NPE in LdapFacade.getSearchDescription caused by LDAP timeout

[vladak]

Another post-mortem induced issue: after LDAP lookup read timed out there was a bunch of NPEs (basically one for each project in the configuration) like this one:

05-Nov-2020 02:36:06.178 WARNING [http-nio-8080-exec-182] org.opengrok.indexer.authorization.AuthorizationStack.processStack AuthEntity "opengrok.auth.plugin.LdapFilterPlugin" has failed the testing of "foo" with an exception.
        java.lang.NullPointerException
                at java.base/java.util.Objects.requireNonNull(Objects.java:221)
                at java.base/java.lang.String.join(String.java:2394)
                at opengrok.auth.plugin.ldap.LdapFacade.getSearchDescription(LdapFacade.java:311)
                at opengrok.auth.plugin.ldap.LdapFacade.lookup(LdapFacade.java:396)
                at opengrok.auth.plugin.ldap.LdapFacade.lookup(LdapFacade.java:305)
                at opengrok.auth.plugin.ldap.LdapFacade.lookupLdapContent(LdapFacade.java:272)
                at opengrok.auth.plugin.ldap.AbstractLdapProvider.lookupLdapContent(AbstractLdapProvider.java:76)
                at opengrok.auth.plugin.LdapFilterPlugin.fillSession(LdapFilterPlugin.java:136)
                at opengrok.auth.plugin.AbstractLdapPlugin.ensureSessionExists(AbstractLdapPlugin.java:255)
                at opengrok.auth.plugin.AbstractLdapPlugin.isAllowed(AbstractLdapPlugin.java:307)
                at org.opengrok.indexer.authorization.AuthorizationFramework$3.decision(AuthorizationFramework.java:197)
                at org.opengrok.indexer.authorization.AuthorizationPlugin.isAllowed(AuthorizationPlugin.java:187)
                at org.opengrok.indexer.authorization.AuthorizationStack.processStack(AuthorizationStack.java:235)
                at org.opengrok.indexer.authorization.AuthorizationStack.isAllowed(AuthorizationStack.java:199)
                at org.opengrok.indexer.authorization.AuthorizationStack.processStack(AuthorizationStack.java:235)
                at org.opengrok.indexer.authorization.AuthorizationStack.isAllowed(AuthorizationStack.java:199)
                at org.opengrok.indexer.authorization.AuthorizationFramework.performCheck(AuthorizationFramework.java:574)
                at org.opengrok.indexer.authorization.AuthorizationFramework.checkAll(AuthorizationFramework.java:538)
                at org.opengrok.indexer.authorization.AuthorizationFramework.isAllowed(AuthorizationFramework.java:190)
                at org.opengrok.web.PageConfig.isAllowed(PageConfig.java:1608)
                at org.opengrok.web.ProjectHelper$2.test(ProjectHelper.java:203)
                at org.opengrok.web.ProjectHelper$2.test(ProjectHelper.java:200)
                at java.base/java.util.Collection.removeIf(Collection.java:544)
                at org.opengrok.web.ProjectHelper.filterGroups(ProjectHelper.java:200)
                at org.opengrok.web.ProjectHelper.cacheGroups(ProjectHelper.java:237)
                at org.opengrok.web.ProjectHelper.getGroups(ProjectHelper.java:247)
                at org.opengrok.web.ProjectHelper.populateGroups(ProjectHelper.java:168)
                at org.opengrok.web.ProjectHelper.<init>(ProjectHelper.java:93)
                at org.opengrok.web.ProjectHelper.getInstance(ProjectHelper.java:107)
                at org.opengrok.web.PageConfig.getProjectHelper(PageConfig.java:1009)
                at org.opengrok.web.PageConfig.lambda$getResourceFileList$4(PageConfig.java:487)
                at java.base/java.util.ArrayList.removeIf(ArrayList.java:1701)
                at java.base/java.util.ArrayList.removeIf(ArrayList.java:1689)
                at org.opengrok.web.PageConfig.getResourceFileList(PageConfig.java:486)
                at org.opengrok.web.PageConfig.canProcess(PageConfig.java:412)
                at org.apache.jsp.list_jsp._jspService(list_jsp.java:289)
...

The getSearchDescription() likely got null attributes.

[vladak]

The problem is that LdapFilterPlugin calls ldapProvider.lookupLdapContent(null, expandedFilter) which is return lookupLdapContent(dn, filter, null); which ends up in LdapFacade:

269      @Override
270      public LdapSearchResult<Map<String, Set<String>>> lookupLdapContent(String dn, String filter, String[] values) throws LdapException {
271  
272          return lookup(
273                  dn != null ? dn : getSearchBase(),
274                  filter == null ? LDAP_FILTER : filter,
275                  values,
276                  new ContentAttributeMapper(values));
277      }

...

303      private <T> LdapSearchResult<T> lookup(String dn, String filter, String[] attributes, AttributeMapper<T> mapper) throws LdapException {
304          Instant start = Instant.now();
305          LdapSearchResult<T> res = lookup(dn, filter, attributes, mapper, 0);
306          ldapLookupTimer.record(Duration.between(start, Instant.now()));
307          return res;
308      }

and due to the exception (probably caused by the timeout) ends up here:

394          } catch (NamingException ex) {
395              LOGGER.log(Level.SEVERE, String.format("An arbitrary LDAP error occurred on server %s " +
396                      "when searching for '%s'", server, getSearchDescription(dn, filter, attributes)), ex);

so the problem is that the values parameter (which becomes the attributes parameter) is null from the beginning.