Use shedlock for locking

client/pom.xml

@@ -4,7 +4,7 @@
     <parent>
         <groupId>org.openconext</groupId>
         <artifactId>invite</artifactId>
-        <version>1.1.1-SNAPSHOT</version>
+        <version>1.1.2-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <artifactId>invite-client</artifactId>

pom.xml

@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.openconext</groupId>
     <artifactId>invite</artifactId>
-    <version>1.1.1-SNAPSHOT</version>
+    <version>1.1.2-SNAPSHOT</version>
     <packaging>pom</packaging>
     <name>invite</name>
     <description>SURFconext Invite</description>

provisioning-mock/pom.xml

@@ -4,7 +4,7 @@
     <parent>
         <groupId>org.openconext</groupId>
         <artifactId>invite</artifactId>
-        <version>1.1.1-SNAPSHOT</version>
+        <version>1.1.2-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <artifactId>provisioning-mock</artifactId>

server/pom.xml

@@ -4,7 +4,7 @@
     <parent>
         <groupId>org.openconext</groupId>
         <artifactId>invite</artifactId>
-        <version>1.1.1-SNAPSHOT</version>
+        <version>1.1.2-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <artifactId>invite-server</artifactId>
@@ -87,6 +87,16 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>net.javacrumbs.shedlock</groupId>
+            <artifactId>shedlock-spring</artifactId>
+            <version>7.7.0</version>
+        </dependency>
+        <dependency>
+            <groupId>net.javacrumbs.shedlock</groupId>
+            <artifactId>shedlock-provider-jdbc-template</artifactId>
+            <version>7.7.0</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-core</artifactId>

server/src/main/java/invite/cron/ResourceCleaner.java

@@ -3,7 +3,6 @@
 
 import invite.audit.UserRoleAuditService;
 import invite.model.Role;
-import invite.model.Status;
 import invite.model.User;
 import invite.model.UserRole;
 import invite.model.UserRoleAudit;
@@ -12,6 +11,7 @@
 import invite.repository.UserRepository;
 import invite.repository.UserRoleAuditRepository;
 import invite.repository.UserRoleRepository;
+import net.javacrumbs.shedlock.spring.annotation.SchedulerLock;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -20,14 +20,13 @@
 import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.sql.DataSource;
 import java.time.Instant;
 import java.time.Period;
 import java.util.List;
 import java.util.Map;
 
 @Component
-public class ResourceCleaner extends AbstractNodeLeader {
+public class ResourceCleaner {
 
     public static final String LOCK_NAME = "resource_cleaner_user_level_lock";
     private static final Log LOG = LogFactory.getLog(ResourceCleaner.class);
@@ -47,14 +46,12 @@ public class ResourceCleaner extends AbstractNodeLeader {
     public ResourceCleaner(UserRepository userRepository,
                            UserRoleRepository userRoleRepository,
                            ProvisioningService provisioningService,
-                           DataSource dataSource,
                            UserRoleAuditRepository userRoleAuditRepository,
                            UserRoleAuditService userRoleAuditService,
                            InvitationRepository invitationRepository,
                            @Value("${cron.last-activity-duration-days}") int lastActivityDurationDays,
                            @Value("${cron.purge-audit-log-days}") int purgeAuditLogDays,
                            @Value("${cron.purge-expired-invitations-days}") int purgeExpiredInvitationDays) {
-        super(LOCK_NAME, dataSource);
         this.userRepository = userRepository;
         this.userRoleRepository = userRoleRepository;
         this.userRoleAuditRepository = userRoleAuditRepository;
@@ -68,8 +65,10 @@ public ResourceCleaner(UserRepository userRepository,
 
     @Scheduled(cron = "${cron.user-cleaner-expression}")
     @Transactional
+    @SchedulerLock(name = LOCK_NAME, lockAtLeastFor = "${cron.user-cleaner-lock-at-least-for}",
+            lockAtMostFor = "${cron.user-cleaner-lock-at-most-for}")
     public void clean() {
-        super.perform("ResourceCleaner#clean", this::doClean);
+        this.doClean();
     }
 
     public Map<String, Object> doClean() {

server/src/main/java/invite/cron/RoleExpirationNotifier.java

@@ -6,20 +6,20 @@
 import invite.model.UserRole;
 import invite.repository.UserRoleRepository;
 import lombok.Getter;
+import net.javacrumbs.shedlock.spring.annotation.SchedulerLock;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.sql.DataSource;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.List;
 
