Bug 55015 – import_computer: improve search filter for mac adresses

Bug 55015 - import_computer: improve search filter for mac adresses


Summary:	import_computer: improve search filter for mac adresses

Status:	CLOSED FIXED

Product:	UCS@school
Classification:	Unclassified
Component:	Import scripts
Version:	UCS@school 5.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS@school 5.0 v5
Assigned To:	Julian Helms
QA Contact:	Tobias Wenzel

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2022-07-19 22:23 CEST by Sönke Schwardt-Krummrich
Modified:	2024-03-21 15:49 CET (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?:	1: Will affect a very few installed domains
How will those affected feel about the bug?:	1: Nuisance – not a big deal but noticeable
User Pain:	0.017
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	bitesize
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sönke Schwardt-Krummrich

2022-07-19 22:23:55 CEST

from ucs-school-import/usr/share/ucs-school-import/scripts/import_computer:

---[cut]---
def mac_address_is_used(mac_address, lo):  # type: (str, LoType) -> bool
    result = lo.search(
        base=ucr["ldap/base"],
        scope="sub",
        filter=filter_format("(macAddress=%s)", [mac_address]),
        attr=["macAddress"],
    )
    return result and result[0][1]["macAddress"][0].decode("ASCII") == mac_address
---[cut]---

We should improve this method:

1) The attribute macAddress may also be used at different objects, so the search filter should contain an objectclass:

filter_format("(&(objectClass=univentionHost)(macAddress=%s)", [mac_address])

or even better the actual UDM search filter for Windows/MacOS/IPManaged clients.
Otherwise the macAddress may be mistakenly returned as "in use".

2) The search is already looking for objects, that contain the specified mac_address:

2a) if result is non-empty (evaluates to True), you found at least one object with the specified mac_address

2b) if several MAC addresses are set, it is unclear in which order you get the values for the macAddress attribute → LDAP does not guarantee a specific order or the order you saved the values → result[0][1]["macAddress"][0] may contain a different MAC address but e.g. result[0][1]["macAddress"][1] may contain the searched address → the lookup will mistakenly return False even when the address is already in use.

Comment 2 Tobias Wenzel

2024-02-15 13:14:59 CET

QA

- [x] (new) tests -> fail before, pass after fix (I renamed the mac-address-is-used-function to test this
- [x] changelog ok
- [x] advisory ok
- [x] manual test (see below)
- [x] package build works


Importing two computers:

$ cat computers.csv 
ipmanagedclient	routerg123m-01	10:00:ee:ff:cc:02	DEMOSCHOOL	10.0.5.1
windows	wing123m-01	10:00:ee:ff:cc:00	DEMOSCHOOL	10.0.5.5

$ /usr/share/ucs-school-import/scripts/import_computer computers.csv 
input file is  : computers.csv
Processing line 1: ipmanagedclient	routerg123m-01	10:00:ee:ff:cc:02	DEMOSCHOOL	10.0.5.1
 WARNING: no netmask specified for IP address 10.0.5.1 using 255.255.255.0
set ip to 10.0.5.1 is not net 10.0.5.0
Processing of line 1 completed
Processing line 2: windows	wing123m-01	10:00:ee:ff:cc:00	DEMOSCHOOL	10.0.5.5
 WARNING: no netmask specified for IP address 10.0.5.5 using 255.255.255.0
set ip to 10.0.5.5 is not net 10.0.5.0
Processing of line 2 completed


Importing them again

$ /usr/share/ucs-school-import/scripts/import_computer computers.csv 
input file is  : computers.csv
Processing line 1: ipmanagedclient	routerg123m-01	10:00:ee:ff:cc:02	DEMOSCHOOL	10.0.5.1
 computer routerg123m-01 already exists (school DEMOSCHOOL)
Processing line 2: windows	wing123m-01	10:00:ee:ff:cc:00	DEMOSCHOOL	10.0.5.5
 computer wing123m-01 already exists (school DEMOSCHOOL)


as expected -> error message

If the mac address of another computer, e.g. the replica is used 


$ /usr/share/ucs-school-import/scripts/import_computer computers.csv 
input file is  : computers.csv
Processing line 1: ipmanagedclient	routerg123m-01	52:54:00:ec:3f:e4	DEMOSCHOOL	10.0.5.1
 WARNING: no netmask specified for IP address 10.0.5.1 using 255.255.255.0
set ip to 10.0.5.1 is not net 10.0.5.0
WARNING: mac_address 10:00:ee:ff:cc:02 for computer wing123m-03 already used (school DEMOSCHOOL)
Processing of line 1 completed
Processing line 2: windows	wing123m-01	10:00:ee:ff:cc:00	DEMOSCHOOL	10.0.5.5
 computer wing123m-01 already exists (school DEMOSCHOOL)


$ udm computers/windows modify --dn cn=wing123m-01,cn=computers,ou=DEMOSCHOOL,dc=school,dc=test  --append mac=10:00:ee:ff:cc:02
Object modified: cn=wing123m-01,cn=computers,ou=DEMOSCHOOL,dc=school,dc=test
$ cat computers.csv 
windows	wing123m-02	10:00:ee:ff:cc:01	DEMOSCHOOL	10.0.5.6
$ /usr/share/ucs-school-import/scripts/import_computer computers.csv 
input file is  : computers.csv
Processing line 1: windows	wing123m-03	10:00:ee:ff:cc:02	DEMOSCHOOL	10.0.5.7
WARNING: mac_address 10:00:ee:ff:cc:02 for computer wing123m-03 already used (school DEMOSCHOOL)
root@primary:/tmp#

Comment 3 Julian Helms

2024-02-15 13:23:55 CET

Package: ucs-test-ucsschool
Version: 7.3.167
Branch: ucs_5.0-0
Scope: ucs-school-5.0


Package: ucs-school-import
Version: 18.0.42
Branch: ucs_5.0-0
Scope: ucs-school-5.0

Comment 4 Tobias Wenzel

2024-02-19 08:59:43 CET

jenkins looks good -> setting to verify

Comment 5 Johannes Königer

2024-03-21 15:49:47 CET

UCS@school 5.0 v5 has been released.

- https://docs.software-univention.de/ucsschool-changelog/5.0v5/en/changelog.html
- https://docs.software-univention.de/ucsschool-changelog/5.0v5/de/changelog.html

If this error occurs again, please clone this bug.