Package com.atlassian.crowd.directory

Class RFC4519Directory

java.lang.Object

com.atlassian.crowd.directory.SpringLDAPConnector

com.atlassian.crowd.directory.RFC4519Directory

All Implemented Interfaces:

LDAPDirectory, RemoteDirectory, Attributes

Direct Known Subclasses:

ApacheDS, MicrosoftActiveDirectory, NovelleDirectory, OpenLDAP, SunONE

public abstract class RFC4519Directory
extends SpringLDAPConnector

Read-write, nesting-aware implementation of RFC4519 user-group membership interactions.

A user is a member of a group if either:

• the DN of user is present in the collection of member attribute values of the group
• the user has a memberOf attribute which contains the DN of the group (must be enabled via LDAPPropertiesMapper)

See Also:

• RFC2307GidNumberMapper
• RFC2307MemberUidMapper

Field Summary

Fields

Modifier and Type	Field	Description
static final ContextMapperWithRequiredAttributes<CrowdLdapName>	DN_MAPPER

Fields inherited from class com.atlassian.crowd.directory.SpringLDAPConnector

attributes, contextSource, contextSourceTransactionManager, DEFAULT_PAGE_SIZE, eventPublisher, ldapPropertiesMapper, ldapQueryTranslater, ldapTemplate, nameConverter, searchDN

Constructor Summary

Constructors

Constructor	Description
RFC4519Directory(LDAPQueryTranslater ldapQueryTranslater, com.atlassian.event.api.EventPublisher eventPublisher, InstanceFactory instanceFactory, LdapContextSourceProvider ldapContextSourceProvider)

Method Summary

Modifier and Type	Method	Description
protected void	addDnToGroup(String dn, LDAPGroupWithAttributes group)
void	addGroupToGroup(String childGroup, String parentGroup)	Adds a group as a member of a parent group.
void	addUserToGroup(String username, String groupName)	Adds a user as a member of a group.
protected Iterable<CrowdLdapName>	findAdditionalDirectMembers(CrowdLdapName groupDn, Supplier<Optional<LDAPGroupWithAttributes>> group, GroupUserCache groupUserCache)
Iterable<CrowdLdapName>	findDirectMembersOfGroup(CrowdLdapName groupDn, ContextMapperWithRequiredAttributes<CrowdLdapName> dnMapper, GroupUserCache groupUserCache)	This method is not part of RemoteDirectory's contract.
protected Iterable<String>	findGroupMembershipNames(MembershipQuery<String> query)
protected List<? extends LDAPGroupWithAttributes>	findGroupMemberships(MembershipQuery<? extends LDAPGroupWithAttributes> query)
protected <T> List<T>	findGroupMembershipsOfUserViaMemberOf(String username, int startIndex, int maxResults, com.atlassian.crowd.directory.RFC4519Directory.LookupByDn<T> mapper)
protected List<LDAPUserWithAttributes>	findUserMembersOfGroupViaMemberDN(String groupName, GroupType groupType, int startIndex, int maxResults)
protected Iterable<LDAPUserWithAttributes>	findUserMembersOfGroupViaMemberOf(String groupName, GroupType groupType, int startIndex, int maxResults)
protected List<AttributeMapper>	getCustomGroupAttributeMappers()	As a minimum, this SHOULD provide an attribute mapper that maps the group members attribute (if available).
protected List<AttributeMapper>	getCustomUserAttributeMappers(UserContextMapperConfig config)
protected List<AttributeMapper>	getMemberDnMappers()
protected List<AttributeMapper>	getMemberOnlyGroupAttributeMappers()	As a minimum, this SHOULD provide an attribute mapper that maps the group members attribute (if available).
Iterable<Membership>	getMemberships()	Get an iterable view of the available group memberships.
protected boolean	isDirectGroupMemberOf(LDAPUserWithAttributes user, String groupDN)
protected boolean	isDnDirectGroupMember(String memberDN, LDAPGroupWithAttributes parentGroup)
boolean	isGroupDirectGroupMember(String childGroup, String parentGroup)	Determines if a group is a direct member of another group.
boolean	isUserDirectGroupMember(String username, String groupName)	Determines if a user is a direct member of a group.
protected org.springframework.ldap.filter.AndFilter	prepareOrFilterForGroupProperty(String propertyName, List<String> propertyValues)
protected void	removeDnFromGroup(String dn, LDAPGroupWithAttributes group)
void	removeGroupFromGroup(String childGroup, String parentGroup)	Removes a group as a member of a parent group.
void	removeUserFromGroup(String username, String groupName)	Removes a user as a member of a group.
protected <T> Iterable<T>	searchGroupRelationshipsWithGroupTypeSpecified(MembershipQuery<T> query)	Execute the search for group relationships given that a group of type GROUP or LEGACY_ROLE has been specified in the EntityDescriptor for the group(s).
protected Collection<LDAPGroupWithAttributes>	searchGroupsByAttribute(Set<String> propertyValues, Function<List<String>,org.springframework.ldap.filter.Filter> filterFunction)
Collection<LDAPGroupWithAttributes>	searchGroupsByDns(Set<String> groupsDn)
protected static <T> Iterable<T>	toGenericIterable(Iterable list)	Converts an Iterable to a generic Iterable.

