Issue 5170 - BUG - incorrect behaviour of filter test #5315
This CONFLICTS with #5316 Only ONE of these PRs can be merged!
@mreynolds389 seem to fully pass the tests in suites/filter for me.
Here is my revised test case that includes CVE test:
So I'd like to see this testcase updated, but the rest looks good to me! Approving fix...
A few minor comments, but ack
Actually there are several "filter suite" regressions with this change: FAILED filter_with_non_root_user_test.py::test_all_positive[(&(!(l=Cupertino))(!(|(uid=wal)(&(sn~=tiller) (roomNumber=2295)))))] - AssertionError: assert []
Going to be fun to find out why these were failing, probably because they were relying on some kind of bug ....
The problem appears to be that in "only check access mode" of the filter test, that testing is completely busted because the logic is just a complete mess. The whole notion of "just check access divorced from what actually matched on this attribute" is a pretty broken concept anyway. So I think the fix is that we always have to filter test when we acl check.
The issue is that because so many of these attributes aren't indexed, this is forcing the ALLIDS case, which means we go to the filter test which now has "acl check only" path. IF THESE WERE INDEXED then this would have broken on the server "as is" because the skip of the filter test ALSO takes the busted "access check only" route. So I think if this had indexed sn/roomnumber/l then this test would fail too. Yet again, another bug ... Anyway, the fix is to strictly and always check access AND the filter matching because that's the only way that actually works correctly. I'll update the PR shortly once the tests finish.
Worth pointing out, this was the only part of the code that used the broken access check only mode, everything else either does full access tests, or it's doing no access tests.
That's the no root test with my fix for the broken acl check mode.
0c468c8 to 03b8ac7
Request for changes... Fix indentation, update CI test case (although I might have a new one at some point), and I think for all the new (and existing?) "filter" logging, we should add more info to the logging lines, like the entry DN, etc. It would just make things easier to debug.
Will do the changes today. :)
03b8ac7 to 7bacc91
done, not sure what you wanted done with the test case though ....
Besides improving the logging, this looks good to me, and it passed the IPA tests.
exhausted hoorayyyyyy I'll improve the log and will merge.
Bug Description: In the filter test during access only checks, OR conditions were not correctly evaluated. They would have their access checked, but it was not confirmed if this was the element that the entry matched. This means that queries could incorrectly reduce entries.
Fix Description: Remove the access check only mode from being used in filter tests since it is broken, and requires the full filter test to be evaluated along with it to work in complex cases.
fixes: 389ds#5170
Author: William Brown <william@blackhats.net.au>
Review by: @mreynolds389
7bacc91 to 2770f35
Bug Description: In the filter test during access only
checks, OR conditions were not correctly evaluated. They
would have their access checked, but it was not confirmed
if this was the element that the entry matched. This means
that queries could incorrectly reduce entries.
Fix Description: In the "access only" check mode, do not
handle it as a "special case", and apply the full OR check
algorithm to ensure that the component we are matching on
is indeed, the one we are accessing.
fixes: #5170
Author: William Brown william@blackhats.net.au
Review by: ???
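
The bug description above says an OR component had its access checked without confirming it was the component the entry matched. An added C sketch of that difference (not 389-ds code; the `filter` struct, sample entry, ACL and the all-branches rule in `access_only` are constructed assumptions):

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model, not 389-ds source: filter nodes, entry and ACL are hypothetical. */
typedef enum { F_EQ, F_AND, F_OR } ftype;
typedef struct filter {
    ftype type;
    const char *attr, *value;        /* F_EQ only */
    const struct filter *kids[2];    /* F_AND / F_OR only */
} filter;
typedef struct { const char *attr, *value; } attrval;

/* Sample entry and the attributes the bound user may search (constructed). */
static const attrval ENTRY[] = { {"uid", "jdoe"}, {"sn", "tiller"}, {"l", "Cupertino"} };
static const char *READABLE[] = { "sn", "l" };

static bool can_read(const char *attr) {
    for (size_t i = 0; i < sizeof READABLE / sizeof *READABLE; i++)
        if (strcmp(READABLE[i], attr) == 0) return true;
    return false;
}
static bool value_matches(const char *attr, const char *value) {
    for (size_t i = 0; i < sizeof ENTRY / sizeof *ENTRY; i++)
        if (!strcmp(ENTRY[i].attr, attr) && !strcmp(ENTRY[i].value, value)) return true;
    return false;
}

/* Decoupled "access only" pass: it never looks at the entry, so for an OR it
 * cannot know which branch matched; this model demands access to every branch. */
bool access_only(const filter *f) {
    if (f->type == F_EQ) return can_read(f->attr);
    return access_only(f->kids[0]) && access_only(f->kids[1]);
}

/* Coupled test: a leaf counts only if it matches AND is readable, so an OR
 * succeeds exactly when the branch the entry matched is one the user may read. */
bool match_with_access(const filter *f) {
    switch (f->type) {
    case F_EQ:  return can_read(f->attr) && value_matches(f->attr, f->value);
    case F_AND: return match_with_access(f->kids[0]) && match_with_access(f->kids[1]);
    default:    return match_with_access(f->kids[0]) || match_with_access(f->kids[1]);
    }
}

/* (|(uid=wal)(sn=tiller)): the entry matches via sn, which is readable. */
static const filter UID_WAL = { F_EQ, "uid", "wal", {NULL, NULL} };
static const filter SN_TILLER = { F_EQ, "sn", "tiller", {NULL, NULL} };
const filter OR_FILTER = { F_OR, NULL, NULL, { &UID_WAL, &SN_TILLER } };
int main(void) { return (!access_only(&OR_FILTER) && match_with_access(&OR_FILTER)) ? 0 : 1; }
```

In this model the decoupled pass rejects the entry because `uid` is unreadable, even though the match came from the readable `sn` branch, so the entry is wrongly dropped from the result.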