Author: stillalex
Date: Thu May 3 17:30:51 2018
New Revision: 1830845
URL: http://svn.apache.org/viewvc?rev=1830845&view=rev
Log:
OAK-7469 User membership synchronization could skip updating groups the user is
already part of
Modified:
jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java
Modified:
jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java?rev=1830845&r1=1830844&r2=1830845&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java
(original)
+++
jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java
Thu May 3 17:30:51 2018
@@ -549,27 +549,31 @@ public class DefaultSyncContext implemen
}
log.debug("- idp returned '{}'", extGroup.getId());
- Group grp;
- Authorizable a = userManager.getAuthorizable(extGroup.getId());
- if (a == null) {
- grp = createGroup(extGroup);
- log.debug("- created new group");
- } else if (a.isGroup() && isSameIDP(a)) {
- grp = (Group) a;
- } else {
- log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", extGroup.getId(), idp.getName());
- continue;
+ // mark group as processed
+ Group grp = declaredExternalGroups.remove(extGroup.getId());
+ boolean exists = grp != null;
+
+ if (!exists) {
+ Authorizable a = userManager.getAuthorizable(extGroup.getId());
+ if (a == null) {
+ grp = createGroup(extGroup);
+ log.debug("- created new group");
+ } else if (a.isGroup() && isSameIDP(a)) {
+ grp = (Group) a;
+ } else {
+ log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", extGroup.getId(), idp.getName());
+ continue;
+ }
+ log.debug("- user manager returned '{}'", grp);
}
- log.debug("- user manager returned '{}'", grp);
syncGroup(extGroup, grp);
- // ensure membership
- grp.addMember(auth);
- log.debug("- added '{}' as member to '{}'", auth, grp);
-
- // remember the declared group
- declaredExternalGroups.remove(grp.getID());
+ if (!exists) {
+ // ensure membership
+ grp.addMember(auth);
+ log.debug("- added '{}' as member to '{}'", auth, grp);
+ }
// recursively apply further membership
if (depth > 1) {
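Review bot: In the `!exists` branch the resolved group is no longer removed from `declaredExternalGroups` under its own id: the old code called `declaredExternalGroups.remove(grp.getID())` after resolving the group, while the new code only removes by `extGroup.getId()` before the lookup. If the id returned by the IDP can differ from the stored group id (for example in letter case; not visible here, so worth confirming), the entry stays in the map after `grp.addMember(auth)`, and whatever the code after the loop does with leftover entries would then apply to a group the user was just confirmed to belong to. Adding `declaredExternalGroups.remove(grp.getID());` after the `log.debug("- user manager returned '{}'", grp);` line keeps the earlier behaviour. The fast path also skips the `a.isGroup() && isSameIDP(a)` check, so a comment such as `// entries in declaredExternalGroups are already known to be groups of this IDP` at the `remove` call would record the assumption it relies on. The map's construction and the enclosing loop start and end outside this hunk.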