Methods inherited from class com.atlassian.crowd.directory.SpringLDAPConnector

addDefaultSnToUserAttributes, addDefaultValueToUserAttributesForAttribute, addGroup, addUser, addUser, authenticate, avatarMapper, countDirectMembersOfGroup, createModificationItem, expireAllPasswords, findEntityByDN, findEntityByDN, findEntityByDN, findGroupByName, findGroupByNameAndType, findGroupWithAttributesByName, findUserByExternalId, findUserByName, findUserWithAttributesByName, getAttributeAsBoolean, getAttributeAsLong, getAuthoritativeDirectory, getBaseEnvironmentProperties, getContextSource, getCredentialEncoder, getDirectoryId, getGroupContextMapper, getGroupContextMapper, getInitialGroupMemberDN, getKeys, getLdapPropertiesMapper, getNewGroupAttributes, getNewGroupDirectorySpecificAttributes, getNewUserAttributes, getNewUserDirectorySpecificAttributes, getRequiredCustomGroupAttributeMappers, getSearchControls, getSearchDN, getUserAvatarByName, getUserModificationItems, getValue, getValues, isEmpty, isRolesDisabled, pageSearchResults, postprocessGroup, postprocessGroups, removeGroup, removeGroupAttributes, removeUser, removeUserAttributes, renameGroup, renameUser, searchEntities, searchEntitiesWithRequestControls, searchGroupObjects, searchGroupObjectsOfSpecifiedGroupType, searchGroupRelationships, searchGroups, searchUserObjects, searchUsers, searchUsers, setAttributes, setDirectoryId, setLdapPropertiesMapperAttributes, storeGroupAttributes, storeUserAttributes, supportsInactiveAccounts, supportsNestedGroups, supportsPasswordExpiration, supportsSettingEncryptedCredential, testConnection, typedEntityNotFoundException, updateGroup, updateUser, updateUserCredential

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface com.atlassian.crowd.directory.RemoteDirectory

getDescriptiveName, getLocallyFilteredGroupNames, updateUserFromRemoteDirectory, userAuthenticated

Field Details

DN_MAPPER

public static final ContextMapperWithRequiredAttributes<CrowdLdapName> DN_MAPPER

Constructor Details

RFC4519Directory

public RFC4519Directory(LDAPQueryTranslater ldapQueryTranslater,
 com.atlassian.event.api.EventPublisher eventPublisher,
 InstanceFactory instanceFactory,
 LdapContextSourceProvider ldapContextSourceProvider)

Method Details

getCustomGroupAttributeMappers

protected List<AttributeMapper> getCustomGroupAttributeMappers()

Description copied from class: SpringLDAPConnector

As a minimum, this SHOULD provide an attribute mapper that maps the group members attribute (if available).

Overrides:

getCustomGroupAttributeMappers in class SpringLDAPConnector

Returns:

collection of custom attribute mappers (cannot be null but can be an empty list).

getMemberOnlyGroupAttributeMappers

protected List<AttributeMapper> getMemberOnlyGroupAttributeMappers()

Description copied from class: SpringLDAPConnector

As a minimum, this SHOULD provide an attribute mapper that maps the group members attribute (if available).

