KNOX-3340: Add Control for LDAPRolesLookupInterceptor

[handavid]

KNOX-3340 - Add Control to LDAPRolesLookupInterceptor

What changes were proposed in this pull request?

This commit adds a RolesLookupBypassControl for use with the LDAPRolesLookupInterceptor. The LDAPRolesLookupInterceptor will skip role mapping if this control is present and true in the request. This lets the client decide whether they will receive users' groups or roles.

How was this patch tested?

Unit tests were added to cover the new code.

Manual testing was performed. The LDAP Proxy was configured with the RolesLookup interceptor and the following ldapsearch commands were run.

# add control by OID with value "true"
ldapsearch -v -x -H ldap://localhost:3890 -b 'ou=people,DC=proxy,DC=com' -e "1.3.6.1.4.1.18060.2.1379319520.35362.17433.40846.265936912329953=AQP/" '(uid=sam*)' '*'

# add control by OID with value "false"
ldapsearch -v -x -H ldap://localhost:3890 -b 'ou=people,DC=proxy,DC=com' -e "1.3.6.1.4.1.18060.2.1379319520.35362.17433.40846.265936912329953=AQMA" '(uid=sam*)' '*'

# don't add control
ldapsearch -v -x -H ldap://localhost:3890 -b 'ou=people,DC=proxy,DC=com' '(uid=sam*)' '*'

Integration Tests

no integration tests added

UI changes

no UI changes

[handavid]

@smolnar82

[github-actions]

Test Results

22 tests   22 ✅  2s ⏱️
 1 suites   0 💤
 1 files     0 ❌

Results for commit 1efba9a.

♻️ This comment has been updated with latest results.

[smolnar82]

A BER-encoded Boolean consists of

• Tag: 1 byte (0x01)
• Length: 1 byte (The size of the value)
• Value: 1 byte (0x00 or 0xFF)
• Total: 3 bytes.

The error in the PR is specifically the content of the middle byte (the "Length" field of the TLV).

In BER, the "Length" byte should only represent the size of the Value portion. For a Boolean, the value is only 1 byte long.

• Current PR encoding: 0x01 (Tag) | 0x03 (Length) | Value (1 byte) -> This says "expect 3 more bytes" but only provides 1.
• Correct BER encoding: 0x01 (Tag) | 0x01 (Length) | Value (1 byte).

Setting the length byte to 0x03 while only providing 1 byte of data might cause standard LDAP clients or strict decoders to fail.

Once this change is done, you may also have to change the documentation.

Great work on the implementation and the tests otherwise!

[handavid]

@smolnar82 I've updated the PR for your requested change and also to move the OID into configuration until we get an official OID.

[smolnar82]

This is exactly the same test as the previous one. You might want to remove this one and rename the above to testBypassLookup?

[handavid]

minor difference between the tests.
One checks that the decorator.isBypassRolesLookup matches the decorated instance values by setting the values of the decorated instance.
The other checks that the decorator can set the values on the decorated instance.
I'll tweak the tests to make this more obvious.

[smolnar82]

Thanks, David!

[smolnar82]

Maybe creating a new private method (testEncode(boolean encodeTrue)) and call that one from here and from encodeFalseValue? The only difference is the content of expectedBytes, but we'd save some lines of duplication.

[handavid]

done

[smolnar82]

I see you are throwing throw new ConfigurationException("Roles Lookup Bypass Control OID is not valid"); below in KnoxLDAPServerManager. However, I think that exception belongs here, when the factory wants to create an instance of LDAPRolesLookupInterceptor.
The creation of this interceptor is also happening in KnoxLDAPServerManager.init() by calling createInterceptors, so it'd fail fast in case someone provided an invalid OID.
What do you think?

[handavid]

I can get rid of this change since we have an OID.

[handavid]

outdated comment because I removed the oid configuration

[smolnar82]

I've the same observation here as above wrt. encode/decode testing (one private method would eliminate the majority of duplicated lines here).

[handavid]

done

[smolnar82]

typo: if the value provided is on an OID. -> if the value provided is not an OID.

[handavid]

removed since OID will not be configurable

[smolnar82]

Hi @handavid !

In addition to the above comments, I see that we have unit test failures now:

Error:  Tests run: 16, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.378 s <<< FAILURE! -- in org.apache.knox.gateway.services.ldap.KnoxLDAPServerManagerTest
Error:  org.apache.knox.gateway.services.ldap.KnoxLDAPServerManagerTest.testStartDontRegistersRolesLookupBypassControl -- Time elapsed: 0.166 s <<< FAILURE!
java.lang.AssertionError
	at org.junit.Assert.fail(Assert.java:87)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.junit.Assert.assertFalse(Assert.java:65)
	at org.junit.Assert.assertFalse(Assert.java:75)
	at org.apache.knox.gateway.services.ldap.KnoxLDAPServerManagerTest.testStartDontRegistersRolesLookupBypassControl(KnoxLDAPServerManagerTest.java:415)

The good news is that this test may go away, because we now have an official Knox sub-arc under ASF's OID base. See KNOX-3346 for details.
Given the new KNOX OID base (1.3.6.1.4.1.18060.18), we can drop this temporary configuration and add our own as part of this PR. What do you think?