From cdb44e745ad16ed9d56686f7e4c35436fb582ec9 Mon Sep 17 00:00:00 2001
From: Pavel Klyuev
Date: Fri, 16 Jun 2023 14:32:18 +0300
Subject: [PATCH] Add AuthenticationStrategy, ManagerDn, ManagerPassword, IdentityStrategy properties for LDAP integration
---
 api/v1/nificluster_types.go | 12 ++++++++++
 api/v1alpha1/nificluster_conversion.go | 24 ++++++++++++-------
 api/v1alpha1/nificluster_conversion_test.go | 18 ++++++++++----
 api/v1alpha1/nificluster_types.go | 12 ++++++++++
 .../nifi.konpyutaika.com_nificlusters.yaml | 16 +++++++++++++
 .../nifi.orange.com_nificlusters_crd.yaml | 8 +++++++
 .../nifi.konpyutaika.com_nificlusters.yaml | 16 +++++++++++++
 .../config/login_identity_providers.go | 8 +++----
 8 files changed, 97 insertions(+), 17 deletions(-)
diff --git a/api/v1/nificluster_types.go b/api/v1/nificluster_types.go
index 13ecb065b9..cacb323f5f 100644
--- a/api/v1/nificluster_types.go
+++ b/api/v1/nificluster_types.go
@@ -503,6 +503,18 @@ type LdapConfiguration struct {
 // Filter for searching for users against the 'User Search Base'.
 // (i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'.
 SearchFilter string `json:"searchFilter,omitempty"`
+ // How the connection to the LDAP server is authenticated.
+ // Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
+ AuthenticationStrategy string `json:"authenticationStrategy,omitempty"`
+ // The DN of the manager that is used to bind to the LDAP server to search for users.
+ ManagerDn string `json:"managerDn,omitempty"`
+ // The password of the manager that is used to bind to the LDAP server to search for users.
+ ManagerPassword string `json:"managerPassword,omitempty"`
+ // Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
+ // The default functionality if this property is missing is USE_DN in order to retain backward compatibility.
+ // USE_DN will use the full DN of the user entry if possible.
+ // USE_USERNAME will use the username the user logged in with.
+ IdentityStrategy string `json:"identityStrategy,omitempty"`
 }
 // NifiClusterTaskSpec specifies the configuration of the nifi cluster Tasks
diff --git a/api/v1alpha1/nificluster_conversion.go b/api/v1alpha1/nificluster_conversion.go
index c5a881c1b5..550452c66c 100644
--- a/api/v1alpha1/nificluster_conversion.go
+++ b/api/v1alpha1/nificluster_conversion.go
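Review bot: AuthenticationStrategy and IdentityStrategy are added without a default (the generated CRD in this patch shows only `type: string` for them), while the template change in pkg/resources/templates/config/login_identity_providers.go drops the hard-coded START_TLS and USE_DN in favour of these fields, so an existing NifiCluster that never set them will now render empty values; the USE_DN fallback promised in the IdentityStrategy comment is, as far as this diff shows, not implemented anywhere in the operator. If the project uses controller-gen markers, `// +kubebuilder:default=START_TLS` together with `// +kubebuilder:validation:Enum=ANONYMOUS;SIMPLE;LDAPS;START_TLS` above AuthenticationStrategy (and the USE_DN/USE_USERNAME pair for IdentityStrategy) would preserve the old behaviour and reject typos at admission. ManagerPassword places the LDAP bind credential in clear text in the CR spec, where it is readable by anyone with get/list on nificlusters and ends up in GitOps repositories and audit output; a reference to a Kubernetes Secret would be the safer shape, or at minimum the field comment should state that the value is stored unencrypted in the resource. The same four fields are added identically in api/v1alpha1/nificluster_types.go, and the same remarks apply there.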
@@ -317,10 +317,14 @@ func convertNifiClusterDisruptionBudget(src DisruptionBudget, dst *v1.NifiCluste
 func convertNifiClusterLdapConfiguration(src LdapConfiguration, dst *v1.NifiCluster) {
 dst.Spec.LdapConfiguration = v1.LdapConfiguration{
- Enabled: src.Enabled,
- Url: src.Url,
- SearchBase: src.SearchBase,
- SearchFilter: src.SearchFilter,
+ Enabled: src.Enabled,
+ Url: src.Url,
+ SearchBase: src.SearchBase,
+ SearchFilter: src.SearchFilter,
+ AuthenticationStrategy: src.AuthenticationStrategy,
+ ManagerDn: src.ManagerDn,
+ ManagerPassword: src.ManagerPassword,
+ IdentityStrategy: src.IdentityStrategy,
 }
 }
@@ -755,10 +759,14 @@ func convertNifiClusterFromDisruptionBudget(src v1.DisruptionBudget, dst *NifiCl
 func convertNifiClusterFromLdapConfiguration(src v1.LdapConfiguration, dst *NifiCluster) {
 dst.Spec.LdapConfiguration = LdapConfiguration{
- Enabled: src.Enabled,
- Url: src.Url,
- SearchBase: src.SearchBase,
- SearchFilter: src.SearchFilter,
+ Enabled: src.Enabled,
+ Url: src.Url,
+ SearchBase: src.SearchBase,
+ SearchFilter: src.SearchFilter,
+ AuthenticationStrategy: src.AuthenticationStrategy,
+ ManagerDn: src.ManagerDn,
+ ManagerPassword: src.ManagerPassword,
+ IdentityStrategy: src.IdentityStrategy,
 }
 }
diff --git a/api/v1alpha1/nificluster_conversion_test.go b/api/v1alpha1/nificluster_conversion_test.go
index fb96e90e76..17707540b5 100644
--- a/api/v1alpha1/nificluster_conversion_test.go
+++ b/api/v1alpha1/nificluster_conversion_test.go
@@ -107,7 +107,11 @@ func assertNifiClustersEqual(anc *NifiCluster, nc *v1.NifiCluster, t *testing.T)
 if anc.Spec.LdapConfiguration.Enabled != nc.Spec.LdapConfiguration.Enabled ||
 anc.Spec.LdapConfiguration.SearchBase != nc.Spec.LdapConfiguration.SearchBase ||
 anc.Spec.LdapConfiguration.SearchFilter != nc.Spec.LdapConfiguration.SearchFilter ||
- anc.Spec.LdapConfiguration.Url != nc.Spec.LdapConfiguration.Url {
+ anc.Spec.LdapConfiguration.Url != nc.Spec.LdapConfiguration.Url ||
+ anc.Spec.LdapConfiguration.AuthenticationStrategy != nc.Spec.LdapConfiguration.AuthenticationStrategy ||
+ anc.Spec.LdapConfiguration.ManagerDn != nc.Spec.LdapConfiguration.ManagerDn ||
+ anc.Spec.LdapConfiguration.ManagerPassword != nc.Spec.LdapConfiguration.ManagerPassword ||
+ anc.Spec.LdapConfiguration.IdentityStrategy != nc.Spec.LdapConfiguration.IdentityStrategy {
 t.Error("LDAP configurations are not equal")
 }
 if anc.Spec.NifiClusterTaskSpec.RetryDurationMinutes != nc.Spec.NifiClusterTaskSpec.RetryDurationMinutes {
@@ -432,10 +436,14 @@ func createNifiCluster() *NifiCluster {
 Budget: "50",
 },
 LdapConfiguration: LdapConfiguration{
- Enabled: true,
- Url: "url",
- SearchBase: "searchBase",
- SearchFilter: "searchFilter",
+ Enabled: true,
+ Url: "url",
+ SearchBase: "searchBase",
+ SearchFilter: "searchFilter",
+ AuthenticationStrategy: "authenticationStrategy",
+ ManagerDn: "managerDn",
+ ManagerPassword: "managerPassword",
+ IdentityStrategy: "identityStrategy",
 },
 NifiClusterTaskSpec: NifiClusterTaskSpec{
 RetryDurationMinutes: 5,
diff --git a/api/v1alpha1/nificluster_types.go b/api/v1alpha1/nificluster_types.go
index de2f121afe..b31bc30f3e 100644
--- a/api/v1alpha1/nificluster_types.go
+++ b/api/v1alpha1/nificluster_types.go
@@ -495,6 +495,18 @@ type LdapConfiguration struct {
 // Filter for searching for users against the 'User Search Base'.
 // (i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'.
 SearchFilter string `json:"searchFilter,omitempty"`
+ // How the connection to the LDAP server is authenticated.
+ // Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
+ AuthenticationStrategy string `json:"authenticationStrategy,omitempty"`
+ // The DN of the manager that is used to bind to the LDAP server to search for users.
+ ManagerDn string `json:"managerDn,omitempty"`
+ // The password of the manager that is used to bind to the LDAP server to search for users.
+ ManagerPassword string `json:"managerPassword,omitempty"`
+ // Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
+ // The default functionality if this property is missing is USE_DN in order to retain backward compatibility.
+ // USE_DN will use the full DN of the user entry if possible.
+ // USE_USERNAME will use the username the user logged in with.
+ IdentityStrategy string `json:"identityStrategy,omitempty"`
 }
 // NifiClusterTaskSpec specifies the configuration of the nifi cluster Tasks
diff --git a/config/crd/bases/nifi.konpyutaika.com_nificlusters.yaml b/config/crd/bases/nifi.konpyutaika.com_nificlusters.yaml
index 2ba8017a17..494a6ff46a 100644
--- a/config/crd/bases/nifi.konpyutaika.com_nificlusters.yaml
+++ b/config/crd/bases/nifi.konpyutaika.com_nificlusters.yaml
@@ -707,8 +707,16 @@ spec: type: array ldapConfiguration: properties: + authenticationStrategy: + type: string enabled: type: boolean + identityStrategy: + type: string + managerDn: + type: string + managerPassword: + type: string searchBase: type: string searchFilter:
@@ -5031,8 +5039,16 @@ spec: type: array ldapConfiguration: properties: + authenticationStrategy: + type: string enabled: type: boolean + identityStrategy: + type: string + managerDn: + type: string + managerPassword: + type: string searchBase: type: string searchFilter:
diff --git a/docs/tutorials/secured_nifi_cluster_on_gcp/kubernetes/nifikop/nifi.orange.com_nificlusters_crd.yaml b/docs/tutorials/secured_nifi_cluster_on_gcp/kubernetes/nifikop/nifi.orange.com_nificlusters_crd.yaml
index 6ee4eefb5d..00be666348 100644
--- a/docs/tutorials/secured_nifi_cluster_on_gcp/kubernetes/nifikop/nifi.orange.com_nificlusters_crd.yaml
+++ b/docs/tutorials/secured_nifi_cluster_on_gcp/kubernetes/nifikop/nifi.orange.com_nificlusters_crd.yaml
@@ -1108,6 +1108,14 @@ spec: description: Space-separated list of URLs of the LDAP servers (i.e. ldap://:). type: string + authenticationStrategy: + type: string + managerDn: + type: string + managerPassword: + type: string + identityStrategy: + type: string type: object listenersConfig: description: listenerConfig specifies nifi's listener specifig configs
diff --git a/helm/nifikop/crds/nifi.konpyutaika.com_nificlusters.yaml b/helm/nifikop/crds/nifi.konpyutaika.com_nificlusters.yaml
index 2ba8017a17..494a6ff46a 100644
--- a/helm/nifikop/crds/nifi.konpyutaika.com_nificlusters.yaml
+++ b/helm/nifikop/crds/nifi.konpyutaika.com_nificlusters.yaml
@@ -707,8 +707,16 @@ spec: type: array ldapConfiguration: properties: + authenticationStrategy: + type: string enabled: type: boolean + identityStrategy: + type: string + managerDn: + type: string + managerPassword: + type: string searchBase: type: string searchFilter:
@@ -5031,8 +5039,16 @@ spec: type: array ldapConfiguration: properties: + authenticationStrategy: + type: string enabled: type: boolean + identityStrategy: + type: string + managerDn: + type: string + managerPassword: + type: string searchBase: type: string searchFilter:
diff --git a/pkg/resources/templates/config/login_identity_providers.go b/pkg/resources/templates/config/login_identity_providers.go
index 29ffde9b7a..0d7ea7698f 100644
--- a/pkg/resources/templates/config/login_identity_providers.go
+++ b/pkg/resources/templates/config/login_identity_providers.go
@@ -68,9 +68,9 @@ var LoginIdentityProvidersTemplate = ` ldap-provider org.apache.nifi.ldap.LdapProvider - START_TLS - - + {{.LdapConfiguration.AuthenticationStrategy}} + {{.LdapConfiguration.ManagerDn}} + {{.LdapConfiguration.ManagerPassword}}
@@ -87,7 +87,7 @@ var LoginIdentityProvidersTemplate = `{{.LdapConfiguration.Url}} {{.LdapConfiguration.SearchBase}} {{.LdapConfiguration.SearchFilter}} - USE_DN + {{.LdapConfiguration.IdentityStrategy}} 12 hours {{end}}
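Review bot: The spec values are interpolated into the XML property elements verbatim in both hunks, so a manager password containing `&`, `<` or `"` (common in generated credentials) yields malformed login-identity-providers.xml and NiFi refuses to start; assuming this is text/template, piping each value through the built-in escaper, e.g. `{{.LdapConfiguration.ManagerPassword | html}}`, keeps the document well-formed. Separately, dropping the hard-coded START_TLS and USE_DN means a cluster whose spec omits the new fields now renders an empty Authentication Strategy, which NiFi's LdapProvider rejects as far as I know, and an empty Identity Strategy instead of the USE_DN the field comment promises. Until the CRD carries defaults, a template-level fallback such as `{{with .LdapConfiguration.AuthenticationStrategy}}{{. | html}}{{else}}START_TLS{{end}}` (and the same with USE_DN for Identity Strategy) keeps existing clusters working. The template literal begins and ends outside both hunks, and the XML element tags appear to have been stripped from this view, so the exact element placement is inferred.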