Pulp, https://pulp.plan.io/, 2016-02-29T19:14:58Z
Pulp - Issue #1728: Please relax input validation on --login for 'pulp-admin user create'
semyers (sean.myers@redhat.com), 2016-02-29T19:14:58Z, https://pulp.plan.io/issues/1728?journal_id=9435
<p>Here's a diff that appears to work, but I have no idea if it's a good idea:</p>
<pre><code class="diff syntaxhl" data-language="diff"><span class="gh">diff --git a/client_lib/pulp/client/validators.py b/client_lib/pulp/client/validators.py
index 4eb1d87..c941358 100644
</span><span class="gd">--- a/client_lib/pulp/client/validators.py
</span><span class="gi">+++ b/client_lib/pulp/client/validators.py
</span><span class="p">@@ -11,7 +11,7 @@</span> from pulp.common import dateutils
from pulp.common.plugins import importer_constants
<span class="gd">-ID_REGEX_ALLOW_DOTS = re.compile(r'^[.\-_A-Za-z0-9]+$')
</span><span class="gi">+ID_REGEX_ALLOW_DOTS = re.compile(r'^[.@\-_A-Za-z0-9]+$')
</span> ID_REGEX = re.compile(r'^[\-_A-Za-z0-9]+$')
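Review bot: ID_REGEX_ALLOW_DOTS is a general id pattern rather than a login-specific one, so adding '@' here relaxes every validator built on it (id_validator_allow_dots in the test file below), and the constant's name no longer describes what it accepts. Consider a separate login regex, or rename the constant and confirm that each caller can tolerate '@'.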
<span class="gh">diff --git a/client_lib/test/unit/test_validators.py b/client_lib/test/unit/test_validators.py
index cb2ac34..3e35d89 100644
</span><span class="gd">--- a/client_lib/test/unit/test_validators.py
</span><span class="gi">+++ b/client_lib/test/unit/test_validators.py
</span><span class="p">@@ -131,7 +131,6 @@</span> class TestIdAllowDots(unittest.TestCase):
# Single input
self.assertRaises(ValueError, validators.id_validator_allow_dots, '**invalid**')
self.assertRaises(ValueError, validators.id_validator_allow_dots, '**inval.id**')
<span class="gd">- self.assertRaises(ValueError, validators.id_validator_allow_dots, 'invalid-@')
</span> self.assertRaises(ValueError, validators.id_validator_allow_dots, '-_-_- ')
# Multiple input
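Review bot: the only test change is the removal of the 'invalid-@' rejection case, so nothing now asserts that a value containing '@' is accepted and nothing records which '@' forms must still fail. Add a positive case to TestIdAllowDots for a value such as user@REALM, and keep a negative case for whatever the new rule is meant to exclude.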
<span class="gh">diff --git a/server/pulp/server/db/model/__init__.py b/server/pulp/server/db/model/__init__.py
index 29fea05..2b18b55 100644
</span><span class="gd">--- a/server/pulp/server/db/model/__init__.py
</span><span class="gi">+++ b/server/pulp/server/db/model/__init__.py
</span><span class="p">@@ -1014,7 +1014,7 @@</span> class User(AutoRetryDocument):
:type _ns: mongoengine.StringField
"""
- login = StringField(required=True, regex=r'^[.\-_A-Za-z0-9]+$')
<span class="gi">+ login = StringField(required=True, regex=r'^[.@\-_A-Za-z0-9]+$')
</span> name = StringField()
password = StringField()
roles = ListField(StringField())
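Review bot: the new regex on User.login puts no limit on where or how often '@' appears, so '@' on its own or 'a@@b' is a valid login. If the intent is user@REALM names, express that structure in the pattern. The string is also a second copy of the client-side pattern in validators.py; a single shared definition would keep the client and server rules from drifting apart.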
</code></pre>
<p>Something to note is that we have a specific test to make sure the <code>@</code> sign is caught as an invalid character. I don't know, and the test doesn't make clear, why the <code>@</code> sign is disallowed. It could maybe be a terrible thing to change the validation this way, and it could also be totally fine with the added benefit of (maybe?) getting kerberos users working.</p>
amacdona@redhat.com (austin@redhat.com), 2016-02-29T19:23:24Z, https://pulp.plan.io/issues/1728?journal_id=9436
<p>To determine if this will work, one thing we need to check on is that "@" is properly escaped when hitting the user API endpoints.</p>
kfiresmith (kfiresmith@gmail.com), 2016-02-29T20:27:09Z, https://pulp.plan.io/issues/1728?journal_id=9447
<p>Hrm - having a hard time locating the line in the last portion of the diff - in fact I can't find it in any of the pulp/server/db/... __init__.py files:</p>
<p>[root@trenton ksf_mgr]# grep login /usr/lib/python2.7/site-packages/pulp/server/db/model/__init__.py<br>
[root@trenton ksf_mgr]# echo $?<br>
1<br>
[root@trenton ksf_mgr]# vim /usr/lib/python2.7/site-packages/pulp/server/db/model/__init__.py<br>
[root@trenton ksf_mgr]# locate '.py' | grep pulp | grep server | grep init | grep db | egrep .py$<br>
/usr/lib/python2.7/site-packages/pulp/server/db/__init__.py<br>
/usr/lib/python2.7/site-packages/pulp/server/db/migrate/__init__.py<br>
/usr/lib/python2.7/site-packages/pulp/server/db/migrations/__init__.py<br>
/usr/lib/python2.7/site-packages/pulp/server/db/model/__init__.py<br>
[root@trenton ksf_mgr]# for i in $(locate '.py' | grep pulp | grep server | grep init | grep db | egrep .py$); do grep login $i; done</p>
<p>Running pulp-server-2.7.1-1.el7.</p>
<p>Any advice?</p>
mhrivnak (mhrivnak@redhat.com), 2016-03-01T15:55:54Z, https://pulp.plan.io/issues/1728?journal_id=9472
<p>I'm not aware of any problems this might cause.</p>
mhrivnak (mhrivnak@redhat.com), 2016-03-04T15:47:13Z, https://pulp.plan.io/issues/1728?journal_id=9593
<ul><li><strong>Priority</strong> changed from <i>Normal</i> to <i>High</i></li><li><strong>Severity</strong> changed from <i>3. High</i> to <i>2. Medium</i></li><li><strong>Triaged</strong> changed from <i>No</i> to <i>Yes</i></li><li><strong>Tags</strong> <i>Easy Fix</i> added</li></ul>
semyers (sean.myers@redhat.com), 2016-03-07T18:27:20Z, https://pulp.plan.io/issues/1728?journal_id=9645
<p>kfiresmith wrote:</p>
<blockquote>
<p>Running pulp-server-2.7.1-1.el7.</p>
</blockquote>
<p>^ Ah, I completely missed this when I looked at this issue before.</p>
<blockquote>
<p>Any advice?</p>
</blockquote>
<p>The diff I posted was made against a recent 2.8 beta. Earlier versions of pulp will certainly be missing pulp.server.db.model. Tests aren't packaged up, so the change to validators.py is the only one you can make. It's possible that patching validators.py as seen in the diff will get the validation loosened up for you, but I think it's unlikely. The <code>@</code> was presumably invalid for a reason in earlier versions of pulp (including 2.7), but changes in 2.8 appear to have made it so that <code>@</code> doesn't break mongo or our API. So, my advice would be to test this patch with a 2.8 beta install and let us know if everything is ruined (or not!). :)</p>
kfiresmith (kfiresmith@gmail.com), 2016-03-07T18:49:13Z, https://pulp.plan.io/issues/1728?journal_id=9649
<p>semyers wrote:</p>
<blockquote>
<p>The <code>@</code> was presumably invalid for a reason in earlier versions of pulp (including 2.7), but changes in 2.8 appear to have made it so that <code>@</code> doesn't break mongo or our API. So, my advice would be to test this patch with a 2.8 beta install and let us know if everything is ruined (or not!). :)</p>
</blockquote>
<p>Ah - well that's no big problem. Since this isn't quite in production yet, I'll perform an upgrade to 2.8b as soon as I get back from Death Valley. If this ticket isn't updated by me by March 20th or so, I have expired in the desert and some hapless replacement will have to come in and figure this out again on their own.</p>
kfiresmith (kfiresmith@gmail.com), 2016-04-05T18:26:54Z, https://pulp.plan.io/issues/1728?journal_id=10385
<p>Using @SeMeyers' changes appears to work insofar as I've been able to create the account!</p>
<pre><code>pulp-admin auth user create --login jim_bob@AD.COLLEGE.EDU
Enter password for user [jim_bob@AD.COLLEGE.EDU] :
Re-enter password for user [jim_bob@AD.COLLEGE.EDU]:
User [jim_bob@AD.COLLEGE.EDU] successfully created
</code></pre>
<p>Disregard the below message - I'd forgotten to restart the necessary services.<br>
Alright - I've gotten back and gotten upgraded to 2.8.0 and updated the files that exist on the local pulp server system. No joy:</p>
<pre><code>pulp-admin auth user create --login jim_bob@AD.COLLEGE.EDU
Enter password for user [jim_bob@AD.COLLEGE.EDU] :
Re-enter password for user [jim_bob@AD.COLLEGE.EDU]:
Invalid properties: ['login']
</code></pre>
kfiresmith (kfiresmith@gmail.com), 2016-04-07T15:42:58Z, https://pulp.plan.io/issues/1728?journal_id=10447
<p>This input validation relaxation to allow '@' hasn't seemed to cause us any problems running Pulp 2.8. We've tested these AD accounts with mod_auth_kerb.so and mod_auth_gssapi.so and everything is working for AD/Kerberos integration with the code changes given by semyers in comment #1.</p>
<p>We would love to have these changes integrated into Pulp's next release.</p>
rbarlow, 2016-04-07T15:46:32Z, https://pulp.plan.io/issues/1728?journal_id=10448
<p>I propose that we put this patch on master for the 2.9 release. Any objections?</p>
bmbouter (bmbouter@redhat.com), 2016-04-07T16:14:23Z, https://pulp.plan.io/issues/1728?journal_id=10449
<p>Going into the 2.9 release sounds fine, but FYI at this moment master is still 2.8.3. master will become 2.9.0 when we branch off the 2.8-dev branch from master.</p>
rbarlow, 2016-04-08T17:42:17Z, https://pulp.plan.io/issues/1728?journal_id=10550
<ul><li><strong>Platform Release</strong> set to <i>2.9.0</i></li><li><strong>Triaged</strong> changed from <i>Yes</i> to <i>No</i></li></ul><p>Let's retriage it, since it has a patch and we have community testing from kfiresmith. I propose 2.9.0.</p>
kfiresmith (kfiresmith@gmail.com), 2016-04-13T19:23:31Z, https://pulp.plan.io/issues/1728?journal_id=10772
<p>Please ignore last comment. Something reverted the local customizations to the python files listed in smeyers' patch. I re-added '@' to the regex and everything works again. D'oh!</p>
mhrivnak (mhrivnak@redhat.com), 2016-04-15T14:38:50Z, https://pulp.plan.io/issues/1728?journal_id=10803
<ul><li><strong>Triaged</strong> changed from <i>No</i> to <i>Yes</i></li></ul>
semyers (sean.myers@redhat.com), 2016-06-15T17:51:09Z, https://pulp.plan.io/issues/1728?journal_id=12378
<ul><li><strong>Platform Release</strong> deleted (<del><i>2.9.0</i></del>)</li></ul>
bmbouter (bmbouter@redhat.com), 2016-06-29T17:59:35Z, https://pulp.plan.io/issues/1728?journal_id=12705
<ul><li><strong>Sprint Candidate</strong> changed from <i>No</i> to <i>Yes</i></li></ul>
amacdona@redhat.com (austin@redhat.com), 2016-06-29T18:03:14Z, https://pulp.plan.io/issues/1728?journal_id=12706
<ul><li><strong>Groomed</strong> changed from <i>No</i> to <i>Yes</i></li></ul>
mhrivnak (mhrivnak@redhat.com), 2016-06-30T14:38:21Z, https://pulp.plan.io/issues/1728?journal_id=12733
<ul><li><strong>Sprint/Milestone</strong> set to <i>23</i></li></ul>
amacdona@redhat.com (austin@redhat.com), 2016-07-11T13:17:22Z, https://pulp.plan.io/issues/1728?journal_id=12918
<ul><li><strong>Status</strong> changed from <i>NEW</i> to <i>ASSIGNED</i></li><li><strong>Assignee</strong> set to <i>amacdona@redhat.com</i></li></ul>
amacdona@redhat.com (austin@redhat.com), 2016-07-11T14:55:13Z, https://pulp.plan.io/issues/1728?journal_id=12924
<ul><li><strong>Status</strong> changed from <i>ASSIGNED</i> to <i>POST</i></li></ul><p><a href="https://github.com/pulp/pulp/pull/2635" class="external">https://github.com/pulp/pulp/pull/2635</a></p>
Anonymous, 2016-07-14T17:22:25Z, https://pulp.plan.io/issues/1728?journal_id=12996
<ul><li><strong>Status</strong> changed from <i>POST</i> to <i>MODIFIED</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Allow at sign in user ids Adjust the regex to allow usernames to contain the at sign so that ema..." href="https://pulp.plan.io/projects/pulp/repository/pulp/revisions/bd85660d386dd31838a0b151563f4cbaeaf52011">pulp|bd85660d386dd31838a0b151563f4cbaeaf52011</a>.</p>
amacdona@redhat.com (austin@redhat.com), 2016-07-14T17:27:11Z, https://pulp.plan.io/issues/1728?journal_id=12997
<ul><li><strong>Platform Release</strong> set to <i>2.9.2</i></li></ul>
semyers (sean.myers@redhat.com), 2016-08-05T14:13:00Z, https://pulp.plan.io/issues/1728?journal_id=13461
<ul><li><strong>Status</strong> changed from <i>MODIFIED</i> to <i>5</i></li></ul>
pthomas@redhat.com, 2016-08-08T20:12:42Z, https://pulp.plan.io/issues/1728?journal_id=13521
<ul><li><strong>Status</strong> changed from <i>5</i> to <i>6</i></li></ul><p>verified</p>
<pre><code>[root@tigger ~]# pulp-admin auth user create --login jim_bob@AD.COLLEGE.EDU
Enter password for user [jim_bob@AD.COLLEGE.EDU] :
Re-enter password for user [jim_bob@AD.COLLEGE.EDU]:
User [jim_bob@AD.COLLEGE.EDU] successfully created
[root@tigger ~]# rpm -qa pulp-server
pulp-server-2.9.2-0.2.beta.el7.noarch
[root@tigger ~]#
</code></pre>
semyers (sean.myers@redhat.com), 2016-08-15T22:07:39Z, https://pulp.plan.io/issues/1728?journal_id=13805
<ul><li><strong>Status</strong> changed from <i>6</i> to <i>CLOSED - CURRENTRELEASE</i></li></ul>
bmbouter (bmbouter@redhat.com), 2018-03-08T19:03:55Z, https://pulp.plan.io/issues/1728?journal_id=25358
<ul><li><strong>Sprint</strong> set to <i>Sprint 5</i></li></ul>
bmbouter (bmbouter@redhat.com), 2018-03-08T19:05:49Z, https://pulp.plan.io/issues/1728?journal_id=25373
<ul><li><strong>Sprint/Milestone</strong> deleted (<del><i>23</i></del>)</li></ul>
bmbouter (bmbouter@redhat.com), 2019-04-15T20:34:17Z, https://pulp.plan.io/issues/1728?journal_id=39103
<ul><li><strong>Tags</strong> <i>Pulp 2</i> added</li></ul>
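<p>The thread leaves two things to check: what the relaxed login pattern actually accepts, and whether "@" survives being placed in a user API URL. The following is an added example, not Pulp code or code from any participant: the two regexes are copied from the diff, while <code>STRICT_LOGIN</code>, the <code>/users/</code> path prefix, the helper names and the sample logins are assumptions made for illustration.</p>

```python
import re
from urllib.parse import quote, unquote

# Patterns copied from the diff in this thread.
OLD_LOGIN = re.compile(r'^[.\-_A-Za-z0-9]+$')
NEW_LOGIN = re.compile(r'^[.@\-_A-Za-z0-9]+$')
# Hypothetical stricter pattern (an assumption, not Pulp's): optional single '@realm'.
STRICT_LOGIN = re.compile(r'[.\-_A-Za-z0-9]+(?:@[.\-_A-Za-z0-9]+)?')


def accepts(pattern, login):
    """Validate the way a '^...$' pattern used with match() does."""
    return pattern.match(login) is not None


def accepts_strict(login):
    """fullmatch() must consume the whole string, trailing newline included."""
    return STRICT_LOGIN.fullmatch(login) is not None


def user_path(login):
    """Percent-encode the login as one path segment ('/users/' is a placeholder)."""
    return '/users/' + quote(login, safe='') + '/'


def login_from_path(path):
    """Recover the login from a path built by user_path()."""
    return unquote(path.rstrip('/').rsplit('/', 1)[-1])


# Constructed sample logins.
SAMPLES = ['jim_bob@AD.COLLEGE.EDU', 'jim_bob', '@', 'a@@b',
           'jim_bob@AD.COLLEGE.EDU\n']


def report():
    """Map each sample to (old pattern, patched pattern, strict pattern) verdicts."""
    return {s: (accepts(OLD_LOGIN, s), accepts(NEW_LOGIN, s), accepts_strict(s))
            for s in SAMPLES}


if __name__ == '__main__':
    for login, verdicts in report().items():
        print(repr(login), verdicts, user_path(login))
```

<p>The patched pattern accepts a bare "@", a doubled "@@" and a login with a trailing newline, because <code>$</code> in Python also matches just before a final newline; the stricter pattern with <code>fullmatch()</code> rejects all three.</p>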