Google Git
Sign in
apache / syncope / edfa956032ee2aee3a8ee693f90132754955c29e / . / core / provisioning-java / src / main / java / org / apache / syncope / core / provisioning / java / pushpull / DefaultUserPullResultHandler.java
blob: 11cd1ba4900444ed7e64cdf261a3747ef24f8102 [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.syncope.core.provisioning.java.pushpull;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.syncope.common.lib.Attr;
import org.apache.syncope.common.lib.request.AnyCR;
import org.apache.syncope.common.lib.request.AnyUR;
import org.apache.syncope.common.lib.request.UserCR;
import org.apache.syncope.common.lib.request.UserUR;
import org.apache.syncope.common.lib.request.LinkedAccountUR;
import org.apache.syncope.common.lib.to.AnyTO;
import org.apache.syncope.common.lib.to.LinkedAccountTO;
import org.apache.syncope.common.lib.to.PropagationStatus;
import org.apache.syncope.common.lib.to.UserTO;
import org.apache.syncope.common.lib.types.AnyTypeKind;
import org.apache.syncope.common.lib.types.AuditElements;
import org.apache.syncope.common.lib.types.AuditElements.Result;
import org.apache.syncope.common.lib.types.MatchType;
import org.apache.syncope.common.lib.types.MatchingRule;
import org.apache.syncope.common.lib.types.PatchOperation;
import org.apache.syncope.common.lib.types.ResourceOperation;
import org.apache.syncope.common.lib.types.UnmatchingRule;
import org.apache.syncope.core.persistence.api.dao.PullMatch;
import org.apache.syncope.core.persistence.api.entity.Any;
import org.apache.syncope.core.persistence.api.entity.AnyUtils;
import org.apache.syncope.core.persistence.api.entity.Remediation;
import org.apache.syncope.core.persistence.api.entity.resource.Provision;
import org.apache.syncope.core.persistence.api.entity.user.LinkedAccount;
import org.apache.syncope.core.persistence.api.entity.user.User;
import org.apache.syncope.core.provisioning.api.PropagationByResource;
import org.apache.syncope.core.provisioning.api.ProvisioningManager;
import org.apache.syncope.core.provisioning.api.UserProvisioningManager;
import org.apache.syncope.core.provisioning.api.WorkflowResult;
import org.apache.syncope.core.provisioning.api.propagation.PropagationException;
import org.apache.syncope.common.lib.to.ProvisioningReport;
import org.apache.syncope.core.provisioning.api.pushpull.PullActions;
import org.apache.syncope.core.spring.security.AuthContextUtils;
import org.identityconnectors.framework.common.objects.SyncDelta;
import org.apache.syncope.core.provisioning.api.pushpull.UserPullResultHandler;
import org.identityconnectors.framework.common.objects.AttributeUtil;
import org.identityconnectors.framework.common.objects.SyncDeltaType;
import org.quartz.JobExecutionException;
import org.springframework.beans.factory.annotation.Autowired;
public class DefaultUserPullResultHandler extends AbstractPullResultHandler implements UserPullResultHandler {
@Autowired
private UserProvisioningManager userProvisioningManager;
@Override
protected AnyUtils getAnyUtils() {
return anyUtilsFactory.getInstance(AnyTypeKind.USER);
}
@Override
protected String getName(final AnyTO anyTO) {
return UserTO.class.cast(anyTO).getUsername();
