[webservice] User with admin ACL on department can ls objects at root base in WS

Hi

Description

Users that has been declared admin on a department can ls objects at root base through WS

Distribution Name and Version

Ubuntu 17.04

FusionDirectory Version

1.2

Plugin with the defect

fusiondirectory-plugin-webservice

PHP version used

PHP 7.0.22-0ubuntu0.17.04.1 (cli) (built: Aug 8 2017 22:03:30)

Origin of php packages

Official ubuntu repositories

Steps to Reproduce

1. set up a tree of departments
2. create users bob and alice in base root (under a ou=users,<base>)
3. as fd-admin, assign admin ACL to bob on a department that contains sub-departments.
4. as bob, try to assign admin ACL to alice on a sub-department : you should not be able to access the root of users branch to pick her up as you're not supposed to see these users,
5. using web service, logged in as bob, we can see alice and other user when calling ls method on ou=users, (tested with JMeter or fusiondirectory-shell), and fetch all its ldap

Expected behavior:

Same behaviour as in UI (Access denied message)

Actual behavior:

User can be listed, and user can access their dn and ldap attributes.

Reproduces how often: 100%

Additional Information

We have noticed this issue while looking for a simple way to automatically allow users that are admin on department to see users at root base without giving read rights on ou=users,<base> to everyone or asking FD users to assign another ACL alongside the admin ACL (through UI or WS), as it may get forgotten (2 steps instead of one) or desynchronized (old admins still having read rights even though they are no longer admins...).

closed

reopened

changed the description

assigned to @MCMic

added Bugs label

created branch 5704-webservice-user-with-admin-acl-on-department-can-ls-objects-at-root-base-in-ws

mentioned in commit 2faf61c5

So I have a fix in the MR for the ls method (it was bypassing ACLs for some reason). It’s a bit more complicated to do for the count method, so the count method is still bypassing ACLs. I can’t decide if this is a bug or a feature. Should the number of any given object type be a secret? Right now the result of count will not match the number of entries ls returns, that may be seen as problematic. But making a count with ACL-check would basically mean just call ls and count the number of results, so much less efficient than count.

added 1h of time spent

I pushed in the MR a fix for the count situation, so now ls and count will match. count will be fast if you count in a base where you directly have enough rights. It will be as slow as ls if you do it where you do not (for instance the ldap root while you are manager on a branch).

There is still one webservice/ACL problem that bothers me: with ls a user can show any LDAP field from an object. This is a big problem so I think we’ll have to restrict it to only the naming attribute, maybe even remove the attrs attribute from the ls method alltogether.

mentioned in commit 0ce24dcd

added 30m of time spent

mentioned in commit c55520b3

added 2h of time spent

mentioned in issue infra/automated-testing#2

changed milestone to %47

created branch 5704-webservice-user-with-admin-acl-on-department-can-ls-objects-at-root-base-in-ws