Unboundid #167
Unboundid #167
Conversation
|
|
||
| /** | ||
| * Created by dvoet on 6/6/17. | ||
| */ | ||
| trait DirectorySubjectNameSupport extends JndiSupport { |
There was a problem hiding this comment.
the additions to this trait moved from JndiSupport
| @@ -40,8 +45,17 @@ object Boot extends App with LazyLogging { | |||
| implicit val materializer = ActorMaterializer() | |||
| import scala.concurrent.ExecutionContext.Implicits.global | |||
|
|
|||
| val accessPolicyDAO = new JndiAccessPolicyDAO(directoryConfig) | |||
| val directoryDAO = new JndiDirectoryDAO(directoryConfig) | |||
| val dirURI = new URI(directoryConfig.directoryUrl) | |||
There was a problem hiding this comment.
jndi supports a ldap url which is what we have in conifg. Unboundid does not so here is a little tap dance to figure it out.
| @@ -88,7 +88,8 @@ package object config { | |||
| config.getString("user"), | |||
| config.getString("password"), | |||
| config.getString("baseDn"), | |||
| config.getString("enabledUsersGroupDn") | |||
| config.getString("enabledUsersGroupDn"), | |||
| config.as[Option[Int]]("connectionPoolSize").getOrElse(20) | |||
There was a problem hiding this comment.
default value for backwards compatibility
There was a problem hiding this comment.
I did not go over LdapDirectoryDAO and LdapPolicyDAO in terribly close detail. I scanned them quickly, but otherwise am counting on the tests and the coverage results from Coveralls to verify these classes. @dvoet if you want me to go over them in closer detail, just let me know.
| case unsupported => throw new WorkbenchException(s"unsupported directory url scheme: $unsupported") | ||
| } | ||
| val port = if (dirURI.getPort > 0) dirURI.getPort else defaultPort | ||
| val ldapConnectionPool = new LDAPConnectionPool(new LDAPConnection(socketFactory, dirURI.getHost, port, directoryConfig.user, directoryConfig.password), directoryConfig.connectionPoolSize) |
There was a problem hiding this comment.
Maybe we don't want to do anything now, but going off of @MatthewBemis's observation last week about setting the TTL on the connections, we might consider throwing in a call to https://docs.ldap.com/ldap-sdk/docs/javadoc/com/unboundid/ldap/sdk/LDAPConnectionPool.html#setMaxConnectionAgeMillis() at some point.
There was a problem hiding this comment.
I am not ready to do anything yet... let's keep with current behavior and see how it goes
| protected def dnMatcher(matchAttributeNames: Seq[String], baseDn: String): Regex = { | ||
| val partStrings = matchAttributeNames.map { attrName => s"$attrName=([^,]+)" } | ||
| partStrings.mkString("(?i)", ",", s",$baseDn").r | ||
| } |
There was a problem hiding this comment.
Are there tests for this?
There was a problem hiding this comment.
this code was just moved, not changed. I don't know if there are specific tests but it is tested.
| @@ -62,4 +80,7 @@ trait DirectorySubjectNameSupport extends JndiSupport { | |||
| case _ => throw new WorkbenchException(s"not a group dn [$dn]") | |||
| } | |||
| } | |||
|
|
|||
| protected def formattedDate(date: Date) = new SimpleDateFormat("yyyyMMddHHmmss.SSSZ").format(date) | |||
| protected def parseDate(date: String) = new SimpleDateFormat("yyyyMMddHHmmss.SSSZ").parse(date) | |||
There was a problem hiding this comment.
Nit, but extract string. Maybe add just a couple of basic tests.
| } recover { | ||
| case _: NoSuchAttributeException => () // don't fail if the member is already not in the group | ||
| case _: NoSuchAttributeException => false |
There was a problem hiding this comment.