}
@Override
protected String getName(final AnyCR anyCR) {
return UserCR.class.cast(anyCR).getUsername();
}
@Override
protected ProvisioningManager<?, ?> getProvisioningManager() {
return userProvisioningManager;
}
@Override
protected AnyTO getAnyTO(final Any<?> any) {
return userDataBinder.getUserTO((User) any, true);
}
@Override
protected WorkflowResult<? extends AnyUR> update(final AnyUR req) {
WorkflowResult<Pair<UserUR, Boolean>> update =
uwfAdapter.update((UserUR) req, profile.getExecutor(), getContext());
return new WorkflowResult<>(update.getResult().getLeft(), update.getPropByRes(), update.getPerformedTasks());
}
protected Boolean enabled(final SyncDelta delta) {
return profile.getTask().isSyncStatus() ? AttributeUtil.isEnabled(delta.getObject()) : null;
}
@Override
protected AnyTO doCreate(final AnyCR anyCR, final SyncDelta delta) {
Map.Entry<String, List<PropagationStatus>> created = userProvisioningManager.create(
UserCR.class.cast(anyCR),
true,
enabled(delta),
Set.of(profile.getTask().getResource().getKey()),
true,
profile.getExecutor(),
getContext());
return userDataBinder.getUserTO(created.getKey());
}
@Override
protected AnyUR doUpdate(
final AnyTO before,
final AnyUR anyUR,
final SyncDelta delta,
final ProvisioningReport result) {
Pair<UserUR, List<PropagationStatus>> updated = userProvisioningManager.update(
UserUR.class.cast(anyUR),
result,
enabled(delta),
Set.of(profile.getTask().getResource().getKey()),
true,
profile.getExecutor(),
getContext());
return updated.getLeft();
}
@Override
protected void handleLinkedAccounts(
final SyncDelta delta,
final List<PullMatch> matches,
final Provision provision) throws JobExecutionException {
for (PullMatch match : matches) {
User user = (User) match.getAny();
if (user == null) {
LOG.error("Could not find linking user, cannot process match {}", match);
return;
}
Optional<? extends LinkedAccount> found =
user.getLinkedAccount(provision.getResource().getKey(), delta.getUid().getUidValue());
if (found.isPresent()) {
LinkedAccount account = found.get();
if (SyncDeltaType.CREATE_OR_UPDATE == delta.getDeltaType()) {
switch (profile.getTask().getMatchingRule()) {
case UPDATE:
update(delta, account, provision).ifPresent(profile.getResults()::add);
break;
case DEPROVISION:
case UNASSIGN:
deprovision(profile.getTask().getMatchingRule(), delta, account).
ifPresent(profile.getResults()::add);
break;
case LINK:
case UNLINK:
LOG.warn("{} not applicable to linked accounts, ignoring",
profile.getTask().getMatchingRule());
break;
case IGNORE:
profile.getResults().add(ignore(delta, account, true));
break;
default:
// do nothing
}
} else if (SyncDeltaType.DELETE == delta.getDeltaType()) {
delete(delta, account, provision).ifPresent(profile.getResults()::add);
}
} else {
if (SyncDeltaType.CREATE_OR_UPDATE == delta.getDeltaType()) {
LinkedAccountTO accountTO = new LinkedAccountTO();
accountTO.setConnObjectKeyValue(delta.getUid().getUidValue());
accountTO.setResource(provision.getResource().getKey());
switch (profile.getTask().getUnmatchingRule()) {
case ASSIGN:
case PROVISION:
provision(profile.getTask().getUnmatchingRule(), delta, user, accountTO, provision).
