- 
                Notifications
    You must be signed in to change notification settings 
- Fork 6.2k
Add Support Extracting DN From X500Principal #16984
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
| Thanks for the PR @franticticktick Upon review, I think that it makes more sense to deprecate and create a  What are your thoughts @jzheaux ? | 
| Yes, @rwinch, I agree. Originally, I was trying to be a bit more conservative and reuse what we have, but I believe a new implementation will allow for a name that clearly indicates what it's for. | 
| @rwinch @jzheaux there is one problem I would like to discuss. By default, the  We see an oid instead of an  To get a text string instead of an encoded value, we need to explicitly specify the format, this is RFC1779. In this case, the generated  In this format we can get email, but no matter what format we specify, we will still get oid in the string. Even if we leave the dn extraction by pattern, it will be very non-obvious. For example: This is a pretty hard to understand API.  At the same time, the  And this will give the same result as the current implementation. If you have any ideas on how to better implement this feature, I'm ready to listen. | 
| @franticticktick Thanks for reaching out. I do not think that we can use the toString method because it is implementation dependent. I think that we should probably allow for the format and regex to be injected. We can have an additional boolean property for extracting the email address that in turn sets the format and regex to extract the email address. This will simplify the usage for users that do not want to dig into the details of how things work under the covers. Does that work? | 
| @rwinch I considered this solution. Provided that we provide the ability to extract dn via cn and email, this will work. Frankly speaking, I don't really like flags, they sometimes confuse, but as I understand it, in our situation there is no other solution. I will prepare a pr. | 
fa9c24b    to
    2f489f1      
    Compare
  
    There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the changes @franticticktick! I think this is getting close. I'd like to preserve the idea of having a regex for extracting the principal name and allowing the user to specify the format. The difference would be that the extractPrincipalNameFromEmail would set the correct format + the correct regex without needing to understand how it works.
I'd argue that we probably don't need any properties on the DSLs but instead just allow the user to set the properties on SubjectX500PrincipalExtractor and then the extractor on the DSL (or exposed as a Bean...however it works now)
| @rwinch I suggest introducing the format as an enum: This will allow you to configure  Or: Extracting dn from email can be enabled with a flag. Since the regex is available through the  | 
| @franticticktick I'm not sure if we need to expose additional properties on the configurer. Instead we could allow users to specify the  | 
| @rwinch I am afraid that the user may not get the result from the regexp that he wants because of the wrong format. Most likely he will try to find this property in the configurer and will be confused when he does not find it. We can make the first version without the format in the configurer and look at the feedback of users. If there are many complaints about the lack of a format, we can always add it. In addition, I will open a separate ticket for the feature of initializing  | 
| @franticticktick I think that is a valid concern. I should have said that we should consider deprecating the other properties in another ticket. What are your thoughts? | 
| @rwinch I agree that additional properties are best discussed in a separate ticket, but I am concerned about backward compatibility. Currently, if a user specifies the regexp  We can also add logging with a warning - use  | 
Closes spring-projectsgh-16980 Signed-off-by: Max Batischev <[email protected]>
This simplifies the logic when extracting the principal and allows more flexibility in the future by allowing the format and regex to be added as setters.
- Provide more details on how the principalName is extracted - Update to specify an OID is used for emailAddress
Enables customizing the X500PrincipalExtractor
- Use include-code - Demo how to customize SubjectX500PrincipalExtractor
| Thanks for the update. I've pushed a few changes and this will be merged as soon as the build passes. You can see the commits for details, but a summary of the main changes are: 
 | 
Closes gh-16980