Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Forbid = in group names #5972

Closed
wants to merge 2 commits into from
Closed

Forbid = in group names #5972

wants to merge 2 commits into from

Conversation

kobergj
Copy link
Collaborator

@kobergj kobergj commented Mar 30, 2023

Since underlying ldap library panics when you do so, this is the best (aka quickest) way to solve this

@kobergj kobergj mentioned this pull request Mar 30, 2023
Closed
@ownclouders
Copy link
Contributor

ownclouders commented Mar 30, 2023
edited
Loading

💥 Acceptance test localApiTests-apiCors-ocis failed. Further test are cancelled...

This was referenced Mar 30, 2023
Closed
Closed
rhafer
rhafer suggested changes Mar 30, 2023
View reviewed changes
Copy link
Contributor

@rhafer rhafer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this there is some problem with escaping here (which is likely not limited to the '=' charcter). It would be way better to correctly understand that problem before we merge this "fix".

(BTW, this might also be a problem with the libregraph/idm and it might just work when using a proper LDAP server)

@kobergj
Copy link
Collaborator Author

kobergj commented Mar 30, 2023
edited
Loading

@rhafer I don't think it is related to escaping. When renaming a group we use the method ModifyDN which is expecting a string consisting of key-value pair separated by "="

Updating with group e.g. "grp=" leads to a sting like cn=grp=. This causes the idm package to panic because it gets confused.

I tried escaping "=" or quoting the names, both without success.

But you are right maybe this does not happen with another ldap server.

@rhafer
Copy link
Contributor

rhafer commented Mar 30, 2023

Uff. You're right. = does not need to be escaped in LDAP DNs (https://www.rfc-editor.org/rfc/rfc4514)

There seems to be a bug in ldap.ParseDN() which causes it to choke on DN attribute value ending with =. (It will not return an error, but also not correctly parse it). And then idm panics on it because it does not expect an empty result when err is nil 💥

We should definetly create an upstream issue for this.

But if we want to disallow names with = for now, we should do that consistently through out the LDAP backend. (users, schools and classes have the same issue I think)

rhafer
rhafer suggested changes Mar 30, 2023
View reviewed changes
Copy link
Contributor

@rhafer rhafer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Until go-ldap gets a fix I think this is fine. But we should add the same "fix" to all the other callers of ModifyDN

@saw-jan saw-jan mentioned this pull request Mar 31, 2023
Closed
@SwikritiT SwikritiT mentioned this pull request Mar 31, 2023
Merged
@kobergj kobergj force-pushed the ForbidEqualForGroupNames branch from 4fe10da to 1aba274 Compare April 3, 2023 09:28
@kobergj kobergj force-pushed the ForbidEqualForGroupNames branch from 1aba274 to c9da494 Compare April 3, 2023 10:24
@kobergj
adjust tests
15ca806 
Signed-off-by: jkoberg <[email protected]>
@kobergj kobergj force-pushed the ForbidEqualForGroupNames branch from c9da494 to 15ca806 Compare April 3, 2023 10:43
@sonarqubecloud
Copy link

sonarqubecloud bot commented Apr 3, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 2 Code Smells

62.9% 62.9% Coverage
11.7% 11.7% Duplication

@kobergj kobergj requested a review from rhafer April 3, 2023 12:56
@kobergj
Copy link
Collaborator Author

kobergj commented Apr 3, 2023

@rhafer followed your suggestion. Please double check

rhafer
rhafer reviewed Apr 3, 2023
View reviewed changes
services/graph/pkg/service/v0/service.go
@@ -424,3 +427,19 @@ func parsePurgeHeader(h http.Header) bool {
}
return false
}

// ldap is using `=` signs as delimiter for key-values when doing requests
// underlying go library is having problems when trying to parse names (keys) that contain `=`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice if you'd mention the upstream issue here. I just found: go-ldap/ldap#416 (even though it's talking about base64 encoded values, the issue is really about the = sign).

rhafer
rhafer approved these changes Apr 3, 2023
View reviewed changes
Copy link
Contributor

@rhafer rhafer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kobergj Look was just fixed a couple of days ago: go-ldap/ldap#425

Funny coincidence. I wonder if we should just wait for next go-ldap release. But I am also fine merging this. Would be nice if you'd mention the upstream issue in the code tough.

@kobergj kobergj marked this pull request as draft April 3, 2023 15:23
@kobergj
Copy link
Collaborator Author

kobergj commented Apr 3, 2023

Let's test with new version. If it works we can close this PR

@kobergj
Copy link
Collaborator Author

kobergj commented Apr 4, 2023

Superior fix here: #6004

@kobergj kobergj closed this Apr 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rhafer rhafer rhafer approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kobergj @ownclouders @rhafer