Strip out user attribute logic

trinodb · Sep 20, 2024 · 154f761 · 154f761
1 parent e2cfa6a
commit 154f761
Show file tree

Hide file tree

Showing 21 changed files with 364 additions and 1,207 deletions.
diff --git a/plugin/trino-ldap-group-provider/pom.xml b/plugin/trino-ldap-group-provider/pom.xml
@@ -4,7 +4,7 @@
     <parent>
         <groupId>io.trino</groupId>
         <artifactId>trino-root</artifactId>
-        <version>444-SNAPSHOT</version>
+        <version>459-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
@@ -47,11 +47,6 @@
             <artifactId>trino-plugin-toolkit</artifactId>
         </dependency>
 
-        <dependency>
-            <groupId>jakarta.inject</groupId>
-            <artifactId>jakarta.inject-api</artifactId>
-        </dependency>
-
         <dependency>
             <groupId>jakarta.validation</groupId>
             <artifactId>jakarta.validation-api</artifactId>
@@ -89,13 +84,6 @@
         </dependency>
 
         <!-- for testing - Trino -->
-        <dependency>
-            <groupId>antlr</groupId>
-            <artifactId>antlr</artifactId>
-            <version>2.7.7</version>
-            <scope>test</scope>
-        </dependency>
-
         <dependency>
             <groupId>io.trino</groupId>
             <artifactId>trino-main</artifactId>
@@ -114,24 +102,27 @@
             <scope>test</scope>
         </dependency>
 
+        <dependency>
+            <groupId>org.assertj</groupId>
+            <artifactId>assertj-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter</artifactId>
-            <version>${dep.junit.version}</version>
             <scope>test</scope>
         </dependency>
 
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter-api</artifactId>
-            <version>${dep.junit.version}</version>
             <scope>test</scope>
         </dependency>
 
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter-params</artifactId>
-            <version>${dep.junit.version}</version>
             <scope>test</scope>
         </dependency>
 

diff --git a/...dap-group-provider/src/main/java/io/trino/plugin/ldapgroup/ForLdapUserSearchDelegate.java b/...dap-group-provider/src/main/java/io/trino/plugin/ldapgroup/ForLdapUserSearchDelegate.java
diff --git a/...ap-group-provider/src/main/java/io/trino/plugin/ldapgroup/LdapFilteringGroupProvider.java b/...ap-group-provider/src/main/java/io/trino/plugin/ldapgroup/LdapFilteringGroupProvider.java
@@ -0,0 +1,132 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.plugin.ldapgroup;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.inject.Inject;
+import io.airlift.log.Logger;
+import io.trino.plugin.base.ldap.LdapClient;
+import io.trino.plugin.base.ldap.LdapQuery;
+import io.trino.spi.security.GroupProvider;
+
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.SearchResult;
+
+import java.util.Optional;
+import java.util.Set;
+
+import static java.util.Objects.requireNonNull;
+
+public class LdapFilteringGroupProvider
+        implements GroupProvider
+{
+    private static final Logger log = Logger.get(LdapFilteringGroupProvider.class);
+
+    private final LdapClient ldapClient;
+    private final String ldapAdminUser;
+    private final String ldapAdminPassword;
+    private final String userBaseDN;
+    private final String userSearchFilter;
+    private final String groupBaseDN;
+    private final String groupsNameAttribute;
+    private final String combinedGroupSearchFilter;
+
+    @Inject
+    public LdapFilteringGroupProvider(LdapClient ldapClient,
+                                      LdapGroupProviderConfig config,
+                                      LdapFilteringGroupProviderConfig filteringConfig)
+    {
+        this.ldapClient = requireNonNull(ldapClient, "ldap client is null");
+        this.ldapAdminUser = config.getLdapAdminUser();
+        this.ldapAdminPassword = config.getLdapAdminPassword();
+        this.userBaseDN = config.getLdapUserBaseDN();
+        this.userSearchFilter = config.getLdapUserSearchFilter();
+        this.groupBaseDN = filteringConfig.getLdapGroupBaseDN();
+        this.groupsNameAttribute = config.getLdapGroupsNameAttribute();
+
+        String groupsSearchMemberAttribute = filteringConfig.getLdapGroupsSearchMemberAttribute();
+        combinedGroupSearchFilter = filteringConfig.getLdapGroupsSearchFilter()
+                .map(filter -> String.format("(&(%s)(%s={0}))", filter, groupsSearchMemberAttribute))
+                .orElse(String.format("(%s={0})", groupsSearchMemberAttribute));
+    }
+
+    /**
+     * Perform an LDAP search for groups, fetching only the names, and returning the name of each group.
+     * Filters groups by user membership AND filter expression {@link LdapFilteringGroupProviderConfig#getLdapGroupsSearchFilter()}.
+     * If {@link LdapGroupProviderConfig#getLdapGroupsNameAttribute()} is missing from group document, fallback on full name.
+     * Swallows LDAP exceptions.
+     *
+     * @return Names of groups that the user is a member of
+     */
+    @Override
+    public Set<String> getGroups(String user)
+    {
+        Optional<String> userDistinguishedName;
+        try {
+            userDistinguishedName = ldapClient.executeLdapQuery(ldapAdminUser, ldapAdminPassword,
+                    new LdapQuery.LdapQueryBuilder()
+                            .withSearchBase(userBaseDN)
+                            .withSearchFilter(userSearchFilter)
+                            .withFilterArguments(user)
+                            .build(),
+                    search -> {
+                        if (!search.hasMore()) {
+                            log.warn("LDAP search for user [%s] using filter pattern [%s] found no matches", user, userSearchFilter);
+                            return Optional.empty();
+                        }
+                        SearchResult result = search.next();
+                        return Optional.of(result.getNameInNamespace());
+                    });
+        }
+        catch (NamingException e) {
+            log.error("LDAP search for user [%s] failed", user, e);
+            return ImmutableSet.of();
+        }
+
+        return userDistinguishedName.map(ldapUser -> {
+            try {
+                return ldapClient.executeLdapQuery(ldapAdminUser, ldapAdminPassword,
+                        new LdapQuery.LdapQueryBuilder()
+                                .withSearchBase(groupBaseDN)
+                                .withAttributes(groupsNameAttribute)
+                                .withSearchFilter(combinedGroupSearchFilter)
+                                .withFilterArguments(ldapUser)
+                                .build(),
+                        search -> {
+                            if (!search.hasMore()) {
+                                log.debug("No groups found using search [pattern=%s, arguments={%s}]", combinedGroupSearchFilter, ldapUser);
+                            }
+                            ImmutableSet.Builder<String> groupsBuilder = ImmutableSet.builder();
+                            while (search.hasMore()) {
+                                SearchResult groupResult = search.next();
+                                Attribute groupName = groupResult.getAttributes().get(groupsNameAttribute);
+                                if (groupName == null) {
+                                    log.warn("The group object [%s] does not have group name attribute [%s]. Falling back on object full name.", groupResult, groupsNameAttribute);
+                                    groupsBuilder.add(groupResult.getNameInNamespace());
+                                }
+                                else {
+                                    groupsBuilder.add(groupName.get().toString());
+                                }
+                            }
+                            return groupsBuilder.build();
+                        });
+            }
+            catch (NamingException e) {
+                log.error("LDAP search for user [%s] groups failed", user, e);
+                return ImmutableSet.<String>of();
+            }
+        }).orElse(ImmutableSet.of());
+    }
+}
diff --git a/...apGroupProviderFilteringClientConfig.java → ...oup/LdapFilteringGroupProviderConfig.java b/...apGroupProviderFilteringClientConfig.java → ...oup/LdapFilteringGroupProviderConfig.java
@@ -19,7 +19,7 @@
 
