Ldaps port cannot be specified via Env Var - potential regression?

lewinskimaciej · May 17, 2023, 11:32am

Hi,
I made a thread before but I actually realized where the issue is so I removed that and I wanted to make this instead, as kind of a feedback/bug report kind-of thread.
So we had working configuration for RoR version 1.27.1 and ELK at 7.8.1.
We had a working readonlyrest.yml config with ldaps mostly specified via environment variables like this:

ldaps:
    - name: ldap_internal_employees
      host: ${LDAP_INTERNAL_HOST}
      port: ${LDAP_INTERNAL_PORT}
      (...)

After updating our ELK stack, we updated RoR to 1.48.0 and configuration stopped working. RoR would fail on startup with the exception: Server information missing: use 'host' and 'port', 'servers'/'hosts' or 'service_discovery' option. that I believe comes from:

github.com

sscarduzio/elasticsearch-readonlyrest-plugin/blob/827e9ee1896d9822fb80c83ed37a147f279479db/core/src/main/scala/tech/beshu/ror/accesscontrol/factory/decoders/definitions/LdapServicesDecoder.scala#L273


      
                      case Some(hosts) if allHostsWithTheSameSchema(hosts) =>
                        Right(SeveralServers(hosts, haMethod.getOrElse(HaMethod.Failover)))
                      case Some(_) =>
                        Left(DefinitionsLevelCreationError(Message(s"The list of LDAP servers should be either all 'ldaps://' or all 'ldap://")))
                      case None =>
                        Left(DefinitionsLevelCreationError(Message(s"Please specify more than one LDAP server using 'servers'/'hosts' to use HA")))
                    }
                  case (None, None, Some(serverDiscoveryConfig)) =>
                    Right(serverDiscoveryConfig)
                  case (None, None, None) =>
                    Left(DefinitionsLevelCreationError(Message(s"Server information missing: use 'host' and 'port', 'servers'/'hosts' or 'service_discovery' option.")))
                  case _ =>
                    Left(DefinitionsLevelCreationError(Message(s"Cannot accept multiple server configurations settings (host,port) or (servers/hosts) or (service_discovery) at the same time.")))
                }
              }
              .emapE[ConnectionMethod](identity)
              .decoder
          
          
private implicit val serverDiscoveryDecoder: Decoder[Option[ConnectionMethod.ServerDiscovery]] = {
            val booleanDiscoverySettingDecoder =
              SyncDecoderCreator

It took me quite a while to figure out that the issue is related to env variables. Environment was properly set(we use docker compose but that doesn’t matter), variables were there and could be seen by readonlyrest.yml, as other variables, used for example in access_control_rules - worked.

So turns out that if ldaps.port is specified via environment variable like in an example above, startup will fail with exception mentioned above, if we hardcode it manually - it works. I believe there’s an issue somewhere with parsing variable to an int that causes this behaviour, and I am fairly sure that it worked in older versions as we did not change configurations for a while(at least not since I work at my current project). We have .env files for docker compose where we would specify

LDAP_INTERNAL_HOST=someserver.ad.somecompany.com
LDAP_INTERNAL_PORT=389
(...)

It might be worth mentioning this behaviour somewhere or fixing parsing of that particular setting.
It’s especially confusing since this example actually uses environment variable in port for ldaps?

lewinskimaciej · May 17, 2023, 11:33am

It also seems that code and documentation are all over the place when it comes to using environment variables in .yml.
F.e. docs mention ${env:TEST_VAR},
this example uses ${TEST_VAR},
this one has {LDAP1_HOST}
Might be good to mention ‘the right way’ in the docs and/or update older tests/examples.

sscarduzio · May 17, 2023, 2:25pm

Hello @lewinskimaciej thank you for contributing to make our product documentation better!

The forum limitations should be removed for you now. You can paste as many links as necessary so we can correct all of them.

We do evolve our syntax slowly in years. And when we do, we normally make sure the backwards compatibility is respected.

In this case we moved to a more explicit ${env:ENV_VAR}, and the latest documentation should all reflect this.

But if the old ${ENV_VAR} syntax stopped working, we have a bug.

@coutoPL WDYT?

lewinskimaciej · May 17, 2023, 2:41pm

Thanks! I’m not sure it’s because of the new syntax though. I checked a lot of combinations and every one failed for me. We moved to hard-coded port(since we use default on all environments anyway) and it seems to work perfectly. Host works with both formats as far as I’ve seen.

coutoPL · May 17, 2023, 3:59pm

Hi Maciej!
Thanks for reporting this. I confirm there is a problem with ENV usage in the LDAP connector “port” field (it works in the case of “host”). I think I know where the problem is. Will try to fix it today evening.

Will let you know.

coutoPL · May 17, 2023, 8:30pm

@lewinskimaciej please try this one: ROR 1.49.0-pre5 for ES 7.8.1

Let us know if it works now

lewinskimaciej · May 18, 2023, 8:37am

Hey, I’ve tested it locally and it seems to work properly We will update to new version when stable comes out then, for now hardcoded ports are good enough. Thank you!

coutoPL · May 18, 2023, 5:49pm

Great. We are going to release ROR 1.49.0 soon