Overrides:

getMemberOnlyGroupAttributeMappers in class SpringLDAPConnector

Returns:

collection of custom attribute mappers (cannot be null but can be an empty list).

getMemberDnMappers

protected List<AttributeMapper> getMemberDnMappers()

getCustomUserAttributeMappers

protected List<AttributeMapper> getCustomUserAttributeMappers(UserContextMapperConfig config)

Overrides:

getCustomUserAttributeMappers in class SpringLDAPConnector

Returns:

a collection of custom attribute mappers. By default just return an empty list.

searchGroupsByDns

public Collection<LDAPGroupWithAttributes> searchGroupsByDns(Set<String> groupsDn)
                                                      throws OperationFailedException

Throws:

OperationFailedException

searchGroupsByAttribute

protected Collection<LDAPGroupWithAttributes> searchGroupsByAttribute(Set<String> propertyValues,
 Function<List<String>,org.springframework.ldap.filter.Filter> filterFunction)
                                                               throws OperationFailedException

Throws:

OperationFailedException

prepareOrFilterForGroupProperty

protected org.springframework.ldap.filter.AndFilter prepareOrFilterForGroupProperty(String propertyName,
 List<String> propertyValues)

isDnDirectGroupMember

protected boolean isDnDirectGroupMember(String memberDN,
 LDAPGroupWithAttributes parentGroup)

isDirectGroupMemberOf

protected boolean isDirectGroupMemberOf(LDAPUserWithAttributes user,
 String groupDN)

isUserDirectGroupMember

public boolean isUserDirectGroupMember(String username,
 String groupName)
                                throws OperationFailedException

Description copied from interface: RemoteDirectory

Determines if a user is a direct member of a group. The directory is NOT expected to resolve any transitive group relationships.

Parameters:

username - name of user.

groupName - name of group.

Returns:

true iff the user is a direct member of the group.

Throws:

OperationFailedException - underlying directory implementation failed to execute the operation.

isGroupDirectGroupMember

public boolean isGroupDirectGroupMember(String childGroup,
 String parentGroup)
                                 throws OperationFailedException

Description copied from interface: RemoteDirectory

Determines if a group is a direct member of another group. The directory is NOT expected to resolve any transitive group relationships.

Parameters:

childGroup - name of child group.

parentGroup - name of parent group.

Returns:

true iff the childGroup is a direct member of the parentGroup.

Throws:

OperationFailedException - underlying directory implementation failed to execute the operation.

addDnToGroup

protected void addDnToGroup(String dn,
 LDAPGroupWithAttributes group)
                     throws OperationFailedException

Throws:

OperationFailedException

addUserToGroup

public void addUserToGroup(String username,
 String groupName)
                    throws GroupNotFoundException,
OperationFailedException,
UserNotFoundException,
MembershipAlreadyExistsException

Description copied from interface: RemoteDirectory

Adds a user as a member of a group. This means that all user members of childGroup will appear as members of parentGroup to querying applications.

Parameters:

username - The user that will become a member of groupName

groupName - The group that will gain a new member.

Throws:

GroupNotFoundException - If the group cannot be found.

OperationFailedException - underlying directory implementation failed to execute the operation.

UserNotFoundException - If the user cannot be found.

MembershipAlreadyExistsException - if the user is already a member of the group

addGroupToGroup

public void addGroupToGroup(String childGroup,
 String parentGroup)
                     throws GroupNotFoundException,
InvalidMembershipException,
OperationFailedException,
MembershipAlreadyExistsException

Description copied from interface: RemoteDirectory

Adds a group as a member of a parent group.

Parameters:

childGroup - The group that will become a member of parentGroup

parentGroup - The group that will gain a new member

Throws:

GroupNotFoundException - One or both of the groups cannot be found.

InvalidMembershipException - if the childGroup and parentGroup exist but are of different GroupTypes.

OperationFailedException - underlying directory implementation failed to execute the operation.

MembershipAlreadyExistsException - if the child group is already a child of the parent group

removeDnFromGroup

protected void removeDnFromGroup(String dn,
 LDAPGroupWithAttributes group)
                          throws OperationFailedException

Throws:

OperationFailedException

removeUserFromGroup

public void removeUserFromGroup(String username,
 String groupName)
                         throws UserNotFoundException,
GroupNotFoundException,
MembershipNotFoundException,
OperationFailedException

Description copied from interface: RemoteDirectory

Removes a user as a member of a group.

Parameters:

username - The user that will be removed from parentGroup

groupName - The group that will lose the member.

Throws:

UserNotFoundException - If the user cannot be found.

GroupNotFoundException - If the group cannot be found.

MembershipNotFoundException - if the user is not a direct member of the group.

OperationFailedException - underlying directory implementation failed to execute the operation.

removeGroupFromGroup

public void removeGroupFromGroup(String childGroup,
 String parentGroup)
                          throws GroupNotFoundException,
MembershipNotFoundException,
InvalidMembershipException,
OperationFailedException

Description copied from interface: RemoteDirectory

Removes a group as a member of a parent group.

Parameters:

childGroup - The group that will be removed from parentGroup

parentGroup - The group that will lose the member.

Throws:

GroupNotFoundException - One or both of the groups cannot be found.

MembershipNotFoundException - if the childGroup is not a direct member of the parentGroup.

InvalidMembershipException - if the childGroup and parentGroup exist but are of different GroupTypes.

OperationFailedException - underlying directory implementation failed to execute the operation.

getMemberships

public Iterable<Membership> getMemberships()
                                    throws OperationFailedException

Description copied from interface: RemoteDirectory

Get an iterable view of the available group memberships. This may be implemented as a single remote call or separate calls, depending on the directory.

If there is a failure in the underlying retrieval, the iterator may throw Membership.MembershipIterationException at runtime.

If the directory does not have a bulk call interface then a typical implementation would be:

 
 return new DirectoryMembershipsIterable(this);
 
 

Returns:

an iterable view of the available group memberships

Throws:

OperationFailedException - if the underlying directory implementation failed to execute the operation

searchGroupRelationshipsWithGroupTypeSpecified

protected <T> Iterable<T> searchGroupRelationshipsWithGroupTypeSpecified(MembershipQuery<T> query)
                                                                  throws OperationFailedException

Description copied from class: SpringLDAPConnector

Execute the search for group relationships given that a group of type GROUP or LEGACY_ROLE has been specified in the EntityDescriptor for the group(s).

Specified by:

searchGroupRelationshipsWithGroupTypeSpecified in class SpringLDAPConnector

Parameters:

query - membership query with all GroupType's not null.

Returns:

list of members or memberships depending on the query.

Throws:

OperationFailedException - if the operation failed due to a communication error with the remote directory, or if the query is invalid

findGroupMemberships

protected List<? extends LDAPGroupWithAttributes> findGroupMemberships(MembershipQuery<? extends LDAPGroupWithAttributes> query)
                                                                throws OperationFailedException

Throws:

OperationFailedException

findGroupMembershipNames

protected Iterable<String> findGroupMembershipNames(MembershipQuery<String> query)
                                             throws OperationFailedException

Throws:

OperationFailedException

findGroupMembershipsOfUserViaMemberOf

protected <T> List<T> findGroupMembershipsOfUserViaMemberOf(String username,
 int startIndex,
 int maxResults,
 com.atlassian.crowd.directory.RFC4519Directory.LookupByDn<T> mapper)
                                                     throws OperationFailedException

Throws:

OperationFailedException

findUserMembersOfGroupViaMemberDN

protected List<LDAPUserWithAttributes> findUserMembersOfGroupViaMemberDN(String groupName,
 GroupType groupType,
 int startIndex,
 int maxResults)
                                                                  throws OperationFailedException

Throws:

OperationFailedException

findUserMembersOfGroupViaMemberOf

protected Iterable<LDAPUserWithAttributes> findUserMembersOfGroupViaMemberOf(String groupName,
 GroupType groupType,
 int startIndex,
 int maxResults)
                                                                      throws OperationFailedException

Throws:

OperationFailedException

toGenericIterable

protected static <T> Iterable<T> toGenericIterable(Iterable list)

Converts an Iterable to a generic Iterable.

findDirectMembersOfGroup

public Iterable<CrowdLdapName> findDirectMembersOfGroup(CrowdLdapName groupDn,
 ContextMapperWithRequiredAttributes<CrowdLdapName> dnMapper,
 GroupUserCache groupUserCache)
                                                 throws OperationFailedException

This method is not part of RemoteDirectory's contract. It is introduced by RFC4519Directory to support RFC4519DirectoryMembershipsIterable. Children of this class can add additional groups by overriding findAdditionalDirectMembers(CrowdLdapName, Supplier, GroupUserCache)

Parameters:

groupDn - LDAP name of a group

dnMapper - mapper that converts the LDAP search result into an CrowdLdapName

groupUserCache - Contains details of any groups/users that have already been retrieved.

Returns:

the LDAP names of the direct members (users and groups) of the given group

Throws:

OperationFailedException - if the operation fails for any reason

findAdditionalDirectMembers

protected Iterable<CrowdLdapName> findAdditionalDirectMembers(CrowdLdapName groupDn,
 @Nullable
 Supplier<Optional<LDAPGroupWithAttributes>> group,
 GroupUserCache groupUserCache)
                                                       throws OperationFailedException

Throws:

OperationFailedException