 @Component
-public class RoleExpirationNotifier extends AbstractNodeLeader {
+public class RoleExpirationNotifier {
 
     public static final String LOCK_NAME = "role_expiration_notifier_user_level_lock";
     private static final Log LOG = LogFactory.getLog(RoleExpirationNotifier.class);
@@ -34,22 +34,22 @@ public class RoleExpirationNotifier extends AbstractNodeLeader {
     public RoleExpirationNotifier(UserRoleRepository userRoleRepository,
                                   Manage manage,
                                   MailBox mailBox,
-                                  DataSource dataSource,
                                   @Value("${cron.role-expiration-notifier-duration-days}") int roleExpirationNotificationDays) {
-        super(LOCK_NAME, dataSource);
         this.userRoleRepository = userRoleRepository;
         this.manage = manage;
         this.mailBox = mailBox;
         this.roleExpirationNotificationDays = roleExpirationNotificationDays;
     }
 
     @Scheduled(cron = "${cron.role-expiration-notifier-expression}")
+    @SchedulerLock(name = LOCK_NAME, lockAtLeastFor = "${cron.role-expiration-notifier-lock-at-least-for}",
+            lockAtMostFor = "${cron.role-expiration-notifier-lock-at-most-for}")
     @Transactional
     public void sweep() {
         if (roleExpirationNotificationDays == -1) {
             return;
         }
-        super.perform("RoleExpirationNotifier#sweep", () -> this.doSweep());
+        this.doSweep();
     }
 
     public List<String> doSweep() {

server/src/main/java/invite/cron/ShedLockConfig.java

@@ -0,0 +1,34 @@
+package invite.cron;
+
+import net.javacrumbs.shedlock.core.LockProvider;
+import net.javacrumbs.shedlock.provider.jdbctemplate.JdbcTemplateLockProvider;
+import net.javacrumbs.shedlock.spring.annotation.EnableSchedulerLock;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.jdbc.core.JdbcTemplate;
+
+import javax.sql.DataSource;
+import java.util.Optional;
+
+@Configuration
+@EnableSchedulerLock(defaultLockAtMostFor = "PT10M")
+public class ShedLockConfig {
+
+    @Bean
+    @Profile("!test")
+    public LockProvider lockProvider(DataSource dataSource) {
+        return new JdbcTemplateLockProvider(
+                JdbcTemplateLockProvider.Configuration.builder()
+                        .withJdbcTemplate(new JdbcTemplate(dataSource))
+                        .usingDbTime() // Use DB time, not app-node time — avoids clock skew
+                        .build()
+        );
+    }
+
+    @Bean
+    @Profile("test")
+    public LockProvider noOpLockProvider() {
+        return lockConfiguration -> Optional.of(() -> {});
+    }
+}

server/src/main/resources/application.yml

@@ -79,10 +79,14 @@ crypto:
 
 cron:
   user-cleaner-expression: "0 0/30 * * * *"
+  user-cleaner-lock-at-least-for: "PT5M"
+  user-cleaner-lock-at-most-for: "PT28M"
   last-activity-duration-days: 1000
   role-expiration-notifier-expression: "0 0/30 * * * *"
   # Set to -1 to suppress role expiry notifications
   role-expiration-notifier-duration-days: 5
+  role-expiration-notifier-lock-at-least-for: "PT5M"
+  role-expiration-notifier-lock-at-most-for: "PT28M"
   metadata-resolver-initial-delay-milliseconds: 1
   metadata-resolver-fixed-rate-milliseconds: 86_400_000
   metadata-resolver-url: "classpath:/metadata/idps-metadata.xml"

server/src/main/resources/db/mysql/migration/V58_0__shedlock_locking_table.sql

@@ -0,0 +1,14 @@
+CREATE TABLE shedlock (
+    name        VARCHAR(64)  NOT NULL,
+    lock_until  TIMESTAMP(3) NOT NULL,
+    locked_at   TIMESTAMP(3) NOT NULL,
+    locked_by   VARCHAR(255) NOT NULL,
+    PRIMARY KEY (name)
+) ENGINE=InnoDB
+    DEFAULT CHARSET = utf8mb4;
+
+-- Pre-insert your lock rows (critical for Galera safety)
+INSERT INTO shedlock (name, lock_until, locked_at, locked_by)
+VALUES ('resource_cleaner_user_level_lock', '2000-01-01 00:00:00.000', '2000-01-01 00:00:00.000', 'init');
+INSERT INTO shedlock (name, lock_until, locked_at, locked_by)
+VALUES ('role_expiration_notifier_user_level_lock', '2000-01-01 00:00:00.000', '2000-01-01 00:00:00.000', 'init');

server/src/test/java/invite/AbstractTest.java

@@ -124,7 +124,8 @@
                 "manage.enabled: true",
                 "spring.task.scheduling.enabled=false",
                 "spring.jpa.properties.hibernate.format_sql=false",
-                "spring.jpa.show-sql=false"
+                "spring.jpa.show-sql=false",
+                "spring.main.allow-bean-definition-overriding=true"
         })
 @SuppressWarnings("unchecked")
 public abstract class AbstractTest {