Split LdapConfig into Client and Authenticator config

plugin/trino-password-authenticators/src/main/java/io/trino/plugin/password/ldap/JdkLdapAuthenticatorClient.java

@@ -54,7 +54,7 @@ public class JdkLdapAuthenticatorClient
     private final Optional<SSLContext> sslContext;
 
     @Inject
-    public JdkLdapAuthenticatorClient(LdapConfig ldapConfig)
+    public JdkLdapAuthenticatorClient(LdapClientConfig ldapConfig)
     {
         String ldapUrl = requireNonNull(ldapConfig.getLdapUrl(), "ldapUrl is null");
         if (ldapUrl.startsWith("ldap://")) {

plugin/trino-password-authenticators/src/main/java/io/trino/plugin/password/ldap/LdapAuthenticator.java

@@ -60,15 +60,15 @@ public class LdapAuthenticator
     private final NonKeyEvictableLoadingCache<Credential, Principal> authenticationCache;
 
     @Inject
-    public LdapAuthenticator(LdapAuthenticatorClient client, LdapConfig ldapConfig)
+    public LdapAuthenticator(LdapAuthenticatorClient client, LdapAuthenticatorConfig ldapAuthenticatorConfig)
     {
         this.client = requireNonNull(client, "client is null");
 
-        this.userBindSearchPatterns = ldapConfig.getUserBindSearchPatterns();
-        this.groupAuthorizationSearchPattern = Optional.ofNullable(ldapConfig.getGroupAuthorizationSearchPattern());
-        this.userBaseDistinguishedName = Optional.ofNullable(ldapConfig.getUserBaseDistinguishedName());
-        this.bindDistinguishedName = Optional.ofNullable(ldapConfig.getBindDistingushedName());
-        this.bindPassword = Optional.ofNullable(ldapConfig.getBindPassword());
+        this.userBindSearchPatterns = ldapAuthenticatorConfig.getUserBindSearchPatterns();
+        this.groupAuthorizationSearchPattern = Optional.ofNullable(ldapAuthenticatorConfig.getGroupAuthorizationSearchPattern());
+        this.userBaseDistinguishedName = Optional.ofNullable(ldapAuthenticatorConfig.getUserBaseDistinguishedName());
+        this.bindDistinguishedName = Optional.ofNullable(ldapAuthenticatorConfig.getBindDistingushedName());
+        this.bindPassword = Optional.ofNullable(ldapAuthenticatorConfig.getBindPassword());
 
         checkArgument(
                 groupAuthorizationSearchPattern.isEmpty() || userBaseDistinguishedName.isPresent(),
@@ -85,7 +85,7 @@ public LdapAuthenticator(LdapAuthenticatorClient client, LdapConfig ldapConfig)
 
         this.authenticationCache = buildNonEvictableCacheWithWeakInvalidateAll(
                 CacheBuilder.newBuilder()
-                        .expireAfterWrite(ldapConfig.getLdapCacheTtl().toMillis(), MILLISECONDS),
+                        .expireAfterWrite(ldapAuthenticatorConfig.getLdapCacheTtl().toMillis(), MILLISECONDS),
                 CacheLoader.from(bindDistinguishedName.isPresent()
                         ? this::authenticateWithBindDistinguishedName
                         : this::authenticateWithUserBind));

plugin/trino-password-authenticators/src/main/java/io/trino/plugin/password/ldap/LdapAuthenticatorConfig.java

