Univention Bugzilla – Bug 54802
search user by expiration date does not find the user
Last modified: 2023-06-12 16:16:29 CEST
Kelvin GET endpoint `/useres/` allows to search users filtering by their attributes. While filtering by other attributes work, filtering by `expiration_date` does not find users with the searched value. This happens at least in versions 1.5.1, 1.5.2 and 1.5.5. Tested uding docker.software-univention.de/ucsschool-kelvin-rest-api:1.4.3 and docker.software-univention.de/ucs-master-amd64-joined-ucsschool-udm-rest-api-only:stable-4.4-8. To replicate create the following user: ``` { "dn": "uid=kimcorey,cn=lehrer,cn=users,ou=DEMOSCHOOL,dc=ucs-test,dc=intranet", "url": "https://<fqdn>/ucsschool/kelvin/v1/users/kimcorey", "ucsschool_roles": [ "teacher:school:DEMOSCHOOL" ], "udm_properties": { "title": null }, "name": "kimcorey", "school": "https://<fqdn>/ucsschool/kelvin/v1/schools/DEMOSCHOOL", "firstname": "HoJohnson", "lastname": "Ho", "birthday": "2010-02-24", "disabled": false, "email": null, "expiration_date": "2030-03-10", "record_uid": "kimcorey", "roles": [ "https://<fqdn>/ucsschool/kelvin/v1/roles/teacher" ], "schools": [ "https://<fqdn>/ucsschool/kelvin/v1/schools/DEMOSCHOOL" ], "school_classes": {}, "source_uid": "TESTID" } ``` And then run: ``` curl -X 'GET' \ 'http://<fqdn>/ucsschool/kelvin/v1/users/?name=kimcorey&expiration_date=2030-03-10' \ -H 'accept: application/json' \ -H 'Authorization: Bearer ...' ``` Which will return `[]`. While filtering by another date date attribute (birthday) works: ``` curl -X 'GET' \ 'http://<fqdn>/ucsschool/kelvin/v1/users/?name=kimcorey&birthday=2010-02-24' \ -H 'accept: application/json' \ -H 'Authorization: Bearer ...' ``` Returns a list with one element (the created user). I stumbled upon this bug while running the tests of `kelvin-rest-api-client` (a8257c34) and seeing that `tests/test_user.py::test_search_exact[expiration_date]` fails because no objects are found. Nevertheless, the TravisCI pipeline in GitHub passes (uses `ucs5.0-1e175-ucsschool5.0v1-kelvin151`): https://github.com/univention/kelvin-rest-api-client/runs/6112658327?check_suite_focus=true Might be related to: * https://forge.univention.org/bugzilla/show_bug.cgi?id=54159 * https://forge.univention.org/bugzilla/show_bug.cgi?id=54126 * https://forge.univention.org/bugzilla/show_bug.cgi?id=54116
The jenkins job URL is wrong, instead it should have been: https://github.com/univention/kelvin-rest-api-client/runs/6112658309?check_suite_focus=true It looks like the problem might be related to the udm backend version (UCS 4.4 used by local tests and UCS 5.0 used by Jenkins).
This has been fixed already. PS: In the previouse messages I mentioned Jenkins but was Travis.
This was fixed in UDM in Bug 54150 (dup of Bug 54152), released with UCS 5.0 errata259. The Kelvin REST API still searches using "shadowExpire=19389" (LDAP value) instead of "userexpiry=2023-02-01" (UDM value). The 1st one works for older UCS versions, but is less safe as the calculation for shadowExpire is unsafe (for example not time zone aware). The LDAP value should be handled as a UDM internal, so using the newer method (and letting the UDM REST API make the transformation) would be better. Instead of backporting Bug 54150 to 4.4, I suggest to adapt the Kelvin API to not transform "expiration_date" anymore to "shadowExpire". And add a warning note to the Kelvin API documentation, that searching for "expiration_date" is only supported from version <next> on.