Bug 52832 – Traceback during password change via UMC

Bug 52832 - Traceback during password change via UMC


Summary:	Traceback during password change via UMC

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	UDM (Generic)
Version:	UCS 4.4
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.4-7-errata
Assigned To:	Felix Botner
QA Contact:	Julia Bremer

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2021-02-23 09:54 CET by Felix Botner
Modified:	2021-02-24 16:52 CET (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Botner

2021-02-23 09:54:11 CET

Set password/hashing/bcrypt=true
create a user
Unset password/hashing/bcrypt

Goto UMC as Administrator and change password for user:

Request: udm/put (users/user)

  File "/usr/lib/python2.7/dist-packages/notifier/threads.py", line 80, in _run
    result = self._function()
  File "/usr/lib/python2.7/dist-packages/notifier/__init__.py", line 104, in __call__
    return self._function(*tmp, **self._kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/udm/__init__.py", line 440, in _thread
    module.modify(properties)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/udm/udm_ldap.py", line 645, in modify
    obj.modify()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1410, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 650, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1324, in _modify
    ml = self._ldap_modlist()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1703, in _ldap_modlist
    ml = self._check_password_history(ml, pwhistoryPolicy)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1774, in _check_password_history
    if univention.admin.password.password_already_used(self['password'], pwhistory):
  File "/usr/lib/python2.7/dist-packages/univention/admin/password.py", line 302, in password_already_used
    if bcrypt.checkpw(password, password_hash):
  File "/usr/lib/python2.7/dist-packages/bcrypt/__init__.py", line 100, in checkpw
    raise TypeError("Unicode-objects must be encoded before checking")
TypeError: Unicode-objects must be encoded before checking

Comment 1 Florian Best

2021-02-23 10:02:16 CET

This probably doesn't happen with UCS 5.0, right?

Comment 2 Felix Botner

2021-02-23 10:05:04 CET

password is <type 'unicode'> (UMC)

Comment 3 Felix Botner

2021-02-23 10:08:53 CET

(In reply to Florian Best from comment #1)
> This probably doesn't happen with UCS 5.0, right?

i guess so, because we use

if bcrypt.checkpw(password.encode('utf-8'), password_hash.encode('ASCII')):

in UCS 5.0

should i just change 4.4-7 in that way?

or maybe

if isinstance(password, six.text_type):
 password = password.encode('utf-8')
...

Comment 4 Florian Best

2021-02-23 10:43:13 CET

(In reply to Felix Botner from comment #3)

Both variants are okay.

A direct .encode('UTF-8') would do .decode('UTF-8').encode('UTF-8') if the input is bytes. In UCS 5 we ensure this can't happen.

The check for unicode type is more correct in Py2/UCS 4.4 as both types are possible there.

Comment 5 Felix Botner

2021-02-23 10:56:58 CET

(In reply to Florian Best from comment #4)
> (In reply to Felix Botner from comment #3)
> 
> Both variants are okay.
> 
> A direct .encode('UTF-8') would do .decode('UTF-8').encode('UTF-8') if the
> input is bytes. In UCS 5 we ensure this can't happen.
> 
> The check for unicode type is more correct in Py2/UCS 4.4 as both types are
> possible there.

thanks, than i got with the Py2/UCS 4.4 variant

Comment 6 Felix Botner

2021-02-23 12:02:48 CET

a8d35dcf71ea1ddee0c87535ca7900f2783aa37e - univention-directory-manager-modules
encode password (utf8) if password is unicode 


2931616d66c9f053385216cfacd8b4d3e91db21d - yaml

Comment 7 Julia Bremer

2021-02-23 14:40:54 CET

Password change works as Administrator over UMC: OK
Password change works at login: OK
Password change works with udm: OK
Needs no merge to UCS5: OK
Ldap auth works: OK
umc-command auth works: OK
yaml: OK

Verified

Comment 8 Erik Damrose

2021-02-24 16:52:10 CET

<https://errata.software-univention.de/#/?erratum=4.4x901>