Numeric userid-username cannot be created #187

Open
phil-davis opened this issue Aug 27, 2020 · 6 comments

@phil-davis

For example:

Scenario Outline: user with unusual username deletes a file                                   # /srv/app/testrunner/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature:258
    Given user "<username>" has been created with default attributes and without skeleton files # FeatureContext::userHasBeenCreatedWithDefaultAttributesAndWithoutSkeletonFiles()
    And user "<username>" has uploaded file with content "to delete" to "/textfile0.txt"        # FeatureContext::userHasUploadedAFileWithContentTo()
    And using <dav-path> DAV path                                                               # FeatureContext::usingOldOrNewDavPath()
    When user "<username>" deletes file "/textfile0.txt" using the WebDAV API                   # FeatureContext::userDeletesFile()
    Then as "<username>" file "/textfile0.txt" should exist in the trashbin                     # TrashbinContext::asFileOrFolderExistsInTrash()
    But as "<username>" file "/textfile0.txt" should not exist                                  # FeatureContext::asFileOrFolderShouldNotExist()

    Examples:
      | dav-path | username |
      | old      | dash-123 |
      | old      | null     |
      | old      | nil      |
      | old      | 123      |
        Provisioning::usersHaveBeenCreatedUnexpected failure when creating a user: HTTP status 400 HTTP reason Bad Request OCS status 400 OCS message preferred_name '123' must be at least the local part of an email (Exception)
      | old      | -123     |
        Provisioning::usersHaveBeenCreatedUnexpected failure when creating a user: HTTP status 400 HTTP reason Bad Request OCS status 400 OCS message preferred_name '-123' must be at least the local part of an email (Exception)
      | old      | 0.0      |
        Provisioning::usersHaveBeenCreatedUnexpected failure when creating a user: HTTP status 400 HTTP reason Bad Request OCS status 400 OCS message preferred_name '0.0' must be at least the local part of an email (Exception)
      | new      | dash-123 |
      | new      | null     |
      | new      | nil      |
      | new      | 123      |
        Provisioning::usersHaveBeenCreatedUnexpected failure when creating a user: HTTP status 400 HTTP reason Bad Request OCS status 400 OCS message preferred_name '123' must be at least the local part of an email (Exception)
      | new      | -123     |
        Provisioning::usersHaveBeenCreatedUnexpected failure when creating a user: HTTP status 400 HTTP reason Bad Request OCS status 400 OCS message preferred_name '-123' must be at least the local part of an email (Exception)
      | new      | 0.0      |
        Provisioning::usersHaveBeenCreatedUnexpected failure when creating a user: HTTP status 400 HTTP reason Bad Request OCS status 400 OCS message preferred_name '0.0' must be at least the local part of an email (Exception)

First need to look and see exactly what the test code is doing with these - maybe it is sending some not-allowed email address.

Then look to see if the code in ocis-accounts needs changing to allow "numeric" in userid-username-email.

@phil-davis

https://github.com/owncloud/ocis-accounts/blob/master/pkg/service/v0/accounts.go#L513 has:

var usernameRegex = regexp.MustCompile("^[a-zA-Z_][a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]*(@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*)*$")

It insists that a username/userid/email-address-first-part/whatever-you-call-it must start with an alpha or underscore. But that is just not true. For example, a university I was enrolled at used the student number for usernames and email addresses - e.g. username "247843222" and email address "247843222@student.myuniversity.edu.au" - that all works fine for cloud file sharing in oC10, cs3org/reva and owncloud/ocis-reva. So, IMO, we better make sure it works for owncloud/ocis.

@phil-davis

Maybe we now have the distinction between userid and username - maybe the userid can be numeric and the username will have to start with "[a-z][A-Z]_" - I will try making the test code do that and see what explodes.

@phil-davis

@butonic commented:

hm, good point. I dug into the verification of unix usernames, because ultimately that username will appear as the username in an os that integrates with glauth to persist shares using acls. see https://unix.stackexchange.com/a/435120 and the systemd bug it caused: systemd/systemd#6237

@PVince81 transferred this issue from owncloud/ocis-accounts Aug 27, 2020

@phil-davis

I did a demonstration in owncloud/ocis#498 with core branch test-u-username

When creating users, the test code puts a "u" in front of the userid when creating the username - e.g. it creates userid Alice with username uAlice, userid 123 with username u123. Then when sending basic auth, the test code sends the username (and password, of course). API endpoints that are constructed with a "user" in them still use the userid.

OCIS CI passes - good stuff.

In oC10 userid and username are the same thing. And so clients do not need to understand the difference. But for the current OCIS the valid values for username are more restricted. If clients get enhanced to understand that userid and username can be different, and the clients know how/when to use each, then the administrator could create users that have userid 123456 and username something123456. And maybe a human user only needs to be aware of their userid and underneath all the clients that they use can work out for themselves what is the username and how to use it.

Or we can relax the validation of username, or ...?

@jasson99

jasson99 commented Sep 3, 2020

Also, users with some special characters in their usernames cannot be created.
For example, users: a space and a@-+_.b cannot be created successfully.

  1. For user a@-+_.b
 curl -s -k -X POST https://localhost:9200/ocs/v1.php/cloud/users -H "OCS-APIREQUEST=true" -d username=a@-+_.b -d userid=a@-+_.b -d email=a@-+_.b@owncloud.org -d password=1234 -u admin:admin | xmllint --format -
<?xml version="1.0" encoding="UTF-8"?>
<ocs>
  <meta>
    <status>error</status>
    <statuscode>400</statuscode>
    <message>preferred_name 'a@- _.b' must be at least the local part of an email</message>
  </meta>
</ocs>
  2. For user a space:
curl -s -k -X POST https://localhost:9200/ocs/v1.php/cloud/users -H "OCS-APIREQUEST=true" -d username=a space -d userid=a space -d email=aspace@owncloud.org -d password=1234 -u admin:admin | xmllint --format -
<?xml version="1.0" encoding="UTF-8"?>
<ocs>
  <meta>
    <status>ok</status>
    <statuscode>100</statuscode>
    <message>OK</message>
  </meta>
  <data>
    <enabled>true</enabled>
    <id>a</id>
    <username>a</username>
    <displayname/>
    <email>aspace@owncloud.org</email>
    <uidnumber>0</uidnumber>
    <gidnumber>0</gidnumber>
  </data>
</ocs>
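
The rejections reported in this thread can be reproduced offline. This is an added example, not code from ocis or from any commenter: it copies the regex as printed earlier on this page, and `decodeUsername`, `check` and the request bodies are constructed for illustration, assuming the server decodes the form body with standard form parsing.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// usernameRegex is copied as printed in the issue comment on this page.
var usernameRegex = regexp.MustCompile("^[a-zA-Z_][a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]*(@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*)*$")

// decodeUsername parses an application/x-www-form-urlencoded body and
// returns its "username" field. Hypothetical helper, not the ocis code path.
func decodeUsername(body string) (string, error) {
	form, err := url.ParseQuery(body)
	if err != nil {
		return "", err
	}
	return form.Get("username"), nil
}

// check returns the decoded username and whether the regex accepts it.
func check(body string) (string, bool) {
	name, err := decodeUsername(body)
	if err != nil {
		return "", false
	}
	return name, usernameRegex.MatchString(name)
}

func main() {
	// Constructed request bodies using the usernames quoted in this issue.
	bodies := []string{
		"username=dash-123",
		"username=123",
		"username=-123",
		"username=0.0",
		"username=247843222",
		"username=a@-+_.b",                       // raw: '+' is not percent-encoded
		"username=" + url.QueryEscape("a@-+_.b"), // percent-encoded form
		"username=a",                             // body left when "a space" is split
	}
	for _, b := range bodies {
		name, ok := check(b)
		fmt.Printf("%-28s -> %-12q accepted=%v\n", b, name, ok)
	}
}
```

Sent without percent-encoding, the `+` decodes to a space, which is the `a@- _.b` in the error message above. Percent-encoded, the name is still rejected, because the regex requires a letter or digit directly after `@`.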
