freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#6199 Received ACIError instead of DuplicatedError in stageuser_tests

Created 2 years ago by mbasti
Modified a year ago

Several similar errors in ipa.test_xmlrpc.test_stageuser_plugin:

        except errors.PublicError as got_exception:
>           assert type(expected_exception) is type(got_exception)
E           assert <class 'ipalib.errors.DuplicateEntry'> is <class 'ipalib.errors.ACIError'>
E            +  where <class 'ipalib.errors.DuplicateEntry'> = type(DuplicateEntry(u'user with name "tuser" already exists',))
E            +  and   <class 'ipalib.errors.ACIError'> = type(ACIError(u"Insufficient access: Insufficient 'add' privilege to add the entry ...ts,cn=provisioning,dc=dom-150,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.",))

Version of DS: 389-ds-base-1.3.5.12-1.fc24.x86_64

In the latest provided build of DS there were some changes in ACI enforcement, so this is probably the root cause.

The latest changes to fix a CVE issue did not change the ACI implementation, but changed return codes to avoid guessing. E.g. if a user tried to add an existing entry that he would not have access to create, he used to get "already exists", but now always gets "insufficient access", so this could affect expected return codes in clients.

This is caused by exactly what Ludwig wrote. Admin has no write access to the deleted users container; before DS 1.3.5.12 it received DuplicatedEntry, but now it receives ACIError.

We cannot rely on the DuplicatedEntry error anymore in code; there must be an explicit check in [stage]user-add to not add the entry if it already exists.

Note that there is a privilege "Stage User Provisioning" that grants user_A (having this permission) the right to ADD a stage user but not to read them.

If user_A creates a stage user_B and stage user_B already exists, it will receive "already exists".

A user not having the ADD permission will receive "insufficient rights"

But this is happening for the admin user, the one who has all privileges. This is about user-add and the deleted container.
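The following is an added example, not FreeIPA or 389-ds code. It is a small in-memory model of the two server behaviours discussed above (existence checked before or after the ACI check on an ADD) and of the explicit client-side check that a user-add command needs once the server only answers "insufficient access" for a container the caller cannot add to. The DNs, containers, bind DNs and ACI rules are constructed for illustration; the real ACI semantics of 389-ds are far richer than the per-container sets used here.

```python
"""Added example (not FreeIPA or 389-ds code). Toy model of an LDAP ADD of an
existing entry by a caller without 'add' rights on its parent, and of the
client-side existence check a user-add command needs once the server reports
only "insufficient access". All names below are constructed for illustration."""

from dataclasses import dataclass, field


class LDAPError(Exception):
    """Base for the two LDAP result codes the ticket is about."""


class AlreadyExists(LDAPError):
    """entryAlreadyExists (LDAP result code 68)."""


class InsufficientAccess(LDAPError):
    """insufficientAccessRights (LDAP result code 50)."""


class DuplicateEntry(Exception):
    """Client-side error a user-add command raises for a duplicate uid."""


# Constructed container DNs (assumed layout, not taken from the ticket)
BASE = "dc=example,dc=test"
ACTIVE = f"cn=users,cn=accounts,{BASE}"
STAGED = f"cn=staged users,cn=accounts,cn=provisioning,{BASE}"
DELETED = f"cn=deleted users,cn=accounts,cn=provisioning,{BASE}"


def _parent(dn):
    return dn.split(",", 1)[1]


@dataclass
class Directory:
    """In-memory directory with a minimal ACI model: per bind DN, the set of
    containers it may add children to and the set it may search."""
    entries: set = field(default_factory=set)
    add_rights: dict = field(default_factory=dict)
    read_rights: dict = field(default_factory=dict)
    # True models the old ordering (existence checked before authorization)
    leak_existence: bool = False

    def add(self, binddn, dn):
        allowed = _parent(dn) in self.add_rights.get(binddn, set())
        if self.leak_existence:
            # Old ordering: "already exists" is returned before the ACI is
            # consulted, so any bound user can probe for entries it cannot read.
            if dn in self.entries:
                raise AlreadyExists(dn)
            if not allowed:
                raise InsufficientAccess(dn)
        else:
            # Fixed ordering: authorization first; existence is only revealed
            # to callers that could have created the entry anyway.
            if not allowed:
                raise InsufficientAccess(dn)
            if dn in self.entries:
                raise AlreadyExists(dn)
        self.entries.add(dn)

    def exists(self, binddn, dn):
        """Base-scope search; needs read rights on the parent container."""
        if _parent(dn) not in self.read_rights.get(binddn, set()):
            raise InsufficientAccess(dn)
        return dn in self.entries


def probe(ds, binddn, dn):
    """What a caller learns from a single ADD attempt."""
    try:
        ds.add(binddn, dn)
        return "created"
    except AlreadyExists:
        return "exists"
    except InsufficientAccess:
        return "denied"


def can_enumerate(ds, binddn, present_dn, absent_dn):
    """True if ADD responses let binddn tell a present entry from an absent one."""
    return probe(ds, binddn, present_dn) != probe(ds, binddn, absent_dn)


def user_add(ds, binddn, uid):
    """Client-side logic after the fix: do not rely on the server's
    AlreadyExists for containers the caller has no add rights on (it now
    answers InsufficientAccess). Search each container explicitly instead."""
    for container in (ACTIVE, STAGED, DELETED):
        if ds.exists(binddn, f"uid={uid},{container}"):
            raise DuplicateEntry(f'user with name "{uid}" already exists')
    ds.add(binddn, f"uid={uid},{ACTIVE}")


def build(leak_existence):
    """Constructed fixture: admin reads all three containers but may add only
    to the active one; 'lowpriv' may add nowhere and read nothing. 'tuser'
    already sits in the deleted container, as in the failing test."""
    ds = Directory(leak_existence=leak_existence)
    ds.entries.add(f"uid=tuser,{DELETED}")
    ds.add_rights["admin"] = {ACTIVE}
    ds.read_rights["admin"] = {ACTIVE, STAGED, DELETED}
    ds.add_rights["lowpriv"] = set()
    ds.read_rights["lowpriv"] = set()
    return ds
```

With `leak_existence=True`, `lowpriv` gets "exists" for `uid=tuser` and "denied" for a missing uid, so ADD is an existence oracle for entries it cannot read; with the fixed ordering both probes answer "denied". The same change is why admin now sees InsufficientAccess instead of AlreadyExists for the deleted container, and why `user_add` has to search that container itself before raising DuplicateEntry.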

master:

  • 5c50b26 Raise DuplicatedEnrty error when user exists in delete_container
a year ago

Metadata Update from @mbasti:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.4.1


defect

IPA

https://git.fedorahosted.org/cgit/freeipa.git/tree/ipatests/test_xmlrpc/test_stageuser_plugin.py

1

Regression: yes

https://bugzilla.redhat.com/show_bug.cgi?id=1370512

lryznaro
