Bug 51261 - Nested groups don't work in Self Service white- and blacklists
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Self Service
Version: UCS 4.4
Hardware: Other Linux
Priority: P5 normal
Target Milestone: UCS 4.4-4-errata
Assigned To: Dirk Wiesenthal
QA Contact: Johannes Keiser
Depends on:
Blocks:
Reported: 2020-05-10 10:22 CEST by Valentin Heidelberger
Modified: 2020-07-01 18:15 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.034
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Valentin Heidelberger univentionstaff 2020-05-10 10:22:44 CEST
The self service internally has a function to resolve nested groups using the group memberships from the user object. It doesn't work or isn't used for the white- and blacklists though.
In fact I thought that nested groups weren't resolved at all for some conceptual reason in the self service but since there is a function to do that in there I doubt that now. Also we have ucs-school-selfservice-support to work around the missing function in school domains (which does not work in use cases with more than one server used for UMC, see bug 50761).


Here is my test setup:

- testgroup01 is a member of testgroup02
- user01 is a member of testgroup01, *should be allowed*, *but isn't*

ucr set umc/self-service/passwordreset/whitelist/groups=testgroup02

log says:
is_blacklisted(user01): neither black nor white listed
- testgroup01 is a member of testgroup02
- user01 is a member of testgroup01, *should not be allowed*, because blacklists have priority over whitelists according to the variable description, but *is allowed*

ucr set umc/self-service/passwordreset/whitelist/groups=testgroup01
ucr set umc/self-service/passwordreset/blacklist/groups="Administrators,Domain Admins,testgroup02"

log says:
-> is_blacklisted(user01): match in whitelisted groups
Comment 1 Dirk Wiesenthal univentionstaff 2020-06-25 22:29:11 CEST
Actually, the nested group functionality was used. Unfortunately, it was buggy: The groups of the user were processed:

The function used the UDM property "nestedGroup", which finds groups that are nested in this very group. Instead it should have used "memberOf", which finds groups where this very group is a member of.

Unit tests were added.

univention-self-service 4.0.3-34A~4.4.0.202006252223
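The direction mix-up described in the comment above, as an added example that is not univention-self-service code: a transitive group walk over a constructed directory, run once following "nestedGroup" (downwards, the buggy direction) and once following "memberOf" (upwards), feeding a white-/blacklist check in which the blacklist takes priority. The group and user names and the GROUPS structure are constructed for this example.

```python
# Added example (not univention-self-service code): transitive group
# resolution in both directions over a constructed directory, and a
# whitelist/blacklist check in which the blacklist takes priority.

# Constructed sample directory: each group lists the groups it is a member
# of ("memberOf") and the groups nested inside it ("nestedGroup"), mirroring
# the two UDM properties named in the comment above.
GROUPS = {
    "testgroup01": {"memberOf": ["testgroup02"], "nestedGroup": []},
    "testgroup02": {"memberOf": [], "nestedGroup": ["testgroup01"]},
    "Domain Admins": {"memberOf": [], "nestedGroup": []},
}


def resolve_groups(direct_groups, prop):
    """Return the transitive closure of direct_groups following `prop`.

    prop="memberOf"    walks upwards to every group the user is indirectly in.
    prop="nestedGroup" walks downwards (the buggy direction): it only finds
                       groups contained in the user's groups, never parents.
    """
    seen = set()
    todo = list(direct_groups)
    while todo:  # iterative walk; the visited set also stops membership loops
        group = todo.pop()
        if group in seen:
            continue
        seen.add(group)
        todo.extend(GROUPS.get(group, {}).get(prop, []))
    return seen


def is_blacklisted(user_groups, whitelist, blacklist, prop="memberOf"):
    """Blacklist wins over whitelist; otherwise whitelist; otherwise neither."""
    groups = resolve_groups(user_groups, prop)
    if groups & set(blacklist):
        return "match in blacklisted groups"
    if groups & set(whitelist):
        return "match in whitelisted groups"
    return "neither black nor white listed"


# user01 is a direct member of testgroup01 only (constructed, as in the report)
USER01 = ["testgroup01"]
```

With prop="nestedGroup" both log lines from the report are reproduced (whitelist testgroup02 not found; blacklist testgroup02 not found, so the direct whitelist match on testgroup01 wins); with prop="memberOf" the parent group is found in both scenarios.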
Comment 2 Johannes Keiser univentionstaff 2020-06-29 13:18:12 CEST
OK: nested groups are evaluated
OK: test
OK: yaml
-> verified
Comment 3 Erik Damrose univentionstaff 2020-07-01 18:15:19 CEST
<http://errata.software-univention.de/ucs/4.4/644.html>