#503 Only prefetch groups and system users, but also prefetch membership

relationships

Author: ghenzler

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java

@@ -106,7 +106,7 @@ public void installAuthorizables(
             final Session session, InstallationLogger installLog)
             throws RepositoryException, AuthorizableCreatorException, LoginException, IOException, GeneralSecurityException {
 
-        UserManager userManager = new PrefetchedAuthorizablesUserManager(AccessControlUtils.getUserManagerAutoSaveDisabled(session), installLog);
+        PrefetchingUserManager userManager = new PrefetchingUserManager(AccessControlUtils.getUserManagerAutoSaveDisabled(session), session.getValueFactory(), installLog);
 
         Set<String> authorizablesFromConfigurations = authorizablesConfigBeans.getAuthorizableIds();
         for (AuthorizableConfigBean authorizableConfigBean : authorizablesConfigBeans) {
@@ -120,7 +120,7 @@ public void installAuthorizables(
     }
 
     private void installAuthorizableConfigurationBean(final Session session,
-            UserManager userManager,
+            PrefetchingUserManager userManager,
             AcConfiguration acConfiguration,
             AuthorizableConfigBean authorizableConfigBean,
             InstallationLogger installLog, Set<String> authorizablesFromConfigurations)
@@ -250,16 +250,14 @@ private String getPassword(final AuthorizableConfigBean authorizableConfigBean)
      * regular relationships between groups contained in config are kept in isMemberOf */
     @SuppressWarnings("unchecked")
     void applyGroupMembershipConfigMembers(AcConfiguration acConfiguration, AuthorizableConfigBean authorizableConfigBean, InstallationLogger installLog,
-            String authorizableId, UserManager userManager, Set<String> authorizablesFromConfigurations) throws RepositoryException {
+            String authorizableId, PrefetchingUserManager userManager, Set<String> authorizablesFromConfigurations) throws RepositoryException {
         if (authorizableConfigBean.isGroup()) {
 
-            Group installedGroup = (Group) userManager.getAuthorizable(authorizableId);
-
             String[] membersInConfigArr = authorizableConfigBean.getMembers();
             Set<String> membersInConfig = membersInConfigArr != null ? new HashSet<String>(Arrays.asList(membersInConfigArr)) : new HashSet<String>();
 
             // initial set without regular users (those are never removed because that relationship is typically managed in AEM UI or LDAP/SAML/SSO/etc. )
-            Set<String> relevantMembersInRepo = getDeclaredMembersWithoutRegularUsers(installedGroup);
+            Set<String> relevantMembersInRepo = userManager.getDeclaredMembersWithoutRegularUsers(authorizableId);
 
             // ensure authorizables from config itself that are added via isMemberOf are not deleted
             relevantMembersInRepo = new HashSet<String>(CollectionUtils.subtract(relevantMembersInRepo, authorizablesFromConfigurations));
@@ -271,6 +269,7 @@ void applyGroupMembershipConfigMembers(AcConfiguration acConfiguration, Authoriz
             Set<String> membersToAdd = new HashSet<String>(CollectionUtils.subtract(membersInConfig, relevantMembersInRepo));
             Set<String> membersToRemove = new HashSet<String>(CollectionUtils.subtract(relevantMembersInRepo, membersInConfig));
 
+            Group installedGroup = (Group) userManager.getAuthorizable(authorizableId);
             if (!membersToAdd.isEmpty()) {
                 installLog.addVerboseMessage(LOG,
                         "Adding " + membersToAdd.size() + " external members to group " + authorizableConfigBean.getAuthorizableId());
@@ -301,24 +300,6 @@ void applyGroupMembershipConfigMembers(AcConfiguration acConfiguration, Authoriz
         }
     }
 
-    private Set<String> getDeclaredMembersWithoutRegularUsers(Group installedGroup) throws RepositoryException {
-        Set<String> membersInRepo = new HashSet<String>();
-        Iterator<Authorizable> currentMemberInRepo = installedGroup.getDeclaredMembers();
-        while (currentMemberInRepo.hasNext()) {
-            Authorizable member = currentMemberInRepo.next();
-            if (!isRegularUser(member)) {
-                membersInRepo.add(member.getID());
-            }
-        }
-        return membersInRepo;
-    }
-
-    private boolean isRegularUser(Authorizable member) throws RepositoryException { 
-        return member != null && !member.isGroup() // if user
-            && !member.getPath().startsWith(Constants.USERS_ROOT + "/system/") // but not system user
-            && !member.getID().equals(Constants.USER_ANONYMOUS);  // and not anonymous
-    }
-
     private Set<String> removeExternalMembersUnmanagedByConfiguration(AcConfiguration acConfiguration, AuthorizableConfigBean authorizableConfigBean,
             Set<String> relevantMembersInRepo, InstallationLogger installLog) {
         Set<String> relevantMembers = new HashSet<String>(relevantMembersInRepo);
@@ -504,13 +485,12 @@ private void deleteOldIntermediatePath(final Session session,
 
