Univention Bugzilla – Bug 50175
[UDM HTTP API] saml/serviceprovider objects cannot be accessed when schema in name
Last modified: 2019-10-02 16:06:35 CEST
Objects get listed at /univention/udm/saml/serviceprovider/ but the links cannot be followed if they contain a http(s) schema in the name. It works for the one with SAMLServiceProviderIdentifier=google.com.

Example DN: SAMLServiceProviderIdentifier=https://saml.salesforce.com,cn=saml-serviceprovider,cn=univention,dc=uni,dc=dtr

HTTP-Error 404: HTTP 404: Not Found
Grr, Apache removes double slashes from URLs when using mod_proxy.
Double slashes are invalid in URI's. The following patch would work: diff --git a/management/univention-management-console-module-udm/src/univention/management/modules/udm/module.py b/management/univention-management-console-module-udm/src/univention/management/modules/udm/module.py index 804f1e69a4..a6a4fe106d 100755 --- a/management/univention-management-console-module-udm/src/univention/management/modules/udm/module.py +++ b/management/univention-management-console-module-udm/src/univention/management/modules/udm/module.py @@ -3562,12 +3562,12 @@ def encode_properties(module, obj, properties): def quote_dn(dn): if isinstance(dn, unicode): dn = dn.encode('utf-8') - return quote(dn) # .replace('/', quote('/', safe='')) + return quote(dn).replace('//', '-slash-slash-') # .replace('/', quote('/', safe='')) def unquote_dn(dn): # tornado already decoded it (UTF-8) - return dn + return dn.replace('-slash-slash-', '//') def last_modified(date)
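Review bot: In quote_dn, the '-slash-slash-' token consists only of characters that quote() leaves unescaped, so a DN that already contains that literal string is turned into '//' by unquote_dn and no longer round-trips. Choose a replacement that cannot appear in an encoded DN, for example one that is not valid DN syntax. The trailing comment "# .replace('/', quote('/', safe=''))" on the changed return line is stale and should be dropped, and both functions would benefit from a short docstring stating that they must be exact inverses of each other.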
Fixed by applying a similar patch.
Duplicated slashes in a URI might be replaced with one slash, due to URI path normalization rules. Therefore // is replaced with %/ and vice versa.
A test case has been added.

ucs-test (9.0.3-48)
6b735084c767 | Bug #27816: Bug #50175: fix accessing objects with // in its DN

univention-management-console-module-udm (9.0.14-1)
6b735084c767 | Bug #27816: Bug #50175: fix accessing objects with // in its DN
OK: links in collection can be followed:

curl -k -X GET -H "Accept:application/json" -u Administrator:univention 'https://m66.uni.dtr/univention/udm/saml/serviceprovider/?hidden=true' | python -m json.tool | grep uri

curl -k -X GET -H "Accept:application/json" -u Administrator:univention "https://m66.uni.dtr/univention/udm/saml/serviceprovider/SAMLServiceProviderIdentifier%3Dhttps%3A%25/saml.salesforce.com%2Ccn%3Dsaml-serviceprovider%2Ccn%3Dunivention%2Cdc%3Duni%2Cdc%3Ddtr" | python -m json.tool

But the URI in the returned resource cannot be used:

$ curl -i -k -X GET -H "Accept:application/json" -u Administrator:univention "https://m66.uni.dtr/univention/udm/saml/serviceprovider/SAMLServiceProviderIdentifier=https:%/SAMLServiceProviderIdentifier%3Dhttps%3A%25/saml.salesforce.com%2Ccn%3Dsaml-serviceprovider%2Ccn%3Dunivention%2Cdc%3Duni%2Cdc%3Ddtr"
HTTP/1.1 400 Bad Request
Date: Thu, 12 Sep 2019 08:21:44 GMT
Server: Apache/2.4.25 (Univention)
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.25 (Univention) Server at m66.uni.dtr Port 443</address>
</body></html>
(In reply to Daniel Tröder from comment #4)
> But the URI in the returned resource cannot be used:
>
> $ curl -i -k -X GET -H "Accept:application/json" -u Administrator:univention
> "https://m66.uni.dtr/univention/udm/saml/serviceprovider/
> SAMLServiceProviderIdentifier=https:%/
> SAMLServiceProviderIdentifier%3Dhttps%3A%25/saml.salesforce.com%2Ccn%3Dsaml-
> serviceprovider%2Ccn%3Dunivention%2Cdc%3Duni%2Cdc%3Ddtr"

You built that URI yourself? This URI is invalid because the % character is not percent encoded!
(In reply to Florian Best from comment #5)
> (In reply to Daniel Tröder from comment #4)
> > But the URI in the returned resource cannot be used:
> >
> > $ curl -i -k -X GET -H "Accept:application/json" -u Administrator:univention
> > "https://m66.uni.dtr/univention/udm/saml/serviceprovider/
> > SAMLServiceProviderIdentifier=https:%/
> > SAMLServiceProviderIdentifier%3Dhttps%3A%25/saml.salesforce.com%2Ccn%3Dsaml-
> > serviceprovider%2Ccn%3Dunivention%2Cdc%3Duni%2Cdc%3Ddtr"
>
> You built that URI yourself? This URI is invalid because the % character is
> not percent encoded!

No - that's what the UDM REST API returned.
Changed the replacement:
// → ,/=/,
This would create an invalid DN, so that the transformation doesn't interfere with existing objects.

univention-directory-manager-rest (9.0.16-1)
59f8bb8fecab | Bug #27816: Bug #50175: replace // in DNs with characters which cannot occurr in a DN

(In reply to Daniel Tröder from comment #4)
> But the URI in the returned resource cannot be used:
>
> $ curl -i -k -X GET -H "Accept:application/json" -u Administrator:univention
> "https://m66.uni.dtr/univention/udm/saml/serviceprovider/
> SAMLServiceProviderIdentifier=https:%/
> SAMLServiceProviderIdentifier%3Dhttps%3A%25/saml.salesforce.com%2Ccn%3Dsaml-
> serviceprovider%2Ccn%3Dunivention%2Cdc%3Duni%2Cdc%3Ddtr"

This was broken for all objects: it was "$module/$dn" + "$dn"

Fixed in:
univention-directory-manager-rest (9.0.16-2)
03829ce88790 | Bug #27816: Bug #50175: fix URI in object representation
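The encodings discussed in this thread, compared behind a slash-merging front end, as an added example (not code from this report or from UCS). `normalizing_proxy`, `make_codec` and `round_trip` are hypothetical names, the proxy is a regex stand-in for the slash merging described above, and applying the replacement before percent-encoding is an assumption.

```python
import re
from urllib.parse import quote, unquote

PREFIX = "/univention/udm/saml/serviceprovider/"  # collection path from the report


def normalizing_proxy(path):
    """Stand-in for a front end that merges runs of '/' in the request path."""
    return re.sub(r"/{2,}", "/", path)


def make_codec(sentinel=None):
    """Return (encode, decode) for a DN path segment; sentinel replaces '//'."""
    def encode(dn):
        if sentinel is not None:
            dn = dn.replace("//", sentinel)
        return quote(dn)  # default safe='/' keeps single slashes unescaped

    def decode(segment):
        dn = unquote(segment)  # in the report the web framework does this step
        return dn.replace(sentinel, "//") if sentinel is not None else dn

    return encode, decode


def round_trip(dn, codec):
    """Encode a DN into a URL path, pass it through the proxy, decode it again."""
    encode, decode = codec
    forwarded = normalizing_proxy(PREFIX + encode(dn))
    return decode(forwarded[len(PREFIX):])


PLAIN = make_codec()                 # no replacement: the original behaviour
WORD = make_codec("-slash-slash-")   # first proposal in the thread
INVALID_DN = make_codec(",/=/,")     # replacement from the last comment

# The DN from the report, and a constructed DN that contains the word sentinel
SALESFORCE = ("SAMLServiceProviderIdentifier=https://saml.salesforce.com,"
              "cn=saml-serviceprovider,cn=univention,dc=uni,dc=dtr")
COLLIDING = "cn=a-slash-slash-b,cn=univention,dc=uni,dc=dtr"

if __name__ == "__main__":
    for name, codec in (("plain", PLAIN), ("word", WORD), ("invalid-dn", INVALID_DN)):
        for dn in (SALESFORCE, COLLIDING):
            print(name, round_trip(dn, codec) == dn, codec[0](dn))
```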
UCS 4.4-2 has been released: https://docs.software-univention.de/release-notes-4.4-2-en.html https://docs.software-univention.de/release-notes-4.4-2-de.html If this error occurs again, please use "Clone This Bug".