Fix parsing of search response #294
Conversation
consideRatio
force-pushed
the
pr/conn-stuff
branch
from
70ac79e
to
2caa725
Compare
|
Assuming this works can you add a unit test for |
|
@manics I'll make sure to include that if the function is retained, but I think maybe use of |
consideRatio
force-pushed
the
pr/conn-stuff
branch
from
2caa725
to
3ffc6ba
Compare
consideRatio
changed the title
We were using conn.response but should have used conn.entries as we only cared for search results and not other kinds of messages that could be part of conn.response.
consideRatio
force-pushed
the
pr/conn-stuff
branch
from
3ffc6ba
to
2123f36
Compare
|
@manics @franciscaestecker this is ready for review now. I think the bug resided in this projet's use of |
| @@ -547,6 +550,9 @@ def get_user_attributes(self, conn, userdn): | |||
| search_filter="(objectClass=*)", | |||
| attributes=self.auth_state_attributes, | |||
| ) | |||
| # FIXME: Handle situations with multiple entries below or comment | |||
| # why its not important to do. | |||
| # | |||
There was a problem hiding this comment.
Maybe we should throw an error, same as in resolve_username? If there's a possibility of the entries corresponding to different Identities this implies a change in the LDAP server could lead to a different ordering of responses, resulting in a user gaining access to another user's account.
If it's two entries for the same user we still need to understand what the difference is, in case some attributes are different which could lead to inconsistent configuration of the singleuser server.
There was a problem hiding this comment.
I don't think users will get access to another JupyterHub account, as its just impacting the auth state (see code below from the end of af the authenticate function) - but they could get access to another users ldap data through their jupyterhub account.
I'll open an issue for this to be tracked separately from this PR - do you think its important to get fixed before release?
user_attributes = self.get_user_attributes(conn, userdn)
self.log.debug("username:%s attributes:%s", login_username, user_attributes)
username = resolved_username if self.use_lookup_dn_username else login_username
auth_state = {
"ldap_groups": ldap_groups,
"user_attributes": user_attributes,
}
return {"name": username, "auth_state": auth_state}There was a problem hiding this comment.
@manics btw off topic, but I just wanted to say I greatly appreciate your effort into the jupyterhub - you regularly make me very thankful!!
There was a problem hiding this comment.
My preference is to include this in the next release.
I think we should try and avoid any ambiguities in authenticator given their importance- I'd rather we were too strict and then relax things later. Ideally we'd get more input from people with expertise in LDAP, but it's clear we don't have that, and unfortunately the only way we can get real-world input is to release something and wait for bug reports.
There was a problem hiding this comment.
Yeah I agree, I figure it makes sense to be in a separate PR though - I'll work it next!
There was a problem hiding this comment.
I've come to disagree with my former self, this is in scope of "Fix parsing of search response".
I pushed the commit to this PR!
It seems like a error in how things were setup if this happens. Co-authored-by: Simon Li <[email protected]>
consideRatio
force-pushed
the
pr/conn-stuff
branch
from
dcb65fd
to
cf8aa04
Compare
consideRatio
force-pushed
the
pr/conn-stuff
branch
from
cf8aa04
to
00f8af1
Compare
|
I iterated a bit on the log messages as well to make errors have some pointer on what may be configured wrong or similar. I'm hands off now! |
There was a problem hiding this comment.
The more detailed logging is good! I'm worried about including login ... denied in resolve_username though, since the decision is made in authenticate(). If there's a future refactor this could easily be missed, resulting in incorrect logs. Can we split the errors logs, so the resolve_username error contains the detail of why a username wasn't resolve, and put the definite denied error log in
ldapauthenticator/ldapauthenticator/ldapauthenticator.py
Lines 598 to 600 in 70ea3cd
instead?
The two log messages will still occur together so there's no loss of context.
consideRatio
force-pushed
the
pr/conn-stuff
branch
from
c858a76
to
769f4fb
Compare
|
Good point @manics, I've made the resolve_username function not draw conclusions on whats happening outside the function and instead focused on logging things in scope for the function to log based on its purpose only. |
There was a problem hiding this comment.
Thanks!
@franciscaestecker please could you try this PR? Assuming it fixes your bug reported in #292 we can release this in the next few days as 2.0.2
|
@manics I'll proceed with a release |
Fixes #292 and a bug that maybe never surfaced where things could work before 2.0.0 when the conn.response list had multiple elements thanks to being ordered in a way where the first element was the one of relevance, even though LDAP specification sais any ordering is allowed. Maybe the ldap3 client orders them, but who knows.
Also fixes #295
Investigation
type=searchResEntryresponses?Answer: yes we should use conn.entries, it is only including
type=searchResEntryresponses, see the code here.References