smolnar82 opened a new pull request, #1207: URL: https://github.com/apache/knox/pull/1207
[KNOX-3302](https://issues.apache.org/jira/browse/KNOX-3302) - Falling back to gateway-level credential store while looking up LDAP system password

## What changes were proposed in this pull request?

This pull request improves the LDAP system password alias resolution in the Shiro realm (KnoxLdapContextFactory).

Key changes include:

* Fallback Alias Resolution: Updated `KnoxLdapContextFactory` to check the gateway-level credential store if a system password alias is not found in the cluster-level (topology) credential store.
* Centralized Alias Logic: Added isAlias and extractAlias default methods to the `AliasService` interface to standardize how alias strings (e.g., `S{ALIAS=...}`) are identified and processed across the codebase.
* Improved Testability: Refactored KnoxLdapContextFactory to allow for better unit testing by extracting the AliasService lookup into a protected method.
* Code Cleanup: Replaced manual string parsing with the new AliasService methods and added validation for blank passwords using StringUtils.

## How was this patch tested?

The changes were verified by adding a new unit test class: `org.apache.knox.gateway.shirorealm.KnoxLdapContextFactoryTest`.

The following scenarios were tested:

1. Blank Password: Verified that null or empty strings do not trigger alias resolution.
2. Literal Password: Verified that passwords not matching the alias pattern are used as-is.
3. Cluster-level Alias: Verified successful resolution when the alias exists in the cluster-specific credential store.
4. Gateway-level Fallback: Verified that the factory correctly falls back to the gateway credential store when the alias is missing from the cluster store.
5. Missing Alias: Verified that the system password is set to an empty string and a warning is logged when an alias cannot be resolved in either store.

## Integration Tests

No new integration tests were added as the logic was fully covered by the new unit tests in KnoxLdapContextFactoryTest. Existing Shiro-related integration tests should be monitored for regressions.

## UI changes

N/A
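The lookup order and the five tested scenarios described in the pull request, modelled as an added example that is not code from the pull request or from Knox. The class and method signatures, the `Map` stand-ins for the two credential stores, the alias names and sample secrets, and the `null` return for blank input are all assumptions made for illustration.

```java
import java.util.Map;
import java.util.logging.Logger;

// Added illustration: all names are hypothetical stand-ins, not Knox's API.
public class SystemPasswordResolutionSketch {
    private static final Logger LOG = Logger.getLogger("sketch");
    private static final String PREFIX = "S{ALIAS=";

    static boolean isAlias(String value) {
        return value != null && value.startsWith(PREFIX) && value.endsWith("}");
    }

    static String extractAlias(String value) {
        return value.substring(PREFIX.length(), value.length() - 1);
    }

    // Maps stand in for the cluster-level and gateway-level credential stores.
    static String resolve(String configured, Map<String, char[]> clusterStore,
                          Map<String, char[]> gatewayStore) {
        if (configured == null || configured.isBlank()) {
            return null;                          // 1. blank: no lookup (null is an assumption)
        }
        if (!isAlias(configured)) {
            return configured;                    // 2. literal password used as-is
        }
        String alias = extractAlias(configured);
        char[] secret = clusterStore.get(alias);  // 3. cluster (topology) store first
        if (secret == null) {
            secret = gatewayStore.get(alias);     // 4. gateway store as fallback
        }
        if (secret == null) {
            LOG.warning("No password found for alias " + alias); // alias name only
            return "";                            // 5. unresolved: empty string
        }
        return new String(secret);
    }

    public static void main(String[] args) {
        // Constructed sample stores; the same alias in both shows the cluster entry wins.
        Map<String, char[]> cluster = Map.of("ldcSystemPassword", "cluster-secret".toCharArray());
        Map<String, char[]> gateway = Map.of("sharedLdapPassword", "gateway-secret".toCharArray(),
                                             "ldcSystemPassword", "shadowed".toCharArray());
        String[] inputs = {"  ", "literal-pw", "S{ALIAS=ldcSystemPassword}",
                           "S{ALIAS=sharedLdapPassword}", "S{ALIAS=missing}"};
        for (String in : inputs) {
            String out = resolve(in, cluster, gateway);
            System.out.printf("%-30s -> %s%n", in, out == null ? "(unset)" : "'" + out + "'");
        }
    }
}
```

When reviewing a deployment, the fifth case is the one to watch for in logs: an unresolved alias leaves the system password as an empty string rather than failing the configuration load.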