     private void applyGroupMembershipConfigIsMemberOf(InstallationLogger installLog,
             AcConfiguration acConfiguration,
-            AuthorizableConfigBean authorizableConfigBean, UserManager userManager, Session session,
+            AuthorizableConfigBean authorizableConfigBean, PrefetchingUserManager userManager, Session session,
             Set<String> authorizablesFromConfigurations) throws RepositoryException, AuthorizableCreatorException {
-        String[] memberOf = authorizableConfigBean.getIsMemberOf();
 
-        Authorizable currentGroupFromRepository = userManager.getAuthorizable(authorizableConfigBean.getAuthorizableId());
-        Set<String> membershipGroupsFromConfig = getMembershipGroupsFromConfig(memberOf);
-        Set<String> membershipGroupsFromRepository = getMembershipGroupsFromRepository(currentGroupFromRepository);
+        String authId = authorizableConfigBean.getAuthorizableId();
+        Set<String> membershipGroupsFromConfig = getMembershipGroupsFromConfig(authorizableConfigBean.getIsMemberOf());
+        Set<String> membershipGroupsFromRepository = userManager.getDeclaredIsMemberOf(authId);
 
         applyGroupMembershipConfigIsMemberOf(authorizableConfigBean, acConfiguration, installLog, userManager, session,
                 membershipGroupsFromConfig,
@@ -547,19 +527,6 @@ private Authorizable createNewAuthorizable(
         return newAuthorizable;
     }
 
-    private Set<String> getMembershipGroupsFromRepository(Authorizable currentGroupFromRepository) throws RepositoryException {
-        Set<String> membershipGroupsFromRepository = new HashSet<String>();
-        Iterator<Group> memberOfGroupsIterator = currentGroupFromRepository.declaredMemberOf();
-
-        // build Set which contains the all Groups of which the existingGroup is
-        // a member of
-        while (memberOfGroupsIterator.hasNext()) {
-            Authorizable memberOfGroup = memberOfGroupsIterator.next();
-            membershipGroupsFromRepository.add(memberOfGroup.getID());
-        }
-        return membershipGroupsFromRepository;
-    }
-
     private Set<String> getMembershipGroupsFromConfig(String[] memberOf) {
         // Set which holds all other groups which the current Group from config
         // is a member of

…/PrefetchedAuthorizablesUserManager.java …staller/impl/PrefetchingUserManager.javaaccesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/PrefetchedAuthorizablesUserManager.java renamed to accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/PrefetchingUserManager.java accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/PrefetchedAuthorizablesUserManager.java renamed to accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/PrefetchingUserManager.java

@@ -3,51 +3,86 @@
 import static biz.netcentric.cq.tools.actool.history.PersistableInstallationLogger.msHumanReadable;
 
 import java.security.Principal;
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.Map;
+import java.util.Set;
 
 import javax.jcr.RepositoryException;
+import javax.jcr.ValueFactory;
 
+import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.Query;
 import org.apache.jackrabbit.api.security.user.QueryBuilder;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import biz.netcentric.cq.tools.actool.history.InstallationLogger;
+import com.google.common.annotations.VisibleForTesting;
 
-/** Prefetches all authorizables in constructor to be able to answer getAuthorizable(userId) requests much quicker than the ootb oak
- * UserManager itself. */
-class PrefetchedAuthorizablesUserManager implements UserManager {
+import biz.netcentric.cq.tools.actool.helper.Constants;
+import biz.netcentric.cq.tools.actool.history.InstallationLogger;
 
-    private static final Logger LOG = LoggerFactory.getLogger(PrefetchedAuthorizablesUserManager.class);
+/** Prefetches a) all groups and system users (but not regular users) and b) all memberships between these authorizables in constructor.  */
+class PrefetchingUserManager implements UserManager {
 
