Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Only set encryption option to net-ldap when needed. #16954

Merged
merged 2 commits into from
Feb 6, 2018

Conversation

jvlcek
Copy link
Member

@jvlcek jvlcek commented Feb 5, 2018

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1542222

The net-ldap gem, which implements authentication mode ldaps and ldap, requires
encryption options when doing secure ldapS but can not handle empty
encryption options when doing unsecure ldap.

This PR ensure no encryption options, empty or otherwise, are passed to net-ldap
when the encryption options are unneeded.

Links

Steps for Testing/QA

Configure an appliance for Authentication Mode: LDAP
Attempt to log in with a valid user should succeed.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1542222

The net-ldap gem, which implements authentication mode ldap(s), requires
encryption options when doing secure ldapS but can not handle empty
encryption options when doing unsecure ldap. An empty encryption option
can not be provided.
@miq-bot
Copy link
Member

miq-bot commented Feb 5, 2018

@jvlcek unrecognized command 'add', ignoring...

Accepted commands are: add_label, assign, close_issue, move_issue, remove_label, rm_label, set_milestone

1 similar comment
@miq-bot
Copy link
Member

miq-bot commented Feb 5, 2018

@jvlcek unrecognized command 'add', ignoring...

Accepted commands are: add_label, assign, close_issue, move_issue, remove_label, rm_label, set_milestone

@jvlcek
Copy link
Member Author

jvlcek commented Feb 5, 2018

@miq-bot assign @gtanzillo

@miq-bot
Copy link
Member

miq-bot commented Feb 5, 2018

@jvlcek unrecognized command 'add', ignoring...

Accepted commands are: add_label, assign, close_issue, move_issue, remove_label, rm_label, set_milestone

@jvlcek
Copy link
Member Author

jvlcek commented Feb 5, 2018

@bdunne Please review, especially the spec file change.

@jvlcek
Copy link
Member Author

jvlcek commented Feb 5, 2018

@miq-bot add_label gaprindashvili/yes

@jvlcek
Copy link
Member Author

jvlcek commented Feb 5, 2018

@miq-bot add_label bug

@jvlcek
Copy link
Member Author

jvlcek commented Feb 5, 2018

@miq-bot add_label authentication

end

it 'returns a hostname when a hostname is availble and does not set encryption options' do
ldap = MiqLdap.new(:mode => "ldap", :host => ["testhostname", "localhost", "dummy", @host])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could set this up with a let since it is the same in this context

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I completely missed the ldap vs ldaps difference.

it 'returns a hostname when a hostname is availble and does not set encryption options' do
ldap = MiqLdap.new(:mode => "ldap", :host => ["testhostname", "localhost", "dummy", @host])
expect(ldap.ldap.host).to eq("testhostname")
expect(ldap.ldap.instance_variable_get(:@encryption)).to be_falsey
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this line be added to the previous it since they're the same otherwise?

Copy link
Member

@bdunne bdunne Feb 6, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait... will it be false or unset or nil?

@jvlcek
Copy link
Member Author

jvlcek commented Feb 6, 2018

Thank you @bdunne!

I reworked the test subject lines to try to make when ldap and when ldaps more obvious.

I also test for nil instead of falsey when encryption options should not be provided.

Thank you! JoeV

@miq-bot
Copy link
Member

miq-bot commented Feb 6, 2018

Checked commits jvlcek/manageiq@e76128c~...d1dbc9a with ruby 2.3.3, rubocop 0.52.0, haml-lint 0.20.0, and yamllint 1.10.0
2 files checked, 0 offenses detected
Everything looks fine. 🏆

options.store_path(:encryption, :tls_options, :verify_mode, OpenSSL::SSL::VERIFY_NONE) if options[:host].ipaddress?

if mode == "ldaps"
options[:encryption] = {:method => :simple_tls}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does options[:encryption] need to be a hash even when not using ldaps? I ask because it used to be an empty hash.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, options[:encryption] does not need to be a hash even when not using ldaps.

In fact this PR is fixing exactly that. options[:encryption] can not be an empty hash if it is not needed because net-ldap chokes on and empty hash for options[:encryption]

Making it an empty hash was the bug I introduced with #16850
that this PR is fixing.

Initially options[:encryption] was only set if mode == "ldaps" as follows:

options[:encryption] = {:method => :simple_tls} if mode == "ldaps"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bdunne Thanks again!

@bdunne bdunne merged commit 92faed2 into ManageIQ:master Feb 6, 2018
@bdunne bdunne added this to the Sprint 79 Ending Feb 12, 2018 milestone Feb 6, 2018
@bdunne bdunne assigned bdunne and unassigned gtanzillo Feb 6, 2018
simaishi pushed a commit that referenced this pull request Feb 8, 2018
Only set encryption option to net-ldap when needed.
(cherry picked from commit 92faed2)

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1543635
@simaishi
Copy link
Contributor

simaishi commented Feb 8, 2018

Gaprindashvili backport details:

$ git log -1
commit 6c851ded3f3d35fb047ec687a2fe794462242a59
Author: Brandon Dunne <[email protected]>
Date:   Tue Feb 6 16:15:30 2018 -0500

    Merge pull request #16954 from jvlcek/bz1542222_miqldap
    
    Only set encryption option to net-ldap when needed.
    (cherry picked from commit 92faed2c62df2bcb9fb26e94ca9795031d54974f)
    
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1543635

@jvlcek jvlcek deleted the bz1542222_miqldap branch February 8, 2018 21:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants