SYNCOPE-1853 avoid unwanted user/any deprovision on group delete (#958)
* [SYNCOPE-1853] Avoid unwanted user/any object propagation on group delete
andrea-patricelli committed Jan 21, 2025
1 parent 4607be4 commit 0e3d072
Showing 2 changed files with 67 additions and 3 deletions.
Expand Up @@ -48,13 +48,13 @@
import org.apache.syncope.core.persistence.api.dao.RelationshipTypeDAO;
import org.apache.syncope.core.persistence.api.dao.UserDAO;
import org.apache.syncope.core.persistence.api.dao.search.SearchCond;
import org.apache.syncope.core.persistence.api.entity.Any;
import org.apache.syncope.core.persistence.api.entity.AnyType;
import org.apache.syncope.core.persistence.api.entity.AnyTypeClass;
import org.apache.syncope.core.persistence.api.entity.AnyUtilsFactory;
import org.apache.syncope.core.persistence.api.entity.DerSchema;
import org.apache.syncope.core.persistence.api.entity.DynGroupMembership;
import org.apache.syncope.core.persistence.api.entity.EntityFactory;
import org.apache.syncope.core.persistence.api.entity.GroupableRelatable;
import org.apache.syncope.core.persistence.api.entity.Realm;
import org.apache.syncope.core.persistence.api.entity.VirSchema;
import org.apache.syncope.core.persistence.api.entity.anyobject.ADynGroupMembership;
Expand Down Expand Up @@ -445,11 +445,17 @@ public GroupTO getGroupTO(final String key) {
}

protected static void populateTransitiveResources(
final Group group, final Any<?> any, final Map<String, PropagationByResource<String>> result) {
final Group group,
final GroupableRelatable<?, ?, ?, ?, ?> any,
final Map<String, PropagationByResource<String>> result) {

PropagationByResource<String> propByRes = new PropagationByResource<>();
group.getResources().forEach(resource -> {
if (!any.getResources().contains(resource)) {
// exclude from propagation those objects that have that resource assigned by some other membership(s)
if (!any.getResources().contains(resource) && any.getMemberships().stream()
.filter(otherGrpMemb -> !otherGrpMemb.getRightEnd().equals(group))
.noneMatch(otherGrpMemb -> otherGrpMemb.getRightEnd().getResources().stream()
.anyMatch(r -> resource.getKey().equals(r.getKey())))) {
propByRes.add(ResourceOperation.DELETE, resource.getKey());
}

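Review bot: The new exclusion inside the `group.getResources().forEach` lambda consults only `any.getMemberships()`, so a resource that the object still receives through a dynamic membership of another group would presumably still get a `DELETE` queued; the file imports `DynGroupMembership`, but whether such memberships should count here is not visible in this hunk and is worth confirming. If the static-only scope is intended, state it in the comment, e.g. `// only static memberships are considered; dynamic memberships are not checked here`. The membership scan is also repeated for every resource of the group and matches by `getKey()`, while the first half of the condition relies on `contains(resource)`; collecting the resource keys of the other memberships once before the loop would make the deprovisioning decision easier to audit. The body of `populateTransitiveResources` continues past the end of this hunk.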
Expand Up @@ -18,6 +18,7 @@
*/
package org.apache.syncope.fit.core;

import static org.awaitility.Awaitility.await;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
Expand All @@ -40,6 +41,8 @@
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.naming.NamingException;
import org.apache.commons.lang3.tuple.Triple;
import org.apache.cxf.helpers.IOUtils;
Expand Down Expand Up @@ -71,6 +74,7 @@
import org.apache.syncope.common.lib.to.MembershipTO;
import org.apache.syncope.common.lib.to.PlainSchemaTO;
import org.apache.syncope.common.lib.to.PropagationStatus;
import org.apache.syncope.common.lib.to.PropagationTaskTO;
import org.apache.syncope.common.lib.to.ProvisioningResult;
import org.apache.syncope.common.lib.to.PushTaskTO;
import org.apache.syncope.common.lib.to.RealmTO;
Expand All @@ -93,13 +97,15 @@
import org.apache.syncope.common.lib.types.PolicyType;
import org.apache.syncope.common.lib.types.ResourceAssociationAction;
import org.apache.syncope.common.lib.types.ResourceDeassociationAction;
import org.apache.syncope.common.lib.types.ResourceOperation;
import org.apache.syncope.common.lib.types.SchemaType;
import org.apache.syncope.common.lib.types.StatusRType;
import org.apache.syncope.common.lib.types.TaskType;
import org.apache.syncope.common.lib.types.UnmatchingRule;
import org.apache.syncope.common.rest.api.RESTHeaders;
import org.apache.syncope.common.rest.api.beans.RealmQuery;
import org.apache.syncope.common.rest.api.beans.ReconQuery;
import org.apache.syncope.common.rest.api.beans.TaskQuery;
import org.apache.syncope.common.rest.api.service.UserService;
import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
import org.apache.syncope.core.provisioning.java.propagation.DBPasswordPropagationActions;
Expand Down Expand Up @@ -1839,4 +1845,56 @@ void issueSYNCOPE1818() {
jdbcTemplate.update("DELETE FROM TESTPULL WHERE USERNAME = 'rossini'");
}
}

@Test
void issueSYNCOPE1853() {
GroupTO cGroupForPropagation = createGroup(
new GroupCR.Builder(SyncopeConstants.ROOT_REALM, "cGroupForPropagation")
.resource(RESOURCE_NAME_LDAP)
.build()).getEntity();
GroupTO dGroupForPropagation = createGroup(
new GroupCR.Builder(SyncopeConstants.ROOT_REALM, "dGroupForPropagation")
.resource(RESOURCE_NAME_LDAP)
.build()).getEntity();
// 1. assign both groups cGroupForPropagation and dGroupForPropagation with resource-csv to bellini
updateUser(new UserUR.Builder("c9b2dec2-00a7-4855-97c0-d854842b4b24").memberships(
new MembershipUR.Builder(cGroupForPropagation.getKey()).build(),
new MembershipUR.Builder(dGroupForPropagation.getKey()).build()).build());
// 2. assign cGroupForPropagation also to vivaldi
updateUser(new UserUR.Builder("b3cbc78d-32e6-4bd4-92e0-bbe07566a2ee").membership(
new MembershipUR.Builder(dGroupForPropagation.getKey()).build()).build());
// 3. propagation tasks cleanup
TASK_SERVICE.search(
new TaskQuery.Builder(TaskType.PROPAGATION)
.anyTypeKind(AnyTypeKind.USER)
.resource(RESOURCE_NAME_LDAP)
.entityKey("c9b2dec2-00a7-4855-97c0-d854842b4b24")
.build()).getResult()
.forEach(pt -> TASK_SERVICE.delete(TaskType.PROPAGATION, pt.getKey()));
TASK_SERVICE.search(
new TaskQuery.Builder(TaskType.PROPAGATION)
.anyTypeKind(AnyTypeKind.USER)
.resource(RESOURCE_NAME_LDAP)
.entityKey("b3cbc78d-32e6-4bd4-92e0-bbe07566a2ee")
.build()).getResult()
.forEach(pt -> TASK_SERVICE.delete(TaskType.PROPAGATION, pt.getKey()));
// 4. delete group cGroupForPropagation: no deprovision should be fired on bellini, since there is already
// bGroupForPropagation, deprovision instead must be fired for vivaldi
GROUP_SERVICE.delete(cGroupForPropagation.getKey());
await().during(5, TimeUnit.SECONDS).atMost(10, TimeUnit.SECONDS).until(() -> TASK_SERVICE.search(
new TaskQuery.Builder(TaskType.PROPAGATION)
.anyTypeKind(AnyTypeKind.USER)
.resource(RESOURCE_NAME_LDAP)
.entityKey("c9b2dec2-00a7-4855-97c0-d854842b4b24").build())
.getResult().stream().map(PropagationTaskTO.class::cast)
.collect(Collectors.toList()).stream().noneMatch(pt -> ResourceOperation.DELETE == pt.getOperation()));
GROUP_SERVICE.delete(dGroupForPropagation.getKey());
await().atMost(10, TimeUnit.SECONDS).until(() -> TASK_SERVICE.search(
new TaskQuery.Builder(TaskType.PROPAGATION)
.anyTypeKind(AnyTypeKind.USER)
.resource(RESOURCE_NAME_LDAP)
.entityKey("b3cbc78d-32e6-4bd4-92e0-bbe07566a2ee").build())
.getResult().stream().map(PropagationTaskTO.class::cast)
.collect(Collectors.toList()).stream().anyMatch(pt -> ResourceOperation.DELETE == pt.getOperation()));
}
}
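Review bot: The step comments in `issueSYNCOPE1853` do not match the code: step 1 mentions `resource-csv` while both groups are created with `RESOURCE_NAME_LDAP`, step 2 says `cGroupForPropagation` is assigned to vivaldi while the call passes `dGroupForPropagation.getKey()`, and step 4 refers to a `bGroupForPropagation` that the test never creates. Suggested wording: `// 1. assign both cGroupForPropagation and dGroupForPropagation (RESOURCE_NAME_LDAP) to bellini`, `// 2. assign dGroupForPropagation also to vivaldi`, and in step 4 `// ... since bellini is still a member of dGroupForPropagation`. The test also never asserts that bellini does receive a `DELETE` once `dGroupForPropagation` is removed, and it has no `try`/`finally` cleanup, so a timed-out `await()` would presumably leave the remaining group and memberships in place for later tests.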