ifPresent(profile.getResults()::add);
break;
case IGNORE:
profile.getResults().add(ignore(delta, null, false));
break;
default:
// do nothing
}
} else if (SyncDeltaType.DELETE == delta.getDeltaType()) {
end(
AnyTypeKind.USER,
ResourceOperation.DELETE.name().toLowerCase(),
AuditElements.Result.SUCCESS,
null,
null,
delta);
LOG.debug("No match found for deletion");
}
}
}
}
protected Optional<ProvisioningReport> deprovision(
final MatchingRule matchingRule,
final SyncDelta delta,
final LinkedAccount account) throws JobExecutionException {
if (!profile.getTask().isPerformUpdate()) {
LOG.debug("PullTask not configured for update");
end(AnyTypeKind.USER,
MatchingRule.toEventName(MatchingRule.UPDATE), Result.SUCCESS, null, null, delta);
return Optional.empty();
}
LOG.debug("About to deprovision {}", account);
ProvisioningReport report = new ProvisioningReport();
report.setOperation(ResourceOperation.DELETE);
report.setAnyType(MatchType.LINKED_ACCOUNT.name());
report.setStatus(ProvisioningReport.Status.SUCCESS);
report.setKey(account.getKey());
report.setUidValue(account.getConnObjectKeyValue());
LinkedAccountTO before = userDataBinder.getLinkedAccountTO(account);
if (!profile.isDryRun()) {
Object output = before;
Result resultStatus;
try {
if (matchingRule == MatchingRule.UNASSIGN) {
for (PullActions action : profile.getActions()) {
action.beforeUnassign(profile, delta, before);
}
} else if (matchingRule == MatchingRule.DEPROVISION) {
for (PullActions action : profile.getActions()) {
action.beforeDeprovision(profile, delta, before);
}
}
PropagationByResource<Pair<String, String>> propByLinkedAccount = new PropagationByResource<>();
propByLinkedAccount.add(
ResourceOperation.DELETE,
Pair.of(account.getResource().getKey(), account.getConnObjectKeyValue()));
taskExecutor.execute(propagationManager.getDeleteTasks(
AnyTypeKind.USER,
account.getOwner().getKey(),
null,
propByLinkedAccount,
null),
false,
AuthContextUtils.getUsername());
for (PullActions action : profile.getActions()) {
action.after(profile, delta, before, report);
}
resultStatus = Result.SUCCESS;
LOG.debug("Linked account {} successfully updated", account.getConnObjectKeyValue());
} catch (PropagationException e) {
// A propagation failure doesn't imply a pull failure.
// The propagation exception status will be reported into the propagation task execution.
LOG.error("Could not propagate linked acccount {}", account.getConnObjectKeyValue());
output = e;
resultStatus = Result.FAILURE;
} catch (Exception e) {
throwIgnoreProvisionException(delta, e);
report.setStatus(ProvisioningReport.Status.FAILURE);
