Lazily lookup LDAP group memberships
By deferring LDAP queries until a contains method is called the server can avoid looking up LDAP group information when only internal Gerrit groups are used in access rules. Change-Id: I96ac1894da07e00935ed6182084885a237ac414e
This commit is contained in:
		| @@ -31,7 +31,6 @@ import com.google.gerrit.server.CurrentUser; | ||||
| import com.google.gerrit.server.IdentifiedUser; | ||||
| import com.google.gerrit.server.account.GroupBackend; | ||||
| import com.google.gerrit.server.account.GroupMembership; | ||||
| import com.google.gerrit.server.account.ListGroupMembership; | ||||
| import com.google.gerrit.server.auth.ldap.Helper.LdapSchema; | ||||
| import com.google.gerrit.server.project.ProjectCache; | ||||
| import com.google.gerrit.server.project.ProjectControl; | ||||
| @@ -60,7 +59,7 @@ import javax.security.auth.login.LoginException; | ||||
|  * Implementation of GroupBackend for the LDAP group system. | ||||
|  */ | ||||
| public class LdapGroupBackend implements GroupBackend { | ||||
|   private static final Logger log = LoggerFactory.getLogger(LdapGroupBackend.class); | ||||
|   static final Logger log = LoggerFactory.getLogger(LdapGroupBackend.class); | ||||
|  | ||||
|   private static final String LDAP_NAME = "ldap/"; | ||||
|   private static final String GROUPNAME = "groupname"; | ||||
| @@ -185,21 +184,7 @@ public class LdapGroupBackend implements GroupBackend { | ||||
|     if (id == null) { | ||||
|       return GroupMembership.EMPTY; | ||||
|     } | ||||
|  | ||||
|     try { | ||||
|       final Set<AccountGroup.UUID> groups = membershipCache.get(id); | ||||
|       return new ListGroupMembership(groups) { | ||||
|         @Override | ||||
|         public Set<AccountGroup.UUID> getKnownGroups() { | ||||
|           Set<AccountGroup.UUID> g = Sets.newHashSet(groups); | ||||
|           g.retainAll(projectCache.guessRelevantGroupUUIDs()); | ||||
|           return g; | ||||
|         } | ||||
|       }; | ||||
|     } catch (ExecutionException e) { | ||||
|       log.warn(String.format("Cannot lookup membershipsOf %s in LDAP", id), e); | ||||
|       return GroupMembership.EMPTY; | ||||
|     } | ||||
|     return new LdapGroupMembership(membershipCache, projectCache, id); | ||||
|   } | ||||
|  | ||||
|   private static String findId(final Collection<AccountExternalId> ids) { | ||||
|   | ||||
| @@ -0,0 +1,76 @@ | ||||
| // Copyright (C) 2015 The Android Open Source Project | ||||
| // | ||||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| // you may not use this file except in compliance with the License. | ||||
| // You may obtain a copy of the License at | ||||
| // | ||||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||||
| // | ||||
| // Unless required by applicable law or agreed to in writing, software | ||||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| // See the License for the specific language governing permissions and | ||||
| // limitations under the License. | ||||
|  | ||||
| package com.google.gerrit.server.auth.ldap; | ||||
|  | ||||
| import com.google.common.cache.LoadingCache; | ||||
| import com.google.gerrit.reviewdb.client.AccountGroup; | ||||
| import com.google.gerrit.server.account.GroupMembership; | ||||
| import com.google.gerrit.server.account.ListGroupMembership; | ||||
| import com.google.gerrit.server.project.ProjectCache; | ||||
|  | ||||
| import java.util.HashSet; | ||||
| import java.util.Set; | ||||
| import java.util.concurrent.ExecutionException; | ||||
|  | ||||
| class LdapGroupMembership implements GroupMembership { | ||||
|   private final LoadingCache<String, Set<AccountGroup.UUID>> membershipCache; | ||||
|   private final ProjectCache projectCache; | ||||
|   private final String id; | ||||
|   private GroupMembership membership; | ||||
|  | ||||
|   LdapGroupMembership( | ||||
|       LoadingCache<String, Set<AccountGroup.UUID>> membershipCache, | ||||
|       ProjectCache projectCache, | ||||
|       String id) { | ||||
|     this.membershipCache = membershipCache; | ||||
|     this.projectCache = projectCache; | ||||
|     this.id = id; | ||||
|   } | ||||
|  | ||||
|   @Override | ||||
|   public boolean contains(AccountGroup.UUID groupId) { | ||||
|     return get().contains(groupId); | ||||
|   } | ||||
|  | ||||
|   @Override | ||||
|   public boolean containsAnyOf(Iterable<AccountGroup.UUID> groupIds) { | ||||
|     return get().containsAnyOf(groupIds); | ||||
|   } | ||||
|  | ||||
|   @Override | ||||
|   public Set<AccountGroup.UUID> intersection(Iterable<AccountGroup.UUID> groupIds) { | ||||
|     return get().intersection(groupIds); | ||||
|   } | ||||
|  | ||||
|   @Override | ||||
|   public Set<AccountGroup.UUID> getKnownGroups() { | ||||
|     Set<AccountGroup.UUID> g = new HashSet<>(get().getKnownGroups()); | ||||
|     g.retainAll(projectCache.guessRelevantGroupUUIDs()); | ||||
|     return g; | ||||
|   } | ||||
|  | ||||
|   private synchronized GroupMembership get() { | ||||
|     if (membership == null) { | ||||
|       try { | ||||
|         membership = new ListGroupMembership(membershipCache.get(id)); | ||||
|       } catch (ExecutionException e) { | ||||
|         LdapGroupBackend.log.warn(String.format( | ||||
|             "Cannot lookup membershipsOf %s in LDAP", id), e); | ||||
|         membership = GroupMembership.EMPTY; | ||||
|       } | ||||
|     } | ||||
|     return membership; | ||||
|   } | ||||
| } | ||||
		Reference in New Issue
	
	Block a user
	 Shawn Pearce
					Shawn Pearce