-    static final Query ALL_AUTHORIZABLES_QUERY = new Query() {
-        public <T> void build(QueryBuilder<T> builder) {
-            // fetch all authorizables
-        }
-    };
+    private static final Logger LOG = LoggerFactory.getLogger(PrefetchingUserManager.class);
 
     private final UserManager delegate;
-    private final Map<String, Authorizable> authorizableCache;
+    private final Map<String, Authorizable> authorizableCache = new HashMap<>();
+
+    private final Map<String, Set<String>> nonRegularUserMembersByAuthorizableId = new HashMap<>();
+    private final Map<String, Set<String>> isMemberOfByAuthorizableId = new HashMap<>();
 
-    public PrefetchedAuthorizablesUserManager(UserManager delegate, InstallationLogger installLog) throws RepositoryException {
+    public PrefetchingUserManager(UserManager delegate, final ValueFactory valueFactory, InstallationLogger installLog)
+            throws RepositoryException {
         this.delegate = delegate;
-        this.authorizableCache = new HashMap<>();
 
         long startPrefetch = System.currentTimeMillis();
-        Iterator<Authorizable> allAuthorizables = delegate.findAuthorizables(ALL_AUTHORIZABLES_QUERY);
+        Iterator<Authorizable> allAuthorizables = delegate.findAuthorizables(new Query() {
+            public <T> void build(QueryBuilder<T> builder) {
+                builder.setCondition(
+                        builder.or( //
+                                builder.neq("@" + JcrConstants.JCR_PRIMARYTYPE, valueFactory.createValue(UserConstants.NT_REP_USER)),
+                                builder.eq("@" + UserConstants.REP_AUTHORIZABLE_ID, valueFactory.createValue(Constants.USER_ANONYMOUS))) //
+                );
+            }
+        });
         while (allAuthorizables.hasNext()) {
             Authorizable auth = allAuthorizables.next();
-            authorizableCache.put(auth.getID(), auth);
+            String authId = auth.getID();
+            authorizableCache.put(authId, auth);
+
+            // init lists
+            nonRegularUserMembersByAuthorizableId.put(authId, new HashSet<String>());
+            isMemberOfByAuthorizableId.put(authId, new HashSet<String>());
         }
 
         installLog.addMessage(LOG, "Prefetched " + authorizableCache.size() + " authorizables in "
                 + msHumanReadable(System.currentTimeMillis() - startPrefetch));
+
+        long startPrefetchMemberships = System.currentTimeMillis();
+        int membershipCount = 0;
+        for (Authorizable authorizable : authorizableCache.values()) {
+            String authId = authorizable.getID();
+            Iterator<Group> declaredMemberOf = authorizable.declaredMemberOf();
+            while (declaredMemberOf.hasNext()) {
+                Group memberOfGroup = declaredMemberOf.next();
+                String memberOfGroupId = memberOfGroup.getID();
+                isMemberOfByAuthorizableId.get(authId).add(memberOfGroupId);
+                nonRegularUserMembersByAuthorizableId.get(memberOfGroupId).add(authId);
+                membershipCount++;
+            }
+        }
+
+        installLog.addMessage(LOG, "Prefetched " + membershipCount + " memberships in "
+                + msHumanReadable(System.currentTimeMillis() - startPrefetchMemberships));
     }
 
     @Override
@@ -60,6 +95,26 @@ public Authorizable getAuthorizable(String id) throws RepositoryException {
         return authorizable;
     }
 
+    public Set<String> getDeclaredIsMemberOf(String id) throws RepositoryException {
+        
+        if(isMemberOfByAuthorizableId.containsKey(id)) {
+            return isMemberOfByAuthorizableId.get(id);
+        } else {
+            // for users fall back to retrieve on demand 
+            Set<String> memberOfSet = new HashSet<String>();
+            Iterator<Group> memberOfIt = getAuthorizable(id).declaredMemberOf();
+            while (memberOfIt.hasNext()) {
+                Authorizable memberOfGroup = memberOfIt.next();
+                memberOfSet.add(memberOfGroup.getID());
+            }
+            return memberOfSet;
+        }
+    }
+
+    public Set<String> getDeclaredMembersWithoutRegularUsers(String id) {
+        return nonRegularUserMembersByAuthorizableId.containsKey(id) ? nonRegularUserMembersByAuthorizableId.get(id): Collections.<String>emptySet();
+    }
+
     public int getCacheSize() {
         return authorizableCache.size();
     }