#2869 [1.24.1] Wrong email address for sending mails to users when using certificates.
Opened a year ago by frank-mdc. Modified 6 days ago

Hi developers,
We use SSL for authentication with koji. But when a user calls
koji add-notification --tag=foo
and then
koji list-notifications --mine
the wrong email address is used.
The mail address is built from the CN name of the certificate instead of the SAN attribute email.
For example:
"Jon doe@foo.foo" instead of "jonTheDoe@foo2.doo" from the SAN attribute email.
This will result in an invalid mail address.


It is configurable. You can set DNUsernameComponent in the kojihub conf. The default value is CN. The e-mail itself is then a combination of this value and the configured domain from EmailDomain. So, we're not storing the e-mail anywhere; it is always constructed. Adding a separate e-mail is probably not something we want to do.

Metadata Update from @tkopecek:
- Custom field Size adjusted to None

a year ago

But when the field is changed to something other than CN, then the web and build server can't authenticate to the hub, because only the certificates of the human users will have the SAN email field. The certificates of the servers will only have the FQDN in the CN field.

Metadata Update from @tkopecek:
- Issue set to the milestone: 1.30

3 months ago

EmailDomain is used for creating notifications. The certificate is not used here at all (I don't know what I read here a year ago). It is simply <username>@<EmailDomain>. Is it OK to use this, or do you want to have different addresses based on their certs (which is a bigger change)?

The user name is not the same as the local part of the SAN mail address field.
In the current case the user name is "Jon doe" but this is an invalid local part.

Hmm, I finally got it. The problem is that we see the certificate only in the sslLogin call and it is not available in other calls. So, we would need to store the full email somewhere (user table) to be able to use it in different calls (it can't even be part of the session, as notifications for the build owner are not created this way). Such addresses could be inserted on first login. Anyway, some API would be needed to allow the user to change it (not only an admin via an editUser extension).

A simpler option is to add an email parameter for createNotification. It would leave it to the user to put the correct address there, but will still miss automatic recipients.

@mikem ?

Metadata Update from @tkopecek:
- Issue set to the milestone: 1.31 (was: 1.30)

6 days ago
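
The address construction discussed in this thread (<username>@<EmailDomain>, with the username taken from one DN component), as an added example that is not part of the original issue and is not koji's own code. The function names, the slash-separated DN format and the sample DN are assumptions; the "Jon doe" and "jonTheDoe@foo2.doo" values are the ones from the report.

```python
import re

# RFC 5322 dot-atom local part: runs of "atext" separated by single dots.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL_PART = re.compile(rf"{_ATEXT}(?:\.{_ATEXT})*")


def dn_component(dn, component="CN"):
    """Return one component of a slash-separated subject DN, or None if absent."""
    for rdn in dn.strip("/").split("/"):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == component.upper():
            return value.strip()
    return None


def notification_address(username, email_domain):
    """Build <username>@<EmailDomain>, the construction described in the thread."""
    return f"{username}@{email_domain}"


def is_valid_local_part(local):
    """True if `local` is an unquoted local part of at most 64 characters."""
    return len(local) <= 64 and bool(_LOCAL_PART.fullmatch(local))


def audit(dn, san_email, email_domain, component="CN"):
    """Compare the constructed address with the SAN email of the same certificate."""
    username = dn_component(dn, component)
    if username is None:
        return {"constructed": None, "valid": False, "matches_san": False}
    constructed = notification_address(username, email_domain)
    return {
        "constructed": constructed,
        "valid": is_valid_local_part(username),
        "matches_san": san_email is not None
        and constructed.lower() == san_email.lower(),
    }


# Constructed sample DN; CN, domain and SAN email are the reporter's values.
USER_DN = "/C=XX/O=Example/CN=Jon doe"
USER_SAN_EMAIL = "jonTheDoe@foo2.doo"

if __name__ == "__main__":
    print(audit(USER_DN, USER_SAN_EMAIL, "foo.foo"))
```

Run over the subject DNs of issued user certificates, a check like this lists the accounts whose constructed notification address is invalid or differs from the SAN email.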