@@ -0,0 +1,127 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.plugin.password.ldap;
+
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableList;
+import io.airlift.configuration.Config;
+import io.airlift.configuration.ConfigDescription;
+import io.airlift.configuration.ConfigSecuritySensitive;
+import io.airlift.units.Duration;
+
+import javax.validation.constraints.NotNull;
+
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static java.util.Objects.requireNonNull;
+
+public class LdapAuthenticatorConfig
+{
+    private List<String> userBindSearchPatterns = ImmutableList.of();
+    private String groupAuthorizationSearchPattern;
+    private String userBaseDistinguishedName;
+    private String bindDistinguishedName;
+    private String bindPassword;
+    private Duration ldapCacheTtl = new Duration(1, TimeUnit.HOURS);
+
+    @NotNull
+    public List<String> getUserBindSearchPatterns()
+    {
+        return userBindSearchPatterns;
+    }
+
+    public LdapAuthenticatorConfig setUserBindSearchPatterns(List<String> userBindSearchPatterns)
+    {
+        this.userBindSearchPatterns = requireNonNull(userBindSearchPatterns, "userBindSearchPatterns is null");
+        return this;
+    }
+
+    @Config("ldap.user-bind-pattern")
+    @ConfigDescription("Custom user bind pattern. Example: ${USER}@example.com")
+    public LdapAuthenticatorConfig setUserBindSearchPatterns(String userBindSearchPatterns)
+    {
+        this.userBindSearchPatterns = Splitter.on(":")
+                .trimResults()
+                .omitEmptyStrings()
+                .splitToList(userBindSearchPatterns);
+        return this;
+    }
+
+    public String getGroupAuthorizationSearchPattern()
+    {
+        return groupAuthorizationSearchPattern;
+    }
+
+    @Config("ldap.group-auth-pattern")
+    @ConfigDescription("Custom group authorization check query. Example: &(objectClass=user)(memberOf=cn=group)(user=username)")
+    public LdapAuthenticatorConfig setGroupAuthorizationSearchPattern(String groupAuthorizationSearchPattern)
+    {
+        this.groupAuthorizationSearchPattern = groupAuthorizationSearchPattern;
+        return this;
+    }
+
+    public String getUserBaseDistinguishedName()
+    {
+        return userBaseDistinguishedName;
+    }
+
+    @Config("ldap.user-base-dn")
+    @ConfigDescription("Base distinguished name of the user. Example: dc=example,dc=com")
+    public LdapAuthenticatorConfig setUserBaseDistinguishedName(String userBaseDistinguishedName)
+    {
+        this.userBaseDistinguishedName = userBaseDistinguishedName;
+        return this;
+    }
+
+    public String getBindDistingushedName()
+    {
+        return bindDistinguishedName;
+    }
+
+    @Config("ldap.bind-dn")
+    @ConfigDescription("Bind distinguished name. Example: CN=User Name,OU=CITY_OU,OU=STATE_OU,DC=domain,DC=domain_root")
+    public LdapAuthenticatorConfig setBindDistingushedName(String bindDistingushedName)
+    {
+        this.bindDistinguishedName = bindDistingushedName;
+        return this;
+    }
+
+    public String getBindPassword()
+    {
+        return bindPassword;
+    }
+
+    @Config("ldap.bind-password")
+    @ConfigDescription("Bind password used. Example: password1234")
+    @ConfigSecuritySensitive
+    public LdapAuthenticatorConfig setBindPassword(String bindPassword)
+    {
+        this.bindPassword = bindPassword;
+        return this;
+    }
+
+    @NotNull
+    public Duration getLdapCacheTtl()
+    {
+        return ldapCacheTtl;
+    }
+
+    @Config("ldap.cache-ttl")
+    public LdapAuthenticatorConfig setLdapCacheTtl(Duration ldapCacheTtl)
+    {
+        this.ldapCacheTtl = ldapCacheTtl;
+        return this;
+    }
+}

plugin/trino-password-authenticators/src/main/java/io/trino/plugin/password/ldap/LdapAuthenticatorFactory.java

@@ -37,7 +37,8 @@ public PasswordAuthenticator create(Map<String, String> config)
     {
         Bootstrap app = new Bootstrap(
                 binder -> {
-                    configBinder(binder).bindConfig(LdapConfig.class);
+                    configBinder(binder).bindConfig(LdapClientConfig.class);
+                    configBinder(binder).bindConfig(LdapAuthenticatorConfig.class);
                     binder.bind(LdapAuthenticator.class).in(Scopes.SINGLETON);
                     binder.bind(LdapAuthenticatorClient.class).to(JdkLdapAuthenticatorClient.class).in(Scopes.SINGLETON);
                 });

plugin/trino-password-authenticators/src/main/java/io/trino/plugin/password/ldap/LdapConfig.java → plugin/trino-password-authenticators/src/main/java/io/trino/plugin/password/ldap/LdapClientConfig.java

