From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 1833068FAA for ; Fri, 28 Aug 2020 14:41:57 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 15CEB2207E for ; Fri, 28 Aug 2020 14:41:57 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 59A5922071 for ; Fri, 28 Aug 2020 14:41:56 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 28386443FF for ; Fri, 28 Aug 2020 14:41:56 +0200 (CEST) From: Thomas Lamprecht To: Proxmox VE development discussion , Wolfgang Link Reply-To: Proxmox VE development discussion References: <20200828111943.26450-1-w.link@proxmox.com> <2275e662-f47c-6f81-ba61-f19821d1974c@proxmox.com> Message-ID: Date: Fri, 28 Aug 2020 14:41:53 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:80.0) Gecko/20100101 Thunderbird/80.0 MIME-Version: 1.0 In-Reply-To: <2275e662-f47c-6f81-ba61-f19821d1974c@proxmox.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-GB Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.778 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -1.782 Looks like a legit reply (A) RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [accesscontrol.pm, ldap.pm] Subject: Re: [pve-devel] [access-contorl] fix #2947 login name for the LDAP/AD realm can be case-insensitive X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Aug 2020 12:41:57 -0000 On 8/28/20 2:39 PM, Thomas Lamprecht wrote: > off-topic: Please switch over your mails "To" address from the old > to the new , thank you! > > On 8/28/20 1:19 PM, Wolfgang Link wrote: >> This is an optional for LDAP and AD realm. >> The default behavior is case-sensitive. >> > > looks good in general, thanks! > two nits and and additional place where we may want to use the new helper > below. > >> Signed-off-by: Wolfgang Link >> --- >> PVE/API2/AccessControl.pm | 20 ++++++++++++++++++++ >> PVE/Auth/LDAP.pm | 7 +++++++ >> 2 files changed, 27 insertions(+) >> >> diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm >> index fd27786..4b4d0be 100644 >> --- a/PVE/API2/AccessControl.pm >> +++ b/PVE/API2/AccessControl.pm >> @@ -226,6 +226,25 @@ __PACKAGE__->register_method ({ >> returns => { type => "null" }, >> code => sub { return undef; }}); >> >> +sub lookup_username { >> + my ($username) = @_; >> + >> + $username =~ /@(.+)/; >> + >> + my $realm = $1; >> + my $domain_cfg = cfs_read_file("domains.cfg"); >> + my $casesensitive = $domain_cfg->{ids}->{$realm}->{casesensitive} // 1; >> + my $usercfg = cfs_read_file('user.cfg'); >> + >> + if ($casesensitive == 0) { > > nit: we normally rather use `if (!$casesensitive)` > >> + foreach my $user_name (keys %{$usercfg->{users}}) { >> + return $user_name if lc $username eq lc $user_name; >> + } > > above is fine, but if we'd use the built-in grep we could also easily die > on multiple matches, for example, something below (untested): > > my @matches = grep { lc $username eq lc $_ } @{keys %{$usercfg->{users}}}; > > die "ambiguous case insensitive match of username '$username', cannot safely grant access!\n" > if scalar @matches > 1; > > return $matches[1]; > > > And we then actually want to use this method also in the API call for adding > new users, to ensure an admin do not accidentally adds the case-sensitive same argh, meant the same user when compared case *in*sensitively > user multiple times. > >> + } >> + >> + return $username; >> +}; >> + >> __PACKAGE__->register_method ({ >> name => 'create_ticket', >> path => 'ticket', >> @@ -292,6 +311,7 @@ __PACKAGE__->register_method ({ >> my $username = $param->{username}; >> $username .= "\@$param->{realm}" if $param->{realm}; >> >> + $username = lookup_username($username); >> my $rpcenv = PVE::RPCEnvironment::get(); >> >> my $res; >> diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm >> index 09b2202..75cce0f 100755 >> --- a/PVE/Auth/LDAP.pm >> +++ b/PVE/Auth/LDAP.pm >> @@ -129,6 +129,12 @@ sub properties { >> optional => 1, >> default => 'ldap', >> }, >> + casesensitive => { > > > can we please use 'case-sensitive' here, makes it way easier to read. > (and we (Wolfgang B and me) want to go away from using underscore as > separator for API/ABI properties or parameters :)) > >> + description => "username is case-sensitive", >> + type => 'boolean', >> + optional => 1, >> + default => 1, >> + } >> }; >> } >> >> @@ -159,6 +165,7 @@ sub options { >> group_classes => { optional => 1 }, >> 'sync-defaults-options' => { optional => 1 }, >> mode => { optional => 1 }, >> + casesensitive => { optional => 1 }, >> }; >> } >> >>