From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [Patch v2 access-control] fix #2947 login name for the LDAP/AD realm can be case-insensitive
Date: Mon, 7 Sep 2020 10:20:48 +0200
Message-ID: <9f102575-138a-d839-94d4-4ef98482decf@proxmox.com>
In-Reply-To: <20200903083620.66529-1-w.link@proxmox.com>

one comment inline

On 9/3/20 10:36 AM, Wolfgang Link wrote:
> This is an option for LDAP and AD realms.
> The default behavior is case-sensitive.
> 
> Signed-off-by: Wolfgang Link <w.link@proxmox.com>
> ---
> v1 -> v2:	* naming of parameter
> 		* use grep instead of a loop, to avoid login errors
> 		  with ambiguous usernames
> 
>   PVE/API2/AccessControl.pm | 23 +++++++++++++++++++++++
>   PVE/Auth/AD.pm            |  1 +
>   PVE/Auth/LDAP.pm          |  7 +++++++
>   3 files changed, 31 insertions(+)
> 
> diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
> index fd27786..3155d67 100644
> --- a/PVE/API2/AccessControl.pm
> +++ b/PVE/API2/AccessControl.pm
> @@ -226,6 +226,28 @@ __PACKAGE__->register_method ({
>       returns => { type => "null" },
>       code => sub { return undef; }});
>   
> +sub lookup_username {
> +    my ($username) = @_;
> +
> +    $username =~ /@(.+)/;

I do not know if you saw my last mail, but we have to do a
better regex here, since the username can contain an '@'

so foo@bar@pve is a valid username (:-S)
and the realm here would parse to 'bar@pve'

so a better regex would be
/@([^@]+)$/

> +
> +    my $realm = $1;
> +    my $domain_cfg = cfs_read_file("domains.cfg");
> +    my $casesensitive = $domain_cfg->{ids}->{$realm}->{'case-sensitive'} // 1;
> +    my $usercfg = cfs_read_file('user.cfg');
> +
> +    if (!$casesensitive) {
> +	my @matches = grep { lc $username eq lc $_ } (keys %{$usercfg->{users}});
> +
> +	die "ambiguous case insensitive match of username '$username', cannot safely grant access!\n"
> +	    if scalar @matches > 1;
> +
> +	return $matches[0]
> +    }
> +
> +    return $username;
> +};
> +
>   __PACKAGE__->register_method ({
>       name => 'create_ticket',
>       path => 'ticket',
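Review bot: the match `$username =~ /@(.+)/;` is never checked, so when it fails `$1` is undefined or still holds the capture of an earlier successful match, and `$realm` silently becomes a wrong key into `domains.cfg`; test the match before using `$1`, e.g. `die "invalid username\n" unless $username =~ /@([^@]+)$/;`. In the same sub, when `@matches` is empty `return $matches[0]` yields undef, so the caller proceeds with an undefined username; return `$username` unchanged (or die) in that case. The `};` closing the sub is a stray semicolon.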
> @@ -292,6 +314,7 @@ __PACKAGE__->register_method ({
>   	my $username = $param->{username};
>   	$username .= "\@$param->{realm}" if $param->{realm};
>   
> +	$username = lookup_username($username);
>   	my $rpcenv = PVE::RPCEnvironment::get();
>   
>   	my $res;
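Review bot: `lookup_username` runs before any credential is verified, and the `die` it raises ("ambiguous case insensitive match of username ...") is returned to an unauthenticated caller, so it confirms that accounts with that name exist; log the detail server-side and fail the ticket request with the same generic error a wrong password produces. The lookup also reads `domains.cfg` and `user.cfg` on every ticket request regardless of realm type; reading the domain entry first and returning early for realms without the option would keep the pam/pve paths unchanged.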
> diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
> index 4d64c20..88b2098 100755
> --- a/PVE/Auth/AD.pm
> +++ b/PVE/Auth/AD.pm
> @@ -94,6 +94,7 @@ sub options {
>   	group_classes => { optional => 1 },
>   	'sync-defaults-options' => { optional => 1 },
>   	mode => { optional => 1 },
> +	'case-sensitive' => { optional => 1 },
>       };
>   }
>   
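Review bot: `'case-sensitive'` is added to AD's `options` here, but the property definition (type, default, description) only appears in the LDAP.pm `properties` hunk below; that is fine if AD.pm inherits `properties` from LDAP.pm, otherwise the option is accepted without schema validation. Please confirm which it is.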
> diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
> index 09b2202..97d0778 100755
> --- a/PVE/Auth/LDAP.pm
> +++ b/PVE/Auth/LDAP.pm
> @@ -129,6 +129,12 @@ sub properties {
>   	    optional => 1,
>   	    default => 'ldap',
>   	},
> +        'case-sensitive' => {
> +	    description => "username is case-sensitive",
> +	    type => 'boolean',
> +	    optional => 1,
> +	    default => 1,
> +	}
>       };
>   }
>   
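Review bot: the `'case-sensitive' => {` line is indented with spaces while the surrounding lines use tabs. The description "username is case-sensitive" should say what the flag controls (whether the login name is matched against user.cfg ignoring case, with an ambiguous match rejected), since that is what an admin needs to know before turning it off.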
> @@ -159,6 +165,7 @@ sub options {
>   	group_classes => { optional => 1 },
>   	'sync-defaults-options' => { optional => 1 },
>   	mode => { optional => 1 },
> +	'case-sensitive' => { optional => 1 },
>       };
>   }
>   
> 
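As an added example (not the patch's code and not Proxmox's own), this shows the realm split with the regex proposed above, checked instead of trusting `$1`, and the case-insensitive lookup against a constructed stand-in for user.cfg and domains.cfg, covering the ambiguous and the no-match cases:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the 'users' section of user.cfg (not real data).
my $users = {
    'root@pam'    => {},
    'Alice@ldap'  => {},
    'alice@ldap'  => {},  # differs from the entry above only by case
    'Bob@ldap'    => {},
    'foo@bar@pve' => {},  # user part that itself contains an '@'
};

# Constructed stand-in for the 'ids' section of domains.cfg.
my $domains = {
    pam  => { type => 'pam' },
    pve  => { type => 'pve' },
    ldap => { type => 'ldap', 'case-sensitive' => 0 },
};

# Split "user@realm" on the *last* '@' so a user part containing '@' stays
# intact; return an empty list when there is no realm instead of trusting $1.
sub split_realm {
    my ($username) = @_;
    return unless $username =~ /^(.*)@([^@]+)$/;
    return ($1, $2);
}

sub lookup_username {
    my ($username) = @_;
    my ($user, $realm) = split_realm($username);
    die "invalid username '$username': no realm\n" unless defined $realm;
    my $casesensitive = $domains->{$realm}->{'case-sensitive'} // 1;
    return $username if $casesensitive;

    my @matches = grep { lc $username eq lc $_ } keys %$users;
    die "ambiguous case insensitive match of username '$username', cannot safely grant access!\n"
        if @matches > 1;
    # no match: hand the name back unchanged, the realm's own auth still decides
    return @matches ? $matches[0] : $username;
}

my $name = 'foo@bar@pve';
my ($wrong) = $name =~ /@(.+)/;        # 'bar@pve' with the patch's regex
my ($right) = $name =~ /@([^@]+)$/;    # 'pve' with the regex proposed in the review
print "realm of $name: patch regex -> $wrong, fixed regex -> $right\n";
print "bob\@ldap -> ", lookup_username('bob@ldap'), "\n";         # Bob@ldap
print "foo\@bar\@pve -> ", lookup_username('foo@bar@pve'), "\n";  # unchanged, realm pve is case-sensitive
eval { lookup_username('ALICE@ldap') };
print "ALICE\@ldap -> $@";                                         # dies: ambiguous match
```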

Thread overview:
2020-09-03  8:36 Wolfgang Link
2020-09-07  8:20 ` Dominik Csapak [this message]
2020-09-07  8:42   ` Wolfgang Link
2020-09-07  9:29     ` Thomas Lamprecht