add RESTful hooks and unchecked exception on LDAP pool failure

fixes #2740

Author: Vladimir Kotal

opengrok-indexer/src/main/java/org/opengrok/indexer/authorization/AuthorizationStack.java

@@ -242,7 +242,7 @@ protected boolean processStack(Nameable entity,
 
                 LOGGER.log(Level.FINEST, "AuthEntity \"{0}\" [{1}] testing a name \"{2}\" => {3}",
                         new Object[]{authEntity.getName(), authEntity.getFlag(), entity.getName(),
-                            pluginDecision ? "true" : "false"});
+                                pluginDecision ? "true" : "false"});
 
                 if (!pluginDecision && authEntity.isRequired()) {
                     // required sets a failure but still invokes all other plugins
@@ -257,6 +257,10 @@ protected boolean processStack(Nameable entity,
                     overallDecision = true;
                     break;
                 }
+            } catch (LdapException ex) {
+                // Propagate up so that proper HTTP error can be given.
+                LOGGER.log(Level.FINEST, "got LDAP exception: " + ex.getMessage());
+                throw ex;
             } catch (Throwable ex) {
                 LOGGER.log(Level.WARNING,
                         String.format("AuthEntity \"%s\" has failed the testing of \"%s\" with an exception.",

opengrok-indexer/src/main/java/org/opengrok/indexer/authorization/LdapException.java

@@ -0,0 +1,43 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * See LICENSE.txt included in this distribution for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at LICENSE.txt.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ */
+
+package org.opengrok.indexer.authorization;
+
+/**
+ * Unchecked exception to be thrown when LDAP server pool is down.
+ */
+public class LdapException extends RuntimeException {
+    public static final long serialVersionUID = -1;
+
+    public LdapException() {
+        super();
+    }
+
+    public LdapException(String str) {
+        super(str);
+    }
+
+    public LdapException(String str, Throwable ex) {
+        super(str, ex);
+    }
+}

opengrok-indexer/src/main/java/org/opengrok/indexer/framework/PluginClassLoader.java

@@ -53,6 +53,7 @@ public class PluginClassLoader extends ClassLoader {
             "org.opengrok.indexer.configuration.RuntimeEnvironment",
             "org.opengrok.indexer.authorization.IAuthorizationPlugin",
             "org.opengrok.indexer.authorization.plugins.*",
+            "org.opengrok.indexer.authorization.LdapError",
             "org.opengrok.indexer.util.*",
             "org.opengrok.indexer.logger.*"
     };

opengrok-web/src/main/webapp/error.jsp

@@ -16,7 +16,7 @@ information: Portions Copyright [yyyy] [name of copyright owner]
 
 CDDL HEADER END
 
-Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
+Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
 Portions Copyright 2011 Jens Elkner.
 Portions Copyright (c) 2018, Chris Fraire <[email protected]>.
 
@@ -55,13 +55,6 @@ include file="pageheader.jspf"
 
 %>
         </div>
-        <div id="Masthead">Error</div>
-        <div id="sbar"><%@
-
-include file="menu.jspf"
-
-        %></div>
-    </div>
 <%
 {
     PageConfig cfg = PageConfig.get(request);

plugins/pom.xml

@@ -52,6 +52,21 @@ Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
             <version>4.12</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.glassfish.jersey.core</groupId>
+            <artifactId>jersey-client</artifactId>
+            <version>${jersey.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.glassfish.jersey.media</groupId>
+            <artifactId>jersey-media-json-jackson</artifactId>
+            <version>${jersey.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.glassfish.jersey.inject</groupId>
+            <artifactId>jersey-hk2</artifactId>
+            <version>${jersey.version}</version>
+        </dependency>
     </dependencies>
 
     <build>

plugins/src/opengrok/auth/plugin/LdapAttrPlugin.java

@@ -28,6 +28,8 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.TreeSet;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import java.util.stream.Stream;
 import javax.servlet.http.HttpServletRequest;
 import opengrok.auth.entity.LdapUser;
@@ -42,6 +44,9 @@
  */
 public class LdapAttrPlugin extends AbstractLdapPlugin {
 
+    private static final Logger LOGGER = Logger.getLogger(LdapAttrPlugin.class.getName());
+
+
     protected static final String ATTR_PARAM = "attribute"; // LDAP attribute name to check
     protected static final String FILE_PARAM = "file";
 
