Bug 53044 - Group membership validation should be case-insensitive
Group membership validation should be case-insensitive
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Ucsschool-lib
UCS@school 4.4
Other Linux
: P5 normal (vote)
: UCS@school 4.4 v9-errata
Assigned To: Tobias Wenzel
Daniel Tröder
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-04-09 09:46 CEST by Daniel Tröder
Modified: 2021-05-06 14:12 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.034
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Tröder univentionstaff 2021-04-09 09:46:44 CEST
The validation code in the ucsschool.lib checks the group membership for users.
It calculates the expected group name from the schools the user is a member of.
Then it checks the users group membership. It does however not do that case-insensitive.
Customer with old OUs found the problem: https://help.univention.com/t/fehler-beim-ucs-school-consistency-check/17638

All DN comparisons must be case-insensitive.
Comment 1 Tobias Wenzel univentionstaff 2021-04-09 17:25:49 CEST
I implemented a fix in

[twenzel/4.4/53044_case_insensitive_validation] ca9b7e227 Bug #53044: make validation case insensitive (part 2)
[twenzel/4.4/53044_case_insensitive_validation] 516fc5fce Bug #53044: make validation case insensitive (part 1)

with new tests. Since the consistency script and the school object validation,
which is executed when creating/modifying/listing school objects do not share
the code, this had to be modified in consistency.py & validation.py.

Remark: Since the validation of groups, roles (& schools) is case insensitive, the logging e.g. in /var/log/univention/management-console-module-schoolwizards.log will be, too.
Comment 2 Daniel Tröder univentionstaff 2021-04-12 09:06:17 CEST
Please (manually) build an environment like the customer in the above forum post has and check that there are no errors.
→ Uppercase OU name
→ Rename Domain Users $OU group to have a lower case OU-part.

The 'ucsschoolRole' attribute is case-insensitive. Please adapt the validation code to ignore the case in comparisions.
Comment 3 Tobias Wenzel univentionstaff 2021-04-12 14:14:37 CEST
As discussed, this has already been implemented and tested as requested in comment 2 → resolve
Comment 4 Tobias Wenzel univentionstaff 2021-04-29 16:20:05 CEST
QA suggestions were implemented in 

[twenzel/4.4/53044_case_insensitive_validation] 931851b95 fixup! fixup! Bug #53044: make validation case insensitive (part 1)
[twenzel/4.4/53044_case_insensitive_validation] 728f1b4a0 fixup! fixup! Bug #53044: make validation case insensitive (part 2)
[twenzel/4.4/53044_case_insensitive_validation] 7412e889e fixup! Bug #53044: make validation case insensitive (part 1)
[twenzel/4.4/53044_case_insensitive_validation] dff941cf8 fixup! Bug #53044: make validation case insensitive (part 2)


tests were passing on my machine.
Comment 5 Daniel Tröder univentionstaff 2021-05-03 16:51:18 CEST
# /usr/share/ucs-school-import/scripts/create_ou TestOU01

# univention-ldapsearch -LLL uid=studentou1 ucsschoolSchool memberOf
dn: uid=studentou1,cn=schueler,cn=users,ou=TestOU01,dc=uni,dc=dtr
ucsschoolSchool: TestOU01
memberOf: cn=Domain Users TestOU01,cn=groups,ou=TestOU01,dc=uni,dc=dtr
memberOf: cn=TestOU01-Klasse1A,cn=klassen,cn=schueler,cn=groups,ou=TestOU01,dc=uni,dc=dtr
memberOf: cn=schueler-TestOU01,cn=groups,ou=TestOU01,dc=uni,dc=dtr

# rename groups

# univention-ldapsearch -LLL uid=studentou1 ucsschoolSchool memberOf
dn: uid=studentou1,cn=schueler,cn=users,ou=TestOU01,dc=uni,dc=dtr
ucsschoolSchool: TestOU01
memberOf: cn=Domain Users testou01,cn=groups,ou=TestOU01,dc=uni,dc=dtr
memberOf: cn=testou01-klasse1a,cn=klassen,cn=schueler,cn=groups,ou=TestOU01,dc=uni,dc=dtr
memberOf: cn=schueler-testou01,cn=groups,ou=TestOU01,dc=uni,dc=dtr


import logging
import univention.admin.uldap
from ucsschool.lib.models.users import Student
from ucsschool.lib.models.validator import validate

logging.basicConfig(level=logging.DEBUG)
logger = logging.getLogger()

lo, po = univention.admin.uldap.getAdminConnection()
user = Student.from_dn("uid=studentou1,cn=schueler,cn=users,ou=TestOU01,dc=uni,dc=dtr", "TestOU01", lo)
user_udm = user.get_udm_object(lo)

print(user_udm["school"])
['TestOU01']  # <== correct OU

validate(user_udm, logger)
# no error

user_udm["school"] = ["DEMOSCHOOL"]  # <== wrong OU
validate(user_udm, logger)
# lots of error

user_udm["school"] = ["testou01"]  # <== lower case OU
validate(user_udm, logger)
# no error

----------------------------

# /usr/share/ucs-school-umc-diagnostic/scripts/ucs-school-object-consistency --user_dn uid=studentou1,cn=schueler,cn=users,ou=TestOU01,dc=uni,dc=dtr

# no error (expect unrelated ones, see bug #53211)
Comment 6 Daniel Tröder univentionstaff 2021-05-03 16:51:52 CEST
Please squash, merge, build, advisory.
Comment 7 Tobias Wenzel univentionstaff 2021-05-04 10:18:47 CEST
squashed, merged & build in

[4.4] 27781a43a Bug #53044: update advisory
[4.4] 348be00bc Bug #53044: add changelog & advisory
[4.4] 4df3b61e7 Bug #53044: make validation case insensitive


Package: ucs-school-lib
Version: 12.2.24A~4.4.0.202105041013
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Package: ucs-test-ucsschool
Version: 6.0.219A~4.4.0.202105041015
Branch: ucs_4.4-0
Scope: ucs-school-4.4
Comment 8 Daniel Tröder univentionstaff 2021-05-05 08:28:19 CEST
OK: merge and build
OK: tests succeed on single- and multi-master & replication node
(Small improvement: [4.4 addca13af] Bug #53055: fix and improve test case id output)
OK: advisory
Comment 9 Tobias Wenzel univentionstaff 2021-05-06 14:12:04 CEST
Errata updates for UCS@school 4.4 v9 have been released.

https://docs.software-univention.de/changelog-ucsschool-4.4v9-de.html

If this error occurs again, please clone this bug.