From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 14EBD68ECB for ; Fri, 28 Aug 2020 14:39:43 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 0E77C21EC6 for ; Fri, 28 Aug 2020 14:39:43 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id F38FF21EAE for ; Fri, 28 Aug 2020 14:39:41 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id C6DC24473B for ; Fri, 28 Aug 2020 14:39:41 +0200 (CEST) To: Proxmox VE development discussion , Wolfgang Link , pve-devel@pve.proxmox.com References: <20200828111943.26450-1-w.link@proxmox.com> From: Thomas Lamprecht Message-ID: <2275e662-f47c-6f81-ba61-f19821d1974c@proxmox.com> Date: Fri, 28 Aug 2020 14:39:39 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:80.0) Gecko/20100101 Thunderbird/80.0 MIME-Version: 1.0 In-Reply-To: <20200828111943.26450-1-w.link@proxmox.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-GB Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.787 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -1.782 Looks like a legit reply (A) RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [ldap.pm, accesscontrol.pm] Subject: Re: [pve-devel] [access-contorl] fix #2947 login name for the LDAP/AD realm can be case-insensitive X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Aug 2020 12:39:43 -0000 off-topic: Please switch over your mails "To" address from the old to the new , thank you! On 8/28/20 1:19 PM, Wolfgang Link wrote: > This is an optional for LDAP and AD realm. > The default behavior is case-sensitive. > looks good in general, thanks! two nits and and additional place where we may want to use the new helper below. > Signed-off-by: Wolfgang Link > --- > PVE/API2/AccessControl.pm | 20 ++++++++++++++++++++ > PVE/Auth/LDAP.pm | 7 +++++++ > 2 files changed, 27 insertions(+) > > diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm > index fd27786..4b4d0be 100644 > --- a/PVE/API2/AccessControl.pm > +++ b/PVE/API2/AccessControl.pm > @@ -226,6 +226,25 @@ __PACKAGE__->register_method ({ > returns => { type => "null" }, > code => sub { return undef; }}); > > +sub lookup_username { > + my ($username) = @_; > + > + $username =~ /@(.+)/; > + > + my $realm = $1; > + my $domain_cfg = cfs_read_file("domains.cfg"); > + my $casesensitive = $domain_cfg->{ids}->{$realm}->{casesensitive} // 1; > + my $usercfg = cfs_read_file('user.cfg'); > + > + if ($casesensitive == 0) { nit: we normally rather use `if (!$casesensitive)` > + foreach my $user_name (keys %{$usercfg->{users}}) { > + return $user_name if lc $username eq lc $user_name; > + } above is fine, but if we'd use the built-in grep we could also easily die on multiple matches, for example, something below (untested): my @matches = grep { lc $username eq lc $_ } @{keys %{$usercfg->{users}}}; die "ambiguous case insensitive match of username '$username', cannot safely grant access!\n" if scalar @matches > 1; return $matches[1]; And we then actually want to use this method also in the API call for adding new users, to ensure an admin do not accidentally adds the case-sensitive same user multiple times. > + } > + > + return $username; > +}; > + > __PACKAGE__->register_method ({ > name => 'create_ticket', > path => 'ticket', > @@ -292,6 +311,7 @@ __PACKAGE__->register_method ({ > my $username = $param->{username}; > $username .= "\@$param->{realm}" if $param->{realm}; > > + $username = lookup_username($username); > my $rpcenv = PVE::RPCEnvironment::get(); > > my $res; > diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm > index 09b2202..75cce0f 100755 > --- a/PVE/Auth/LDAP.pm > +++ b/PVE/Auth/LDAP.pm > @@ -129,6 +129,12 @@ sub properties { > optional => 1, > default => 'ldap', > }, > + casesensitive => { can we please use 'case-sensitive' here, makes it way easier to read. (and we (Wolfgang B and me) want to go away from using underscore as separator for API/ABI properties or parameters :)) > + description => "username is case-sensitive", > + type => 'boolean', > + optional => 1, > + default => 1, > + } > }; > } > > @@ -159,6 +165,7 @@ sub options { > group_classes => { optional => 1 }, > 'sync-defaults-options' => { optional => 1 }, > mode => { optional => 1 }, > + casesensitive => { optional => 1 }, > }; > } > >