report.setMessage(ExceptionUtils.getRootCauseMessage(e));
LOG.error("Could not update linked account {}", account, e);
output = e;
resultStatus = Result.FAILURE;
}
end(AnyTypeKind.USER, MatchingRule.toEventName(matchingRule), resultStatus, before, output, delta);
}
return Optional.of(report);
}
protected Optional<ProvisioningReport> provision(
final UnmatchingRule rule,
final SyncDelta delta,
final User user,
final LinkedAccountTO accountTO,
final Provision provision)
throws JobExecutionException {
if (!profile.getTask().isPerformCreate()) {
LOG.debug("PullTask not configured for create");
end(AnyTypeKind.USER, UnmatchingRule.toEventName(rule), Result.SUCCESS, null, null, delta);
return Optional.empty();
}
LOG.debug("About to create {}", accountTO);
ProvisioningReport report = new ProvisioningReport();
report.setOperation(ResourceOperation.CREATE);
report.setName(accountTO.getConnObjectKeyValue());
report.setUidValue(accountTO.getConnObjectKeyValue());
report.setAnyType(MatchType.LINKED_ACCOUNT.name());
report.setStatus(ProvisioningReport.Status.SUCCESS);
if (profile.isDryRun()) {
report.setKey(null);
end(AnyTypeKind.USER, UnmatchingRule.toEventName(rule), Result.SUCCESS, null, null, delta);
} else {
UserTO owner = userDataBinder.getUserTO(user, false);
UserCR connObject = connObjectUtils.getAnyCR(
delta.getObject(), profile.getTask(), provision, false);
if (connObject.getUsername().equals(owner.getUsername())) {
accountTO.setUsername(null);
} else if (!connObject.getUsername().equals(accountTO.getUsername())) {
accountTO.setUsername(connObject.getUsername());
}
if (connObject.getPassword() != null) {
accountTO.setPassword(connObject.getPassword());
}
accountTO.setSuspended(BooleanUtils.isTrue(BooleanUtils.negate(enabled(delta))));
connObject.getPlainAttrs().forEach(connObjectAttr -> {
Optional<Attr> ownerAttr = owner.getPlainAttr(connObjectAttr.getSchema());
if (ownerAttr.isPresent() && ownerAttr.get().getValues().equals(connObjectAttr.getValues())) {
accountTO.getPlainAttrs().removeIf(attr -> connObjectAttr.getSchema().equals(attr.getSchema()));
} else {
accountTO.getPlainAttrs().add(connObjectAttr);
}
});
for (PullActions action : profile.getActions()) {
if (rule == UnmatchingRule.ASSIGN) {
action.beforeAssign(profile, delta, accountTO);
} else if (rule == UnmatchingRule.PROVISION) {
action.beforeProvision(profile, delta, accountTO);
}
}
report.setName(accountTO.getConnObjectKeyValue());
UserUR req = new UserUR();
req.setKey(user.getKey());
req.getLinkedAccounts().add(new LinkedAccountUR.Builder().