Is this what we want? If I am trying to remove User1 from group foo and the user is already not present in the group, maybe that should be OK and just return true. In other words, I'm interpreting the method contract as: "When I return, the subject specified will no longer be a member of the group and I will return True. I will throw an exception if the group doesn't exist or some other error occurs while trying to remove the user from the group."
Alternatively, instead of just returning false, should we return an ErrorReport?
There was a problem hiding this comment.
look in the DirectoryDAO trait for the docs of how this should work. In general though, if at the end of the call the user is not in the group the function is successful. The boolean output signifies whether or not the user as actually removed during the course of the function call. This is a common pattern (https://docs.oracle.com/javase/7/docs/api/java/util/Set.html#remove(java.lang.Object)).
It is not an error so no ErrorReport.
| case Success(_) => true | ||
| case Failure(_: AttributeInUseException) => false | ||
| case Failure(regrets) => throw regrets | ||
| } |
There was a problem hiding this comment.
This method uses a Try block, whereas removeGroupMember uses just a withContext{...}recover{...}. Is there a reason why the alternative approaches are used? Since these methods are a matching pair, I think it makes sense for them to be consistent in implementation.
There was a problem hiding this comment.
this class is on the chopping block anyway, the change was only made because it made sense to change the return type
| directoryDAO.addGroupMember(resourceAndPolicyName, subject) recover { | ||
| case _: AttributeInUseException => // subject is already there | ||
| } andThen { | ||
| directoryDAO.addGroupMember(resourceAndPolicyName, subject).map(_ => ()) andThen { | ||
| case Success(_) => fireGroupUpdateNotification(resourceAndPolicyName) |
There was a problem hiding this comment.
It is possible that addGroupMember returns Success(false), in which case, we probably don't need to call fireGroupUpdateNotification because nothing changed. Furthermore, the fact that the user wasn't added, is not bubbled up in any way here, which means addSubjectToPolicy did not successfully perform its task and that's not reported out in any way.
There was a problem hiding this comment.
at the end of this function the subject is in the policy which is the desired result so everything is ok. I think you misunderstand what Success(false) means, it is not an error, it means the user was already there.
Technically we don't need to fireGroupUpdateNotification on Success(false) but I think that is needless complexity
| directoryDAO.removeGroupMember(resourceAndPolicyName, subject) recover { | ||
| case _: NoSuchAttributeException => // subject already gone | ||
| } andThen { | ||
| directoryDAO.removeGroupMember(resourceAndPolicyName, subject).map(_ => ()) andThen { | ||
| case Success(_) => fireGroupUpdateNotification(resourceAndPolicyName) |
There was a problem hiding this comment.
See comment for addSubjectToPolicy above. I'm not sure we want to treat Success(true) and Success(false) the same way.
There was a problem hiding this comment.
we do, none of this is new functionality
| @@ -58,20 +58,6 @@ trait JndiSupport { | |||
| t.get | |||
| } | |||
There was a problem hiding this comment.
I think we should we mark this method and/or class as deprecated and identify that it is still permitted to be used by the JndiSchemaDAO only.
Do we have a longer term task to refactor the JndiSchemaDAO to use unboundid? Or are we just going to leave it using JNDI?
| @@ -48,6 +53,11 @@ class JndiDirectoryDAOSpec extends FlatSpec with Matchers with TestSupport with | |||
| runAndWait(dao.createGroup(group)) | |||
| } | |||
|
|
|||
| val conflict = intercept[WorkbenchExceptionWithErrorReport] { | |||
There was a problem hiding this comment.
The name of the spec is "JndiGroupDirectoryDAO" should "create... should be renamed to LdapGroupDirectoryDAO
|
jenkins retest with leo fix merged |
|
jenkins retest |
implemented new version of directory and access policy daos using unboundid. I did not touch the schema dao, it still uses jndi. But I did turn off the jndi connection pool (schema dao is the only one to use it now and it just runs at the beginning)
Have you read CONTRIBUTING.md lately? If not, do that first.
I, the developer opening this PR, do solemnly pinky swear that:
In all cases: