Log deprecation message on legacy ldap pool settings (#2099)

* Log deprecation message on legacy ldap pool settings Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]> Co-authored-by: Martin Kemp <[email protected]>
opensearch-project · Oct 6, 2022 · e5ab646 · e5ab646
1 parent ca4917c
commit e5ab646
Show file tree

Hide file tree

Showing 6 changed files with 114 additions and 12 deletions.
diff --git a/src/main/java/com/amazon/dlic/auth/ldap/LdapUser.java b/src/main/java/com/amazon/dlic/auth/ldap/LdapUser.java
@@ -31,12 +31,12 @@ public class LdapUser extends User {
     private final String originalUsername;
 
     public LdapUser(final String name, String originalUsername, final LdapEntry userEntry,
-            final AuthCredentials credentials, int customAttrMaxValueLen, WildcardMatcher whitelistedCustomLdapAttrMatcher) {
+            final AuthCredentials credentials, int customAttrMaxValueLen, WildcardMatcher allowlistedCustomLdapAttrMatcher) {
         super(name, null, credentials);
         this.originalUsername = originalUsername;
         this.userEntry = userEntry;
         Map<String, String> attributes = getCustomAttributesMap();
-        attributes.putAll(extractLdapAttributes(originalUsername, userEntry, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher));
+        attributes.putAll(extractLdapAttributes(originalUsername, userEntry, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher));
     }
 
     /**
@@ -57,7 +57,7 @@ public String getOriginalUsername() {
     }
 
     public static Map<String, String> extractLdapAttributes(String originalUsername, final LdapEntry userEntry,
-            int customAttrMaxValueLen, WildcardMatcher whitelistedCustomLdapAttrMatcher) {
+            int customAttrMaxValueLen, WildcardMatcher allowlistedCustomLdapAttrMatcher) {
         Map<String, String> attributes = new HashMap<>();
         attributes.put("ldap.original.username", originalUsername);
         attributes.put("ldap.dn", userEntry.getDn());
@@ -69,7 +69,7 @@ public static Map<String, String> extractLdapAttributes(String originalUsername,
                     // only consider attributes which are not binary and where its value is not
                     // longer than customAttrMaxValueLen characters
                     if (val != null && val.length() > 0 && val.length() <= customAttrMaxValueLen) {
-                        if (whitelistedCustomLdapAttrMatcher.test(attr.getName())) {
+                        if (allowlistedCustomLdapAttrMatcher.test(attr.getName())) {
                             attributes.put("attr.ldap." + attr.getName(), val);
                         }
                     }

diff --git a/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthenticationBackend.java b/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthenticationBackend.java
@@ -44,6 +44,8 @@
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.user.User;
 
+import static org.opensearch.security.setting.DeprecatedSettings.checkForDeprecatedSetting;
+
 public class LDAPAuthenticationBackend implements AuthenticationBackend {
 
     static final int ZERO_PLACEHOLDER = 0;
@@ -56,7 +58,7 @@ public class LDAPAuthenticationBackend implements AuthenticationBackend {
     private final Path configPath;
     private final List<Map.Entry<String, Settings>> userBaseSettings;
     private final int customAttrMaxValueLen;
-    private final WildcardMatcher whitelistedCustomLdapAttrMatcher;
+    private final WildcardMatcher allowlistedCustomLdapAttrMatcher;
 
     private final String[] returnAttributes;
 
@@ -67,8 +69,10 @@ public LDAPAuthenticationBackend(final Settings settings, final Path configPath)
         this.returnAttributes = settings.getAsList(ConfigConstants.LDAP_RETURN_ATTRIBUTES, Arrays.asList(ReturnAttributes.ALL.value())).toArray(new String[0]);
 
         customAttrMaxValueLen = settings.getAsInt(ConfigConstants.LDAP_CUSTOM_ATTR_MAXVAL_LEN, 36);
-        whitelistedCustomLdapAttrMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST,
+        checkForDeprecatedSetting(settings, ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST, ConfigConstants.LDAP_CUSTOM_ATTR_ALLOWLIST);
+        final List<String> customAttrAllowList = settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_ALLOWLIST, settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST,
                 Collections.singletonList("*")));
+        allowlistedCustomLdapAttrMatcher = WildcardMatcher.from(customAttrAllowList);
     }
 
     @Override
@@ -127,9 +131,9 @@ public User authenticate(final AuthCredentials credentials) throws OpenSearchSec
 
             // by default all ldap attributes which are not binary and with a max value
             // length of 36 are included in the user object
-            // if the whitelist contains at least one value then all attributes will be
-            // additional check if whitelisted (whitelist can contain wildcard and regex)
-            return new LdapUser(username, user, entry, credentials, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher);
+            // if the allowlist contains at least one value then all attributes will be
+            // additional check if allowlisted (allowlist can contain wildcard and regex)
+            return new LdapUser(username, user, entry, credentials, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher);
 
         } catch (final Exception e) {
             if (log.isDebugEnabled()) {
@@ -164,7 +168,7 @@ public boolean exists(final User user) {
             boolean exists = userEntry != null;
 
             if(exists) {
-                user.addAttributes(LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher));
+                user.addAttributes(LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher));
             }
 
             return exists;

diff --git a/src/main/java/com/amazon/dlic/auth/ldap/util/ConfigConstants.java b/src/main/java/com/amazon/dlic/auth/ldap/util/ConfigConstants.java
@@ -73,6 +73,7 @@ public final class ConfigConstants {
     // custom attributes
     public static final String LDAP_CUSTOM_ATTR_MAXVAL_LEN = "custom_attr_maxval_len";
     public static final String LDAP_CUSTOM_ATTR_WHITELIST = "custom_attr_whitelist";
+    public static final String LDAP_CUSTOM_ATTR_ALLOWLIST = "custom_attr_allowlist";
     public static final String LDAP_RETURN_ATTRIBUTES = "custom_return_attributes";
 
     public static final String LDAP_CONNECTION_STRATEGY = "connection_strategy";
@@ -83,6 +84,9 @@ public final class ConfigConstants {
 
     public static final String LDAP_POOL_TYPE = "pool.type";
 
+    public static final String LDAP_LEGACY_POOL_PRUNING_PERIOD = "pruning.period";
+    public static final String LDAP_LEGACY_POOL_IDLE_TIME = "pruning.idleTime";
+
     public static final String LDAP_POOL_PRUNING_PERIOD = "pool.pruning_period";
     public static final String LDAP_POOL_IDLE_TIME = "pool.idle_time";
 

diff --git a/src/main/java/com/amazon/dlic/auth/ldap2/LDAPConnectionFactoryFactory.java b/src/main/java/com/amazon/dlic/auth/ldap2/LDAPConnectionFactoryFactory.java
@@ -62,6 +62,8 @@
 
 import org.opensearch.common.settings.Settings;
 
+import static org.opensearch.security.setting.DeprecatedSettings.checkForDeprecatedSetting;
+
 public class LDAPConnectionFactoryFactory {
 
     private static final Logger log = LogManager.getLogger(LDAPConnectionFactoryFactory.class);
@@ -127,10 +129,13 @@ public ConnectionPool createConnectionPool() {
         }
 
         result.setValidator(getConnectionValidator());
+
+        checkForDeprecatedSetting(settings, ConfigConstants.LDAP_LEGACY_POOL_PRUNING_PERIOD, ConfigConstants.LDAP_POOL_PRUNING_PERIOD);
+        checkForDeprecatedSetting(settings, ConfigConstants.LDAP_LEGACY_POOL_IDLE_TIME, ConfigConstants.LDAP_POOL_IDLE_TIME);
 
         result.setPruneStrategy(new IdlePruneStrategy(
-            Duration.ofMinutes(this.settings.getAsLong(ConfigConstants.LDAP_POOL_PRUNING_PERIOD, this.settings.getAsLong("pruning.period", 5l))),
-            Duration.ofMinutes(this.settings.getAsLong(ConfigConstants.LDAP_POOL_IDLE_TIME, this.settings.getAsLong("pruning.idleTime", 10l))))
+            Duration.ofMinutes(this.settings.getAsLong(ConfigConstants.LDAP_POOL_PRUNING_PERIOD, this.settings.getAsLong(ConfigConstants.LDAP_LEGACY_POOL_PRUNING_PERIOD, 5l))),
+            Duration.ofMinutes(this.settings.getAsLong(ConfigConstants.LDAP_POOL_IDLE_TIME, this.settings.getAsLong(ConfigConstants.LDAP_LEGACY_POOL_IDLE_TIME, 10l))))
         );
 
         result.initialize();

diff --git a/src/main/java/org/opensearch/security/setting/DeprecatedSettings.java b/src/main/java/org/opensearch/security/setting/DeprecatedSettings.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.security.setting;
+
+import org.opensearch.common.logging.DeprecationLogger;
+import org.opensearch.common.settings.Settings;
+
+/**
+ * Functionality around settings that have been deprecated
+ */
+public class DeprecatedSettings {
+
+    static DeprecationLogger DEPRECATION_LOGGER = DeprecationLogger.getLogger(DeprecatedSettings.class);
+
+    /**
+     * Checks for an deprecated key found in a setting, logs that it should be replaced with the another key
+     */
+    public static void checkForDeprecatedSetting(final Settings settings, final String legacySettingKey, final String validSettingKey) {
+        if (settings.hasValue(legacySettingKey)) {
+            DEPRECATION_LOGGER.deprecate(legacySettingKey, "Found deprecated setting '{}', please replace with '{}'", legacySettingKey, validSettingKey);
+        }
+    }
+}
diff --git a/src/test/java/org/opensearch/security/setting/DeprecatedSettingsTest.java b/src/test/java/org/opensearch/security/setting/DeprecatedSettingsTest.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.security.setting;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import org.opensearch.common.logging.DeprecationLogger;
+import org.opensearch.common.settings.Settings;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.opensearch.security.setting.DeprecatedSettings.checkForDeprecatedSetting;
+
+@RunWith(MockitoJUnitRunner.class)
+public class DeprecatedSettingsTest {
+
+    @Mock
+    private DeprecationLogger logger;
+
+    private DeprecationLogger original; 
+
+    @Before
+    public void before() {
+        original = DeprecatedSettings.DEPRECATION_LOGGER;
+        DeprecatedSettings.DEPRECATION_LOGGER = logger;
+    }
+
+    @After
+    public void after() {
+        DeprecatedSettings.DEPRECATION_LOGGER = original;
+        verifyNoMoreInteractions(logger);
+    }
+
+    @Test
+    public void testCheckForDeprecatedSettingNoLegacy() {
+        final Settings settings = Settings.builder().put("properKey", "value").build();
+
+        checkForDeprecatedSetting(settings, "legacyKey", "properKey");
+
+        verifyNoInteractions(logger);
+    }
+
+    @Test
+    public void testCheckForDeprecatedSettingFoundLegacy() {
+        final Settings settings = Settings.builder().put("legacyKey", "value").build();
+
+        checkForDeprecatedSetting(settings, "legacyKey", "properKey");
+
+        verify(logger).deprecate(eq("legacyKey"), anyString(), any());
+    }
+}