operation(PatchOperation.ADD_REPLACE).linkedAccountTO(accountTO).build());
Result resultStatus;
Object output;
try {
userProvisioningManager.update(
req,
report,
null,
Set.of(profile.getTask().getResource().getKey()),
true,
profile.getExecutor(),
getContext());
LinkedAccountTO created = userDAO.find(req.getKey()).
getLinkedAccount(accountTO.getResource(), accountTO.getConnObjectKeyValue()).
map(acct -> userDataBinder.getLinkedAccountTO(acct)).
orElse(null);
output = created;
resultStatus = Result.SUCCESS;
for (PullActions action : profile.getActions()) {
action.after(profile, delta, created, report);
}
LOG.debug("Linked account {} successfully created", accountTO.getConnObjectKeyValue());
} catch (PropagationException e) {
// A propagation failure doesn't imply a pull failure.
// The propagation exception status will be reported into the propagation task execution.
LOG.error("Could not propagate linked acccount {}", accountTO.getConnObjectKeyValue());
output = e;
resultStatus = Result.FAILURE;
} catch (Exception e) {
throwIgnoreProvisionException(delta, e);
report.setStatus(ProvisioningReport.Status.FAILURE);
report.setMessage(ExceptionUtils.getRootCauseMessage(e));
LOG.error("Could not create linked account {} ", accountTO.getConnObjectKeyValue(), e);
output = e;
resultStatus = Result.FAILURE;
if (profile.getTask().isRemediation()) {
Remediation entity = entityFactory.newEntity(Remediation.class);
entity.setAnyType(provision.getAnyType());
entity.setOperation(ResourceOperation.UPDATE);
entity.setPayload(req);
entity.setError(report.getMessage());
entity.setInstant(new Date());
entity.setRemoteName(delta.getObject().getName().getNameValue());
entity.setPullTask(profile.getTask());
remediationDAO.save(entity);
}
}
end(AnyTypeKind.USER, UnmatchingRule.toEventName(rule), resultStatus, null, output, delta);
}
return Optional.of(report);
}
protected Optional<ProvisioningReport> update(
final SyncDelta delta,
final LinkedAccount account,
final Provision provision)
throws JobExecutionException {
if (!profile.getTask().isPerformUpdate()) {
LOG.debug("PullTask not configured for update");
end(AnyTypeKind.USER, MatchingRule.toEventName(MatchingRule.UPDATE), Result.SUCCESS, null, null, delta);
return Optional.empty();
}
LOG.debug("About to update {}", account);
ProvisioningReport report = new ProvisioningReport();
report.setOperation(ResourceOperation.UPDATE);
report.setKey(account.getKey());
report.setUidValue(account.getConnObjectKeyValue());
report.setName(account.getConnObjectKeyValue());
report.setAnyType(MatchType.LINKED_ACCOUNT.name());
report.setStatus(ProvisioningReport.Status.SUCCESS);
if (!profile.isDryRun()) {
LinkedAccountTO before = userDataBinder.getLinkedAccountTO(account);
UserTO owner = userDataBinder.getUserTO(account.getOwner(), false);
UserCR connObject = connObjectUtils.getAnyCR(
delta.getObject(), profile.getTask(), provision, false);
LinkedAccountTO update = userDataBinder.getLinkedAccountTO(account);
if (connObject.getUsername().equals(owner.getUsername())) {
update.setUsername(null);
} else if (!connObject.getUsername().equals(update.getUsername())) {
update.setUsername(connObject.getUsername());
}
if (connObject.getPassword() != null) {
update.setPassword(connObject.getPassword());
}
update.setSuspended(BooleanUtils.isTrue(BooleanUtils.negate(enabled(delta))));
Set<String> attrsToRemove = new HashSet<>();
connObject.getPlainAttrs().forEach(connObjectAttr -> {
Optional<Attr> ownerAttr = owner.getPlainAttr(connObjectAttr.getSchema());
if (ownerAttr.isPresent() && ownerAttr.get().getValues().equals(connObjectAttr.getValues())) {
attrsToRemove.add(connObjectAttr.getSchema());
} else {
Optional<Attr> updateAttr = update.getPlainAttr(connObjectAttr.getSchema());
if (updateAttr.isEmpty() || !updateAttr.get().getValues().equals(connObjectAttr.getValues())) {
attrsToRemove.add(connObjectAttr.getSchema());
update.getPlainAttrs().add(connObjectAttr);
}
}
});
update.getPlainAttrs().removeIf(attr -> attrsToRemove.contains(attr.getSchema()));
UserUR patch = new UserUR();
patch.setKey(account.getOwner().getKey());
patch.getLinkedAccounts().add(new LinkedAccountUR.Builder().
operation(PatchOperation.ADD_REPLACE).linkedAccountTO(update).build());
for (PullActions action : profile.getActions()) {
action.beforeUpdate(profile, delta, before, patch);
}
Result resultStatus;
Object output;
try {
userProvisioningManager.update(
patch,
report,
null,
Set.of(profile.getTask().getResource().getKey()),
true,
profile.getExecutor(),
getContext());
resultStatus = Result.SUCCESS;
LinkedAccountTO updated = userDAO.find(patch.getKey()).
getLinkedAccount(account.getResource().getKey(), account.getConnObjectKeyValue()).
map(acct -> userDataBinder.getLinkedAccountTO(acct)).
orElse(null);
output = updated;
resultStatus = Result.SUCCESS;
for (PullActions action : profile.getActions()) {
action.after(profile, delta, updated, report);
}
LOG.debug("Linked account {} successfully updated", account.getConnObjectKeyValue());
} catch (PropagationException e) {
// A propagation failure doesn't imply a pull failure.
// The propagation exception status will be reported into the propagation task execution.
