import org.apache.syncope.core.persistence.api.entity.resource.Provision;
	import org.apache.syncope.core.provisioning.api.DerAttrHandler;
	import org.apache.syncope.core.provisioning.api.propagation.PropagationActions;
	import org.identityconnectors.framework.common.objects.Attribute;
	import org.identityconnectors.framework.common.objects.AttributeBuilder;
	import org.identityconnectors.framework.common.objects.AttributeUtil;
	import org.identityconnectors.framework.common.objects.ConnectorObject;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;
	import org.springframework.beans.factory.annotation.Autowired;
	import org.springframework.transaction.annotation.Transactional;

	/**
	* Simple action for propagating group memberships to LDAP groups, when the same resource is configured for both users
	* and groups.
	*
	* @see org.apache.syncope.core.provisioning.java.pushpull.LDAPMembershipPullActions
	*/
	public class LDAPMembershipPropagationActions implements PropagationActions {

	protected static final Logger LOG = LoggerFactory.getLogger(LDAPMembershipPropagationActions.class);

	@Autowired
	protected DerAttrHandler derAttrHandler;

	@Autowired
	protected AnyTypeDAO anyTypeDAO;

	@Autowired
	protected UserDAO userDAO;

	@Autowired
	protected GroupDAO groupDAO;

	/**
	* Allows easy subclassing for the ConnId AD connector bundle.
	*
	* @return the name of the attribute used to keep track of group memberships
	*/
	protected static String getGroupMembershipAttrName() {
	return "ldapGroups";
	}

	@Transactional(readOnly = true)
	@Override
	public void before(final PropagationTask task, final ConnectorObject beforeObj) {
	Optional<? extends Provision> provision = task.getResource().getProvision(anyTypeDAO.findGroup());
	if (AnyTypeKind.USER == task.getAnyTypeKind()
	&& provision.isPresent() && provision.get().getMapping() != null
	&& StringUtils.isNotBlank(provision.get().getMapping().getConnObjectLink())) {

	User user = userDAO.find(task.getEntityKey());
	if (user != null) {
	List<String> groupConnObjectLinks = new ArrayList<>();
	userDAO.findAllGroupKeys(user).forEach(groupKey -> {
	Group group = groupDAO.find(groupKey);
	if (group != null && groupDAO.findAllResourceKeys(groupKey).contains(task.getResource().getKey())) {

	String groupConnObjectLink = evaluateGroupConnObjectLink(
	provision.get().getMapping().getConnObjectLink(), group);

	LOG.debug("ConnObjectLink for {} is '{}'", group, groupConnObjectLink);
	if (StringUtils.isNotBlank(groupConnObjectLink)) {
	groupConnObjectLinks.add(groupConnObjectLink);

	}
	}
	});
	LOG.debug("Group connObjectLinks to propagate for membership: {}", groupConnObjectLinks);

	Set<Attribute> attributes = new HashSet<>(task.getAttributes());

	Set<String> groups = new HashSet<>(groupConnObjectLinks);
	Attribute ldapGroups = AttributeUtil.find(getGroupMembershipAttrName(), attributes);
	if (ldapGroups != null) {
	ldapGroups.getValue().forEach(obj -> groups.add(obj.toString()));
	attributes.remove(ldapGroups);

	if (beforeObj != null && beforeObj.getAttributeByName(getGroupMembershipAttrName()) != null) {
	Set<String> connObjectLinks = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
	buildManagedGroupConnObjectLinks(
	provision.get().getResource(),
	provision.get().getMapping().getConnObjectLink(),
	connObjectLinks);

	Attribute beforeLdapGroups = beforeObj.getAttributeByName(getGroupMembershipAttrName());
	LOG.debug("Memberships not managed by Syncope: {}", beforeLdapGroups);
	beforeLdapGroups.getValue().stream().
	filter(value -> !connObjectLinks.contains(String.valueOf(value))).
	forEach(value -> groups.add(String.valueOf(value)));
	}
	}
	LOG.debug("Add ldapGroups to attributes: {}", groups);
	attributes.add(AttributeBuilder.build(getGroupMembershipAttrName(), groups));

	task.setAttributes(attributes);
	}
	} else {
	LOG.debug("Not about user, or group mapping missing for resource: not doing anything");
	}
	}

	private String evaluateGroupConnObjectLink(final String connObjectLinkTemplate, final Group group) {
	LOG.debug("Evaluating connObjectLink for {}", group);

	JexlContext jexlContext = new MapContext();
	JexlUtils.addFieldsToContext(group, jexlContext);
	JexlUtils.addPlainAttrsToContext(group.getPlainAttrs(), jexlContext);
	JexlUtils.addDerAttrsToContext(group, derAttrHandler, jexlContext);

	return JexlUtils.evaluate(connObjectLinkTemplate, jexlContext);
	}

	private void buildManagedGroupConnObjectLinks(final ExternalResource externalResource,
	final String connObjectLinkTemplate, final Set<String> connObjectLinks) {
	List<Group> managedGroups = groupDAO.findByResource(externalResource);
	managedGroups.forEach(group -> connObjectLinks.add(evaluateGroupConnObjectLink(connObjectLinkTemplate, group)));
	}
	}