Bug 42114 - UMC-Server should provide access to specific commands for anonymous users
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2
Assigned To: Florian Best
Jürn Brodersen
: interim-2
Duplicates: 28742 37665 40894 41084 43653 43712
Depends on: 36215
Blocks: 42169
Reported: 2016-08-24 18:03 CEST by Florian Best
Modified: 2017-04-04 18:29 CEST
CC List: 4 users

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Florian Best univentionstaff 2016-08-24 18:03:52 CEST
The UMC-Server should be able to serve requests for unauthenticated clients.

This is helpful when creating services like the Self-Service, which doesn't need to ship WSGI scripts.
Comment 1 Florian Best univentionstaff 2016-09-13 13:25:30 CEST
When starting the UMC-Webserver I saw:
"""ENGINE WARNING: Use of engine.autoreload_on is deprecated and will be removed in a future version. Use engine.autoreload.on instead.
"""
I adapted the config accordingly.
Comment 2 Florian Best univentionstaff 2016-09-13 13:52:10 CEST
*** Bug 37665 has been marked as a duplicate of this bug. ***
Comment 3 Florian Best univentionstaff 2016-09-13 14:49:11 CEST
*** Bug 41084 has been marked as a duplicate of this bug. ***
Comment 4 Florian Best univentionstaff 2016-09-13 14:50:33 CEST
*** Bug 28742 has been marked as a duplicate of this bug. ***
Comment 5 Florian Best univentionstaff 2016-09-14 16:43:15 CEST
*** Bug 40894 has been marked as a duplicate of this bug. ***
Comment 6 Florian Best univentionstaff 2017-02-16 13:53:53 CET
I experienced the following UMC-Server crash:

16.02.17 13:35:47.986  AUTH        ( INFO    ) : Trying to authenticate user 'Administrator'
16.02.17 13:35:48.010  AUTH        ( ERROR   ) : Canonicalization of username failed: Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/auth.py", line 132, in __canonicalize_username
    result = lo.search(filter_format('(&(%s=%s)(objectClass=person))', (attr, username)), attr=['uid'], unique=True)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 439, in search
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Invalid credentials

16.02.17 13:35:48.065  AUTH        ( INFO    ) : Authentication for 'Administrator' was successful
16.02.17 13:35:48.086  LOCALE      ( INFO    ) : Locale or domain missing. Stopped loading of translation
16.02.17 13:35:48.088  MAIN        ( ERROR   ) : Could not get uid for 'Administrator': Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 188, in _search_user_dn
    ldap_dn = self.lo.searchDn(ldap.filter.filter_format('(&(uid=%s)(objectClass=person))', (self._username,)))
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 455, in searchDn
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access

16.02.17 13:35:48.089  MAIN        ( ERROR   ) : The LDAP DN for user Administrator could not be found (lo=<univention.admin.uldap.access instance at 0x7fb39a0b10e0>)
16.02.17 13:35:48.109  MAIN        ( ERROR   ) : Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 243, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/sbin/univention-management-console-server", line 156, in _restart
    self._start()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 210, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 286, in loop
    step()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 278, in step
    __min_timer = dispatch.dispatcher_run()
  File "/usr/lib/pymodules/python2.7/notifier/dispatch.py", line 72, in dispatcher_run
    if not disp():
  File "/usr/lib/pymodules/python2.7/notifier/threads.py", line 154, in _simple_threads_dispatcher
    task.announce()
  File "/usr/lib/pymodules/python2.7/notifier/threads.py", line 135, in announce
    self._callback( self, self._result )
  File "/usr/lib/pymodules/python2.7/notifier/__init__.py", line 104, in __call__
    return self._function( *tmp, **self._kwargs )
  File "/usr/lib/pymodules/python2.7/univention/management/console/auth.py", line 152, in __authentication_result
    self.signal_emit('authenticated', auth_result, request)
  File "/usr/lib/pymodules/python2.7/notifier/signals.py", line 75, in signal_emit
    self.__signals[ signal ].emit( *args )
  File "/usr/lib/pymodules/python2.7/notifier/signals.py", line 41, in emit
    cb( *args )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 886, in _authentication_finished
    self.initalize_processor(request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 927, in initalize_processor
    self.processor.set_credentials(**self.__credentials)
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 171, in set_credentials
    self._reload_acls_and_permitted_commands()
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 175, in _reload_acls_and_permitted_commands
    self._reload_acls()
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 179, in _reload_acls
    self.acls = LDAP_ACLs(self.lo, self._username, ucr['ldap/base'])
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 349, in __init__
    self._read_from_ldap()
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 365, in _read_from_ldap
    userdn = self.lo.searchDn(filter_format('(&(objectClass=person)(uid=%s))', [self.username]), unique=True)[0]
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 455, in searchDn
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: Insufficient access
Comment 7 Florian Best univentionstaff 2017-02-24 08:13:14 CET
This has been implemented by adding an attribute allow_unauthenticated="true" to the <command> of the XML definition of a module.
As unauthenticated users can now contact the UMC-Server directly in non-AUTH requests, I needed to implement some more error handling to protect against DoS and UMC-Server crashes.

univention-management-console (9.0.42-1):
r77084 | Bug #42114: prevent server crashes in the authentication finished callback
r77066 | Bug #42114: ignore flavor argument
r77030 | Bug #42114: fixup error in sanitization if PatternSanitizer is used
r77028 | Bug #42114: remove __all__
r77001 | Bug #42114: fix py-support in preinst
r77000 | Bug #42114: fix py-support in preinst
r76999 | Bug #42114: respond with 401 Unauthorized for known UMC commands when not being logged in
r76413 | Bug #42114: fix ldap filter escaping
r76370 | Bug #42114: fix executing anonymous commands
r75937 | Bug #42114: fix crash of UMC-Server due to __processes not defined in subclass
r75623 | Bug #42114: make it possible to define required commands for a flavor/module to have access to for viewing the module
r73183 | Bug #42114: general thread error handling
r73039 | Bug #42114: error handling of LDAP server down
r72529 | Bug #42114: Fix some pyflakes warnings
r72453 | Bug #42114: fix up svn r71911, revert svn r72429
r72429 | Bug #42114: Make the UMC-Server more robust against crashes by unauthenticated clients
r72417 | Bug #42114: Make the UMC-Server more robust against crashes by unauthenticated clients
r72411 | Bug #42114: Make the UMC-Server more robust against crashes by unauthenticated clients
r72038 | Bug #42114: rename 'prevent_unauthenticated' into 'allow_anonymous'
r71977 | Bug #42114: rename 'prevent_unauthenticated' into 'allow_anonymous'
r71952 | Bug #42114: prevent memory leak and denial of service
r71951 | Bug #42114: make it possible to execute commands without authentication
r71911 | Bug #42114: make it possible to execute commands without authentication
r71972 | Bug #42114: allow anonymous commands to be sent to the UMC-Server
Comment 8 Florian Best univentionstaff 2017-03-02 20:35:06 CET
*** Bug 43653 has been marked as a duplicate of this bug. ***
Comment 9 Jürn Brodersen univentionstaff 2017-03-03 13:24:15 CET
circular import may be introduced:

>>> import univention.management.console.base
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 124, in <module>
    from univention.management.console.protocol.message import Response, MIMETYPE_JSON
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/__init__.py", line 187, in <module>
    from session import *
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 67, in <module>
    from ..base import Base
ImportError: cannot import name Base
Comment 10 Florian Best univentionstaff 2017-03-03 14:09:13 CET
*** Bug 43712 has been marked as a duplicate of this bug. ***
Comment 11 Florian Best univentionstaff 2017-03-03 14:45:31 CET
(In reply to Jürn Brodersen from comment #9)
> circular import may be introduced:
> 
> >>> import univention.management.console.base
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
>   File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 124, in <module>
>     from univention.management.console.protocol.message import Response, MIMETYPE_JSON
>   File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/__init__.py", line 187, in <module>
>     from session import *
>   File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 67, in <module>
>     from ..base import Base
> ImportError: cannot import name Base

This is the same in UCS 4.1 so I don't think we need to fix it. It's no problem for the UMC modules.
Comment 12 Jürn Brodersen univentionstaff 2017-03-03 17:07:30 CET
What I tested:
umc-command -U Administrator -P univention setup/lang/locales -o 'pattern=*'
->STATUS   : 200 -> OK
umc-command --no-auth setup/lang/locales -o 'pattern=*'
->STATUS   : 401 -> OK
umc-command --no-auth passwordreset/get_reset_methods -o username=foo
->STATUS   : 200 -> OK
umc-command -U Administrator -P univention passwordreset/get_reset_methods -o username=foo
->STATUS   : 200 -> OK

-> NOT anonymous modules work only when logged in -> OK
-> anonymous modules work logged in and logged out -> OK

-> All OK -> Verified
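The authorization rule described in comment 7 (a command is only reachable without a session if its <command> element carries allow_unauthenticated="true", otherwise a known command gets 401) and the result matrix from comment 12 can be modelled in a few lines. This is an added illustration, not code from univention-management-console: the module XML is constructed, the attribute name follows comment 7 (the commit log also mentions allow_anonymous, so check the shipped code), and answering 404 for unknown commands is an assumption the bug page does not state.

```python
import xml.etree.ElementTree as ET

# Constructed sample module definitions (not the real UCS module XML files).
# The two command names are the ones exercised in comment 12.
MODULE_XML = """<umc version="2.0">
  <module id="setup" python="2.7">
    <command name="setup/lang/locales" function="lang_locales"/>
  </module>
  <module id="passwordreset" python="2.7">
    <command name="passwordreset/get_reset_methods"
             function="get_reset_methods"
             allow_unauthenticated="true"/>
  </module>
</umc>"""


def load_commands(xml_text):
    """Map command name -> True if the command may run without a session.

    Anything other than an explicit allow_unauthenticated="true" is treated
    as "requires authentication" (default deny), so a misspelled or missing
    attribute never opens a command up by accident.
    """
    root = ET.fromstring(xml_text)
    commands = {}
    for cmd in root.iter("command"):
        flag = cmd.get("allow_unauthenticated", "false").strip().lower()
        commands[cmd.get("name")] = flag == "true"
    return commands


def dispatch(commands, command, authenticated):
    """Return the status the server answers for a request to `command`.

    200: the client may execute the command
    401: known command, no session, and the command is not anonymous
         (the behaviour introduced in r76999 on this bug)
    404: unknown command (assumption, not specified on the bug page)
    """
    if command not in commands:
        return 404
    if authenticated or commands[command]:
        return 200
    return 401


if __name__ == "__main__":
    table = load_commands(MODULE_XML)
    for name in table:
        for auth in (True, False):
            print(name, "auth" if auth else "no-auth", dispatch(table, name, auth))
```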
Comment 13 Alexander Kläser univentionstaff 2017-03-07 09:52:43 CET
REOPENED → Please add a changelog entry.
Comment 14 Florian Best univentionstaff 2017-03-07 12:59:43 CET
r77418 | Changelog Bug #42114 Bug #42132
Comment 15 Jürn Brodersen univentionstaff 2017-03-14 12:26:35 CET
(In reply to Florian Best from comment #14)
> r77418 | Changelog Bug #42114 Bug #42132

OK -> Verified
Comment 16 Stefan Gohmann univentionstaff 2017-04-04 18:29:19 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".