Add support for groups being members of groups.

[ggreer]

Summary by CodeRabbit

• New Features
  • Enhanced handling of group resources and grants within LDAP.
  • Introduced a new function for creating grants from LDAP entries, improving flexibility.
• Improvements
  • Refined logic for retrieving group members and creating grants.
  • Enhanced error handling for LDAP operations, providing clearer error messages.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

The pull request introduces significant modifications to the pkg/connector/group.go file, enhancing the management of group resources and grants in an LDAP context. Key changes include the addition of a variable to map LDAP object classes to resource types, a modified function to create grants with specific resource types, and a new function for creating grants from LDAP entries. The Grants method has been refactored for better member retrieval and error handling, improving the overall robustness and flexibility of grant creation and group membership management.

Changes

File	Change Summary
pkg/connector/group.go	- Added variable objectClassesToResourceTypes for mapping LDAP object classes to resource types. - Updated newGrantFromDN method signature to include resourceType. - Introduced newGrantFromEntry function for grant creation from LDAP entries. - Refactored Grants method for better member retrieval and error handling. - Enhanced error handling in findMember and findMemberByFilter methods.

Possibly related PRs

• Get group membership faster. #58: This PR introduces the newGrantFromDN function, which is also modified in the main PR to accept an additional parameter for resource type, indicating a direct connection in the grant creation process.
• Support member attr for groups. #70: This PR updates the Grants method to handle different member attributes, which relates to the main PR's enhancements in group membership handling and grant creation based on LDAP entries.
• Add support for LDAP primary groups #75: This PR enhances the Grants method to incorporate logic for retrieving user entries based on GID, which relates to the overall improvements in group membership handling in the main PR.
• Normalize object classes. Add groupOfNames to group query. #78: The addition of groupOfNames to the groupObjectClasses constant in this PR directly affects the filtering logic for group entries, which is relevant to the changes made in the main PR regarding group management in LDAP.

🐰 In the LDAP fields where groups do play,
New grants are born, brightening the day.
With classes and types now mapped with care,
We hop through the code, with joy in the air!
Error handling's strong, like a rabbit's swift leap,
In our code burrow, great changes we reap! 🌟

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between c539549 and ebc7980.

📒 Files selected for processing (1)

• pkg/connector/group.go (5 hunks)

🔇 Additional comments (3)

pkg/connector/group.go (3)

22-31: Object class to resource type mapping implemented correctly

The mapping between LDAP objectClass values and resource types is correctly established, enhancing resource type identification during grant creation.

---

160-168: Updated newGrantFromDN function to handle resource types

The modification of newGrantFromDN to accept a resourceType parameter and adjust grantOpts accordingly improves the flexibility and accuracy of grant creation based on resource types.

---

185-193: Added newGrantFromEntry function for dynamic grant creation

The new newGrantFromEntry function efficiently creates grants by determining the resource type from an LDAP entry's objectClass attributes, enhancing the adaptability of the grant creation process.

[coderabbitai]

⚠️ Potential issue

Handle LDAP search errors to prevent potential panics

If g.client.LdapSearch returns an error, the code logs the error but continues processing. This could lead to unexpected behavior or panics since member might be nil or invalid. It's important to handle the error appropriately by skipping the iteration when an error occurs.

Apply this diff to handle the error:

if err != nil {
    l.Error("ldap-connector: failed to get group member", zap.String("group", groupDN.String()), zap.String("member_id", memberId), zap.Error(err))
+   continue
}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	member, _, err := g.client.LdapSearch(
	ctx,
	ldap3.ScopeWholeSubtree,
	parsedDN,
	"",
	nil,
	"",
	1,
	)
	if err != nil {
	l.Error("ldap-connector: failed to get group member", zap.String("group", groupDN.String()), zap.String("member_id", memberId), zap.Error(err))
	}
	member, _, err := g.client.LdapSearch(
	ctx,
	ldap3.ScopeWholeSubtree,
	parsedDN,
	"",
	nil,
	"",
	1,
	)
	if err != nil {
	l.Error("ldap-connector: failed to get group member", zap.String("group", groupDN.String()), zap.String("member_id", memberId), zap.Error(err))
	continue
	}

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

pkg/connector/group.go (1)

160-181: LGTM! Consider adding validation for resourceType.

