Bug 55348 - [UDM REST API]: listing SAML Service providers broken if old mapping format is used
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UDM - REST API
UCS 5.0
Other Linux
P5 normal
UCS 5.0-2-errata
Assigned To: Florian Best
Iván.Delgado
https://git.knut.univention.de/univen...
Reported: 2022-10-26 15:04 CEST by Florian Best
Modified: 2022-11-16 18:04 CET

What kind of report is it?: Development Internal
Bug group (optional): bitesize
Description Florian Best univentionstaff 2022-10-26 15:04:17 CEST
With:
    dn: SAMLServiceProviderIdentifier=https://master46.school.dev/univention/saml/metadata,cn=saml-serviceprovider,cn=univention,l=school,l=dev
    simplesamlLDAPattributes: uid

The following exception happens:
    HTTPServerRequest(protocol='http', host='master46.school.dev', method='GET', uri='/udm/saml/serviceprovider/?filter=&scope=sub&hidden=0', version='HTTP/1.1', remote_ip='0.0.0.0')
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/tornado/web.py", line 1592, in _execute
        result = yield result
      File "/usr/lib/python3/dist-packages/tornado/gen.py", line 1133, in run
        value = future.result()
      File "/usr/lib/python3/dist-packages/univention/admin/rest/module.py", line 2367, in get
        await self._get(object_type)
      File "/usr/lib/python3/dist-packages/univention/admin/rest/module.py", line 2422, in _get
        entry = Object.get_representation(objmodule, obj, properties, self.ldap_connection)
      File "/usr/lib/python3/dist-packages/univention/admin/rest/module.py", line 2796, in get_representation
        values = dict(decode_properties(module, obj, values))
      File "/usr/lib/python3/dist-packages/univention/admin/rest/module.py", line 3768, in decode_properties
        yield key, codec.decode_json(value)
      File "/usr/lib/python3/dist-packages/univention/admin/types.py", line 139, in decode_json
        return self.to_json_type(self.decode(value))
      File "/usr/lib/python3/dist-packages/univention/admin/types.py", line 122, in decode
        return self.decode_value(value)
      File "/usr/lib/python3/dist-packages/univention/admin/types.py", line 593, in decode_value
        return self.syntax.todict(value)
      File "/usr/lib/python3/dist-packages/univention/admin/syntax.py", line 571, in todict
        return dict(value)
    ValueError: dictionary update sequence element #0 has length 1; 2 is required

We should unmap the old format `simplesamlLDAPattributes: uid` as `simplesamlLDAPattributes: uid=uid` to prevent this error.
Comment 1 Florian Best univentionstaff 2022-11-03 14:05:41 CET
This is the only affected property:
    >>> inspect.getmembers(univention.admin.syntax, lambda m: inspect.isclass(m) and issubclass(m, univention.admin.syntax.complex) and not m.all_required and m.subsyntax_key_value)
    [('attributeMapping', <class 'univention.admin.syntax.attributeMapping'>)]

A similar problem might exist for those syntax classes:
    >>> [x[0] for x in inspect.getmembers(univention.admin.syntax, lambda m: inspect.isclass(m) and issubclass(m, univention.admin.syntax.complex) and not m.all_required and m.subsyntax_names)]
    ['ActivationDateTimeTimezone', 'DateTimeTimezone', 'IPv4_AddressRange', 'PrinterURI', 'UMC_CommandPattern', 'dhcpEntry', 'dnsSRVName']
Comment 2 Florian Best univentionstaff 2022-11-03 14:25:42 CET
(In reply to Florian Best from comment #1)
> A similar problem might exist for those syntax classes:
> >>> [x[0] for x in inspect.getmembers(univention.admin.syntax, lambda m: inspect.isclass(m) and issubclass(m, univention.admin.syntax.complex) and not m.all_required and m.subsyntax_names)]
> ['ActivationDateTimeTimezone', 'DateTimeTimezone', 'IPv4_AddressRange',
> 'PrinterURI', 'UMC_CommandPattern', 'dhcpEntry', 'dnsSRVName']
They all seem to be fine. Can best be seen with IPv4_AddressRange as there the unmap function doesn't necessarily require two elements to be unmapped:

`IPv4_AddressRange.todict(('1.2.3.4',)) == {'first': '1.2.3.4', 'last': None}`
Comment 4 Florian Best univentionstaff 2022-11-10 09:41:24 CET
Reproducer:
__udm saml/serviceprovider list

curl -H 'Accept: application/json' "http://Administrator:univention@localhost/univention/udm/saml/serviceprovider/SAMLServiceProviderIdentifier=https:,/=/,$(hostname -f)/univention/saml/metadata,cn=saml-serviceprovider,cn=univention,$(ucr get ldap/base)" | python -m json.tool
Comment 5 Florian Best univentionstaff 2022-11-10 15:27:52 CET
mapping and unmapping now always produce a mapping:

univention-saml.yaml
0fdc7b59f1b6 | fix(udm-rest): make sure unmapping of saml LDAPAttributes always unmap a mappable value

univention-saml (7.0.5-5)
0fdc7b59f1b6 | fix(udm-rest): make sure unmapping of saml LDAPAttributes always unmap a mappable value
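
The failure from the traceback and the normalisation described in comment 5, as an added example that is not Univention's code. `legacy_unmap` is a constructed stand-in for the old behaviour; all function names and the sample values are assumptions made for illustration.

```python
# Added illustration; hypothetical helpers, not the univention.admin API.

# Constructed sample: one old-format value and one key=value value.
SAMPLE = [b"uid", b"mailPrimaryAddress=mail"]


def legacy_unmap(raw_values, encoding="utf-8"):
    """Stand-in for the old behaviour: 'uid' becomes the 1-element list ['uid']."""
    return [raw.decode(encoding).split("=", 1) for raw in raw_values]


def unmap_attribute_mapping(raw_values, encoding="utf-8"):
    """Always return [ldap_attribute, service_attribute] pairs.

    An old-format value without '=' is read as 'name=name', so the
    result can be passed to dict() without raising ValueError.
    """
    pairs = []
    for raw in raw_values:
        text = raw.decode(encoding).strip()
        if not text:
            continue  # skip empty values instead of emitting a broken pair
        key, sep, mapped = text.partition("=")
        if not sep:
            mapped = key  # old format: the attribute maps to itself
        pairs.append([key.strip(), mapped.strip()])
    return pairs


def old_format_values(raw_values, encoding="utf-8"):
    """List the values still stored in the old format (useful for an audit)."""
    return [raw.decode(encoding) for raw in raw_values if b"=" not in raw]


def raises_value_error(pairs):
    """True if dict(pairs) fails the way syntax.todict() did in the traceback."""
    try:
        dict(pairs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("legacy fails:", raises_value_error(legacy_unmap(SAMPLE)))
    print("normalised:", dict(unmap_attribute_mapping(SAMPLE)))
    print("old-format values:", old_format_values(SAMPLE))
```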
Comment 6 Iván.Delgado univentionstaff 2022-11-11 13:21:06 CET
Verified:
 * Comment 4
 * Advisory
 * ucs-test-saml
Comment 7 Arvid Requate univentionstaff 2022-11-15 18:19:48 CET
f49175a623 | Advisory wording