KNL-1230 Remove deprecated use of MultiRefCache and add in new cachin…

…g implementation for the security unlock checks

This still uses the legacy MRC when legacy is enabled (for 10 compatibility)



git-svn-id: https://source.sakaiproject.org/svn/kernel/trunk@309144 66ffb92e-73f9-0310-93c1-f5514f145a0a

kernel/kernel-component/src/main/webapp/WEB-INF/authz-components.xml

@@ -51,6 +51,7 @@
  		<lookup-method name="entityManager" bean="org.sakaiproject.entity.api.EntityManager" />
 		<lookup-method name="sessionManager" bean="org.sakaiproject.tool.api.SessionManager" />
 		<lookup-method name="eventTrackingService" bean="org.sakaiproject.event.api.EventTrackingService" />
+    <lookup-method name="functionManager" bean="org.sakaiproject.authz.api.FunctionManager" />
 
   		<property name="cacheMinutes"><value>5</value></property>
 	</bean>

kernel/kernel-impl/src/main/java/org/sakaiproject/authz/impl/BaseAuthzGroup.java

@@ -21,22 +21,10 @@
 
 package org.sakaiproject.authz.impl;
 
-import java.util.Date;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Set;
-import java.util.Stack;
-
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.sakaiproject.authz.api.AuthzGroup;
-import org.sakaiproject.authz.api.AuthzGroupService;
-import org.sakaiproject.authz.api.Member;
-import org.sakaiproject.authz.api.Role;
-import org.sakaiproject.authz.api.RoleAlreadyDefinedException;
+import org.sakaiproject.authz.api.*;
 import org.sakaiproject.entity.api.Reference;
 import org.sakaiproject.entity.api.ResourceProperties;
 import org.sakaiproject.entity.api.ResourcePropertiesEdit;
@@ -52,6 +40,8 @@
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
+import java.util.*;
+
 /**
  * <p>
  * BaseAuthzGroup is an implementation of the AuthGroup API AuthzGroup.
@@ -114,6 +104,9 @@ public class BaseAuthzGroup implements AuthzGroup
 
 	private UserDirectoryService userDirectoryService;
 
+    /** The most recently changed set of role/functions - ONLY valid during the save event processing on the same server */
+    public Set<DbAuthzGroupService.DbStorage.RoleAndFunction> m_lastChangedRlFn;
+
 	/**
 	 * Construct.
 	 * 

kernel/kernel-impl/src/main/java/org/sakaiproject/authz/impl/BaseAuthzGroupService.java

@@ -21,40 +21,12 @@
 
 package org.sakaiproject.authz.impl;
 
-import java.util.Collection;
-import java.util.Collections;
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.Stack;
-import java.util.Vector;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.sakaiproject.authz.api.AuthzGroup;
-import org.sakaiproject.authz.api.AuthzGroupAdvisor;
-import org.sakaiproject.authz.api.AuthzGroupService;
-import org.sakaiproject.authz.api.AuthzPermissionException;
-import org.sakaiproject.authz.api.FunctionManager;
-import org.sakaiproject.authz.api.GroupAlreadyDefinedException;
-import org.sakaiproject.authz.api.GroupFullException;
-import org.sakaiproject.authz.api.GroupIdInvalidException;
-import org.sakaiproject.authz.api.GroupNotDefinedException;
-import org.sakaiproject.authz.api.GroupProvider;
-import org.sakaiproject.authz.api.Role;
-import org.sakaiproject.authz.api.RoleAlreadyDefinedException;
-import org.sakaiproject.authz.api.SecurityService;
+import org.sakaiproject.authz.api.*;
 import org.sakaiproject.component.api.ServerConfigurationService;
 import org.sakaiproject.component.cover.ComponentManager;
-import org.sakaiproject.entity.api.Edit;
-import org.sakaiproject.entity.api.Entity;
-import org.sakaiproject.entity.api.EntityManager;
-import org.sakaiproject.entity.api.HttpAccess;
-import org.sakaiproject.entity.api.Reference;
-import org.sakaiproject.entity.api.ResourceProperties;
+import org.sakaiproject.entity.api.*;
 import org.sakaiproject.event.api.EventTrackingService;
 import org.sakaiproject.exception.PermissionException;
 import org.sakaiproject.javax.PagingPosition;
@@ -64,10 +36,11 @@
 import org.sakaiproject.tool.api.SessionManager;
 import org.sakaiproject.user.api.UserDirectoryService;
 import org.sakaiproject.user.api.UserNotDefinedException;
-import org.sakaiproject.util.StorageUser;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
+import java.util.*;
+
 /**
  * <p>
  * BaseAuthzGroupService is a Sakai azGroup service implementation.
@@ -626,10 +599,32 @@ protected void completeSave(AuthzGroup azGroup)
 		// track it
 		String event = ((BaseAuthzGroup) azGroup).getEvent();
 		if (event == null) event = SECURE_UPDATE_AUTHZ_GROUP;
+        // KNL-1230 handle changes to authzgroups by processing caching changes
+        if (SECURE_UPDATE_AUTHZ_GROUP.equals(event)) {
+            // we only care about update events here
+            try {
+                HashSet<String> roles = null;
+                HashSet<String> permissions = null;
+                Set<DbAuthzGroupService.DbStorage.RoleAndFunction> lastChangedPerms = ((BaseAuthzGroup) azGroup).m_lastChangedRlFn;
+                if (lastChangedPerms != null && !lastChangedPerms.isEmpty()) {
+                    roles = new HashSet<String>();
+                    permissions = new HashSet<String>(lastChangedPerms.size());
+                    for (DbAuthzGroupService.DbStorage.RoleAndFunction rf : lastChangedPerms) {
+                        permissions.add(rf.function);
+                        roles.add(rf.role);
+                    }
+                    M_log.info("Changed permissions for roles (" + roles + ") in " + azGroup.getId() + ": " + permissions);
+                }
+                ((SakaiSecurity) securityService()).notifyRealmChanged(azGroup.getId(), roles, permissions);
+            } catch (Exception e) {
+                M_log.warn("Failure while trying to notify SS about realm changes for AZG(" + azGroup.getId() + "): " + e, e);
+            }
+        } // End KNL-1230
 		eventTrackingService().post(eventTrackingService().newEvent(event, azGroup.getReference(), true));
 
