From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <d.csapak@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits))
(No client certificate requested)
by lists.proxmox.com (Postfix) with ESMTPS id EE5CA90708
for <pve-devel@lists.proxmox.com>; Wed, 15 Mar 2023 12:42:12 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id C561E92D1
for <pve-devel@lists.proxmox.com>; Wed, 15 Mar 2023 12:41:42 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
[94.136.29.106])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits))
(No client certificate requested)
by firstgate.proxmox.com (Proxmox) with ESMTPS
for <pve-devel@lists.proxmox.com>; Wed, 15 Mar 2023 12:41:41 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 590574167D;
Wed, 15 Mar 2023 12:41:41 +0100 (CET)
Message-ID: <4837827c-33d4-b861-f45e-9e3531b3a99b@proxmox.com>
Date: Wed, 15 Mar 2023 12:41:39 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:110.0) Gecko/20100101
Thunderbird/110.0
Content-Language: en-US
To: Christoph Heiss <c.heiss@proxmox.com>,
Thomas Lamprecht <t.lamprecht@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
References: <20230131125043.380402-1-c.heiss@proxmox.com>
<20230131125043.380402-2-c.heiss@proxmox.com>
<3c2d120e-eb11-aa79-be1f-eba3879cd58a@proxmox.com>
<20230315111748.irvdaowr73thr3o5@maui.proxmox.com>
From: Dominik Csapak <d.csapak@proxmox.com>
In-Reply-To: <20230315111748.irvdaowr73thr3o5@maui.proxmox.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-SPAM-LEVEL: Spam detection results: 0
AWL 0.061 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
NICE_REPLY_A -0.001 Looks like a legit reply (A)
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
information. [proxmox.com, ldap.pm]
Subject: Re: [pve-devel] [PATCH access-control 1/2] ldap: Allow quoted
values for DN attribute values
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Wed, 15 Mar 2023 11:42:13 -0000
On 3/15/23 12:17, Christoph Heiss wrote:
> Thanks for the review!
>
> On Wed, Mar 15, 2023 at 10:54:38AM +0100, Dominik Csapak wrote:
>> hi,
>>
>> so high level comment:
>> i'd write most of what you wrote in the cover letter here in the commit message,
>> makes it much more convenient to find it only via git ;)
> Good point, I'll do that if/when I spin a v2 and for further patchsets!
> I will also include the main points from below, to really make things clear.
>
>>
>> also i'm missing a bit the rationale for how the regex was chosen, besides
>> that it works in some conditions
> Ack, I should have elaborated on that in the commit.
>
> Basically, I took the current regex and what characters are allowed in
> attribute values (see patch #2). From that, constructing the character
> class for the not-allowed characters (and conversely, the quoted version
> of that to allow such special characters) and further the whole regex
> was rather simple. The latter was based on the previous one.
>
> So although it looks a bit like a mess, it's a rather simple regex if
> you look at it this way.
>
>>
>> further comment inline
>>
>> On 1/31/23 13:50, Christoph Heiss wrote:
>>> Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
>>> ---
>>> src/PVE/Auth/LDAP.pm | 8 +++++---
>>> 1 file changed, 5 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
>>> index 4792586..4d771e7 100755
>>> --- a/src/PVE/Auth/LDAP.pm
>>> +++ b/src/PVE/Auth/LDAP.pm
>>> @@ -10,6 +10,8 @@ use PVE::Tools;
>>>
>>> use base qw(PVE::Auth::Plugin);
>>>
>>> +our $dn_regex = qr!\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*!;
>>
>> are you sure you did not make it more strict than what is allowed?
>>
>> e.g. if i had 'foo=<,bar=>' that would have previously worked, but now is forbidden AFAICS
> Thing is, that would have not worked previously anyway. "Worked" in that
> sense that any sensible LDAP server would have failed to parse or
> outright rejected such DNs anyway, but could be configured using the
> API/UI.
>
> Picking up on your example, "<" and ">" are both not allowed (at least
> unquoted) in DN attribute values - see the docs patch again. But using
> them properly quoted (e.g. foo="<",bar=">") worked before as does it
> with the patch.
>
> I just tested this exact example (using an unpatched PVE) against a
> (somewhat current, v2.5.13 as available in bullseye-backports) slapd
> server for the sake of it - it fails when performing the search with
> "invalid DN" - as expected.
>
>> while we can make such changes, we should only do so on major releases where it's a breaking
>> change, preferably with a workaround and/or script where we can rewrite/warn the user
>> that it's not valid syntax
>>
>> OTOH, most users probably won't notice since they did not use such 'strange' values
>>
>> the problem here is that possibly working configs are not valid anymore
>> (for logins it's problematic, depending on how the admins log in)
> Following up on the above, I'd hope no user has such configuration. And
> if so, that user has to be using a completely bonkers LDAP
> server/implementation.
>
> In conclusion, I don't see how this could break existing setups. But I
> do see your point - breaking someones existing setup is a no-go. In that
> case I would just hold onto this patchset for the next major release.
ok i mistook the 'reserved' characters as reserved by us, not ldap.
in such a case, when there is an external format/etc. please
include a reference on where to find these restrictions
(e.g. a link to an rfc)
if my example and all that could have been configured but
would now be invalid are not valid ldap syntax anyway, i think
we can get more strict and "break" someones config
(as you said, shouldn't have worked anyway)
or how do you see that @thomas?
(maybe there are some weirdly configured ldap instances out there?)
>
>>
>>> +
>>> sub type {
>>> return 'ldap';
>>> }
>>> @@ -19,7 +21,7 @@ sub properties {
>>> base_dn => {
>>> description => "LDAP base domain name",
>>> type => 'string',
>>> - pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
>>> + pattern => $dn_regex,
>>> optional => 1,
>>> maxLength => 256,
>>> },
>>> @@ -33,7 +35,7 @@ sub properties {
>>> bind_dn => {
>>> description => "LDAP bind domain name",
>>> type => 'string',
>>> - pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
>>> + pattern => $dn_regex,
>>> optional => 1,
>>> maxLength => 256,
>>> },
>>> @@ -91,7 +93,7 @@ sub properties {
>>> description => "LDAP base domain name for group sync. If not set, the"
>>> ." base_dn will be used.",
>>> type => 'string',
>>> - pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
>>> + pattern => $dn_regex,
>>> optional => 1,
>>> maxLength => 256,
>>> },
>>> --
>>> 2.34.1
>>>
>>>
>>>
>>> _______________________________________________
>>> pve-devel mailing list
>>> pve-devel@lists.proxmox.com
>>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>>
>>>
>>
>>