diff --git a/src/main/java/com/amazon/dlic/auth/ldap/LdapUser.java b/src/main/java/com/amazon/dlic/auth/ldap/LdapUser.java index 37f16dd3b5..ab26a94402 100755 --- a/src/main/java/com/amazon/dlic/auth/ldap/LdapUser.java +++ b/src/main/java/com/amazon/dlic/auth/ldap/LdapUser.java @@ -31,12 +31,12 @@ public class LdapUser extends User { private final String originalUsername; public LdapUser(final String name, String originalUsername, final LdapEntry userEntry, - final AuthCredentials credentials, int customAttrMaxValueLen, WildcardMatcher whitelistedCustomLdapAttrMatcher) { + final AuthCredentials credentials, int customAttrMaxValueLen, WildcardMatcher allowlistedCustomLdapAttrMatcher) { super(name, null, credentials); this.originalUsername = originalUsername; this.userEntry = userEntry; Map attributes = getCustomAttributesMap(); - attributes.putAll(extractLdapAttributes(originalUsername, userEntry, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher)); + attributes.putAll(extractLdapAttributes(originalUsername, userEntry, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher)); } /** @@ -57,7 +57,7 @@ public String getOriginalUsername() { } public static Map extractLdapAttributes(String originalUsername, final LdapEntry userEntry, - int customAttrMaxValueLen, WildcardMatcher whitelistedCustomLdapAttrMatcher) { + int customAttrMaxValueLen, WildcardMatcher allowlistedCustomLdapAttrMatcher) { Map attributes = new HashMap<>(); attributes.put("ldap.original.username", originalUsername); attributes.put("ldap.dn", userEntry.getDn()); @@ -69,7 +69,7 @@ public static Map extractLdapAttributes(String originalUsername, // only consider attributes which are not binary and where its value is not // longer than customAttrMaxValueLen characters if (val != null && val.length() > 0 && val.length() <= customAttrMaxValueLen) { - if (whitelistedCustomLdapAttrMatcher.test(attr.getName())) { + if (allowlistedCustomLdapAttrMatcher.test(attr.getName())) { attributes.put("attr.ldap." + attr.getName(), val); } } diff --git a/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthenticationBackend.java b/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthenticationBackend.java index 05fa70c821..fac06dc9a3 100755 --- a/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthenticationBackend.java +++ b/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthenticationBackend.java @@ -44,6 +44,8 @@ import org.opensearch.security.user.AuthCredentials; import org.opensearch.security.user.User; +import static org.opensearch.security.setting.DeprecatedSettings.checkForDeprecatedSetting; + public class LDAPAuthenticationBackend implements AuthenticationBackend { static final int ZERO_PLACEHOLDER = 0; @@ -56,7 +58,7 @@ public class LDAPAuthenticationBackend implements AuthenticationBackend { private final Path configPath; private final List> userBaseSettings; private final int customAttrMaxValueLen; - private final WildcardMatcher whitelistedCustomLdapAttrMatcher; + private final WildcardMatcher allowlistedCustomLdapAttrMatcher; private final String[] returnAttributes; @@ -67,8 +69,10 @@ public LDAPAuthenticationBackend(final Settings settings, final Path configPath) this.returnAttributes = settings.getAsList(ConfigConstants.LDAP_RETURN_ATTRIBUTES, Arrays.asList(ReturnAttributes.ALL.value())).toArray(new String[0]); customAttrMaxValueLen = settings.getAsInt(ConfigConstants.LDAP_CUSTOM_ATTR_MAXVAL_LEN, 36); - whitelistedCustomLdapAttrMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST, + checkForDeprecatedSetting(settings, ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST, ConfigConstants.LDAP_CUSTOM_ATTR_ALLOWLIST); + final List customAttrAllowList = settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_ALLOWLIST, settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST, Collections.singletonList("*"))); + allowlistedCustomLdapAttrMatcher = WildcardMatcher.from(customAttrAllowList); } @Override @@ -127,9 +131,9 @@ public User authenticate(final AuthCredentials credentials) throws OpenSearchSec // by default all ldap attributes which are not binary and with a max value // length of 36 are included in the user object - // if the whitelist contains at least one value then all attributes will be - // additional check if whitelisted (whitelist can contain wildcard and regex) - return new LdapUser(username, user, entry, credentials, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher); + // if the allowlist contains at least one value then all attributes will be + // additional check if allowlisted (allowlist can contain wildcard and regex) + return new LdapUser(username, user, entry, credentials, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher); } catch (final Exception e) { if (log.isDebugEnabled()) { @@ -164,7 +168,7 @@ public boolean exists(final User user) { boolean exists = userEntry != null; if(exists) { - user.addAttributes(LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher)); + user.addAttributes(LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher)); } return exists; diff --git a/src/main/java/com/amazon/dlic/auth/ldap/util/ConfigConstants.java b/src/main/java/com/amazon/dlic/auth/ldap/util/ConfigConstants.java index 12366daf82..25c3a89fb4 100755 --- a/src/main/java/com/amazon/dlic/auth/ldap/util/ConfigConstants.java +++ b/src/main/java/com/amazon/dlic/auth/ldap/util/ConfigConstants.java @@ -73,6 +73,7 @@ public final class ConfigConstants { // custom attributes public static final String LDAP_CUSTOM_ATTR_MAXVAL_LEN = "custom_attr_maxval_len"; public static final String LDAP_CUSTOM_ATTR_WHITELIST = "custom_attr_whitelist"; + public static final String LDAP_CUSTOM_ATTR_ALLOWLIST = "custom_attr_allowlist"; public static final String LDAP_RETURN_ATTRIBUTES = "custom_return_attributes"; public static final String LDAP_CONNECTION_STRATEGY = "connection_strategy"; @@ -83,6 +84,9 @@ public final class ConfigConstants { public static final String LDAP_POOL_TYPE = "pool.type"; + public static final String LDAP_LEGACY_POOL_PRUNING_PERIOD = "pruning.period"; + public static final String LDAP_LEGACY_POOL_IDLE_TIME = "pruning.idleTime"; + public static final String LDAP_POOL_PRUNING_PERIOD = "pool.pruning_period"; public static final String LDAP_POOL_IDLE_TIME = "pool.idle_time"; diff --git a/src/main/java/com/amazon/dlic/auth/ldap2/LDAPConnectionFactoryFactory.java b/src/main/java/com/amazon/dlic/auth/ldap2/LDAPConnectionFactoryFactory.java index 74d8989ae3..f711e41982 100644 --- a/src/main/java/com/amazon/dlic/auth/ldap2/LDAPConnectionFactoryFactory.java +++ b/src/main/java/com/amazon/dlic/auth/ldap2/LDAPConnectionFactoryFactory.java @@ -62,6 +62,8 @@ import org.opensearch.common.settings.Settings; +import static org.opensearch.security.setting.DeprecatedSettings.checkForDeprecatedSetting; + public class LDAPConnectionFactoryFactory { private static final Logger log = LogManager.getLogger(LDAPConnectionFactoryFactory.class); @@ -127,10 +129,13 @@ public ConnectionPool createConnectionPool() { } result.setValidator(getConnectionValidator()); + + checkForDeprecatedSetting(settings, ConfigConstants.LDAP_LEGACY_POOL_PRUNING_PERIOD, ConfigConstants.LDAP_POOL_PRUNING_PERIOD); + checkForDeprecatedSetting(settings, ConfigConstants.LDAP_LEGACY_POOL_IDLE_TIME, ConfigConstants.LDAP_POOL_IDLE_TIME); result.setPruneStrategy(new IdlePruneStrategy( - Duration.ofMinutes(this.settings.getAsLong(ConfigConstants.LDAP_POOL_PRUNING_PERIOD, this.settings.getAsLong("pruning.period", 5l))), - Duration.ofMinutes(this.settings.getAsLong(ConfigConstants.LDAP_POOL_IDLE_TIME, this.settings.getAsLong("pruning.idleTime", 10l)))) + Duration.ofMinutes(this.settings.getAsLong(ConfigConstants.LDAP_POOL_PRUNING_PERIOD, this.settings.getAsLong(ConfigConstants.LDAP_LEGACY_POOL_PRUNING_PERIOD, 5l))), + Duration.ofMinutes(this.settings.getAsLong(ConfigConstants.LDAP_POOL_IDLE_TIME, this.settings.getAsLong(ConfigConstants.LDAP_LEGACY_POOL_IDLE_TIME, 10l)))) ); result.initialize(); diff --git a/src/main/java/org/opensearch/security/setting/DeprecatedSettings.java b/src/main/java/org/opensearch/security/setting/DeprecatedSettings.java new file mode 100644 index 0000000000..7aa54fbea3 --- /dev/null +++ b/src/main/java/org/opensearch/security/setting/DeprecatedSettings.java @@ -0,0 +1,26 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ + +package org.opensearch.security.setting; + +import org.opensearch.common.logging.DeprecationLogger; +import org.opensearch.common.settings.Settings; + +/** + * Functionality around settings that have been deprecated + */ +public class DeprecatedSettings { + + static DeprecationLogger DEPRECATION_LOGGER = DeprecationLogger.getLogger(DeprecatedSettings.class); + + /** + * Checks for an deprecated key found in a setting, logs that it should be replaced with the another key + */ + public static void checkForDeprecatedSetting(final Settings settings, final String legacySettingKey, final String validSettingKey) { + if (settings.hasValue(legacySettingKey)) { + DEPRECATION_LOGGER.deprecate(legacySettingKey, "Found deprecated setting '{}', please replace with '{}'", legacySettingKey, validSettingKey); + } + } +} diff --git a/src/test/java/org/opensearch/security/setting/DeprecatedSettingsTest.java b/src/test/java/org/opensearch/security/setting/DeprecatedSettingsTest.java new file mode 100644 index 0000000000..d8227c53d7 --- /dev/null +++ b/src/test/java/org/opensearch/security/setting/DeprecatedSettingsTest.java @@ -0,0 +1,63 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ + +package org.opensearch.security.setting; + +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mock; +import org.mockito.junit.MockitoJUnitRunner; + +import org.opensearch.common.logging.DeprecationLogger; +import org.opensearch.common.settings.Settings; + +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.ArgumentMatchers.eq; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.verifyNoInteractions; +import static org.mockito.Mockito.verifyNoMoreInteractions; +import static org.opensearch.security.setting.DeprecatedSettings.checkForDeprecatedSetting; + +@RunWith(MockitoJUnitRunner.class) +public class DeprecatedSettingsTest { + + @Mock + private DeprecationLogger logger; + + private DeprecationLogger original; + + @Before + public void before() { + original = DeprecatedSettings.DEPRECATION_LOGGER; + DeprecatedSettings.DEPRECATION_LOGGER = logger; + } + + @After + public void after() { + DeprecatedSettings.DEPRECATION_LOGGER = original; + verifyNoMoreInteractions(logger); + } + + @Test + public void testCheckForDeprecatedSettingNoLegacy() { + final Settings settings = Settings.builder().put("properKey", "value").build(); + + checkForDeprecatedSetting(settings, "legacyKey", "properKey"); + + verifyNoInteractions(logger); + } + + @Test + public void testCheckForDeprecatedSettingFoundLegacy() { + final Settings settings = Settings.builder().put("legacyKey", "value").build(); + + checkForDeprecatedSetting(settings, "legacyKey", "properKey"); + + verify(logger).deprecate(eq("legacyKey"), anyString(), any()); + } +}