 		// close the azGroup object
 		((BaseAuthzGroup) azGroup).closeEdit();
+        ((BaseAuthzGroup) azGroup).m_lastChangedRlFn = null; // cleanup
 
 		// update the db with latest provider, and site security with the latest changes, using the updated azGroup
 		BaseAuthzGroup updatedRealm = (BaseAuthzGroup) m_storage.get(azGroup.getId());
@@ -833,7 +828,12 @@ public void removeAuthzGroup(AuthzGroup azGroup) throws AuthzPermissionException
 		for (AuthzGroupAdvisor authzGroupAdvisor : authzGroupAdvisors) {
 			authzGroupAdvisor.remove(azGroup);
 		}
-
+        // KNL-1230 handle removal of authzgroups by processing caching changes
+        try {
+            ((SakaiSecurity) securityService()).notifyRealmRemoved(azGroup.getId());
+        } catch (Exception e) {
+            M_log.warn("Failure while trying to notify SS about realm removal for AZG(" + azGroup.getId() + "): " + e, e);
+        } // End KNL-1230
 		// complete the azGroup
 		m_storage.remove(azGroup);
 
@@ -861,25 +861,7 @@ public void removeAuthzGroup(String azGroupId) throws AuthzPermissionException
 			return;
 		}
 
-		// check security (throws if not permitted)
-		unlock(SECURE_REMOVE_AUTHZ_GROUP, authzGroupReference(azGroupId));
-
-		// allow any advisors to make last minute changes 
-		for (AuthzGroupAdvisor authzGroupAdvisor : authzGroupAdvisors) {
-			authzGroupAdvisor.remove(azGroup);
-		}
-
-		// complete the azGroup
-		m_storage.remove(azGroup);
-
-		// track it
-		eventTrackingService().post(eventTrackingService().newEvent(SECURE_REMOVE_AUTHZ_GROUP, azGroup.getReference(), true));
-
-		// close the azGroup object
-		((BaseAuthzGroup) azGroup).closeEdit();
-
-		// clear any site security based on this (if a site) azGroup
-		removeSiteSecurity(azGroup);
+		removeAuthzGroup(azGroup);
 	}
 
 	/**

kernel/kernel-impl/src/main/java/org/sakaiproject/authz/impl/DbAuthzGroupService.java

@@ -1040,6 +1040,15 @@ public Set getAuthzGroupsIsAllowed(String userId, String lock, Collection azGrou
 				return new HashSet();
 			}
 
+            if ("".equals(lock) || "*".equals(lock)) {
+                // SPECIAL CASE - return all authzGroup IDs this user is active in (much faster)
+                String statement = dbAuthzGroupSql.getSelectRealmUserGroupSql("SAKAI_REALM_RL_GR.ACTIVE = '1'");
+                Object[] fields = new Object[1];
+                fields[0] = userId;
+                List dbResult = sqlService().dbRead(statement, fields, null );
+                return new HashSet(dbResult);
+            }
+
 			// Just like unlock, except we use all realms and get their ids
 			// Note: consider over all realms just those realms where there's a grant of a role that satisfies the lock
 			// Ignore realms where anon or auth satisfy the lock.
@@ -1397,6 +1406,16 @@ public Object readSqlResultRecord(ResultSet result)
 				fields[2] = getValueForSubquery(dbAuthzGroupSql.getInsertRealmRoleFunction3Sql(), raf.function);
 				m_sql.dbWrite(sql, fields);
 			}
+
+            // KNL-1230 need to be able to tell when changes occur in the AZG
+            HashSet<RoleAndFunction> lastChanged = new HashSet<RoleAndFunction>();
+            if (!toAdd.isEmpty()) {
+                lastChanged.addAll(toAdd);
+            }
+            if (!toDelete.isEmpty()) {
+                lastChanged.addAll(toDelete);
+            }
+            ((BaseAuthzGroup) azg).m_lastChangedRlFn = lastChanged;
 		}
 
 		protected void save_REALM_RL_GR(AuthzGroup azg)