[Freeipa-devel] [RANT] --setattr validation is a minefield.

Martin Kosek mkosek at redhat.com
Tue Apr 10 17:53:03 UTC 2012


On Tue, 2012-04-10 at 19:25 +0200, Petr Viktorin wrote:
> On 04/10/2012 07:07 PM, Martin Kosek wrote:
> > On Tue, 2012-04-10 at 17:03 +0200, Jan Cholasta wrote:
> >> On 10.4.2012 16:00, Petr Viktorin wrote:
[snip]
> >> Like you said above, we should either not validate --{set,add,del}attr
> >> or not allow them on known attributes.
> >
> > IMHO, validating attributes we manage in the same way for both --setattr
> > and standard attrs is not that wrong. It is a good precaution, because
> > if we let an unvalidated value in, it can make an even bigger mess later
> > in our pre_callbacks or post_callbacks where we assume that at this
> > point everything is valid.
> 
> Then we should validate *exactly* the same way, including not allowing 
> no_update attributes to be updated.

That makes some sense, I could agree with that.

> 
> > If somebody wants to modify attributes in an uncontrolled, unvalidated
> > way, he is free to use ldapmodify or another tool to play with raw LDAP
> > values. Without our guarantee of course.
> 
> That's clear.
> 
> > But if he chooses to use our --{set,add,del}attr we should at least help
> > him to not shoot himself in the leg and validate/normalize/encode the
> > value. I don't know how many users use this API, but removing support
> > for all managed attributes seems like a big compatibility break to me.
> 
> Well, it was broken (see https://fedorahosted.org/freeipa/ticket/2405, 
> 2407, 2408), so I don't think many people used it.
> 
> Anyway, what's the use case? Why would the user want to use --setattr 
> for validated attributes? Is our regular API lacking something?
> 

1) Currently, --{set,add,del}attr is the only way to add/remove values
to/from multivalue LDAP attributes without having to re-state all other
values. This point may not be that critical if we introduce other means
to handle multivalued attributes as you proposed earlier.

2) I don't know if this is a real example, but --{set,add,del}attr can
be used to create an interface with another tool or system working with
LDAP. If such a tool knows attribute names, it could add or modify objects
in IPA-managed LDAP without knowing our CLI names or parsing them from
our metadata.

This way, such a tool could take advantage of all the power that IPA has
to sanitize/validate/check LDAP values it adds or modifies.

Martin
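
The approach discussed in this thread, sketched as an added example (not part of the original message and not FreeIPA code): raw `attr=value` requests for managed attributes go through the same validator a named option would use and honour `no_update`, while unmanaged attributes pass through. `ManagedAttr`, `pattern`, `apply_raw` and the two-attribute schema are hypothetical names and constructed data.

```python
import re
from dataclasses import dataclass

class ValidationError(ValueError):
    pass

def pattern(regex, normalize=str):
    """Build a validator: reject values not matching regex, return the normalized value."""
    def check(value):
        if not re.fullmatch(regex, value):
            raise ValidationError(f"invalid value {value!r}")
        return normalize(value)
    return check

@dataclass(frozen=True)
class ManagedAttr:  # hypothetical stand-in for a framework parameter definition
    validate: object
    multivalue: bool = False
    no_update: bool = False  # flag name taken from the thread

# Constructed schema of managed attributes; anything else counts as unmanaged.
SCHEMA = {
    "mail": ManagedAttr(pattern(r"[^@\s]+@[^@\s]+", str.lower), multivalue=True),
    "uid": ManagedAttr(pattern(r"[a-z][a-z0-9_.-]*"), no_update=True),
}

def apply_raw(entry, op, spec):
    """Apply one --{set,add,del}attr style 'attr=value' to entry; return a new dict."""
    attr, sep, value = spec.partition("=")
    if op not in ("set", "add", "del") or not sep:
        raise ValidationError(f"bad request: {op!r} {spec!r}")
    attr = attr.lower()
    param = SCHEMA.get(attr)
    if param is not None:
        if param.no_update:
            raise ValidationError(f"{attr} cannot be updated")
        value = param.validate(value)  # same validator the named option would use
    current = list(entry.get(attr, []))
    if op == "set":
        current = [value]
    elif op == "add":
        if param is not None and not param.multivalue and current:
            raise ValidationError(f"{attr} is single-valued")
        current.append(value)
    else:
        if value not in current:
            raise ValidationError(f"{attr} has no value {value!r}")
        current.remove(value)
    return {**entry, attr: current}
```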