LOG.error("Could not propagate linked acccount {}", account.getConnObjectKeyValue());
output = e;
resultStatus = Result.FAILURE;
} catch (Exception e) {
throwIgnoreProvisionException(delta, e);
report.setStatus(ProvisioningReport.Status.FAILURE);
report.setMessage(ExceptionUtils.getRootCauseMessage(e));
LOG.error("Could not update linked account {}", account, e);
output = e;
resultStatus = Result.FAILURE;
if (profile.getTask().isRemediation()) {
Remediation entity = entityFactory.newEntity(Remediation.class);
entity.setAnyType(provision.getAnyType());
entity.setOperation(ResourceOperation.UPDATE);
entity.setPayload(patch);
entity.setError(report.getMessage());
entity.setInstant(new Date());
entity.setRemoteName(delta.getObject().getName().getNameValue());
entity.setPullTask(profile.getTask());
remediationDAO.save(entity);
}
}
end(AnyTypeKind.USER, MatchingRule.toEventName(MatchingRule.UPDATE), resultStatus, before, output, delta);
}
return Optional.of(report);
}
protected Optional<ProvisioningReport> delete(
final SyncDelta delta,
final LinkedAccount account,
final Provision provision)
throws JobExecutionException {
if (!profile.getTask().isPerformDelete()) {
LOG.debug("PullTask not configured for delete");
end(AnyTypeKind.USER, ResourceOperation.DELETE.name().toLowerCase(), Result.SUCCESS, null, null, delta);
return Optional.empty();
}
LOG.debug("About to delete {}", account);
Object output;
Result resultStatus = Result.FAILURE;
ProvisioningReport report = new ProvisioningReport();
try {
report.setKey(account.getKey());
report.setName(account.getConnObjectKeyValue());
report.setUidValue(account.getConnObjectKeyValue());
report.setOperation(ResourceOperation.DELETE);
report.setAnyType(MatchType.LINKED_ACCOUNT.name());
report.setStatus(ProvisioningReport.Status.SUCCESS);
if (!profile.isDryRun()) {
LinkedAccountTO before = userDataBinder.getLinkedAccountTO(account);
for (PullActions action : profile.getActions()) {
action.beforeDelete(profile, delta, before);
}
UserUR req = new UserUR();
req.setKey(account.getOwner().getKey());
req.getLinkedAccounts().add(new LinkedAccountUR.Builder().
operation(PatchOperation.DELETE).linkedAccountTO(before).build());
try {
userProvisioningManager.update(
req,
report,
null,
Set.of(profile.getTask().getResource().getKey()),
true,
profile.getExecutor(),
getContext());
resultStatus = Result.SUCCESS;
output = null;
for (PullActions action : profile.getActions()) {
action.after(profile, delta, before, report);
}
} catch (Exception e) {
throwIgnoreProvisionException(delta, e);
report.setStatus(ProvisioningReport.Status.FAILURE);
report.setMessage(ExceptionUtils.getRootCauseMessage(e));
LOG.error("Could not delete linked account {}", account, e);
output = e;
if (profile.getTask().isRemediation()) {
Remediation entity = entityFactory.newEntity(Remediation.class);
entity.setAnyType(provision.getAnyType());
entity.setOperation(ResourceOperation.UPDATE);
entity.setPayload(req);
entity.setError(report.getMessage());
entity.setInstant(new Date());
entity.setRemoteName(delta.getObject().getName().getNameValue());
entity.setPullTask(profile.getTask());
remediationDAO.save(entity);
}
}
end(AnyTypeKind.USER,
ResourceOperation.DELETE.name().toLowerCase(), resultStatus, before, output, delta);
}
} catch (Exception e) {
LOG.error("Could not delete linked account {}", account, e);
}
return Optional.of(report);
}
protected ProvisioningReport ignore(
final SyncDelta delta,
final LinkedAccount account,
final boolean matching,
final String... message)
throws JobExecutionException {
LOG.debug("Linked account to ignore {}", delta.getObject().getUid().getUidValue());
ProvisioningReport report = new ProvisioningReport();
report.setName(delta.getUid().getUidValue());
report.setUidValue(delta.getUid().getUidValue());
report.setOperation(ResourceOperation.NONE);
report.setAnyType(MatchType.LINKED_ACCOUNT.name());
report.setStatus(ProvisioningReport.Status.SUCCESS);
if (message != null && message.length >= 1) {
report.setMessage(message[0]);
}
if (account != null) {
report.setKey(account.getKey());
}
end(AnyTypeKind.USER,
matching
? MatchingRule.toEventName(MatchingRule.IGNORE)
: UnmatchingRule.toEventName(UnmatchingRule.IGNORE),
AuditElements.Result.SUCCESS, null, null, delta);
return report;
}
}