@@ -92,7 +97,7 @@ public void fillSession(HttpServletRequest req, User user) {
         updateSession(req, sessionAllowed);
 
         if ((ldapUser = (LdapUser) req.getSession().getAttribute(LdapUserPlugin.SESSION_ATTR)) == null) {
-            // TODO log
+            LOGGER.log(Level.FINE, "cannot get {0} attribute", LdapUserPlugin.SESSION_ATTR);
             return;
         }
 

plugins/src/opengrok/auth/plugin/LdapFilterPlugin.java

@@ -71,12 +71,11 @@ protected boolean sessionExists(HttpServletRequest req) {
 
     @Override
     public void fillSession(HttpServletRequest req, User user) {
-        Boolean sessionAllowed = false;
         LdapUser ldapUser;
         Map<String, Set<String>> records;
         String[] dn = {"dn"};
 
-        updateSession(req, sessionAllowed);
+        updateSession(req, false);
 
         if ((ldapUser = (LdapUser) req.getSession().getAttribute(LdapUserPlugin.SESSION_ATTR)) == null) {
             LOGGER.log(Level.FINER, "failed to get attribute " + LdapUserPlugin.SESSION_ATTR);
@@ -92,9 +91,8 @@ public void fillSession(HttpServletRequest req, User user) {
         }
 
         LOGGER.log(Level.FINER, "got {0} records", records.size());
-        sessionAllowed = true;
 
-        updateSession(req, sessionAllowed);
+        updateSession(req, true);
     }
 
     /**

plugins/src/opengrok/auth/plugin/configuration/Configuration.java

@@ -36,12 +36,14 @@
 import java.util.ArrayList;
 import java.util.List;
 import opengrok.auth.plugin.ldap.LdapServer;
+import opengrok.auth.plugin.util.Hooks;
 
 public class Configuration {
 
     private List<LdapServer> servers = new ArrayList<>();
     private int interval;
     private String searchBase;
+    private Hooks hooks;
 
     public void setServers(List<LdapServer> servers) {
         this.servers = servers;
@@ -51,6 +53,14 @@ public List<LdapServer> getServers() {
         return servers;
     }
 
+    public void setHooks(Hooks hooks) {
+        this.hooks = hooks;
+    }
+
+    public Hooks getHooks() {
+        return hooks;
+    }
+
     public int getInterval() {
         return interval;
     }

plugins/src/opengrok/auth/plugin/ldap/LdapFacade.java

@@ -40,8 +40,13 @@
 import javax.naming.directory.Attributes;
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
+
 import opengrok.auth.plugin.configuration.Configuration;
 import opengrok.auth.plugin.entity.User;
+import opengrok.auth.plugin.util.Hook;
+import opengrok.auth.plugin.util.Hooks;
+import org.opengrok.indexer.authorization.LdapException;
+import opengrok.auth.plugin.util.RestfulClient;
 
 public class LdapFacade extends AbstractLdapProvider {
 
@@ -77,7 +82,7 @@ public class LdapFacade extends AbstractLdapProvider {
      * Also each server uses this same interval since its last failure - per
      * server waiting.
      */
-    private int interval = 10 * 1000;
+    private int interval = 10 * 1000; // ms
 
     /**
      * LDAP search base
@@ -89,6 +94,11 @@ public class LdapFacade extends AbstractLdapProvider {
      */
     private List<LdapServer> servers = new ArrayList<>();
 
+    /**
+     * server hooks
+     */
+    Hooks hooks;
+
     private SearchControls controls;
     private int actualServer = 0;
     private long errorTimestamp = 0;
@@ -171,10 +181,15 @@ public LdapFacade(Configuration cfg) {
         setServers(cfg.getServers());
         setInterval(cfg.getInterval());
         setSearchBase(cfg.getSearchBase());
+        setHooks(cfg.getHooks());
         prepareSearchControls();
         prepareServers();
     }
 
+    private void setHooks(Hooks hooks) {
+        this.hooks = hooks;
+    }
+
     /**
      * Finds first working server in the pool.
      */
@@ -255,8 +270,6 @@ public Map<String, Set<String>> lookupLdapContent(User user, String filter, Stri
     private SearchControls prepareSearchControls() {
         controls = new SearchControls();
         controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
-        controls.setTimeLimit(LDAP_TIMEOUT);
-        controls.setCountLimit(LDAP_COUNT_LIMIT);
         return controls;
     }
 
