smolnar82 opened a new pull request, #1242: URL: https://github.com/apache/knox/pull/1242
[KNOX-3328](https://issues.apache.org/jira/browse/KNOX-3328) - Add Docker-based integration tests for Knox LDAP service

## What changes were proposed in this pull request?

This PR enhances the integrated Knox LDAP service to support authentication (bind operations) and dynamic user/group lookups by proxying requests to an external LDAP backend. These changes enable the Knox LDAP service to act as a functional LDAP interface for applications that require LDAP-based authentication while delegating the actual identity management to a primary directory service.

Key enhancements include:

* Authentication Proxying: Added a bind interceptor to `GroupLookupInterceptor` that allows the Knox LDAP server to authenticate users against a configured backend (e.g., an external LDAP server or a local file-based store).
* Dynamic User Lookup: Implemented lookup functionality in the interceptor to dynamically retrieve user entries from the backend when they are not found in the local LDAP partition.
* Interceptor Reordering: Updated `KnoxLDAPServerManager` to insert the `GroupLookupInterceptor` before the standard AuthenticationInterceptor. This allows Knox to intercept and process bind requests for non-system users.
* Backend Interface Update: Extended the LdapBackend interface and its implementations (`LdapProxyBackend`, `FileBackend`) with an authenticate method to support password verification.
* Dependency Management: Moved `mina-core` from `test` scope to compile scope in `gateway-server` to support the LDAP server's runtime requirements.
* CI/Test Improvements:
  * Updated the GitHub Actions workflow configuration to enable the Knox LDAP service and point it to the demo LDAP backend.
  * Refined the integration tests in `test_knox_auth_service_and_LDAP.py` to match the updated service endpoints and configurations.

## How was this patch tested?

I built Knox locally then ran Docker-based integration tests:

```
tests-1 | ============================= test session starts ==============================
tests-1 | platform linux -- Python 3.9.25, pytest-8.3.4, pluggy-1.6.0
tests-1 | rootdir: /tests
tests-1 | collected 21 items
tests-1 |
tests-1 | test_health.py ..... [ 23%]
tests-1 | test_knox_auth_service_and_LDAP.py .. [ 33%]
tests-1 | test_knox_configs.py . [ 38%]
tests-1 | test_knoxauth_preauth_and_paths.py ...... [ 66%]
tests-1 | test_remote_auth.py ... [ 80%]
tests-1 | test_remoteauth_extauthz_additional_path.py .... [100%]
tests-1 | ...
tests-1 | ----------------- generated xml file: /tests/test-results.xml ------------------
tests-1 | ======================= 21 passed, 21 warnings in 0.73s ========================
```

## Integration Tests

The updated LDAP-related integration tests are now connecting to the embedded Knox LDAP service instead of the demo LDAP running in a different container.

## UI changes

N/A
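
The bind routing described in this pull request, modelled in Python as an added example; it is not code from the PR or from Knox. The class names are borrowed from the description, while the `ou=system` test for system users, the naive `uid=` DN parsing, the empty-password guard and all accounts are assumptions made for illustration.

```python
import hmac

SYSTEM_SUFFIX = "ou=system"  # assumption: how "system" users are recognised


def _same(stored, supplied):
    # Constant-time comparison; a missing account never matches.
    return stored is not None and hmac.compare_digest(stored.encode(), supplied.encode())


class FileBackend:
    """Stand-in for a backend exposing authenticate(); accounts are constructed."""
    def __init__(self, users):
        self._users = users  # {username: password}

    def authenticate(self, username, password):
        return _same(self._users.get(username), password)


class AuthenticationInterceptor:
    """Stand-in for the standard local authenticator further down the chain."""
    def __init__(self, local):
        self._local = local  # {dn: password}
        self.seen = []       # DNs that reached this interceptor

    def bind(self, dn, password):
        self.seen.append(dn)
        return _same(self._local.get(dn), password)


class GroupLookupInterceptor:
    """Sits before AuthenticationInterceptor and proxies non-system binds."""
    def __init__(self, backend, next_interceptor):
        self._backend, self._next = backend, next_interceptor

    def bind(self, dn, password):
        if dn.lower().endswith(SYSTEM_SUFFIX):
            return self._next.bind(dn, password)  # system user: local chain decides
        if not dn or not password:
            # Anonymous / unauthenticated bind (RFC 4513, 5.1.1 and 5.1.2): do not
            # forward it, a directory may answer "success" without checking a secret.
            return False
        attr, _, value = dn.split(",", 1)[0].partition("=")  # naive: no escaped commas
        if attr.strip().lower() != "uid" or not value.strip():
            return False
        return self._backend.authenticate(value.strip(), password)


def build_chain():
    # Constructed sample accounts, not taken from the PR.
    auth = AuthenticationInterceptor({"uid=admin,ou=system": "constructed-admin-pw"})
    backend = FileBackend({"guest": "constructed-guest-pw"})
    return GroupLookupInterceptor(backend, auth), auth
```
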
