Bug 478168 - MIGRATED_FROM_JIRA: Proxy search fails with non-objectClass filters applied
Status: MODIFIED
Product: penrose
Classification: Retired
Component: Unknown
2.0
All Linux
low Severity low
Assigned To: Endi Sukma Dewata
Ben Levenson
Blocks: 471500
Reported: 2008-12-27 03:05 EST by Chandrasekar Kannan
Modified: 2015-01-04 19:11 EST
Doc Type: Bug Fix
Description Chandrasekar Kannan 2008-12-27 03:05:32 EST
Searches on proxied mappings fail if non-objectClass filters are applied. The ProxyEngine does not include the filter attributes in the search, therefore the SearchHandler filter validation routine removes otherwise valid entries.

To replicate: on a proxy mapping, search with a filter with a non-objectclass attribute (e.g. cn=*). All returns are filtered by the SearchHandler because the attributes cannot be validated by the FilterTool.

SearchHandler: 95
Entry child = (Entry)event.getObject();
log.debug("Checking filter "+filter+" on "+child.getDn());
if (!handler.getFilterTool().isValid(child, filter)) {
     log.debug("Entry \""+child.getDn()+"\" doesn't match search filter.");
     return;
}

With a non-objectclass filter applied, isValid() always fails because the filter attribute values are not included as part of the event object. 

Since filter validation is occurring within Penrose, any filter attributes should be included as part of the search attributes in the query to the backend identity store. I have a patch available with this functionality if desired.
Additional Comments From endisd dated Tue Nov 21 14:54:07 CST 2006 
Michael,

Could you provide a sample test scenario (test data, search filter, and expected results)? Also if you could, please provide the patch. Thank you very much.

Additional Comments From rammic dated Wed Nov 29 09:18:55 CST 2006 
Patch causes the inclusion of the filter attributes into the search query to the backend IdP.

Adds ConcreteFilter.java: interface representing an attribute filter object with concrete attribute values (i.e. not a filter operator such as AND, OR, NOT, etc.). I suggest refactoring filters under two different interfaces, namely OperatorFilters and OperandFilters, to make iterating over a filter set easier.

Additional Comments From rammic dated Wed Nov 29 09:21:28 CST 2006 
Attached is the patch I have in my working environment. Please review and let me know if you need additional input regarding the need for this update. 

Apologies for the delay in responding, I didn't receive a JIRA notification of the comment.

Additional Comments From jimyang dated Wed Nov 29 09:56:36 CST 2006 
Michael,

You should be getting a notification now. JIRA notification for Penrose is misconfigured.


Additional Comments From endisd dated Wed Nov 29 15:26:05 CST 2006 
Michael,

Thanks for the patch, now I understand completely what you're trying to do. After some consideration, I think it's better to move the filter checking from the SearchHandler into the Engine implementations. This way each engine can do what's best for itself. In this case the ProxyEngine no longer needs to invoke isValid() because we can assume that the underlying LDAP server has done filter checking as well, thus avoiding redundant work. The DefaultEngine will still need to perform filter checking though. I've committed the changes into branches/1.1 and they will be released in the next version.

I have some questions for you about your suggestions about the filter. I will post that in the forum since it's no longer related to this issue.


=========================================================
Issue dump from jira
$VAR1 = {
          'priority' => '3',
          'customFieldValues' => [],
          'project' => 'PENROSE',
          'status' => '5',
          'components' => [
                            {}
                          ],
          'attachmentNames' => 'FilterExclusionPatch.txt',
          'reporter' => 'rammic',
          'key' => 'PENROSE-191',
          'assignee' => 'endisd',
          'summary' => 'Proxy search fails with non-objectClass filters applied',
          'id' => '10569',
          'updated' => '2006-11-29 15:26:05.0',
          'votes' => '0',
          'fixVersions' => [
                           {
                             'releaseDate' => '2006-12-25 00:00:00.0',
                             'sequence' => '21',
                             'name' => 'Penrose-1.1.3',
                             'released' => 'true',
                             'id' => '10092',
                             'archived' => 'false'
                           },
                           {
                             'releaseDate' => '2007-05-18 00:00:00.0',
                             'sequence' => '22',
                             'name' => 'Penrose-1.2',
                             'released' => 'true',
                             'id' => '10088',
                             'archived' => 'false'
                           }
                         ],
          'affectsVersions' => [
                               {
                                 'releaseDate' => '2006-10-26 00:00:00.0',
                                 'sequence' => '19',
                                 'name' => 'Penrose-1.1.1',
                                 'released' => 'true',
                                 'id' => '10090',
                                 'archived' => 'false'
                               }
                             ],
          'created' => '2006-11-09 12:53:44.0',
          'environment' => 'n/a',
          'resolution' => '1',
          'type' => '1'
        };


=========================================================
Comment 1 Chandrasekar Kannan 2008-12-27 03:05:34 EST
Marking bug as MODIFIED as it was already resolved in Jira - PENROSE-191
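
The failure described in this report, and the reporter's proposed remedy of adding the filter attributes to the backend request, modelled as an added example in Python (not Penrose code and not the attached patch). `BACKEND`, `parse_filter`, `filter_attrs`, `matches`, `backend_search` and `proxy_search` are hypothetical names, the directory entries are constructed, and the filter parser covers only AND, OR, NOT, equality and presence.

```python
import re

BACKEND = [  # constructed directory data, not from the bug report
    {"dn": "uid=alice,dc=example,dc=com", "objectclass": ["person"],
     "cn": ["Alice"], "mail": ["alice@example.com"]},
    {"dn": "uid=svc,dc=example,dc=com", "objectclass": ["account"],
     "mail": ["svc@example.com"]},
]

def parse_filter(s):
    """Parse a filter subset; returns (node, unparsed remainder)."""
    if s[:2] in ("(&", "(|", "(!"):
        op, s, kids = s[1], s[2:], []
        while s.startswith("("):
            kid, s = parse_filter(s)
            kids.append(kid)
        if not kids or not s.startswith(")"):
            raise ValueError("bad filter")
        return (op, kids), s[1:]
    m = re.match(r"\(([^=()]+)=([^()]*)\)", s)
    if not m:
        raise ValueError("bad filter: " + s)
    return ("=", m.group(1).lower(), m.group(2)), s[m.end():]

def filter_attrs(node):
    """Attribute names that must be present on an entry to evaluate the filter."""
    if node[0] == "=":
        return {node[1]}
    return set().union(*(filter_attrs(k) for k in node[1]))

def matches(entry, node):
    if node[0] == "=":
        vals = [v.lower() for v in entry.get(node[1], [])]
        return bool(vals) if node[2] == "*" else node[2].lower() in vals
    results = [matches(entry, k) for k in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def backend_search(node, attrs):
    """Backend evaluates the filter on full entries, returns only requested attrs."""
    return [{k: v for k, v in e.items() if k == "dn" or k in attrs}
            for e in BACKEND if matches(e, node)]

def proxy_search(flt, attrs, include_filter_attrs):
    node, wanted = parse_filter(flt)[0], {a.lower() for a in attrs}
    fetch = wanted | filter_attrs(node) if include_filter_attrs else wanted
    # Re-validate in the proxy (the isValid() step), then return only the
    # attributes the client asked for, not those fetched for validation.
    return [{k: v for k, v in e.items() if k == "dn" or k in wanted}
            for e in backend_search(node, fetch) if matches(e, node)]
```

With `include_filter_attrs=False`, `(cn=*)` returns nothing even though the backend matched an entry; with `True` the entry comes back, and `cn` is still withheld from the result because the client did not request it.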
