in src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java [952:1069]
protected Set<LdapName> resolveNestedRoles(final LdapName roleDn, final Connection ldapConnection,
String userRoleName, int depth, final boolean rolesearchEnabled,
Set<Map.Entry<String, Settings>> roleSearchBaseSettingsSet)
throws OpenSearchSecurityException, LdapException {
if (nestedRoleMatcher.test(roleDn.toString())) {
if (log.isTraceEnabled()) {
log.trace("Filter nested role {}", roleDn);
}
return Collections.emptySet();
}
depth++;
final boolean isDebugEnabled = log.isDebugEnabled();
final Set<LdapName> result = new HashSet<>(20);
final HashMultimap<LdapName, Map.Entry<String, Settings>> resultRoleSearchBaseKeys = HashMultimap.create();
final LdapEntry e0 = LdapHelper.lookup(ldapConnection, roleDn.toString());
if (e0.getAttribute(userRoleName) != null) {
final Collection<String> userRoles = e0.getAttribute(userRoleName).getStringValues();
for (final String possibleRoleDN : userRoles) {
if (isDebugEnabled){
log.debug("DBGTRACE (10): possibleRoleDN"+possibleRoleDN);
}
if (isValidDn(possibleRoleDN)) {
try {
LdapName ldapName = new LdapName(possibleRoleDN);
result.add(ldapName);
resultRoleSearchBaseKeys.putAll(ldapName, this.roleBaseSettings);
} catch (InvalidNameException e) {
// ignore
}
} else {
if (isDebugEnabled) {
log.debug("Cannot add {} as a role because its not a valid dn", possibleRoleDN);
}
}
}
}
final boolean isTraceEnabled = log.isTraceEnabled();
if (isTraceEnabled) {
log.trace("result nested attr count for depth {} : {}", depth, result.size());
}
if (rolesearchEnabled) {
String escapedDn = roleDn.toString();
if (isDebugEnabled){
log.debug("DBGTRACE (10): escapedDn {}", escapedDn);
}
for (Map.Entry<String, Settings> roleSearchBaseSettingsEntry : Utils
.getOrderedBaseSettings(roleSearchBaseSettingsSet)) {
Settings roleSearchSettings = roleSearchBaseSettingsEntry.getValue();
SearchFilter f = new SearchFilter();
f.setFilter(roleSearchSettings.get(ConfigConstants.LDAP_AUTHCZ_SEARCH, DEFAULT_ROLESEARCH));
f.setParameter(LDAPAuthenticationBackend.ZERO_PLACEHOLDER, escapedDn);
f.setParameter(ONE_PLACEHOLDER, escapedDn);
List<LdapEntry> foundEntries = LdapHelper.search(ldapConnection,
roleSearchSettings.get(ConfigConstants.LDAP_AUTHCZ_BASE, DEFAULT_ROLEBASE),
f,
SearchScope.SUBTREE);
if (isTraceEnabled) {
log.trace("Results for LDAP group search for {} in base {}:\n{}", escapedDn, roleSearchBaseSettingsEntry.getKey(), foundEntries);
}
if (foundEntries != null) {
for (final LdapEntry entry : foundEntries) {
try {
final LdapName dn = new LdapName(entry.getDn());
result.add(dn);
resultRoleSearchBaseKeys.put(dn, roleSearchBaseSettingsEntry);
} catch (final InvalidNameException e) {
throw new LdapException(e);
}
}
}
}
}
int maxDepth = ConfigConstants.LDAP_AUTHZ_MAX_NESTED_DEPTH_DEFAULT;
try {
maxDepth = settings.getAsInt(ConfigConstants.LDAP_AUTHZ_MAX_NESTED_DEPTH,
ConfigConstants.LDAP_AUTHZ_MAX_NESTED_DEPTH_DEFAULT);
} catch (Exception e) {
log.error(ConfigConstants.LDAP_AUTHZ_MAX_NESTED_DEPTH + " is not parseable: " + e, e);
}
if (depth < maxDepth) {
for (final LdapName nm : new HashSet<LdapName>(result)) {
Set<Map.Entry<String, Settings>> nameRoleSearchBaseKeys = resultRoleSearchBaseKeys.get(nm);
if (nameRoleSearchBaseKeys == null) {
log.error(
"Could not find roleSearchBaseKeys for " + nm + "; existing: " + resultRoleSearchBaseKeys);
continue;
}
final Set<LdapName> in = resolveNestedRoles(nm, ldapConnection, userRoleName, depth, rolesearchEnabled,
nameRoleSearchBaseKeys);
result.addAll(in);
}
}
return result;
}