@@ -13,8 +13,6 @@
  */
 package io.trino.plugin.password.ldap;
 
-import com.google.common.base.Splitter;
-import com.google.common.collect.ImmutableList;
 import io.airlift.configuration.Config;
 import io.airlift.configuration.ConfigDescription;
 import io.airlift.configuration.ConfigSecuritySensitive;
@@ -27,29 +25,20 @@
 import javax.validation.constraints.Pattern;
 
 import java.io.File;
-import java.util.List;
 import java.util.Optional;
-import java.util.concurrent.TimeUnit;
 
 import static com.google.common.base.Strings.nullToEmpty;
-import static java.util.Objects.requireNonNull;
 
 @DefunctConfig("ldap.ssl-trust-certificate")
-public class LdapConfig
+public class LdapClientConfig
 {
     private String ldapUrl;
     private boolean allowInsecure;
     private File keystorePath;
     private String keystorePassword;
     private File trustStorePath;
     private String truststorePassword;
-    private List<String> userBindSearchPatterns = ImmutableList.of();
-    private String groupAuthorizationSearchPattern;
-    private String userBaseDistinguishedName;
-    private String bindDistinguishedName;
-    private String bindPassword;
     private boolean ignoreReferrals;
-    private Duration ldapCacheTtl = new Duration(1, TimeUnit.HOURS);
     private Optional<Duration> ldapConnectionTimeout = Optional.empty();
     private Optional<Duration> ldapReadTimeout = Optional.empty();
 
@@ -62,7 +51,7 @@ public String getLdapUrl()
 
     @Config("ldap.url")
     @ConfigDescription("URL of the LDAP server")
-    public LdapConfig setLdapUrl(String url)
+    public LdapClientConfig setLdapUrl(String url)
     {
         this.ldapUrl = url;
         return this;
@@ -75,7 +64,7 @@ public boolean isAllowInsecure()
 
     @Config("ldap.allow-insecure")
     @ConfigDescription("Allow insecure connection to the LDAP server")
-    public LdapConfig setAllowInsecure(boolean allowInsecure)
+    public LdapClientConfig setAllowInsecure(boolean allowInsecure)
     {
         this.allowInsecure = allowInsecure;
         return this;
@@ -94,7 +83,7 @@ public boolean isUrlConfigurationValid()
 
     @Config("ldap.ssl.keystore.path")
     @ConfigDescription("Path to the PEM or JKS key store")
-    public LdapConfig setKeystorePath(File path)
+    public LdapClientConfig setKeystorePath(File path)
     {
         this.keystorePath = path;
         return this;
@@ -108,7 +97,7 @@ public Optional<String> getKeystorePassword()
     @Config("ldap.ssl.keystore.password")
     @ConfigSecuritySensitive
     @ConfigDescription("Password for the key store")
-    public LdapConfig setKeystorePassword(String password)
+    public LdapClientConfig setKeystorePassword(String password)
     {
         this.keystorePassword = password;
         return this;
@@ -121,7 +110,7 @@ public LdapConfig setKeystorePassword(String password)
 
     @Config("ldap.ssl.truststore.path")
     @ConfigDescription("Path to the PEM or JKS trust store")
-    public LdapConfig setTrustStorePath(File path)
+    public LdapClientConfig setTrustStorePath(File path)
     {
         this.trustStorePath = path;
         return this;
@@ -135,122 +124,33 @@ public Optional<String> getTruststorePassword()
     @Config("ldap.ssl.truststore.password")
     @ConfigSecuritySensitive
     @ConfigDescription("Password for the trust store")
-    public LdapConfig setTruststorePassword(String password)
+    public LdapClientConfig setTruststorePassword(String password)
     {
         this.truststorePassword = password;
         return this;
     }
 
