Merge pull request #3205 from vladak/ldap_plugins_logging

add debug logging to LDAP authorization plugins

Author: tarzanek

plugins/src/main/java/opengrok/auth/plugin/LdapAttrPlugin.java

@@ -18,7 +18,7 @@
  */
 
 /*
- * Copyright (c) 2016, 2018 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2020 Oracle and/or its affiliates. All rights reserved.
  */
 package opengrok.auth.plugin;
 
@@ -70,6 +70,7 @@ public class LdapAttrPlugin extends AbstractLdapPlugin {
     private String ldapAttr;
     private final Set<String> whitelist = new TreeSet<>();
     private Integer ldapUserInstance;
+    private String filePath;
 
     public LdapAttrPlugin() {
         sessionAllowed += "-" + nextId++;
@@ -94,7 +95,6 @@ private void init(Map<String, Object> parameters) {
             throw new NullPointerException("Missing param [" + ATTR_PARAM + "] in the setup");
         }
 
-        String filePath;
         if ((filePath = (String) parameters.get(FILE_PARAM)) == null) {
             throw new NullPointerException("Missing param [" + FILE_PARAM + "] in the setup");
         }
@@ -142,38 +142,41 @@ public void fillSession(HttpServletRequest req, User user) {
         // Check attributes cached in LDAP user object first, then query LDAP server
         // (and if found, cache the result in the LDAP user object).
         attributeValues = ldapUser.getAttribute(ldapAttr);
-        if (attributeValues != null) {
-            sessionAllowed = attributeValues.stream().anyMatch(whitelist::contains);
-        } else {
+        if (attributeValues == null) {
+            AbstractLdapProvider ldapProvider = getLdapProvider();
             try {
                 String dn = ldapUser.getDn();
                 if (dn != null) {
-                    LOGGER.log(Level.FINEST, "searching with dn={0}", dn);
+                    LOGGER.log(Level.FINEST, "searching with dn={0} on {1}",
+                            new Object[]{dn, ldapProvider});
                     AbstractLdapProvider.LdapSearchResult<Map<String, Set<String>>> res;
-                    if ((res = getLdapProvider().lookupLdapContent(dn, new String[]{ldapAttr})) == null) {
-                        LOGGER.log(Level.WARNING, "cannot lookup attributes {0} for user {1} (LDAP provider: {2})",
-                                new Object[]{ldapAttr, user, getLdapProvider()});
+                    if ((res = ldapProvider.lookupLdapContent(dn, new String[]{ldapAttr})) == null) {
+                        LOGGER.log(Level.WARNING, "cannot lookup attributes {0} for user {1} on {2})",
+                                new Object[]{ldapAttr, user, ldapProvider});
                         return;
                     }
 
                     records = res.getAttrs();
                 } else {
-                    LOGGER.log(Level.FINE, "no DN for user {0}", user);
+                    LOGGER.log(Level.FINE, "no DN for user {0} on {1}",
+                            new Object[]{user, ldapProvider});
                 }
             } catch (LdapException ex) {
                 throw new AuthorizationException(ex);
             }
 
             if (records == null || records.isEmpty() || (attributeValues = records.get(ldapAttr)) == null) {
-                LOGGER.log(Level.WARNING, "empty records or attribute values {0} for user {1}",
-                        new Object[]{ldapAttr, user});
+                LOGGER.log(Level.WARNING, "empty records or attribute values {0} for user {1} on {2}",
+                        new Object[]{ldapAttr, user, ldapProvider});
                 return;
             }
 
             ldapUser.setAttribute(ldapAttr, attributeValues);
-            sessionAllowed = attributeValues.stream().anyMatch(whitelist::contains);
         }
 
+        sessionAllowed = attributeValues.stream().anyMatch(whitelist::contains);
+        LOGGER.log(Level.FINEST, "LDAP user {0} {1} against {2}",
+                new Object[]{ldapUser, sessionAllowed ? "allowed" : "denied", filePath});
         updateSession(req, sessionAllowed);
     }
 

plugins/src/main/java/opengrok/auth/plugin/LdapFilterPlugin.java

@@ -18,7 +18,7 @@
  */
 
 /*
- * Copyright (c) 2016, 2019 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2020 Oracle and/or its affiliates. All rights reserved.
  */
 package opengrok.auth.plugin;
 
