From b2bcf34673ef37471d7a0500803c205d6d64760d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Hru=C5=A1ka?=
Date: Fri, 13 Sep 2024 18:02:40 +0200
Subject: [PATCH 1/3] fix ldap search when filtering with empty string
---
 seacatauth/credentials/providers/ldap.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/seacatauth/credentials/providers/ldap.py b/seacatauth/credentials/providers/ldap.py
index 793c1006..1719933c 100644
--- a/seacatauth/credentials/providers/ldap.py
+++ b/seacatauth/credentials/providers/ldap.py
@@ -288,11 +288,12 @@ async def iterate(self, offset: int = 0, limit: int = -1, filtr: str = None):
 yield i
 
 def _build_search_filter(self, filtr=None):
- if filtr is None:
+ if not filtr:
 filterstr = self.Config["filter"]
 else:
 # The query filter is the intersection of the filter from config
 # and the filter defined by the search request
+ # The username must START WITH the given filter string
 filter_template = "(&{}({}=*%s*))".format(self.Config["filter"], self.Config["attrusername"])
 assertion_values = ["{}".format(filtr.lower())]
 filterstr = ldap.filter.filter_format(
From b5809a19af78c1e7fe26038db97c7f92004368e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Hru=C5=A1ka?=
Date: Fri, 13 Sep 2024 18:03:06 +0200
Subject: [PATCH 2/3] remove base check (case in/sensitivity issues)
---
 seacatauth/credentials/providers/ldap.py | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/seacatauth/credentials/providers/ldap.py b/seacatauth/credentials/providers/ldap.py
index 1719933c..7cadbfa6 100644
--- a/seacatauth/credentials/providers/ldap.py
+++ b/seacatauth/credentials/providers/ldap.py
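Review bot: The comment added above `filter_template` says the username must START WITH the filter string, but the template it documents, `({}=*%s*)`, carries a leading and a trailing wildcard and is therefore a substring match, so the new comment contradicts the code right below it. If substring matching is the intended behaviour the comment should read `# The username must CONTAIN the given filter string (substring match)`; if a prefix match was meant, the template would have to become `"(&{}({}=%s*))"`, which changes what `iterate` returns and should be called out as such. The `filtr.lower()` assertion value still flows through `ldap.filter.filter_format`, so switching the guard to `not filtr` does not weaken the escaping of caller-supplied filter text. `_build_search_filter` continues past the end of the hunk.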
@@ -176,20 +176,17 @@ def _get_worker(self, prefix, credentials_id, include=None) -> Optional[dict]:
 # TODO: Validate credetials_id with regex
- # Ensure that the base lies within configured base
- base = base64.urlsafe_b64decode(credentials_id[len(prefix):]).decode("utf-8")
- if not base.endswith(self.Config["base"]):
- raise KeyError("Credentials {!r} do not end with {!r}".format(credentials_id, self.Config["base"]))
-
+ cn = base64.urlsafe_b64decode(credentials_id[len(prefix):]).decode("utf-8")
 with self._ldap_client() as lc:
 try:
 sr = lc.search_s(
- base,
+ cn,
 ldap.SCOPE_BASE,
 filterstr=self.Config["filter"],
 attrlist=self.AttrList,
 )
- except ldap.NO_SUCH_OBJECT:
+ except ldap.NO_SUCH_OBJECT as e:
+ L.error(e)
 sr = []
 
 if len(sr) == 0:
From 192affe03895b250014cbf38fea417155f4e770f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Hru=C5=A1ka?=
Date: Mon, 16 Sep 2024 10:48:58 +0200
Subject: [PATCH 3/3] update CHANGELOG.md
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 21a7ed58..16d3604d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@
 - v24.29-alpha6
 
 ### Fix
+- Fix handling of empty filter in LDAP credentials provider (#421, `v24.36-alpha3`)
 - Sort assigned tenants and roles alphabetically (#417, `v24.36-alpha2`)
 - Do not check tenant existence when unassigning tenant (#415, `v24.29-alpha8`)
 - Hotfix: Session expiration in userinfo must match access token expiration (#414, `v24.29-alpha7`)
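Review bot: Deleting the `base.endswith(self.Config["base"])` check removes the only guard that kept a caller-supplied credentials_id inside the configured subtree: the DN is now decoded from the id and handed straight to `search_s` with `ldap.SCOPE_BASE`, so any entry the bind account can read and that matches `self.Config["filter"]` resolves as credentials of this provider no matter where it sits in the directory. Since the commit message names case sensitivity as the problem, keeping the guard with a case-insensitive comparison is the smaller fix, `if not cn.lower().endswith(self.Config["base"].lower()):` followed by the original `raise KeyError(...)` line; DNs that differ only in RDN spacing would additionally need both sides normalised through `ldap.dn.str2dn`, which I would treat as the fuller fix. `L.error(e)` on every `NO_SUCH_OBJECT` also fires for each lookup of a stale or deleted credentials_id, which is an expected condition here rather than an error, so `L.warning` that includes `credentials_id` would be more useful than the bare exception text. The rest of `_get_worker` is outside the hunk.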