 import java.util.Optional;
 
-public class LdapGroupProviderFilteringClientConfig
+public class LdapFilteringGroupProviderConfig
 {
     private String ldapGroupBaseDN;
     private String ldapGroupsSearchFilter;
@@ -33,7 +33,7 @@ public String getLdapGroupBaseDN()
 
     @Config("ldap.group-base-dn")
     @ConfigDescription("Base distinguished name for groups. Example: dc=example,dc=com")
-    public LdapGroupProviderFilteringClientConfig setLdapGroupBaseDN(String ldapGroupBaseDN)
+    public LdapFilteringGroupProviderConfig setLdapGroupBaseDN(String ldapGroupBaseDN)
     {
         this.ldapGroupBaseDN = ldapGroupBaseDN;
         return this;
@@ -47,7 +47,7 @@ public Optional<String> getLdapGroupsSearchFilter()
 
     @Config("ldap.group-search-filter")
     @ConfigDescription("Search filter for group documents. Example: (cn=trino_*)")
-    public LdapGroupProviderFilteringClientConfig setLdapGroupsSearchFilter(String ldapGroupsSearchFilter)
+    public LdapFilteringGroupProviderConfig setLdapGroupsSearchFilter(String ldapGroupsSearchFilter)
     {
         this.ldapGroupsSearchFilter = ldapGroupsSearchFilter;
         return this;
@@ -61,7 +61,7 @@ public String getLdapGroupsSearchMemberAttribute()
 
     @Config("ldap.group-search-member-attribute")
     @ConfigDescription("Attribute from group documents used for filtering by member. Example: cn")
-    public LdapGroupProviderFilteringClientConfig setLdapGroupsSearchMemberAttribute(String ldapGroupsSearchMemberAttribute)
+    public LdapFilteringGroupProviderConfig setLdapGroupsSearchMemberAttribute(String ldapGroupsSearchMemberAttribute)
     {
         this.ldapGroupsSearchMemberAttribute = ldapGroupsSearchMemberAttribute;
         return this;

diff --git a/.../trino-ldap-group-provider/src/main/java/io/trino/plugin/ldapgroup/LdapGroupProvider.java b/.../trino-ldap-group-provider/src/main/java/io/trino/plugin/ldapgroup/LdapGroupProvider.java
diff --git a/...-ldap-group-provider/src/main/java/io/trino/plugin/ldapgroup/LdapGroupProviderClient.java b/...-ldap-group-provider/src/main/java/io/trino/plugin/ldapgroup/LdapGroupProviderClient.java