@@ -32,6 +32,7 @@
 import javax.servlet.http.HttpServletRequest;
 import opengrok.auth.entity.LdapUser;
 import opengrok.auth.plugin.entity.User;
+import opengrok.auth.plugin.ldap.AbstractLdapProvider;
 import opengrok.auth.plugin.ldap.LdapException;
 import opengrok.auth.plugin.util.FilterUtil;
 import org.opengrok.indexer.authorization.AuthorizationException;
@@ -122,22 +123,28 @@ public void fillSession(HttpServletRequest req, User user) {
         updateSession(req, false);
 
         if ((ldapUser = (LdapUser) req.getSession().getAttribute(getSessionAttr())) == null) {
-            LOGGER.log(Level.FINER, "failed to get LDAP attribute " + LdapUserPlugin.SESSION_ATTR);
+            LOGGER.log(Level.WARNING, "failed to get LDAP attribute ''{0}'' from session for user {1}",
+                    new Object[]{LdapUserPlugin.SESSION_ATTR, user});
             return;
         }
 
         String expandedFilter = expandFilter(ldapFilter, ldapUser, user);
-        LOGGER.log(Level.FINER, "expanded filter for user {0} and LDAP user {1} into ''{2}''",
+        LOGGER.log(Level.FINEST, "expanded filter for user {0} and LDAP user {1} into ''{2}''",
                 new Object[]{user, ldapUser, expandedFilter});
+        AbstractLdapProvider ldapProvider = getLdapProvider();
         try {
-            if ((getLdapProvider().lookupLdapContent(null, expandedFilter)) == null) {
-                LOGGER.log(Level.FINER, "failed to get content for user from LDAP server");
+            if ((ldapProvider.lookupLdapContent(null, expandedFilter)) == null) {
+                LOGGER.log(Level.WARNING,
+                        "failed to get content for LDAP user {0} with filter {1} on {2}",
+                        new Object[]{ldapUser, expandedFilter, ldapProvider});
                 return;
             }
         } catch (LdapException ex) {
             throw new AuthorizationException(ex);
         }
 
+        LOGGER.log(Level.FINEST, "LDAP user {0} allowed on {2}",
+                new Object[]{ldapUser, ldapProvider});
         updateSession(req, true);
     }
 

plugins/src/main/java/opengrok/auth/plugin/LdapUserPlugin.java

@@ -18,7 +18,7 @@
  */
 
 /*
- * Copyright (c) 2016, 2019 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2020 Oracle and/or its affiliates. All rights reserved.
  */
 package opengrok.auth.plugin;
 
@@ -153,17 +153,24 @@ public void fillSession(HttpServletRequest req, User user) {
             return;
         }
 
-        String expandedFilter = null;
         String dn = null;
         if (useDN) {
             dn = user.getUsername();
+            LOGGER.log(Level.FINEST, "using DN ''{0}'' for user {1}",
+                    new Object[]{dn, user});
         }
+
+        String expandedFilter = null;
         if (ldapFilter != null) {
             expandedFilter = expandFilter(user);
+            LOGGER.log(Level.FINEST, "expanded filter for user {0} into ''{1}''",
+                    new Object[]{user, expandedFilter});
         }
+
+        AbstractLdapProvider ldapProvider = getLdapProvider();
         try {
             AbstractLdapProvider.LdapSearchResult<Map<String, Set<String>>> res;
-            if ((res = getLdapProvider().lookupLdapContent(dn, expandedFilter,
+            if ((res = ldapProvider.lookupLdapContent(dn, expandedFilter,
                     attributes.toArray(new String[0]))) == null) {
                 LOGGER.log(Level.WARNING, "failed to get LDAP attributes ''{2}'' for user {0} " +
                                 "with filter ''{1}'' from LDAP provider {3}",
@@ -174,21 +181,23 @@ public void fillSession(HttpServletRequest req, User user) {
             records = res.getAttrs();
             if (!useDN) {
                 dn = res.getDN();
+                LOGGER.log(Level.FINEST, "got DN ''{0}'' for user {1} on {2}",
+                        new Object[]{dn, user});
             }
         } catch (LdapException ex) {
             throw new AuthorizationException(ex);
         }
 
         if (records.isEmpty()) {
-            LOGGER.log(Level.WARNING, "LDAP records for user {0} are empty",
-                    user);
+            LOGGER.log(Level.WARNING, "LDAP records for user {0} are empty on {1}",
+                    new Object[]{user, ldapProvider});
             return;
         }
 
         for (String attrName : attributes) {
             if (!records.containsKey(attrName) || records.get(attrName) == null || records.get(attrName).isEmpty()) {
-                LOGGER.log(Level.WARNING, "''{0}'' record for user {1} is not present or empty (LDAP provider: {2})",
-                        new Object[]{attrName, user, getLdapProvider()});
+                LOGGER.log(Level.WARNING, "''{0}'' record for user {1} is not present or empty on {2}",
+                        new Object[]{attrName, user, ldapProvider});
             }
         }
 