-    @NotNull
-    public List<String> getUserBindSearchPatterns()
-    {
-        return userBindSearchPatterns;
-    }
-
-    public LdapConfig setUserBindSearchPatterns(List<String> userBindSearchPatterns)
-    {
-        this.userBindSearchPatterns = requireNonNull(userBindSearchPatterns, "userBindSearchPatterns is null");
-        return this;
-    }
-
-    @Config("ldap.user-bind-pattern")
-    @ConfigDescription("Custom user bind pattern. Example: ${USER}@example.com")
-    public LdapConfig setUserBindSearchPatterns(String userBindSearchPatterns)
-    {
-        this.userBindSearchPatterns = Splitter.on(":")
-                .trimResults()
-                .omitEmptyStrings()
-                .splitToList(userBindSearchPatterns);
-        return this;
-    }
-
-    public String getGroupAuthorizationSearchPattern()
-    {
-        return groupAuthorizationSearchPattern;
-    }
-
-    @Config("ldap.group-auth-pattern")
-    @ConfigDescription("Custom group authorization check query. Example: &(objectClass=user)(memberOf=cn=group)(user=username)")
-    public LdapConfig setGroupAuthorizationSearchPattern(String groupAuthorizationSearchPattern)
-    {
-        this.groupAuthorizationSearchPattern = groupAuthorizationSearchPattern;
-        return this;
-    }
-
-    public String getUserBaseDistinguishedName()
-    {
-        return userBaseDistinguishedName;
-    }
-
-    @Config("ldap.user-base-dn")
-    @ConfigDescription("Base distinguished name of the user. Example: dc=example,dc=com")
-    public LdapConfig setUserBaseDistinguishedName(String userBaseDistinguishedName)
-    {
-        this.userBaseDistinguishedName = userBaseDistinguishedName;
-        return this;
-    }
-
-    public String getBindDistingushedName()
-    {
-        return bindDistinguishedName;
-    }
-
-    @Config("ldap.bind-dn")
-    @ConfigDescription("Bind distinguished name. Example: CN=User Name,OU=CITY_OU,OU=STATE_OU,DC=domain,DC=domain_root")
-    public LdapConfig setBindDistingushedName(String bindDistingushedName)
-    {
-        this.bindDistinguishedName = bindDistingushedName;
-        return this;
-    }
-
-    public String getBindPassword()
-    {
-        return bindPassword;
-    }
-
-    @Config("ldap.bind-password")
-    @ConfigDescription("Bind password used. Example: password1234")
-    @ConfigSecuritySensitive
-    public LdapConfig setBindPassword(String bindPassword)
-    {
-        this.bindPassword = bindPassword;
-        return this;
-    }
-
     public boolean isIgnoreReferrals()
     {
         return ignoreReferrals;
     }
 
     @Config("ldap.ignore-referrals")
     @ConfigDescription("Referrals allow finding entries across multiple LDAP servers. Ignore them to only search within 1 LDAP server")
-    public LdapConfig setIgnoreReferrals(boolean ignoreReferrals)
+    public LdapClientConfig setIgnoreReferrals(boolean ignoreReferrals)
     {
         this.ignoreReferrals = ignoreReferrals;
         return this;
     }
 
-    @NotNull
-    public Duration getLdapCacheTtl()
-    {
-        return ldapCacheTtl;
-    }
-
-    @Config("ldap.cache-ttl")
-    public LdapConfig setLdapCacheTtl(Duration ldapCacheTtl)
-    {
-        this.ldapCacheTtl = ldapCacheTtl;
-        return this;
-    }
-
     public Optional<Duration> getLdapConnectionTimeout()
     {
         return ldapConnectionTimeout;
     }
 
     @Config("ldap.timeout.connect")
     @ConfigDescription("Timeout for establishing a connection")
-    public LdapConfig setLdapConnectionTimeout(Duration ldapConnectionTimeout)
+    public LdapClientConfig setLdapConnectionTimeout(Duration ldapConnectionTimeout)
     {
         this.ldapConnectionTimeout = Optional.ofNullable(ldapConnectionTimeout);
         return this;
@@ -263,7 +163,7 @@ public Optional<Duration> getLdapReadTimeout()
 
     @Config("ldap.timeout.read")
     @ConfigDescription("Timeout for reading data from LDAP")
-    public LdapConfig setLdapReadTimeout(Duration ldapReadTimeout)
+    public LdapClientConfig setLdapReadTimeout(Duration ldapReadTimeout)
     {
         this.ldapReadTimeout = Optional.ofNullable(ldapReadTimeout);
         return this;