improve resilence and fix potential NPE in LDAP synchronization

Author: nkonev

aaa/src/main/java/name/nkonev/aaa/entity/ldap/LdapEntity.java

@@ -0,0 +1,31 @@
+package name.nkonev.aaa.entity.ldap;
+
+import name.nkonev.aaa.config.properties.LdapAttributes;
+import name.nkonev.aaa.utils.NullUtils;
+
+import javax.naming.directory.Attributes;
+import java.util.Set;
+
+import static name.nkonev.aaa.utils.ConvertUtils.*;
+
+// all props are nullable
+public record LdapEntity(
+    String id,
+    String username,
+    String email,
+    Set<String> roles,
+    Boolean locked,
+    Boolean enabled
+) {
+
+    public LdapEntity(LdapAttributes attributeNames, Attributes ldapEntry) {
+        this(
+            extractId(attributeNames, ldapEntry),
+            extractUsername(attributeNames, ldapEntry),
+            extractEmail(attributeNames, ldapEntry),
+            extractRoles(attributeNames, ldapEntry),
+            extractLocked(attributeNames, ldapEntry),
+            extractEnabled(attributeNames, ldapEntry)
+        );
+    }
+}

aaa/src/main/java/name/nkonev/aaa/repository/jdbc/UserAccountRepository.java

@@ -8,6 +8,7 @@
 import org.springframework.stereotype.Repository;
 
 import java.time.LocalDateTime;
+import java.util.Collection;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
@@ -38,4 +39,6 @@ public interface UserAccountRepository extends ListCrudRepository<UserAccount, L
     // here we intentionally set that deleted user exists
     @Query("select u.id from user_account u where u.id in (:userIds)")
     Set<Long> findUserIds(List<Long> userIds);
+
+    List<UserAccount> findByLdapIdInOrderById(Collection<String> strings);
 }

aaa/src/main/java/name/nkonev/aaa/repository/spring/jdbc/UserListViewRepository.java

@@ -227,16 +227,6 @@ public List<UserAccount> findPage(int pageSize, int offset) {
             userAccountRowMapper);
     }
 
-    public List<UserAccount> findPageWithLdapId(int pageSize, int offset) {
-        return jdbcTemplate.query(
-            PREFIX + " and ldap_id is not null " + PAGINATION_SUFFIX,
-            Map.of(
-                "limit", pageSize,
-                "offset", offset
-            ),
-            userAccountRowMapper);
-    }
-
     private static final String AND_USERNAME_ILIKE = " and " + USERNAME_SEARCH;
 
     public List<UserAccount> findByUsernameContainsIgnoreCase(int pageSize, long offset, String searchString) {

aaa/src/main/java/name/nkonev/aaa/security/LdapAuthenticationProvider.java

@@ -4,6 +4,7 @@
 import name.nkonev.aaa.converter.UserAccountConverter;
 import name.nkonev.aaa.dto.UserAccountDetailsDTO;
 import name.nkonev.aaa.entity.jdbc.UserAccount;
+import name.nkonev.aaa.entity.ldap.LdapEntity;
 import name.nkonev.aaa.exception.UserAlreadyPresentException;
 import name.nkonev.aaa.repository.jdbc.UserAccountRepository;
 import name.nkonev.aaa.services.CheckService;
@@ -27,13 +28,6 @@
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicBoolean;
 
-import static name.nkonev.aaa.converter.UserAccountConverter.normalizeEmail;
-import static name.nkonev.aaa.utils.ConvertUtils.convertToStrings;
-
-import name.nkonev.aaa.utils.NullUtils;
-
-import javax.naming.NamingException;
-
 // https://spring.io/guides/gs/authenticating-ldap
 @Component
 public class LdapAuthenticationProvider implements AuthenticationProvider {
@@ -76,37 +70,38 @@ public Authentication authenticate(Authentication authentication) throws Authent
                 var userAccount = transactionTemplate.execute(status -> {
                     var lq = LdapQueryBuilder.query().base(aaaProperties.ldap().auth().base()).filter(aaaProperties.ldap().auth().filter(), userName);
                     ldapOperations.authenticate(lq, encodedPassword);
-                    var ldapEntry = ldapOperations.searchForContext(lq).getAttributes();
 
-                    var ldapUserId = NullUtils.getOrNullWrapException(() -> ldapEntry.get(aaaProperties.ldap().attributeNames().id()).get().toString());
+                    var ldapAttributes = ldapOperations.searchForContext(lq).getAttributes();
+                    var ldapEntry = new LdapEntity(aaaProperties.ldap().attributeNames(), ldapAttributes);
+
+                    var ldapUserId = ldapEntry.id();
+                    if (ldapUserId == null) {
+                        LOGGER.warn("Got null ldap id for username={}", userName);
+                        return null;
+                    }
 
                     UserAccount byLdapId = userAccountRepository
                         .findByLdapId(ldapUserId)
                         .orElseGet(() -> {
                             // create a new
+
+                            // check conflict by username
                             userAccountRepository.findByUsername(userName).ifPresent(ua -> {
                                 throw new UserAlreadyPresentException("User with login '" + userName + "' is already present");
                             });
 
                             String email = null;
                             if (StringUtils.hasLength(aaaProperties.ldap().attributeNames().email())) {
-                                var ldapEmail = NullUtils.getOrNullWrapException(() -> ldapEntry.get(aaaProperties.ldap().attributeNames().email()).get().toString());
-                                email = normalizeEmail(ldapEmail);
+                                email = ldapEntry.email();
                             }
 
-                            final Set<String> rawRoles = new HashSet<>();
+                            Set<String> rawRoles = new HashSet<>();
                             if (StringUtils.hasLength(aaaProperties.ldap().attributeNames().role())) {
-                                try {
-                                    var groups = ldapEntry.get(aaaProperties.ldap().attributeNames().role()).getAll();
-                                    if (groups != null) {
-                                        rawRoles.addAll(convertToStrings(groups));
-                                    }
-                                } catch (NamingException e) {
-                                    LOGGER.error(e.getMessage(), e);
-                                }
+                                rawRoles = ldapEntry.roles();
                             }
                             var mappedRoles = RoleMapper.map(aaaProperties.roleMappings().ldap(), rawRoles);
 
+                            // check conflict by email
                             if (StringUtils.hasLength(email)) {
                                 if (!userService.checkEmailIsFree(email)){
                                     throw new UserAlreadyPresentException("User with email '" + email + "' is already present");