Rename customGroupAttributeFilters to additionalGroupAttributeFilters

nightkr · nightkr · commit 32af10b5ef5d · 2025-02-26T15:15:49.000+01:00
diff --git a/deploy/helm/opa-operator/crds/crds.yaml b/deploy/helm/opa-operator/crds/crds.yaml
@@ -68,6 +68,15 @@ spec:
                             experimentalActiveDirectory:
                               description: Backend that fetches user information from Active Directory
                               properties:
+                                additionalGroupAttributeFilters:
+                                  additionalProperties:
+                                    type: string
+                                  default: {}
+                                  description: |-
+                                    Attributes that groups must have to be returned.
+
+                                    These fields will be spliced into an LDAP Search Query, so wildcards can be used, but characters with a special meaning in LDAP will need to be escaped.
+                                  type: object
                                 baseDistinguishedName:
                                   description: The root Distinguished Name (DN) where users and groups are located.
                                   type: string
@@ -77,15 +86,6 @@ spec:
                                   default: {}
                                   description: Custom attributes, and their LDAP attribute names.
                                   type: object
-                                customGroupAttributeFilters:
-                                  additionalProperties:
-                                    type: string
-                                  default: {}
-                                  description: |-
-                                    Attributes that groups must have to be returned.
-
-                                    These fields will be spliced into an LDAP Search Query, so wildcards can be used, but characters with a special meaning in LDAP will need to be escaped.
-                                  type: object
                                 kerberosSecretClassName:
                                   description: The name of the Kerberos SecretClass.
                                   type: string
diff --git a/rust/crd/src/user_info_fetcher.rs b/rust/crd/src/user_info_fetcher.rs
@@ -118,7 +118,7 @@ pub struct ActiveDirectoryBackend {
     /// These fields will be spliced into an LDAP Search Query, so wildcards can be used,
     /// but characters with a special meaning in LDAP will need to be escaped.
     #[serde(default)]
-    pub custom_group_attribute_filters: BTreeMap<String, String>,
+    pub additional_group_attribute_filters: BTreeMap<String, String>,
 }
 
 #[derive(Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]
diff --git a/rust/user-info-fetcher/src/backend/active_directory.rs b/rust/user-info-fetcher/src/backend/active_directory.rs
@@ -94,15 +94,15 @@ const LDAP_FIELD_GROUP_MEMBER: &str = "member";
     tls,
     base_distinguished_name,
     custom_attribute_mappings,
-    group_attribute_filters,
+    additional_group_attribute_filters,
 ))]
 pub(crate) async fn get_user_info(
     request: &UserInfoRequest,
     ldap_server: &str,
     tls: &TlsClientDetails,
     base_distinguished_name: &str,
     custom_attribute_mappings: &BTreeMap<String, String>,
-    group_attribute_filters: &BTreeMap<String, String>,
+    additional_group_attribute_filters: &BTreeMap<String, String>,
 ) -> Result<UserInfo, Error> {
     let ldap_tls = utils::tls::configure_native_tls(tls)
         .await
@@ -174,7 +174,7 @@ pub(crate) async fn get_user_info(
         base_distinguished_name,
         &user,
         custom_attribute_mappings,
-        group_attribute_filters,
+        additional_group_attribute_filters,
     )
     .await
 }
@@ -185,7 +185,7 @@ pub(crate) async fn get_user_info(
         base_dn,
         user,
         custom_attribute_mappings,
-        group_attribute_filters,
+        additional_group_attribute_filters,
     ),
     fields(user.dn),
 )]
@@ -194,7 +194,7 @@ async fn user_attributes(
     base_dn: &str,
     user: &SearchEntry,
     custom_attribute_mappings: &BTreeMap<String, String>,
-    group_attribute_filters: &BTreeMap<String, String>,
+    additional_group_attribute_filters: &BTreeMap<String, String>,
 ) -> Result<UserInfo, Error> {
     let user_sid = user
         .bin_attrs
@@ -259,8 +259,14 @@ async fn user_attributes(
         })
         .collect::<HashMap<_, _>>();
     let groups = if let Some(user_sid) = &user_sid {
-        user_group_distinguished_names(ldap, base_dn, user, user_sid, group_attribute_filters)
-            .await?
+        user_group_distinguished_names(
+            ldap,
+            base_dn,
+            user,
+            user_sid,
+            additional_group_attribute_filters,
+        )
+        .await?
     } else {
         tracing::debug!(user.dn, "user has no SID, cannot fetch groups...");
         Vec::new()
@@ -275,13 +281,13 @@ async fn user_attributes(
 }
 
 /// Gets the distinguished names of all of `user`'s groups, both primary and secondary.
-#[tracing::instrument(skip(ldap, base_dn, user, user_sid, group_attribute_filters))]
+#[tracing::instrument(skip(ldap, base_dn, user, user_sid, additional_group_attribute_filters))]
 async fn user_group_distinguished_names(
     ldap: &mut Ldap,
     base_dn: &str,
     user: &SearchEntry,
     user_sid: &SecurityId,
-    group_attribute_filters: &BTreeMap<String, String>,
+    additional_group_attribute_filters: &BTreeMap<String, String>,
 ) -> Result<Vec<String>, Error> {
     // User group memberships are tricky, because users have exactly one *primary* and any number of *secondary* groups.
     // Additionally groups can be members of other groups.
@@ -330,7 +336,7 @@ async fn user_group_distinguished_names(
 
     // Users can also specify custom filters via `group_attribute_filters`
     let custom_group_filter =
-        group_attribute_filters
+        additional_group_attribute_filters
             .iter()
             .fold(String::new(), |mut out, (k, v)| {
                 // NOTE: This is technically an LDAP injection vuln, but these are provided statically by the OPA administrator,
diff --git a/rust/user-info-fetcher/src/main.rs b/rust/user-info-fetcher/src/main.rs
@@ -298,7 +298,7 @@ async fn get_user_info(
                         &ad.tls,
                         &ad.base_distinguished_name,
                         &ad.custom_attribute_mappings,
-                        &ad.custom_group_attribute_filters,
+                        &ad.additional_group_attribute_filters,
                     )
                     .await
                     .context(get_user_info_error::ActiveDirectorySnafu),

Original file line number	Diff line number	Diff line change
`@@ -118,7 +118,7 @@ pub struct ActiveDirectoryBackend {`
`118`	`118`	`/// These fields will be spliced into an LDAP Search Query, so wildcards can be used,`
`119`	`119`	`/// but characters with a special meaning in LDAP will need to be escaped.`
`120`	`120`	`#[serde(default)]`
`121`		`- pub custom_group_attribute_filters: BTreeMap<String, String>,`
	`121`	`+ pub additional_group_attribute_filters: BTreeMap<String, String>,`
`122`	`122`	`}`
`123`	`123`
`124`	`124`	`#[derive(Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]`
Original file line number	Diff line number	Diff line change
`@@ -298,7 +298,7 @@ async fn get_user_info(`
`298`	`298`	`&ad.tls,`
`299`	`299`	`&ad.base_distinguished_name,`
`300`	`300`	`&ad.custom_attribute_mappings,`
`301`		`- &ad.custom_group_attribute_filters,`
	`301`	`+ &ad.additional_group_attribute_filters,`
`302`	`302`	`)`
`303`	`303`	`.await`
`304`	`304`	`.context(get_user_info_error::ActiveDirectorySnafu),`