The function correctly handles both user and group principals, with proper annotation for expandable grants. Consider adding validation to ensure resourceType is not nil.

Add parameter validation:

 func newGrantFromDN(groupResource *v2.Resource, dn string, resourceType *v2.ResourceType) *v2.Grant {
+	if resourceType == nil {
+		resourceType = resourceTypeUser // fallback to user type
+	}
 	grantOpts := []grant.GrantOption{}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between ebc7980 and deab930.

⛔ Files ignored due to path filters (3)

• .github/workflows/ci.yaml is excluded by none and included by none
• scripts/get-baton.sh is excluded by none and included by none
• scripts/grant-revoke.sh is excluded by none and included by none

📒 Files selected for processing (1)

• pkg/connector/group.go (5 hunks)

🔇 Additional comments (4)

pkg/connector/group.go (4)

267-267: LGTM! Consistent grant creation for all member types.

The code properly handles grant creation for both direct members and POSIX group members using the new grant creation functions.

Also applies to: 297-297

---

237-255: ⚠️ Potential issue

Fix error handling in member lookup.

The error handling needs improvement to prevent potential issues with nil member entries.

Apply this diff to properly handle the error:

 if err != nil {
     l.Error("ldap-connector: failed to get group member", zap.String("group", groupDN.String()), zap.String("member_id", memberId), zap.Error(err))
+    continue
 }

---

22-31: LGTM! Comprehensive mapping of LDAP object classes.

The mapping covers standard LDAP object classes and correctly associates them with appropriate resource types, enabling proper handling of both user and group members.

Let's verify that all object classes in use are covered:

✅ Verification successful

The object class mapping is complete and accurate

The verification confirms that all object classes used in LDAP filters (groupObjectClasses and userObjectClasses) are properly mapped in the objectClassesToResourceTypes variable:

Groups:

• group
• groupOfNames
• groupOfUniqueNames
• posixGroup

Users:

• inetOrgPerson
• person
• user
• organizationalPerson

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any unmapped object classes in LDAP entries
# that might be groups or users

# Search for object classes in group entries
rg -g '*.go' 'objectClass=' | grep -i 'group'

# Search for object classes in user entries
rg -g '*.go' 'objectClass=' | grep -i 'user\|person'

Length of output: 394

---

185-201: LGTM! Robust handling of LDAP entry to grant conversion.

The function properly handles DN canonicalization and object class mapping with a sensible fallback to user type.

Let's verify the object class handling:

✅ Verification successful

Object class to resource type mapping is complete and consistent

The verification confirms that:

• The objectClassesToResourceTypes mapping correctly handles all LDAP object classes used in filters (groupOfUniqueNames, groupOfNames, posixGroup, group, inetOrgPerson, person, user, organizationalPerson)
• Each object class maps to the appropriate resource type (resourceTypeUser or resourceTypeGroup)
• The fallback to resourceTypeUser in the function is a safe default when no matching object class is found

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for potential edge cases in object class handling

# Search for object class attribute usage
ast-grep --pattern 'entry.GetAttributeValues("objectClass")'

# Check for any non-standard object classes in use
rg -g '*.go' 'objectClass\s*=\s*[^)]+' 

Length of output: 569

---

Script:

#!/bin/bash
# Let's check the objectClassesToResourceTypes mapping to ensure it aligns with the object classes we found
rg -g '*.go' 'objectClassesToResourceTypes\s*=\s*' -A 10

# Also check for any resource type definitions
rg -g '*.go' 'resourceType[A-Z][a-zA-Z]*\s*=\s*' -B 1 -A 1

Length of output: 2121