@@ -292,22 +305,26 @@ private <T> T lookup(String dn, String filter, String[] attributes, AttributeMap
         if (errorTimestamp > 0 && errorTimestamp + interval > System.currentTimeMillis()) {
             if (!reported) {
                 reported = true;
-                LOGGER.log(Level.SEVERE, "Server pool is still broken");
+                LOGGER.log(Level.SEVERE, "LDAP server pool is still broken");
             }
-            return null;
+            throw new LdapException("LDAP server pool is still broken");
         }
 
         if (fail > servers.size() - 1) {
             // did the whole rotation
-            LOGGER.log(Level.SEVERE, "Tried all servers in a pool but no server works");
+            LOGGER.log(Level.SEVERE, "Tried all LDAP servers in a pool but no server works");
             errorTimestamp = System.currentTimeMillis();
             reported = false;
-            return null;
+            Hook hook;
+            if ((hook = hooks.getFail()) != null) {
+                RestfulClient.postIt(hook.getURI(), hook.getContent());
+            }
+            throw new LdapException("Tried all LDAP servers in a pool but no server works");
         }
 
         if (!isConfigured()) {
             LOGGER.log(Level.SEVERE, "LDAP is not configured");
-            return null;
+            throw new LdapException("LDAP is not configured");
         }
 
         NamingEnumeration<SearchResult> namingEnum = null;
@@ -317,11 +334,17 @@ private <T> T lookup(String dn, String filter, String[] attributes, AttributeMap
             for (namingEnum = server.search(dn, filter, controls); namingEnum.hasMore();) {
                 SearchResult sr = namingEnum.next();
                 reported = false;
+                if (errorTimestamp > 0) {
+                    errorTimestamp = 0;
+                    Hook hook;
+                    if ((hook = hooks.getRecover()) != null) {
+                        RestfulClient.postIt(hook.getURI(), hook.getContent());
+                    }
+                }
                 return processResult(sr, mapper);
             }
         } catch (NameNotFoundException ex) {
-            LOGGER.log(Level.SEVERE, "The LDAP name was not found.", ex);
-            return null;
+            throw new LdapException("The LDAP name was not found.", ex);
         } catch (SizeLimitExceededException ex) {
             LOGGER.log(Level.SEVERE, "The maximum size of the LDAP result has exceeded.", ex);
             closeActualServer();
@@ -352,7 +375,8 @@ private <T> T lookup(String dn, String filter, String[] attributes, AttributeMap
                 }
             }
         }
-        return null;
+
+        throw new LdapException("LDAP naming problem");
     }
 
     private void closeActualServer() {

plugins/src/opengrok/auth/plugin/ldap/LdapServer.java

@@ -134,7 +134,7 @@ private synchronized LdapContext connect() {
         LOGGER.log(Level.INFO, "Server {0} connecting", this.url);
 
         if (errorTimestamp > 0 && errorTimestamp + interval > System.currentTimeMillis()) {
-            LOGGER.log(Level.INFO, "Server {0} is down", this.url);
+            LOGGER.log(Level.INFO, "LDAP server {0} is down", this.url);
             close();
             return null;
         }
@@ -156,10 +156,10 @@ private synchronized LdapContext connect() {
                 ctx = new InitialLdapContext(env, null);
                 ctx.reconnect(null);
                 ctx.setRequestControls(null);
-                LOGGER.log(Level.INFO, "Connected to server {0}", env.get(Context.PROVIDER_URL));
+                LOGGER.log(Level.INFO, "Connected to LDAP server {0}", env.get(Context.PROVIDER_URL));
                 errorTimestamp = 0;
             } catch (NamingException ex) {
-                LOGGER.log(Level.INFO, "Server {0} is not responding", env.get(Context.PROVIDER_URL));
+                LOGGER.log(Level.INFO, "LDAP server {0} is not responding", env.get(Context.PROVIDER_URL));
                 errorTimestamp = System.currentTimeMillis();
                 close();
                 return ctx = null;
@@ -198,14 +198,16 @@ public NamingEnumeration<SearchResult> search(String name, String filter, Search
 
         if (!isWorking()) {
             close();
-            throw new CommunicationException(String.format("Server \"%s\" is down", env.get(Context.PROVIDER_URL)));
+            throw new CommunicationException(String.format("LDAP server \"%s\" is down",
+                    env.get(Context.PROVIDER_URL)));
         }
 
         if (reconnected) {
-            LOGGER.log(Level.INFO, "Server {0} reconnect", env.get(Context.PROVIDER_URL));
+            LOGGER.log(Level.INFO, "LDAP server {0} reconnect", env.get(Context.PROVIDER_URL));
             close();
             if ((ctx = connect()) == null) {
-                throw new CommunicationException(String.format("Server \"%s\" cannot reconnect", env.get(Context.PROVIDER_URL)));
+                throw new CommunicationException(String.format("LDAP server \"%s\" cannot reconnect",
+                        env.get(Context.PROVIDER_URL)));
             }
         }