Univention Bugzilla – Bug 51629
40_mail/25_imap_acls_correctly_respected fails in UCS 5.0
Last modified: 2021-05-25 16:01:48 CEST
40_mail/25_imap_acls_correctly_respected fails in UCS 5.0:

    Logging in with username=u'wr5lgz7s1s@AutoTest091.local' and password='univention'
    0: Mailbox = Ham, nsdl0g93kr@AutoTest091.local -> l
    Current = {'Ham': {'wr5lgz7s1s@autotest091.local': 'lrwstipekxacd', 'nsdl0g93kr@AutoTest091.local': 'l'}}
    0: Mailbox = Spam, nsdl0g93kr@AutoTest091.local -> l
    Current = {'Spam': {'wr5lgz7s1s@autotest091.local': 'lrwstipekxacd', 'nsdl0g93kr@AutoTest091.local': 'l'}}
    0: Mailbox = INBOX, nsdl0g93kr@AutoTest091.local -> l
    Current = {'INBOX': {'wr5lgz7s1s@autotest091.local': 'lrwstipekxacd', 'nsdl0g93kr@AutoTest091.local': 'l'}}
    0: Mailbox = shared/b4r4d161ft@autotest091.local, nsdl0g93kr@AutoTest091.local -> l
    Current = {'shared/b4r4d161ft@autotest091.local': {'#anyone': 'akxeilprwtscd'}}
    Unsetting mail/dovecot/mailbox/delete
    Restarting dovecot (via systemctl): dovecot.service.
    Traceback (most recent call last):
      File "25_imap_acls_correctly_respected", line 67, in <module>
        main()
      File "25_imap_acls_correctly_respected", line 60, in main
        imap.check_acls({mailbox: default_shared_permissions})
      File "/usr/share/ucs-test/40_mail/essential/mailclient.py", line 147, in check_acls
        set2 = set(current.get(mailbox).get(who))
    TypeError: 'NoneType' object is not iterable

Might have to do with the '#' in '#anyone'. Didn't debug further.
commit 699c4c5eef202d056b0652956e1367a283b1e7e2
Author: Florian Best <best@univention.de>
Date:   Thu Feb 4 15:17:40 2021 +0100

    Bug #31771: fix PEP8 styling issues

commit c0be6eae1a0e8b01fd8977fc3ebef67aac3c6b5c
Author: Jan Luttermann <luttermann@univention.de>
Date:   Thu Feb 4 09:57:11 2021 +0100

    fixup! Bug #52241: fixed failing mailing tests

commit bbff89a6e19ce69ba94cf5e1ccf5634313ddec6f
Author: Jan Luttermann <luttermann@univention.de>
Date:   Tue Feb 2 14:59:08 2021 +0100

    fixup! Bug #52241: fixed failing mailing tests

commit ba614c4b991a42e97779ba9109447d1ecaa19ef7
Author: Jan Luttermann <luttermann@univention.de>
Date:   Tue Feb 2 14:03:12 2021 +0100

    Bug #52241: fixed failing mailing tests
fixed by commit: 849d73f777a4b72bed0830cc8d80bbfb6a6d7453
I'm still confused about the '#'.

    >>> M.getacl('shared/fuwd0s1rsb@nstx23.ucs')
    ('OK', ['shared/fuwd0s1rsb@nstx23.ucs #anyone akxeilprwtscd'])
    >>>

And doveadm returns a similar story without '#':

    root@primary23:~# doveadm acl get -A shared/fuwd0s1rsb@nstx23.ucs
    Username               ID      Global  Rights
    wkqn42exdm@nstx23.ucs  anyone  global  admin create delete expunge insert lookup post read write write-deleted write-seen
    wbth8h1mgh@nstx23.ucs  anyone  global  admin create delete expunge insert lookup post read write write-deleted write-seen
    grzdok7nmr@nstx23.ucs  anyone  global  admin create delete expunge insert lookup post read write write-deleted write-seen
    openssl s_client -host 10.200.18.23 -port 993
    [...]
    read R BLOCK
    * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
    a001 CAPABILITY
    * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN
    a001 OK Pre-login capabilities listed, post-login capabilities have more.
    a002 login wbth8h1mgh@nstx23.ucs univention
    * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY LITERAL+ NOTIFY SPECIAL-USE QUOTA ACL RIGHTS=texk
    a002 OK Logged in
    a003 GETACL shared/fuwd0s1rsb@nstx23.ucs
    * ACL shared/fuwd0s1rsb@nstx23.ucs #anyone akxeilprwtscd
    a003 OK Getacl completed (0.004 + 0.000 + 0.004 secs).

dovecot now returns "#anyone" which might confuse our existing code.
Dovecot uses some prefix characters to indicate the origin of the ACL (e.g. '#') or to subtract rights from an existing ACL ('-').
I think the fix for the ucs-test script is okay for now. An additional comment has been added to mailclient.py:

    [5.0-0] 8bc1029ef7 Bug #51629: added new comment

I found no place in UCS where we read out the ACLs via IMAP command "GETACL" resp. imaplib.getacl('foldername').

From dovecot-2.3.4.1/src/plugins/imap-acl/imap-acl-plugin.c:

    #define IMAP_ACL_ANYONE "anyone"
    #define IMAP_ACL_AUTHENTICATED "authenticated"
    #define IMAP_ACL_OWNER "owner"
    #define IMAP_ACL_GROUP_PREFIX "$"
    #define IMAP_ACL_GROUP_OVERRIDE_PREFIX "!$"
    #define IMAP_ACL_GLOBAL_PREFIX "#"

    imap_acl_write_right(string_t *dest, string_t *tmp,
                         const struct acl_rights *right, bool neg)
    {
        const char *const *rights = neg ? right->neg_rights : right->rights;

        str_truncate(tmp, 0);
        if (neg) str_append_c(tmp,'-');
        if (right->global)
            str_append(tmp, IMAP_ACL_GLOBAL_PREFIX);
        switch (right->id_type) {
        case ACL_ID_ANYONE:
            str_append(tmp, IMAP_ACL_ANYONE);
            break;
        case ACL_ID_AUTHENTICATED:
            str_append(tmp, IMAP_ACL_AUTHENTICATED);
            break;
        case ACL_ID_OWNER:
            str_append(tmp, IMAP_ACL_OWNER);
            break;
        case ACL_ID_USER:
            str_append(tmp, right->identifier);
            break;
        case ACL_ID_GROUP:
            str_append(tmp, IMAP_ACL_GROUP_PREFIX);
            str_append(tmp, right->identifier);
            break;
        case ACL_ID_GROUP_OVERRIDE:
            str_append(tmp, IMAP_ACL_GROUP_OVERRIDE_PREFIX);
            str_append(tmp, right->identifier);
            break;
        case ACL_ID_TYPE_COUNT:
            i_unreached();
        }

        imap_append_astring(dest, str_c(tmp));
        str_append_c(dest, ' ');
        imap_acl_write_rights_list(dest, rights);
    }
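
Added example (not part of the original comments, and not the ucs-test or Dovecot code): a Python parser for imaplib getacl() data items that undoes the '-', '#', '$' and '!$' prefixes in the order imap_acl_write_right() writes them, so a lookup for "anyone" finds the "#anyone" entry and an absent identifier yields an empty set instead of None. The names AclId, parse_identifier, parse_getacl and granted are hypothetical; it assumes identifiers arrive as atoms or simple quoted strings, and granted() is a comparison helper for tests, not Dovecot's ACL evaluation.

```python
import shlex
from typing import NamedTuple

SPECIAL_IDS = ("anyone", "authenticated", "owner")

class AclId(NamedTuple):
    kind: str         # anyone, authenticated, owner, user, group, group-override
    name: str         # identifier for user/group kinds, "" for the special ids
    is_global: bool   # entry was written with the "#" prefix
    negative: bool    # entry was written with the "-" prefix

def parse_identifier(raw):
    """Undo the prefixes in the order imap_acl_write_right() emits them."""
    negative = raw.startswith("-")
    raw = raw[1:] if negative else raw
    is_global = raw.startswith("#")
    raw = raw[1:] if is_global else raw
    if raw.startswith("!$"):               # must be tested before plain "$"
        return AclId("group-override", raw[2:], is_global, negative)
    if raw.startswith("$"):
        return AclId("group", raw[1:], is_global, negative)
    if raw in SPECIAL_IDS:
        return AclId(raw, "", is_global, negative)
    return AclId("user", raw, is_global, negative)

def parse_getacl(item):
    """Parse one getacl() data item: 'mailbox id rights [id rights ...]'."""
    if isinstance(item, bytes):            # Python 3 imaplib returns bytes
        item = item.decode("utf-8")
    mailbox, *pairs = shlex.split(item)    # '#' is not a comment char here
    if len(pairs) % 2:
        raise ValueError("identifier without rights in %r" % item)
    acl = {parse_identifier(i): set(r) for i, r in zip(pairs[::2], pairs[1::2])}
    return mailbox, acl

def granted(acl, kind, name=""):
    """Union of rights from positive entries for kind/name, global or not.
    Returns an empty set for an absent identifier instead of None."""
    found = set()
    for ident, rights in acl.items():
        if (ident.kind, ident.name) == (kind, name) and not ident.negative:
            found |= rights
    return found

# Sample input: the GETACL data item shown earlier in this bug.
SAMPLE = "shared/fuwd0s1rsb@nstx23.ucs #anyone akxeilprwtscd"

if __name__ == "__main__":
    mailbox, acl = parse_getacl(SAMPLE)
    print(mailbox, sorted(granted(acl, "anyone")))
```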
UCS 5.0 has been released:
 https://docs.software-univention.de/release-notes-5.0-0-en.html
 https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".