Bug 51921 - [O365] groups listener doesn't support groups with more than 100 members
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Office 365
UCS 4.4
Other Linux
P5 normal
Assigned To: Felix Botner
Erik Damrose
https://git.knut.univention.de/univen...
Reported: 2020-08-27 19:18 CEST by Arvid Requate
Modified: 2021-01-11 12:50 CET
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020081821000232, 2020102821000647
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Description Arvid Requate univentionstaff 2020-08-27 19:18:20 CEST
Ticket #2020081821000232 showed this traceback:

============================================================================
17.08.20 17:03:28.912  LISTENER    ( ERROR   ) : o365(D): azure_handler.add_objects_to_azure_group:476  Adding u'1fcddd66-7f89-446c-9945-d0365af5cab8'...
17.08.20 17:03:28.912  LISTENER    ( ERROR   ) : o365(D): azure_auth.get_access_token:475  Token valid until 2020-08-17T18:02:17.
17.08.20 17:03:28.913  LISTENER    ( ERROR   ) : o365(D): azure_handler.call_api:195  GET https://graph.windows.net/21bf6b10-84fc-4f9e-b020-5dc9ceed8103/groups/4001dbb1-b1a0-4e48-afed-e885203fd648/$links/members?api-version=1.6 data: None
17.08.20 17:03:29.174  LISTENER    ( ERROR   ) : o365(I): azure_handler.call_api:226  status: 200 (OK) (GET https://graph.windows.net/21bf6b10-84fc-4f9e-b020-5dc9ceed8103/groups/4001dbb1-b1a0-4e48-afed-e885203fd648/$links/members?api-version=1.6)
17.08.20 17:03:29.175  LISTENER    ( ERROR   ) : o365(D): azure_auth.get_access_token:475  Token valid until 2020-08-17T18:02:17.
17.08.20 17:03:29.175  LISTENER    ( ERROR   ) : o365(D): azure_handler.call_api:195  POST https://graph.windows.net/21bf6b10-84fc-4f9e-b020-5dc9ceed8103/groups/4001dbb1-b1a0-4e48-afed-e885203fd648/$links/members?api-version=1.6 data: {'url': 'https://graph.windows.net/21bf6b10-84fc-4f9e-b020-5dc9ceed8103/directoryObjects/1fcddd66-7f89-446c-9945-d0365af5cab8'}
17.08.20 17:03:29.294  LISTENER    ( ERROR   ) : o365(I): azure_handler.call_api:226  status: 400 (FAIL) Code: Request_BadRequest (POST https://graph.windows.net/21bf6b10-84fc-4f9e-b020-5dc9ceed8103/groups/4001dbb1-b1a0-4e48-afed-e885203fd648/$links/members?api-version=1.6)
17.08.20 17:03:29.295  LISTENER    ( ERROR   ) : o365(E): azure_handler.__init__:149  One or more added object references already exist for the following modified properties: 'members'.
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/office365-group.py", line 173, in handler
    azure_group = ol.modify_group(old, new)
  File "/usr/lib/pymodules/python2.7/univention/office365/listener.py", line 482, in modify_group
    azure_group = self.create_group_from_new(new)
  File "/usr/lib/pymodules/python2.7/univention/office365/listener.py", line 342, in create_group_from_new
    return self.create_group(name, desc, self.dn)
  File "/usr/lib/pymodules/python2.7/univention/office365/listener.py", line 336, in create_group
    self.add_ldap_members_to_azure_group(group_dn, new_group["objectId"])
  File "/usr/lib/pymodules/python2.7/univention/office365/listener.py", line 661, in add_ldap_members_to_azure_group
    self.ah.add_objects_to_azure_group(object_id, users_and_groups_to_add)
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 489, in add_objects_to_azure_group
    self.call_api("POST", url, data=objs)
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 240, in call_api
    raise ApiError(response, adconnection_alias=self.adconnection_alias)
univention.office365.azure_handler.ApiError: One or more added object references already exist for the following modified properties: 'members'.
17.08.20 17:03:29.299  LISTENER    ( WARN    ) : handler: office365-group (failed)
============================================================================

This is because the get_groups_direct_members function only receives 100 group members from the Azure Graph API.

In the Git branch linked to in the URL field of this bug I implemented https://docs.microsoft.com/en-us/graph/paging , which fixed the issue. My patch needs a bit of cleanup and commit splitting, it's a quick hack.
Comment 2 Erik Damrose univentionstaff 2020-11-04 15:34:01 CET
When this patch is applied, adding new AD connections via the wizard does not work anymore; the following traceback may occur:

28.10.20 14:50:26.429  MAIN        ( ERROR   ) : Interner Server-Fehler in "office365/state".
Request: office365/state

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 359, in __error_handling
    six.reraise(etype, exc, etraceback)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 262, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 321, in _response
    result = _multi_response(self, request)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 181, in _response
    return function(self, request)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 443, in _response
    return list(function(self, iterator, *nones))
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 289, in _fake_func
    yield function(self, *args)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/office365/__init__.py", line 214, in state
    users = ah.list_users()
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 282, in list_users
    return self._list_objects(object_type="user", object_id=objectid, ofilter=ofilter)
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 279, in _list_objects
    return self.call_api("GET", url)
  File "/usr/lib/pymodules/python2.7/univention/office365/azure_handler.py", line 206, in call_api
    response = requests_func(**args)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 474, in request
    prep = self.prepare_request(req)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 407, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 302, in prepare
    self.prepare_url(url, params)
  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 366, in prepare_url
    raise MissingSchema(error)

MissingSchema: Invalid URL "directoryObjects/$/Microsoft.DirectoryServices.User?$skiptoken=X'<long-token>'&api-version=1.6": No schema supplied. Perhaps you meant http://directoryObjects/$/Microsoft.DirectoryServices.User<............>
Comment 3 Felix Botner univentionstaff 2020-11-09 15:00:49 CET
* added Arvid's patch for paging (small fix to correct the URL)
* moved the self.get_groups_direct_members(group_id) out of the object_ids loop in add_objects_to_azure_group
* check self.get_groups_direct_members only if more than one new member in add_objects_to_azure_group
* ignore "One or more added object references already exist for the following modified properties: 'members'." error in add_objects_to_azure_group

* added 92_office365/303_add_user_to_group_twice
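
The paging behaviour discussed in this report, as an added Python example that is not part of the bug report or of univention-office365: it follows `odata.nextLink` across pages, resolves the relative link against the tenant URL (the cause of the `MissingSchema` traceback in Comment 2), and queries group membership once before deciding which IDs still need adding. The tenant ID is a placeholder, the pages served by `make_fake_fetch` are constructed so the block runs offline, and all function names are hypothetical.

```python
# Added example: names (fetch, resolve_next_link, make_fake_fetch) are hypothetical,
# not the univention-office365 code. Sample pages are constructed.
TENANT_URL = "https://graph.windows.net/00000000-0000-0000-0000-000000000000"  # placeholder tenant
API_VERSION = "api-version=1.6"


def resolve_next_link(next_link, tenant_url=TENANT_URL):
    """Turn a relative odata.nextLink into an absolute, versioned URL."""
    if not next_link.startswith("https://"):
        next_link = tenant_url.rstrip("/") + "/" + next_link.lstrip("/")
    if "api-version=" not in next_link:
        next_link += ("&" if "?" in next_link else "?") + API_VERSION
    return next_link


def list_all_members(fetch, group_id, max_pages=1000):
    """Collect member object IDs across every page, not only the first 100."""
    url = "%s/groups/%s/$links/members?%s" % (TENANT_URL, group_id, API_VERSION)
    members, seen_urls = set(), set()
    while url:
        if url in seen_urls or len(seen_urls) >= max_pages:
            raise RuntimeError("paging loop or page limit hit at %s" % url)
        seen_urls.add(url)
        page = fetch(url)
        for link in page.get("value", []):
            # each entry is {"url": ".../directoryObjects/<id>/<type>"}
            members.add(link["url"].split("/directoryObjects/")[1].split("/")[0])
        next_link = page.get("odata.nextLink")
        url = resolve_next_link(next_link) if next_link else None
    return members


def members_to_add(fetch, group_id, wanted_ids):
    """Query membership once, then return only IDs that are really missing."""
    existing = list_all_members(fetch, group_id)
    return [oid for oid in wanted_ids if oid not in existing]


def make_fake_fetch(total, page_size=100):
    """Constructed stand-in for the HTTP call: serves `total` members in pages."""
    def fetch(url):
        assert url.startswith("https://"), "relative URL would raise MissingSchema"
        start = int(url.split("$skiptoken=")[1].split("&")[0]) if "$skiptoken=" in url else 0
        ids = ["user-%04d" % i for i in range(start, min(start + page_size, total))]
        page = {"value": [{"url": "%s/directoryObjects/%s/Microsoft.DirectoryServices.User" % (TENANT_URL, i)} for i in ids]}
        if start + page_size < total:
            page["odata.nextLink"] = "directoryObjects/$/Microsoft.DirectoryServices.User?$skiptoken=%d" % (start + page_size)
        return page
    return fetch
```

With only the first page read, `user-0150` would look absent from a 250-member group and the subsequent add would fail with the "already exist" error shown in the description.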
Comment 4 Erik Damrose univentionstaff 2020-11-15 23:04:25 CET
OK added paging support
OK changes to group membership checks, ignore specific error when adding users to groups
OK 303_add_user_to_group_twice + 302_check_big_group

univention-office365 2.0.2-75

Verified
Comment 5 Erik Damrose univentionstaff 2021-01-11 12:50:34 CET
Released with App Version Univention Microsoft 365 Connector v3.3