public boolean processACL(NotesSession notesSession,
NotesDatabase connectorDatabase, NotesDatabase srcdb,
NotesDocument dbdoc) {
final String METHOD = "processACL";
LOGGER.entering(CLASS_NAME, METHOD);
NotesACL acl = null;
try {
// To determine if the ACL has changed we check the log
String aclActivityText = srcdb.getACLActivityLog()
.firstElement().toString();
if (aclActivityText.contentEquals(
dbdoc.getItemValueString(NCCONST.DITM_ACLTEXT))) {
LOGGER.logp(Level.FINER, CLASS_NAME, METHOD,
"ACL has not changed. Skipping ACL processing. ");
return false;
}
LOGGER.logp(Level.FINEST, CLASS_NAME, METHOD,
"New ACL Text is. " + aclActivityText);
// Build the lists of allowed/denied users and groups.
acl = srcdb.getACL();
ArrayList<String> permitUsers = new ArrayList<String>();
ArrayList<String> permitGroups = new ArrayList<String>();
ArrayList<String> noAccessUsers = new ArrayList<String>();
ArrayList<String> noAccessGroups = new ArrayList<String>();
getPermitDeny(acl, permitUsers, permitGroups, noAccessUsers,
noAccessGroups, notesSession);
// If the database is configured to use ACLs for
// authorization, check to see if we should send
// inherited ACLs (GSA 7.0+) or Policy ACLs.
boolean shouldUpdateAcl = true;
if (dbdoc.getItemValueString(NCCONST.DITM_AUTHTYPE)
.contentEquals(NCCONST.AUTH_ACL)) {
if (((NotesTraversalManager) notesConnectorSession
.getTraversalManager()).getTraversalContext()
.supportsInheritedAcls()) {
if (LOGGER.isLoggable(Level.FINER)) {
LOGGER.logp(Level.FINER, CLASS_NAME, METHOD,
"Creating ACL records for database "
+ dbdoc.getItemValueString(NCCONST.DITM_DBNAME));
}
// We want two database ACLs, one for use when
// documents in the database have readers, one when
// they don't. Inserting a second database ACL
// document later will require a restructuring of the
// way NotesConnectorDocumentList works, so for now,
// simply create two database ACL crawl docs.
Collection<String> gsaPermitUsers =
notesConnectorSession.getUserGroupManager()
.mapNotesNamesToGsaNames(notesSession, permitUsers, false);
Collection<String> gsaNoAccessUsers =
notesConnectorSession.getUserGroupManager()
.mapNotesNamesToGsaNames(notesSession, noAccessUsers, false);
Collection<String> gsaPermitGroups =
GsaUtil.getGsaGroups(permitGroups,
notesConnectorSession.getGsaGroupPrefix());
Collection<String> gsaNoAccessGroups =
GsaUtil.getGsaGroups(noAccessGroups,
notesConnectorSession.getGsaGroupPrefix());
shouldUpdateAcl = createDatabaseAclDocuments(connectorDatabase, dbdoc,
gsaPermitUsers, gsaNoAccessUsers, gsaPermitGroups,
gsaNoAccessGroups);
} else {
if (LOGGER.isLoggable(Level.FINER)) {
LOGGER.logp(Level.FINER, CLASS_NAME, METHOD,
"Sending database Policy ACL to the GSA");
}
if ((permitUsers.size() > 0 || permitGroups.size() > 0) &&
noAccessUsers.size() > 0) {
LOGGER.logp(Level.WARNING, CLASS_NAME, METHOD,
"GSA Policy ACLs do not support DENY. Database "
+ dbdoc.getItemValueString(NCCONST.DITM_DBNAME)
+ " has explict DENY rules which will not be enforced.");
}
shouldUpdateAcl = updateGsaPolicyAcl(notesSession,
connectorDatabase, dbdoc, permitUsers, permitGroups);
}
}
// If we updated the GSA (or didn't need to), update the dbdoc.
if (shouldUpdateAcl) {
dbdoc.replaceItemValue(NCCONST.DITM_ACLTEXT, aclActivityText);
updateTextList(dbdoc, NCCONST.NCITM_DBNOACCESSUSERS, noAccessUsers);
updateTextList(dbdoc, NCCONST.NCITM_DBPERMITUSERS, permitUsers);
updateTextList(dbdoc, NCCONST.NCITM_DBPERMITGROUPS, permitGroups);
updateTextList(dbdoc, NCCONST.NCITM_DBNOACCESSGROUPS, noAccessGroups);
}
} catch (Exception e) {
// TODO: should we return false here?
LOGGER.log(Level.SEVERE, CLASS_NAME, e);
} finally {
if (null != acl) {
try {
acl.recycle();
} catch (RepositoryException e) {
}
}
LOGGER.exiting(CLASS_NAME, METHOD);
}