Bug 46466 - udm --policy-dereference doesn't remove "objectClass: univentionPolicyReference" if there is no other univentionPolicyReference remaining
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UDM - CLI
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-0-errata
Assigned To: Florian Best
QA Contact: Jürn Brodersen
Duplicates: 47689
Depends on: 47689
Blocks:
 
Reported: 2018-03-02 15:32 CET by Valentin Heidelberger
Modified: 2019-04-17 14:07 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Cleanup
Max CVSS v3 score:
best: Patch_Available+


Description Valentin Heidelberger univentionstaff 2018-03-02 15:32:18 CET
When one manually removes a reference to a policy (e.g. a non-existing one https://forge.univention.org/bugzilla/show_bug.cgi?id=16966), the objectClass: univentionPolicyReference is not removed on that object.

Like so:

udm groups/group modify --dn="cn=container,dc=ucs,dc=test" --policy-dereference="cn=example-policy,cn=policies,dc=ucs,dc=test"

This results in /usr/share/univention-directory-manager-tools/proof_policies throwing a warning:
Warning: found univentionPolicyReference without such Attribute cn=container,dc=ucs,dc=test
Comment 1 Valentin Heidelberger univentionstaff 2018-03-02 15:34:21 CET
This is only relevant for objects that have no univentionPolicyReference attributes left after the above command of course
Comment 2 Valentin Heidelberger univentionstaff 2018-03-02 15:47:42 CET
The objectClass also cannot be removed with udm, because it's not a valid attribute to modify for groups/group or container/cn
Comment 3 Florian Best univentionstaff 2019-03-17 15:28:02 CET
Created a patch in branch fbest/47689-46466-unify-policy-reference-handling.
It moves the policy handling into the UDM core and removes the object class if no other policy is assigned.

Handles all cases (invalid DN syntax, non-existing objects, no policy objects, referencing, dereferencing):

# /usr/share/pyshared/univention/admincli/admin.py users/user modify --dn uid=test,cn=users,dc=dev,dc=local --policy-reference "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"
Object modified: uid=test,cn=users,dc=dev,dc=local
# /usr/share/pyshared/univention/admincli/admin.py users/user modify --dn uid=test,cn=users,dc=dev,dc=local --policy-reference "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"
No modification: uid=test,cn=users,dc=dev,dc=local
# /usr/share/pyshared/univention/admincli/admin.py users/user modify --dn uid=test,cn=users,dc=dev,dc=local --policy-reference "foo"
Invalid syntax: foo 
OPERATION FAILED
# /usr/share/pyshared/univention/admincli/admin.py users/user modify --dn uid=test,cn=users,dc=dev,dc=local --policy-dereference "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"
Object modified: uid=test,cn=users,dc=dev,dc=local
# /usr/share/pyshared/univention/admincli/admin.py users/user modify --dn uid=test,cn=users,dc=dev,dc=local --policy-dereference "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"
No modification: uid=test,cn=users,dc=dev,dc=local
# /usr/share/pyshared/univention/admincli/admin.py users/user modify --dn uid=test,cn=users,dc=dev,dc=local --policy-dereference "foo"
Invalid syntax: foo 
OPERATION FAILED
# /usr/share/pyshared/univention/admincli/admin.py users/user modify --dn uid=test,cn=users,dc=dev,dc=local --policy-reference "uid=test,cn=users,dc=dev,dc=local"
Object is not a policy: uid=test,cn=users,dc=dev,dc=local
OPERATION FAILED
# /usr/share/pyshared/univention/admincli/admin.py users/user modify --dn uid=test,cn=users,dc=dev,dc=local --policy-dereference "uid=test,cn=users,dc=dev,dc=local"
No modification: uid=test,cn=users,dc=dev,dc=local
# /usr/share/pyshared/univention/admincli/admin.py users/user create --set username=foobar --set password=univention --set lastname=foo --policy-reference "uid=test,cn=users,dc=dev,dc=local"
Object is not a policy: uid=test,cn=users,dc=dev,dc=local
OPERATION FAILED
# /usr/share/pyshared/univention/admincli/admin.py users/user create --set username=foobar --set password=univention --set lastname=foo --policy-reference "foo"
Invalid syntax: foo 
OPERATION FAILED
# /usr/share/pyshared/univention/admincli/admin.py users/user create --set username=foobar --set password=univention --set lastname=foo --policy-reference "cn=selfservice-umc-servers,cn=UMC,cn=policies,$ldap_base"
Object created: uid=foobar,dc=dev,dc=local
# /usr/share/pyshared/univention/admincli/admin.py users/user create --set username=foobar --set password=univention --set lastname=foo --policy-reference "cn=foo"
No such object: Policy does not exists cn=foo
OPERATION FAILED
# /usr/share/pyshared/univention/admincli/admin.py users/user modify --dn uid=test,cn=users,dc=dev,dc=local --policy-reference "cn=foo"
No such object: Policy does not exists cn=foo
OPERATION FAILED
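A minimal model of the behaviour described in Comment 3, added here as an illustration; it is not Univention's UDM code. It assumes the directory is a plain dict of DN to attributes, that policy objects carry the object class `univentionPolicy`, that DNs compare as exact strings, and a simplified DN syntax check; the function names are hypothetical.

```python
import re

REF = "univentionPolicyReference"  # name of both the object class and the attribute
POLICY_CLASS = "univentionPolicy"  # assumption: object class that marks a policy object

def is_dn(value):
    # Simplified syntax check: each comma-separated RDN must look like attr=value.
    return all(re.match(r"[A-Za-z][\w-]*=.+$", p.strip()) for p in re.split(r"(?<!\\),", value))

def apply_policy_change(directory, dn, reference=(), dereference=()):
    """Apply the change to the model and return the modlist [(attr, old, new)]."""
    entry = directory[dn]
    old_refs = list(entry.get(REF, []))
    new_refs = list(old_refs)
    for policy in list(reference) + list(dereference):
        if not is_dn(policy):
            raise ValueError("Invalid syntax: %s" % policy)
    for policy in reference:
        if policy not in directory:
            raise ValueError("No such object: %s" % policy)
        if POLICY_CLASS not in directory[policy]["objectClass"]:
            raise ValueError("Object is not a policy: %s" % policy)
        if policy not in new_refs:
            new_refs.append(policy)
    new_refs = [r for r in new_refs if r not in dereference]
    old_oc = list(entry["objectClass"])
    # The fix: the object class is present exactly when a reference remains.
    new_oc = [oc for oc in old_oc if oc != REF] + ([REF] if new_refs else [])
    modlist = []
    if new_refs != old_refs:
        modlist.append((REF, old_refs, new_refs))
    if sorted(new_oc) != sorted(old_oc):
        modlist.append(("objectClass", old_oc, new_oc))
    for attr, _old, new in modlist:
        entry[attr] = new
    return modlist

def stale_reference_classes(directory):
    # The state proof_policies warns about: object class present, attribute absent.
    return [dn for dn, e in directory.items() if REF in e["objectClass"] and not e.get(REF)]

def sample_directory():
    # Constructed sample entries (DN -> attributes), not real data.
    return {
        "cn=p1,cn=policies,dc=example,dc=test": {"objectClass": ["top", POLICY_CLASS]},
        "cn=p2,cn=policies,dc=example,dc=test": {"objectClass": ["top", POLICY_CLASS]},
        "uid=test,cn=users,dc=example,dc=test": {"objectClass": ["top", "person"]},
    }
```

An empty modlist corresponds to the "No modification" lines in the session above; `stale_reference_classes` reports entries left in the state the original report describes.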
Comment 4 Florian Best univentionstaff 2019-03-17 15:28:39 CET
*** Bug 47689 has been marked as a duplicate of this bug. ***
Comment 5 Florian Best univentionstaff 2019-04-11 10:08:56 CEST
Branch has been merged.

univention-directory-manager-modules (14.0.12-21)
22d25e871499 | Bug #46466: remove object class univentionPolicyReference if no policy is assigned

univention-directory-manager-modules.yaml
d64db1ed55b9 | YAML Bug #46466
Comment 6 Jürn Brodersen univentionstaff 2019-04-12 10:58:30 CEST
What I tested:
Created a user with a policy reference -> OK
Created a user without a policy reference -> OK
Add a policy reference -> OK
Add a second policy reference -> OK
Removed the first policy reference -> OK
Removed the second policy reference -> OK (Object class is removed)

We discussed the error message in case a non-existing policy is referenced. I tested it with the old version and it throws an error as well -> No regression -> OK

YAML -> OK

There are a few failed Jenkins tests. I don't think they are caused by this, but I want to look at these a bit more before verifying this.
Comment 7 Jürn Brodersen univentionstaff 2019-04-17 11:48:41 CEST
Jenkins looks good now :)
-> Verified
Comment 8 Erik Damrose univentionstaff 2019-04-17 14:07:28 CEST
<http://errata.software-univention.de/ucs/4.4/50.html>