@@ -197,7 +206,8 @@ public void fillSession(HttpServletRequest req, User user) {
             attrSet.put(attrName, records.get(attrName));
         }
 
-        LOGGER.log(Level.FINEST, "DN for user {0}: {1}", new Object[]{user, dn});
+        LOGGER.log(Level.FINEST, "DN for user {0} is ''{1}'' on {2}",
+                new Object[]{user, dn, ldapProvider});
         updateSession(req, new LdapUser(dn, attrSet));
     }
 

plugins/src/main/java/opengrok/auth/plugin/ldap/LdapFacade.java

@@ -18,7 +18,7 @@
  */
 
 /*
- * Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
  */
 package opengrok.auth.plugin.ldap;
 
@@ -30,7 +30,6 @@
 import java.util.TreeSet;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-import java.util.stream.Collectors;
 import javax.naming.CommunicationException;
 import javax.naming.NameNotFoundException;
 import javax.naming.NamingEnumeration;
@@ -431,8 +430,7 @@ private <T> T processResult(SearchResult result, AttributeMapper<T> mapper) thro
     }
 
     public String toString() {
-        return "{servers=" + String.join(",",
-                getServers().stream().map(LdapServer::getUrl).collect(Collectors.toList())) +
+        return "{server=" + (actualServer != -1 ? servers.get(actualServer) : "no active server") +
                 ", searchBase=" + getSearchBase() + "}";
     }
 }

plugins/src/test/java/opengrok/auth/plugin/ldap/LdapFacadeTest.java

@@ -7,6 +7,7 @@
 import org.mockito.Mockito;
 
 import javax.naming.directory.SearchControls;
+import javax.naming.ldap.LdapContext;
 
 import java.net.InetAddress;
 import java.net.UnknownHostException;
@@ -45,16 +46,35 @@ public void testConnectTimeoutInheritance() {
     }
 
     @Test
-    public void testToString() {
+    public void testToStringNegative() throws UnknownHostException {
         Configuration config = new Configuration();
-        config.setServers(Arrays.asList(new LdapServer("http://foo.foo"),
-                new LdapServer("http://bar.bar",
-                        "cn=FOOBAR,l=amer,dc=example,dc=com", "MySecretPassword")));
+        LdapServer server1 = new LdapServer("ldap://foo.com");
+        LdapServer serverSpy1 = Mockito.spy(server1);
+        Mockito.when(serverSpy1.getAddresses(any())).thenReturn(new InetAddress[]{InetAddress.getLocalHost()});
+        Mockito.when(serverSpy1.isReachable()).thenReturn(false);
+
+        config.setServers(Collections.singletonList(serverSpy1));
         config.setSearchBase("dc=foo,dc=com");
-        int timeoutValue = 42;
+        int timeoutValue = 3;
+        config.setConnectTimeout(timeoutValue);
+        LdapFacade facade = new LdapFacade(config);
+        assertEquals("{server=no active server, searchBase=dc=foo,dc=com}",
+                facade.toString());
+    }
+
+    @Test
+    public void testToStringPositive() throws UnknownHostException {
+        Configuration config = new Configuration();
+        LdapServer server1 = new LdapServer("ldap://foo.com");
+        LdapServer serverSpy1 = Mockito.spy(server1);
+        Mockito.doReturn(true).when(serverSpy1).isWorking();
+
+        config.setServers(Collections.singletonList(serverSpy1));
+        config.setSearchBase("dc=foo,dc=com");
+        int timeoutValue = 3;
         config.setConnectTimeout(timeoutValue);
         LdapFacade facade = new LdapFacade(config);
-        assertEquals("{servers=http://foo.foo,http://bar.bar, searchBase=dc=foo,dc=com}",
+        assertEquals("{server=ldap://foo.com timeout: 3, searchBase=dc=foo,dc=com}",
                 facade.toString());
     }