smolnar82 opened a new pull request, #1236: URL: https://github.com/apache/knox/pull/1236
[KNOX-3328](https://issues.apache.org/jira/browse/KNOX-3328) - Support recursive group resolution in LDAP Proxy Service

## What changes were proposed in this pull request?

This PR introduces recursive group resolution to the `LdapProxyBackend`. Key changes include:

- **Recursive Logic**: Implemented Breadth-First Search (BFS) for group resolution. When enabled, Knox will traverse the group hierarchy to find all transitive memberships.
- **Cycle Detection**: Uses a visited Set to track processed DNs, ensuring that circular group references (e.g., Group A -> Group B -> Group A) do not cause infinite loops.
- **Depth Limiting**: Added a new configuration `gateway.ldap.group.max.depth` (default 10) to limit how deep the recursion goes, protecting the Gateway from excessive LDAP round-trips.
- **Group Enrichment**: Updated `LdapProxyBackend.getUser` to search both the user and group search bases. This allows group entries to be returned as "proxy entries" enriched with their own `memberOf` attributes.
- **Optimized Attribute Fetching**: Implemented a hybrid lookup strategy. Initial user/entry lookups fetch all attributes `(*, +)` to ensure complete profile data, while recursive steps specifically request only the `memberOf` and operational attributes `(+)` to minimize network payload and processing overhead.
- **New Configuration Properties**:
  - `gateway.ldap.recursive.group.resolution`: Boolean to enable/disable the feature.
  - `gateway.ldap.group.max.depth`: Integer to control recursion depth.

## How was this patch tested?

The patch was tested using the `LdapProxyBackendTest` suite with an embedded ApacheDS server.

- Unit Tests: Added 4 new test cases to `LdapProxyBackendTest`:
  - `testGetUserGroupsRecursive`: Verifies 3-level deep nesting is resolved correctly.
  - `testGetUserGroupsRecursiveCircular`: Verifies that circular references are handled without errors.
  - `testGetUserGroupsRecursiveMaxDepth`: Verifies that the recursion stops at the configured depth.
  - `testGetUserGroupsRecursiveUseMemberOf`: Verifies recursive resolution when `useMemberOf` is set to `true`.
- Test Data: Updated `ldap-proxy-backend-test.ldif` to include nested groups, circular groups, and groups with `memberOf` attributes.

## Integration Tests

Automated unit tests were added to gateway-server. These tests use an embedded LDAP server to simulate a real-world proxy scenario, which provides high-fidelity verification of the recursive logic and LDAP protocol handling. No changes were required to `.github/workflows/tests` as the standard test suite covers these new unit tests.

## UI changes

N/A

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
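The BFS-with-visited-set-and-depth-cap approach the PR describes (cycle detection and `gateway.ldap.group.max.depth`), as an added stand-alone illustration that is not Knox code: an in-memory dictionary mapping DNs to `memberOf` values stands in for the LDAP directory, and the nested chain and the Group A -> Group B -> Group A cycle are constructed sample data modelled on the PR's test scenarios.

```python
from collections import deque

# Constructed stand-in for an LDAP directory: DN -> values of its memberOf attribute.
# alice sits in a 3-level nested chain; bob's groups form a circular reference.
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=com": ["cn=dev,ou=groups,dc=example,dc=com"],
    "cn=dev,ou=groups,dc=example,dc=com": ["cn=engineering,ou=groups,dc=example,dc=com"],
    "cn=engineering,ou=groups,dc=example,dc=com": ["cn=staff,ou=groups,dc=example,dc=com"],
    "cn=staff,ou=groups,dc=example,dc=com": [],
    "uid=bob,ou=users,dc=example,dc=com": ["cn=groupA,ou=groups,dc=example,dc=com"],
    "cn=groupA,ou=groups,dc=example,dc=com": ["cn=groupB,ou=groups,dc=example,dc=com"],
    "cn=groupB,ou=groups,dc=example,dc=com": ["cn=groupA,ou=groups,dc=example,dc=com"],
}


def lookup_member_of(dn, directory=DIRECTORY):
    """Stand-in for the recursive-step LDAP lookup that requests only memberOf (+)."""
    return list(directory.get(dn, []))


def resolve_groups(user_dn, max_depth=10, recursive=True, directory=DIRECTORY):
    """Return (groups, depth_limit_hit): transitive groups of user_dn in BFS
    discovery order. A visited set prevents cycles from looping forever; the
    depth cap bounds the number of LDAP round-trips for deep hierarchies."""
    direct = lookup_member_of(user_dn, directory)
    if not recursive:
        return direct, False
    visited = set()
    groups = []
    queue = deque((g, 1) for g in direct)  # (group DN, nesting depth)
    depth_limit_hit = False
    while queue:
        dn, depth = queue.popleft()
        if dn in visited:  # already processed: cycle or diamond, skip it
            continue
        visited.add(dn)
        groups.append(dn)
        parents = [p for p in lookup_member_of(dn, directory) if p not in visited]
        if depth >= max_depth:
            if parents:  # there was more hierarchy, but the cap stops us here
                depth_limit_hit = True
            continue
        queue.extend((p, depth + 1) for p in parents)
    return groups, depth_limit_hit
```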
