[ https://issues.apache.org/jira/browse/KNOX-3340?focusedWorklogId=1024814&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1024814 ]
ASF GitHub Bot logged work on KNOX-3340:
----------------------------------------
Author: ASF GitHub Bot
Created on: 12/Jun/26 08:09
Start Date: 12/Jun/26 08:09
Worklog Time Spent: 10m
Work Description: smolnar82 commented on code in PR #1258:
URL: https://github.com/apache/knox/pull/1258#discussion_r3401691596
##########
gateway-server/src/test/java/org/apache/knox/gateway/services/ldap/interceptor/LDAPRolesLookupInterceptorTest.java:
##########
@@ -68,14 +90,95 @@ public void testModifyEntryNoMemberOfNoRoles() throws
Exception {
assertNull(modifiedEntry.get("memberOf"));
}
- private LDAPRolesLookupInterceptor createInterceptor() {
+ @Test
+ public void testRolesLookupNoBypass() throws Exception {
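Review bot: The name testRolesLookupNoBypass on the added @Test does not say which non-bypass case it pins: a search request that carries no bypass control at all, or one that carries the control with the flag set to false. The request without any control is the default path, so it is worth a test of its own whose name says so (for example testRolesLookupWithoutControl), next to one for the control present with bypass disabled. Both should assert that memberOf holds roles, so that raw groups are returned only when a client explicitly asks for them.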
Review Comment:
With a little bit of refactoring, we might save some duplicated lines here too (you may think this is "my thing" :) )
```
// Builds the interceptor chain and a search context that carries the bypass control.
private TestContext createTestContext(boolean bypass, LDAPRolesLookupService rolesService) throws Exception {
    DirectoryService directoryService = new SimpleDirectoryService();
    directoryService.setShutdownHookEnabled(false);
    directoryService.setSchemaManager(SchemaManagerFactory.createSchemaManager());

    // Interceptor under test
    LDAPRolesLookupInterceptor interceptor =
        new LDAPRolesLookupInterceptor(rolesService, ROLES_LOOKUP_BYPASS_CONTROL_OID);
    interceptor.init(directoryService);
    directoryService.addLast(interceptor);

    // Next interceptor in the chain, which supplies the entries set by each test
    ConfigurableEntriesTestInterceptor nextInterceptor =
        new ConfigurableEntriesTestInterceptor("NEXT");
    nextInterceptor.init(directoryService);
    directoryService.addLast(nextInterceptor);

    SearchOperationContext ctx =
        new SearchOperationContext(directoryService.getSession());
    ctx.setInterceptors(List.of(interceptor.getName(), "NEXT"));

    // Attach the bypass control with the requested flag
    RolesLookupBypassControl control =
        new RolesLookupBypassControlImpl(ROLES_LOOKUP_BYPASS_CONTROL_OID);
    control.setBypassRolesLookup(bypass);
    ctx.addRequestControl(control);

    return new TestContext(interceptor, nextInterceptor, ctx);
}

private record TestContext(
    LDAPRolesLookupInterceptor interceptor,
    ConfigurableEntriesTestInterceptor nextInterceptor,
    SearchOperationContext ctx) {
}
```
Then tests are simpler:
```
@Test
public void testRolesLookupNoBypass() throws Exception {
    LDAPRolesLookupService mockRolesService =
        EasyMock.createMock(LDAPRolesLookupService.class);
    Collection<String> roles = List.of("roleA", "roleG");
    expect(mockRolesService.lookupRoles(anyString(), anyObject()))
        .andReturn(roles)
        .atLeastOnce();
    replay(mockRolesService);

    TestContext tc = createTestContext(false, mockRolesService);
    Entry userEntry = createUserEntry("alice",
        "cn=group1,ou=groups,dc=hadoop,dc=apache,dc=org");
    tc.nextInterceptor().setEntries(List.of(userEntry));

    EntryFilteringCursor entries = tc.interceptor().search(tc.ctx());
    assertTrue(entries.next());
    assertMemberOf(entries.get(),
        "cn=roleA,ou=groups,dc=hadoop,dc=apache,dc=org",
        "cn=roleG,ou=groups,dc=hadoop,dc=apache,dc=org");
    assertFalse(entries.next());
}

@Test
public void testRolesLookupWithBypass() throws Exception {
    TestContext tc = createTestContext(true, createMockRolesService());
    Entry userEntry = createUserEntry("alice",
        "cn=group1,ou=groups,dc=hadoop,dc=apache,dc=org");
    tc.nextInterceptor().setEntries(List.of(userEntry));

    EntryFilteringCursor entries = tc.interceptor().search(tc.ctx());
    assertTrue(entries.next());
    assertMemberOf(entries.get(),
        "cn=group1,ou=groups,dc=hadoop,dc=apache,dc=org");
    assertFalse(entries.next());
}
```
Issue Time Tracking
-------------------
Worklog Id: (was: 1024814)
Time Spent: 2h (was: 1h 50m)
> Enable KnoxLdapService Role Lookup to return either Roles or Groups
> -------------------------------------------------------------------
>
> Key: KNOX-3340
> URL: https://issues.apache.org/jira/browse/KNOX-3340
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: David Han
> Assignee: David Han
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 2h
> Remaining Estimate: 0h
>
> The KnoxLdapService, when configured with role lookup, will replace all groups
> in the resulting entries with roles. This Jira provides a mechanism for
> clients to request the underlying groups instead of the roles. E.g., groups
> would be needed for some service to admin/manage the mapping between groups
> and roles.