Bug 54617 - TypeError: argument should be a bytes-like object or ASCII string, not 'list'
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-1-errata
Assigned To: Carlos García-Mauriño
QA Contact: Peter Stoll
URL: https://git.knut.univention.de/univen...
Reported: 2022-03-30 11:03 CEST by Maximilian Janßen
Modified: 2022-06-08 16:50 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086
Ticket number: 2022030221001267
Bug group (optional): bitesize, External feedback
Description Maximilian Janßen univentionstaff 2022-03-30 11:03:07 CEST
Version: 5.0-1 errata174

Remark: This always occurs when I attempt to edit a user from the portal

Error: 
Internal server error during "udm/get (users/user)".
Request: udm/get (users/user)

```
Traceback (most recent call last):
  File "%PY3%/notifier/threads.py", line 80, in _run
    result = self._function()
  File "%PY3%/notifier/__init__.py", line 105, in __call__
    return self._function(*tmp, **self._kwargs)
  File "%PY3%/univention/management/console/modules/udm/__init__.py", line 521, in _get
    obj = module.get(ldap_dn)
  File "%PY3%/univention/management/console/modules/udm/udm_ldap.py", line 720, in get
    obj.open()
  File "%PY3%/univention/admin/handlers/users/user.py", line 1349, in open
    self.reload_certificate()
  File "%PY3%/univention/admin/handlers/users/user.py", line 1511, in reload_certificate
    values = load_certificate(certificate)
  File "%PY3%/univention/admin/handlers/users/user.py", line 980, in load_certificate
    certificate = base64.b64decode(user_certificate)
  File "/usr/lib/python3.7/base64.py", line 80, in b64decode
    s = _bytes_from_decode_data(s)
  File "/usr/lib/python3.7/base64.py", line 46, in _bytes_from_decode_data
    "string, not %r" % s.__class__.__name__) from None
TypeError: argument should be a bytes-like object or ASCII string, not 'list'
```

Role: domaincontroller_master
Comment 1 Carlos García-Mauriño univentionstaff 2022-04-06 06:57:56 CEST
The problem happens when a user has several `userCertificate` values. It can be replicated by creating a user with a certificate and then adding another one manually via LDAP (since neither the web interface nor UDM allows it). It can be done with the following commands:

```bash
udm users/user create --set username=test2 --set lastname=name1 --set password=univention --set userCertificate="$(openssl x509 -in /etc/univention/ssl/"$(hostname -f)"/cert.pem | head -n -1 | tail -n +2)"

openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -outform der -out /tmp/1.der
```

Then add the following content to `1.ldif`:

```ldif
dn: uid=test2,dc=mydomain,dc=intranet
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file:///tmp/1.der
```

and then execute:

```bash
ldapmodify -D cn=admin,dc=mydomain,dc=intranet -y /etc/ldap.secret -f 1.ldif
```

Once this is done, try to open the user for editing in the web interface and the traceback occurs (which can be found in `/var/log/univention/management-console-web-server.log`).

The easy solution would be to just consider the first certificate if there are multiple. Another option would be to generate parameters such as `certificateDateNotBefore` for the first certificate and just leave the rest as they are. Fully supporting multiple certificates might require renaming the parameters obtained from each to avoid collisions.
Comment 2 Carlos García-Mauriño univentionstaff 2022-04-13 12:36:49 CEST
`userCertificate` was expected to be a single value but that's not always the case. A check was introduced in the code to get the first element of the list if there are multiple `userCertificate`s. The replication steps are in the previous comment.

Commits:

univention-directory-manager-modules.yaml
e04cccb5e710 | Bug #54617: update YAML for univention-directory-manager-modules
271d3b4c640a | Bug #54617: get first userCertificate if multiple

univention-directory-manager-modules (15.0.11-42)
271d3b4c640a | Bug #54617: get first userCertificate if multiple

univention-directory-manager-modules (15.0.11-40)
05ab9be4107b | Revert "Bug #54617: get first userCertificate if multiple"
b0cefee9d77a | Bug #54617: get first userCertificate if multiple
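
Added example, not part of the original comments and not the code from the commits above: a sketch of the "use the first certificate" handling discussed in Comments 1 and 2, next to the unguarded decode from the traceback. `first_certificate` and `unguarded_decode` are hypothetical names, and the sample values are constructed stand-ins, not real certificates. The helper also returns how many extra values were skipped, so a caller can log that the displayed certificate details cover only one of the stored values.

```python
import base64

# Constructed sample values: tiny DER SEQUENCEs standing in for certificates
# (not real X.509 data), base64-encoded like the value in the traceback.
CERT_A = base64.b64encode(b"\x30\x03\x02\x01\x01").decode("ascii")
CERT_B = base64.b64encode(b"\x30\x03\x02\x01\x02").decode("ascii")


def unguarded_decode(value):
    """Same call as in the traceback: decode whatever was passed in."""
    return base64.b64decode(value)


def first_certificate(value):
    """Hypothetical helper: return (der_bytes, ignored_count) or (None, 0).

    Accepts one base64 str/bytes value or a list of them (multi-valued
    userCertificate) and decodes only the first non-empty value.
    """
    if isinstance(value, (list, tuple)):
        values = [v for v in value if v]
    elif value:
        values = [value]
    else:
        values = []
    if not values:
        return None, 0
    first = values[0]
    try:
        if isinstance(first, str):
            first = first.encode("ascii")
        # PEM bodies are line-wrapped; drop whitespace, then decode strictly.
        der = base64.b64decode(b"".join(first.split()), validate=True)
    except (ValueError, AttributeError, TypeError) as exc:
        raise ValueError("userCertificate is not valid base64") from exc
    # A DER-encoded certificate starts with a SEQUENCE tag (0x30).
    if not der.startswith(b"\x30"):
        raise ValueError("userCertificate is not a DER SEQUENCE")
    return der, len(values) - 1


if __name__ == "__main__":
    try:
        unguarded_decode([CERT_A, CERT_B])
    except TypeError as exc:
        print("unguarded:", exc)
    der, ignored = first_certificate([CERT_A, CERT_B])
    print("guarded:", der.hex(), "ignored values:", ignored)
```
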
Comment 3 Peter Stoll univentionstaff 2022-06-01 13:17:45 CEST
YAML OK
Issue reproduced and successfully retested!